Privacy Policy
Pipes.bot — WhatsApp Cloud API Proxy for AI Agents
Effective Date: February 2, 2026
Last Updated: February 2, 2026
1. Introduction
Pipes.bot is operated by ID49 Digital LLC ("we," "us," or "our"). We provide a managed WhatsApp Cloud API proxy service that connects self-hosted AI agents to WhatsApp through Meta's official Business API. This Privacy Policy explains how we collect, use, store, and protect your information when you use our platform, including our website, dashboard, APIs, and Clawdbot plugin (collectively, the "Service").
By creating an account or using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you register for Pipes.bot, we collect:
- Email address — used for authentication, account recovery, and service communications.
- Personal phone number (in E.164 format) — used to route WhatsApp messages between you and your AI agent. This number is stored as your
fromNumberand linked to your tenant account.
2.2 Service Configuration Data
As you set up and use the Service, we store:
- API keys — hashed and stored securely. We retain only a short prefix (e.g.,
pk_live_abc...) for display purposes. The full key is never stored in plaintext. - Pool number activations — records linking your phone number to specific pool numbers, including optional labels you assign (e.g., "work," "personal").
- Webhook configuration — if you use Webhook delivery mode, we store your webhook URL and a webhook secret you provide for signature verification.
- Delivery mode preference — whether you use WebSocket (Clawdbot plugin) or Webhook (n8n, Make, Zapier, etc.) delivery.
- BYON connection details (if applicable) — WhatsApp Business Account ID, phone number ID, OAuth access tokens (encrypted at rest), and your chosen response mode (
OWNER_ONLYorALL_NUMBERS).
2.3 Message Data
Pipes.bot processes WhatsApp messages as a relay between you and your AI agent. Our message handling is designed to minimize data retention:
- Messages in transit are not persisted to any database.
- Messages queued while your agent is offline are held temporarily on our servers for a maximum of 24 hours or until delivered, whichever comes first. Queued messages are deleted immediately upon delivery or upon expiration.
- Message content is never logged. Our application logs record metadata (e.g., message IDs, timestamps, delivery status) but never the text or media content of your messages.
2.4 Technical & Usage Data
We automatically collect limited technical information to operate and improve the Service:
- Connection metadata — timestamps of when your plugin connects or disconnects, connection duration, and online/offline status.
- Message volume counts — aggregate counts of messages sent and received per tenant, used for usage limits and analytics. These counts do not include message content.
- Error and delivery logs — records of failed message deliveries or webhook delivery attempts, including HTTP status codes and error types (but not message content).
- Plugin version information — the version of your Clawdbot plugin and Clawdbot gateway, sent during WebSocket authentication.
2.5 Information We Do NOT Collect
- We do not collect your name, physical address, payment card details (until billing is implemented), or any demographic information.
- We do not read, analyze, train on, or store the content of your WhatsApp messages beyond the temporary queuing described above.
- We do not use cookies for advertising or tracking. Our dashboard may use session cookies strictly for authentication.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used |
|---|---|
| Provide the Service | Email, phone number, API keys, activations, webhook config |
| Route messages | Phone number, pool number activations, BYON configuration |
| Queue offline messages | Message content (temporarily, in memory only) |
| Authenticate you | Email, session tokens, API key hashes |
| Notify you of agent status | Phone number (to send WhatsApp notifications when your agent goes offline/online) |
| Monitor service health | Connection metadata, error logs, message volume counts |
| Enforce usage limits | Message volume counts, plan tier |
| Improve the Service | Aggregated, anonymized usage metrics |
| Communicate with you | Email (service updates, security alerts) |
We do not use your data for advertising, profiling, or selling to third parties.
4. How We Share Your Information
4.1 Meta Platforms (WhatsApp)
To deliver messages via WhatsApp, we interact with Meta's WhatsApp Cloud API. This means:
- Your phone number and message content are transmitted to Meta's servers as part of the standard WhatsApp message delivery flow.
- Pool numbers are registered under Pipes.bot's WhatsApp Business Account (WABA). BYON numbers are registered under your own WABA.
- Meta's use of this data is governed by Meta's Privacy Policy and the WhatsApp Business Terms.
4.2 Infrastructure Providers
Our Service relies on the following infrastructure providers, which may process data on our behalf:
- CockroachDB (Cockroach Labs) — hosts our database. Governed by Cockroach Labs' Privacy Policy.
- Amazon Web Services (AWS) — provides object storage (S3). Governed by the AWS Privacy Notice.
These providers act as data processors under our instructions and are contractually obligated to protect your data.
4.3 Your AI Agent
Messages received on your behalf are forwarded to your self-hosted Clawdbot instance (via WebSocket or webhook). Pipes.bot does not control how your AI agent processes or stores this data. You are responsible for the privacy practices of your own AI agent.
4.4 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal process, such as a court order or subpoena. We will attempt to notify you before disclosing your information unless prohibited by law.
4.5 No Sale of Data
We do not sell, rent, or trade your personal information to any third party for any purpose.
5. Data Storage & Security
5.1 Infrastructure
| Component | Provider | Purpose |
|---|---|---|
| Database | CockroachDB Serverless | Account data, activations, API key hashes |
| Object storage | Amazon S3 | File and media storage |
| Real-time connections | Pipes.bot servers | WebSocket management, temporary message queue |
Data is stored across CockroachDB Serverless (which provides encryption at rest and in transit), Amazon S3 (with server-side encryption), and our own servers for real-time WebSocket connections.
5.2 Security Measures
- API keys are hashed before storage. The original key is shown once at creation and never stored or retrievable.
- BYON OAuth tokens are encrypted at rest using AES-256 encryption.
- Webhook signatures use HMAC-SHA256 to verify the integrity of messages delivered to your systems.
- Meta webhook verification uses the X-Hub-Signature-256 header to validate all inbound messages from WhatsApp.
- WebSocket connections are authenticated using API keys and secured with TLS (wss://).
- Rate limiting is applied to all API endpoints to prevent abuse.
- Admin access is restricted to authorized Pipes.bot team members and requires explicit
isAdminprivileges.
5.3 Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, phone) | Until you delete your account |
| API key hashes | Until revoked by you or account deletion |
| Pool activations | Until deactivated by you or account deletion |
| Queued messages (offline) | Maximum 24 hours, deleted upon delivery or expiration |
| Messages in transit | Not persisted |
| Connection metadata | 90 days |
| Error/delivery logs | 30 days |
| Pending activation codes | 10 minutes (auto-expire) |
6. Your Rights & Choices
Depending on your jurisdiction, you may have the following rights:
6.1 Access & Portability
You can view your account data, active pool number activations, and API keys at any time through the Pipes.bot dashboard.
6.2 Correction
You can update your account information through the dashboard. To change your registered phone number, contact us at hi@pipes.bot.
6.3 Deletion
You can request deletion of your account and all associated data by contacting us at hi@pipes.bot. Upon account deletion, we will:
- Delete your user record, tenant data, and all pool activations.
- Revoke all API keys.
- Delete any queued messages.
- Remove any BYON connection data, including encrypted OAuth tokens.
Some data may be retained in backups for a limited period (up to 30 days) before being permanently deleted.
6.4 Deactivation
You can deactivate individual pool numbers at any time through the dashboard, which immediately stops message routing for that number.
6.5 Revoke API Keys
You can revoke any API key at any time through the dashboard, which immediately disconnects any plugin using that key.
6.6 Webhook Configuration
You can add, modify, or remove your webhook URL at any time through the dashboard.
7. Brazilian Data Protection (LGPD)
If you are located in Brazil, the Lei Geral de Protecao de Dados (LGPD) grants you additional rights, including:
- Confirmation of whether we process your personal data.
- Access to your personal data.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion of unnecessary or excessive data.
- Data portability to another service provider.
- Deletion of data processed with your consent.
- Information about public and private entities with which we shared your data.
- Revocation of consent at any time.
To exercise any of these rights, contact us at hi@pipes.bot. We will respond within the timeframes established by applicable law.
Legal basis for processing: We process your personal data based on (a) performance of the contract (providing the Service), (b) your consent (where applicable), and (c) our legitimate interests (service improvement and security).
8. European Data Protection (GDPR)
If you are located in the European Economic Area (EEA), the General Data Protection Regulation (GDPR) grants you additional rights, including:
- The right to access, rectify, or erase your personal data.
- The right to restrict or object to processing.
- The right to data portability.
- The right to withdraw consent at any time.
- The right to lodge a complaint with a supervisory authority.
Legal bases for processing: We rely on (a) contractual necessity, (b) legitimate interests (service operation and security), and (c) consent (where required).
International transfers: Your data may be processed by our infrastructure providers (CockroachDB, AWS) in regions outside your country of residence. These providers maintain appropriate safeguards for international data transfers, including Standard Contractual Clauses where applicable.
To exercise your GDPR rights, contact us at hi@pipes.bot.
9. Children's Privacy
Pipes.bot is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at hi@pipes.bot and we will promptly delete it.
10. Third-Party Services
The Service integrates with third-party platforms. This Privacy Policy does not cover their practices:
- Meta Platforms (WhatsApp Cloud API) — Meta Privacy Policy
- Cockroach Labs (CockroachDB) — Cockroach Labs Privacy Policy
- Amazon Web Services (S3) — AWS Privacy Notice
- Your self-hosted AI agent (Clawdbot) — governed by your own configuration and practices.
- Automation platforms (n8n, Make, Zapier) — if you use webhook delivery, the data forwarded to your automation platform is governed by that platform's privacy policy.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify you via email or through the Pipes.bot dashboard.
- Where required by law, obtain your consent before applying changes.
We encourage you to review this policy periodically.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at: