Privacy Policy

Last updated: 2026-05-12

This Privacy Policy explains how YAAP ("we", "us") processes personal data of WhatsApp users ("you") who interact with merchants using the YAAP conversational commerce platform.

1. Who is the data controller

YAAP, with registered offices in Bogotá, Colombia. Privacy inquiries: admin@yaap.bot.

2. What data we process

  • Identifiers — your WhatsApp phone number and the public profile name WhatsApp shares with the business you contact.
  • Conversation content — text messages, button selections, and list selections you send to a merchant operating on YAAP.
  • Commerce data — products you view or add to a cart, orders you place, and the delivery address you provide.
  • Payment metadata — payment status, gateway reference, and amounts. We do not store card numbers; payments are processed by our payment partners (see Section 5).
  • Operational metadata — message timestamps, error logs, and aggregated usage metrics needed to operate the service.

3. Why we process it (purposes & legal basis)

  • To deliver the service you requested (contract performance) — answering your messages, generating payment links, confirming orders, sending shipping updates.
  • To prevent abuse and fraud (legitimate interest) — rate limiting, signature validation, deduplication of webhook events.
  • To comply with tax and commercial recordkeeping (legal obligation) — retaining order and invoicing data per applicable law.

4. AI processing of your messages

Your messages are processed by an AI assistant to recognize intent, search the merchant's catalog, and generate replies. We send the relevant message text and conversational context to large-language-model providers strictly to produce the response. Providers operate under their own terms and privacy commitments and are bound to act as data processors on our behalf.

5. Sub-processors and recipients

We share the minimum data necessary with the following processors so the service can function:

  • Meta Platforms, Inc. — WhatsApp Business Platform (message transport).
  • Microsoft Azure — application hosting and database.
  • Groq Inc. and/or OpenRouter — AI model inference.
  • OpenAI — embeddings used for product search.
  • Wompi (Bancolombia) — payment processing for Colombia.
  • Stripe, Inc. — payment processing for Mexico.
  • Envia.com — shipping label generation and tracking.

The merchant you contact (the business operating its WhatsApp number on YAAP) is an independent data controller for the order and fulfillment data you share with them.

6. International transfers

Some sub-processors are located outside Colombia and Mexico. Where applicable we rely on contractual data-protection clauses or equivalent safeguards as required by Colombian Law 1581/2012 and Mexico's LFPDPPP.

7. Retention

  • Conversation messages: up to 24 months from your last interaction.
  • Order and invoice records: up to 5 years (or longer where required by tax law).
  • Operational logs: up to 30 days.

8. Your rights

You may access, rectify, delete, restrict processing, or export your personal data. To exercise these rights, write to admin@yaap.bot from the phone you used to message the merchant, including the merchant name and the action you want taken. We respond within 15 business days.

See Data Deletion for the deletion process specifically.

9. Security

We use TLS in transit, encrypted database storage at rest, role-based access control, and per-tenant token encryption (AES-256) for the WhatsApp credentials each merchant entrusts to us.

10. Children

The service is not directed at children under 13. Do not use the service if you are under the minimum age permitted in your jurisdiction.

11. Changes to this policy

We will update this page when our practices change and revise the "Last updated" date at the top.

12. Contact

Questions or complaints: admin@yaap.bot. You may also lodge a complaint with the Superintendencia de Industria y Comercio (Colombia) or the INAI (Mexico).