Privacy Policy

Last Updated: January 2025

1. Introduction

ObisDevs ("we", "us", or "our") operates SalesUp (https://salesup.space), an enterprise-grade WhatsApp AI automation platform. This Privacy Policy explains how we collect, use, disclose, and protect your personal data in compliance with the Nigeria Data Protection Act 2023 (NDPA), Nigeria Data Protection Commission (NDPC) regulations, and the General Data Protection Regulation (GDPR).

By using SalesUp, you consent to the data practices described in this policy.

2. Data Controller and Processor Roles

2.1 Our Role: ObisDevs acts as a Data Controller for your account information and as a Data Processor for your customers' data that you process through our Service.

2.2 Your Role: When you use SalesUp to communicate with your customers, you act as a Data Controller for your customers' personal data. You are responsible for obtaining proper consent and complying with NDPA requirements.

3. Information We Collect

3.1 Account Information:

  • Email address
  • Password (encrypted with bcrypt)
  • Business name and contact information
  • Payment information (processed by Paystack; we store only transaction references)

3.2 Service Usage Data:

  • WhatsApp session information and QR codes
  • Knowledge base documents and embeddings
  • Product catalog data and images
  • Bot configuration settings (temperature, personality, prompts)
  • Message metadata (timestamps, message IDs, delivery status) - content is HMAC-encrypted
  • API usage statistics and performance metrics

3.3 Customer Data (Processed on Your Behalf):

  • WhatsApp phone numbers of your customers
  • Message metadata (timestamps, interaction patterns, delivery status)
  • Important: Customer message content is transmitted with HMAC-SHA256 encryption and processed in real-time. We do not store plaintext message content, only encrypted metadata for analytics and system functionality.

3.4 Technical Data:

  • IP addresses and device information
  • Browser type and version
  • Session cookies and authentication tokens
  • Error logs and diagnostic information

4. How We Use Your Information

4.1 Service Provision:

  • Authenticate and manage your account
  • Process WhatsApp messages and generate AI responses
  • Store and retrieve knowledge base content for RAG functionality
  • Manage product catalogs and send product information
  • Process payments and manage subscriptions

4.2 Service Improvement:

  • Monitor system performance and uptime
  • Analyze usage patterns to improve features
  • Debug errors and technical issues
  • Develop new features and enhancements

4.3 Communication:

  • Send transactional emails (welcome, payment confirmations, expiry warnings)
  • Provide customer support and respond to inquiries
  • Send service updates and important notices
  • Send weekly activity summaries (if opted in)

4.4 Legal Compliance:

  • Comply with NDPA, GDPR, and other applicable laws
  • Respond to legal requests and prevent fraud
  • Enforce our Terms of Service

5. Legal Basis for Processing (NDPA & GDPR)

We process your personal data based on the following legal grounds:

  • Consent: You provide explicit consent when creating an account and accepting our Terms
  • Contract Performance: Processing is necessary to provide the Service you subscribed to
  • Legitimate Interests: We process data to improve our Service, prevent fraud, and ensure security
  • Legal Obligation: We process data to comply with Nigerian laws and regulations

6. Data Security Measures

We implement industry-standard security measures to protect your data:

6.1 Encryption:

  • SSL/TLS: All data in transit is encrypted using TLS 1.2+ protocols
  • AES-256: Sensitive data at rest is encrypted with AES-256 encryption
  • Password Hashing: Passwords are hashed using bcrypt with salt

6.2 Access Controls:

  • JWT Authentication: Secure session management with JSON Web Tokens
  • Row-Level Security (RLS): Database policies ensure users can only access their own data
  • HMAC Verification: Webhook requests are verified using HMAC-SHA256 signatures
  • API Rate Limiting: Protection against brute force and DDoS attacks

6.3 Infrastructure Security:

  • Hosted on secure cloud infrastructure (Vercel, Supabase)
  • Regular security updates and patches
  • Automated backups and disaster recovery
  • Continuous monitoring and intrusion detection

7. Data Sharing and Third-Party Services

We share your data only with trusted third-party service providers necessary to operate the Service:

7.1 Essential Service Providers:

  • Supabase (PostgreSQL): Database hosting and authentication (USA, GDPR-compliant)
  • Vercel: Application hosting and CDN (USA, GDPR-compliant)
  • Pinecone: Vector database for RAG functionality (USA, GDPR-compliant)
  • OpenAI: AI language models for response generation (USA, GDPR-compliant)
  • Paystack: Payment processing (Nigeria, licensed by CBN)
  • ImproveMax: Email delivery service

7.2 Data Processing Agreements: All third-party processors are bound by data processing agreements that comply with NDPA and GDPR requirements.

7.3 No Data Selling: We do not sell, rent, or trade your personal data to third parties for marketing purposes.

8. International Data Transfers

8.1 Cross-Border Transfers: Some of our service providers are located outside Nigeria (primarily in the USA and EU). We ensure adequate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by NDPC
  • GDPR-compliant data processing agreements
  • Encryption of data in transit and at rest

8.2 Your Consent: By using SalesUp, you consent to the transfer of your data to these jurisdictions under the safeguards described above.

9. Your Data Rights (NDPA & GDPR)

Under NDPA and GDPR, you have the following rights:

9.1 Right to Access: Request a copy of all personal data we hold about you.

9.2 Right to Rectification: Request correction of inaccurate or incomplete data.

9.3 Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.

9.4 Right to Data Portability: Receive your data in a structured, machine-readable format (JSON/CSV).

9.5 Right to Restrict Processing: Request limitation of how we process your data.

9.6 Right to Object: Object to processing based on legitimate interests or for direct marketing.

9.7 Right to Withdraw Consent: Withdraw consent at any time (does not affect prior processing).

9.8 Right to Lodge a Complaint: File a complaint with the Nigeria Data Protection Commission (NDPC) at https://ndpc.gov.ng

To exercise these rights, contact us at: support@salesup.space

10. Data Retention

10.1 Active Accounts: We retain your data for as long as your account is active and for the duration of your subscription.

10.2 Terminated Accounts: After account termination, we retain data for 30 days to allow for account recovery, then permanently delete it unless:

  • Required by Nigerian law (e.g., tax records for 6 years)
  • Necessary for legal claims or disputes
  • Needed for fraud prevention and security

10.3 Backup Retention: Encrypted backups are retained for 90 days for disaster recovery purposes.

10.4 Anonymized Data: We may retain anonymized, aggregated data indefinitely for analytics and research.

11. Cookies and Tracking Technologies

11.1 Essential Cookies: We use cookies necessary for authentication and session management:

  • Authentication tokens (JWT)
  • Session identifiers
  • Security tokens (CSRF protection)

11.2 No Third-Party Tracking: We do not use third-party analytics or advertising cookies.

11.3 Cookie Control: You can disable cookies in your browser settings, but this may affect Service functionality.

12. Email Communications and Preferences

12.1 Transactional Emails: We send essential emails (account verification, payment confirmations, security alerts) that you cannot opt out of.

12.2 Marketing Emails: We send weekly activity summaries and product updates. You can opt out at any time:

  • Click "Unsubscribe" in any marketing email
  • Manage preferences in your account settings
  • Contact support@salesup.space

13. Children's Privacy

SalesUp is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we discover that a child has provided us with personal data, we will delete it immediately. If you believe a child has provided us with personal data, contact us at support@salesup.space

14. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Nigeria Data Protection Commission (NDPC) within 72 hours
  • Notify affected users via email without undue delay
  • Provide details of the breach, potential impact, and remedial actions
  • Take immediate steps to contain and remediate the breach

15. AI and Automated Decision-Making

15.1 AI Processing: SalesUp uses AI models (OpenAI GPT, Anthropic Claude, Google Gemini) to generate customer responses. These are automated processes, but you maintain control over:

  • AI model selection and temperature settings
  • Knowledge base content that informs AI responses
  • Bot personality and response guidelines
  • Ability to review and override AI-generated content

15.2 No Profiling: We do not use AI for automated decision-making that produces legal effects or significantly affects individuals without human oversight.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will:

  • Notify you via email at least 30 days before material changes take effect
  • Update the "Last Updated" date at the top of this policy
  • Post a notice on our website and dashboard

Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

17. Contact Information

Data Protection Officer:

  • Email: support@salesup.space
  • General Inquiries: hello@salesup.space
  • Website: https://salesup.space

Nigeria Data Protection Commission:

  • Website: https://ndpc.gov.ng
  • Email: info@ndpc.gov.ng

18. Consent and Acknowledgment

By using SalesUp, you acknowledge that you have read, understood, and agree to this Privacy Policy. You consent to the collection, use, and processing of your personal data as described herein.