1. Privacy Policy Overview

WhatsApp Flow ("we," "us," "our," "Company," or "Service Provider") is a Trello Power-Up that enables users to receive real-time WhatsApp notifications about Trello board, list, and card events. We are committed to protecting your privacy and ensuring transparency about how we collect, use, share, and protect your personal information.

This Privacy Policy explains:

• What information we collect and how we collect it
• How we use and process your information
• Who we share your information with
• How we store and protect your information
• How long we keep your information
• Your rights and choices regarding your personal data
• How to contact us about privacy

Important: If you do not agree with this Privacy Policy, you should not install or use WhatsApp Flow. By using our Service, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

We collect information when you actively provide it to us:

Type of Information	Description	Purpose
Phone Number	Your WhatsApp-enabled phone number	To send you WhatsApp notifications
Verification Code Input	The 6-digit code you enter to verify ownership	To verify you own the phone number
Trello Board/List/Card IDs	Identifiers of Trello resources you configure	To know which events to monitor
Notification Preferences	Your selected event types and notification rules	To customize your notification experience
User ID	Your Trello user ID (received from Trello OAuth)	To link configurations to your account

2.2 Information Collected Automatically

We automatically collect certain information when you use our Service:

• Webhook Event Data: Information from Trello webhooks about card changes, member additions/removals, label changes, due date updates, etc. (structured metadata only—not the full card content)
• IP Address: Your IP address for security logging, fraud detection, and understanding geographic usage patterns
• Device Information: Information about your browser, device type, operating system, and browser version
• Timestamps: When you verify your phone, request notifications, and interact with the service
• Usage Analytics: Which features you use, verification code requests, message delivery status, and error logs
• Service Performance Data: Response times, error rates, and system performance metrics

2.3 Information NOT Collected

We are transparent about what we intentionally do NOT collect:

• Passwords or Authentication Tokens: We never store your Trello or WhatsApp passwords
• Payment Information: We do not process payments (WhatsApp Flow is free)
• Private Content: Card descriptions, comments, attachments, or private messages
• Profile Data: Your Trello profile picture, bio, or personal Trello settings
• Location Data: We use IP addresses for logging, not for tracking your location

3. Legal Basis for Data Processing

3.1 GDPR Legal Bases (EEA/UK Users)

For users in the European Economic Area or United Kingdom, we process personal data based on the following legal bases:

3.2 CCPA Legal Basis (US Users)

For residents of California and other US states with privacy laws, we process personal information as a service provider and/or for the purposes identified in this policy.

4. How We Use Your Information

4.1 Service Delivery

• Send WhatsApp notifications for Trello events you've subscribed to
• Verify your phone number ownership via SMS/WhatsApp verification code
• Store and manage your notification preferences and configurations
• Authenticate your requests and maintain session security
• Provide technical support when you encounter issues

4.2 Service Improvement and Analytics

• Analyze usage patterns to identify which events are most useful to users
• Monitor service reliability and performance
• Detect and fix bugs in the Power-Up
• Develop new features based on user needs
• Create anonymized and aggregated reports on Power-Up usage

4.3 Security and Fraud Prevention

• Detect and prevent unauthorized access or abuse of the service
• Monitor for suspicious patterns that may indicate fraud or security breaches
• Implement security measures to protect all users
• Investigate and resolve security incidents

4.4 Legal and Compliance Purposes

• Comply with applicable laws, regulations, and legal requests
• Enforce our Terms of Service and other agreements
• Protect our legal rights and the rights of our users
• Maintain audit trails and records as required by law

4.5 We Do NOT Use Your Information For:

• Selling your personal data to advertisers or third parties
• Marketing products unrelated to Trello notifications
• Building behavioral profiles for targeted advertising
• Discriminatory or biased decision-making
• Any purpose you have not consented to

5. Compliance with Trello Data and Privacy Practices

5.1 Trello Integration and Data Handling

WhatsApp Flow is designed as a Trello Power-Up and operates in full compliance with Trello's and Atlassian's data and privacy practices.

5.2 Trello Data We Receive

Through Trello webhooks, we receive the following types of Trello data:

• Board, List, and Card IDs: Identifiers to track which resources triggered the event
• Event Metadata: Type of change (created, updated, deleted, etc.)
• Timestamp: When the event occurred
• Member Information: Trello member IDs involved in the event (not names or emails)
• Card Field Changes: Metadata about what changed (label added, due date changed, etc.) - NOT the card content

5.3 Trello Data We Do NOT Store

We specifically do NOT collect or store:

• Card descriptions, comments, or content
• Attachment data or files
• Custom field values or private information
• Trello member email addresses or profile information
• Organization data or team member lists
• Payment or billing information from Trello

5.4 User Control Over Trello Data

Users have complete control over their Trello data integration:

• Users can uninstall WhatsApp Flow at any time, which immediately stops all data collection
• Users can disable notifications for specific boards or event types
• Users can request deletion of all stored configuration data
• Users maintain full control over which Trello resources are connected

5.5 Trello Data Retention

• Event data is processed and discarded immediately after notification is sent
• Board/list/card IDs are retained only as long as the Power-Up is installed
• No historical Trello data is archived or retained beyond 30 days
• When the Power-Up is uninstalled, all Trello-related data is deleted within 24 hours

6. How We Share Your Information

6.1 Information Sharing Overview

We share your information only as necessary to provide the service and as permitted by law. We do not sell your data.

6.2 Information Sharing Table

Meta WhatsApp Business API Your phone number Deliver WhatsApp messages Data Processing Agreement Cloudflare All data (encrypted) Infrastructure hosting and processing Cloudflare Enterprise Agreement Trello/Atlassian Board/card IDs only Receive webhook events Trello Power-Up Platform Agreement Law Enforcement Any information as required Legal compliance Valid court order or subpoena

6.3 Meta WhatsApp Business API

When you enable WhatsApp notifications:

• Your phone number is transmitted to Meta's servers to deliver messages
• Meta may process this data according to their Privacy Policy and WhatsApp Terms of Service
• Message delivery is logged by Meta and WhatsApp
• We have a Data Processing Agreement with Meta covering data protection obligations
• We do not store or share your WhatsApp tokens or encryption keys with other parties

6.4 Cloudflare Infrastructure

Your data is processed and stored through Cloudflare's infrastructure:

• Cloudflare acts as our data processor and infrastructure provider
• Data is encrypted in transit (TLS) and at rest
• Cloudflare's Privacy Policy applies to their processing
• Cloudflare maintains multiple data center locations; your data may be replicated for redundancy
• Cloudflare employees cannot access your data without authorization

6.5 Trello and Atlassian

WhatsApp Flow integrates with Trello:

• We receive webhook events from Trello (board/card/member changes)
• We do NOT share your WhatsApp phone number with Trello or Atlassian
• Your Trello account data remains governed by Atlassian's Privacy Policy
• We use Trello OAuth tokens only to authenticate your account (tokens are not shared)

6.6 Service Providers and Processors

We may share data with third-party service providers who assist us in operating the service. All processors are bound by confidentiality obligations and data protection agreements.

6.7 Legal Requirements and Enforcement

We may disclose your information if required by law, legal process, or government request, including:

• Compliance with court orders or subpoenas
• Response to government agency requests (law enforcement, regulators)
• Protection of our legal rights and your safety
• Prevention of fraud, security threats, or illegal activity

When possible and legally permissible, we will notify you of such requests.

6.8 Business Transfers

If WhatsApp Flow is acquired, merges with another company, or undergoes other business transfers, your information may be transferred as part of that transaction. You will be notified of any such change and any choices you may have.

6.9 No Sale of Personal Information

We do not sell, rent, lease, or share your personal information with third parties for their direct marketing purposes or for money. Under CCPA and similar laws, we have not sold personal information in the past 12 months and do not intend to do so.

7. Data Storage, Security, and Retention

7.1 Where and How We Store Your Data

Your data is stored in the following locations:

• Cloudflare Workers KV: Verification codes, configuration data, and user preferences
• Cloudflare Durable Objects: Session state and real-time configuration
• Primary Data Centers: US-based Cloudflare facilities with redundancy
• Backup Systems: Encrypted backups retained for disaster recovery

7.2 Data Protection and Security Measures

Important Limitation: While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your information. You use our Service at your own risk, though we work diligently to protect your data.

7.3 Data Retention Schedule

Type of Data	Retention Period	Reason for Retention
Verification Codes	10 minutes	Only needed for verification; automatically deleted after use or timeout
Phone Numbers	Until Power-Up removal	Necessary to send notifications; deleted when you uninstall Power-Up
Configuration Data	Until Power-Up removal	Stores your notification preferences and board settings
Event Logs	30 days	Debugging, troubleshooting, and performance analysis
Error/Crash Logs	90 days	Identifying and fixing system issues
Security/Audit Logs	1 year	Legal compliance and fraud investigation
Deleted Account Data	30 days (backup)	Recovery in case of accidental deletion

7.4 Deletion of Your Information

When you uninstall WhatsApp Flow or request account deletion:

• Your phone number and configuration data are marked for deletion immediately
• Your data is purged from active systems within 24 hours
• Backup copies are retained for 30 days, then permanently deleted
• Event logs are aggregated and anonymized after 30 days
• Some information may be retained as required by law

8. Your Privacy Rights and Choices

8.1 Rights Under GDPR (EEA/UK)

If you are located in the European Economic Area or United Kingdom, you have the following rights:

• Right to Access: Request what personal data we hold about you
• Right to Correction: Request correction of inaccurate data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data in certain circumstances
• Right to Restrict Processing: Request that we limit how we use your data
• Right to Data Portability: Request your data in a structured, machine-readable format
• Right to Object: Object to certain types of processing, including marketing
• Rights Related to Automated Decision-Making: Request human review if automated decisions significantly affect you
• Right to Lodge a Complaint: File a complaint with your local data protection authority

8.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights:

• Right to Know: Request what personal information we have collected and how we use it
• Right to Delete: Request deletion of personal information we have collected from you
• Right to Opt-Out: Opt out of the sale or sharing of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use: Limit how we use sensitive personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights
• Right to Appeal: Appeal our denial of your request

8.3 Rights Under Other US State Laws

Other states (Virginia, Colorado, Connecticut, Utah, etc.) offer similar privacy rights. Contact us to exercise rights applicable in your state.

8.4 How to Exercise Your Rights

We will verify your identity before processing requests to protect your privacy.

8.5 Notification Preferences

You can control your notification experience:

• Choose which event types trigger WhatsApp notifications
• Disable notifications for specific boards
• Update or change your phone number at any time
• Temporarily pause notifications without uninstalling the Power-Up
• Uninstall the Power-Up at any time to stop all notifications

8.6 Opt-Out of Additional Communications

If we send you emails about service updates, product announcements, or other communications, you can opt out by:

• Clicking the "Unsubscribe" link in any email
• Contacting us at privacy@whatsappflow.app
• Note: You may still receive transactional emails (account confirmations, security alerts) even if you opt out

9. Cookies and Tracking Technologies

9.1 Our Cookie Policy

WhatsApp Flow uses cookies and similar technologies minimally:

• Session Cookies: Temporary cookies used only for login functionality and session management
• Local Storage: Browser local storage to save your preferences locally (not transmitted to our servers)
• We do NOT use: Persistent tracking cookies, third-party cookies, or behavioral advertising cookies

9.2 Third-Party Analytics

We do not use Google Analytics, Mixpanel, or similar third-party analytics services that would track you across the web.

9.3 Managing Cookies

You can disable cookies in your browser settings. Note that disabling cookies may affect your ability to use certain features of the Power-Up.

10. International Data Transfers

10.1 Data Transfer Mechanisms

Your personal information is primarily stored in the United States (Cloudflare data centers). If we need to transfer data internationally:

• We use Standard Contractual Clauses (SCCs) approved by the European Commission
• We implement supplementary technical and organizational measures
• For EEA/UK users, we comply with GDPR Chapter V requirements
• For Swiss users, we comply with the Swiss FADP

10.2 Data Protection Frameworks

WhatsApp Flow complies with applicable data transfer frameworks:

• EU-US Data Privacy Framework: We comply with the DPF principles for data transfers from EU/UK to US
• Swiss-US DPF: We comply with the Swiss extension for Swiss residents

10.3 Your Consent to International Transfers

By using WhatsApp Flow, you acknowledge that your data will be transferred to, stored in, and processed in the United States and potentially other countries where Cloudflare or our service providers operate. These countries may have different data protection laws than your country of residence. We implement safeguards to ensure your data remains protected.

11. Data Requests from Authorities

11.1 Government and Law Enforcement Requests

We may disclose personal information to government authorities, law enforcement agencies, or judicial bodies if:

• We receive a valid court order, subpoena, warrant, or other legal process
• We believe disclosure is necessary to comply with applicable law or regulation
• We believe disclosure is necessary to protect the safety, rights, or property of users or the public
• We believe disclosure is necessary to prevent fraud, security threats, or illegal activity

11.2 Our Transparency and Notification Practices

• When legally permitted, we will attempt to notify you of government requests for your data
• We will not disclose more information than legally required
• We will challenge overly broad, vague, or illegal requests
• We maintain a log of requests for internal compliance

12. Children's Privacy

12.1 Age Restrictions

WhatsApp Flow is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

12.2 Parental Consent

If a parent or guardian believes we have collected information from a child under 13, please contact us immediately at privacy@whatsappflow.app. We will delete such information promptly.

12.3 Teen Privacy (Ages 13-18)

For users ages 13-18, we provide the same privacy protections as adult users. Parents/guardians should monitor their teen's use of our service.

13. Third-Party Links and Services

WhatsApp Flow may contain links to third-party websites and services, including:

• Trello/Atlassian websites
• Meta/WhatsApp documentation
• Cloudflare resources

Important: We are not responsible for the privacy practices of these third-party services. Please review their privacy policies before providing any personal information:

• Atlassian Privacy Policy
• Meta Privacy Policy
• WhatsApp Terms of Service
• Cloudflare Privacy Policy

14. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature. Currently, there is no industry standard for how websites should respond to DNT signals. WhatsApp Flow does not track users across the web, so DNT has limited applicability. We will update this section if standards evolve.

15. California Consumer Privacy Act (CCPA) Disclosures

15.1 Categories of Personal Information Collected

Category	Examples	Source
Identifiers	Phone number, Trello user ID, IP address	User-provided, automatically collected
Commercial Information	N/A (free service, no purchases)	N/A
Internet Activity	Browsing history, clicks, device info	Automatically collected
Geolocation Data	Approximate location via IP address	Automatically collected
Sensory Information	N/A	N/A
Professional Information	Job title, company (if provided in Trello)	User-provided
Inferences	User preferences, event interests	Derived from usage

15.2 Purposes of Collection

• Providing the WhatsApp Flow service
• Verifying your phone number
• Service improvement and analytics
• Security and fraud prevention
• Legal compliance

15.3 Sale or Sharing of Personal Information

We have NOT sold personal information in the past 12 months and do not intend to do so. Under CCPA, we have not shared personal information for cross-context behavioral advertising in the past 12 months.

16. European Union GDPR Disclosures

16.1 Data Controller and Representatives

Data Controller: WhatsApp Flow

16.2 Legal Basis for Processing

As outlined in Section 3.1 above, we process personal data under Article 6 GDPR based on contract performance, legitimate interests, compliance obligations, and your consent.

16.3 Data Subject Rights and Contact

For GDPR-specific requests, contact: privacy@whatsappflow.app with "[GDPR]" in the subject line.

16. Changes to This Privacy Policy

16.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will make updates available on this page with an updated "Last Updated" date.

16.2 Significant Changes

If we make significant changes to this Privacy Policy that materially affect how we collect, use, or share your personal information, we will:

• Provide notice through the Power-Up (in-app notification)
• Send email notification to the primary contact email on your Trello account
• Allow at least 30 days before the changes take effect

16.3 Your Continued Use

Your continued use of WhatsApp Flow after any updates to this Privacy Policy constitutes your acceptance of those updates. If you do not agree with updated practices, you should uninstall the Power-Up and stop using our Service.

17. How to Contact Us

17.1 Data Protection Authorities

If you believe we have violated your privacy rights and we have not resolved your concern, you may file a complaint with the appropriate data protection authority in your jurisdiction:

• EEA/UK: Your national data protection authority (DPA)
• California: California Attorney General's Office
• Other US States: Your state attorney general or privacy office