Privacy Policy
Last updated: 11 May 2026
1. Who we are
The entity responsible for the processing of personal data collected on this website and the WhatSMS platform is:
- Entity: Evidente Despertar, Lda.
- VAT: PT514785691
- Headquarters: Portugal
- Privacy contact: privacy@whatsms.pt
2. Scope of this policy
This policy describes the processing of personal data in the following situations:
- Visiting the website whatsms.pt
- Creating and managing a WhatSMS account
- Using the platform at app.whatsms.pt
- Using the «WhatSMS Gateway» Android app (Google Play Store)
- Support communications and commercial contact
It does not cover the personal data of your company's end customers — these are handled within a Controller/Processor relationship, regulated by a .
3. Data we collect
3.1 Account and registration data
- Full name and professional email address
- Company name and VAT number (for billing)
- Phone number (optional, for support)
- Password (stored as a bcrypt hash — never in plain text)
3.2 Payment data
Payments are processed by Stripe Payments Europe, Ltd. (regulated entity in Ireland/EU). Evidente Despertar, Lda. never stores credit card data — only Stripe customer and subscription references, and invoice history.
3.3 Platform usage data
- Features accessed and usage frequency
- Access logs with timestamp and IP address
- Account settings (channels, agents, flows)
- Support tickets and communications with our team
3.4 Technical data
- IP address (anonymized after 90 days)
- Device type, operating system, and browser
- Session and authentication cookies (see )
4. Android App «WhatSMS Gateway»
The WhatSMS Gateway app (available on the Google Play Store) acts as an SMS gateway between the WhatSMS platform and the device's mobile network.
Permissions requested and their purpose:
- SEND_SMS / RECEIVE_SMS: sending and receiving SMS messages on behalf of the configured WhatSMS account
- READ_PHONE_STATE: identifying available SIM cards for send channel configuration
- CAMERA: QR code scanning for secure device pairing with the WhatSMS account
- RECEIVE_BOOT_COMPLETED: automatic service start after device reboot
- POST_NOTIFICATIONS: local notifications about service status (active/stopped, errors)
- INTERNET: communication with the WhatSMS API to receive pending messages and report delivery status
Data processed by the app:
- Device authentication token — stored locally with AES-256 encryption
- Recipient phone number and SMS message body — in transit only, not permanently stored on device
- FCM token — transmitted to the WhatSMS server exclusively for push notifications
The app does NOT:
- Read, store or transmit SMS messages received from third parties on the device
- Process messages without valid WhatSMS account authentication
4. Legal basis and purposes of processing
| Data | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account data | Account creation and management, authentication | para. 1, point (b) — performance of a contract |
| Billing data | Payment processing, issuing invoices | para. 1, points (b) and (c) — contract + tax legal obligation |
| Usage data | Service provision, technical support, platform improvement | para. 1, points (b) and (f) — contract + legitimate interest |
| Technical data | Security, fraud prevention, error diagnosis | para. 1, point (f) — legitimate interest |
| | Product communications, news (newsletter) | para. 1, point (a) — consent (opt-in) |
When processing is based on legitimate interest, we have performed the balancing test and concluded that our interests do not override your fundamental rights. You may object at any time (see section 8).
5. Data recipients
Your personal data is not sold to third parties. It is shared only with the processors strictly necessary for the provision of the service:
| Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server and database hosting | Germany and Austria (EU) |
| Stripe Payments Europe, Ltd. | Payment and subscription processing | Ireland (EU) |
| Cortecs AI, Lda. | Natural language processing and artificial intelligence (Sovereign Cloud, EU AI Act compliant) | Portugal (EU) |
All processors are located in the European Union and we have entered into data processing agreements with them under Article 28 of the GDPR. We do not transfer data to countries outside the EU/EEA.
6. Retention periods
- Active account data: kept throughout the duration of the subscription.
- After cancellation: data is deleted within 30 days (period during which you can export everything). You can request immediate deletion by emailing privacy@whatsms.pt.
- Billing data: retained for 10 years by legal obligation (VAT Code and Portuguese tax legislation).
- Security and access logs: 90 days, after which the IP is anonymized.
- Support communications: 3 years from the resolution of the request (legitimate interest for documentation).
- Newsletter / marketing communications: until withdrawal of consent (opt-out available in any email).
7. Data security
We implement appropriate technical and organizational measures to protect your personal data:
- Encrypted communications with TLS 1.3 (HTTPS mandatory)
- Databases and backups encrypted at rest
- Multi-factor authentication available for all accounts
- Tenant data isolation (your account is completely isolated)
- Automatic daily backups with 30-day retention in the EU
- Data access restricted to staff with operational need
- Periodic security reviews and vulnerability monitoring
8. Your rights
As a data subject, the GDPR grants you the following rights, which you can exercise by emailing privacy@whatsms.pt:
- Access (Art. 15): obtain confirmation that we process your data and receive a copy of it.
- Rectification (Art. 16): correct inaccurate or incomplete data (available directly in account settings).
- Erasure (Art. 17): request the deletion of your data, except when retention is required by law.
- Restriction (Art. 18): restrict processing in certain circumstances (e.g., while verifying accuracy).
- Portability (Art. 20): receive your data in a structured, machine-readable format (JSON/CSV).
- Objection (Art. 21): object to processing based on legitimate interest or for direct marketing purposes.
- Withdrawal of consent: when processing is based on consent, you can withdraw it at any time without affecting the lawfulness of previous processing.
We respond to requests to exercise rights within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the CNPD (National Data Protection Commission) at www.cnpd.pt.
9. Automated decisions
WhatSMS provides artificial intelligence features (natural language processing, message classification, automated suggestions) processed by Cortecs AI, Lda., a Portuguese provider compliant with the EU AI Act. No automated decisions with significant legal effects are taken based solely on this processing. When such processing occurs, users will be informed and may request human intervention under Article 22 GDPR.
10. Cookies
For detailed information on the cookies we use, please see our .
11. Minors
The WhatSMS platform is intended exclusively for professionals and companies. We do not intentionally collect personal data from minors under 18. If you become aware that a minor has provided data without parental authorization, contact us immediately so we can delete it.
12. Updates to this policy
This policy may be updated to reflect changes in the service, legislation, or our practices. In case of material changes, we will notify users with an active account by email at least 30 days in advance. The "last updated" date at the top of this page always indicates the version in effect.
13. Contact
For questions about this policy or exercising rights:
- Email: privacidade@whatsms.pt
- Evidente Despertar, Lda. — VAT PT514785691 — Portugal