Adronx ("we", "our", or "us") operates a multi-tenant SaaS platform for WhatsApp Business messaging and Meta advertising management. This Privacy Policy explains what data we collect, why we collect it, and how we keep it safe. By using our services, you agree to this policy.
1Information We Collect
Account & Identity Data
When you register or are invited to Adronx, we collect your first name, last name, email address, and password (stored as a bcrypt hash — we never store your plain-text password).
Organisation & WhatsApp Data
To connect your WhatsApp Business Account, we store your WABA ID, phone number ID, display phone number, and an AES-256 encrypted copy of your Meta access token. We never expose this token in API responses.
Messaging & Contact Data
We store the contacts you import or create, including their names, phone numbers, email addresses, and tags. We also store messages exchanged through our platform along with delivery and read status metadata provided by WhatsApp.
Advertising Data
When you connect a Meta ad account, we store your ad account ID, associated page ID, campaign settings, creative content, and performance metrics (impressions, clicks, spend, ROAS) fetched via the Meta Marketing API.
Usage & Technical Data
We collect structured logs including request timestamps, correlation IDs, and error details. These logs do not include message content. We also collect authentication events such as login times and IP addresses.
2How We Use Your Data
- To provide and operate the Adronx platform, including sending and receiving WhatsApp messages on your behalf.
- To run and optimise Meta ad campaigns using our AI budget optimisation engine (Gaussian Thompson Sampling).
- To authenticate users, manage organisation roles and permissions, and secure your account.
- To send transactional emails such as invitation emails, password reset links, and import completion notifications.
- To generate analytics and aggregated metrics shown on your dashboard (conversation counts, message trends, campaign ROAS).
- To comply with applicable laws and enforce our Terms of Service.
We do not use your data to train AI models. The Claude AI model used for campaign explanations is called via Anthropic's API on a per-request basis and does not retain your data.
3Data Sharing
We do not sell, rent, or trade your personal data. We share data only with the following sub-processors to operate the service:
- Microsoft Azure (West Europe) — cloud infrastructure, App Service hosting, Azure Service Bus message queuing, and Azure Container Apps.
- MongoDB Atlas — primary database for all platform data, stored in the EU region.
- Meta (Facebook/WhatsApp) — WhatsApp Cloud API for message delivery; Meta Marketing API for ad campaign management. Data shared is limited to what is required for these operations.
- Anthropic — AI-generated natural language explanations for budget optimisation decisions, sent as anonymised performance summaries.
- SMTP provider — for transactional email delivery (invitation and password reset emails).
We may disclose data if required by law, court order, or to protect the rights, property, or safety of Adronx, our users, or the public.
4Data Retention
We retain your data for as long as your account is active or as needed to provide the service. Specific retention periods:
- Refresh tokens — 7 days from issuance; automatically purged when revoked or expired.
- Password reset tokens — 1 hour from issuance; marked as used upon successful reset.
- Messages & contacts — retained for the life of your subscription. Upon account deletion, data is soft-deleted immediately and purged within 90 days.
- Logs — structured logs are retained for up to 30 days for security and debugging purposes.
To request deletion of your data, please contact us at privacy@adronx.com.
5Your Rights
Depending on your location, you may have the following rights under applicable privacy laws (including GDPR and CCPA):
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data via your Profile settings or by contacting us.
- Erasure — request deletion of your account and associated personal data.
- Portability — receive your data in a structured, machine-readable format.
- Objection / Restriction — object to or restrict certain processing activities.
- Withdraw Consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email privacy@adronx.com. We will respond within 30 days.
6Security
We implement industry-standard technical and organisational measures to protect your data:
- Encryption in transit — all API traffic is served over HTTPS (TLS 1.2+). HTTP requests are automatically redirected to HTTPS.
- Encryption at rest — Meta access tokens are encrypted with AES-256 before storage. Passwords are hashed with bcrypt.
- Access control — JWT-based authentication with short-lived access tokens (30 minutes) and 7-day refresh tokens stored as SHA-256 hashes.
- Secrets management — all production credentials are stored in Azure Key Vault and injected via Managed Identity. No secrets are stored in source code.
- Rate limiting — messaging endpoints are rate-limited to 60 requests per minute per organisation to prevent abuse.
Despite these measures, no system is perfectly secure. If you discover a security vulnerability, please report it responsibly to security@adronx.com.
7Cookies
The Adronx web application uses the following types of storage:
- HttpOnly cookies — used to store your refresh token securely. These cookies are not accessible via JavaScript.
- localStorage — used to store your access token, token expiry, and language preference (
adronx_lang). This data remains on your device and is cleared on logout.
The landing page (adronx.com) stores only your language preference in localStorage and uses no third-party tracking cookies or analytics scripts.
8Third-Party Links
Our platform integrates with Meta (Facebook/WhatsApp) and may display links to external services. We are not responsible for the privacy practices of third-party services. We encourage you to review their privacy policies before connecting any external account.
9Children's Privacy
Adronx is a business-to-business platform intended for users aged 18 and over. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us immediately at privacy@adronx.com.
10Policy Changes
We may update this Privacy Policy periodically. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify registered users by email. Continued use of the platform after the effective date constitutes acceptance of the revised policy.
11Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out: