Privacy Policy
0. Plain-English summary
- We collect: your email, name, password (hashed), preferred language, your WhatsApp session credentials (stored on disk), the message templates you write, and the last 100 webhook events as a debug log.
- The webhook log includes your clients' personal data (names, phones, booking details from EasyWeek). You're the controller of that data — we just pass it through and keep a small recent log.
- We do not sell your data. We do not run analytics or advertising. We use one third party: Resend, for sending verification emails.
- You can delete your account and all associated data at any time.
1. Who we are
The operator of WABook is a private individual based in Poland. WABook is a personal side project, not a registered business. Contact details are available on request through the website.
2. What we collect
Account data
- Email address — used as your login and to send verification + critical service emails
- Display name — shown in the dashboard
- Password — stored as a bcrypt hash, never in plaintext
- Preferred language — to display the UI in your language
- Sign-up IP address — kept for abuse detection (90 days)
- ToS acceptance timestamp + version — for legal compliance
WhatsApp session
When you scan the QR code, the WhatsApp Web library stores session credentials on the server's disk (/data/wa-sessions/{your-id}/). These are the same credentials your phone would use to keep you logged in to WhatsApp Web. They allow the server to send messages on your behalf until you disconnect.
Session data is deleted from disk when you disconnect or delete your account.
Message templates
The text templates you write are stored in our database. Templates are tied to your account and not shared with anyone.
Webhook log
For debugging, we keep a log of the last 100 webhook events received from EasyWeek per account. Each entry contains:
- Timestamp
- Event type (e.g. booking-created)
- The full webhook payload from EasyWeek (client name, phone, email, booking date/time, service, address, price, etc.)
- Status (sent / failed / no-template / no-session)
- Error message, if any
Logs older than the most recent 100 events per account are deleted automatically.
Rate-limit counters
To enforce the message limits (20/hour, 100/day), we count how many messages you've sent in each window. Counters from finished windows are kept for 30 days for auditing, then deleted.
3. Your clients' personal data
Webhook payloads from EasyWeek contain personal data about your booked clients (names, phone numbers, email addresses, appointment details). Under the GDPR (and similar laws):
- You are the data controller of your clients' data.
- WABook is a data processor — we process this data only on your instructions, to render templates and forward messages to WhatsApp.
- You are responsible for having a lawful basis (consent, contract, legitimate interest) to process and forward this data via WhatsApp, and for informing your clients accordingly.
4. Why we collect it (legal basis under GDPR)
- To provide the Service (Art. 6(1)(b) GDPR — performance of contract): account, password, WhatsApp session, templates, webhook processing
- To prevent abuse (Art. 6(1)(f) — legitimate interest): IP address, rate-limit counters, sign-up logs
- To comply with our own legal obligations (Art. 6(1)(c)): ToS acceptance records
5. Who we share data with
We do not sell, rent, or trade your personal data.
The Service uses these third-party processors:
- Railway (USA / EU regions) — hosting infrastructure (servers, database, file storage)
- Resend (USA) — sending verification and service emails
- WhatsApp / Meta — when you connect WhatsApp, you're effectively using WhatsApp Web. Your messages and credentials flow through Meta's WhatsApp infrastructure under their privacy terms
We do not use Google Analytics, Facebook Pixel, or any advertising/tracking SDKs.
6. Cookies
We use a single technical cookie / localStorage value (wabook_token) to keep you logged in, and wabook_lang to remember your language preference. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
7. How long we keep data
- Account, templates: until you delete the account
- WhatsApp session: until you disconnect
- Webhook log: rolling 100 events per account, older entries deleted automatically
- Rate-limit counters: 30 days then deleted
- Sign-up IP: 90 days then deleted
8. Your rights (GDPR)
If you're in the EU/EEA/UK, you have the right to:
- Access the personal data we hold about you
- Have it corrected if it's wrong
- Have it deleted ("right to be forgotten")
- Receive your data in a machine-readable format (data portability)
- Object to or restrict processing
- Lodge a complaint with your data protection authority (in Poland: UODO)
To exercise any of these, contact the operator. Most rights can be exercised by simply deleting your account from the dashboard, which removes all associated data.
9. Security
We take basic security measures: HTTPS everywhere, bcrypt password hashing, JWT tokens, rate limiting on auth endpoints, validated input. However, this is a side project running on a small server — we don't have a security team, formal pen-tests, or SOC 2 compliance. Use accordingly.
10. International transfers
Our hosting (Railway) and email (Resend) providers may transfer data to servers in the United States. Both providers offer GDPR-compliant data processing agreements.
11. Children
WABook is not intended for users under 16. We don't knowingly collect data from minors. If you believe we have, contact the operator and we'll delete it.
12. Changes to this policy
If we change this policy in a material way, we'll email verified users. Minor edits will just be reflected on this page with an updated date.
13. Contact
For privacy questions or to exercise your rights, contact the operator through the website.