BotWave is committed to responsible, transparent data protection practices. This page explains our obligations as both a data controller (for your account data) and a data processor (for your customers' conversation data), and how we fulfil them under the Nigeria Data Protection Regulation (NDPR) 2019.
Two distinct roles
- 🏢 Data Controller — for data you provide when registering and using the BotWave dashboard (your account data, payment data, bot configurations)
- 🤝 Data Processor — for your customers' WhatsApp messages and conversation data processed on your behalf when your bot operates
1. Data Controller Information
Controller Name: BotWave
Trading As: BotWave
Registered Jurisdiction: Nigeria
Principal Address: Lagos, Nigeria
Data Protection Officer: [email protected]
NITDA Data Protection Compliance Registration: In progress
2. Legal Basis for Processing
We rely on the following lawful bases for processing personal data under the NDPR:
| Processing Activity | Legal Basis |
|---|---|
| Account registration and management | Contract performance |
| Subscription billing and payment | Contract performance / Legal obligation |
| Delivering bot services (routing WhatsApp messages) | Contract performance (with you as controller on behalf of your customers) |
| Sending transactional emails (invoices, alerts) | Contract performance |
| Platform security and fraud prevention | Legitimate interests |
| Product improvement using anonymised analytics | Legitimate interests |
| Marketing communications (newsletters) | Consent (with opt-out on every email) |
| Retaining financial records | Legal obligation (FIRS Act) |
| reCAPTCHA verification on sign-up | Legitimate interests (fraud prevention) |
3. Data Categories We Process
3.1 Account Holder Data (Controller role)
- Identity data: first name, last name, business name, business type
- Contact data: email address, phone number (E.164)
- Technical data: IP addresses, browser and device identifiers, session tokens
- Commercial data: subscription plan, payment method details (tokenised — full card numbers are never stored by BotWave), invoice history
- Configuration data: bot settings, flow configurations, knowledge base documents, working hours
3.2 End-Customer Data (Processor role)
When your WhatsApp bot operates, BotWave processes the following data about your customers strictly on your instruction:
- WhatsApp phone numbers (partially masked in system logs; stored in full in your conversation database)
- Message content (text bodies of inbound and outbound messages)
- Timestamps of messages and delivery events
- Detected language and confidence score (used to personalise responses)
- Conversation status (active, escalated, resolved)
- Opt-out status (contacts who have sent STOP keywords)
You are the data controller for your customers' data. You are responsible for ensuring you have a valid legal basis to process your customers' data via BotWave and for maintaining any required privacy notices with your customers.
3.3 Special Category Data
BotWave does not intentionally collect or process special category data (health, biometric, political, religious, or financial data). You must not configure bots to solicit such data from your customers.
4. Data Subject Rights
Individuals whose data we process have the following rights. The procedures for exercising them differ depending on the role in which we process data:
4.1 Rights as BotWave Account Holder
Submit requests directly to [email protected]. We will respond within 30 days.
- Right of Access (NDPR Article 3.1(5)) — Request a full export of your personal data
- Right to Rectification — Correct inaccurate data via your account Settings page or by contacting us
- Right to Erasure — Request deletion of your account and all associated data (subject to legal retention obligations)
- Right to Data Portability — Receive your conversation data in JSON or CSV format
- Right to Object — Object to processing based on legitimate interests
- Right to Restrict Processing — Request temporary restriction of processing while a dispute is resolved
4.2 Rights as End-Customer of a BotWave Bot
If you are a customer who interacted with a WhatsApp bot powered by BotWave, your data is controlled by the business that deployed that bot, not by BotWave directly. Please contact that business for data requests. BotWave will cooperate with legitimate requests forwarded to us by our customers (controllers).
You can also opt out of further messages from any BotWave-powered bot at any time by replying STOP to any message. This will immediately cease AI responses from that bot.
5. International Data Transfers
BotWave's primary infrastructure is hosted in Germany (EU) via Contabo GmbH. Your data benefits from EU-level data protection standards.
Certain sub-processors (Meta, Anthropic, Google, Paystack) operate in the United States. Data transferred to these processors is subject to the following safeguards:
- Standard Contractual Clauses (SCCs) as approved by the EU Commission
- Sub-processor Data Processing Agreements (DPAs) in place with all US-based processors
- Data minimisation — only the minimum data necessary is shared with each sub-processor
Message content sent to Anthropic's Claude AI model for generating bot responses is processed under Anthropic's zero-retention policy for API use — Anthropic does not train models on API prompt data.
6. Data Retention Schedule
| Data Category | Retention Period | Basis |
|---|---|---|
| Account registration data | Account lifetime + 90 days | Contract |
| Conversation & message data | 12 months from conversation date | Legitimate interests (customer service) |
| Knowledge base documents | Until user deletes + 7 days after account closure | Contract |
| Payment invoices & transaction records | 7 years | Legal obligation (FIRS) |
| Application access logs | 90 days | Legitimate interests (security) |
| Security incident records | 3 years | Legal obligation (NDPR) |
| Marketing consent records | Until consent withdrawn + 3 years | NDPR compliance |
| Opt-out records (STOP commands) | Indefinite (to honour the opt-out) | Legal obligation |
Automated deletion processes run weekly. Data scheduled for deletion is marked, quarantined for 7 days to allow error recovery, then permanently purged.
7. Technical & Organisational Security Measures
7.1 Technical Controls
- Encryption in transit: All traffic enforced over TLS 1.2+ (HSTS enabled). Certificate issued by Let's Encrypt, renewed automatically.
- Encryption at rest: Database encrypted using MySQL AES-256 encryption for sensitive fields; server-level disk encryption enabled
- Password hashing: bcrypt with cost factor 12 — passwords are never stored in plain text or reversible format
- API token security: Meta access tokens and API keys stored encrypted; never exposed in logs, error messages, or client-facing responses
- Network isolation: Database accessible only from localhost; no external port exposure; firewall allows only ports 80, 443, and 22 (restricted SSH)
- Rate limiting: Authentication endpoints rate-limited; bot message rate-limited to 10 replies/minute per account
- CSRF protection: Laravel's CSRF tokens enforced on all state-changing requests
- XSS protection: Output escaping enforced in all templates; Content Security Policy headers applied
- SQL injection prevention: Parameterised queries via Laravel Eloquent ORM — no raw user input in SQL
- Session security: HTTP-only, SameSite=strict session cookies; sessions stored server-side in database
7.2 Organisational Controls
- Access to production systems is restricted to authorised personnel on a need-to-know basis
- All team members with data access sign confidentiality agreements
- Production credentials are not stored in version control (Git) — enforced via .gitignore
- Regular security reviews and dependency audits using
composer auditandnpm audit - Automated database backups retained for 30 days with off-site replication
8. Sub-processors
We maintain an up-to-date list of approved sub-processors. Material changes to this list will be communicated to customers with at least 14 days' notice, providing the right to object.
| Sub-processor | Purpose | Data Shared | Location | DPA |
|---|---|---|---|---|
| Contabo GmbH | VPS hosting | All platform data (stored on their infrastructure) | Germany | ✅ |
| Meta Platforms Inc. | WhatsApp Business API | Phone numbers, message content (via webhook) | USA | ✅ |
| Paystack Inc. | Payment processing | Email, payment method (tokenised) | Nigeria/USA | ✅ |
| Anthropic PBC | AI response generation | Bot prompt + conversation context (anonymised) | USA | ✅ |
| Google LLC | reCAPTCHA v3 | IP address, browser fingerprint (sign-up only) | USA | ✅ |
9. Data Breach Procedure
In the event of a personal data breach, BotWave will:
- Detect & Contain — Immediately isolate the affected system and revoke compromised credentials
- Assess — Evaluate the scope, nature, and likely impact on data subjects within 24 hours
- Notify NITDA — Report to the National Information Technology Development Agency within 72 hours of confirming the breach, as required by NDPR Article 2.9
- Notify Affected Users — Contact affected users by email within 72 hours with details of: what happened, what data was affected, what we are doing about it, and steps you can take
- Remediate — Implement corrective measures to prevent recurrence
- Document — Maintain a full record of the breach, assessment, and response for regulatory purposes
To report a suspected security vulnerability, please email [email protected]. We operate a responsible disclosure policy and will respond within 48 hours.
10. NDPR Compliance Statement
BotWave processes personal data of Nigerian data subjects and is therefore subject to the Nigeria Data Protection Regulation (NDPR) 2019, issued by the National Information Technology Development Agency (NITDA) under the NITDA Act 2007.
Our NDPR compliance measures include:
- Appointment of a Data Protection Officer (DPO)
- Maintenance of a Data Processing Register documenting all processing activities
- Data Protection Impact Assessments (DPIAs) conducted for high-risk processing activities
- Staff training on data protection obligations and NDPR requirements
- Annual NDPR compliance audit (to be conducted by a NITDA-licensed data protection compliance organisation)
- Data subject request procedure with 30-day response commitment
- Lawful basis documented for all processing activities (see Section 2)
We are committed to full compliance with the NDPR and any subsequent regulations issued by NITDA. Our Data Protection Policy is reviewed annually or when material changes occur.
11. Data Protection Officer (DPO)
Our Data Protection Officer is responsible for overseeing BotWave's data protection strategy and implementation. Contact the DPO for:
- Data subject access requests
- Exercising any NDPR rights
- Concerns about how your data is being handled
- Data Processing Agreements (DPAs) for enterprise customers
- Reporting potential data breaches
Contact the DPO
📱 +234 703 152 5786 (WhatsApp)
🏢 BotWave, Lagos, Nigeria
We aim to respond to all DPO enquiries within 5 business days.
To escalate a complaint, you may contact the National Information Technology Development Agency (NITDA) at nitda.gov.ng or by post to NITDA, Plot 2 Gbadamosi Adewale Crescent, Maitama, Abuja, Nigeria.