Privacy Policy

1. Who we are

Duhbi LLC, a New Mexico limited liability company, with its principal place of business at 500 4th Street NW, Albuquerque, NM 87102, USA ("Duhbi", "we", "us", "our"), provides a structured WhatsApp order-intake workflow for e-commerce sellers. This Privacy Policy explains how we handle personal data when you use our website at duhbi.com, our dashboard, and the Duhbi platform.

For most data we hold about an end customer's WhatsApp messages, the seller is the data controller and Duhbi is the data processor. The seller decides why messages are sent and stored; we operate the technical infrastructure on their behalf. The accompanying Data Processing Agreement governs that relationship.

For data about sellers themselves (signup, billing, account use), Duhbi is the data controller. This policy covers both relationships.

2. What data we collect

From sellers (account holders)

Account info: name, email, phone number, business name, country.
Billing info: handled by our payment processor; we never see full card numbers.
WhatsApp Business Account info: business display name, phone number, and verification metadata, obtained through Meta's Embedded Signup.
Usage data: dashboard interactions, feature usage, IP address, browser type, session timestamps.

From the seller's end customers (processed on the seller's behalf)

WhatsApp message content: the messages your customers send and the replies generated.
Customer identifiers: WhatsApp phone number or LID (Meta privacy identifier), display name.
Order data: name, address, city, phone, items ordered, price, delivery preferences — only when the customer provides them through the workflow.
Conversation metadata: message timestamps, language, ad referral source, conversation state.

From visitors to our website

Essential cookies: session cookies needed to keep you logged in.
Analytics: aggregated, privacy-preserving page-view counts. We do not run third-party advertising trackers on duhbi.com.

3. How we use the data

To run the order-intake workflow on behalf of sellers (process messages, generate replies, log orders).
To provide the dashboard, send notifications, and trigger alerts (new orders, escalations, hot leads).
To improve the workflow's quality through aggregated, de-identified review of conversations the seller has approved for training.
To bill sellers and prevent fraud.
To comply with legal obligations and Meta's WhatsApp Business Platform policies.

We do not sell personal data, and we do not use end-customer message content for cross-tenant model training without explicit seller approval per conversation.

4. Legal basis (GDPR Art. 6)

Contract: processing necessary to deliver the service to sellers and to sellers' customers under the order workflow.
Legitimate interests: security, fraud prevention, product improvement using aggregated data.
Legal obligation: tax records, regulatory requests, abuse reporting.
Consent: for any optional marketing communications. Always revocable in one click.

5. Sub-processors

We use the following sub-processors. Each is bound by data-processing terms and only processes data on our instructions.

Sub-processor	Purpose	Region
Supabase, Inc.	Database, authentication, file storage	EU (Frankfurt)
Stripe, Inc.	Payment processing for subscriptions	USA (with SCCs)
Meta Platforms Ireland Ltd.	WhatsApp Business Platform — message delivery	EU (Ireland)
Anthropic, PBC	AI model inference for reply generation	USA (with EU SCCs)
Google LLC	Google Sheets sync (when seller enables it), Gemini AI inference	EU / USA (with SCCs)
OpenAI, L.L.C.	Voice transcription (Whisper) when audio messages are received	USA (with SCCs)
Hetzner Online GmbH	Application server hosting	EU (Germany / Finland)

The current list is also published in the Data Processing Agreement. We notify sellers in advance of any new sub-processor.

6. International transfers

Most processing happens in the EU. Where data leaves the EU (Anthropic, OpenAI, Google AI, parts of Meta), transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures (encryption in transit and at rest, access logging, data minimisation).

7. Retention

Messages and conversations: kept for as long as the seller's account is active. Sellers can delete individual conversations or wipe all data from the dashboard.
AI turn logs: automatically purged after 90 days.
Dedup logs and operational metadata: rotating windows of 7–90 days.
Account & billing records: retained for legally required periods (typically 6–10 years for tax records) after account closure.

8. Your rights (GDPR / equivalent)

Access, correct, or delete your personal data.
Object to or restrict processing.
Receive your data in a portable format.
Withdraw consent at any time (where consent is the legal basis).
Lodge a complaint with your local data protection authority.

End customers should contact the seller they messaged first — the seller is the data controller of those messages. If we cannot resolve a request through the seller, we will assist directly. Email privacy@duhbi.com.

8.1 How to request data deletion

You can request deletion of your personal data at any time. We honour deletion requests from sellers (account holders) and from end customers whose messages we process on a seller's behalf.

For sellers

Sign in to your Duhbi dashboard, go to Settings → Account → Delete account. This permanently removes your account, all conversations, leads, orders, and training data within 30 days. You can also email privacy@duhbi.com from the address registered on your account and we will process the deletion manually.

For end customers (people who messaged a seller using Duhbi)

Contact the seller you messaged first — they are the controller of the conversation and can delete it from their dashboard. If the seller cannot be reached or refuses, email privacy@duhbi.com with:

Subject line: Data Deletion Request
The phone number you used to message the seller
The seller's business name (if you remember it)

We will confirm deletion by email within 30 days. There is no fee.

What gets deleted

All messages and conversations associated with your phone number
Your name, address, and any other personal data we processed
Order records linked to your phone number (kept only as long as required by Moroccan / EU tax law, then deleted)

Some anonymised analytics (e.g., conversation counts with no identifiers) may be retained for service improvement.

8.2 California / US State Privacy Rights

Duhbi LLC is incorporated in New Mexico. Residents of certain US states have additional privacy rights under state law, including California (CCPA / CPRA), Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), and Utah (UCPA).

You have the right to:

Know what categories of personal information we collect about you, the sources, and the business purposes.
Access a copy of the personal information we hold about you.
Correct inaccurate personal information.
Delete personal information, subject to limited legal exceptions.
Opt out of the "sale" or "sharing" of personal information.
Non-discrimination — we will not deny service or charge a different price for exercising any of these rights.

Duhbi does not sell personal information and does not "share" personal information for cross-context behavioural advertising as those terms are defined under California law. We do not knowingly process the personal information of anyone under 16.

To exercise any of these rights, email privacy@duhbi.com from the email address associated with your account or include enough information for us to verify your identity. We will respond within 45 days (extendable once by 45 days if reasonably necessary).

If you believe we have not honoured a privacy right, you may complain to the California Privacy Protection Agency or your state Attorney General.

9. Security

TLS 1.2+ for all traffic.
Encryption at rest for all data stores.
AES-256-GCM for sensitive credentials (e.g., delivery carrier API keys).
Per-tenant authentication and row-level isolation.
Audit logging of admin actions.
Vulnerability disclosure: security@duhbi.com.

10. Children

Duhbi is for businesses. We do not knowingly collect personal data from anyone under 16. If we learn we have, we'll delete it.

11. Changes to this policy

We will notify sellers by email and post a notice in the dashboard at least 30 days before any material change. Continued use of Duhbi after the effective date constitutes acceptance.

12. Contact

Privacy questions: privacy@duhbi.com

Data Protection Officer: dpo@duhbi.com

Security: security@duhbi.com