Privacy Policy
This Privacy Policy describes the information handling practices applicable to Attio WhatsApp Sync, including our websites, application interfaces, APIs, connected services, customer support interactions, operational security functions, billing flows, and related business activities that reference or incorporate this Privacy Policy (collectively, the "Service"). This document is intended to operate as a global baseline notice and, to the extent required by applicable law, a supplemental regional notice for individuals located in, or whose personal data is otherwise regulated by, jurisdictions including the European Economic Area ("EEA"), the United Kingdom ("UK"), Switzerland, the United States, Brazil, Mexico, Argentina, Colombia, and other jurisdictions with materially analogous data protection or consumer privacy requirements.
Because the Service is designed to connect business communication systems with customer relationship management workflows, our role can vary depending on the context. In many circumstances, a customer using the Service determines which contacts, conversations, attributes, records, or workspaces are connected, and we process that information on the customer's behalf. In other circumstances, we independently determine the purposes and means of processing for account administration, fraud prevention, billing, product analytics, service improvement, legal compliance, security monitoring, and dispute management. When applicable law draws distinctions among concepts such as "controller," "processor," "business," "service provider," "operator," "responsável," "operador," "responsable," and "encargado," those distinctions will apply according to the facts of the relevant processing activity.
1. Scope, Applicability, and Interpretive Priority
This Privacy Policy applies to personal data, personal information, or equivalent legally protected information that we collect, use, disclose, transmit, store, analyze, secure, or otherwise process in connection with the Service. It does not apply to information that has been irreversibly anonymized or de-identified in accordance with applicable law, or to data processed exclusively by third-party platforms under their own independent terms and notices where we do not receive or control that information.
If you are using the Service through an organization, workspace, employer, agency, or principal account holder, that organization may separately control your use of the Service and may provide independent notices, policies, contractual instructions, or acceptable-use requirements. In the event of a conflict between this Privacy Policy and a separate written data processing addendum or other negotiated agreement between us and a customer, the negotiated agreement will control to the extent of the conflict with respect to customer-controlled data, except where applicable law requires a different result.
2. Categories of Information We Process
Depending on the manner in which the Service is configured and used, we may process the following categories of information:
- Account, identity, and contact data, including names, business email addresses, phone numbers, session identifiers, team membership data, invite metadata, authentication tokens, and account administration records.
- Integration and credential data, including credentials, tokens, encrypted connection state, scoped API permissions, device linkage state, refresh or verification artifacts, and other technical information required to establish, maintain, secure, or terminate connections between the Service and supported third-party systems.
- Communications and CRM-linked data, including message text, timestamps, directionality, associated contact names, phone identifiers, note metadata, conversation linkage data, selected groups, filtering preferences, and related synchronization outputs written to or read from customer systems.
- Transactional and commercial data, including plan status, subscription or billing metadata, payment processor references, service configuration choices, and customer support or contractual records.
- Device, network, and usage data, including IP address, approximate geolocation inferred from network metadata, browser or operating system information, diagnostic logs, error traces, webhook payload metadata, routing data, security events, and product interaction telemetry.
- Support, feedback, and operational communications, including inquiries, support tickets, product feedback, survey-style submissions, complaint records, and follow-up correspondence.
- Sensitive or special-category information, only to the extent that such information is embedded in customer communications, imported customer records, or support materials that a customer or user elects to process through the Service. We do not intentionally require special-category or sensitive personal data for the ordinary consumer-facing operation of the Service and ask customers not to use the Service for regulated or high-risk processing unless they have independently determined the Service is appropriate and lawful for that use case.
3. Sources of Information
We may collect information directly from you, from the organization that provides your access to the Service, and from connected third-party platforms such as Attio, WhatsApp-related integrations, Meta, payment processors, support channels, analytics tools, infrastructure providers, and security or anti-abuse systems. We may also derive information from raw operational events, customer configurations, synchronization outcomes, service logs, and integrity checks used to determine connection health, billing status, and access rights.
4. Purposes of Processing and Legal Bases
Subject to applicable law, we process information for the following purposes:
- To provision, authenticate, operate, maintain, troubleshoot, and improve the Service.
- To connect, synchronize, format, transmit, receive, reconcile, or present communications and CRM-related records across integrated systems.
- To administer accounts, team access, settings, support requests, invoices, subscriptions, and business relationships.
- To secure the Service, detect or prevent misuse, fraud, spam, abuse, unauthorized access, unlawful conduct, policy violations, and operational failures.
- To analyze product usage, service quality, performance, and reliability, including through session replay, diagnostics, logging, and analytics technologies used to understand feature adoption and product issues.
- To comply with legal obligations, respond to lawful requests, establish or defend legal claims, enforce contracts, and preserve evidence.
Where the GDPR, UK GDPR, Swiss data protection rules, LGPD, or similar laws apply, the legal bases for the above processing may include: performance of a contract; taking steps at your request before entering into a contract; compliance with legal obligations; our legitimate interests or the legitimate interests of our customers, users, and counterparties in secure, auditable, and reliable business communications and CRM operations; and, where required, consent. If we rely on consent, you may withdraw it at any time, although that will not affect the lawfulness of processing before withdrawal and may not affect processing carried out on another lawful basis.
5. Disclosures to Third Parties
We may disclose information to the following categories of recipients, subject to applicable law and appropriate contractual or statutory safeguards:
- Hosting, cloud, storage, observability, security, customer support, email, and infrastructure vendors that help us operate the Service.
- Integrated third-party platforms designated by the customer or necessary to provide the Service, including CRM systems, messaging-related providers, and payment processors.
- Professional advisers, auditors, insurers, financing sources, legal counsel, and potential acquirers in connection with corporate transactions, diligence, or risk management.
- Governmental authorities, regulators, courts, law enforcement, or counterparties where disclosure is required or reasonably necessary to comply with law, protect rights, or prevent harm.
- Other parties at your direction or with your authorization.
We do not represent that every disclosure will be characterized identically under every statute. To the extent a particular U.S. state law, consumer privacy framework, or similar regime treats a disclosure differently than we do for ordinary commercial purposes, we will interpret and address the disclosure as required by the applicable law governing that processing activity.
6. International Data Transfers
The Service may involve cross-border processing and storage of personal data in jurisdictions other than the jurisdiction in which the data originated. Where required by applicable law, we implement transfer mechanisms intended to provide an adequate level of protection, which may include adequacy decisions, standard contractual clauses approved by the European Commission, the UK International Data Transfer Agreement or the UK Addendum, and other lawfully recognized mechanisms, assessments, or supplementary measures. Operational necessity alone does not eliminate transfer compliance obligations; accordingly, transfer practices may be adapted over time to reflect regulatory developments, vendor changes, or new guidance.
7. Retention
We retain personal data for the period reasonably necessary to fulfill the purposes described in this Privacy Policy, including to maintain active integrations, preserve synchronized records that the customer has chosen to create, troubleshoot service incidents, maintain security and audit integrity, comply with tax and accounting obligations, defend or resolve disputes, and meet legal or regulatory requirements. Retention periods vary based on the nature of the data, the sensitivity of the processing, the contractual relationship, the existence of litigation or investigations, and the feasibility of deletion or de-identification without undermining service integrity, security, or evidentiary obligations.
8. Security
We use administrative, technical, organizational, and physical safeguards designed to reduce the risk of unauthorized access, destruction, loss, alteration, disclosure, or misuse of data. These safeguards may include encryption in transit and at rest where applicable, access controls, segmentation, credential handling protections, logging, rate limiting, change management, secure development practices, and incident response procedures. No method of transmission, storage, or processing is absolutely secure, and therefore we cannot guarantee absolute security.
9. Children and Restricted Uses
The Service is intended for business and professional use and is not directed to children. We do not knowingly market the Service to children or intentionally collect personal information directly from children in a manner that would trigger child-specific consent or notice obligations. Customers remain responsible for evaluating whether the Service is suitable for their own industry, sector, or regulated use cases, including healthcare, financial services, employment, minors' data, or other high-risk categories.
10. Automated Decision-Making and Profiling
The Service may use rules-based automation, filtering logic, deduplication, matching heuristics, synchronization conditions, and operational diagnostics to route records, suppress configured content, or determine whether particular messages or records should be synchronized, displayed, retried, or blocked. We do not describe these functions as decisions producing legal or similarly significant effects on individuals for purposes of applicable privacy laws unless and until a particular deployment context, customer workflow, or law requires that characterization.
11. Regional Notices and Supplemental Rights
EEA, UK, and Switzerland
Individuals in the EEA, UK, and Switzerland may have rights, subject to legal limitations and exemptions, including the right to request access to personal data; rectification of inaccurate or incomplete personal data; erasure; restriction of processing; objection to processing based on legitimate interests or direct marketing; data portability in a structured, commonly used, and machine-readable format where applicable; withdrawal of consent; and complaint to a competent supervisory authority. Where we process customer-controlled data solely on behalf of a customer, we may refer the request to the relevant customer or require the request to be submitted through the customer.
If the GDPR or UK GDPR applies, we may rely on Article 6(1)(b), 6(1)(c), 6(1)(f), and, where necessary, 6(1)(a) legal bases or their local analogues. Where international transfers are restricted, we may rely on adequacy, SCCs, the UK Addendum, the UK IDTA, or other recognized safeguards, together with supplementary measures where appropriate.
United States
Residents of certain U.S. states may have rights under applicable state privacy laws, including rights to know or confirm whether personal information is processed; access specific pieces or categories of personal information; correct inaccuracies; delete personal information; obtain portable copies of certain personal information; opt out of certain processing for targeted advertising, sale, sharing, or profiling in furtherance of decisions producing legal or similarly significant effects; appeal a refusal of a request where such appeal rights apply; and exercise rights through an authorized agent where permitted by law. Rights, exceptions, definitions, and verification standards vary materially by state, and some rights may not apply to all data categories or all users.
We do not state that every disclosure, analytics event, or operational transfer is exempt from every statutory definition of "sale," "sharing," or "targeted advertising" in every state. Instead, we evaluate those concepts according to the applicable law governing the relevant processing context and will handle verified requests accordingly. We do not discriminate unlawfully against individuals for exercising applicable privacy rights.
Brazil
To the extent the LGPD applies, titulares may have rights including confirmation of the existence of processing, access, correction of incomplete, inaccurate, or outdated data, anonymization, blocking or deletion of unnecessary or excessive data or data processed in non-compliance with the LGPD, portability where applicable, deletion of personal data processed with consent, information about public and private entities with which data has been shared, information about the possibility of denying consent and the consequences of such denial, revocation of consent, and petition to the ANPD, subject to legal limitations and operational feasibility.
Mexico
Where Mexican privacy law applies, individuals may have ARCO rights (access, rectification, cancellation, and opposition), as well as rights to revoke consent or limit the use or disclosure of personal data, subject to applicable legal conditions, identity verification, and exceptions. Requests should clearly describe the right being exercised and provide sufficient information to locate the relevant records.
Argentina, Colombia, and Other LATAM Jurisdictions
Depending on the applicable law, individuals in Argentina, Colombia, and other Latin American jurisdictions may have rights to be informed, access, update, rectify, suppress, object to, or otherwise contest the processing of personal data, as well as rights associated with habeas data or local data protection procedures. If a local law grants a broader or more specific right than this notice expressly describes, we will interpret this Privacy Policy in a manner intended to preserve that non-waivable right.
12. How to Exercise Privacy Rights
To submit a privacy request, contact hello@appstronauts.shop. We may request additional information to verify identity, authority, residency, or the scope of the request. We may deny, limit, or defer a request to the extent permitted by applicable law, including where we cannot verify identity, where the request is manifestly unfounded or excessive, where disclosure would adversely affect the rights of another person, where an exemption applies, or where we act solely on behalf of a customer and the request must be directed to that customer. If applicable law grants a right to appeal a denial, we will provide information about that process in our response.
13. Changes to This Privacy Policy
We may revise this Privacy Policy from time to time to reflect changes in the Service, legal requirements, vendor relationships, operational practices, or regulatory guidance. The version posted on this page will include an updated effective date. Material changes may be communicated through the Service, by email, or through other appropriate means where required by law.
14. Contact Information
Privacy-related inquiries, verified rights requests, complaints, or questions about this Privacy Policy may be directed to hello@appstronauts.shop.
Last Updated: March 14, 2026