SigFollow

Privacy Policy

Last updated: 2026-04-20. This English version is the authoritative text; if a translated version conflicts with the English, the English text prevails.

1. Introduction

SigFollow (“we”, “us”, or “the Platform”) provides a multi-tenant WhatsApp customer collaboration SaaS to enterprise customers. This Privacy Policy explains how we collect, use, share, store, and protect personal information when we deliver the service to our customers (“Tenants”) and their agents.

This policy applies to all products and services accessed through sigfollow.com and its sub-domains. By interacting with the Platform as a tenant administrator, agent, or end user, you acknowledge that you have read and understood this policy.

Roles. With respect to messages that end users send to a Tenant over WhatsApp, the Tenant is the data controller and SigFollow acts as the processor handling those activities on the Tenant’s behalf. With respect to the Tenant’s own staff (administrators and agents), SigFollow acts as a processor. Tenants may publish their own privacy policies describing their processing activities; please consult those as well.

2. Information We Collect

2.1 Information you provide directly

  • Account and identity information: Tenant name, business contact email, agent names, employee IDs, hashed login credentials.
  • Configuration data: WhatsApp Business Account (WABA) IDs, Phone Number IDs, Cloud API access tokens, routing rules, queue members, template content. Tokens are stored encrypted and used solely to call Meta APIs on your behalf.
  • Business content you submit: agent reply text, media files, annotations, and notes created inside the workbench.

2.2 Information received through WhatsApp / Meta

  • Message content: text, images, video, audio, documents, locations, interactive replies, and reaction emoji sent by end users to a Tenant through WhatsApp.
  • Message metadata: sender phone number, message IDs (wamid), timestamps, template names, delivery and read receipts.
  • Contact profile: the limited information Meta allows us to receive, such as the end user’s WhatsApp display name.

2.3 Automatically collected technical information

  • IP address, browser / client fingerprint, operating system, language preferences.
  • Sign-in and activity logs, API call records, error stack traces, performance samples.
  • Cookies strictly necessary for maintaining sessions and protecting against CSRF. We do not use third-party advertising cookies.

3. How We Use This Information

  • Provide the core service — receiving, routing, replying to, and archiving messages — to Tenants and their agents.
  • Assign inbound messages to queues and agents using the ACD engine; in AI agent mode, generate reply suggestions or automated answers based on conversation context and knowledge-base content.
  • Produce conversation analytics, agent-performance reports, and audit records within each Tenant.
  • Maintain reliability, troubleshoot incidents, defend against fraud and abuse, and comply with legal obligations.
  • With your explicit opt-in, send product announcements, security-incident notices, and terms-of-service change notifications to Tenant contacts.

We do not use WhatsApp message content for advertising purposes, and we do not share message content with third-party advertising networks. AI models are trained or fine-tuned on a Tenant’s data only with that Tenant’s explicit authorization; cross-tenant data is never mixed into a shared training set.

4. Relationship with Meta and WhatsApp

The Platform connects to the WhatsApp Business Platform through the Meta Cloud API. Communications and metadata exchanged over WhatsApp between you and your end users are also processed by Meta under its own WhatsApp Business Policy and WhatsApp Privacy Policy. By using the Platform, you acknowledge that Meta independently processes such data under those terms.

We invoke Meta APIs only to the extent necessary to deliver the service to our Tenants and comply with Meta’s business requirements — including the 24-hour customer-service window and template pre-approval.

5. Sharing and Disclosure

We share personal information only in the limited circumstances below:

  • Infrastructure sub-processors: databases, object storage, message queues, and observability providers access data solely as required to operate the Platform, under a signed Data Processing Agreement (DPA).
  • Tenant-owned outbound webhooks: a Tenant may subscribe to outbound webhooks; we forward that Tenant’s own message events, signed, to the HTTPS endpoint they designate. We enforce SSRF protection, require HTTPS, and reject private address ranges; compliance of the destination URL remains the Tenant’s responsibility.
  • Mergers, acquisitions, or reorganizations: if our corporate structure changes, we will notify you in advance and transfer data in line with applicable law.
  • Legal requests: when served with a lawful demand from a competent authority, we evaluate it carefully and disclose only what is necessary to comply.

We do not sell Tenant message content to any third party, and we do not reuse it for commercial purposes outside the Tenant’s stated service purpose.

6. International Data Transfers

The Platform’s infrastructure may be deployed in countries other than the Tenant’s chosen region. When data crosses borders, we apply encryption in transit, contractual safeguards, and access controls so that the protection level is no lower than that of the source jurisdiction. For transfers involving the EU / UK, we rely on the Standard Contractual Clauses (SCC) or UK International Data Transfer Addendum (IDTA) as an appropriate transfer mechanism.

7. Retention

  • Account and configuration data: retained throughout the Tenant’s subscription; deleted or anonymized within 90 days after account closure.
  • Message content: retention follows the Tenant’s contractual term, typically no more than 18 months; Tenants can configure a shorter period in the admin console.
  • Security and audit logs: retained up to 24 months to meet regulatory and forensic needs.
  • Backup copies: retained up to 35 days; deleted records are purged from backups within 35 days of the initial deletion.

8. Your Rights

Depending on applicable law, you may have the right to:

  • Know what personal information we process and obtain a copy of it;
  • Correct or complete inaccurate or incomplete data;
  • Delete, restrict, or object to specific processing activities;
  • Withdraw consent (without affecting processing carried out before withdrawal);
  • Receive the data in a structured, commonly used, machine-readable format (data portability);
  • Lodge a complaint with your local supervisory authority.

If you are an end user interacting with a Tenant over WhatsApp, please contact that Tenant first to exercise these rights. If you are a Tenant, write to privacy@sigfollow.com. We aim to respond within 30 calendar days.

9. Security

  • Transport: end-to-end HTTPS / TLS 1.2+, encrypted WebSocket, mTLS between internal services.
  • Storage: Cloud API access tokens, webhook secrets, and other sensitive fields are encrypted at rest; uploaded media is validated against its magic bytes to reject spoofed MIME types.
  • Access control: role-based permissions (SUPER_ADMIN / TENANT_ADMIN / Agent) with least-privilege, approval trails, and session recording for operators accessing production.
  • External input: unified SSRF guards, HMAC signature verification, rate limiting, and IP-CIDR allow-lists.
  • Continuous assurance: code-review loops, vulnerability-response process, and periodic third-party penetration testing.

Despite these measures, no system can be absolutely secure on the public internet. If a security incident that may affect you occurs, we will notify you and the relevant authorities as required by applicable law.

10. Cookies and Similar Technologies

The Platform uses strictly necessary cookies to maintain sign-in state, defend against CSRF, and remember preferences. We do not use third-party advertising cookies. You can block cookies in your browser settings, although some Platform features may not function correctly.

11. Children

The Platform is intended for business use and is not directed at individuals under the age of 16. If we learn that we have inadvertently collected personal information from a child, we will delete it promptly.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email, in-platform notice, or another prominent method. The latest version is always available on this page; continued use of the Platform constitutes acceptance of the updated policy.

13. Contact Us

For questions, comments, or complaints about this policy or our handling of personal information, reach out to: