Privacy Policy

We collect the following information depending on context:

• Account data: name, email address, phone number, and password of users who register on the platform.
• Business data (tenant): company name, industry, billing information, and bot configuration.
• End-user data: phone numbers, names, WhatsApp messages, and AI-extracted information (key facts) from conversations with your bots. This information is processed on behalf of your business (you are the controller; we are the processor).
• Engagement data: email open events, link click events, and per-contact engagement scores generated when you send email campaigns through the platform. See §6 below.
• Usage data: API logs, conversation metrics, response times, and technical device information.

Controller vs Processor: for data your bots collect from your end users, you are the data controller and OpenedLink is the data processor. For data we hold about you as a platform customer, OpenedLink is the controller.

We use the collected information to:

• Provide, maintain, and improve OpenedLink services.
• Process WhatsApp conversations through AI models (Anthropic's Claude).
• Send notifications, reminders, and email campaigns on your behalf to your customers.
• Generate analytics and reports on your bots' performance.
• Fulfill legal obligations and prevent fraudulent use.
• Send you communications about the service, updates, and billing.

We process data based on:

• Contract performance (GDPR Art. 6(1)(b)): to provide the services you contracted.
• Legitimate interest (Art. 6(1)(f)): to improve security, detect fraud, optimize the platform, and (for B2B email campaigns to existing customers) to measure engagement.
• Consent (Art. 6(1)(a)): for marketing communications, optional features (analytics cookies, per-broadcast tracking opt-in), and any processing of special-category data (Art. 9(2)(a)) — e.g. health-adjacent context disclosed in conversation when the bot is configured for a clinical or wellness vertical.
• Legal obligation (Art. 6(1)(c)): where applicable law requires it (audit log retention, sub-processor change notification, breach reporting, Art. 13(2)(f) automated-decision-making transparency).

For end users in jurisdictions with telephone-marketing rules (US TCPA, CAN-SPAM, CASL), we maintain a prior-express-consent audit trail for every WhatsApp opt-in / opt-out event in our consent-events tables — see §6 (engagement tracking) and §9 (your rights) for the demonstrability detail.

We do not sell your personal information. We share data only with the third-party sub-processors listed at openedlink.com/legal/sub-processors. That list is kept current per GDPR Art. 28(2) and includes AI inference (Anthropic, OpenAI), email delivery (Brevo), cloud infrastructure (Google Cloud Platform), messaging (Meta WhatsApp), payment processing (Paddle), and BI tooling (Metabase). Each sub-processor is governed by a Data Processing Agreement (DPA). Material sub-processor changes are notified to customers 30 days in advance.

Cross-border transfers:

• United States destinations (Anthropic, Google Cloud Platform, OpenAI, Meta) — primary mechanism: EU-US Data Privacy Framework (DPF) adequacy decision (Commission Implementing Decision (EU) 2023/1795). Each US sub-processor we use is DPF-certified. Fallback: Standard Contractual Clauses (SCCs) Module 2 or 3 executed with each sub-processor.
• United Kingdom destination (Paddle, our payment provider) — UK GDPR Art. 45 adequacy decision in force since 2021-06-28. SCCs / IDTA fallback documented.
• Intra-EEA destinations (Brevo) — no cross-border safeguards required.

We have completed a Schrems II Transfer Impact Assessment per EDPB Recommendations 01/2020 evaluating destination-country legal regimes and identifying supplementary technical, contractual, and organisational measures (TLS 1.3 in transit, AES-256-GCM at rest, identifier pseudonymisation, no-training tier enforcement on AI inference, transient retention, logging redaction).

We do NOT allow our AI sub-processors (Anthropic, OpenAI) to use your conversations or content to train their models. Non-training tier enforcement is contractually required and verified by an automated CI gate against the platform's source code.

Your data is stored on Google Cloud Platform servers located in the United States (us-central1, Iowa). We implement security measures including:

• AES-256-GCM encryption for sensitive credentials (WhatsApp tokens, API keys, MFA secrets).
• HTTPS/TLS 1.3 connections for all communications.
• Automatic daily backups with 30-day retention.
• Role-based access control + JWT authentication + mandatory MFA for platform admins.
• Audit log immutability per Art. 5(2) demonstrability — a Postgres trigger rejects UPDATE / DELETE / TRUNCATE on the audit log.
• Activity monitoring and security alerts.

Breach notification: no system is 100% secure. In the event of a personal-data breach affecting your data, we will (1) within 72 hours of discovery, notify you via the in-app security-notice banner that mounts at the top of the admin panel; acknowledging the banner records your acknowledgement to the audit log per Art. 5(2); (2) within 72 hours where required by Art. 33(1), notify the competent supervisory authority; (3) without undue delay where required by Art. 34(1), notify affected end users when the breach is likely to result in a high risk to their rights and freedoms.

When you (as a tenant) send email campaigns through OpenedLink, we embed a 1×1 tracking pixel and rewrite outbound links through our redirect endpoint to capture open events and click events per recipient.

Legal basis per recipient category: Art. 6(1)(f) legitimate interest for B2B / existing-customer recipients; Art. 6(1)(a) consent for marketing recipients (cold outreach, opt-in lists).

No third-party tracking: events terminate at our own redirect endpoint, not Brevo's tracking system or any analytics vendor. The IP address is captured only for fraud detection (not stored long-term).

Recipient rights: every email includes a one-click unsubscribe link (List-Unsubscribe header per RFC 8058 + visible footer link). Unsubscribing removes the recipient from future sends and writes a row to our opt-out audit table.

WhatsApp messaging: every opt-in and opt-out (whether the recipient texts STOP, you mark them opted-out from the admin panel, or Meta returns a 131047/131049 policy error) writes to the contact_opt_out_events table and updates the contact's opted-out-channels array atomically — preventing further sends to that channel until the recipient re-affirms consent. This is the demonstrability record for TCPA prior-express-consent + GDPR Art. 7(1) requirements.

OpenedLink bots may perform automated processing that materially affects you. Where that processing produces decisions with legal effects or that similarly significantly affect you, GDPR Article 22 grants you specific rights.

The platform supports several tool categories that bot operators can enable:

• Lead qualification / scoring — informational classification, reviewed by a human operator. Does NOT trigger Art. 22(1).
• Auto-handoff — routing decision to a human operator. Does NOT trigger Art. 22(1).
• Auto-decline / auto-disqualification — when a tenant configures the bot to NOT follow up with you based on automated classification (no human review). TRIGGERS Art. 22(1).
• Auto-grant / price-setting — when a tenant configures the bot to grant or deny a discount, extend a trial, or set a credit limit based purely on the bot's classification. TRIGGERS Art. 22(1).

When you interact with a bot that has Art. 22-triggering automation configured, the bot's WhatsApp profile description AND the bot's identity prompt include an explicit notice. You can also ask the bot directly whether automated decisions are being made about you.

Your rights under Art. 22(3): you have the right to (1) request human review — a person at the tenant's company examines and re-evaluates the bot's decision; (2) express your point of view — explain context the bot may have missed; (3) contest the decision — formally challenge the outcome.

How to exercise: email privacy@openedlink.com stating the bot you interacted with + the decision you wish to contest, OR use the DSAR form at /privacy/dsar (Automated decision review option). The conversation transcript + the bot's classification are preserved and can be exported under your Art. 15 access rights.

What we do NOT do: we do NOT sell your conversation transcripts; we do NOT use your conversations to train AI models; we do NOT make automated decisions about credit, employment, or insurance.

Per-tenant variation: different tenants configure their bots differently. The disclosures above describe what the platform supports; the specific decisions a particular bot makes are surfaced in the bot's identity prompt + profile description, and in the tenant's own privacy notice.

We retain your data for as long as necessary to provide the service. Highlights:

• Active account data: while the subscription is active.
• Conversations and messages: 24 months from last activity (per tenant configurable).
• System logs: 90 days.
• Audit log: 1825 days (5 years; immutable, append-only per Art. 5(2)).
• Billing data: 7 years per legal requirements.
• Visitor cookie consent records (public site): 730 days (≈24 months) from the date you gave consent. Admin-panel consent records follow the admin-user account lifecycle.

You may request deletion of your data at any time. We will proceed within 30 days (subject to Art. 17(3) limitations + the audit log immutability where the rows reference legitimate-interest enforcement events).

Under GDPR + applicable equivalent legislation in your jurisdiction (LGPD in Brazil, LFPDPPP in Mexico, Decreto 1377 in Colombia), you have the right to:

• Access (Art. 15) — request a copy of the data we hold about you, including the data fed to and the output of any automated decision-making (Art. 22) processing.
• Rectification (Art. 16) — correct inaccurate or incomplete data.
• Erasure (Art. 17) — request deletion of your data ("right to be forgotten"). Subject to Art. 17(3) exceptions.
• Portability (Art. 20) — receive your data in a structured, machine-readable format.
• Objection (Art. 21) — object to processing your data for marketing purposes; this triggers immediate cessation of marketing sends to you.
• Restriction (Art. 18) — request that we limit processing in certain cases (contested accuracy, unlawful processing you don't want erased, retention for legal claims, pending objection resolution). When restriction is in force, we mark the affected records read-only via an immutable audit-log entry.
• Not be subject to automated decisions (Art. 22) — see §7 above.
• Withdraw consent (Art. 7(3)) — for any consent-basis processing, including the analytics cookie tier and marketing communications. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at contact@openedlink.com or use the DSAR form at /privacy/dsar. We will respond within 30 days. Per Art. 7(1), we maintain a demonstrability record of every consent capture and every opt-in/opt-out event — see §6 for the marketing/messaging audit trail.

We use a tiered consent model: strictly-necessary cookies are always on (JWT session, CSRF, OAuth state); analytics + marketing tiers require explicit opt-in via the cookie banner.

The full list of cookies — names, lifetimes, providers, and per-tier breakdown — is at openedlink.com/legal/cookie-policy.

We do NOT use third-party advertising cookies or visitor-tracking tools (no Google Analytics, Hotjar, Mixpanel, PostHog, etc.). You can configure your browser to reject cookies, although this may affect the functionality of the admin panel — disabling strictly-necessary cookies will prevent the platform from working.

We may update this Privacy Policy periodically. We will notify you by email about material changes with at least 15 days notice. Continued use of the service after the effective date implies acceptance of the new policy.