GDPR

By Milan Motavar, September 2025 (4 min read)

At SendZen, we design our platform with privacy and compliance at the core. The General Data Protection Regulation (GDPR) is the foundation of how we collect, store, and process data for customers in the European Union.

Our goal is to ensure transparency, give users control over their data, and meet the highest standards of data protection.

Data Collection

We only collect the data necessary to deliver our service.

  • Account data: name, email, and organization details to manage user accounts.
  • WhatsApp configuration data: business IDs, phone numbers, and tokens to connect with Meta's WhatsApp Cloud API.
  • Usage data: message logs, delivery receipts, and error events, used solely for monitoring and troubleshooting.

We do not collect more than what is required to provide and improve the service.

Data Storage

All data is stored securely within AWS Europe (Ireland) (eu-west-1) by default for EU customers.

  • Encryption at rest: All personally identifiable information (PII) is encrypted using AWS KMS.
  • Encryption in transit: All traffic to and from SendZen APIs is secured with TLS 1.2+.
  • Secrets management: WhatsApp tokens and business IDs are managed securely using AWS Secrets Manager.

This ensures GDPR data residency and security requirements are met.

Data Processing

We process data only to provide messaging services.

  • Message delivery: Send messages via WhatsApp Cloud API.
  • Status tracking: Process delivery, read, and failure receipts.
  • Account management: Handle billing, subscription, and authentication workflows.

We do not sell, share, or monetize user data.

User Rights Under GDPR

GDPR grants users specific rights, and SendZen supports them fully:

  • Access: Users can request a copy of the data stored about them.
  • Correction: Users can update or correct personal information at any time.
  • Deletion: Users can request permanent deletion of their data ("right to be forgotten").
  • Portability: Users can export their data in a portable format.

Requests can be submitted through the account dashboard or by contacting our support team. We respond to all requests within GDPR-mandated timelines.

Data Minimization and Retention

We store data only for as long as it is needed:

  • Message logs are retained for operational and audit purposes, then automatically purged after retention limits.
  • Account data remains until the account is deleted.
  • Backups are encrypted and purged according to our retention schedule.

This keeps data lean while meeting legal and operational requirements.

Sub-Processors

We work with trusted sub-processors such as AWS, Vercel, and Stripe to deliver services. All sub-processors meet GDPR compliance requirements and are listed transparently on our Sub-Processors page.

Our Commitment

GDPR is not a checkbox for us. It is part of how we operate:

  • We minimize what we collect.
  • We encrypt everything by default.
  • We give users full control over their data.
  • We maintain auditability for compliance reviews.

Our customers rely on SendZen for critical messaging. Protecting data and respecting privacy is a responsibility we take seriously.

If you have questions about our GDPR practices or need a Data Processing Agreement (DPA), please contact us at hi@sendzen.io.
