Enfinito

Privacy Policy

We built Enfinito with privacy in mind. This policy explains what data we collect, why we collect it, and how we keep it safe.

Last Updated: April 6, 2026
Effective Date: April 6, 2026

Summary: Enfinito is a WhatsApp Business API gateway. We collect only the data necessary to operate the service. We never sell your data. All sensitive credentials are encrypted with AES-256-GCM at rest. You can delete your account at any time.

1. Overview

Enfinito (“we,” “our,” or “us”) operates the Enfinito WhatsApp Business API Gateway platform, accessible at our website and associated services (collectively, the “Service”). This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree to this policy, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address (stored as an AES-256-GCM encrypted value and a one-way SHA-256 hash for lookup)
  • Password (hashed with bcrypt, cost factor 12 — the plaintext is never stored)
  • Profile photo (optional, uploaded by you)
  • Bio / description (optional)

2.2 Google Sign-In (OAuth 2.0)

If you choose to sign in with Google, we receive from Google your name, email address, and profile photo URL. We store your Google account ID to link the OAuth identity to your Enfinito account. We do not store Google access tokens or refresh tokens beyond the authentication flow.

2.3 WhatsApp Business Credentials

To connect WhatsApp instances, you provide Meta / WhatsApp Business API credentials (Phone Number ID, WhatsApp Business Account ID, Access Token, App Secret, App ID). These are encrypted with AES-256-GCM using a server-side key before storage. The plaintext values are only decrypted in memory at the moment they are needed to make API calls and are never logged.

2.4 Usage Data

  • Message logs: direction (inbound / outbound), recipient phone number, message type, delivery status, WhatsApp message ID (wamid)
  • API key usage: last-used timestamp
  • Rate-limiting data: request counts by IP address or API key (ephemeral, cleared on window reset)

2.5 Technical Information

  • IP address (used for rate limiting and security; not linked to your profile)
  • HTTP request metadata for security monitoring

3. How We Use Your Information

  • Provide, operate, and improve the Service
  • Authenticate your identity and maintain session security
  • Process and relay WhatsApp messages on your behalf
  • Generate and validate API keys
  • Send transactional emails (account approval notifications, password reset links)
  • Enforce rate limits and prevent abuse
  • Comply with legal obligations

We do not use your data for advertising, sell it to third parties, or use it for any purpose beyond operating the Service you signed up for.

4. Google API Services

Enfinito's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

When you authenticate with Google Sign-In, Enfinito requests only the minimum necessary OAuth scopes: openid, email, and profile.

  • We use data obtained via Google APIs solely to authenticate you and populate your Enfinito profile.
  • We do not access Gmail, Google Drive, Google Contacts, or any other Google product beyond identity.
  • Data obtained from Google APIs is not transferred to, shared with, or used by any third parties.
  • Data obtained from Google APIs is not used for serving advertisements.
  • Google access tokens are not persisted to our database.

5. Data Security

We implement multiple independent layers of protection for your data:

  • AES-256-GCM Encryption: Email addresses and all WhatsApp credentials are encrypted at rest with AES-256-GCM with a random IV per value.
  • bcrypt Password Hashing: Passwords are hashed using bcrypt with a cost factor of 12. The plaintext password is never stored or logged.
  • HMAC-SHA256 Tokens: Password reset tokens are hashed with HMAC-SHA256 keyed by a server secret before storage. They are single-use and expire in 1 hour.
  • JWT Session Tokens: Sessions use short-lived JWT access tokens (15 minutes) with 7-day refresh tokens, delivered as httpOnly cookies.

Despite these measures, no transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your information.

6. Third-Party Services

6.1 Meta / WhatsApp Business Platform

The core function of our Service is to relay API requests to Meta's WhatsApp Business Platform. When you send or receive WhatsApp messages, your message content and recipient phone numbers are transmitted to Meta's servers. Meta's use of this data is governed by WhatsApp Business Terms of Service and Meta's Privacy Policy.

6.2 Google (OAuth 2.0)

If you use Google Sign-In, your authentication is handled by Google. Google's use of data is governed by Google's Privacy Policy.

6.3 Email Delivery

Transactional emails (password reset, account approval) are sent via an SMTP provider. Only your email address and the content of the notification are shared with the email provider for delivery purposes.

7. Data Sharing & Disclosure

We do not sell, trade, or rent your personal information. We may share information only in these circumstances:

  • With your explicit consent
  • To comply with a legal obligation, court order, or enforceable government request
  • To protect the rights, property, or safety of Enfinito, our users, or the public
  • In connection with a merger, acquisition, or sale of assets — you will be notified via email before your data is transferred or becomes subject to a different privacy policy

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your account and associated data
  • Data Portability — request your data in a structured, machine-readable format
  • Objection — object to processing of your data in certain circumstances
  • Withdraw Consent — if processing is based on consent, you may withdraw at any time

To exercise any of these rights, contact us at privacy@enfinito.cloud. We will respond within 30 days.

You can delete your Enfinito account at any time from your account settings. Upon deletion, your profile data, WhatsApp credentials, and API keys are permanently removed. Message logs associated with your instances are also deleted.

9. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service.

  • Account data: retained while your account is active; deleted within 30 days of account deletion request
  • Message logs: retained for 90 days by default; deleted on account deletion
  • Password reset tokens: single-use; automatically invalidated after 1 hour
  • Rate-limiting counters: ephemeral; cleared after the rate-limit window expires
  • Backup data: may be retained for up to 30 additional days in encrypted backups

10. Cookies & Tokens

Enfinito uses the following browser storage mechanisms:

  • access_token (httpOnly cookie): JWT session token (15 min TTL). Used to authenticate requests.
  • refresh_token (httpOnly cookie): JWT refresh token (7 day TTL). Used to renew the access token.
  • oauth_state (httpOnly cookie): CSRF protection token during Google OAuth flow (10 min TTL, deleted after use).

These are strictly necessary cookies. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

11. Children's Privacy

The Service is not directed to individuals under the age of 16 (“children”). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information without parental consent, please contact us at privacy@enfinito.cloud. We will take steps to remove that information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the “Last Updated” date at the top of this page and, where appropriate, by sending an email to the address associated with your account.

Your continued use of the Service after any changes constitutes acceptance of the new policy. We encourage you to review this page periodically.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, please contact us:

Response Time: Within 30 days