Privacy Policy
Last updated: 22 May 2026
This Privacy Policy describes how OrderBot ("we", "us", "our") collects, uses, stores, and shares information when you use our services. By using OrderBot, you agree to the practices described here.
1. Information we collect
From merchants
- Business name, owner name, and contact phone number
- Business type, address, and operating settings
- WhatsApp Business Account ID and phone number ID provided by Meta
- Product catalogue, prices, and inventory levels you choose to enter
- Account credentials (passwords are stored only as one-way bcrypt hashes; we cannot read them)
From your customers (via WhatsApp)
- Phone numbers, display names, and message content sent to your WhatsApp Business number
- Order details derived from those messages (items, quantities, delivery address, payment method)
- Order history, loyalty status, and credit ledger entries you record about them
Automatically collected
- Server access logs (IP address, user agent, timestamps)
- WhatsApp message delivery status webhooks from Meta
- Errors and performance telemetry
2. How we use information
- To provide the OrderBot service: parsing messages, creating orders, sending replies, tracking inventory and credit
- To improve AI accuracy by aggregating anonymous patterns about language and ordering behaviour
- To send service-related communications to merchants (account alerts, billing notices)
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
3. How we share information
We share data only with the following service providers, strictly as needed to provide the service:
- Meta (WhatsApp Cloud API): to send and receive WhatsApp messages
- Anthropic: to process message text with the Claude language model for intent and order extraction
- Supabase: to store merchant and customer data securely
- Upstash: for real-time session and queue storage
- Railway / Vercel: for application hosting
We do not sell personal data to third parties. We may disclose information when required by law or to protect the safety of our users.
4. Data retention
Order, customer, and ledger data is retained as long as the merchant's account is active. On account termination, data is retained for 30 days to allow recovery, then permanently deleted. Conversation context in Redis is automatically expired after one hour. Aggregate anonymous analytics may be retained indefinitely.
5. Your rights
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Object to or restrict certain processing
- Export your data in a portable format
To exercise these rights, contact us via the details on our contact page.
6. Security
We use industry-standard practices including HTTPS in transit, encrypted database storage at rest, scoped service tokens, bcrypt password hashing, and row-level access controls. No system is perfectly secure, but we take reasonable steps to protect your data.
7. Children's privacy
OrderBot is intended for use by businesses. We do not knowingly collect data from individuals under the age of 13. If you believe a child's data has been collected, contact us and we will delete it.
8. International transfers
Our service providers (Meta, Anthropic, Supabase, Vercel) may store and process data in locations outside Pakistan, including the United States and the European Union. By using OrderBot you consent to these transfers.
9. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated to merchants via email or the dashboard. The "Last updated" date at the top of this page reflects the most recent revision.
10. Contact
Questions about this policy or your data should be sent through our contact page.