Privacy Policy
Privacy that matches how graftly actually works.
This policy explains what graftly collects, why we collect it, who we share it with, and what responsibilities stay with the businesses using graftly to message their own customers through WhatsApp.
Service scope
Website, onboarding, dashboard, client portals, email and WhatsApp workflows
Address
40a Rhiwbina Hill, Cardiff, UK, CF14 6UQ
1. Who we are
graftly is a UK-based software service operated by Box A Design LTD, available at usegraftly.com. We help businesses create jobs, quotes and invoices through WhatsApp and manage those records through a web dashboard and client portal.
This policy applies to the graftly website, onboarding flow, dashboard, support interactions, customer portal pages, and WhatsApp-related workflows that are handled through graftly.
The data controller for website, account and service-operations data is Box A Design LTD, of 40a Rhiwbina Hill, Cardiff, UK, CF14 6UQ.
2. Personal data we collect
The exact data depends on how you use the service, but graftly may collect and store the following categories of information:
✓ Account and business profile data: name, email address, password hash handled by Supabase Auth, WhatsApp number, business name, plan, support contacts, and settings you choose inside the app.
✓ Operational business records: client names, phone numbers, email addresses, job details, quote and invoice data, notes, line items, statuses, PDFs, reminder history, and payment status information entered by you.
✓ Communications data: messages sent to or from graftly through WhatsApp, onboarding verification messages, support emails, contact form messages, and responses sent through our client portal or acceptance flows.
✓ Voice and AI processing inputs: if you use voice notes or natural-language parsing, the audio or message content may be processed to transcribe and interpret the request.
✓ Technical and security data: IP address, browser and device data, authentication cookies, log data, timestamps, and limited diagnostic information needed to run and secure the service.
3. How we use personal data
✓ Create and manage your graftly account and business workspace.
✓ Verify ownership of your WhatsApp number and route messages correctly.
✓ Generate, store, and deliver quotes, invoices, reminders, and customer portal links.
✓ Process your messages, including natural-language and voice-note workflows, so the product can perform the action you requested.
✓ Provide support, troubleshoot issues, monitor abuse, and keep the service secure.
✓ Meet legal, tax, accounting, fraud-prevention, and regulatory obligations.
✓ Improve reliability, quality, and product functionality using service data and operational metrics.
4. Our lawful bases
✓ Contract: to provide the graftly service you signed up for, including account access, document creation, support, and service communications.
✓ Legitimate interests: to secure the platform, prevent misuse, investigate incidents, improve product quality, and respond to support requests.
✓ Legal obligation: where we need to retain or disclose information for tax, accounting, fraud, law enforcement, or other legal compliance reasons.
✓ Consent: for non-essential advertising cookies and Meta Pixel tracking, which we only load after you actively choose “Accept all” on the cookie banner. You can withdraw consent at any time.
5. Controller vs processor roles
For your own account, website usage, billing, support and platform operations, graftly usually acts as the data controller.
For customer and job data that you upload or send into graftly so that we can generate quotes, invoices, reminders, and customer communications on your behalf, graftly usually acts as your data processor or service provider, and your business remains the controller.
Important for WhatsApp and Meta
If you use graftly to message your own customers, you are responsible for giving the right privacy notices, obtaining any required opt-ins, and honouring opt-out or stop requests. That responsibility stays with the business using graftly.
6. Who we share data with
We share data only where needed to operate graftly, comply with law, or protect the service. Our core infrastructure and service providers currently include:
✓ Supabase for authentication, database, storage and backend functions.
✓ Vercel for hosting the web application.
✓ Twilio and WhatsApp/Meta for WhatsApp message delivery, verification messages, and message transport.
✓ Meta Platforms (Conversions API) for ad performance measurement — only when you have consented to advertising cookies. We may send hashed email addresses and anonymised event data (page views, sign-up, subscription) to Meta via their server-side Conversions API.
✓ Resend for transactional email where email delivery is used.
✓ Anthropic for message understanding and structured parsing tasks.
✓ OpenAI for voice-note transcription where voice transcription is enabled.
✓ Professional advisers, auditors, insurers and authorities where reasonably necessary for legal, compliance, fraud, or security reasons.
If you later connect third-party tools such as accounting software, we may also transfer relevant data to those tools at your direction.
7. International transfers
Some of our service providers process data outside the UK. Where that happens, we rely on appropriate safeguards such as contractual protections, provider security commitments, and other lawful transfer mechanisms recognised under UK data protection law.
8. Retention
✓ Account and workspace data is kept while your account is active and for a limited period afterward where reasonably necessary for support, legal, audit, or fraud-prevention reasons.
✓ Operational business records such as jobs, quotes, invoices and PDFs are retained for as long as your workspace remains active unless you delete them sooner or law requires longer retention.
✓ Support and contact records are typically retained for up to 24 months after the relevant conversation or account closure.
✓ Security and technical logs are retained only for as long as reasonably necessary for security, monitoring, and incident response.
9. Cookies and similar storage
graftly uses two categories of cookies and similar browser storage:
✓ Essential cookies: these are strictly necessary to operate the service. They keep you signed in, secure your account session, remember your cookie preference, and handle authentication. These do not require consent and cannot be disabled without breaking the service.
✓ Advertising cookies (with consent only): if you click “Accept all” on the cookie banner, we load Meta Pixel — a tag from Meta Platforms, Inc. This measures how people reach graftly via Meta ads (Facebook, Instagram). It may set cookies such as _fbp and _fbc, and sends anonymised event data (page views, sign-up completion, subscription starts) to Meta for ad performance measurement. We also send some of these events directly to Meta via their Conversions API, which may include a hashed version of your email address for matching purposes. You can withdraw consent at any time by clearing your browser's local storage for this site or by contacting us at hello@usegraftly.com.
We do not use advertising cookies without your consent. If you choose “Essential only”, no Meta Pixel is loaded and no advertising data is collected or sent.
10. Security
We use reasonable technical and organisational measures designed to protect data, including authenticated access controls, encrypted transport, provider-level security controls, and internal restrictions on who can access operational data.
No internet service can promise absolute security, so you should also keep your own devices, passwords, email account and WhatsApp account secure.
11. Your rights
Depending on your location and the circumstances, you may have rights to access, correct, delete, restrict, object to, or request portability of personal data. You may also have the right to complain to the UK Information Commissioner's Office if you believe your privacy rights have been infringed.
12. Updates to this policy
We may update this policy from time to time to reflect product changes, legal requirements, or provider changes. We will update the date at the top of the page when we do.
For general questions, visit our contact page or write to Box A Design LTD, 40a Rhiwbina Hill, Cardiff, UK, CF14 6UQ.