Privacy Policy
Last updated: March 26, 2026
This Privacy Policy describes how ZapClaw ("ZapClaw", "we", "us", or "our") collects, uses, stores, and protects the information of users ("you") when using our services, including our website (zapclaw.app) and software platform.
ZapClaw is a SaaS platform that provides a lightweight WhatsApp message gateway, connecting business phone numbers to the official Meta Cloud API and bridging messages to/from external systems via webhooks and REST API.
By signing up for ZapClaw or using it in any way, you agree to the terms of this Privacy Policy. If you do not agree, you should not use ZapClaw.
1. Our Commitment to Privacy and Data Protection
At ZapClaw, your data privacy and security are our top priority. We operate in full compliance with the Brazilian General Data Protection Law (LGPD), Law No. 13,709 of August 14, 2018, and applicable international privacy regulations. We are committed to limiting data processing to the minimum necessary to fulfill our purposes, ensuring that your information is secure and used responsibly.
2. Data We Collect
To provide our services, ZapClaw may collect the following information:
2.1 Registration Information
When creating your account, we request data such as company name, email address, and password for authentication purposes.
2.2 Usage Data
We collect information about how you interact with our platform, such as features used, session duration, and navigation data. This helps us improve the user experience and optimize our services.
2.3 WhatsApp Business Data
When you connect your WhatsApp Business number to our platform via Meta's Embedded Signup, we receive and store:
- Phone number identifier (phone_number_id)
- WhatsApp Business Account identifier (waba_id)
- Access token — stored encrypted with AES-256-GCM
This data is necessary for us to send and receive messages on your behalf through the official Meta WhatsApp Business API.
2.4 Message Content
ZapClaw is a tool for managing and routing WhatsApp messages. We are not responsible for the content of messages you send or receive through the platform. Message content is the sole responsibility of the user. While we may have technical access to this data for service functionality (such as webhook forwarding), ZapClaw does not actively monitor the content of your communications and does not use them for purposes beyond the contracted service.
2.5 Webhook Data
We receive notifications from Meta about message delivery status (sent, delivered, read) and incoming messages from your customers. This data is processed to display information on your dashboard and to forward events to your configured webhook URL.
3. Use of Information
We use the collected information exclusively for the following purposes:
- Service Provision and Maintenance: To operate, maintain, and improve ZapClaw, ensuring it functions correctly and you have access to all contracted features.
- Message Routing: To forward inbound WhatsApp messages to your configured webhook URL and to send outbound messages via the Meta Cloud API on your behalf.
- User Communication: To send important notifications about the service, updates, and information related to your account.
- Platform Security: To protect ZapClaw and its users against fraudulent activities, misuse, and unauthorized access.
- Legal Compliance: To comply with legal and regulatory obligations.
4. Legal Basis for Data Processing
Under the LGPD, your personal data is processed based on the following legal grounds:
- Contract execution: Data is necessary for the provision of services contracted by you.
- Consent: For specific purposes, such as marketing communications, we will request your express consent.
- Legitimate interest: To improve our services and ensure platform security.
- Legal obligation: To comply with legal and regulatory requirements.
5. Confidentiality and Data Security
ZapClaw maintains the confidentiality of received data and will not use it for any purpose other than providing our services.
We adopt technical and organizational measures to prevent unauthorized alteration, loss, or access to personal data, including:
- AES-256-GCM encryption for access tokens and sensitive data at rest
- HTTPS/TLS communications in transit
- JWT-based authentication and access control
- Complete data isolation between different customer accounts (multi-tenant)
- Meta webhook signature validation (X-Hub-Signature-256)
- API key authentication with SHA-256 hashing (keys are never stored in plain text)
While we work to preserve the integrity and security of your personal information, no system is 100% secure. You are responsible for keeping your credentials private and should inform us immediately of any unauthorized use of your account.
6. Information Sharing
ZapClaw does not sell your personal information. We may share your data only in the following situations:
- Meta Platforms, Inc.: We share necessary data with Meta for the functioning of the WhatsApp Business API, in accordance with the WhatsApp Business Terms of Service.
- Webhook Forwarding: When you configure a webhook URL, inbound messages and status updates are forwarded to that URL. You are responsible for the security of your webhook endpoint.
- Service Providers: We may share information with third parties that provide services on our behalf (e.g., hosting services), provided these third parties commit to protecting your information.
- Legal Requirement: We may disclose your information if required by law, court order, or legal process.
7. Data Retention
We will retain your personal information only for the time necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting obligations.
After cancellation of your account, your data will be retained for 30 days for recovery purposes and then permanently deleted, except when retention is required by law.
8. Your Rights as Data Subject
In compliance with the LGPD, you have the following rights:
- Access: Obtain confirmation of data processing and access to the personal data we hold about you.
- Rectification: Request correction of incomplete, inaccurate, or outdated data.
- Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary or excessive data.
- Portability: Request the portability of your data to another service provider.
- Deletion: Request the deletion of personal data processed based on consent.
- Revocation of Consent: Revoke consent for data processing at any time.
To exercise any of these rights, contact us at contato@zapclaw.app or through the Data Deletion page.
9. Cookies and Similar Technologies
Our site may use essential cookies for platform functionality (such as session and authentication cookies). We do not use third-party tracking cookies for advertising.
10. International Data Transfer
Your data may be processed on servers located outside Brazil. When this occurs, we ensure that the transfer is carried out in accordance with the LGPD, with adequate protection measures.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes through our communication channels. Continued use of our services after publication of changes constitutes acceptance of the new terms.
12. Contact
If you have any questions about this Privacy Policy or ZapClaw's privacy practices, contact us:
- Email: contato@zapclaw.app