Privacy Policy

Effective April 23, 2026 · Last updated April 23, 2026

Talfan ("we", "us", "our") helps businesses run customer support over WhatsApp and other messaging channels. This Privacy Policy explains what personal information we collect when you use the Talfan platform, how we use it, and the choices you have. It applies to visitors of talfan.ai, the product at app.talfan.ai, and any Talfan-operated integration (including WhatsApp Cloud API connections made through Meta's Embedded Signup).

1. Who the controller is

Talfan is the data processor for the conversations and customer data handled on behalf of our business customers ("Tenants"). The Tenant is the controller of their end-customers' data. For our own website visitors and Tenant admin accounts, Talfan is the controller.

2. Information we collect

Information you provide

• Account data — name, email, password hash, phone number, tenant/workspace name.
• Onboarding inputs — WhatsApp Business Account ID, phone-number ID, display name, verified business details you authorize us to receive through Meta's Embedded Signup.
• Billing details — only what our payment processor requires. We do not store card numbers.

Information we receive from messaging platforms

• Inbound messages your customers send to your WhatsApp number, including text, media references, and the sender's WhatsApp ID (phone number).
• Delivery receipts, template status updates, and message echoes from Meta's Graph API.
• Long-lived access tokens tied to your WhatsApp Business Account, encrypted at rest and scoped to your tenant.

Information we generate

• Ticket and conversation records, AI-generated replies and drafts, resolution metadata, CSAT ratings.
• Product analytics (page views, feature usage) used to improve Talfan.
• Security logs (IP address, user agent, timestamps) for authentication and fraud prevention.

3. How we use information

• Deliver and operate the service — route messages, draft AI responses, show dashboards.
• Authenticate you and keep your account secure.
• Send service emails (account alerts, policy changes). You cannot opt out of these while your account is active.
• Comply with Meta's WhatsApp Business Messaging Policy and other legal obligations.
• Improve Talfan — in aggregate, de-identified form only.

We do not sell personal information. We do not use your customers' message content to train foundation models. Content sent to AI providers is scoped to the single conversation and governed by the provider's zero-retention settings where available.

4. Sub-processors

We share data with a small number of service providers under data processing agreements:

• Meta Platforms, Inc. — WhatsApp Cloud API messaging.
• OpenAI (and equivalent LLM providers) — AI drafting and classification, zero-retention where offered.
• Cloud hosting — managed Postgres and Redis in EU/US regions.
• Error tracking — Sentry, with PII scrubbing enabled.

A current sub-processor list is available on request at legal@talfan.ai.

5. How long we keep data

• Active tenant data is kept for as long as the tenant account is active.
• Conversation history is retained for 24 months by default; tenants can configure shorter retention.
• On account closure, data is deleted within 30 days, except where retention is legally required.

6. Your rights

Under GDPR, UK GDPR, and similar frameworks you have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. Tenants can fulfil most of these directly in the product; for anything else, email privacy@talfan.ai. End-customers should contact the Tenant first — we will assist the Tenant in responding.

7. International transfers

Data may be processed in countries outside your own. Where required, we rely on Standard Contractual Clauses and additional safeguards (encryption in transit and at rest, role-based access controls).

8. Security

• TLS 1.2+ in transit, AES-256 at rest.
• Per-tenant encryption keys for WhatsApp access tokens.
• Principle of least privilege for Talfan staff; audit logs for production access.
• Security incidents are reported to affected Tenants within 72 hours of discovery.

9. Cookies

The marketing site and product use first-party cookies for authentication, CSRF protection, and anonymized analytics. We do not use third-party advertising cookies.

10. Children

Talfan is a B2B product. It is not directed to children under 16 and we do not knowingly collect information from them.

11. Changes to this policy

We may update this policy when the product or regulations change. Material changes will be announced in-app or by email to tenant admins at least 14 days before taking effect.