Privacy Policy
Last updated: July 2026
This Privacy Policy explains how Advanced Digital Online (Pty) Ltd (trading as “BusinessFlow”) collects, uses, stores, and protects your personal information when you use our platform and services, including our WhatsApp Business integration.
1. Who We Are
BusinessFlow is a multi-tenant customer relationship management (CRM) platform for South African service-based businesses, including insurance brokers, therapy practices, and professional services firms. Our registered office is in South Africa.
Responsible party: Advanced Digital Online (Pty) Ltd
Information Officer: reachable at privacy@businessflow.co.za
Contact email: privacy@businessflow.co.za
2. Information We Collect
2.1 Account Information
When you register for BusinessFlow, we collect your name, email address, organisation name, and role. This information is required to create and manage your account.
2.2 Client Data
Our business customers may store information about their clients and related parties in BusinessFlow. Depending on how they use the platform, this may include identity and contact information, policy, claims, tax, financial, communication, and document data, and may include special personal information. This data is owned and controlled by the business customer. The customer is ordinarily the responsible party under POPIA, and BusinessFlow processes this data as its operator.
Our customers are responsible for having a lawful basis to collect and use their Client Data, and for giving their clients the privacy notices required by law before providing that data to BusinessFlow.
2.3 WhatsApp Integration Data
When you connect your WhatsApp Business Account to BusinessFlow, we collect and store:
- WhatsApp Business Account (WABA) identifier and phone number
- Business access token (encrypted at rest using AES-256 encryption)
- Message content sent and received through the platform
- Message delivery status (sent, delivered, read, failed)
- Opt-in and opt-out records for messaging consent
2.4 Usage Data
We collect technical usage and diagnostic information to operate, secure, and improve our services. This may include page views, feature usage, and error information. We use Vercel Analytics for website analytics and Sentry for error tracking and monitoring. We take measures to minimise personal information in diagnostic information, but it should not be treated as anonymous in every circumstance.
2.5 Cookies and Similar Technologies
Our website and platform use essential technologies and may use cookies, local storage, or similar technologies provided by analytics and monitoring services. You can control many of these technologies through your browser settings. Where consent is required by applicable law, we will seek it before using non-essential technologies.
3. How We Use Your Information
We use collected information to:
- Provide and maintain the BusinessFlow platform
- Enable WhatsApp messaging between businesses and their clients
- Track message delivery and consent status
- Send system notifications (password resets, account alerts)
- Secure the platform, prevent misuse, and fix technical issues
- Respond to privacy requests and provide support
- Improve our services using technical usage and diagnostic information
- Comply with legal obligations
4. Data Storage and Security
Your core application data is stored primarily on infrastructure located in South Africa. Certain sub-processors that support the platform (see Section 6) may process limited data outside South Africa; where this happens, we rely on the safeguards described in Section 6. We implement the following security measures:
- Encryption at rest: Sensitive data (access tokens, API credentials) is encrypted using AES-256 with PBKDF2 key derivation
- Encryption in transit: All data is transmitted over HTTPS/TLS
- Access control: Multi-tenant isolation ensures each organisation can only access their own data
- Authentication: JWT-based authentication with session management
- Database security: PostgreSQL with role-based access and encrypted connections
5. Data Retention
- Account data: Retained for the duration of your subscription, plus 90 days after cancellation
- WhatsApp messages: Retained as part of the communication history for as long as the business account is active
- Opt-in/opt-out records: Retained indefinitely for compliance purposes
- Error logs: Retained for 30 days
- Audit trails: Retained for 12 months
6. Third-Party Data Sharing
We share data with the following third parties only as necessary to provide our services:
- Meta Platforms (WhatsApp Business Platform): Message content and phone numbers are transmitted through Meta's WhatsApp Cloud API to enable messaging functionality. Meta's use of this data is governed by their own privacy policy.
- Azure (Microsoft): Email delivery via Azure Communication Services
- Sentry: Error tracking and monitoring. We take measures to minimise personal information in diagnostic data sent to Sentry.
We do not sell your personal information to third parties.
International transfers: some of these sub-processors (including Meta, Microsoft, Sentry, and our hosting providers) operate infrastructure outside South Africa, so providing the service may involve transferring personal information across borders. Where we transfer personal information outside South Africa, we do so in accordance with Section 72 of POPIA — relying on the recipient being subject to comparable data-protection safeguards, or on your consent, or where the transfer is necessary to perform our contract with you.
7. POPIA Compliance
We comply with the Protection of Personal Information Act (POPIA) of South Africa. For BusinessFlow account, billing, security, and website data, Advanced Digital Online (Pty) Ltd is the responsible party. For Client Data a business customer stores in BusinessFlow, that customer is ordinarily the responsible party and BusinessFlow is its operator. Our role-specific obligations include:
- Personal information is collected for a specific, lawful purpose
- We process Client Data only to provide, secure, support, and operate the platform for the customer, subject to applicable agreements and instructions
- Customers remain responsible for informing their clients about their collection and use of Client Data
- Personal information is kept accurate and up to date
- Appropriate security measures are in place to protect personal information
- Data subjects can exercise their rights under POPIA
8. Your Rights
Where we are the responsible party for your personal information, you have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Object: Object to the processing of your personal information
- Complain: Lodge a complaint with the Information Regulator if you believe we have not handled your personal information lawfully
To exercise any of these rights, contact us at privacy@businessflow.co.za. We will respond within a reasonable period and within any timeframe required by POPIA.
If your personal information was provided to BusinessFlow by one of our business customers, please contact that business first. It is ordinarily the responsible party for your Client Data; we will assist it with a valid request where required.
You also have the right to complain to the Information Regulator (South Africa): inforegulator.org.za.
9. WhatsApp Messaging Consent
BusinessFlow customers using the WhatsApp integration must obtain and retain evidence of a recipient's valid opt-in before sending business-initiated messages. They must also comply with Meta's 24-hour customer-service window and use Meta-approved templates where required. An inbound message or a successful send does not by itself establish consent for future business-initiated messages.
We provide records and tools that may help customers manage opt-ins and supported opt-out requests. You can ask a business to stop its WhatsApp messages by replying “STOP” where that option is available or by contacting the business directly. The business that sent the message remains responsible for promptly honouring your request across its communications.
10. Data Deletion
You may request deletion of your data at any time. For data deletion requests related to our WhatsApp integration, you can use Meta's data deletion request process or contact us directly at privacy@businessflow.co.za.
You can check the status of a data deletion request at /data-deletion-status.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “Last updated” date at the top of this page reflects the most recent revision.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@businessflow.co.za
- Company: Advanced Digital Online (Pty) Ltd