WHATSAPP DATA POLICY

WhatsApp data handling.

How we process, store, and protect data from WhatsApp Business API conversations.

What data we receive from WhatsApp

When a customer messages your business via WhatsApp, the WhatsApp Business Cloud API sends us:

  • Phone number of the sender (in international format)
  • Display name (as set by the user in their WhatsApp profile)
  • Message content (text messages only — we do not process images, video, audio, or documents)
  • Timestamp of each message
  • WhatsApp message IDs (for delivery tracking and read receipts)

We do not receive or store WhatsApp profile photos, status updates, contact lists, or group membership information.

How we use this data

WhatsApp conversation data is used exclusively to:

  • Power the AI agent — message content is sent to the configured LLM (e.g., OpenAI GPT, Anthropic Claude, xAI Grok) to generate responses
  • Build conversation memory — rolling summaries are created so the agent remembers context across sessions
  • Extract user profiles — name, preferences, and purchase history are extracted to personalise future interactions
  • Display in the dashboard — conversations are visible to the business owner in their Cyrus dashboard for review and human takeover
  • Generate analytics — aggregated, anonymised metrics (conversation volume, resolution rate, response time) are shown in the analytics dashboard

We do not use WhatsApp data for advertising, sell it to third parties, or use it to train our own AI models.

Data storage and retention

  • Message content — stored in our PostgreSQL database, encrypted at rest, retained for the lifetime of the business account. Deleted within 90 days of account closure.
  • Session memory — stored in Redis with a 7-day TTL. Automatically expires.
  • Conversation summaries — stored in PostgreSQL alongside the conversation record.
  • Phone numbers — stored as the external_user_id for the conversation. Used to link conversations across sessions.

Sub-processors

WhatsApp message content is processed by these third-party services:

Service                      Purpose                  Data shared
Meta (WhatsApp Cloud API)    Message delivery         Messages, phone numbers
OpenAI / xAI / Anthropic     AI response generation   Message content (no phone numbers)
Hetzner Cloud                Infrastructure hosting   All data (encrypted at rest)
Redis (self-hosted)          Session memory           Conversation context (7-day TTL)

Security measures

  • All WhatsApp webhook payloads are verified using HMAC-SHA256 signature validation
  • TLS encryption in transit for all API communications
  • Channel credentials (WhatsApp tokens) are encrypted using Fernet symmetric encryption
  • Row-level tenant isolation — each business can only access their own conversations
  • API keys with domain restrictions for widget embeds
  • Rate limiting per API key and per IP address

User rights and data deletion

Business owners can:

  • View all WhatsApp conversations in their dashboard
  • Export conversation data via API
  • Delete individual conversations
  • Request full account deletion (all data removed within 90 days)

End users (WhatsApp customers) can request data deletion by contacting the business directly, or by emailing [email protected].

WhatsApp Business Policy compliance

Cyrus complies with the WhatsApp Business Policy and the WhatsApp Business Solution Terms. Specifically:

  • We only send messages within the 24-hour customer service window unless using approved templates
  • We do not send spam, bulk unsolicited messages, or prohibited content categories
  • We display opt-out instructions when required
  • We do not share WhatsApp user data across unrelated business accounts

Questions about WhatsApp data handling?
Email [email protected] or [email protected]. We respond within 48 hours.

Last updated: May 2026