Privacy Policy
Last updated: 2026-05-08 · Service: Masterz (masterz.me)
This Privacy Policy describes how Masterz ("we", "us", or the "Service") collects, uses, and shares information when a business ("Customer") uses our omnichannel CRM to manage conversations with their own end-users ("End Users") across Facebook Messenger, Instagram Direct, WhatsApp, and SIP phone calls.
Two-tier data model. Masterz processes End-User messages on behalf of the Customer who connected the channel. End Users should refer to the Customer's own privacy notice for the relationship between them and the Customer; this policy describes only the technical processing performed by Masterz as a data processor.
1. Information we collect
1.1 Customer (account holder) information
- Account profile: name, email address, password hash, avatar URL.
- Company profile: company name, slug, billing plan tier, time zone, theme settings.
- Role and permission assignments within the Customer's company.
- Authentication metadata: IP address, user agent, login timestamps.
1.2 End-User (conversation) information
When the Customer connects a Facebook Page, Instagram Business account, WhatsApp number, or SIP trunk, we receive and store:
- End-User's channel-side identifier (Facebook PSID, Instagram IGSID, WhatsApp wa_id phone number, SIP from-URI).
- Public profile fields the channel exposes: display name, profile picture, locale.
- Message content: text, attachment URLs (image/video/audio/file references), timestamps, delivery and read receipts.
- Public comments on Facebook posts and Instagram media that the Customer's connected page receives.
- Phone call metadata for SIP channels: from/to numbers, start/end timestamps, call recordings (only when explicitly enabled by the Customer).
- AI-generated reply suggestions and the End-User context used to generate them (Phase 9).
1.3 Technical data
- Webhook delivery records: every inbound event from Meta Graph and WAHA is logged for replay and debugging in the integration_logs table.
- Outbound API call records: every send / read-receipt / template request to a third-party API (Meta Graph, WAHA, OpenAI) is logged.
- Audit logs: who created / updated / deleted roles, users, invitations, and channel connections, with IP and user agent.
2. How we use information
- To deliver the Service: route messages between channels and the Customer's agents, persist conversation history, send replies, generate AI suggestions when enabled.
- To secure the Service: rate-limit logins, detect anomalous activity, audit sensitive actions.
- To bill Customers: count active users, messages, and AI replies against their plan.
- To improve the Service: anonymized, aggregated usage statistics.
3. How we share information
We share information only as needed to deliver the Service:
| Recipient | What is shared | Why |
| --- | --- | --- |
| Meta Platforms | Outbound message text/media destined for Messenger, Instagram, or WhatsApp end-users; webhook subscription metadata. | To deliver the Customer's messages to their End Users on Meta channels. |
| OpenAI | The last N messages of a conversation + relevant knowledge-base chunks, when AI reply is enabled. | To generate suggested or auto-replies on the Customer's behalf. Only when the Customer explicitly opts in per channel. |
| WAHA / SIP providers | Outbound message and call data, when the Customer has connected such a provider. | To deliver the Customer's communications on those transports. |
| Hosting infrastructure | Encrypted storage of all of the above. | To run the Service. |
We do not sell End-User personal data. We do not use Meta-derived data for advertising.
4. Data retention
- Conversations and messages are retained as long as the Customer's account is active.
- Integration logs are retained for 30 days then automatically pruned.
- Audit logs are retained for the lifetime of the Customer's account.
- When a Customer closes their account, all of their company-scoped data (users, customers, conversations, channel accounts, audit logs) is deleted within 30 days.
- End-User data deletion requests can be initiated via our Data Deletion page or programmatically via Meta's data-deletion callback.
5. Encryption and security
- All web traffic is served over TLS (HTTPS).
- Channel credentials (Page Access Tokens, WhatsApp access tokens, SIP secrets, OpenAI keys) are encrypted at rest using Laravel's encrypted:array cast (AES-256-CBC under the application's APP_KEY).
- Passwords are stored as bcrypt hashes (12 rounds).
- The application logs [redacted] markers in place of secret fields wherever request/response bodies are persisted for debugging.
6. Your rights
If you are an End User of a Customer using Masterz, you can:
- Request access to or deletion of your data — see Data Deletion for the process.
- Stop messaging the Customer's connected channel; we will retain only what's necessary to honor the Customer's record-keeping obligations.
- Contact the Customer directly, who is the data controller for your information.
If you are a Customer, you can manage and export your data at any time via the Settings area of the Service, or by emailing hello@masterz.me.
7. Children's privacy
The Service is not directed at children under 13. We do not knowingly collect data from children under 13.
8. Changes to this policy
We will post material changes to this policy at this URL and update the "Last updated" date above. Customers will be notified by email of changes that affect their use of the Service.
9. Contact
Questions about this policy can be sent to hello@masterz.me.