SIMPLATEVibe messaging
Back to Home

Privacy Policy

Effective Date: June 12, 2026 • Last Updated: June 12, 2026

At Tizyou Tecnologia, through our product simplate, we build high-performance outbound messaging infrastructure for AI developers. We believe privacy is an engineering requirement, not a legal afterthought. This Privacy Policy outlines our strict data minimization practices and details exactly how we handle your information.

1. TL;DR (Executive Summary)

  • Zero Inbound Storage: We do not touch, read, or store inbound conversations. Your webhooks remain 100% yours.
  • Encrypted Credentials: Your WhatsApp Business (Meta) Access Tokens are encrypted with AES-256-GCM at rest and decrypted strictly in memory (RAM).
  • Minimal Logging: We only log outbound transaction telemetry required for debugging, LLM tracing, and billing.
  • No Selling: Your data is never sold, shared, or rented to third parties.

2. Minimum Data Collection

To provide our semantic gateway services, we collect only the absolute minimum required data:

  • Workspace DetailsAdministrative metadata about your developer account, such as workspace name, developer email, and API usage metrics.
  • Meta Access Tokens (Encrypted)To forward messages to the Meta Cloud API on your behalf, we store your WABA Access Tokens and Phone Number IDs. These credentials are encrypted immediately with AES-256-GCM before writing to the database.
  • Template MetadataWe sync and store the structure of your approved Meta WhatsApp templates (template names, language codes, and variable schemas like {"customer_name": 0}) to enable our automated semantic mapping engine. We do not store the static template body texts.
  • Outbound Message Logs (Telemetry)We maintain metadata logs for outbound messages. This telemetry includes:
    • Timestamp of transmission.
    • Anonymized/hashed recipient phone number or full number (only when explicitly selected for developer console tracing).
    • Outbound status (Success / Failure / Error codes).
    • Semantic variable payloads (for LLM tool execution audit trails).
    • Processing latency (in milliseconds).

3. What We Do NOT Collect & Do NOT Do

Our architecture is designed to enforce structural boundaries that protect user conversations:

  • No Inbound Webhook Storagesimplate is an outbound-only gateway. We do not manage, intercept, or process incoming user chats. Your WhatsApp inbound webhooks are routed directly from Meta to your own conversational engine; we never see or store inbound text, voice, or media.
  • No Chat Content ArchivesWe do not archive outbound message contents or body texts. Once a message is compiled semantically and successfully delivered to the Meta Cloud API, the compiled text payload is instantly flushed from our routing queues.
  • No Data MonetizationWe never share, sell, lease, or monetize your developer data, workspace logs, or client phone numbers with advertisers or data brokers.

4. Subprocessors

We rely on a minimal set of secure, industry-standard subprocessors to run our infrastructure:

  • Meta Platforms, Inc.: As the official provider of the WhatsApp Business Cloud API, all outbound messages are delivered directly to Meta’s servers.
  • Stripe, Inc.: We use Stripe to process secure payments, subscriptions, and billing transactions. No credit card numbers or billing address secrets are processed or stored on simplate servers.

5. GDPR & LGPD Compliance

Under the General Data Protection Regulation (GDPR) and the Brazilian General Data Protection Law (LGPD):

  • simplate as a Data Processorsimplate acts strictly as a Data Processor for the outbound telemetry and credentials managed inside your workspace.
  • Developer as the Data ControllerYou (the developer or customer integrating simplate) act as the Data Controller. You are solely responsible for ensuring you have established a valid legal basis (such as explicit opt-in consent) to message your end-users.
  • User RightsEnd-users wishing to exercise their rights of access, correction, or deletion of outbound metadata records must contact you (the Data Controller). Upon receiving a valid request, we will assist you in deleting relevant database log entries within standard regulatory timeframes.

6. Data Security & RAM-Only Decryption

We treat security as a vital component of reliability:

  • AES-256-GCM EncryptionAll stored integration credentials, Meta Cloud API tokens, and sensitive workspace configurations are encrypted at rest using industry-standard AES-256-GCM symmetric cryptography.
  • RAM-Only DecryptionSecrets and sensitive raw keys are decrypted exclusively in volatile memory (RAM) during API request execution. Decrypted tokens are never written to persistent disk storage, temporary files, or server error logs.
  • Infrastructure SecurityOur production databases and servers are hosted within secured, firewall-protected virtual private clouds (VPCs) with strict role-based access controls (RBAC) restricted to authorized system operations.