Privacy Policy
Last updated: 8/11/2025.
Overview
CrowsStack is committed to privacy, security, and transparency. This Privacy Policy explains what data we collect, how we process it, and your rights. It specifically addresses our use of communications APIs, including WhatsApp Cloud API and other cloud API providers, in addition to core CrowsStack services.
Scope
This policy applies to visitors, users, and organizations using CrowsStack services, our website, and any messaging functionality integrated via third-party APIs (e.g., WhatsApp Cloud API).
Data We Collect
- Account and Profile: name, email address, organization details, role, and account preferences.
- Billing: contact details, company information, and payment identifiers processed by our payment partners.
- Technical and Usage: device information, IP address, timestamps, performance metrics, and activity logs generated by our services and infrastructure.
- Communications Data:
  - Metadata: sender/recipient identifiers (e.g., phone numbers or IDs), timestamps, delivery status, and routing information required to deliver messages.
  - Message Content: the text and attachments you or your end-users send or receive through integrated channels (e.g., WhatsApp Cloud API). We process this content only to provide the service and troubleshoot delivery.
How We Use Data
- Provide, maintain, and improve our services and infrastructure.
- Authenticate users, enforce security, and prevent abuse.
- Route, deliver, and troubleshoot messages via supported APIs (e.g., WhatsApp Cloud API).
- Provide support, resolve incidents, and improve reliability and performance.
- Comply with legal obligations and enforce our Terms of Service.
WhatsApp Cloud API and Other Cloud APIs
When you enable WhatsApp Cloud API or other cloud messaging providers with CrowsStack:
- Lawful Basis and Consent: You must obtain and maintain appropriate consent from your end-users to receive messages. You are responsible for honoring opt-outs and for sending only lawful, non-spam communications.
- Limited Processing: We process message content and metadata strictly to route and deliver messages, display them to authorized users, and provide support/troubleshooting. We do not use message content for advertising or model training.
- Data Sharing: We share communications data with the selected API provider as necessary to send/receive messages (e.g., Meta Platforms for WhatsApp Cloud API). These providers act as independent controllers or processors for their respective services and may retain logs per their own policies.
- Retention: We retain message metadata and minimal content only for as long as necessary to provide the service, comply with law, or resolve issues. You may request shortened retention where feasible.
- Opt-Out: End-users can opt out by replying with an applicable stop command (e.g., “STOP” where supported) or by contacting your organization. You must promptly honor opt-out requests.
Subprocessors and Third Parties
We use carefully selected providers for hosting, storage, observability, and communications. Depending on your configuration, these may include infrastructure hosts, email providers, and messaging API vendors (e.g., Meta Platforms for WhatsApp Cloud API). We contractually require appropriate security and confidentiality commitments from our subprocessors. A current list of material subprocessors can be provided upon request.
International Data Transfers
Where data is transferred outside your region, we rely on appropriate safeguards (such as Standard Contractual Clauses or equivalent mechanisms) and implement technical and organizational measures to protect your data.
Security
We implement administrative, technical, and physical safeguards designed to protect data, including network isolation, access controls, encryption in transit where applicable, and operational logging. No system is perfectly secure; we continuously improve our controls and monitor for vulnerabilities.
Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, comply with legal obligations, resolve disputes, and enforce agreements. You may request deletion or shortened retention subject to technical and legal constraints.
Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing. You may also withdraw consent at any time where processing is based on consent. We will honor verified requests consistent with applicable law.
Children’s Data
Our services are not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us to request deletion.
Changes to This Policy
We may update this policy to reflect changes in technology, law, or our services. We will post updates here with a new “Last updated” date and, where appropriate, provide additional notice.
Contact
For privacy inquiries or to exercise your rights, email privacy@crowsstack.cloud. For general questions, contact hello@crowsstack.cloud.