Privacy Policy

Effective: 12 June 2026 | GDPR Compliant

Nair ("we", "our", or "us") operates a WhatsApp-based AI ordering agent for small businesses. This policy explains how we collect, use, and protect personal data of customers and shop owners in line with Regulation (EU) 2016/679 (GDPR).

1. Data We Collect

Data Type	Example	Source
WhatsApp phone number	+216 55 123 456	Customer's WhatsApp message
WhatsApp message content	"Je veux un café"	Customer's WhatsApp message
Order data	Product, quantity, total price	Customer's order intent
Payment status	COD confirmed / pending	Shop owner action
Business info	Shop name, WhatsApp Business number	Shop owner (onboarding)
Lead contact info	Name, WhatsApp number, message	Landing page form
Cookie (visitor ID)	UUID stored in localStorage	Analytics beacon on landing page

We do not collect special categories of data (health, religion, political views, biometric data). We do not profile or make automated decisions about individuals.

2. Purpose & Legal Basis

Purpose	Legal Basis (GDPR)
Process customer orders via WhatsApp	Contract performance (Art. 6(1)(b))
Send order confirmations and delivery updates	Contract performance (Art. 6(1)(b))
Manage shop owner onboarding and settings	Contract performance (Art. 6(1)(b))
Lead follow-up (early access form)	Consent (Art. 6(1)(a)) — explicit opt-in required
Website analytics (anonymous visitor ID)	Legitimate interest (Art. 6(1)(f)) — minimal tracking, no cross-site profiling

3. Data Retention

Data	Retention Period	Reason
WhatsApp messages (transient)	Up to 30 days	Operational necessity; not persisted to DB long-term
Order records (anonymized after erasure)	7 years	Tax and legal compliance (EU VAT law)
Customer WA ID (after erasure request)	Anonymized immediately; order data retained anonymously	Legal obligation to keep business records
Lead form submissions	Until withdrawn or 2 years of inactivity	Business follow-up
Shop owner WhatsApp settings	Duration of account + 1 year	Account recovery
Analytics cookie (localStorage)	12 months or until cleared by user	Session continuity

4. Data Sharing

We do not sell, rent, or trade personal data. Data may be shared with:

Meta / WhatsApp — messages pass through WhatsApp Business API; their privacy policy applies to that leg of the journey.
Stripe — payment processing for EU customers; Stripe acts as independent controller.
OpenAI — message content is sent to OpenAI's API for intent classification; processed under OpenAI's Data Processing Agreement.
Polsia infrastructure — app hosting (Render), database (Neon), analytics (internal beacon). Hosting within EU where applicable.

5. Cookies

Our website uses a single analytics cookie (polsia_vid, UUID stored in localStorage) to measure page visits. It is not used for advertising or cross-site tracking. It is not subject to the cookie consent banner because it is not a traditional HTTP cookie — it lives in JavaScript localStorage and has no impact on EU ePrivacy requirements.

Third-party services used by the site (Google Fonts, Stripe Checkout) may set their own cookies. Their privacy policies govern those.

6. Your Rights

As an EU data subject, you have the following rights under GDPR:

Right	Description	How to exercise
Art. 15 Access	Request a full copy of your personal data	`GET /api/customer-data?waid=YOUR_WA_ID`
Art. 17 Erasure	Request deletion of your personal data	`DELETE /api/customer-data?waid=YOUR_WA_ID`
Art. 20 Portability	Receive your data in machine-readable JSON	Use the access endpoint above — output is JSON
Art. 21 Object	Object to processing based on legitimate interest	Contact us below with your request
Art. 13/14 Complaint	File a complaint with your national Data Protection Authority (DPA)	Find your DPA at edpb.europa.eu

To exercise access or erasure rights, replace YOUR_WA_ID with your full WhatsApp number (including the country code, no spaces). Example:

GET https://nair-ai.polsia.app/api/customer-data?waid=21655123456

7. International Transfers

If your data is processed outside the EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions as the legal safeguard. OpenAI's API processes data in the US under their GDPR-compliant Data Processing Agreement.

8. Changes to This Policy

We will notify material changes by posting a revised policy here with an updated effective date. For significant changes, we will send a notice to shop owners via WhatsApp and/or email where available.

Contact us

For data rights requests, privacy questions, or complaints:
Email: privacy@nair-ai.polsia.app

Data controller: Nair (Polsia Inc.) · 12 June 2026