Privacy Policy

Last updated: April 28, 2026

1. Introduction

Lagash Ltd (company number SC826467), operating WhatsSMS.io (https://whatssms.io), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service.

2. Data We Collect

We collect the following types of data:

  • Account Data: Name, email address, phone number, and password when you register
  • Messaging Data: Messages sent and received through our platform, contact lists, and communication logs
  • Device Data: Information about connected Android devices and WhatsApp accounts
  • Usage Data: How you interact with our platform, features used, and activity logs
  • Payment Data: Billing information processed securely through third-party payment providers
  • API Keys: Third-party AI provider API keys you provide for chatbot functionality

3. How We Use Your Data

We use your data to:

  • Provide and maintain our service
  • Process and deliver messages on your behalf
  • Manage your account and subscription
  • Process payments and affiliate commissions (including attributing referrals using cookies as described in our Cookies section)
  • Communicate with you about your account and service updates
  • Improve our service and develop new features
  • Comply with legal obligations

4. Processing of Shopify Merchant Data

When a merchant installs the WhatsSMS.io Shopify application from the Shopify App Store,Lagash Ltd processes Shopify merchant data as a processor, or sub-processor where applicable, on behalf of the merchant who operates the Shopify store. We process this data only to provide the Shopify app functionality selected by the merchant.

Categories of Shopify data may include shop domain, OAuth access data needed to operate the integration, order and checkout identifiers, order financial and fulfillment fields, line items, and customer, shipping, or billing contact fields such as name, email, phone number, and address when those fields are included in Shopify payloads sent to the app.

We use Shopify data to provide app configuration, message templating, merchant-configured automations, COD confirmation workflows, delivery logs, and Shopify compliance webhooks. We do not sell Shopify order or customer personal data.

Shopify access tokens and WhatsSMS API secrets are stored server-side. Merchants enter their WhatsSMS API key into the embedded Shopify app; the key is encrypted at rest on our app servers and is not intentionally exposed to the merchant browser after submission.

Sub-processors for the Shopify app include hosting and infrastructure providers used to run the Shopify app, database services used by the app, and the WhatsSMS API hosted at https://app.whatssms.io or another configured WhatsSMS API host, as needed to deliver messaging features.

Shopify data may be processed in the United Kingdom and in other countries where our infrastructure providers operate. Where required, we use appropriate safeguards for international transfers.

For data subject requests involving Shopify store data, buyers should contact the Shopify merchant first because the merchant is the controller for that store data. Merchants can contact us at [email protected] so we can assist with access, deletion, or other lawful requests related to the app.

The Shopify app receives and processes Shopify mandatory compliance webhooks including customers/data_request, customers/redact, and shop/redact. We use these webhooks to provide relevant stored app data, delete or anonymize customer references, and delete shop-scoped app data within Shopify's required timeframe.

5. Data Storage and Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. Your data is stored on secure servers and encrypted in transit using TLS. API keys are stored in encrypted format.

6. Third-Party Services

We use third-party services for payment processing, AI functionality, and analytics. These services have their own privacy policies. When you provide AI API keys, your messages may be processed by your chosen AI provider according to their terms.

7. Your Rights (GDPR)

Under GDPR and applicable data protection laws, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request deletion of your data
  • Restrict processing of your data
  • Data portability
  • Object to processing
  • Withdraw consent at any time

To exercise any of these rights, contact us at [email protected].

8. Cookies

We use essential cookies required for the service to function. When someone visits WhatsSMS.io through an affiliate referral link, we may set a first-party cookie to record which affiliate referred them; that cookie typically lasts for 90 days so that a later sign-up can be attributed fairly. This is operational attribution, not third-party advertising. Analytics, if used, are privacy-focused and anonymized.

9. Data Retention

We retain your data for as long as your account is active or as needed to provide our service. After account deletion, we retain data for up to 30 days for recovery purposes, then permanently delete it unless required by law.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the service. The updated policy takes effect upon posting.

11. Contact

For privacy-related inquiries, contact us at [email protected] or by phone at +44 7770 649691.

Lagash Ltd, 23c Craigmount Place, Dundee, Scotland, DD2 4QJ · Company Number: SC826467