← Home · Privacy Policy · Terms of Service

Privacy Policy

Last updated: May 12, 2026

1. Who We Are

This Privacy Policy describes how Badoworks Company ("we", "us", "our"), operating the platform Siten Yayında (the "Service") accessible at sy.badosoftware.com.tr, collects, uses, and protects information when our business customers ("Customers") use our service to manage their own customer communications and outreach.

Contact:
Badoworks Company — Operated by the data controller
Email: bahadir@badoworks.com
Web: https://sy.badosoftware.com.tr

2. Scope of This Policy

Our platform is a B2B SaaS tool used by small and medium businesses (our "Customers") to manage their CRM and to communicate with their own end-customers ("End-Customers") via WhatsApp Business API and email.

This policy covers two types of personal data:

Customer Data — information about businesses using our platform (account login, contact email, business name).
End-Customer Data — information our Customers provide to us about their own customers (phone numbers, names, business addresses, message history) so that the Customer can communicate with them through our platform.

When we process End-Customer Data, we act as a data processor on behalf of our Customer, who is the data controller. Each Customer is responsible for having a lawful basis (consent, legitimate interest, contractual necessity) to share End-Customer Data with us.

3. What Data We Collect

From Our Customers (Account Owners)

Account credentials: username, hashed password
Business contact: business name, contact email, full name
Login activity: last login timestamp, IP address (for security)
Integration credentials: WhatsApp Business Account access tokens (encrypted at rest), Brevo email API keys, Meta App configuration

From End-Customers (Contacts Stored by Our Customers)

Contact details: phone number (E.164 format), name, business name, address, email, website URL
Business metadata: industry/sector, location, public review ratings, SEO score derived from publicly available website information
Communication history: WhatsApp messages (incoming and outgoing), timestamps, message status (sent/delivered/read), media attachments
Customer journey state: CRM stage (New, Interested, Quote Sent, Won, Lost), notes, assigned representative

Technical Data

Browser type, IP address (for security and abuse prevention)
Session cookies (functional, used for login state)
We do not use third-party advertising or analytics cookies.

4. How We Use Data

Service operation: to provide login, store customer records, deliver messages via WhatsApp Business API and Brevo email.
Customer support: to investigate and resolve issues reported by our Customers.
Security: to detect abuse, prevent unauthorized access, and comply with platform provider policies (Meta, Brevo).
Service improvement: aggregated, non-identifying usage statistics to improve our product.

We do not sell personal data. We do not use End-Customer Data for our own marketing. We do not share data with third-party advertising networks.

5. Meta / WhatsApp Business API

Our Service uses the WhatsApp Business Cloud API provided by Meta Platforms Ireland Ltd. to enable our Customers to send messages from and receive messages on their own WhatsApp Business phone numbers.

Outbound messages outside the 24-hour customer service window use only Meta-approved message templates, in compliance with WhatsApp Business Messaging Policy.
Inbound messages are received via Meta webhooks and stored in our database so that our Customer can view and respond.
We honor opt-out keywords (STOP, IPTAL, HAYIR, UNSUBSCRIBE, etc.) automatically: the conversation is archived, the End-Customer is marked as opted-out, and no further outbound messages are sent.
Phone numbers and email addresses transmitted to Meta APIs (e.g., for Conversions API, if enabled) are SHA-256 hashed before transmission.

Use of WhatsApp Business API is also governed by Meta's privacy practices. See: WhatsApp Business Messaging Policy and Meta Privacy Policy.

6. Email (Brevo)

We use Brevo (Sendinblue) to send transactional and outreach emails on behalf of our Customers. End-Customer email addresses are shared with Brevo only when our Customer initiates an email send to that contact. See: Brevo Privacy Policy.

7. Where Data Is Stored

Data is stored on servers located in Türkiye (our hosting provider) within the European Union region. Backups are encrypted. We do not knowingly transfer personal data outside of Türkiye/EU jurisdictions, except as required for the use of Meta/Brevo APIs, which are governed by their own data processing agreements.

8. Retention

WhatsApp messages: retained for the lifetime of the account, unless deleted by our Customer.
CRM records: retained until the Customer deletes them or closes their account.
Opted-out contacts: retained as a suppression list to prevent future contact attempts.
Logs (security, error logs): retained for up to 90 days.

When a Customer closes their account, all related data is deleted within 30 days, except where retention is required by law.

9. Your Rights (KVKK / GDPR)

Under Türkiye's Personal Data Protection Law (KVKK Law No. 6698) and the EU General Data Protection Regulation (GDPR), individuals have the following rights:

Right to know whether their data is being processed
Right to access their personal data
Right to request correction of inaccurate data
Right to request deletion or anonymization
Right to object to processing
Right to data portability
Right to lodge a complaint with the supervisory authority (in Türkiye: KVKK Authority — kvkk.gov.tr)

To exercise these rights, please contact us at bahadir@badoworks.com. Note that for End-Customer Data, requests should first be directed to the Customer (business) that controls that data. We will assist the Customer in fulfilling such requests as a data processor.

10. Security

Passwords are stored as cryptographic hashes (Werkzeug PBKDF2-SHA256).
Transport is encrypted via HTTPS (TLS 1.2+).
API access tokens are stored in encrypted database fields and access is restricted to authorized server processes.
We follow data minimization: we collect and process only what is necessary to operate the service.

11. Public Authority Requests

If we receive a lawful request from a public authority for personal data, we follow these principles:

Required legal review of the legality of the request
Challenging requests we consider unlawful or overbroad
Data minimization — disclosing only the minimum information required by law
Documenting the request, our response, and the legal reasoning

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to account owners and via a notice on this page. The "Last updated" date at the top reflects the latest version.

13. Contact

Questions or requests about this Privacy Policy can be sent to bahadir@badoworks.com.