Privacy Policy

Last updated: May 20, 2026

1. General Provisions

This Privacy Policy defines the procedure for processing and protecting personal data of users of the Fiwano integration platform (WhatsApp, Instagram, Facebook Messenger). Use of the service implies unconditional consent of the user to this Policy and the conditions for processing personal information specified therein.

Fiwano (hereinafter referred to as the "Service") is operated by Individual Entrepreneur Roman Babakin (P/E Roman Babakin), registered in Georgia. The Service provides technical integration between your systems and Meta communication channels (WhatsApp Business, Instagram, Facebook Messenger).

Fiwano's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

1.1. Applicable Law

Fiwano processes personal data in accordance with the following legal frameworks:

Regulation (EU) 2016/679 (GDPR) — for users located in the European Economic Area (EEA) and the United Kingdom (UK GDPR / Data Protection Act 2018).
Directive 2002/58/EC (ePrivacy Directive), Article 5(3) — governs the storing of information, or gaining access to information already stored, in the terminal equipment of a user (the “cookie rule”).
Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914 (Module Two: Controller → Processor; Module Three: Processor → Sub-processor), together with the UK ICO International Data Transfer Addendum where the data exporter is in the United Kingdom, as the safeguard relied on for international transfers of personal data from the EEA / UK to Georgia (see Section 5.2 below).
Law of Georgia on Personal Data Protection (No. 7405-Ib of 14 June 2023) — as the operator (Individual Entrepreneur Roman Babakin) is registered in Georgia.
United States — State Consumer Privacy Laws, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and other state privacy statutes as they come into effect. See Section 8 for U.S. resident rights.
United States — Federal: the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506) and Section 5 of the Federal Trade Commission Act (prohibiting unfair or deceptive practices). The Service is not directed to children under 13 and we do not knowingly collect personal information from them.
India — Digital Personal Data Protection Act, 2023 (DPDP Act) — for personal data of Data Principals in India, to the extent applicable to Fiwano's role and processing activities. See Section 1.3.
Brazil — Lei Geral de Proteção de Dados Pessoais (LGPD, Law No. 13.709/2018) — for personal data of titulares in Brazil, to the extent Fiwano offers services to data subjects located in Brazil or processes data collected in Brazil (LGPD Art. 3). See Section 1.4.

Where the requirements of these frameworks differ, we apply the stricter standard. For GDPR purposes the data controller for account, security, billing, and analytics data is Individual Entrepreneur Roman Babakin (contact details in Section 10). Our role differs for customer-routed message content — see Section 1.2.

Under the GDPR (and the UK GDPR), Fiwano takes on two distinct roles depending on the data:

Controller (GDPR Art. 4(7)) — for account, authentication, security, audit, billing, and consented analytics data that we determine the purposes and means of processing for operating the Service. Our lawful bases are: performance of the user contract (Art. 6(1)(b)) for account and billing data; our legitimate interest in operating and securing the Service (Art. 6(1)(f)) for security logging, fraud prevention, and essential cookies; legal obligation (Art. 6(1)(c)) where applicable; and the user’s consent (Art. 6(1)(a)) for analytics cookies.
Processor / Sub-Processor (GDPR Art. 4(8) and Art. 28) — for personal data contained in messages and message metadata that you, the customer, route through your connected WhatsApp Business, Instagram Messaging, and Facebook Messenger channels to or from your end-users. You determine why those communications occur and the lawful basis on which you contact your end-users. Fiwano processes that data on your documented instructions, which you give by configuring the Service (webhook URLs, channels, API keys, templates, retry settings). Where your own contract requires it, we act as a sub-processor for a downstream controller in your customer chain.

The terms required by GDPR Art. 28 between you (the controller) and Fiwano (the processor) are set out in the Terms of Service Data Processing Addendum (DPA) section, which is automatically incorporated when you accept the Terms. Enterprise customers may request a standalone signed DPA mirroring that section. The DPA includes: subject matter, duration, nature and purpose of processing, types of personal data, categories of data subjects, sub-processor list, security measures, breach notification commitment, and end-of-processing data deletion/return.

Fiwano does not use customer-routed message content for any independent purpose. We do not read it, train models on it, profile end-users, build derived datasets from it, sell or share it, or use it for advertising. Successfully delivered message content is not retained in our systems beyond the operational retry window described in Section 4.2.

1.3. India DPDP Act: Roles and Processing Model

For users and customers in India, Fiwano is designed as a limited-purpose technical integration service. We do process personal data because receiving, transmitting, securing, retrying, and deleting message payloads are all forms of processing. However, we do not use routed message content for advertising, profiling, resale, or independent business purposes.

Fiwano generally acts as the Data Fiduciary for account, authentication, security, product analytics (where consented), and billing-related data that we determine how to process for operating the Service. For message content and message metadata routed between Meta channels and your configured systems, you are responsible for deciding the purpose and lawful basis of communication with your end-users. In that context, Fiwano acts as a technical service provider/data processor operating under your configuration and instructions: we relay messages, sign webhooks, perform short retry attempts, and remove successfully delivered content from transient processing storage.

We do not promise India data residency. Personal data may be processed on infrastructure outside India where this is necessary to operate the Service, secure the platform, process billing through Paddle, or communicate with Meta APIs. If India introduces additional transfer restrictions applicable to the Service, we will update this Policy and our operational processes accordingly.

1.4. Brazil LGPD: Roles and Processing Model

For users and customers in Brazil, the LGPD applies because Fiwano offers the Service to data subjects (titulares) in Brazil and may process data collected in Brazil. For account, billing, security, and analytics data, Fiwano acts as the controlador for its own operating purposes. For personal data contained in messages and metadata that you route through connected Meta channels, the customer acts as controlador and Fiwano acts as operador, processing that data only under customer configuration and instructions.

Brazilian data subjects have the rights listed in LGPD Art. 18, including confirmation of processing, access, correction, anonymization or deletion of unnecessary or excessive data, portability, information about public and private entities with which data has been shared, and information about the possibility of denying consent and the consequences of doing so. Requests are handled through the contact address in Section 10 after reasonable identity verification.

International transfers of personal data from Brazil to Georgia and to EU hosting locations are handled under the LGPD Chapter V framework, including, where applicable, standard contractual clauses aligned with ANPD-published model clauses (Resolução CD/ANPD No. 19/2024), the customer’s own legitimate transfer basis, or another authorized mechanism. We do not promise Brazil data residency.

The contact address in Section 10 serves as Fiwano’s privacy contact point for LGPD requests. Brazilian customers remain responsible for lawful basis, consent, opt-out handling, marketing-message rules, and any sector-specific obligations for their own end-users.

2. Data Collected

2.1. Data Provided by User

When creating an account and connecting communication channels, we process the following data:

Account information (email, name, password hash)
Access tokens from Meta (Facebook) for access to WhatsApp Business Account, Instagram, and Facebook Page
Channel identifiers (WhatsApp Business Account ID, Phone Number ID, Instagram Account ID, Page ID)
Channel metadata (phone numbers, names, verification statuses)
Connection session data (OAuth state, connection statuses)

2.2. Data from Google Sign-In

The Fiwano portal supports signing in with a Google account. This section specifically documents how data obtained through Google Sign-In is accessed, used, stored, and deleted.

Data Accessed

When you choose to sign in with Google, we request only the minimum data available through Google's standard OpenID Connect authentication scope (openid email profile):

Your email address — used to identify your account
Your display name — used as your account name within the portal
Your Google account identifier (internal ID) — used to recognize you on subsequent sign-ins

No profile pictures or other Google user data are stored. We do not access Google Drive, Gmail, Calendar, Contacts, or any other Google service beyond the email address, display name, and internal identifier described above.

Data Usage

Google account data is used exclusively to:

Create or identify your account on fiwano.com
Authenticate you when you sign in to the portal
Display your name within the portal dashboard

Google user data is not used for advertising, marketing, profiling, analytics, or any purpose unrelated to operating your portal account. It is not combined with data from other sources for tracking or targeting.

Data Sharing

Google user data obtained through sign-in is not sold, rented, or shared with any third parties for their own purposes. It is accessible only to the server-side application code that operates fiwano.com. Incidental access by infrastructure providers (hosting, database) is limited to the technical operation of the service under standard service agreements, and not used for any independent purpose.

Data Storage and Protection

Your email address, display name, and Google account identifier are stored in a PostgreSQL database on a private dedicated server. The following protections are applied:

All data is transmitted exclusively over HTTPS (TLS)
Database access is restricted to server-side application code with no public exposure
Server access is restricted by firewall rules and SSH key authentication
Regular encrypted database backups are stored securely

Data Retention and Deletion

Google account data is retained for as long as your portal account is active.

You can unlink your Google account from your Fiwano account at any time from your Profile page — this removes the Google sign-in link without deleting your account.
To request full deletion of your account and all associated data including any data received from Google, contact us at contact@fiwano.com. Deletion will be completed within 30 calendar days of a verified request.

2.3. Data Received from Meta

When processing incoming messages via webhooks from Meta, we receive:

Message content from users
Message metadata (sender ID, send time, message type)
Delivery and read status data
Sender profile information (name, profile picture — where available)

This data is transmitted to your configured webhook URL and is not stored in the Service longer than necessary for processing and delivery. If your webhook endpoint is temporarily unavailable, payloads may be stored in encrypted form for short retry windows and deleted after successful delivery or retry expiry.

3. Data Processing Purposes

Personal data is processed for the following purposes:

Ensuring the functioning of integration with Meta channels (WhatsApp, Instagram, Facebook Messenger)
Transmitting messages between users and your systems via webhooks
Managing channel connections and their statuses
Processing subscription and billing through Paddle
Ensuring security and preventing fraud
Compliance with legal requirements

4. Data Storage and Protection

4.1. Encryption

All access tokens from Meta are stored in encrypted form using the Fernet algorithm (symmetric encryption). The encryption key is stored separately from the data and is not shared with third parties. User passwords are hashed using bcrypt.

4.2. Retention Periods

Successfully delivered message content — not retained. The inbound webhook payload is relayed to your configured endpoint and is not stored in our systems beyond the in-memory delivery attempt.
Message retry payloads — if your endpoint is temporarily unavailable, the payload is encrypted at rest (Fernet / AES) and placed in a short-lived retry queue. The retry queue applies up to 7 attempts over approximately 11 minutes and a hard time-to-live of 20 minutes from the initial failure. After successful delivery, or on expiry of the 20-minute TTL, the encrypted payload is purged. We do not maintain a long-term archive of message content.
Webhook delivery metadata logs (idempotency keys, status codes, timestamps, no message bodies beyond what is required for idempotency) — up to 30 days.
Meta access tokens — stored Fernet-encrypted until the channel is disconnected or the token is revoked; the encryption key is held separately from the data.
Connection session data — deleted after the connection process is completed.
API keys — stored only as SHA-256 hashes. The plaintext key is shown to the user once at creation and is never recoverable from our systems.
Audit logs and security logs — retained for the lifetime of the account and for 3 years after account deletion, for security, fraud prevention, and legal-defense purposes.
Consent records (consent_records) — retained for the lifetime of the account and for 3 years after account deletion. Anonymous pre-signup records (not linked to any account) are retained for 3 years from the date of collection. These records are required to demonstrate consent compliance under GDPR Art. 7(1).
Account and billing records — retained while the account is active and for the period required by applicable accounting, tax, and consumer-law obligations after account closure.

Fiwano does not provide any operator-side user interface for reading customer message content. There is no analytics, classification, profiling, or model-training pipeline applied to customer-routed message data.

4.3. Technical Security Measures

Use of HTTPS for all connections
Webhook verification via HMAC-SHA256 signatures
API key authentication with rate limiting
Regular access token refresh (7 days before expiry)
Data isolation between user accounts

5. Sub-Processors and International Transfers

5.1. Sub-Processors and Independent Recipients

Fiwano relies on the following categories of third parties to operate the Service. Some act as our sub-processors (processing personal data on our behalf, under our instructions and a written data-processing arrangement); others act as independent controllers for their own purposes (notably the payment processor and the messaging platform operator). Each is listed with its role and the data category it receives.

Recipient	Role	Purpose / Data
Your Webhook Endpoints	Recipient under your control	Inbound messages and status updates are delivered to the URL you configure, using HMAC-SHA256 signed HTTPS requests.
Meta Platforms, Inc. / Meta Platforms Ireland Ltd.	Independent controller (and our sub-processor for message transit)	WhatsApp Cloud API, Instagram Messaging API, Facebook Messenger API. Receives channel credentials, message content and metadata for transit, and end-user profile fields as exposed by the Meta APIs. Governed by Meta’s own terms and privacy policies.
Paddle.com Market Limited	Independent controller (Merchant of Record)	Subscription billing, invoicing, payment, tax collection, refund processing. Receives email, name, billing address, payment method (handled by Paddle), and tax identifiers (e.g. GSTIN, EU VAT, CNPJ) that you provide at checkout. See Paddle Buyer Privacy Policy and Paddle Checkout Buyer Terms.
Google LLC (Google Analytics 4)	Processor (sub-processor)	Anonymous, IP-anonymized usage analytics on marketing pages. Loaded only after analytics-cookie consent is given.
Google LLC (Sign-In / OIDC)	Processor	Optional account authentication via `openid email profile`. See Section 2.2.
GitHub, Inc.	Processor	Optional account authentication via OAuth (email, login).
Hosting / infrastructure provider (currently EU region)	Processor (sub-processor)	Compute, database hosting, encrypted backups. Personal data is stored encrypted at rest and isolated per tenant.
Transactional email provider	Processor (sub-processor)	Sending account, verification, and operational alert emails.

Personal data is not transferred to any other third parties, is not sold, is not shared for cross-context behavioral advertising, and is not used for marketing purposes outside Fiwano’s own communications about the Service.

5.2. International Transfers

Fiwano is operated from Georgia (country) with primary hosting in the European Union. Personal data may therefore be transferred to and processed in those locations, and to the locations of the sub-processors listed above (notably Meta and Paddle, which operate globally).

For transfers of personal data from the European Economic Area or the United Kingdom to Fiwano in Georgia, we rely on appropriate safeguards under GDPR Chapter V / UK GDPR, principally the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914), in Module Two (Controller → Processor) where the customer is the controller and Fiwano is the processor, and in Module Three (Processor → Sub-processor) where the customer is itself a processor for a downstream controller. For United Kingdom transfers, the UK Information Commissioner’s Office International Data Transfer Addendum to the EU SCCs applies. These clauses are incorporated by reference into the DPA section of the Terms of Service when you accept the Terms; enterprise customers may request a standalone signed copy.

For transfers of personal data from Brazil, we rely on the LGPD Chapter V mechanisms, including, where applicable, standard contractual clauses aligned with ANPD-published model clauses (Resolução CD/ANPD No. 19/2024), the customer’s own legitimate transfer basis, or other authorized mechanisms.

We monitor notifications from MeitY (India) and other regulators that may restrict cross-border transfers and will update our infrastructure or contractual arrangements as required.

5.3. Personal Data Breach Notification

Where Fiwano becomes aware of a confirmed personal data breach affecting personal data processed on behalf of a customer, Fiwano will notify the customer’s account contact without undue delay and, where feasible, within 72 hours of confirmation, including the information required by GDPR Art. 33(3) (UK GDPR, LGPD Art. 48, and DPDP reporting are addressed on the same operational SLA). Notification to data protection regulators and to data subjects is, for customer-routed message data, the controller customer’s responsibility; Fiwano provides reasonable assistance.

6. User Rights

Users have the right to:

Receive information about stored data
Request correction of inaccurate data
Request deletion of data (by disconnecting channels and deleting the account)
Withdraw consent to data processing (by deactivating the account)
Export their data

For India Data Principals, these rights include the rights available under the DPDP Act, including the right to access information about processing, request correction or erasure of personal data, raise a grievance, and nominate another person to exercise rights where applicable. Requests are handled through the contact address below after reasonable identity verification.

For Brazilian data subjects, these rights include the rights available under LGPD Art. 18, including confirmation of processing, access, correction, anonymization, deletion, portability, information about sharing, and review of automated decisions where applicable. For U.S. residents, additional state-law rights are described in Section 8.

To exercise these rights, contact us at contact@fiwano.com.

7. Cookies and Similar Technologies

This section describes every cookie set by fiwano.com, its purpose, lifetime, and the legal basis on which it is stored. We use only first-party cookies; we do not load third-party advertising or cross-site tracking pixels.

7.1. Categories

Cookies are grouped into two categories presented in the consent banner:

Essential (strictly necessary) — required for the site to function: user authentication, session continuity, CSRF protection, and remembering your cookie choice. Under ePrivacy Directive Art. 5(3) these are exempt from the consent requirement because they are strictly necessary to provide a service explicitly requested by you. They are always on and cannot be disabled while you use the platform.
Analytics (optional) — anonymous usage measurement (Google Analytics 4 with IP anonymization, when enabled). These are only set after you click Accept all in the consent banner, and you can withdraw consent at any time from Profile → Cookies — this is as easy as giving consent (GDPR Art. 7(3)).

We do not set marketing, advertising, profiling, or cross-site tracking cookies.

7.2. Cookies We Set

Name	Category	Purpose	Lifetime
session	Essential	Keeps you signed in (HttpOnly, Secure).	Session / up to 30 days
csrftoken	Essential	CSRF protection for state-changing requests.	Session
fw_consent	Essential	Stores your cookie-banner choice so we don’t ask again.	12 months
fw_anon	Essential	Pseudonymous identifier used solely to link a pre-signup consent decision to your account at registration. Not used for tracking.	12 months
_ga, _ga_*	Analytics (optional)	Google Analytics 4 — aggregated, IP-anonymized usage statistics. Set only with your consent.	Up to 24 months

Cookie names ending in _* represent the variable Google Analytics property suffix.

7.3. Legal Basis

Essential cookies: processed on the basis of our legitimate interest in operating a secure service (GDPR Art. 6(1)(f)) and exempt from the consent requirement under ePrivacy Directive Art. 5(3).
Analytics cookies: processed only after your freely given, specific, informed and unambiguous consent (GDPR Art. 6(1)(a) and ePrivacy Directive Art. 5(3)). No analytics scripts are loaded before consent is given.

7.4. How to Manage or Withdraw Consent

On the cookie banner, choose Essential only to refuse analytics.
At any later time, open Profile → Cookies and toggle analytics off.
You can also delete cookies through your browser settings; the banner will reappear on the next visit on devices where you are not logged in.
Cross-device continuity. When you log in on a new browser or device, we re-apply your most recently recorded consent decision (read from consent_records) so you are not asked to re-consent on every device. To change that decision, use Profile → Cookies; the new choice will propagate to every future device you log in from.

Every consent decision is recorded in an append-only audit log (consent_records) including timestamp, IP address, user agent, source (banner / signup form / profile) and policy version, so we can demonstrate compliance on request (GDPR Art. 7(1)). See Section 4.2 for the retention period.

8. Your Rights under U.S. State Privacy Laws

This section applies to residents of U.S. states with comprehensive consumer privacy laws (currently California, Virginia, Colorado, Connecticut, Utah, and other states with equivalent statutes). Where these laws use different terminology, the rights below are provided to the broadest extent required.

8.1. Notice at Collection (CCPA/CPRA § 1798.100)

In the preceding 12 months Fiwano collects the following categories of personal information directly from you or generated through your use of the Service:

Identifiers — email address, account ID, IP address.
Customer records — name and contact details you provide.
Commercial information — subscription plan, billing records (processed by Paddle).
Internet/network activity — log data, request metadata, aggregated analytics (only with your consent).
Inferences — usage patterns derived from analytics, only when analytics consent is given.
Content you route through integrations — messages, attachments and metadata exchanged with WhatsApp / Instagram / Messenger on your behalf, processed strictly to deliver the Service.

We retain each category only as long as necessary for the purposes described in this Policy and our Terms of Service, after which the data is deleted or anonymized.

8.2. No Sale, No Sharing for Cross-Context Behavioral Advertising

We do not sell your personal information and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA and equivalent state laws. Because we do not engage in these activities, no “Do Not Sell or Share My Personal Information” link is required; however, you may always contact us to confirm.

We also do not use or disclose sensitive personal information for purposes other than those permitted without a right to limit (CCPA/CPRA § 1798.121).

8.3. Your Rights

Right to know / access — request the categories and specific pieces of personal information we have collected about you, the sources, purposes, and recipients.
Right to delete — request deletion of personal information we have collected, subject to legal exceptions (e.g. fraud prevention, legal obligations).
Right to correct — request correction of inaccurate personal information.
Right to portability — receive a copy of your personal information in a portable, readily usable format.
Right to opt out of targeted advertising, sale, or profiling — not applicable, as we do not engage in any of these activities.
Right to non-discrimination — we will not deny, charge different prices for, or provide a different level of Service because you exercised any privacy right.
Right to appeal (VCDPA, CPA, CTDPA, UCPA) — if we decline a request, you may appeal by replying to our response within 45 days.

8.4. How to Exercise Your Rights

Email contact@fiwano.com from the address associated with your account. We will verify your identity through your account credentials and respond within 45 calendar days (extendable once by 45 days if reasonably necessary, with notice). Authorized agents may submit requests with written authorization signed by you; we may require you to verify the request directly with us.

California residents may also request information disclosed for direct marketing purposes under California Civil Code § 1798.83 (“Shine the Light”); we do not disclose personal information to third parties for their direct marketing.

8.5. Children’s Privacy (COPPA)

The Service is intended for businesses and adult professionals. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information, contact us and we will delete it.

9. Changes to Privacy Policy

We reserve the right to make changes to this Privacy Policy. We will notify you of significant changes via email or dashboard notification. We recommend reviewing this page periodically.

10. Contact Information

For questions related to personal data processing, please contact us:

Operator: Individual Entrepreneur Roman Babakin (P/E Roman Babakin), registered in Georgia

Email: contact@fiwano.com

Website: fiwano.com