Privacy Policy

Effective date: June 30, 2026

This policy explains how WADA BV, trading as Dualhook, handles personal data when you use Dualhook. It should be read with our Terms, DPA, Subprocessors page, and Security / TOMs annex.

1. Who We Are

Dualhook is operated by WADA BV, Sint-Paulusplaats 10, 2000 Antwerpen, Belgium. VAT number: BE0786.772.938. Enterprise number: 0786.772.938.

We have not appointed a Data Protection Officer. Privacy, legal, and data deletion requests can be sent to contact@dualhook.com.

2. Our Role

Dualhook acts as a controller for data we use to run our business and service, including account administration, billing, support, security, fraud prevention, legal compliance, service analytics, and administrative communications.

Dualhook acts as a processor where we process customer-controlled operational data through the service on your behalf, such as connection configuration, webhook metadata, health checks, template metadata, audit logs, support attachments, and customer-supplied operational metadata.

You remain the controller, or processor acting for your own controller, for WhatsApp end-user data, Meta assets, contact lists, opt-ins, opt-outs, notices, message handling, downstream systems, and business decisions about your WhatsApp use.

3. Data We Process

  • Account and organization data: Clerk user and organization identifiers, email addresses, roles, membership metadata, and session data.
  • Connection configuration: WABA ID, phone number ID, business ID, webhook URL, verify token, access token, connection status, and error metadata.
  • Operational metadata: webhook event type, associated IDs, delivery status, trace IDs, timestamps, error messages, health-check results, quality/account status, and template metadata.
  • Billing data: Stripe customer, subscription, invoice, payment status, tax/VAT, and billing profile metadata. Card details are handled by Stripe.
  • Support data: support tickets, messages, user/admin metadata, and uploaded attachments.
  • Email data: recipient email address, subject, delivery metadata, rendered email snapshot, and related log data for service, support, billing, lifecycle, announcement, and alert emails.
  • Analytics data: website and dashboard page views, basic session/device metadata, and limited pseudonymous dashboard metadata described below.

4. WhatsApp Message Content

In the standard Webhook Override flow, message-path webhooks are routed by Meta to the endpoint you configure. Dualhook is not a shared inbox or message-storage layer, and the service is designed so that Dualhook does not store WhatsApp message content as product data.

If you connect downstream tools such as CRMs, automation platforms, inboxes, or data warehouses, those tools become part of your own processing environment. You are responsible for their notices, security, retention, and lawful basis.

5. How We Use Data

  • Provide, operate, monitor, secure, troubleshoot, and support Dualhook.
  • Authenticate users, enforce organization boundaries, manage roles, and protect against unauthorized access.
  • Configure and maintain WhatsApp webhook routing, template-related workflows, health checks, operational alerts, and exports.
  • Bill customers, manage subscriptions, issue invoices, process payments, collect taxes, and enforce plan limits.
  • Send mandatory service notices such as support, billing, payment, subscription, and account-access emails.
  • Send optional lifecycle nudges, product/admin announcements, and critical alerts according to your email preferences.
  • Analyze aggregate and pseudonymous usage patterns to improve reliability, product quality, and support.
  • Comply with legal obligations, resolve disputes, prevent fraud or abuse, and enforce our Terms.

6. Legal Bases

Where GDPR or similar law applies and Dualhook acts as controller, we rely on contract performance for account, subscription, support, and service operation; legitimate interests for security, fraud prevention, service analytics, product improvement, and non-invasive administrative communications; legal obligation for tax, accounting, sanctions, and compliance records; and consent where legally required.

Where Dualhook acts as processor, we process personal data under your instructions and the Data Processing Addendum.

7. Cookies and Analytics

We use essential cookies and similar technologies for authentication, security, session management, and dashboard preferences. Clerk sets authentication/session cookies. Dualhook also uses a first-party dashboard navigation cookie to remember the last active connection.

We use Umami Cloud for privacy-focused analytics on marketing and dashboard pages. In our current configuration, Umami does not use analytics cookies. We process page views and basic session/device metadata. On authenticated dashboard pages, we may attach a pseudonymous Clerk user ID and limited role metadata for support and troubleshooting. We do not send names, email addresses, phone numbers, or WhatsApp message content to Umami.

The dashboard loads the Meta / Facebook SDK to support WhatsApp Embedded Signup and related Meta integration flows. That SDK may interact with Meta services according to Meta's own terms and privacy notices. We do not use advertising or marketing cookies in Dualhook.

8. Email Preferences

Some emails are necessary service emails and cannot be disabled from the dashboard, including support, billing, payment, subscription, and account-access notices.

Organization admins can manage optional lifecycle/setup nudges, product/admin announcements, and critical connection/platform alerts from Dashboard > Compliance. Optional emails also include signed unsubscribe links for the relevant organization and category. Heartbeat reminder emails are managed per connection from the connection Overview tab.

9. Retention

Workspace admins can configure retention for webhook logs and health checks in Dashboard > Compliance. Available retention windows are 7, 30, or 90 days.

Support attachment blobs are deleted 7 days after a support ticket is closed, after which related attachment metadata may remain only as needed for the ticket record.

Other account, billing, security, support, and audit records are kept for as long as reasonably needed to provide the service, comply with legal obligations, resolve disputes, prevent fraud or abuse, enforce our Terms, and maintain backups.

Billing, invoice, tax/VAT, subscription, payment-status, credit-note, and related accounting records may be retained after an account or organization is deleted where needed for tax, accounting, fraud-prevention, dispute, chargeback, audit, or legal obligations. We limit retained financial records to billing/accounting facts and payment metadata; payment card details are handled by Stripe.

You can request deletion by emailing contact@dualhook.com. We will delete data Dualhook controls unless retention is required for legal, billing, security, fraud-prevention, dispute, audit, or backup reasons.

10. Subprocessors and Transfers

We use subprocessors listed on our Subprocessors page to provide authentication, hosting, database, email, analytics, support storage, and billing services. The list includes links to provider legal or trust materials where public.

Data may be processed outside your country or region. Where required, we rely on provider DPAs, Standard Contractual Clauses, transfer safeguards, and other lawful transfer mechanisms described in the DPA and provider materials. We do not claim exclusive EU-region data residency.

11. Security

We apply technical and organizational measures described in our Security / TOMs annex, including authentication, organization-scoped access controls, encrypted connection secrets, private support attachment storage, webhook validation, rate limits, logging, and configurable retention for operational logs.

12. Your Rights

Depending on your location and the data involved, you may have rights to access, correct, delete, restrict, object to, or port personal data, and to lodge a complaint with a supervisory authority.

If your request relates to data we process as your processor, we may ask you to use your organization admin account or direct the request to the relevant customer controller. If your request relates to data we control, contact us at contact@dualhook.com.

13. Changes

We may update this policy as Dualhook, our providers, or legal requirements change. If we make material changes, we will take reasonable steps to notify customers, such as posting an updated policy or sending an administrative notice.