Privacy Policy & POPIA Compliance

Effective 1 June 2026 · Applies to all MoyaLinked deployments

1. Introduction

MoyaLinked ("we", "us", "our") is a self-hostable WhatsApp CRM platform. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and what rights you have over it.

We are committed to complying with South Africa's Protection of Personal Information Act 4 of 2013 (POPIA) as well as other applicable data-protection laws. Where MoyaLinked is self-hosted, the deploying organisation acts as the Responsible Party under POPIA and is responsible for ensuring lawful processing of all personal information stored in their instance.

2. Who This Policy Applies To

This policy covers three categories of people:

  • Workspace Owners — businesses or individuals who sign up for and operate a MoyaLinked instance.
  • Agents & Admins — team members invited into a workspace to manage conversations, contacts, and deals.
  • End Contacts — customers or leads whose WhatsApp messages and contact details are stored in the CRM.

3. Information We Collect

3.1 Account & Profile Data

When you create an account we collect:

  • Full name and email address
  • Password (stored as a bcrypt hash — never in plaintext)
  • Profile avatar image (optional, up to 2 MB)
  • Your role within a workspace (Owner, Admin, or Agent)

3.2 Contact & Customer Data

Workspace Owners and Agents add and receive contact records that may include:

  • Name, WhatsApp phone number, email address, company name
  • A profile avatar associated with the contact
  • User-defined custom fields (e.g. age, location, purchase history, any attribute the workspace owner chooses to record)
  • Tags and internal notes written by agents

3.3 WhatsApp Message & Conversation Data

All inbound and outbound WhatsApp messages are stored, including:

  • Message text and timestamps
  • Media attachments — images, videos, documents, audio files (via URL references)
  • Location data shared by contacts (latitude, longitude, place name)
  • Message delivery and read-receipt status
  • Emoji reactions
  • Conversation status (open / pending / closed)

3.4 WhatsApp Business API Credentials

To connect to Meta's WhatsApp Cloud API, workspace owners provide a Meta access token and webhook token. These are stored encrypted with AES-256-GCM and are never exposed to agents or third parties.

3.5 Subscription & Payment Data

If you subscribe to a paid plan, we collect billing-related data through Paystack (our payment processor):

  • Your email address and subscription plan
  • Paystack customer ID and subscription reference codes
  • Payment status and next payment date

We do not store credit card numbers. All card data is handled exclusively by Paystack in accordance with PCI-DSS standards.

3.6 Automation & Activity Logs

When automated workflows execute, we log which automation ran, which contact it affected, each step's outcome, and any error messages. These logs are used for debugging and audit purposes.

3.7 Support Ticket Data

If you submit a support request, we store your name, email address, the subject and description of your issue, and any follow-up messages between you and our support agents.

3.8 Technical & Usage Data

MoyaLinked does not use Google Analytics, Mixpanel, Sentry, or any third-party behavioural tracking tools. We do not place tracking pixels, and we do not sell usage telemetry to any party.

4. How and Why We Use Your Information

Under POPIA, personal information may only be processed if there is a lawful basis (called a "condition for lawful processing"). The table below maps each data type to its purpose and lawful basis.

Data | Purpose | Lawful Basis (POPIA)
Name, email, password | Create and secure your account | Performance of a contract
Contact records | Customer relationship management | Legitimate interest of the workspace owner
WhatsApp messages & media | Deliver, display, and archive conversations | Performance of a contract; legitimate interest
Location data | Display location messages shared by contacts | Consent (contact chose to share location in WhatsApp)
API credentials (encrypted) | Authenticate with Meta's WhatsApp Cloud API | Performance of a contract
Subscription & payment data | Manage billing, invoicing, and plan entitlements | Performance of a contract; legal obligation
Automation logs | Debugging, auditing, and platform reliability | Legitimate interest
Support ticket data | Respond to and resolve support requests | Legitimate interest; performance of a contract

5. Sharing of Personal Information

We do not sell personal information. We share data only with the following parties and only to the extent necessary:

  • Meta Platforms (WhatsApp Cloud API) — message text, phone numbers, media, and delivery-status events are transmitted to and from Meta to facilitate WhatsApp messaging. Meta's own privacy policy governs their handling of this data.
  • Paystack — email address and subscription information are shared with Paystack to process payments and manage subscriptions.
  • Supabase — if you use our hosted deployment, your data is stored in a Supabase PostgreSQL database. If you self-host, you control the database infrastructure entirely.
  • Workspace team members — agents and admins you invite to your workspace can access contacts, conversations, messages, and deals within that workspace. Access is governed by Row-Level Security policies in the database.
  • Legal obligations — we may disclose personal information if required to do so by law, court order, or regulation, or to protect the rights and safety of our users.

6. POPIA Compliance (South Africa)

The Protection of Personal Information Act 4 of 2013 (POPIA) came into full effect on 1 July 2021. It regulates how organisations collect, store, use, and share the personal information of South African residents. Below we explain how MoyaLinked aligns with each of POPIA's eight conditions for lawful processing.

6.1 Accountability

The workspace owner is the Responsible Party as defined by POPIA — they determine the purpose and means of processing personal information in their MoyaLinked instance. Where MoyaLinked (or its hosting provider) processes data on the workspace owner's behalf, it acts as an Operator.

Workspace owners must appoint an Information Officer (as required by POPIA s.55) and ensure their use of MoyaLinked complies with applicable legislation.

6.2 Processing Limitation

We only collect personal information that is adequate, relevant, and not excessive relative to the purpose. Specifically:

  • We do not collect sensitive special-category information (race, religion, health, political views, etc.) unless a workspace owner deliberately creates a custom field for it — in which case the workspace owner bears responsibility for compliance.
  • Contact data received via WhatsApp is limited to what the contact voluntarily shares in conversation.

6.3 Purpose Specification

Personal information is collected for specific, explicitly defined purposes (see Section 4 above). It is not processed in a manner incompatible with those purposes.

6.4 Further Processing Limitation

Data is not repurposed for secondary uses — for example, contact phone numbers are used solely to facilitate CRM operations within your workspace, not for external marketing by us.

6.5 Information Quality

Workspace owners and agents are responsible for ensuring the accuracy of contact records. MoyaLinked provides the ability to update or delete contact information at any time.

6.6 Openness

This Privacy Policy constitutes our notification to data subjects of how their personal information is processed. Workspace owners are responsible for informing their own contacts (data subjects) about how their WhatsApp messages and personal data are stored in the CRM, as required by POPIA s.18.

6.7 Security Safeguards

We implement the following technical safeguards:

  • Encryption at rest — Meta API tokens and webhook secrets are encrypted using AES-256-GCM.
  • Encryption in transit — all data is transmitted over TLS/HTTPS.
  • Row-Level Security (RLS) — database policies ensure users can only access data belonging to their own workspace.
  • Webhook signature verification — inbound webhooks from Meta (HMAC-SHA256) and Paystack (HMAC-SHA512) are cryptographically verified before processing.
  • Password hashing — passwords are stored as bcrypt hashes via Supabase Auth.
  • No third-party tracking — no analytics services, tracking pixels, or behavioural telemetry are used.

Despite these measures, no system is 100% secure. In the event of a data breach that poses a risk to data subjects, we will notify affected parties and the Information Regulator as required by POPIA s.22 within a reasonable timeframe.

6.8 Data Subject Participation (Your Rights)

Under POPIA, you have the following rights regarding your personal information:

  • Right of access — you may request a copy of the personal information we hold about you.
  • Right to correction — you may request that inaccurate or incomplete information be corrected.
  • Right to deletion — you may request that your personal information be deleted, subject to legal retention obligations.
  • Right to object — you may object to the processing of your personal information on grounds relating to your particular situation.
  • Right to lodge a complaint — if you believe your rights have been violated, you may lodge a complaint with the Information Regulator of South Africa: inforegulator.org.za.

To exercise any of these rights, contact us at privacy@moyalinked.app. We will respond within 30 days.

7. Data Retention

We retain personal information for as long as your account is active or as needed to provide our services. Specifically:

  • Account data — retained until you delete your account.
  • Contact records, messages, and conversations — retained indefinitely unless you delete them within the application, or request deletion via privacy@moyalinked.app.
  • Payment records — retained for 5 years as required by South African tax legislation.
  • Automation logs — retained for 90 days for debugging purposes, after which they may be purged.

When a contact is deleted, all associated records (messages, notes, custom field values, conversation history) are permanently deleted via database cascade.

8. Cross-Border Data Transfers

Your data may be transferred to and stored on servers located outside South Africa, including:

  • Meta's infrastructure (USA / EU) — for WhatsApp message delivery.
  • Supabase hosting regions — for hosted deployments; self-hosters control their own server location.
  • Paystack (Nigeria / internationally) — for payment processing.

Under POPIA s.72, transfers to countries outside South Africa are permitted where the recipient is subject to a law, binding corporate rules, or a binding agreement that upholds substantially similar principles for lawful processing. We take reasonable steps to ensure our third-party processors meet these requirements.

9. Cookies & Local Storage

MoyaLinked uses session cookies set by Supabase Auth to maintain your login state. We do not use advertising cookies, third-party tracking cookies, or fingerprinting techniques. No cookie consent banner is required beyond session management, as we process only strictly necessary cookies.

10. Children's Privacy

MoyaLinked is a business-to-business tool not directed at children. We do not knowingly collect personal information from anyone under 18 years of age. If you believe a minor's information has been submitted, please contact us at privacy@moyalinked.app and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify you by email. Continued use of MoyaLinked after the effective date constitutes acceptance of the revised policy.

12. Contact & Information Officer

For any privacy-related questions, requests, or complaints, please contact our Information Officer:

If you are not satisfied with our response, you may escalate to the Information Regulator of South Africa:

  • Website: inforegulator.org.za
  • Email: inforeg@justice.gov.za
  • Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001