Privacy Policy

Last updated: June 2026

This Privacy Policy describes how Desk 24/7 ("we", "us", "our") collects, uses, discloses, and manages information — including data accessed via the WhatsApp Business Platform — when you use our service at app.desk-247.com or our marketing website at desk-247.com. By using Desk 24/7 you agree to the practices described here.

About our app and its use of the WhatsApp Business Platform

Desk 24/7 is a WhatsApp-native CRM platform for small businesses. We integrate with the WhatsApp Business Platform (Cloud API) operated by Meta Platforms, Inc. to provide a shared inbox, booking management, and automated messaging on behalf of businesses that connect their WhatsApp Business Account (WABA) to our service.

Through this integration we access the following WhatsApp Business Platform data, strictly on behalf of the business that has authorised the connection:

  • Inbound and outbound messages — message content, sender and recipient phone numbers, timestamps, message IDs, media attachments, and delivery status updates received via Meta webhooks.
  • Message history — up to 180 days of historical 1-to-1 chat delivered by Meta on first connect via History webhooks.
  • Message template data — template names, languages, categories, component content, review status, and quality scores received via Meta's message_template_* webhooks after templates are submitted for Meta's review.
  • WhatsApp Business Account metadata — WABA ID, phone number ID, and account status changes received via account_update webhooks.

How we use WhatsApp Business Platform data

Data accessed through the WhatsApp Business Platform is used solely to provide the features the business has enabled. Specifically, we use it to:

  • Display inbound and outbound messages in the business's shared inbox and deliver them to the correct staff in real time.
  • Enable staff to send replies and outbound messages to customers through the business's WhatsApp number.
  • Power the automated bot trigger system (e.g. /start), which responds to customer-initiated keywords with a configurable welcome message and booking CTAs.
  • Manage the booking lifecycle — recognising customer intents from messages, creating and updating bookings, and sending booking confirmations and reminders.
  • Track each customer's 24-hour user-initiated messaging session so the business knows when a message is free to send versus subject to a Meta-billed template charge.
  • Submit, update, and delete WhatsApp message templates on the business's behalf via the Meta Graph API, and reflect Meta's review decisions in the dashboard.
  • Detect and reconnect the WABA if the business's WhatsApp connection status changes.
  • Provide inbox and session analytics to help the business understand customer engagement and plan broadcast campaigns within their open session windows.

We do not use WhatsApp Business Platform data to:

  • Train machine learning or AI models.
  • Serve advertisements or build advertising profiles.
  • Profile end customers for purposes beyond delivering the business's own CRM and booking features.
  • Share or sell data to data brokers, advertisers, or any third party for their own independent use.

Other information we collect

  • Account data — name, email address, hashed password, and Google Sign-In identity when business staff register.
  • Business profile — business name, timezone, logo, subscription plan, and WABA details entered during onboarding.
  • Booking data — customer name, phone, email, appointment time, service, notes, and booking status created through the WhatsApp booking flow or the dashboard.
  • Service configuration — service names, descriptions, availability schedules, and bot CTA text entered by business staff.
  • Usage and analytics data — inbox activity, session windows, booking metrics, and broadcast engagement generated as the platform operates.
  • Contact form submissions — name, email, and message content submitted via the desk-247.com marketing site.
  • Technical data — IP address, browser type, error logs, and API request metadata collected automatically.

Disclosure and third-party sharing

We disclose data only to the third-party providers strictly required to operate the platform:

  • Meta Platforms, Inc. — WhatsApp Cloud API for message delivery and template submission. Data sent to Meta is governed by Meta's Privacy Policy and the WhatsApp Business Terms.
  • Amazon Web Services — cloud infrastructure (RDS, DynamoDB, S3, EC2, CloudWatch) for storage and compute. Data is processed within AWS under our control.
  • SendGrid (Twilio) — transactional email delivery for booking confirmations, reminders, and staff verification emails.
  • Google — Google Sign-In for staff authentication via OAuth 2.0. We receive only a verified email address and do not access any other Google account data.
  • HitPay (planned) — payment processing for booking deposits. Payment card data will never transit Desk 24/7 servers.

We do not sell, rent, license, or trade personal data or WhatsApp Business Platform data to any third party. We do not share data with advertising networks. We may disclose data if required by applicable law, a valid court order, or to protect the legal rights or safety of our users or the public.

Data storage and security

WhatsApp message data is stored in Amazon DynamoDB. Business configuration, staff accounts, and booking records are stored in Amazon RDS. Conversation previews and session state are cached ephemerally in Redis with automatic expiry. All data is held within AWS infrastructure.

We protect data through the following measures:

  • All data in transit is encrypted with TLS. AWS services use encryption at rest.
  • WhatsApp access tokens are stored server-side only (encrypted in the database and Redis) and are never placed in client-side tokens, API responses, or logs.
  • Staff passwords are stored as bcrypt hashes and never in plaintext.
  • Application secrets are loaded at runtime from AWS SSM Parameter Store — no credentials are hardcoded or stored in the application environment.
  • Staff dashboard access requires email verification and an authenticated session.
  • Failed event processing is routed to dead-letter topics so no data is silently lost.

Data retention and deletion

  • WhatsApp messages — retained for the business's configured retention window. Messages deleted by the sender on WhatsApp are flagged and their content removed from our store; edited messages are updated to reflect the latest content.
  • Booking records — retained for the duration of the business's active subscription and a reasonable period thereafter for audit purposes.
  • Staff account data — retained while the account is active and deleted within 30 days of a verified closure request.
  • Session cache and conversation previews — held in Redis with a time-to-live; automatically evicted when inactive.
  • Logs and analytics — retained for up to 90 days for operational troubleshooting.

Business owners may request deletion of all their business data — including WhatsApp message history, booking records, and account information — by emailing [email protected]. We will complete deletion within 30 days, except where retention is required by applicable law. End customers who wish to have their data removed should contact the business directly; we will fulfil deletion requests made by businesses on behalf of their customers.

Your rights

Business users and, where applicable, end customers may have the right under applicable law to access, correct, delete, restrict, or receive a portable copy of their personal data, or to object to or withdraw consent for certain processing. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Cookies

The marketing site (desk-247.com) uses only essential cookies required for the contact form and basic site operation — no advertising or tracking cookies. The dashboard (app.desk-247.com) uses first-party session cookies and local storage to maintain authenticated sessions and UI preferences. Google Sign-In may set cookies governed by Google's Privacy Policy.

Changes to this policy

We may update this policy from time to time. Material changes will be reflected in the updated date above and, where appropriate, communicated to business account holders by email. Continued use of the platform after a change constitutes acceptance of the revised policy.

Contact

Questions about this policy or requests regarding your data? Email [email protected].