WhatIsUp.dev

Privacy Policy

Last updated: 2026-05-04. Pre-launch draft — we are reviewing the final text with counsel before flipping the page to index, follow.

The short version

WhatIsUp.dev is a developer tool. We collect what we need to run the service and nothing else. We do not sell your data. We do not run ad networks. You can export or delete your account at any time from the dashboard.

The longer version below covers what we collect, why, who else processes it, how long we keep it, and how you exercise your rights under LGPD (Brazil), CCPA (California), and GDPR-style frameworks.

Who we are

The service is operated by Adriano Nes, a sole proprietor based in Brazil and the United States, doing business as WhatIsUp.dev. Contact: hello@whatisup.dev. For LGPD and GDPR data-protection enquiries: dpo@whatisup.dev.

Under LGPD we act as controller for account data and as operator (processor) for the message content you push through the API. Under GDPR we are the controller for account data and a processor for message content. Under CCPA/CPRA we are the business.

What we collect

Account data

  • Email address (from your sign-in provider).
  • Display name (if provided by Google/GitHub at sign-in).
  • Authentication identifiers from Firebase (the uid; we never see your password).
  • Locale and theme preferences (so your dashboard follows you across devices).
  • Plan + billing state (trial timestamp, paid-tier status; payment details live at Stripe).

Operational data

  • Channel pairings (your WhatsApp account session keys, encrypted at rest).
  • Phone number(s) you connect.
  • API key metadata (prefix, scopes, last-used timestamp; the secret is hashed).
  • Webhook endpoint URLs you configure.
  • Webhook delivery records (status, retry count, response code).
  • Audit log entries for security-relevant actions.

Message content

Messages sent or received through the API pass through our servers en route to your configured webhook. We persist the envelope (event metadata, signature, status) so you can retry a delivery, but we automatically null the body of successful payloads after seven days and failed/retrying payloads after thirty days. You can shorten either window via your gateway configuration.

Technical data

  • IP address and User-Agent for security logging.
  • Request latency, error rate, and queue depth metrics (no per-user tracking).
  • Browser console and product-feedback emails you choose to send us.

We do not run ad networks, marketing pixels, or third-party analytics on the customer dashboard. The marketing site uses minimal first-party analytics for traffic counts (referer, country, page). No fingerprinting.

Why we collect it

  • To run the service you signed up for (the obvious one).
  • To bill you, when applicable.
  • To detect and respond to abuse, fraud, or attacks against the platform.
  • To comply with legal obligations (tax, anti-money-laundering, lawful requests from authorities).
  • To send you transactional email about your account (welcome, trial-ending notice, payment receipt, security alerts).

We do not use your message content to train AI models. We do not sell, rent, or share your data with marketers. Sub-processors below have contractually limited use.

Sub-processors

The service runs on the following third parties:

  • Vercel — hosting for the dashboard and marketing site (United States, EU regions). Logs are processed there.
  • Railway — backend gateway hosting and Postgres (United States, US-West region).
  • Firebase (Google) — authentication identity provider (United States).
  • Resend — transactional email delivery (United States).
  • Stripe — payment processing (United States, global). We do not see your card number; Stripe collects it directly.
  • WhatsApp / Meta — by definition, when you push messages through us they ultimately land on Meta’s WhatsApp infrastructure, which has its own terms.

We update this list when we add or remove a sub-processor. If you operate under GDPR/LGPD and need a signed Data Processing Addendum, email dpo@whatisup.dev.

International transfers

Account and operational data is stored on Railway US-West. Customers in Brazil and the EU therefore experience a transfer of personal data outside their jurisdiction. We rely on the European Commission’s Standard Contractual Clauses (SCCs) and on the LGPD’s Article 33 international-transfer mechanisms. Sub-processors above have their own SCCs in place.

How long we keep it

  • Account data: as long as your account exists, plus thirty days after deletion.
  • Audit log entries: thirteen months (rolling window). Some entries are retained longer when required for legal or accounting purposes.
  • Webhook delivery payloads: seven days for success, thirty days for failure.
  • Customer-deletion records: indefinite, in a separate customer_deletions table that captures the deletion event itself for audit (email, plan, reason). Required to honor your “account closed” attestation.
  • Billing records: as required by tax law in the relevant jurisdiction (typically five to ten years).

Your rights

You have the right to:

  • Access the data we hold about you. Email us; we reply within thirty days.
  • Export your data in a machine-readable format (we send a JSON archive containing your account, channels, API keys, webhooks, audit, and message envelopes).
  • Correct any inaccurate data. Most fields are editable from your settings.
  • Delete your account. Use the Danger zone in settings, or email us. We cascade-delete your account within seven days and confirm by email.
  • Restrict or object to processing. Tell us; we will pause the relevant pipeline.
  • Withdraw consent at any time, where consent is the legal basis.
  • File a complaint with your data-protection authority (ANPD, EU DPA, the FTC).

California residents have additional rights under CCPA/CPRA, including the right to know what categories of personal information we collect, the right to opt out of any “sale” or “share” (we do neither), and the right to limit the use of sensitive personal information. To exercise any right, email dpo@whatisup.dev.

Security

We use TLS 1.3 in transit. Database disks are encrypted at rest. API key secrets are stored hashed (we never see the plaintext after issuance). Webhook signing secrets and channel session keys are encrypted at rest with a separate KMS-style master key. We follow least-privilege access controls internally; only Adriano currently has production access.

No system is unbreakable. If we discover a breach affecting your data, we will email you within seventy-two hours.

Children

The service is not directed at children under sixteen. We do not knowingly collect their data.

Changes to this policy

When the policy changes materially we email registered customers and update the “Last updated” date above. Minor copy edits and clarifications happen without notice; the GitHub history is the canonical change log (link from the footer).

Contact

For privacy questions: dpo@whatisup.dev. For everything else: hello@whatisup.dev. Our postal address is on file with the relevant tax authorities and available on request.
