This Privacy Policy explains what data Whitrack collects, how we use it, and your rights. It applies to our website, web app, and API.
What we collect
- Account data — email, name, hashed password, business profile, billing info (handled by Stripe; we never see card numbers).
- Customer data you import — names, phone numbers, emails, addresses, job history, message transcripts. Processed on your behalf under our Data Processing Addendum.
- Usage data — requests, feature usage, errors, device info. Used to improve the product and debug issues.
- Cookies — a single first-party session cookie (`wt_session`, HttpOnly, 30-day expiry). No third-party ad trackers.
How we use it
- To operate the Service and respond to your requests
- To send transactional messages (billing, security, outage notices)
- To improve the product with aggregated, de-identified metrics
- To comply with legal obligations
We do not sell personal data. We do not train AI models on your customer data without opt-in.
Subprocessors
We use vetted providers: AWS (hosting), Stripe (payments), Twilio (SMS/voice), WhatsApp Business, Resend (email), Anthropic/OpenAI (AI drafting). A current list is available at our DPA page.
Security
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Passwords are hashed with bcrypt. See our Security page for more.
Your rights
You can access, correct, export, or delete your personal data at any time from your account. For customer data you process through Whitrack, your end customers can exercise their rights by contacting you directly; we will assist on request.
If you're in the EEA, UK, or California, you have additional rights under GDPR/CCPA. Email privacy@whitrack.com and we'll respond within 30 days.
Data retention
Active accounts: we keep your data for the life of the account. After deletion: 30-day backup window, then permanent deletion. You can export all data in CSV/JSON from Settings at any time.
Contact
Questions? Email privacy@whitrack.com.