Compliance & Privacy Guide
How Tadhkir handles data, opt-outs, and WhatsApp policy compliance
Data Privacy
What Data We Collect
From businesses:
- Business name, vertical, market, contact details
- Subscription and billing information (processed by Stripe/Paystack — we do not store card numbers)
- WhatsApp Business number
From your customers (on your behalf):
- Name, phone number, email (optional)
- Last visit date, language preference
- Reminder history (sent, delivered, read, opted out)
We act as a data processor on behalf of businesses (the data controllers). Each business is responsible for having a valid lawful basis to hold and use their customers' contact details.
Data Isolation
Every business's data is completely isolated. Row Level Security (RLS) is enforced at the database layer — no business can access another business's customers or reminders, even if they share the same database.
Data Retention
- Active customer data is retained for as long as the business account is active
- On account cancellation, data is retained for 30 days then permanently deleted
- Anonymised analytics (aggregated, no personal data) may be retained indefinitely
Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | AWS EU (Ireland) |
| Stripe | Payment processing (Gulf/UK/USA/EA) | USA / EU |
| Paystack | Payment processing (Nigeria/Ghana) | Nigeria |
| Vercel | Application hosting | USA (Edge: global) |
| Anthropic | AI Copilot (Claude) | USA |
Your Rights (GDPR / UK PDPA / Saudi PDPL)
- Access: Request a copy of your data at any time
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your account and all associated data
- Portability: Export your customer data as CSV from the dashboard
- Objection: Object to specific processing activities
To exercise any right, contact: [email protected]
For UK residents with unresolved complaints: Information Commissioner's Office (ICO)
WhatsApp Messaging Compliance
Meta Business Messaging Policy
Tadhkir sends messages via the official WhatsApp Business API. All usage must comply with Meta's Business Messaging Policy.
Key rules:
- Messages must be relevant to the customer's relationship with the business
- No unsolicited marketing to people who haven't opted in
- No spam, no deceptive content, no illegal content
Message Categories
All Tadhkir templates are submitted under WhatsApp's Utility category:
| Category | What it covers | Tadhkir uses? |
|---|---|---|
| Utility | Appointment reminders, follow-ups, service notifications | ✅ Yes |
| Authentication | OTPs, verification codes | ❌ No |
| Marketing | Promotions, offers, new products | ❌ No |
Utility messages have a higher delivery rate and are less restricted than marketing messages.
Opt-Out Handling
Tadhkir enforces mandatory opt-out handling:
| Customer Reply | Action |
|---|---|
| STOP | Customer immediately deactivated — no further messages |
| إلغاء (Arabic) | Customer immediately deactivated |
| SIMAMA (Kiswahili) | Customer immediately deactivated |
| BOOK | Reminder status updated to booked |
Opt-outs are legally required under WhatsApp Business Policy and GDPR. Failure to honour opt-outs can result in your WhatsApp number being banned by Meta.
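The keyword handling described above, written out as an added TypeScript example (not Tadhkir's own code). The `Customer` shape with its `active` flag and `reminderStatus` field is an assumption; the example goes slightly beyond the table by normalising case, whitespace and Arabic diacritics so spelling variants of the keywords are still honoured, and by gating every send on the opt-out flag.

```typescript
// Inbound WhatsApp reply handling (added example, not Tadhkir's code).
// Assumed customer record: `active` is cleared on opt-out, `reminderStatus`
// is flipped to "booked" on a BOOK reply.
type Action = "OPT_OUT" | "BOOK" | "NONE";

export interface Customer {
  id: string;
  active: boolean;
  reminderStatus: "pending" | "booked";
}

// Normalise a reply so "stop", " Stop ", "simama" and Arabic typed with
// harakat or tatweel still match the keyword table exactly.
export function normalizeReply(text: string): string {
  return text
    .replace(/[\u064B-\u0652\u0640]/g, "") // strip Arabic harakat and tatweel
    .normalize("NFKC")
    .trim()
    .toUpperCase();
}

// Keyword table from the guide: STOP, إلغاء, SIMAMA opt out; BOOK books.
const OPT_OUT_KEYWORDS = new Set(["STOP", "إلغاء", "SIMAMA"].map(normalizeReply));
const BOOK_KEYWORDS = new Set(["BOOK"].map(normalizeReply));

// Exact-token match only: "BOOKING" or "please stop" are not commands.
export function classifyReply(text: string): Action {
  const token = normalizeReply(text);
  if (OPT_OUT_KEYWORDS.has(token)) return "OPT_OUT";
  if (BOOK_KEYWORDS.has(token)) return "BOOK";
  return "NONE";
}

// Apply the action. Opt-out is idempotent and final: a later BOOK reply
// never reactivates a customer who has opted out.
export function applyReply(customer: Customer, text: string): Customer {
  const action = classifyReply(text);
  if (action === "OPT_OUT") return { ...customer, active: false };
  if (action === "BOOK" && customer.active) {
    return { ...customer, reminderStatus: "booked" };
  }
  return customer;
}

// Every outbound send must pass through this check so an honoured opt-out
// cannot be bypassed by a scheduled reminder.
export function canSend(customer: Customer): boolean {
  return customer.active;
}
```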
Template Approval
All WhatsApp message templates must be approved by Meta before they can be sent. Tadhkir submits templates on your behalf during onboarding. Approval typically takes 24–48 hours.
Civic & Political Messaging Compliance
Tadhkir supports Nigerian political aspirants, parties, and INEC offices under strict compliance rules.
Allowed (Utility Category)
- Rally reminders and congress schedules
- PVC collection notices and deadlines
- Voter registration deadlines
- Polling unit location updates
- Election day reminders
- Community meeting schedules
- Dues and membership reminders
Not Allowed
- Campaign slogans or endorsements
- "Vote for X" messaging
- Comparative attacks on opponents
- Any content that could constitute political advertising under INEC regulations
Tadhkir's civic templates are pre-approved for the Utility category only. Any attempt to use the platform for prohibited political advertising will result in immediate account suspension.
Security Practices
Data in Transit
All data is encrypted in transit via TLS 1.2+. Tadhkir enforces HTTPS on all routes with HTTP Strict Transport Security (HSTS).
Data at Rest
All data is encrypted at rest by Supabase (AES-256) on AWS infrastructure.
Authentication
- User authentication via Supabase Auth (email/password + JWT sessions)
- Sessions are cookie-based with `HttpOnly` and `Secure` flags
- Row Level Security ensures every database query is scoped to the authenticated user's business
Access Controls
- Service role database access is server-side only — never exposed to the browser
- Admin access requires explicit whitelisting by Tadhkir operators
- All admin actions are logged with actor, timestamp, before/after values
GDPR Lawful Basis
Tadhkir businesses sending reminders to their customers should rely on one of the following lawful bases:
| Basis | When it applies |
|---|---|
| Legitimate interests | Reminding existing customers of appointments they've previously booked |
| Contractual necessity | Reminders related to an ongoing service contract (e.g. treatment plan) |
| Consent | Where the customer has explicitly opted in to receive WhatsApp messages |
Recommended: Include a brief opt-in notice at the point of booking or registration — "We'll send you a WhatsApp reminder when your next appointment is due." This covers legitimate interests and demonstrates consent.
Contact
For data, privacy, or compliance questions:
Istibqa Ltd
Company No. 17089113 (England & Wales)
Email: [email protected]
Privacy Policy: tadhkirapp.com/privacy
Terms of Service: tadhkirapp.com/terms