Introduction

This Privacy Policy explains how WhatsDesk ("we", "our", or "us") collects, uses, shares, and protects personal information when you use our website, apps, and services, including our Shopify app (collectively, the "Services"). By using the Services, you agree to the practices described here. If you do not agree, please do not use the Services.

Scope

This Policy applies to information we process about:

(a) merchants and their staff who install and use the WhatsDesk app
(b) end customers who contact a merchant via WhatsDesk (for example, via widget, email, voice, or video)
(c) visitors to our website

Quick Summary

We process the minimum data needed to provide a voice- and video-first helpdesk for Shopify and other channels.
We store ticket content (including audio/video and transcripts) so teams can support their customers and maintain history.
We do not sell personal information. We use service providers and sub-processors to run the Services (e.g., hosting and payments).
Merchants control their workspace data. We offer internal tools to export, correct, and delete data, and honor legal requests under GDPR, CCPA/CPRA, and India's DPDP Act.

Definitions

Merchant: The Shopify store or organization that installs and administers WhatsDesk.
Agent/User: An individual invited by a Merchant to use WhatsDesk (e.g., support agent, admin).
Customer: An end user who interacts with the Merchant through WhatsDesk.
Personal Data: Any information relating to an identified or identifiable individual.
Processing: Any operation performed on Personal Data (collection, storage, use, disclosure, etc.).

Data We Collect

We collect and process the following categories of data:

Account & Org Data: Merchant name, store URL, contact details, login identifiers, team members, roles and permissions.
Billing Data: Plan, subscription status, billing contact, payment tokens and transaction metadata processed by our payment provider (see "Sub-processors"). We do not store full card numbers.
Ticket & Communication Data: Messages, email content and headers, attachments, public ticket links, timestamps, and status.
Audio, Video & Screen Clips: Voice notes, video replies, and lightweight screen recordings uploaded by Agents or Customers.
Transcripts & Translations: Machine-generated or human-edited transcripts of audio/video and translations for multilingual support.
Device & Usage Data: IP address, device and browser type, app version, log files, and events to maintain security and improve performance.
Cookies & Similar Tech: Cookies or local storage to keep you signed in, remember preferences, and measure usage (see "Cookies").

How We Collect Data

Directly from you (e.g., when creating an account, sending a ticket, recording a voice or video reply).
Automatically via the app or browser (e.g., logs, diagnostics, and usage).
From third-party platforms you connect (e.g., Shopify, email).

How We Use Data

Provide, operate, and secure the Services (including recording, storing, and delivering audio/video and transcripts).
Authenticate users, manage accounts, billing, and plan limits (e.g., included audio/video minutes).
Facilitate communications between Merchants and Customers, including email routing and public ticket links.
Monitor quality, debug issues, and prevent fraud or abuse.
Improve and develop features (for example, translation quality and voice/video reliability).
Send service-related messages (e.g., onboarding tips, policy updates, security notices).
Comply with legal obligations and enforce our terms.

Legal Bases (where applicable)

Contract: processing necessary to provide the Services to Merchants.
Legitimate interests: ensuring security, improving the Services, and supporting users in ways expected and proportionate.
Consent: where required for certain optional features (e.g., marketing emails) or local law.
Legal obligations: complying with requests from authorities or retaining records as required by law.

How We Share Information

With service providers and sub-processors who help us operate the Services (hosting, storage, analytics, payments, email delivery, customer support).
With the Merchant and its authorized users within the same workspace.
With authorities or other parties when we believe it's necessary to comply with law, protect rights, or prevent harm.
In connection with a business transaction (e.g., merger or acquisition), subject to safeguards.

Sub-processors

We engage third parties to process Personal Data on our behalf for limited purposes. Key sub-processors include:

Infrastructure & Storage: Amazon Web Services (AWS) — hosting, databases, and object storage.
Payments: Dodo Payments — subscription processing and related payment operations.
Email Delivery: Email service provider (e.g., Amazon SES or equivalent) — transactional emails.
Error Monitoring & Logs: Monitoring provider(s) — application diagnostics and uptime monitoring.
Analytics: Privacy-respecting product analytics provider(s) — usage trends and feature adoption.

We maintain an up-to-date list of sub-processors and will provide notice of material changes as required by law.

Shopify App Specific Disclosures

Data Access

When you install the WhatsDesk app, we access Shopify data strictly necessary to provide the Services. This may include basic store information and customer/order references to give context in tickets.

Use of Shopify Data

We use Shopify data solely to provide and improve the Services for the Merchant who installed the app. We do not sell Shopify data.

Uninstall & Data Deletion

When you uninstall the app, we automatically revoke future access. We delete or anonymize Personal Data that we no longer have a legal basis to retain, typically within 48 hours for access tokens and within 30 days for ticket data unless a longer period is required by law or expressly requested by the Merchant.

Shopify Redaction Requests

We honor Shopify's mandatory webhooks for customer data erasure, data access, and shop redaction, and will fulfill such requests within the timelines required by Shopify and applicable law.

Data Retention

We retain Personal Data for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce agreements. Default retention periods include:

Tickets, messages, and attachments: Until the Merchant deletes them or 24 months after ticket closure, whichever is earlier, unless retention is required by law.
Audio, video, and screen clips: 12 months by default; Merchants may delete earlier from within the workspace.
Transcripts and translations: Same as the associated ticket or clip.
Account and billing records: As required by tax and accounting laws (typically 7 years).
Diagnostic logs: Up to 12 months, unless needed for security investigations.

Security

We use administrative, technical, and physical safeguards designed to protect Personal Data, including encryption in transit (TLS), encryption at rest, access controls, least‑privilege permissions, network isolation, and regular backups.

Important: No method of transmission or storage is 100% secure; we encourage Merchants to use role‑based access and strong authentication.

International Data Transfers

If Personal Data is transferred across borders, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or other mechanisms permitted by applicable law. By using the Services, you authorize us to process and store data in regions where we or our service providers operate.

Your Privacy Rights

Access, correction, deletion, and portability of Personal Data, subject to applicable law.
Objection or restriction to certain processing, where permitted.
Withdrawal of consent where processing is based on consent.
Nondiscrimination for exercising privacy rights (for California residents).

Requests are generally routed through the Merchant as the data controller for Customer data. Merchants may contact us to assist with fulfilling requests.

Cookies & Tracking

We use cookies and similar technologies to operate the Services (e.g., session management, authentication), remember preferences, and measure usage. You can control cookies through your browser settings; disabling cookies may limit functionality.

Children's Privacy

The Services are not directed to children under the age of 13 (or higher age where required by local law). We do not knowingly collect Personal Data from children. If you believe a child has provided Personal Data to us, please contact us so we can take appropriate action.

India (DPDP Act) Disclosures

For users in India, we comply with the Digital Personal Data Protection Act, 2023 (DPDP). We acknowledge complaints within a reasonable period and aim to resolve them within 30 days.

Grievance Officer: Chief Product Officer

Email: support@whatsdesk.com

EU/EEA & UK Disclosures (GDPR/UK GDPR)

Where the GDPR or UK GDPR applies, WhatsDesk is generally a processor of Customer Personal Data on behalf of the Merchant (the controller). For Merchant account data, WhatsDesk is a controller. We can provide a Data Processing Addendum (DPA) on request.

California (CCPA/CPRA) Disclosures

We do not sell or share Personal Data for cross‑context behavioral advertising. We process Personal Data for the business purposes described in this Policy. California residents can exercise their rights as described above.

Data Deletion and Export

Merchants may delete tickets, clips, and users from the workspace at any time. Upon termination, we will delete or anonymize Personal Data that we no longer have a legal basis to retain, following the timelines noted above. Exports of ticket history can be requested by the Merchant.

Changes to This Policy

We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, where appropriate, provide additional notice.

WhatsDesk Privacy Policy