Privacy Policy
Asistn is a WhatsApp customer-service automation platform. We help business owners reply to customers on WhatsApp automatically with an AI assistant trained on their own brand voice. This policy explains what information we collect about you and about the customers who message your business, how we use it, who we share it with, and the choices and rights you have over it. We try to keep this readable — if anything is unclear, write to us at [email protected].
01 Who we are
"Asistn", "we", "us" or "our" refers to the operator of the Asistn service available at asistn.com. We are based in Indonesia. For purposes of data-protection law, Asistn acts as a data controller for the information we collect about our customers (business owners who sign up for an account) and as a data processor for the personal data that business owners route through our platform about their own customers (the "end users" messaging a business on WhatsApp).
If you are an end user trying to understand how the business you message uses Asistn, please contact that business directly — they are the data controller for your messages. We can also help; see section 16.
02 What we collect
We collect the following categories of information:
Account information
- Name, email address, and password (stored hashed) when you create an account.
- Business name, country, industry, and time zone when you complete onboarding.
- Profile photo or logo if you upload one.
WhatsApp Business connection
- WhatsApp Business Account ID, Phone Number ID and verified display name.
- The long-lived System User access token we use to send and receive messages on your behalf.
- Webhook secrets and verification tokens used to authenticate calls from Meta.
Customer (end-user) data routed through your account
- WhatsApp display name and phone number of each contact who messages you.
- The full content of inbound and outbound WhatsApp messages — text, media URLs, captions, message types, timestamps and delivery status.
- Customer attributes extracted by the AI: intent summary, lead status, scoring, ad source, language, and any fields you configure (e.g. address, order ID).
- Notes and labels you or your team add to a contact.
Generated content
- AI-generated draft replies, message suggestions and follow-up plans.
- Agent memory entries: short summaries the AI writes about a conversation so it can recall context next time.
- Quality scores and reflections the AI writes about its own performance.
Billing
- Plan, billing cycle and renewal date.
- Payment-method metadata (card brand, last four digits, expiry). Full card numbers are handled by our payment processor and never touch our servers.
- Invoices, tax IDs and billing addresses you provide.
Device, log and usage data
- IP address, browser type, operating system and approximate location (city / country) derived from your IP.
- Pages viewed, features used, buttons clicked, sessions and crash logs.
- API requests and webhook deliveries, with the corresponding response codes and latency.
Lead-magnet inputs
- If you use our free "System Prompt Generator", we collect the WhatsApp screenshots and/or transcripts you upload, plus the business name, WhatsApp number and industry you enter. We use those to generate your custom system prompt and to follow up with you about Asistn.
Communications with us
- Emails, chat messages and support tickets you send to us, including any attachments.
03 Why we process it
We use the data above to:
- Run the service. Send and receive WhatsApp messages on your behalf, generate AI replies, store and search conversation history, route conversations to team members, and deliver every feature listed in your plan.
- Improve your AI. Use your past conversations to give the AI context for new ones (memory, reflections, brand voice), and let you train or override prompts and tone.
- Bill you and fulfil our contract. Activate your plan, charge your card, send invoices, handle taxes, and manage renewals or cancellations.
- Protect the platform. Detect fraud, spam, abuse, brute-force log-in attempts and policy violations; investigate incidents; back up the database.
- Comply with law. Respond to lawful requests, enforce our Terms, meet WhatsApp Business policy, and keep records we are required to keep (e.g. invoicing, tax).
- Communicate with you. Send transactional emails (sign-up confirmation, password reset, billing receipts, security alerts) and — only with your opt-in — product updates, tips and announcements.
- Build aggregate insights. Compute platform-wide statistics in anonymised, aggregated form so we can improve the product. We do not share individual messages.
04 Legal basis (UU PDP, GDPR)
Where Indonesia's Law No. 27 of 2022 on Personal Data Protection (UU PDP), the EU GDPR, the UK GDPR, or similar regimes apply, we rely on the following bases:
| Basis | Where we use it |
|---|---|
| Contract | Providing the Asistn service to account holders, billing, and customer support. |
| Legitimate interest | Securing the platform, detecting abuse, debugging, and limited direct marketing of similar Asistn products to existing customers. |
| Consent | Lead-magnet form submissions, optional marketing email, and any sensitive processing we ever ask you to opt into. |
| Legal obligation | Tax, accounting, anti-fraud, and government data requests. |
You can withdraw consent at any time without affecting processing already carried out.
05 How AI uses your data
Asistn uses large language models to generate replies, summaries, scores and classifications. Here is exactly how that works:
- When a customer messages your business, we send the message — together with your system prompt, recent conversation history, agent memory entries and relevant knowledge-base snippets — to one or more model providers (see section 7) so they can generate a reply.
- Model providers process the data solely to return a response. We instruct them via the standard API not to log prompts for training, and we only work with providers that contractually agree to those terms.
- We do not use your customer messages to train our own models or to train any third-party model. Your data is not pooled across other Asistn customers.
- Within your own workspace, the AI does build memory from prior conversations so it can be useful next time. That memory stays in your workspace.
- AI output is generated automatically and can be wrong. Sensitive decisions (closing a sale, refunds, legal commitments) should be reviewed by a human. See our Terms.
- You can ask us to disable AI replies for an individual contact or for your whole workspace at any time from the settings page.
07 Sub-processors
A sub-processor is a vendor we trust to handle data on our behalf. We require each to sign a data-processing agreement, to encrypt data in transit and at rest, and to use the data only to perform the contracted service. Our current sub-processors are:
| Vendor | Purpose | Region |
|---|---|---|
| Meta Platforms (WhatsApp Business Cloud API) | Sending and receiving WhatsApp messages on your behalf | USA / global |
| Anthropic, OpenAI, Google AI, OpenRouter | LLM inference for AI replies, summaries and scoring | USA / EU |
| Manifest (manifest.build) | LLM routing and cost-tracking layer in front of the above | USA |
| Supabase / PostgreSQL hosting | Primary database for account, contacts, messages and settings | Singapore |
| Vercel | Web application hosting, edge functions and CDN | Global |
| Amazon Web Services / Cloudflare R2 | Object storage for media attachments and uploaded screenshots | Singapore |
| Resend | Transactional email delivery | USA |
| Stripe / Xendit | Payment processing and invoicing | USA / Indonesia |
| Sentry | Error monitoring and crash reporting | USA |
| PostHog | Self-hosted product analytics | EU |
We update this list when we add or change vendors. If you need a signed sub-processor list, copies of DPAs, or notice when we change vendors, email us.
08 International transfers
Some of the vendors above are based outside Indonesia. When we transfer personal data across borders, we rely on legally recognised mechanisms — Standard Contractual Clauses in the case of EU/UK transfers, and equivalent safeguards or your consent as required by UU PDP. We assess each vendor's protections before onboarding them and on a recurring basis afterwards.
09 Data retention
We keep data only as long as we need it:
| Category | Retention |
|---|---|
| Account data | For the life of your account, plus 30 days after closure. |
| WhatsApp conversation history | For the life of your account, unless you delete a conversation or trigger a workspace wipe. Default agent-memory entries are retained for 18 months and then summarised down. |
| Media attachments | 30 days from receipt (configurable per workspace; max 180 days). |
| Lead-magnet submissions | 24 months for follow-up, then deleted. |
| Billing & invoices | 10 years (Indonesian tax law) or as required locally. |
| Server & security logs | 90 days. |
| Backups | Encrypted backups for 35 days. Deleted records age out of backups within that window. |
You can request earlier deletion under section 11. Some data — invoices, fraud signals — we are legally required to keep.
10 Security
We take security seriously. Our controls include:
- TLS 1.2+ for all data in transit between you, our service and our sub-processors.
- AES-256 encryption at rest for the production database and object storage.
- Passwords stored as salted bcrypt hashes. We never see your password in plain text.
- Role-based access control and per-workspace row-level security in the database.
- Multi-factor authentication for staff accessing production systems.
- Webhook signatures (HMAC-SHA256) on every inbound message from Meta.
- Daily encrypted backups and quarterly restore drills.
- Vulnerability scanning, dependency auditing and a private bug-bounty program.
No system is perfectly secure. If we discover a personal-data breach that risks your rights, we will notify the relevant supervisory authority and you, where required, within the statutory window (72 hours in the EU; 3×24 hours under UU PDP).
11 Your rights
Depending on where you live, you have some or all of the following rights:
- Access — get a copy of the personal data we hold about you.
- Correction — fix data that is wrong or incomplete.
- Deletion — ask us to erase your data, subject to legal exceptions.
- Portability — receive your data in a machine-readable format (JSON or CSV).
- Objection — object to processing based on legitimate interests, including profiling and direct marketing.
- Restriction — ask us to pause processing while a dispute is resolved.
- Withdraw consent — where we rely on consent, you can withdraw it any time.
- Lodge a complaint — with your local supervisory authority. In Indonesia this will be the agency designated under UU PDP; in the EU, your national DPA.
The fastest way to exercise most of these rights is from the Account → Privacy page in your dashboard. You can also email us at [email protected]. We respond within 30 days.
12 Cookies & tracking
Our marketing site uses a small number of cookies — strictly necessary cookies for authentication and a self-hosted analytics cookie (PostHog) that records anonymous page-view counts and feature use. We do not run third-party advertising cookies and we do not load Google Analytics on the marketing site.
The dashboard uses session cookies to keep you signed in and a small number of preference cookies (theme, locale). You can clear cookies from your browser at any time; doing so will sign you out.
We honour Global Privacy Control signals when set by your browser and treat them as an opt-out of any non-essential tracking.
13 Children
Asistn is a business tool. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please email [email protected] and we will delete it.
14 For WhatsApp users
If you sent a message to a business that uses Asistn and you are wondering what happens to it: that business is the controller of your conversation. We process your message on their behalf to help them respond — typically with an AI-drafted reply. We do not share your phone number or messages with any other business, with advertisers, or with the public.
You can ask the business to stop messaging you at any time by replying STOP or asking them directly. You can also block the number in WhatsApp.
15 Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, give you at least 14 days' notice by email or in-app banner before the new policy takes effect. Continuing to use Asistn after the effective date means you accept the updated policy.
16 Contact
Questions, concerns or rights requests — please reach out. We answer every email.