Legal & Compliance

Legal Documents

Last updated: April 2026 · TumaFlow is committed to transparency and data protection.

Privacy Policy

Effective: April 1, 2026 · Version 1.0

TumaFlow ("we", "our", or "us") operates the TumaFlow platform accessible at tumaflow.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. Please read it carefully.

1. Information We Collect

1.1 Account Information

When you register, we collect your full name, email address, and a hashed password. We never store your plaintext password — it is irreversibly hashed using BCrypt before being saved to our database.

1.2 Message & Campaign Data

To operate the service, we store the phone numbers you send messages to, the WhatsApp message templates you use, delivery statuses (sent, delivered, read, failed), and timestamps for each outbound message. This data is necessary to provide delivery tracking and campaign analytics.

1.3 WhatsApp Webhook Events

We receive delivery receipt webhooks from Meta's WhatsApp Business Cloud API. These include message IDs (WAMIDs), delivery timestamps, and status codes. We log raw webhook payloads for up to 90 days for debugging purposes.

1.4 Usage & Technical Data

We automatically collect:

  • IP addresses and approximate geolocation (country-level)
  • Browser type, version, and operating system
  • Pages visited and time spent on each page
  • Referral URLs and UTM parameters
  • Error logs and performance traces

1.5 Billing Information

If you subscribe to a paid plan, payment processing is handled entirely by our payment processor (Stripe). We store only a tokenized reference and your subscription tier — we never see or store full card numbers.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the TumaFlow platform
  • Process and deliver WhatsApp messages on your behalf
  • Send transactional emails (password resets, billing receipts)
  • Monitor and analyze usage patterns to improve the service
  • Detect, prevent, and investigate fraud or abuse
  • Comply with legal obligations and respond to lawful requests
  • Communicate service updates, security alerts, and support messages

We do not sell your personal data to third parties or use your message content to serve you advertisements.

3. Data Sharing & Disclosure

3.1 Service Providers

We share data with trusted third-party vendors that help us run the platform, including:

  • Meta Platforms, Inc. — to send WhatsApp messages via their Business Cloud API
  • PostgreSQL / Cloud hosting provider — for database storage
  • Stripe — for payment processing
  • Vercel — for hosting the web application

All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

3.2 Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, prevent fraud, or ensure the safety of our users.

3.3 Business Transfers

If TumaFlow is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website.

4. Data Retention

We retain your data for the following periods:

  • Account data — for the life of your account plus 30 days after deletion
  • Message logs — 12 months from the date of sending
  • Webhook logs — 90 days
  • Billing records — 7 years (tax compliance)

5. Security

We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest for sensitive fields, HMAC-SHA256 webhook signature verification, and JWT-based stateless authentication. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

6. Children's Privacy

TumaFlow is a business-to-business service intended for users aged 18 and older. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, contact us immediately at legal@tumaflow.io.

7. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, or delete your personal data. For a full description of your rights under the GDPR, please review our GDPR page.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by email or via an in-app notice at least 14 days before the changes take effect. Your continued use of the service after changes become effective constitutes acceptance of the new policy.

9. Contact Us

If you have questions or concerns about this Privacy Policy, please contact: