Privacy Policy
Last updated: 2026-07-01
This Privacy Policy explains how WP FOSS LLC (“WPfoss”, “we”, “us”, “our”) collects, uses, shares, and protects personal data when you visit wpfoss.com, use our application at agents.wpfoss.com, our APIs and webhooks, or interact with the AI sales agents we build and operate for our clients.
WPFOSS is a registered Data Controller and Data Processor certified by the Office of the Data Protection Commissioner (ODPC) – Kenya, under the Data Protection Act, 2019. This policy is written to meet our obligations under that Act.
1. Who we are, and when we are a Controller or Processor
WPfoss is operated by WP FOSS LLC, a company registered in Delaware, United States, and registered with the Office of the Data Protection Commissioner (ODPC) in Kenya. We serve clients in Kenya and internationally, and this policy is governed primarily by the Kenya Data Protection Act, 2019. You can reach our privacy team any time at hello@wpfoss.com.
- We are the Data Controller for the personal data relating to your account, billing, support requests, marketing preferences, and your use of our website and application.
- We are the Data Processor for the personal data contained in the messages, contacts, and conversations that flow through the AI agents we build for you. For that data you are the Controller, and we process it only on your documented instructions.
2. Information we collect
Information you give us
- Account & contact details: name, email, phone number, company name, role, and billing details you submit through our forms or when you sign up.
- Workspace configuration: your offer, prices, policies, FAQs, knowledge-base content, and agent instructions used to train and run your AI agent.
- Communications with us: emails, calls, and support messages, including any attachments you choose to share.
Business data processed through the agents
- Contacts you import or that arrive through inbound messages (name, phone, email, social profile identifiers, and any custom fields).
- Conversation content across connected channels, including text, voice notes, images, videos, and documents your customers send.
- The inputs and outputs of any automations or integrations you configure.
Payment information
Payments are processed by Stripe (cards), Safaricom M-Pesa (mobile money), and Zoho (checkout and billing). We do not store full card numbers, PINs, or other sensitive payment credentials on our servers. We retain only limited details such as a payment reference, the last four digits or masked identifier, and the billing details tied to your account.
Information from connected accounts
- Profile and page data from Google and Meta when you connect those accounts, for example to enable calendar booking or to authenticate your WhatsApp Business or Instagram account.
- Messages and profile identifiers sent by your customers through any channel you connect.
Information we collect automatically
- Usage data (pages and features used, actions taken, errors encountered).
- Device and connection data (IP address, browser, operating system, referrer), and approximate, city-level location derived from your IP.
- Server logs and security events, such as sign-in attempts and rate-limit triggers.
3. How we use information
- To provide, operate, maintain, and improve our services.
- To run AI conversations through Anthropic Claude, and to understand media such as voice notes, images, and videos through Google Gemini.
- To deliver and manage messages across connected channels (WhatsApp and Instagram, and any others you connect).
- To process payments, manage your subscription, and detect billing fraud.
- To provide support and respond to your requests.
- To keep our services secure and prevent abuse, fraud, and security incidents.
- To produce aggregated, de-identified analytics that help us improve.
- To send service messages (security, billing, and account notices) and, with your consent, occasional marketing.
- To meet our legal and regulatory obligations.
We do not sell personal data, and we do not share it with third parties for advertising.
4. AI processing & transparency
We do not use your data to train public AI models. AI conversations are processed by Anthropic Claude, and certain media-understanding tasks are handled by Google Gemini, under terms that prohibit training their generally available models on your data.
On our Enterprise plan you can bring your own Anthropic API key. In that case, AI usage is billed by Anthropic directly to your account, and your agreement with Anthropic governs that usage in addition to this policy.
Our AI does not make legally binding decisions about individuals on its own. We offer a human-in-the-loop mode and recommend it for high-value or sensitive interactions. You are the Controller for your customers’ messages; we act as your Processor and handle that data only on your instructions.
5. Lawful basis for processing
Under the Data Protection Act, 2019, we rely on one or more of the following bases:
- Performance of a contract — to deliver the services you signed up for.
- Consent — for marketing messages and optional analytics or marketing cookies, which you can withdraw at any time.
- Legitimate interests — for security, fraud prevention, and improving our services, balanced against your rights.
- Legal obligation — for tax, accounting, and other regulatory requirements.
6. Sharing & sub-processors
We share personal data only with vetted providers who help us deliver the services, each bound by a data-protection agreement. We do not sell personal data.
| Provider | Purpose |
|---|---|
| Anthropic | AI language model powering the sales agents |
| Gemini media understanding (voice, image, video); Calendar & Drive access when you connect them; website analytics | |
| Meta Platforms | WhatsApp Business API and Instagram messaging |
| Stripe | Card payment processing |
| Safaricom (M-Pesa) | Mobile-money payments |
| Zoho | Checkout, billing, and business operations |
| Calendly | Scheduling discovery and strategy calls |
We may also share data with professional advisors (legal, accounting, audit) under confidentiality, with authorities where legally required, and in connection with a merger or sale of assets subject to appropriate protections.
7. International transfers
Some of our providers process data outside Kenya. Where personal data is transferred across borders, we do so in line with the Data Protection Act, 2019, relying on appropriate safeguards such as data-protection contract terms with each provider, transfers to countries or recipients that offer adequate protection, or your consent where required.
8. Data retention
- Account data: kept for as long as your account is active.
- Conversation & contact data: retained by default while your account is active and for a reasonable period after, and configurable to a shorter window on request.
- Financial records: retained for up to seven years to meet tax and accounting obligations.
- Backups: retained for up to 90 days after deletion from active systems.
- Server logs & security events: typically up to 12 months.
- Aggregated, de-identified analytics: retained indefinitely, as it does not identify anyone.
When you cancel, you can export your data for 30 days, after which we delete it from active systems in the normal course and from backups within the windows above.
9. Your rights
Under the Data Protection Act, 2019, you have the right to:
- Be informed of how your personal data is used.
- Access the personal data we hold about you.
- Ask us to correct data that is inaccurate, misleading, or out of date.
- Ask us to delete your personal data, subject to legal limits.
- Object to, or ask us to restrict, certain processing.
- Receive your data in a portable, commonly used format.
- Withdraw consent at any time, without affecting processing done before you withdrew it.
To exercise any of these, email hello@wpfoss.com and we will respond within 30 days. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya at odpc.go.ke.
10. Children
Our services are intended for business use and are not directed at children. We do not knowingly collect personal data from anyone under the age of 18 without the consent of a parent or guardian. If you believe a child has provided us data, contact us and we will delete it.
11. Cookies & tracking
- Essential cookies for sign-in, sessions, and security (required for the service to work).
- Functional cookies that remember your preferences.
- Analytics cookies for aggregated usage insights, set only with your consent.
You can change or clear cookies in your browser at any time without breaking the site.
12. Security
We use administrative, technical, and physical safeguards to protect personal data, including:
- Encryption in transit (TLS) and encryption at rest for sensitive credentials and tokens.
- Role-based access control on a least-privilege basis.
- Audit logging of administrative actions and regular security reviews.
- A documented incident-response plan.
No system is perfectly secure. If we become aware of a personal-data breach likely to pose a risk to your rights, we will notify the ODPC within 72 hours where required, and affected users without undue delay.
13. Marketing communications
We send marketing only with your consent, and every marketing email includes an unsubscribe link. Service messages (security alerts, billing, and important account notices) are sent regardless of marketing preferences because they are needed to run the service.
14. Legal disclosures
We may disclose personal data where we believe in good faith it is required by law, court order, or a lawful regulatory request, or where necessary to protect the rights, safety, or property of WPfoss, our clients, or the public. Where lawful, we will let you know in advance.
15. Changes to this policy
We may update this policy from time to time. For material changes we will give notice on this page or by email before they take effect; for minor changes we will update the “Last updated” date above.
16. Contact
For any privacy question or to exercise your rights, contact us at hello@wpfoss.com. Please include enough detail for us to verify your identity and act on your request.
