
Privacy Policy

For WhatSnap LLC · BYOD self-serve.

Effective May 19, 2026


1. Who we are

WhatSnap LLC ("WhatSnap," "we," "us," "our") is a Wyoming limited liability company at 30 N Gould Street, Suite R, Sheridan, WY 82801, United States.

We operate the WhatSnap software-as-a-service offering described in our Terms of Service — a messaging infrastructure platform that bridges customer-owned devices and messaging accounts (iMessage, SMS, WhatsApp, Twilio) to GoHighLevel and other supported customer relationship management systems.

This Privacy Policy explains how we collect, use, share, and protect personal data when you (a) visit our websites, including whatsnap.ai and app.whatsnap.ai; (b) sign up for, use, or administer the Services; (c) communicate with us by email, chat, or phone; or (d) attend our events, webinars, or demos.



2. Two distinct roles: controller and processor

WhatSnap holds two different roles depending on the data category:

2.1 We act as a controller

We are an independent data controller for personal data we collect about visitors, prospects, customers, and authorized users in connection with operating our business — for example, your name, business email, billing address, account credentials, support tickets, website analytics, and marketing preferences. For this data, we determine the purposes and means of processing.

2.2 We act as a processor

We act as a processor (or, in CCPA terms, a "service provider") on behalf of our Customer when we transmit, replicate, and store the message content, attachments, and Recipient phone numbers and identifiers that Customer routes through the Services. Customer is the controller of that data — Customer determines (i) who to contact, (ii) what to say, (iii) when to send, and (iv) whether the Recipient has given the required consent.

Where we act as a processor:

  • we process the data only on documented instructions from Customer (the instructions are embedded in Customer's use of the Services and in any signed Data Processing Addendum);
  • we do not sell, lease, or rent it; we do not use it for our own marketing; we do not use it to train general-purpose machine-learning models;
  • we apply the security commitments in Section 6; and
  • on termination of the Customer's account, we delete or return the data in accordance with Section 7 and the DPA.

Customer — not WhatSnap — is responsible for obtaining the consent of, and providing notice to, the people Customer messages through the Services. Customer warrants this responsibility under Section 5.2 of the Terms. If you are a Recipient who received a message routed through WhatSnap and want to exercise privacy rights regarding that message, your first contact should be the business that messaged you. WhatSnap will reasonably cooperate with that business to action your request, and where required by law will action it directly (see Section 8).


3. Categories of personal data we collect

3.1 Information you give us directly

  • Account and profile. Name, business email, phone number, company name, role, password (hashed).
  • Billing. Billing name, billing address, last four digits of payment card and card type. Full card numbers are collected and stored by our PCI-DSS-compliant payment processor (Stripe); we do not see or store full PAN data.
  • Communications. Support tickets, chat messages with us, recorded sales or onboarding calls (with consent), emails.
  • Marketing. Preferences, event-registration data, survey responses.

3.2 Information collected automatically

  • Usage. Pages viewed, features used, clicks, search queries, timestamps, referring/exiting URLs, language, time zone.
  • Device and network. IP address (used for approximate location at city/country level, fraud prevention, rate limiting), browser type and version, operating system, screen size, device identifiers, performance metrics.
  • Cookies and similar technologies. First-party and third-party cookies and similar identifiers; see Section 9.
  • Telemetry from the WhatSnap Agent / mobile clients. Connection status, line health, message-queue depth, error codes. We collect this to deliver and support the Service.

3.3 Information we process on Customer's behalf (processor role)

When Customer uses the Services to send or receive messages:

  • Message content (body text, attachments such as images, audio, video, documents) routed between Customer Devices and the supported CRM.
  • Message metadata (sender line, recipient identifier, timestamps, delivery status, read receipts where available, channel — iMessage / SMS / WhatsApp / Twilio).
  • Recipient personal data (phone number, Apple ID / WhatsApp profile name where the channel exposes it).
  • Customer's contact records and tags routed through the CRM bridge.

We process this data only to operate the Service for Customer (Section 2.2).

3.4 Information from third parties

  • CRM and integration partners. When Customer connects GoHighLevel (or another supported CRM), we receive limited account, sub-account, conversation, and contact data necessary to operate the bridge.
  • Authentication providers. If you sign in via Google or another SSO, we receive your identifier and email from that provider.
  • Payment processors. Stripe shares last four digits, card brand, billing country, and transaction status with us.
  • Analytics and advertising partners. Aggregate data on referrals and ad conversions.

3.5 Sensitive personal data

We do not knowingly collect sensitive personal data (e.g., racial or ethnic origin, religion, genetic data, biometric data, health information, sexual orientation, immigration status, precise geolocation, financial account login credentials). Customer must not transmit such data through the Services unless Customer has independent legal authority to do so and, where the data is Protected Health Information, only under a separate Business Associate Agreement (see Section 5.5 of the Terms).


4. How we use personal data

| Purpose | Legal basis (GDPR / UK GDPR) |
|---|---|
| Provide and operate the Services; replicate messages between Customer Devices and CRM; authenticate Users; bill for usage | Performance of a contract (Art. 6(1)(b)) |
| Customer support, error investigation, account administration | Performance of a contract / legitimate interests (Art. 6(1)(b), (f)) |
| Security, fraud prevention, abuse detection, rate limiting, IP-based geolocation | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) where applicable |
| Product analytics, aggregated usage statistics, service improvement | Legitimate interests (Art. 6(1)(f)) |
| Marketing and product communications (newsletters, feature announcements) | Consent (Art. 6(1)(a)); legitimate interests for existing customers under "soft opt-in" rules |
| Tax, accounting, audit, regulatory recordkeeping | Legal obligation (Art. 6(1)(c)) |
| Responding to legal process, defending claims, enforcing the Terms | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |

For data we process as a processor on Customer's instructions (Section 2.2), the legal basis sits with Customer as controller, not with us.

We do not use Customer Data, message content, or Recipient personal data to train general-purpose machine-learning models. We may use aggregated, de-identified statistics to improve the Service.


5. How we share personal data

We share personal data only with the categories of recipients listed below, and only as needed for the purposes in Section 4.

5.1 Subprocessors and service providers

We engage trusted third parties that process personal data on our behalf under written contracts that require appropriate confidentiality and security. Categories include:

  • Cloud hosting and infrastructure (e.g., AWS, Google Cloud, Cloudflare)
  • Database and storage (e.g., managed PostgreSQL/Redis/object storage providers)
  • Payment processing (Stripe)
  • Transactional email and notifications (e.g., Postmark, Resend, or equivalent)
  • Customer-support tooling (e.g., Intercom, HelpScout, or equivalent)
  • Error monitoring and observability (e.g., Sentry, Datadog, or equivalent)
  • Product analytics (e.g., PostHog, Mixpanel, or equivalent)
  • Carrier and platform APIs (Twilio, where Customer configures it)
  • Tax compliance (e.g., Stripe Tax, Avalara, or equivalent)

A current and complete list of subprocessors is maintained at whatsnap.ai/legal/subprocessors and is updated when subprocessors are added or replaced. Customers may subscribe to changes via that page.

5.2 GoHighLevel and other CRM platforms

Where Customer connects a CRM, we exchange the data necessary to operate the bridge with that CRM under the CRM's own privacy and security commitments. The CRM is acting as an independent processor for Customer, not as our subprocessor.

5.3 Carriers, aggregators, and messaging platforms

Outbound messages, by definition, must be transmitted through the relevant carrier or platform (Apple iMessage / iCloud, Meta WhatsApp, the cellular carrier connected to the Customer's SIM, the Twilio API, etc.). We have no separate contractual privacy relationship with these third parties beyond the standard terms imposed by them. Their handling of message content is governed by their own privacy policies.

5.4 Professional advisers and acquirers

We may share personal data with our legal, accounting, audit, banking, and insurance advisers. If WhatSnap is involved in a merger, acquisition, financing, reorganization, sale of all or substantially all assets, or bankruptcy, personal data may be transferred to the counterparty or acquirer subject to commitments at least as protective as this Policy.

We may disclose personal data when we believe in good faith that disclosure is required by law, regulation, court order, subpoena, or other legal process, or to protect the rights, property, or safety of WhatSnap, our customers, or others.

For any other sharing, we will ask for your consent first.

5.7 We do not sell personal data for money

We do not sell personal data for money. Certain disclosures involving advertising cookies on the marketing site (whatsnap.ai) may be considered a "sale" or "sharing" under the California Consumer Privacy Act / California Privacy Rights Act and analogous state laws. You may opt out as described in Section 8.4.


6. Security

We use administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction, including:

  • TLS in transit and at-rest encryption for stored data (where supported by the storage layer)
  • Role-based access control with least-privilege principles for our personnel
  • Multi-factor authentication for production system access
  • Logging and monitoring of administrative access
  • Regular vulnerability scanning and dependency updates
  • Annual security reviews and penetration testing by a third party
  • Documented incident-response process

No method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, and you use the Services at your own risk to the extent permitted by law.

In the event of a security breach affecting personal data, we will notify affected Customers and regulators as required by applicable law (including the California breach-notification statute, GDPR Art. 33–34 where we act as controller or as processor in support of a controller, and analogous state and international statutes).


7. How long we keep personal data

| Data category | Retention period |
|---|---|
| Account and profile data | For the life of the account, plus thirty-six (36) months after closure (audit, dispute resolution, recordkeeping). Earlier on verified deletion request, except where retention is required by law. |
| Message content and attachments routed through the Services (processor role) | For the duration of the Customer's subscription. On account closure, deleted or anonymized within ninety (90) days, except where (i) Customer has executed an Order Form requiring different retention, (ii) retention is required to comply with legal, regulatory, or audit obligations, or (iii) data is subject to active legal hold. |
| Billing and tax records | Seven (7) years to comply with U.S. tax and financial-recordkeeping requirements. |
| Security and audit logs | Raw logs: ninety (90) days. De-identified or aggregated security signals may be retained longer for fraud-trend analysis. |
| Support tickets and communications | Five (5) years from last interaction. |
| Marketing data | Until you unsubscribe, plus a suppression record retained indefinitely so we do not re-message you. |
| Aggregated, de-identified data | May be retained indefinitely. |

If you exercise a deletion right under Section 8, we will action it within the period required by applicable law (typically 30–45 days). Some data may persist in encrypted backup snapshots until those snapshots are rotated according to our backup retention policy (currently up to 35 days).


8. Your rights

The rights below are conditional on applicable law. Where a stricter standard applies, we apply it.

8.1 GDPR / UK GDPR rights (EEA, UK, Switzerland)

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion, subject to legal-retention exceptions.
  • Restriction — request that we limit processing in certain circumstances.
  • Portability — receive a machine-readable copy of data you provided.
  • Objection — object to processing based on legitimate interests, including direct marketing.
  • Withdrawal of consent — where processing is consent-based, you may withdraw at any time without affecting prior processing.
  • Lodge a complaint — with your local supervisory authority. We invite you to contact us first.

For data we process as a processor on Customer's behalf (message content, Recipient phone numbers), contact the business that sent or received the message first; we will reasonably cooperate.

8.2 California (CCPA / CPRA)

California residents may request:

  • the categories and specific pieces of personal information we have collected, disclosed, sold, or shared in the prior 12 months;
  • correction of inaccurate personal information;
  • deletion (subject to statutory exceptions);
  • to opt out of "sale" or "sharing" (we honor browser Global Privacy Control signals as a valid opt-out where applicable);
  • to limit use and disclosure of any sensitive personal information.

We do not discriminate against California residents for exercising rights.

8.3 Other U.S. state privacy laws

We extend equivalent rights — access, deletion, correction, portability, opt-out of targeted advertising and sale where applicable — to residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, and Delaware, to the extent required by those statutes.

8.4 How to make a request

Email [email protected] from the email address associated with your data (or, if you are a Recipient, with enough information for us to find you) and describe the right you want to exercise. We will verify your identity using account information and may request additional verification for sensitive requests. Authorized agents are accepted with written authorization. We will respond within the period required by applicable law (typically 30–45 days, extendable as the statute allows).

8.5 Marketing opt-out

Every commercial email we send includes an unsubscribe link. You can also email [email protected]. Opting out of marketing does not affect transactional or service messages (security alerts, billing notices, change-of-terms notices).

8.6 Do Not Track and Global Privacy Control

We do not currently respond to Do Not Track browser signals because no industry consensus exists for how to interpret them. We honor Global Privacy Control (GPC) signals from supporting browsers as a valid opt-out of "sale" and "sharing" under U.S. state privacy laws to the extent required.


9. Cookies and similar technologies

We use cookies, pixels, web beacons, and similar technologies on our websites to (a) keep you signed in; (b) remember preferences; (c) measure traffic and engagement; (d) measure marketing campaign performance; (e) prevent fraud and abuse. Categories:

  • Strictly necessary — required to operate the Services and cannot be disabled.
  • Functional — remember preferences and improve the experience.
  • Analytics — help us understand how the Service is used.
  • Marketing — measure ad performance on third-party platforms (e.g., LinkedIn, Google, Meta).

You can manage cookies through your browser, our cookie banner (where shown — required in the EU/UK and California), or industry opt-outs at youronlinechoices.eu or optout.aboutads.info.


10. International data transfers

WhatSnap is headquartered in the United States and our primary infrastructure is in the United States. If you access the Services from outside the United States, your data will be transferred to, stored in, and processed in the United States and other jurisdictions where our subprocessors operate.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the EU Standard Contractual Clauses (Module 2 for controller-to-processor, Module 3 for processor-to-processor), the UK International Data Transfer Addendum (IDTA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) approved equivalents, as applicable. Where additional supplementary measures are required (post-Schrems II), we apply technical (encryption, pseudonymization) and contractual safeguards. Copies of the relevant SCCs are available on request at [email protected].


11. Children

The Services are not directed to and are not intended for children under sixteen (16). We do not knowingly collect personal data from children under sixteen. If you believe a child has provided us personal data, contact [email protected] and we will delete it.


12. Automated decision-making

We do not engage in solely automated decision-making that produces legal or similarly significant effects on individuals under Article 22 of the GDPR.


13. Direct-marketing messages to Recipients

WhatSnap never sends marketing messages to Recipients on its own initiative. Every message routed through the Service is sent by Customer, from Customer's own device or messaging account, to a Recipient that Customer has selected and (per the Terms and AUP) has obtained consent from. Recipients should direct privacy or unsubscribe requests to the business that messaged them; we will reasonably cooperate.


14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Non-material changes are effective on posting. Material changes (changes to data categories, sharing categories, or your rights) take effect no earlier than thirty (30) days after we post the updated Policy and notify Customer's account administrator by email. The "Last revised" date at the top reflects the most recent update.


15. Contact

WhatSnap LLC — Attn: Privacy
30 N Gould Street, Suite R
Sheridan, WY 82801
United States

If you are an EU/UK resident and we cannot resolve your concern, you have the right to lodge a complaint with your local supervisory authority. For Wyoming residents, complaints may be directed to the Wyoming Attorney General.
