Privacy Policy
Version: 2026-07-06 · Effective date: July 6, 2026
This Privacy Policy describes how Gestic O.R.S.A. (CUIT 30-71607311-0, Castelli 1056, Brandsen, Buenos Aires, Argentina) — operator of GoSendAPI Cloud (the “Service”) — processes personal data, in compliance with the Argentine Personal Data Protection Law No. 25.326 and applicable regulations. Where the recipient of a message is subject to a different data protection regime (e.g. GDPR for EU residents, LGPD for Brazil), that regime also applies to the extent required.
1. Two roles
We process personal data in two different roles:
- As data controller (responsable del tratamiento) — for personal data of the Customer’s account users (name, email, phone, authentication credentials, billing data), for our own purposes: account administration, security, billing, product analytics, and legal compliance.
- As data processor (encargado del tratamiento) — for personal data of End Users that flows through the Service (WhatsApp phone numbers, message contents, media, delivery status). Here the Customer is the data controller and instructs us; we act on the Customer’s behalf and only for the purposes of delivering the Service.
2. Personal data we process
2.1 As controller (about our Customers)
- Account data: full name, business name, email, phone, password hash, authentication tokens;
- Billing data: tax ID (CUIT / VAT ID), billing address, invoice history;
- Usage data: IP address, user agent, timestamps of logins, API keys used, log of administrative actions;
- Support data: correspondence you send us (email, in-app messages, screenshots);
- Marketing data (only with consent): preferences to receive product updates.
2.2 As processor (about End Users of our Customers)
- WhatsApp identifiers: phone number of the End User;
- Message content: text, media (images, video, audio, documents), interactive replies, template variables sent or received through the Service;
- Metadata: message IDs assigned by Meta (
wamid), timestamps, delivery/read/failed events, conversation categorization, pricing tier; - Contact profile: name and profile picture URL as returned by Meta, plus any custom attributes the Customer stores on the contact (tags, notes, external ID);
- Support data associated with the End User: assignments, closed/open status, agent notes.
3. Sources
- Directly from you when you register, configure the Service, or send us information;
- From Meta, when the End User interacts with your WhatsApp Business number and Meta forwards the event to us via webhook;
- From your systems, when you call our API to send a message, upload a contact, or configure a customer;
- Automatically through cookies and log entries (see § 8).
4. Purposes and legal basis
- Providing the Service and executing the Terms of Service (contractual necessity) — sending and receiving messages, storing conversations, delivering webhooks, exposing the inbox and the API, billing.
- Security and abuse prevention (legitimate interest and legal obligation) — detecting spam, fraud, unauthorized access, applying the kill switch, cooperating with Meta.
- Legal compliance (legal obligation) — retention required by tax, commercial, or telecom regulations; responding to lawful requests from authorities.
- Product improvement and analytics (legitimate interest) — internal analytics, error tracking, capacity planning. Where required by law, we perform this on aggregated or pseudonymized data.
- Marketing about our own Service (consent) — sending product updates only where you have opted in.
5. Sharing with third parties
We share personal data only with the following categories of recipients, and only to the extent necessary:
- Meta Platforms, Inc. (and affiliates including WhatsApp LLC) — because the Service is a Tech Provider on top of the WhatsApp Business Cloud API. Message content, phone numbers, and metadata flow to Meta as part of message delivery. Meta acts as an independent controller/processor for its own purposes as described in Meta’s own privacy policies.
- Infrastructure providers — cloud hosting, database, object storage, email delivery, error monitoring. We select providers with appropriate data protection safeguards and act under written data processing terms with them.
- Payment processors — for billing (e.g. Stripe or a local Argentine payment processor). Card data is not stored on our servers.
- Professional advisors — lawyers, auditors, accountants, bound by confidentiality.
- Authorities, regulators, and courts — when we are legally required, when necessary to enforce our Terms, or to protect our or a third party’s rights.
- A successor — in the event of merger, acquisition, or sale of assets, personal data may be transferred to the successor subject to this Policy.
We do not sell personal data.
6. International transfers
The Service may store or process personal data outside of Argentina, including in the United States and the European Union. When we transfer personal data internationally, we do so under the safeguards permitted by Law 25.326 and by the receiving jurisdiction’s law (adequacy decisions, standard contractual clauses, or explicit consent).
7. Retention
- Account data — kept while your account is active, and for up to 5 years after termination to meet tax, accounting, and regulatory obligations (or longer if required by law).
- Message content and metadata — kept as long as the Customer’s account is active or as configured by the Customer. On account termination, we delete or return the data within 30 days, unless retention is required by law.
- Logs — up to 90 days for operational logs; up to 12 months for security-relevant audit logs.
- Backups — encrypted backups may retain the data for up to 30 additional days after deletion.
The Customer can request early deletion of specific contacts or conversations through the Service or by writing to privacy@gosendapi.com.
8. Cookies and log data
The Service uses:
- Strictly necessary cookies for authentication (session cookies) and CSRF protection — cannot be disabled without breaking the Service;
- Preference cookies to remember locale and theme;
- Analytics in aggregated or pseudonymized form to understand usage patterns. We do not use third-party advertising cookies.
Server logs record IP address, user agent, endpoint, timestamp, and response code.
9. Security
We apply commercially reasonable technical and organizational measures:
- Encryption in transit (TLS 1.2+) and at rest for sensitive data;
- Password hashing using industry-standard algorithms;
- API keys are scoped and revocable;
- Access controls on our own systems, with logging of administrative actions;
- Vulnerability response: report suspected security issues to
security@gosendapi.com.
No system is impenetrable. We commit to notify affected Customers of a security incident that materially affects their data within the timeframes required by law.
10. Your rights
Under Law 25.326 and, where applicable, GDPR / LGPD, the data subject has the right to:
- Access — obtain confirmation and a copy of the personal data we process;
- Rectification — correct inaccurate or outdated data;
- Deletion — request erasure (subject to retention obligations);
- Objection — object to processing based on legitimate interest;
- Portability — receive their data in a structured, commonly used, machine-readable format;
- Withdraw consent — where processing is based on consent, at any time, without affecting the lawfulness of prior processing.
Exercise these rights by writing to privacy@gosendapi.com. We will respond within 10 business days for Argentine data subjects, or within the timeframe required by the applicable law for other jurisdictions. You also have the right to lodge a complaint with the Argentine Agency of Access to Public Information (https://www.argentina.gob.ar/aaip) or with the competent authority in your jurisdiction.
When we process End User data as a processor, End Users should typically contact the Customer (the business that messaged them). We will assist the Customer in responding.
11. Children
The Service is not directed to children under 18. If we learn we have collected data of a child without parental consent, we will delete it.
12. Changes to this Policy
We may update this Policy from time to time. Material changes are announced at least 7 days in advance at this URL and, where legally required, by direct notice to Customers.
13. Contact
- Data controller: Gestic O.R.S.A., CUIT 30-71607311-0
- Legal address: Castelli 1056, Brandsen, Province of Buenos Aires, Argentina
- Privacy inquiries:
privacy@gosendapi.com - General legal inquiries:
legal@gosendapi.com - Security inquiries:
security@gosendapi.com
This Privacy Policy forms part of the Terms of Service.