Legal
Privacy Policy
Last updated: 12 June 2026 (rev 5) · Aligned with UU PDP 27/2022 (Indonesia) and GDPR data-minimization principles.
The short version
- What we keep
- Your account, encrypted WhatsApp session credentials, message delivery logs, contacts you import, synced chats you request, and media you choose to send.
- What we purge
- The automatic contact cache created by the WhatsApp library is purged every hour. Contacts you intentionally import remain until you delete them.
- What we never do
- Sell data, share with advertisers, or use message content to train AI models.
- Where it lives
- Self-hosted PostgreSQL on Lintasarta Cloudeka (Indonesia), Redis, and Cloudflare R2 for media object storage.
1. Who is collecting your data
Shiftwa.id is operated by Arsyaddev (Indonesia). For the purposes of UU PDP 27/2022 we are the Pengendali Data Pribadi (data controller) for account data you submit and the data your WhatsApp sender accounts generate while paired with our gateway. For GDPR purposes this policy describes processing in our Indonesia-region database on Lintasarta Cloudeka.
2. Data we collect
Account data
Email address and an Argon2id-hashed password for sign-in, optional Telegram chat ID once you link the operator bot, and your tier + notification preferences. We never store the plaintext password.
WhatsApp session credentials
When you pair a WhatsApp number by scanning the QR code the underlying Signal-protocol keys are stored in our database so the session can stay online. These credentials are not human-readable and are never shown back to you or any third party. They are deleted when you remove the sender or close your account.
Message delivery logs
For every message you send through the API we record: recipient phone number (the one your code supplied), routing decision (which sender was picked), delivery status, timestamp, and latency. Message bodies are retained briefly for delivery troubleshooting and then dropped on the schedule below.
Media uploads
If you send an image, document, video, or audio file, the file is uploaded directly from your browser or system to Cloudflare R2 using a short-lived upload URL. We store the object key, MIME type, size, and optional original filename so the gateway can deliver it and so you can inspect the message later.
Operational telemetry
Aggregated daily counts per sender and per status (used for the dashboard charts). API key fingerprints and last-used timestamps. Session connect / disconnect events for alerting.
3. Intentional data and automatic cache
Shiftwa stores contacts when you intentionally add them, import a CSV or spreadsheet, or use the contact-import feature from a connected phone. You control those contact lists and can remove them from the dashboard.
Separately, the WhatsApp library creates an automatic cache of names and JIDs it observes. A scheduled job truncates the underlying whatsmeow_contacts table every hour. Product contact lists do not depend on that automatic cache.
We also don’t collect: IP addresses for analytics, browser fingerprints, third-party advertising IDs, or any data about your message recipients beyond what you submit or explicitly choose to import or sync.
4. Why we collect each thing (lawful basis)
- Account data — performance of contract (signing you up and giving you a dashboard).
- WhatsApp session credentials — performance of contract (keeping your sender online so we can deliver the messages you ask us to).
- Message delivery logs — legitimate interest (delivery audit, billing accuracy, operator visibility) plus contract performance.
- Operational telemetry — legitimate interest (capacity planning, abuse detection, incident response).
5. How long we keep things
The retention periods below are our current default. Specific numbers may be adjusted following the final legal review noted above — if they tighten, your existing data is purged on the new schedule.
- Active account data: for the lifetime of your account.
- Closed account: identifying fields are deleted within 30 days. Aggregated, non-identifying counts may persist for operational health.
- Message bodies: follow the active plan's retention window, from 7 days on Free to 365 days on Business Max, then are removed from the live log while delivery metadata remains for audit.
- Imported contacts: until you remove the contact or contact list, close the account, or request deletion.
- Synced CS conversations: follow the per-number auto-delete setting where configured. Delivery metadata may remain for audit.
- Unsent media uploads: 24 hours, then deleted from Cloudflare R2 and from our upload tracking table.
- Sent media: follows the same retention posture as message bodies unless you delete it earlier.
- Message metadata: 12 months on the live log; daily aggregates kept up to 24 months for the dashboard.
- WhatsApp session credentials: until you remove the sender or it is logged out from the phone side, then purged within 24 hours.
- Telegram link tokens: 1 hour TTL; expired tokens are swept hourly.
- whatsmeow_contacts (third-party PII cache): purged every hour. Effective retention is the cron interval.
6. Who we share it with
We don’t sell your data. We don’t share it with advertisers. We don’t use message content to train AI models. Production data lives on PostgreSQL infrastructure that Shiftwa operates directly — no managed-database vendor holds your records. The third parties that do see slices of your data to operate the service:
- Resend — transactional email (verification, operator alerts) by recipient email only.
- Telegram Bot API — operator alerts to chats you opt into. We only post message status, never the bodies you send through the gateway.
- Meta / WhatsApp — your paired numbers are connected to WhatsApp itself. Their privacy practices govern what they do with delivery metadata on their end.
- Payment gateway (Duitku or Midtrans) — only when you initiate a paid upgrade. Receives your account email, the invoice amount, and our internal order ID so it can collect the payment and notify us when it settles. Never sees the recipient phone numbers, message bodies, or your API keys.
- Cloudflare R2— media object storage for files you choose to send. Objects are encrypted at rest and downloaded through Shiftwa's authenticated API proxy.
Our development and staging environments use a managed PostgreSQL provider (Neon) for engineering convenience. By internal policy real customer data never lands there — only synthetic test data generated by the engineering team.
If we add a new sub-processor we will update this list before routing data through it.
7. Your rights
Under UU PDP and GDPR you have the right to access a copy of your data, correct inaccuracies, request deletion, restrict or object to processing, and request portability. Most of these are one click away in your dashboard (settings → close account triggers a full deletion run). For anything else, email support@shiftwa.dev with the email address on your account and we’ll act within 14 days.
8. Security
Passwords are hashed with Argon2id. WhatsApp session credentials and refresh tokens are stored as hashes or library-managed encrypted blobs. All connections to Shiftwa and to our sub-processors are over TLS. Database access is restricted to the backend service identity. Operator alerts are routed through channels you explicitly opt into.
We don’t claim perfect security — no one can — but if we ever detect unauthorized access to your account or data we’ll notify you within 72 hours of discovery, as required by UU PDP.
9. Changes to this policy
If we materially change how we process your data we’ll bump the “Last updated” date at the top and email account holders before the change takes effect. Earlier versions can be requested at the same address as for any other data request.
10. Contact
Privacy questions, data requests, or DPO contact: support@shiftwa.dev. General support lives on the contact page.