Data Processing Agreement

• Controller: You, the business using Wapai
• Processor: Wapai Ltd, acting on your behalf
• Personal data: Any information relating to an identified or identifiable natural person
• Data subject: Your end customers whose data is processed through Wapai
• Processing: Any operation performed on personal data (storage, retrieval, analysis, transmission)
• GDPR / UK GDPR: The applicable data protection legislation in the United Kingdom

Wapai processes the following categories of personal data on your behalf:

• Customer names and phone numbers
• WhatsApp message content
• Order information and purchase history
• Customer preferences and tags derived from conversations
• Booking information

Processing activities include: storing messages, generating AI responses, analysing customer behaviour, sending broadcasts, and providing you with analytics.

The purpose of processing is solely to provide the Wapai service as described in the Terms of Service.

Wapai (as Processor) agrees to:

• Process personal data only on your documented instructions
• Ensure persons authorised to process data are bound by confidentiality
• Implement appropriate technical and organisational security measures
• Assist you in responding to data subject requests
• Assist you in meeting your obligations under GDPR Articles 32–36
• Delete or return all personal data at your request or on termination
• Make available all information necessary to demonstrate compliance
• Not engage sub-processors without your prior consent

You authorise Wapai to use the following sub-processors. Wapai remains responsible for their compliance:

We will notify you of any changes to sub-processors with 30 days' notice.

Wapai implements the following technical and organisational measures:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Row-level security ensuring businesses can only access their own data
• Authentication via Supabase with JWT tokens and refresh rotation
• Regular automated backups with point-in-time recovery
• Access controls limiting staff access to production data
• Security monitoring and incident response procedures
• Penetration testing conducted annually

In the event of a personal data breach, Wapai will:

• Notify you without undue delay, and within 72 hours of becoming aware of the breach
• Provide details of the nature of the breach, categories affected, and likely consequences
• Describe measures taken or proposed to address the breach

You remain responsible for notifying the ICO and affected data subjects where required by GDPR.

When data subjects (your customers) exercise their rights under GDPR, Wapai will:

• Forward requests to you within 5 business days
• Provide technical tools to assist with data export and deletion (available in Settings)
• Not respond directly to data subjects on your behalf without your authorisation

You are the Controller and are responsible for responding to data subject requests within the required timeframes.

Upon termination of the Service:

• All personal data will be deleted from our systems within 30 days
• You may export your data before termination via the GDPR export tool in Settings
• Backups containing personal data will be deleted within 90 days
• We will provide written confirmation of deletion on request

Certain data may be retained longer if required by law (e.g. financial records under UK accounting regulations).