Privacy Policy
Last updated: April 22, 2024
1. Who We Are
AttendSure ("Company," "we," "our," or "us") connects your calendar to WhatsApp and Stripe to send confirmations and reminders and optionally collect deposits for appointments.
2. Scope
This Privacy Policy explains how we collect, use, disclose, and secure:
- "Customer/Workspace Data" – information you provide when creating and configuring your workspace (e‑mail, name, business details, timezone, reminder rules).
- "End‑Client Data" – your customers’ contact and appointment details used to deliver WhatsApp confirmations and reminders (e.g., name, phone number, appointment time, service).
- "Usage Data" – device info, IP, logs, and analytics related to how you use the site and app.
3. What We Collect & Why
| Category | Examples | Purpose | Legal Basis (GDPR) |
|---|---|---|---|
| Account & Auth Data | Name, e‑mail, auth identifiers (e.g., OAuth), language/timezone | Create & secure your workspace | Contract (Art 6-1-b) |
| Billing Data | Billing address, last-4 of card, Stripe customer/subscription IDs | Process payments & send invoices | Contract / Legitimate Interest |
| Calendar & End‑Client Data | Appointment time, service, attendee name and phone; external event IDs; consent status; button interactions; delivery/read status | Deliver confirmations/reminders in WhatsApp and manage deposits | Processor role – you supply lawful basis |
| Usage & Device Data | IP address, browser, pages, error logs, API call metadata | Improve service, prevent abuse, analytics | Legitimate Interest |
| Cookies / Local Storage | Session token, feature flags | Keep you logged in, remember settings | Consent (where required) |
4. How We Use Information
- Operate and improve the AttendSure service
- Authenticate users and secure accounts
- Send confirmations/reminders in WhatsApp using your approved templates
- Provide Stripe payment links for deposits and record status
- Send transactional e‑mails (onboarding, billing, security notices)
- Respond to support requests and improve the product
- Only send WhatsApp messages to end‑clients who have provided prior opt‑in consent
We do not use End‑Client Data for advertising, profiling outside the scope of the service, or sell it to third parties. We do not engage in automated decision‑making with legal or similarly significant effects beyond scheduling reminders and operational messaging you configure.
5. Our Role Under GDPR
- Data Processor for End‑Client Data – you are the Controller and must ensure lawful grounds (e.g., explicit opt‑in to receive WhatsApp messages).
- Data Controller for Customer/Workspace and Usage Data – we are the Controller and responsible for that information.
We only send WhatsApp messages to end‑clients who have explicitly opted in to receive WhatsApp communications from your business.
6. When We Share Information
| Recipient | Reason | Safeguards |
|---|---|---|
| Infrastructure Providers (e.g., AWS eu-north-1) | Hosting, databases, file storage | Standard contractual clauses, encryption at rest and in transit |
| Meta (WhatsApp Business Platform) | Message delivery over WhatsApp Business Cloud API; processed solely to deliver messages on our behalf; Meta may retain message content for up to 30 days to ensure delivery and troubleshoot issues | SCCs; WhatsApp Business policies |
| Stripe, Inc. | Payment processing | PCI-DSS compliant; we never store full card details |
| Google APIs | Calendar sync (OAuth) | OAuth 2.0; limited-scope access |
| Email Service (MailerSend / SES) | Transactional e-mails | Vendor DPA |
| Managed Redis/Queue (Upstash) | Background jobs and scheduling | EEA region where available |
| Legal or law enforcement | Where required by law | We'll notify you unless legally prohibited |
We never allow sub-processors to use the data for their own purposes.
7. International Data Transfers
We store data in the European Union. When we transfer data outside the EEA (e.g., to Stripe US or Meta), we rely on Standard Contractual Clauses and, where applicable, the EU‑US Data Privacy Framework adequacy decision.
8. Security
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- Role-based access controls, least-privilege keys
- Regular penetration tests and automated vulnerability scans
- Continuous backups with 30-day retention
9. Data Retention & Deletion
- End‑Client messaging and delivery metadata – retained per your workspace retention setting (default 90 days).
- Account & Billing Data – retained for the life of your account and up to 6 years for tax/audit obligations.
- You may request deletion of all End‑Client data in Settings → Legal & Compliance; we complete the wipe within 24–72 hours (including sub‑processors).
- Archived encrypted backups roll off after 30 days.
Facebook/Meta Login data deletion: If you used Facebook Login for Business to access AttendSure, you can remove our app and request deletion of associated data by removing AttendSure in your Facebook settings (Settings → Apps and Websites) or by visiting Facebook Apps & Websites settings. You can also e‑mail us at privacy@attendsure.com to request deletion.
Note: We cannot delete message content from a recipient's personal WhatsApp app; deletion applies to records stored in our systems and sub‑processors under our control.
10. Your Rights
Depending on your jurisdiction, you may have rights to: access, correct, delete, restrict processing, port data, object to processing, or lodge a complaint with a supervisory authority.
Email privacy@attendsure.com to exercise any of these rights; we respond within 30 days.
11. Cookies & Analytics
We use strictly‑necessary cookies for authentication and preferences. We do not use invasive analytics at MVP stage. If we add non‑essential analytics later, we will present a consent banner and update our Cookie Notice.
12. Children's Privacy
The service is not directed to anyone under 16. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this Policy from time to time. We will post the new version on this page and, if the changes are material, notify you by e-mail at least 14 days before they take effect.
14. Contact Us
AttendSure
Attn: Privacy Team
Registered office: Poland
Email: privacy@attendsure.com