Privacy Policy

Last updated:

BotWave ("we", "our", "us") operates botwave.ng — a WhatsApp AI automation platform for Nigerian businesses. This Privacy Policy explains how we collect, use, store, and protect your personal data. By using BotWave, you agree to the practices described here.

We comply with the Nigeria Data Protection Regulation (NDPR) 2019, the NITDA Act 2007, and applicable sections of the General Data Protection Regulation (GDPR) where relevant to international users.

1. Information We Collect

1.1 Account Registration

When you create a BotWave account, we collect:

  • First name, last name, and business name
  • Email address and password (stored as a bcrypt hash)
  • Phone number (E.164 format, used to verify WhatsApp access)
  • Business type and sector
  • IP address and browser user-agent at registration

1.2 Platform Usage Data

As you use BotWave, we automatically collect:

  • Dashboard activity and feature usage (bot creation, conversation counts, settings changes)
  • Error logs, performance metrics, and diagnostic data
  • Subscription status, payment history, and billing events from Paystack
  • API request logs (timestamps, endpoints, response codes — no message content in API logs)

1.3 WhatsApp Conversation Data

When your customers message your bot, we process and store on your behalf:

  • Customer WhatsApp phone numbers (partially masked in logs; stored in full in your conversations database)
  • Inbound message content and timestamps
  • Bot responses generated by our AI service
  • Conversation metadata: language detected, escalation status, resolution time
  • Media message references (image/audio IDs from Meta — content is not downloaded or stored by BotWave)

1.4 Data You Provide

  • Knowledge base content (documents, URLs, text) you upload to train your bots
  • Bot flow configurations and greeting messages
  • Agent profiles and working hours settings
  • Broadcast campaign content and recipient lists

2. How We Use Your Data

We use the data we collect to:

  • Deliver the service — route incoming WhatsApp messages to the correct bot, generate AI responses, and deliver them back to your customers
  • Manage your account — authenticate logins, enforce subscription limits, and process payments via Paystack
  • Improve the platform — analyse aggregated, anonymised usage patterns to build better features
  • Send transactional emails — welcome emails, invoice receipts, and critical service notifications (you cannot opt out of these)
  • Comply with legal obligations — respond to valid regulatory requests and maintain required records
  • Prevent fraud and abuse — detect account sharing, API abuse, and policy violations

We do not sell your personal data to third parties. We do not use your customer conversations for advertising profiling.

3. WhatsApp & Meta Data

BotWave integrates with the WhatsApp Business Platform (Meta Cloud API). When you connect a WhatsApp Business number to BotWave:

  • Your Phone Number ID and WhatsApp Business Account ID (WABA ID) are stored on our servers to route messages correctly
  • Your Meta Access Token is stored encrypted at rest and is never exposed in logs or API responses
  • Inbound messages are received via Meta's webhook and immediately dispatched to our processing queue — they are not stored on Meta's behalf beyond what Meta's own platform retains
  • Outbound messages are sent via the Meta Graph API; delivery receipts (sent/delivered/read) are logged but message content is not re-stored from receipts

Meta's own data practices are governed by the WhatsApp Privacy Policy and Meta Privacy Policy. We encourage you to review those documents as they apply to your use of WhatsApp Business.

4. Data Sharing

We share data only with the following categories of sub-processors, under strict data processing agreements:

| Sub-processor | Purpose | Location |
|---|---|---|
| Contabo GmbH | Cloud server hosting (VPS) | Germany / EU |
| Meta Platforms Inc. | WhatsApp Business API delivery | USA |
| Paystack Inc. | Payment processing | Nigeria / USA |
| Anthropic PBC | AI language model (Claude) for bot responses | USA |
| Google LLC | reCAPTCHA v3 (bot detection on sign-up) | USA |
| Bunny CDN | Font delivery | EU |

We may also disclose your data when required by Nigerian law, court order, or NITDA directive.

5. Data Retention

  • Account data — retained for the lifetime of your account plus 90 days after closure
  • Conversation & message data — retained for 12 months from the date of the conversation; you may delete individual conversations from your dashboard at any time
  • Knowledge base content — retained until you delete it; deleted within 7 days of account closure
  • Payment records — retained for 7 years as required by Nigerian financial regulation (FIRS Act)
  • Access logs — retained for 90 days, then automatically purged

6. Your Rights Under the NDPR

Under the Nigeria Data Protection Regulation 2019 and applicable law, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to correct inaccurate or incomplete data
  • Erasure — request deletion of your data (subject to legal retention obligations)
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — ask us to limit how we process your data in certain circumstances
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on your consent, you may withdraw it at any time

To exercise any of these rights, email [email protected]. We will respond within 30 days as required by the NDPR.

You also have the right to lodge a complaint with the National Information Technology Development Agency (NITDA) if you believe your data has been mishandled.

7. Security

We implement the following technical and organisational measures to protect your data:

  • All data in transit is encrypted using TLS 1.2+ (HTTPS enforced site-wide)
  • Sensitive credentials (API tokens, payment keys) are encrypted at rest using AES-256
  • Passwords are hashed using bcrypt (cost factor 12) — we never store plain-text passwords
  • Database access is restricted to the application server via localhost only (no external port exposure)
  • Two-factor authentication is available for admin accounts
  • Regular automated backups with off-site storage
  • All staff with data access operate under confidentiality obligations

No system is 100% secure. In the event of a data breach that affects your personal data, we will notify you within 72 hours of discovery, as required by the NDPR.

8. Cookies & Local Storage

BotWave uses the following cookies:

  • Session cookie (botwave_session) — strictly necessary; maintains your login session. Expires when you close your browser or after 120 minutes of inactivity
  • CSRF token (XSRF-TOKEN) — strictly necessary; prevents cross-site request forgery
  • reCAPTCHA cookies — set by Google on the registration page to detect bots; governed by Google's Privacy Policy

We do not use advertising, analytics, or tracking cookies.

9. Children's Privacy

BotWave is a B2B platform intended for business use. We do not knowingly collect personal data from individuals under the age of 18. If you become aware that a minor has provided us with personal data, please contact [email protected] and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email (to the address on your account) and by posting a prominent notice on the BotWave dashboard at least 14 days before the change takes effect. Your continued use of the service after the effective date constitutes acceptance of the updated policy.

11. Contact Us

For privacy enquiries, data subject requests, or concerns, contact our Data Protection Officer: