Privacy Policy for Bashly

1. Information We Collect

1.1 Information You Provide

We may collect the following information when you use Bashly:

• Your name and WhatsApp display name
• Your WhatsApp phone number (in E.164 format)
• Email address (only if you contact us directly)
• Event details you share (date, venue, guest list, theme, budget)
• Guardian contact details (for organisers under 18, as required by POPIA)
• Any content you submit through the Service (text, voice notes, images)

1.2 Information from the WhatsApp Business API

When you message Bashly on WhatsApp, we receive the following from the WhatsApp Business API (operated by Meta):

• Your WhatsApp phone number
• Your WhatsApp profile name (if shared by you)
• Message content you send to our number (text, voice notes, images, documents)
• Message timestamps and delivery/read status

We only access data necessary to operate the Service and only for messages you actively send to Bashly. We do not receive data about conversations you have with other WhatsApp users.

1.3 Automatically Collected Information

We may automatically collect:

• IP address
• Browser type and version
• Device information
• Usage data (pages visited, actions taken)

1.4 Viral Mechanics and Product Analytics

Bashly logs how its sharing mechanic works so we can measure whether the product is delivering value. Specifically, we record which invite and recap cards are shared, which event pages are visited, and which new host sign-ups are traceable to a shared card from an existing host. This is the smallest instrumentation that lets us answer "is the product growing?" with data rather than guesswork.

How this works in practice:

• When a host shares their invite or recap card, the share URL includes a short token (e.g. ?s=ab12cd). This token is stored in our database alongside the event it belongs to.
• When a guest opens an Event Page via that URL, we log one page-view event that includes the token. If the token is not recognised, we log the view without attribution.
• If a guest later creates their own event, we check whether their session originated from a shared token and record that connection.

What we do not do:

• We do not use cookies to track guests across sessions or sites.
• We do not fingerprint guests or build cross-site profiles.
• We do not sell this data or share it with advertisers.
• We do not log per-keystroke, scroll-depth, or heatmap-style telemetry.

Hosts may request deletion of all their analytics data at any time (see Section 8). A deletion sweep removes all entries in our telemetry and token tables keyed to the host's account.

2. How We Use Your Information

We use the collected information to:

• Provide, operate, and maintain the Service
• Generate your Party Pack, manage RSVPs, and coordinate your event
• Send event-related messages, reminders, and updates to you and your guests on WhatsApp
• Improve and personalise the Service
• Respond to support enquiries
• Comply with the WhatsApp Business Policy and POPIA
• Detect and prevent fraud, spam, or misuse

3. Legal Basis for Processing

Bashly is operated in South Africa and primarily serves South African users. We process personal information under the following lawful bases set out in POPIA:

• Your consent (by messaging Bashly and opting in to the Service)
• Performance of a contract (to deliver the Party Pack you have requested)
• Compliance with legal obligations (including the Children's Act and POPIA)
• Our legitimate interests (improving the Service, preventing abuse, maintaining security)

4. Sharing of Information

We do not sell your personal data.

We may share your information with:

• WhatsApp / Meta Platforms, Inc.: delivers your messages via the WhatsApp Business API. Meta currently processes WhatsApp Business data in the United States.
• 360dialog GmbH(Berlin, Germany): our WhatsApp Business Solution Provider. Routes API traffic between Bashly and Meta's WhatsApp infrastructure.
• Anthropic, PBC (Claude AI): generates conversational responses and Party Pack content. Processed in the United States.
• Supabase: database hosting in the af-south-1 (Cape Town) region.
• Vercel: application hosting; functions run in regional data centres including the United States.
• PayStack: processes payments where applicable.
• Legal or regulatory authorities where required by law.

All third parties are contractually required to protect your data and use it only for specified purposes.

5. Data Retention

We retain your information only as long as necessary to:

• Provide the Service
• Comply with legal obligations
• Resolve disputes and enforce agreements

You may request deletion of your data at any time (see Section 8).

6. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption (where applicable)
• Secure servers
• Access controls

However, no system is completely secure, and we cannot guarantee absolute security.

7. Your Rights

Depending on your location, you may have the right to:

• Access your personal data
• Correct inaccurate data
• Request deletion
• Restrict or object to processing
• Data portability

To exercise these rights, contact us at: hello@bashly.io

8. Data Deletion Instructions

You can request deletion of all data associated with your Bashly account at any time by:

• Sending the message "delete my data" to Bashly on WhatsApp
• Emailing us at hello@bashly.io with your WhatsApp phone number

We will confirm and complete the deletion within 30 days, except where we are required to retain information to comply with a legal obligation or resolve a dispute.

9. Children's Privacy

Our Service is not intended for individuals under the age of 13 (or equivalent minimum age in your jurisdiction). We do not knowingly collect data from children.

10. International Data Transfers

Bashly is operated from South Africa. Your event data (organiser profile, guest list, RSVPs, Party Pack content) is stored in South Africa via Supabase (af-south-1 region).

Your WhatsApp messages and related metadata (phone number, profile name, message content, delivery status) are processed by Meta Platforms, Inc. under the WhatsApp Business API, which currently stores this data in the United States. Meta handles WhatsApp Business data under its published Data Protection Addendum and Standard Contractual Clauses for international transfers.

Other processors that may process data outside South Africa:

• Anthropic (Claude AI): United States
• 360dialog GmbH (WhatsApp Business Solution Provider): Germany / European Union
• Vercel (application hosting): multi-region, including the United States

We rely on the following lawful bases for these international transfers under POPIA Section 72:

• Section 72(1)(a): your consent. By initiating a conversation with Bashly on WhatsApp, having been informed of these transfers in this Privacy Policy, you consent to your data being processed by the recipients listed above.
• Section 72(1)(b): performance of contract. The transfer is necessary to deliver the WhatsApp-based party planning service you have requested.
• Adequate safeguards: each processor is bound by contractual data protection clauses providing protections equivalent to POPIA, including encryption in transit and at rest, access controls, and limited use of your data only for the purposes of delivering our service.

You can withdraw your consent at any time by requesting deletion of your data (see Section 8). Once requested, we will stop further processing and instruct our processors to do the same, subject to any retention obligations under applicable law.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify users of any significant changes by updating the effective date or via the Service.

12. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

Email: hello@bashly.io

Website: https://bashly.io

13. Compliance with WhatsApp and Meta Policies

Bashly complies with the WhatsApp Business Terms of Service, WhatsApp Business Policy, and Meta Platform Terms. We only use data obtained through the WhatsApp Business API for the permitted purpose of providing the Service to you, and we do not use it for advertising, profiling, or resale.

We are not affiliated with, endorsed by, or sponsored by Meta Platforms, Inc. or WhatsApp LLC.