Privacy Policy
Last updated: April 5, 2026
1. Introduction
BulkWA ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application at bulkwa.app ("the Service"). BulkWA is a WhatsApp bulk messaging platform that enables businesses and individuals to send personalized messages at scale using their own WhatsApp accounts.
By accessing or using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address, full name, and a password (hashed, never stored in plaintext). If you sign up with Google OAuth, we receive your name, email, and profile photo from Google. We use this information solely to authenticate you and provide the Service.
2.2 Contact Data
When you upload spreadsheets (CSV, Excel, Google Sheets), we store the contact data including phone numbers, names, and any additional fields from your file. This data is associated with your account and is not shared with other users. You are responsible for ensuring you have obtained proper consent from individuals whose data you upload.
2.3 WhatsApp Session Data
When you connect your WhatsApp account by scanning a QR code, we store encrypted session credentials necessary to maintain your connection. We do not store your WhatsApp password. Your WhatsApp session data is encrypted at rest using industry-standard encryption (AES-256). Session credentials are automatically deleted when you disconnect your WhatsApp account.
2.4 Message Content and Delivery Data
We store records of messages you send through BulkWA, including message content, message templates, recipient phone numbers, delivery status, timestamps, and campaign metadata. Incoming replies are also stored to power the reply inbox feature. Message content is used solely to deliver your messages and provide delivery reporting.
2.5 Payment Information
Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other sensitive financial information on our servers. We store only your Stripe customer ID, subscription plan, and subscription status to manage your account.
2.6 Usage and Analytics Data
We automatically collect information about how you interact with the Service, including IP addresses, browser type and version, device type, operating system, pages visited, feature usage, campaign performance metrics, and error logs. This helps us improve the product, diagnose technical issues, and understand usage patterns.
2.7 Cookies and Similar Technologies
We use essential cookies required for authentication and session management. These cookies are strictly necessary for the Service to function and cannot be disabled. We do not use third-party advertising cookies or cross-site tracking technologies. See Section 8 for more details.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, maintain, and improve the Service
- To process your transactions and manage your subscription
- To deliver WhatsApp messages on your behalf and report delivery status
- To send transactional emails (welcome messages, security alerts, billing notifications, and service updates)
- To monitor and enforce our Terms of Service and Acceptable Use Policy
- To respond to your support requests and communicate with you
- To detect, investigate, and prevent fraud, abuse, or unauthorized access
- To analyze usage patterns and improve user experience
- To comply with legal obligations, resolve disputes, and enforce agreements
We do not use your personal data for automated decision-making or profiling that produces legal effects.
4. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We share information only with the following third-party service providers who process data on our behalf:
- Supabase -- for database hosting, authentication, and file storage. Your account data, contact lists, and message records are stored in Supabase-managed PostgreSQL databases.
- Stripe -- for payment processing. Stripe receives your payment method details directly and processes all billing transactions. We never see or store your full card number.
- Resend -- for transactional email delivery. Resend receives your email address to deliver account notifications, billing receipts, and service alerts.
- WhatsApp (via Baileys library) -- for message delivery. Message content and recipient phone numbers are transmitted to WhatsApp servers for delivery to your recipients. BulkWA uses the open-source Baileys library to interface with WhatsApp Web protocols.
We may also disclose your information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit using TLS/SSL for all data transfers
- Encryption at rest for WhatsApp session credentials (AES-256)
- Secure password hashing using bcrypt
- Role-based access controls for internal systems
- Regular security reviews and updates
- Automatic session expiration and logout
However, no method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
6. Data Retention and Deletion
We retain your data according to the following schedule:
- Account data: retained for as long as your account is active and for 30 days after account deletion
- Message history: retained for 90 days after sending, then automatically purged
- Contact data: retained until you delete it or close your account
- WhatsApp session data: retained until you disconnect your WhatsApp account or close your account
- Usage logs and analytics: retained for 12 months, then aggregated and anonymized
- Billing records: retained as required by applicable tax and financial regulations (typically 7 years)
When you delete your account, we remove your personal data within 30 days, except where retention is required by law. You may request early deletion of specific data by contacting us.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request deletion of your data ("right to be forgotten")
- Export your data in a portable, machine-readable format (data portability)
- Object to or restrict processing of your data
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with a supervisory authority
7.1 For EEA/UK Residents (GDPR)
If you are located in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases: (a) performance of a contract when providing the Service, (b) our legitimate interests in operating and improving the Service, and (c) your consent where specifically requested. You have the right to access, rectify, erase, restrict processing, data portability, and to object to processing. To exercise these rights, contact us at asher023@gmail.com. We will respond to your request within 30 days.
7.2 For California Residents (CCPA)
If you are a California resident, you have the right to: (a) know what personal information we collect about you, (b) request deletion of your personal information, (c) opt out of the sale of your personal information (note: we do not sell personal information), and (d) not be discriminated against for exercising your privacy rights. To exercise these rights, contact us at asher023@gmail.com. We will verify your identity before processing your request and respond within 45 days.
To exercise any of these rights, contact us at asher023@gmail.com.
8. Cookies and Tracking
We use only essential, strictly necessary cookies for authentication and session management. These cookies are required for the Service to function properly and include:
- Authentication tokens to keep you logged in
- Session identifiers for security purposes
- Preference cookies to remember your settings
We do not use third-party advertising cookies, cross-site tracking pixels, or social media tracking scripts. You can control cookies through your browser settings, but disabling essential cookies may prevent the Service from functioning correctly.
9. Children's Privacy
BulkWA is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe a minor has provided us with personal data, please contact us at asher023@gmail.com.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your own. Our service providers (Supabase, Stripe, Resend) may process data in the United States and other jurisdictions. We ensure that appropriate safeguards are in place, including standard contractual clauses where applicable, to protect your data in accordance with this Privacy Policy.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by email or through a prominent notice within the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
We aim to respond to all privacy-related inquiries within 30 days.