Summary: Sanestix Flow is a WhatsApp Business Solution Provider (BSP) platform that helps businesses manage customer conversations. We collect only the data necessary to provide our service. We do not sell your data. We comply with Meta's Platform Policies, GDPR, and applicable data protection laws.
1 Who We Are
Sanestix ("we," "us," or "our") operates Sanestix Flow, a WhatsApp Business Solution Provider (BSP) platform accessible at flow.sanestix.com. We are an official Meta Business Partner.
This Privacy Policy explains how we collect, use, disclose, and protect information when you use our platform — whether you are a business ("Workspace Admin"), a team member ("Agent"), or an end-user whose messages are processed through our platform ("Customer").
By using Sanestix Flow, you agree to the collection and use of information in accordance with this policy.
2 Information We Collect
2.1 Account & Registration Data
- Full name, email address, and password (hashed — never stored in plaintext)
- Business name and workspace details
- Billing information (processed by Stripe — we do not store card numbers)
- IP address and login timestamps for security
2.2 WhatsApp Business Data
- WhatsApp Business Account (WABA) ID and phone number ID
- Access tokens (encrypted at rest using AES-256)
- Message content sent and received through your connected WhatsApp number
- Media files (images, audio, documents) sent or received via WhatsApp
- Message delivery and read status
2.3 Contact / CRM Data
- Customer phone numbers and display names from WhatsApp
- Conversation history and message metadata
- Custom tags, notes, and fields added by your team
- Contact segments and broadcast lists
2.4 Usage & Analytics Data
- Platform usage patterns and feature interactions
- Response time metrics and AI resolution rates
- Error logs for debugging purposes
- Browser type, device type, and operating system
3 How We Use Your Information
We use the information we collect to:
- Provide the service — process WhatsApp messages, power AI responses, manage team inboxes, and deliver platform features
- Process payments — manage subscriptions and billing via Stripe
- Send operational communications — account alerts, security notifications, and service updates
- Improve our platform — analyze usage patterns to improve features and fix bugs
- Ensure security — detect fraud, abuse, and unauthorized access
- Comply with legal obligations — respond to lawful requests from authorities
- AI / GPT processing — message content may be sent to OpenAI's API to generate automated replies. OpenAI processes this data under their Privacy Policy
We do not sell your data. We do not use your customers' WhatsApp message data for advertising or marketing purposes beyond the scope of providing our service.
4 WhatsApp & Meta Platform Data
Sanestix Flow is built on the WhatsApp Business Platform API provided by Meta Platforms, Inc. By connecting your WhatsApp Business Account to our platform, you acknowledge:
- Message data flows through Meta's infrastructure before reaching our servers
- Meta's WhatsApp Privacy Policy and Platform Policies also apply
- We access your WABA data only with your explicit authorization via Meta's Embedded Signup flow
- We use System User tokens (not personal user tokens) to ensure service continuity
- You may revoke our access at any time through your Meta Business Manager settings
- We do not access your personal Facebook or Instagram account data
- WhatsApp message templates must be approved by Meta before use
We comply with Meta's Messaging Policy, including opt-in requirements, prohibited content rules, and messaging frequency guidelines.
5 Data Sharing & Third Parties
We share data only with the following categories of third parties, strictly for service delivery:
5.1 Service Providers
- Meta / WhatsApp — message delivery infrastructure
- OpenAI — AI-powered automated replies (GPT-4o)
- Stripe — payment processing and subscription management
- Resend — transactional email delivery
- Cloudflare / AWS S3 — media file storage
- Sentry — error monitoring and debugging
5.2 When Required by Law
We may disclose data if required by applicable law, court order, or government request, or to protect the rights, property, or safety of Sanestix, our users, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you via email and/or a prominent notice on our platform.
5.4 White-Label Resellers
If you access our platform through a white-label reseller, that reseller may have access to your workspace data as part of their administrative role. Please review their privacy policy as well.
We do not share your data with advertisers, data brokers, or any third party for marketing purposes.
6 Data Retention
- Active accounts — data retained for the duration of your subscription
- Cancelled accounts — data retained for 30 days after cancellation, then deleted
- Suspended accounts (non-payment) — data retained for 51 days, then permanently deleted
- Message history — retained per your workspace's configured retention policy (default: indefinite while active)
- Audit logs — retained for 12 months
- Billing records — retained for 7 years as required by financial regulations
You may request earlier deletion of your data at any time by contacting us at privacy@sanestix.com.
7 Data Security
We implement industry-standard security measures including:
- Encryption in transit — all data transmitted over HTTPS/TLS 1.2+
- Encryption at rest — database encryption and AES-256 for sensitive tokens
- Access controls — role-based access control (RBAC) with audit logging
- Two-factor authentication (2FA) — available for all accounts
- Regular security audits — periodic vulnerability assessments
- Workspace isolation — complete data separation between workspaces
Despite our efforts, no method of transmission over the Internet is 100% secure. We will notify you of any data breach affecting your account within 72 hours of discovery, as required by GDPR.
8 Your Rights (GDPR & CCPA)
Depending on your location, you may have the following rights:
8.1 GDPR Rights (EU/EEA Users)
- Right of Access — request a copy of your personal data
- Right to Rectification — correct inaccurate data
- Right to Erasure — request deletion of your data ("right to be forgotten")
- Right to Portability — receive your data in a machine-readable format
- Right to Restrict Processing — limit how we use your data
- Right to Object — object to certain types of processing
- Right to Withdraw Consent — withdraw consent at any time
8.2 CCPA Rights (California Users)
- Right to know what personal information is collected and how it is used
- Right to delete personal information
- Right to opt-out of the sale of personal information (we do not sell data)
- Right to non-discrimination for exercising your privacy rights
8.3 WhatsApp End-User Rights
If you are a customer whose data was collected through a business using our platform, you have the right to ask that business to delete your conversation data. You may also contact us directly at privacy@sanestix.com.
To exercise any of these rights, email us at privacy@sanestix.com. We will respond within 30 days.
9 Cookies
Our platform uses the following types of cookies:
- Essential cookies — required for authentication and session management
- Analytics cookies — help us understand how the platform is used (anonymized)
- Preference cookies — remember your settings (e.g., theme preference)
We do not use advertising or tracking cookies. You can control cookies through your browser settings. Disabling essential cookies may affect platform functionality.
10 Children's Privacy
Sanestix Flow is a business-to-business (B2B) platform intended for use by businesses and professionals. We do not knowingly collect personal information from individuals under the age of 16.
If you believe a minor has provided us with personal information, please contact us immediately at privacy@sanestix.com and we will delete that information.
11 International Data Transfers
Sanestix Flow operates globally. Your data may be transferred to and processed in countries other than your own, including Pakistan, the United States, and the European Union.
For transfers from the EEA to third countries, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Your explicit consent where required
12 Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Send an email notification to all registered workspace admins
- Display a prominent notice on the platform dashboard
Your continued use of Sanestix Flow after changes become effective constitutes acceptance of the updated policy.
13 Contact Us
For privacy-related questions, data requests, or concerns, please contact our Data Protection team: