Privacy Policy
Effective date: February 25, 2026
1. Introduction
Dualhook is operated by WADA ("we", "us", "our"), the company that owns dualhook.com. We provide a privacy-first WhatsApp coexistence configuration service that enables businesses to use the WhatsApp Mobile App and Cloud API together by routing message webhooks directly to your server.
Our core principle is simple: we never see your messages. Meta delivers webhooks directly to your endpoint via Webhook Override. We store only the configuration data needed to set this up.
For any questions about this policy or your data, contact us at contact@dualhook.com.
2. Data We Collect and Store
We collect and store only the minimum data required to operate the service:
Organization Data
Organization identifiers synced from our authentication provider (Clerk). We store only the organization ID and timestamps.
Connection Configuration
When you connect a WhatsApp Business Account, we store:
- WhatsApp Business Account ID
- Phone Number ID and Business ID
- Access token (for Meta API calls on your behalf)
- Your webhook URL and verify token
- Connection status and error information
Subscription and Billing Data
We store Stripe subscription metadata: subscription ID, customer ID, plan tier, subscription status, and billing period dates. Payment methods and card details are stored by Stripe, not by us.
Webhook Event Metadata
We log management events from Meta (such as template status updates, phone number quality changes, and account updates). We store only the event type, associated IDs, and delivery status. No message content is ever stored or processed.
Template Metadata
Message template information synced from Meta: template name, language, approval status, category, and structural components.
Health Check Data
Phone number health status, quality rating, and account mode as reported by the Meta API.
Website and Product Analytics
We use Umami (cloud.umami.is) for privacy-focused analytics on our marketing pages and authenticated dashboard pages. This includes page views and basic session/device metadata provided by the Umami tracker.
On dashboard pages, we may attach a pseudonymous internal user identifier (your Clerk user ID) and limited session metadata (such as role) to help us troubleshoot account and configuration issues. We do not send names, email addresses, phone numbers, or WhatsApp message content to Umami.
3. Data We Do NOT Collect
We do not store, read, intercept, or log:
- WhatsApp message content (text, images, videos, documents)
- Conversation data or contact lists
- Media files of any kind
- End-user personal data from your WhatsApp conversations
Our Webhook Override architecture means messages flow directly from Meta to your server. Dualhook is never in the message path.
4. Third-Party Services
We use the following third-party services, each with its own privacy policy:
- Clerk (authentication) — Manages user accounts, passwords, sessions, and email addresses. We do not store passwords or user profile data ourselves.
- Stripe (billing) — Processes payments and stores credit card information. We store only Stripe IDs and subscription metadata.
- Meta / WhatsApp (API) — We interact with the Meta Graph API to configure WhatsApp Business accounts on your behalf. Access tokens are stored to make API calls. Meta's privacy policy applies to data processed through their platform.
- Turso (database hosting) — Hosts our database infrastructure. They process data on our behalf as a data processor.
- Umami Cloud (analytics) — Provides privacy-focused website and product analytics for our marketing and dashboard pages. For authenticated dashboard sessions, we may send a pseudonymous internal user identifier (Clerk user ID) and limited non-sensitive session metadata (for example, role) for support and troubleshooting.
5. Cookies
We use essential cookies set by Clerk for authentication sessions and a first-party dashboard navigation cookie to remember the last active connection. We also use Umami for privacy-focused analytics on marketing and dashboard pages.
In our current Umami configuration, we do not use analytics cookies. We do not use advertising or marketing cookies.
6. Data Retention
Connection data and operational metadata are retained while your account is active. Workspace admins can configure operational retention in the Dashboard > Compliance section. Available retention windows are 7, 30, or 90 days for webhook logs and health checks.
Upon account deletion or a valid erasure request, we delete associated connection data and operational metadata from our systems, except where limited retention is required for legal, security, fraud prevention, or financial recordkeeping obligations.
7. Data Deletion Instructions (Meta App Review)
For data deletion requests related to Dualhook and WhatsApp integration, email contact@dualhook.com with the subject line "Data Deletion Request - Dualhook".
Please include the organization/workspace identifier and, if applicable, your WhatsApp Business Account ID or Phone Number ID so we can locate records quickly.
We verify request authority, process valid deletion requests within 30 days, and send confirmation once deletion is completed. If Dualhook does not control a specific dataset (for example, message content on Meta infrastructure), we will identify the correct controller.
8. Compliance Controls
Dualhook includes built-in controls designed for compliance workflows:
- Configurable retention settings for webhook logs and phone health checks in Dashboard > Compliance.
- CSV export of webhook delivery logs for audit and incident review.
- Organization-scoped access controls and metadata isolation per workspace.
- Privacy-first architecture where message content is not proxied or stored by Dualhook.
9. Your Rights Under GDPR
As an EU-based service, we comply with the General Data Protection Regulation (GDPR). You have the following rights regarding your personal data:
- Right of Access — Request a copy of all personal data we hold about you.
- Right to Rectification — Request correction of inaccurate data.
- Right to Erasure — Request deletion of your data ("right to be forgotten").
- Right to Data Portability — Request your data in a structured, machine-readable format.
- Right to Restriction — Request restriction of processing of your data.
- Right to Object — Object to processing of your data.
- Right to Withdraw Consent — Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at contact@dualhook.com. We will respond within 30 days.
10. Data Security
All connections to our service use HTTPS. Access to data is restricted to authenticated organization members via Clerk. Database access is scoped per-organization to enforce multi-tenant isolation.
11. International Data Transfers
Your data may be processed in regions where our infrastructure providers (Turso, Clerk, Stripe, and Umami Cloud) operate. These providers maintain appropriate safeguards for international data transfers in compliance with GDPR requirements.
12. Children's Privacy
Dualhook is a business-to-business service not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated effective date. We encourage you to review this page periodically.
14. Contact
WADA (owner and operator of Dualhook and dualhook.com) is responsible for this policy. For any questions about this privacy policy or your personal data, contact us at contact@dualhook.com.