ChatBridge legal

Privacy Policy

Effective: 2026-05-17

Placeholder content. This document is a non-binding draft generated for development. It has not been reviewed by a lawyer and must not be used as-is in production.

1. Who we are

ChatBridge is operated by 1370 (Pty) Ltd, a company registered in South Africa ("ChatBridge", "we", "our", "us"). This Privacy Policy explains what personal information we collect when you use the ChatBridge service (the "Service") and how we use, share, and protect it.

For questions about this policy or to exercise any of your rights, contact chatbridge@stripedape.tech. For data-protection-specific enquiries (including requests under POPIA, GDPR, or the UK GDPR) use the same address — your message will be routed to the person responsible for privacy at ChatBridge.

2. Scope

This policy applies to personal information we process about you in two capacities:

  • As a controller of your account data (the information you provide to register and use the Service).
  • As a processor of the customer data you upload to the Service about your own contacts. You are the controller of that data and are responsible for having a lawful basis to process it. How we process it on your behalf is described in section 9 (Sub-processors) and section 14 (Security), and incorporated by reference into our Terms of Service as a data processing arrangement.

3. Information we collect

We collect the following categories of personal information:

  • Account data — your email address, name, profile image, authentication tokens and session metadata, handled by our authentication provider Clerk.
  • Business profile — the business name, WhatsApp number, currency, and quote terms you enter in your settings.
  • Customer data you provide — the names, phone numbers, email addresses, notes, tags, statuses, follow-up dates, quotes, line items, payments, and message templates you enter or import about your own customers.
  • Billing data — when you purchase a paid subscription, our payment processor Paystack collects payment instrument details on its own servers. We receive only a customer and subscription identifier, the plan, the status, and the next renewal date. We do not see or store your card number.
  • Activity and audit data — server-side records of actions you take in the app (for example "customer.created" or "quote.sent"), used for support, security, and abuse prevention.
  • Technical data — IP address, browser type and version, device information, language, timezone, and approximate location (derived from IP, used to default your billing currency). Logged by our hosting provider Vercel and our infrastructure.
  • Cookies and similar storage — see section 12.

4. What we don't collect

We do not read, intercept, scrape, or store the contents of your WhatsApp messages. The Service only constructs click-to-chat URLs that open the official WhatsApp client on your device with a pre-filled message — anything you say in WhatsApp stays in WhatsApp. We do not have access to your WhatsApp contacts list or chat history.

We do not use customer data for advertising and we do not sell personal information.

5. Legal bases for processing

Where the GDPR or UK GDPR applies to our processing, we rely on the following legal bases:

  • Performance of a contract — to provide the Service you have signed up for and to process payments for paid plans.
  • Legitimate interests — to secure the Service, prevent abuse, maintain audit logs, respond to support requests, and improve the Service. We balance these interests against your rights and freedoms.
  • Legal obligation — to comply with tax, accounting, and other legal obligations.
  • Consent — for any processing that requires consent, such as optional marketing emails. You can withdraw consent at any time.

Under POPIA, the conditions for lawful processing in sections 8–25 apply, including accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.

6. How we use information

  • To provide, operate, and maintain the Service for you.
  • To authenticate your sessions and protect against fraud and abuse.
  • To process payments and manage subscriptions (paid plans).
  • To respond to your support requests and communicate operational notices.
  • To diagnose technical issues and improve performance, reliability, and security.
  • To comply with legal obligations and enforce our Terms of Service.

We do not engage in solely automated decision-making that produces legal or similarly significant effects on you.

7. Sharing personal information

We share personal information only in the following circumstances:

  • With sub-processors who help us run the Service (see section 9).
  • With professional advisors (lawyers, accountants, auditors) bound by confidentiality, where reasonably required.
  • To comply with a lawful request from a regulator, court, or other public authority, or to enforce our rights or those of others.
  • In connection with a merger, acquisition, financing, or sale of assets — subject to standard confidentiality protections and notice where required by law.

8. Marketing communications

We may send you operational emails about your account, billing, security, and important Service changes. These are not marketing and you cannot opt out while you have an active account. Any optional marketing emails are sent only with your prior consent and you can unsubscribe at any time.

9. Sub-processors

We rely on the following third parties to deliver the Service. Each is bound by a written contract that requires appropriate confidentiality and security obligations.

  • Clerk (United States) — authentication, session management, and user identity. Processes account data.
  • Supabase (European Union, eu-west-1) — managed PostgreSQL database hosting. Processes account, business profile, customer, quote, payment, template, reminder, and activity data.
  • Vercel (United States and global edge regions) — application hosting, CDN, and request logging. Processes technical data and serves the application.
  • Paystack (Nigeria; payment processing only when you purchase a paid plan) — collects payment instrument details on its own systems and provides us with a customer code, subscription code, plan, status, and renewal date. We never see card data.

We will update this list when we add, remove, or replace a sub-processor. Material changes will be announced with at least 14 days' notice in the app or by email.

10. International transfers

Some of our sub-processors are located outside South Africa and outside the European Economic Area. Where personal data is transferred to a jurisdiction without an adequacy decision, the transfer is protected by appropriate safeguards — typically the European Commission's Standard Contractual Clauses (and, for transfers from the UK, the UK International Data Transfer Addendum) and supplementary measures such as encryption in transit and at rest. You may request a copy of the safeguards by emailing us.

11. Retention

We retain your account data and the customer data you have entered for as long as your account is active. When you delete your account we delete your business profile, customer records, quotes, payments, reminders, templates, and activity logs from our active database within 30 days. Encrypted backups are retained for up to 90 days after which they are overwritten in the normal backup rotation.

Limited records may be retained for longer where required by law (for example, tax records) or to protect our legal interests.

12. Cookies and similar storage

ChatBridge uses cookies and similar browser storage strictly for the following purposes:

  • Strictly necessary — session cookies set by Clerk to keep you signed in and to protect against cross-site request forgery.
  • Preferences — local storage to remember your theme preference (light, dark, or system).

We do not use advertising or cross-site tracking cookies. We do not use third-party analytics that profile individual users.

13. Your rights

Depending on your jurisdiction (POPIA in South Africa, GDPR in the EU, UK GDPR in the UK, and similar laws elsewhere) you have rights which may include:

  • Access — to confirm whether we hold personal information about you and obtain a copy.
  • Correction — to ask us to correct inaccurate or incomplete data.
  • Deletion — to ask us to delete your data, subject to our legal retention obligations.
  • Restriction — to ask us to restrict certain processing.
  • Objection — to object to processing based on legitimate interests.
  • Portability — to receive your data in a structured, commonly used, machine-readable format.
  • Withdrawal of consent — for any processing that relies on your consent.

To exercise any of these rights, email chatbridge@stripedape.tech. We will respond within the time required by applicable law (within one month under GDPR; within a reasonable period under POPIA).

You also have the right to lodge a complaint with a supervisory authority — in South Africa, the Information Regulator (inforegulator.org.za); in the EU, your local data protection authority; in the UK, the Information Commissioner's Office.

14. Security

We use reasonable and appropriate technical and organisational measures to protect personal information against accidental or unlawful loss, alteration, disclosure, or access. These include encryption in transit (TLS), encryption at rest, role-based access to production systems, audit logging, dependency scanning, and a principle of least privilege for employees and contractors.

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

15. Data breaches

In the event of a personal-information breach that is likely to result in risk to you, we will notify you and the relevant supervisory authority within the timeframes required by applicable law (without undue delay and, under POPIA and GDPR, generally within 72 hours of becoming aware of the breach where feasible).

16. Children

The Service is not directed to children and we do not knowingly collect personal information from anyone under 18. If you become aware that a child has provided personal information to us, please contact us and we will delete it.

17. Changes to this policy

We may update this policy from time to time. If we make material changes, we will announce them by email or by a notice in the app at least 14 days before they take effect. The "Effective" date at the top of this page indicates when the current version was last updated.

18. Contact

1370 (Pty) Ltd, South Africa. chatbridge@stripedape.tech.