Privacy Policy

1. Introduction

This Privacy Policy explains how Ona.Chat collects, uses, and protects your personal data when you use our services.

2. Data Controller

3. Data We Collect

• Identification Data: Name, email, phone number
• Billing Data: Payment details (processed by third-party providers like Stripe)
• Login Data: Username, password
• WhatsApp Business Data: Messages sent and received via WhatsApp, phone numbers, multimedia content (images, documents, videos), business profile information, message templates
• Usage Data: Interactions, preferences, activity logs
• Cookies & Analytics: We use Google Analytics 4 (GA4) to analyze site usage. Analytics cookies (such as _ga) are only set after you consent via our cookie banner. When consent is denied, GA4 operates in cookieless mode, collecting only aggregated, non-identifying data. We also use server-side analytics (Google Analytics Measurement Protocol) to track key conversion events such as demo bookings. You can change your cookie preferences at any time using the 'Cookie Settings' link in the website footer.
• Facebook & Instagram Lead Ads Data: Name, email, phone number, and any other information submitted by users through Facebook or Instagram Lead Ad forms associated with our clients' advertising campaigns, retrieved via Meta's Graph API on behalf of the advertiser

4. How We Use Your Data

• To provide and maintain our services
• To manage your account and subscription
• To process payments and invoices
• To facilitate WhatsApp Business communications between businesses and their customers
• To create and manage WhatsApp message templates
• To communicate with you (support, updates, marketing if consented)
• To ensure platform security
• To provide aggregated and anonymous analytics of service usage to improve the application
• To retrieve and process lead data from Facebook and Instagram Lead Ad forms on behalf of advertisers using our CRM platform
• To enable advertisers to promptly follow up with potential customers who submitted their Lead Ad forms
• To use aggregated and anonymized lead data for analytics purposes to improve advertising performance (without re-identifying individuals)

5. Legal Basis for Processing

We process data based on:

• Consent
• Contractual necessity
• Legal obligations
• Legitimate interests

6. Data Sharing

We share data with:

• Payment processors: Stripe
• Hosting and infrastructure providers: Railway (servers located in the Netherlands)
• Meta/WhatsApp: For WhatsApp Business messaging services and for retrieving lead data from Facebook and Instagram Lead Ad forms via the Graph API
• Analytics provider: Google (Google Analytics 4 for website usage analysis; data is collected on EU-based servers before any further processing)
• Legal authorities: When legally required

These providers act as data processors on our behalf and are contractually obligated to protect your data.

7. International Transfers

Our servers are located in the Netherlands (within the European Union). Some data processors may be located outside the EU. In such cases, we ensure appropriate safeguards are in place according to GDPR, including standard contractual clauses approved by the European Commission.

8. Data Retention

We retain personal data as long as necessary for service provision and legal compliance. After account deletion, data may be kept for a limited period for legal or security reasons. For analytics data collected via Google Analytics 4, event data is retained for 2 months and user-level data for 14 months, after which it is automatically deleted by Google.

9. Your Rights

You have the right to:

• Access your data
• Request correction or deletion
• Restrict or object to processing
• Data portability
• Withdraw consent at any time
• File a complaint with the Spanish Data Protection Agency (AEPD)

To opt out of analytics tracking, click 'Cookie Settings' in the website footer and reject cookies, or install the Google Analytics opt-out browser add-on.

To exercise your other rights, email us at rafael@ona.chat

10. Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, alteration, or disclosure. This includes encryption, access controls, and regular security audits.

11. Meta Platform Integrations

Ona integrates with multiple Meta platform services to provide its CRM functionality to businesses. This includes the WhatsApp Business API for messaging and the Facebook/Instagram Lead Ads API for lead retrieval. Data processed through Meta's platforms is subject to both this Privacy Policy and Meta's Privacy Policy.

12. Facebook & Instagram Lead Ads

Ona acts as an authorized CRM platform on behalf of advertisers to retrieve and manage lead data from Facebook and Instagram Lead Ad forms.

12.1 Data Collection

When a potential customer fills out a Lead Ad form on Facebook or Instagram associated with one of our client's Pages, our system receives a webhook notification from Meta and retrieves the submitted information (such as name, email address, and phone number) via Meta's Graph API. This data is used exclusively to create a contact record in the advertiser's CRM workspace.

12.2 Purpose of Data Use

• To automatically create lead/contact records in the advertiser's CRM, eliminating manual data entry
• To enable advertisers to follow up with potential customers who expressed interest by submitting a Lead Ad form
• To provide aggregated and anonymized analytics to help advertisers improve their advertising performance, provided such data cannot be re-identified

12.3 Access Control

Only Facebook Page administrators can configure the Lead Ads integration within our platform. They select which Lead Ad forms to sync and how form fields map to CRM contact fields. Lead data is accessible only within the advertiser's organization workspace and is not shared across organizations.

12.4 Restrictions on Data Use

13. Changes to This Policy

We may update this Privacy Policy occasionally. Changes will be posted on our website and, in case of substantial changes, will be notified via email. We recommend reviewing this policy periodically.

14. Contact

For any questions, concerns, or to exercise your data protection rights, contact us at: