Tefa AI

TEFA AI WhatsApp Business Automation Platform

Privacy Policy

Last Updated: August 2025

TEFA AI, operated by a legal entity with NIT 901652038, is a WhatsApp Business API automation platform that enables companies to manage customer conversations through AI-powered chatbots and automated messaging. This Privacy Policy explains how we collect, use, store, and protect information when you use our platform, including through the WhatsApp Business API.

By using TEFA AI, you agree to the practices described in this policy. If you do not agree, please discontinue use of our platform.

1. Information We Collect

1.1 Information from Business Clients

When businesses register and use our platform, we collect:

  • Business name, legal entity, and NIT or tax identification number
  • Contact information: email address, phone number, and name of account administrators
  • WhatsApp Business Account (WABA) credentials and configuration data
  • Meta Business Manager ID and associated application identifiers

1.2 Information from End Users (via WhatsApp)

When end users interact with a business through our platform via WhatsApp, we may process:

  • WhatsApp phone number and display name
  • Message content: text, images, documents, audio, and other media shared in conversations
  • Conversation history and interaction timestamps
  • Message delivery and read status

1.3 Automatically Collected Data

  • API usage logs and request metadata
  • Webhook event data received from Meta's WhatsApp Business Platform
  • Error logs and diagnostic information for platform stability

2. How We Use the Information

We use collected information for the following purposes:

  • Platform operation: To provide, maintain, and improve our WhatsApp automation services.
  • Message processing: To route, deliver, and store messages between businesses and their customers via the WhatsApp Business API.
  • Chatbot functionality: To process conversation content and generate automated responses based on configured workflows.
  • Account management: To manage business client accounts, billing, and technical support.
  • Compliance and security: To detect fraud, abuse, or violations of our terms of service and Meta's policies.
  • Analytics: To generate anonymized usage statistics that help us improve platform performance.
  • Legal obligations: To comply with applicable laws and respond to lawful requests from authorities.

We do not sell, rent, or trade personal data to third parties for advertising or marketing purposes.

3. Legal Basis for Processing

We process personal data based on the following legal grounds:

  • Contractual necessity: Processing required to fulfill our service agreement with business clients.
  • Legitimate interests: To operate, maintain, and improve the platform in ways that do not override users' privacy rights.
  • Legal compliance: Where required by applicable law in Colombia, the United States, or other jurisdictions where we operate.
  • Consent: For processing not covered by the above, we obtain explicit consent from the relevant party.

4. WhatsApp Business API and Meta

TEFA AI operates as a technology provider using the WhatsApp Business API, hosted by Meta Platforms, Inc. As a result, message data transmitted through our platform also passes through Meta's infrastructure. Meta's own privacy policy governs how Meta processes this data. We encourage users to review Meta's Privacy Policy.

Our platform connects client WhatsApp Business Accounts to our servers via API integrations authorized by the business client. We act as a data processor on behalf of our business clients, who are the data controllers for conversations with their end customers.

5. Data Sharing and Third Parties

We share data only in the following circumstances:

  • With Meta: Message routing through the WhatsApp Business API requires transmitting data to Meta's servers.
  • With cloud infrastructure providers: We use AWS (Amazon Web Services) for hosting and data storage. These providers are bound by confidentiality obligations.
  • With business clients: We provide business clients access to conversation data generated through their own WhatsApp channels.
  • For legal reasons: If required by law, court order, or governmental authority.
  • Business transfers: In the event of a merger, acquisition, or asset sale, data may be transferred subject to equivalent privacy protections.

6. Data Retention

We retain business client data for the duration of the service agreement and for up to 12 months after account termination, unless a longer retention period is required by law. Conversation data (messages) is retained for the period configured by each business client, with a default of 90 days. Clients may request earlier deletion.

After the retention period, data is securely deleted or anonymized from our systems.

7. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit using TLS/HTTPS for all API communications
  • Encryption at rest for stored data on our cloud infrastructure
  • Role-based access controls limiting who can access data internally
  • Regular security audits and vulnerability assessments
  • Secure token management for API credentials

Despite these measures, no system is 100% secure. We will notify affected clients promptly in the event of a confirmed data breach.

8. User Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to certain types of processing, including processing based on legitimate interests.
  • Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at privacy@tefa.ai. We will respond within 15 business days.

9. Cookies and Tracking

Our web platform (tefa.ai) may use cookies and similar technologies for authentication, session management, and analytics. We do not use cookies for cross-site advertising tracking. You may configure your browser to reject cookies, though some features of the platform may not function correctly as a result.

10. International Data Transfers

TEFA AI operates in Colombia and the United States. Data may be processed and stored on servers located in the United States (AWS infrastructure). When transferring data internationally, we ensure adequate safeguards are in place in accordance with applicable data protection laws, including Colombia's Law 1581 of 2012 (Habeas Data).

11. Children's Privacy

Our platform is intended for business use only and is not directed at children under the age of 13. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected such data, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify business clients via email or through the platform. The date of the most recent revision is indicated at the top of this document. Continued use of our platform after changes constitutes acceptance of the updated policy.

13. Contact Information

For questions, requests, or complaints regarding this Privacy Policy, please contact us:

This Privacy Policy was prepared in accordance with Colombia's Law 1581 of 2012 on personal data protection, and is intended to comply with Meta's requirements for WhatsApp Business Platform access.