Legal

Privacy Policy

Effective date: 25 December 2025

Company: Loopcrunch PLT
Contact: support@chatcrunch.io

1. Introduction

Welcome to chatcrunch.io ("chatcrunch.io", "we", "us", "our"). chatcrunch.io provides an AI-powered WhatsApp inbox and automation platform (the "Service") that helps businesses manage WhatsApp conversations, automate replies, route chats to team members, and optionally use documents (PDFs, product catalogs, etc.) to improve AI responses.

This Privacy Policy explains how we collect, use, disclose, store, and protect personal data in connection with the Service and related websites (collectively, the "Platform"). This Policy is intended to meet the requirements of Meta/Facebook App Review and applicable privacy laws including GDPR and CCPA where relevant.

2. Scope

This Policy applies to:

  • Users of the Platform (customers, administrators, agents).
  • End users who communicate with customers via WhatsApp and whose messages are processed by the Service.
  • Visitors to chatcrunch.io and related marketing pages.

3. Data We Collect

We collect the following categories of data as necessary to provide and improve the Service:

  • Account & Registration Data: business name, contact email, account administrator name and email, password (encrypted), user display name, role (admin/agent).
  • Contact & Support Data: emails and messages you send our support team, support ticket logs, and related metadata.
  • WhatsApp Conversation Data: incoming and outgoing WhatsApp messages, timestamps, media attachments (images, documents, audio), phone numbers, and message metadata required to store, display, and deliver messages.
  • Uploaded Files and Knowledge Bases (RAG): files you upload (PDFs, docs, CSVs, images) to build a knowledge base for RAG (Retrieval-Augmented Generation).
  • Usage & Device Data: IP addresses, browser and device information, pages visited, referrer, and other analytics information.
  • Payment & Billing Data (if applicable): billing contact, invoices, and payment records (we do not store full credit card numbers; payment processors may store that information).
  • Analytics & Telemetry: Google Analytics collects usage statistics and performance metrics.

4. How We Use Your Data

We use personal data to:

  • Provide, operate, and maintain the Service (message routing, storage, agent UI).
  • Facilitate WhatsApp Cloud API onboarding and API token management.
  • Process and store messages and media so your team can reply and manage conversations.
  • Build and query RAG embeddings from files you upload to improve AI accuracy for your tenant.
  • Provide customer support, billing, and account administration.
  • Monitor and improve the Service, including usage analytics and error logging.
  • Detect and prevent fraud, abuse, and other illegal activities.
  • Comply with legal obligations.

5. WhatsApp & Meta (Facebook) Data Practices

chatcrunch.io integrates with the WhatsApp Cloud API (Meta). When you connect your WhatsApp Business Account through the Embedded Signup flow or via API tokens, the Platform will receive and process WhatsApp messages and media from your account under the permissions you grant.

  • We act as a processor on behalf of your business for WhatsApp message processing. Your business remains the controller of its customers’ WhatsApp data.
  • We store and transmit WhatsApp messages to provide the chat inbox, AI replies, and related features.
  • Access tokens and webhook metadata are stored encrypted and only used to call Meta’s APIs to send/receive messages and manage webhooks.

6. AI, RAG, and Machine Learning

chatcrunch.io uses AI models and retrieval-augmented generation (RAG) to generate replies and assist agents. Key points:

  • Files and documents you upload for RAG are processed to create embeddings. These embeddings and associated metadata are stored and used to provide context-aware AI replies for your tenant.
  • We may log AI prompts and responses for debugging, quality improvement, and safety monitoring.
  • We do not sell your data or your uploaded documents. Data used for AI model improvement is subject to your explicit consent; unless you opt-in, we will not use tenant data to train models outside your tenant’s usage context.
  • If you request deletion of your knowledge base, we will remove documents, embeddings, and related derived data as described below.

7. Storage & Third-Party Services

We store and process data using the following providers:

  • Supabase: Primary database and authentication storage.
  • Cloudflare R2: Object storage for media and uploaded files.
  • Akamai / Cloudflare CDN: Content delivery and caching for static assets and public media endpoints.
  • Google Analytics: For product and marketing analytics.

We use encrypted storage for sensitive tokens and secrets. Access to production systems is limited to authorized personnel under confidentiality obligations.

8. Data Retention

We retain personal data as long as necessary to provide the Service, comply with legal obligations, and resolve disputes.

  • Account & billing data: Retained while account active and for up to 7 years after account termination for legal and tax purposes.
  • WhatsApp messages and attachments: Retained per tenant settings (default retention: 12 months). Tenants can request export or deletion.
  • Uploaded RAG documents & embeddings: Retained until tenant requests deletion or the tenant account is terminated. Embeddings derived from uploaded documents will be deleted upon request.
  • Logs and analytics: Retained in aggregated or anonymized form for up to 24 months.

9. Your Rights (GDPR, CCPA & other rights)

Depending on your location and applicable law, you may have certain rights including:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate personal data.
  • Deletion: Request deletion of your personal data.
  • Data portability: Request export of your data in a commonly used format.
  • Restrict processing / object: Request that we restrict or stop processing your personal data.
  • Opt-out of profiling or targeted marketing.

To exercise any of these rights, email us at support@chatcrunch.io. We will respond within the statutory periods required by law.

10. Account Deletion, Data Export & Deletion Requests

If you wish to delete your account, export data, or remove uploaded documents/embeddings:

  • Email support@chatcrunch.io with your account details and request type.
  • For security, we will verify the requestor’s identity before processing.
  • We will process data export or deletion requests in a timely manner, typically within 30 days, unless a longer period is required by law or to complete the request securely.

11. Security

We implement industry-standard technical and organizational security measures, including:

  • Encryption of sensitive data at rest and in transit (TLS for network transit; AES-256 for data at rest where applicable).
  • Encrypted storage of API tokens and session keys.
  • Access controls and role-based access for employees.
  • Regular security reviews, patching, and backups.
  • Logging and incident response procedures.

No internet-connected system is 100% secure. If we become aware of a data breach affecting personal data, we will notify impacted customers and data protection authorities as required by law.

12. Cookies and Tracking

We use cookies and similar technologies for authentication, session management, analytics, and marketing. You can manage cookie preferences via your browser. Google Analytics may use cookies to measure and analyze website traffic.

13. Third-Party Processors & Disclosures

We may share personal data with third-party service providers who perform services on our behalf (e.g., Supabase, Cloudflare/Akamai, payment processors, email delivery services). These processors are only permitted to use data as necessary to provide services to chatcrunch.io. We may disclose personal data if required by law (e.g., court order) or to protect the rights, property, or safety of chatcrunch.io, our users, or others.

14. International Transfers

chatcrunch.io may transfer and process data across national borders (e.g., storing data in cloud infrastructure in multiple regions). We implement appropriate safeguards (standard contractual clauses, encryption, access controls) to protect international transfers.

15. Children

Our Service is not directed to children under 16. We do not knowingly collect personal data from children. If we learn that we have collected data of a child under 16 without parental consent, we will take steps to delete it.

16. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the revised Policy on this page with a new “Last updated” date. Where required by law, we will provide notice of material changes.

17. Contact & Data Requests

If you have questions about this Privacy Policy or wish to exercise your data rights (access, deletion, export), please contact:

Email: support@chatcrunch.io
Company: Loopcrunch PLT
Address: Kuala Lumpur, Malaysia

18. Additional Notices for Meta / Facebook App Review

To comply with Meta’s App Review, note that:

  • chatcrunch.io uses the WhatsApp Cloud API to access messages and media after the tenant authorizes the connection.
  • Access tokens and webhook metadata are stored encrypted and only used to call Meta’s APIs for that tenant.
  • Uploaded documents used for RAG are processed to build embeddings and are not used to train public models without explicit tenant consent.
  • For any request to delete data originating from Meta (e.g., data subject requests), tenants should contact support@chatcrunch.io and we will assist promptly.
  • We do not share WhatsApp message content with Meta beyond what Meta already has via their platform; we process messages only as needed to provide the Service.
Privacy Policy | Chatcrunch