Privacy Policy
Last updated: May 16, 2026 · Effective date: May 16, 2026
1. Introduction
Xentori ("we", "our", or "us") operates a WhatsApp Business messaging platform that enables businesses to send, receive, and manage customer conversations via the WhatsApp Business Cloud API. This Privacy Policy explains how we collect, use, store, and protect personal information when you use our platform, and describes your rights with respect to that information.
By accessing or using Xentori, you agree to the practices described in this policy. If you do not agree, please discontinue use of the platform.
2. Who We Are
Xentori is a business messaging and customer communication tool. Our platform is used by businesses and their authorized staff to communicate with customers via WhatsApp. We act as a data processor on behalf of the businesses that use our platform, and those businesses act as data controllers with respect to their customers' data.
Data Controller Contact
Email: anurag@xentori.com
For data deletion requests, contact: anurag@xentori.com
3. Information We Collect
3.1 Message Content & Conversation Data
When customers send messages to a business using Xentori, we receive and store the content of those messages, including text, media attachments (images, audio, video, documents), and associated metadata such as timestamps, message delivery status (sent, delivered, read), and message type.
3.2 Contact Information
We collect and store WhatsApp phone numbers, display names provided by WhatsApp, and any contact names added by business staff. We do not collect email addresses, physical addresses, or payment information from end users (customers).
3.3 Platform User Accounts
For staff accounts that log into the Xentori dashboard, we collect email addresses and encrypted passwords via Supabase Authentication. We do not store plain-text passwords.
3.4 Technical & Usage Data
We may collect standard server log data including IP addresses, browser type, operating system, and pages accessed solely for security monitoring and platform reliability. This data is not used for advertising or sold to third parties.
3.5 WhatsApp Business API Data
Our platform integrates with the Meta WhatsApp Business Cloud API. Data received through this integration includes message payloads delivered via webhook. We verify the authenticity of all webhook payloads using HMAC-SHA256 signature verification as required by Meta.
4. How We Use Your Information
- To deliver, display, and store messages between customers and business staff
- To track message delivery and read status via WhatsApp status callbacks
- To allow authorized business staff to manage and respond to customer conversations
- To authenticate platform users and maintain secure sessions
- To monitor platform health, detect errors, and ensure reliability
- To comply with applicable laws, regulations, and Meta Platform Policies
We do not sell, rent, or share personal data with third parties for marketing purposes. We do not use message content to train AI models or for profiling.
5. Data Storage & Security
All data is stored in Supabase, a SOC 2 Type II certified cloud database hosted on AWS. Data is encrypted at rest and in transit using industry-standard TLS 1.2/1.3 and AES-256 encryption.
We enforce Row Level Security (RLS) on all database tables, ensuring that data is accessible only to authorized users. Service role credentials are never exposed to client-side code.
We retain conversation data for as long as the business account is active, or as required by applicable law. Upon account termination, data is deleted within 90 days.
6. Third-Party Services
Meta (WhatsApp Business Cloud API)
We use Meta's WhatsApp Business Cloud API to send and receive messages. Message content and metadata may be processed by Meta in accordance with their WhatsApp Privacy Policy.
Supabase
We use Supabase for database storage and authentication. Data is processed in accordance with Supabase's Privacy Policy.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your personal data
- Portability: Request a machine-readable export of your data
- Objection: Object to processing of your data in certain circumstances
To exercise any of these rights, email anurag@xentori.com. We will respond within 30 days.
8. Data Deletion
You can request deletion of all personal data associated with your account or conversations at any time by emailing anurag@xentori.com with the subject line "Data Deletion Request".
Requests are processed within 30 days. You will receive a confirmation email once deletion is complete. Residual data may remain in encrypted backups for up to 90 additional days before being purged.
If you connected to Xentori via a Meta integration, you can also submit a data deletion request directly through Facebook/Meta settings. We will process such requests within the same 30-day window.
9. Cookies
Xentori uses session cookies solely for authentication purposes. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Session cookies expire when you sign out or after a period of inactivity.
10. Children's Privacy
Xentori is a business-to-business platform intended for use by adults (18 years or older) in a professional capacity. We do not knowingly collect personal information from individuals under 13. If you believe a minor has provided us with personal data, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 14 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
12. Contact Us
For privacy-related questions, data requests, or concerns, contact: