
Privacy Policy

Effective Date: March 15, 2026  ·  Last Updated: March 15, 2026

WhatsApp Business API  ·  Meta Business Verification  ·  Twilio SMS / 10DLC  ·  PCI DSS  ·  HIPAA  ·  TCPA / CAN-SPAM  ·  GDPR  ·  CCPA

01

Overview

Synqline ("we," "us," or "our") operates as a business automation and messaging consultancy. This Privacy Policy describes how we collect, use, protect, and disclose information in connection with our services, including WhatsApp Business API integration, SMS campaign management, chatbot development, and systems integration.

This policy applies to:

  • Visitors to synqline.io
  • Clients who engage our automation and messaging services
  • End-users who interact with messaging systems we build or manage on behalf of our clients
  • Individuals who contact us via our website, WhatsApp, or email

By using our services or website, you agree to the practices described in this policy. If you do not agree, please discontinue use of our services.

Note: This policy is intended to satisfy the requirements of Meta (Facebook) Business Verification, Twilio Messaging Services, PCI DSS, HIPAA, TCPA, CAN-SPAM, GDPR, and CCPA. If you have compliance-specific questions, contact us at [email protected].

02

Data We Collect

Information You Provide

  • Name, email address, company name, phone number (when you contact us)
  • Business details and requirements shared during onboarding
  • Payment information — processed exclusively by PCI-compliant third-party processors; we do not store card data

Automatically Collected Data

  • IP address, browser type, operating system, referring URLs
  • Pages visited, time spent, click behavior (via Cloudflare analytics)
  • Device identifiers and connection metadata

Messaging Data (On Behalf of Clients)

When we build or manage messaging systems for clients, we may process:

  • Phone numbers and opt-in records for SMS or WhatsApp campaigns
  • Message content and delivery status
  • Conversation logs required for chatbot functionality
  • Customer identifiers passed by client CRM or business systems

This data is processed under a data processing agreement with the client and is used solely to deliver the contracted service.

No Sensitive Personal Data by Default

We do not intentionally collect sensitive personal data (Social Security numbers, government IDs, biometric data, financial account numbers, or health information) unless explicitly required and agreed upon in writing for a specific engagement — in which case HIPAA and applicable security controls apply.

03

How We Use Data

  • Service Delivery: To provide, configure, and operate automation and messaging services
  • Communication: To respond to enquiries, send project updates, and provide support
  • Compliance & Legal: To meet obligations under applicable law, platform policies, and regulatory requirements
  • Security: To detect, prevent, and address fraud, abuse, or unauthorized access
  • Analytics: To understand website usage and improve our services (aggregate, non-identifiable data only)
  • Billing: To process payments through compliant third-party processors

We do not sell, rent, or trade personal data to third parties for their own marketing purposes.

04

WhatsApp Business API & Meta Compliance

Platform Relationship

Synqline is a WhatsApp Business Solution Provider (BSP) partner operating under Meta's WhatsApp Business Policy and Meta Platform Terms. All messaging conducted through our platform must comply with these terms.

User Opt-In Requirement

We only send WhatsApp messages to end-users who have explicitly opted in to receive communications. Opt-in must be:

  • Obtained through a clear and conspicuous disclosure
  • Specific to WhatsApp as the communication channel
  • Voluntarily provided — not a condition of purchasing a product or service
  • Documented and retained by the client operating the messaging campaign

Permitted Message Categories

Messages sent via WhatsApp Business API are limited to Meta-approved categories, including: utility messages, authentication messages, and marketing messages (where a valid opt-in exists). Prohibited content includes spam, illegal content, misleading information, and unsolicited commercial messages.

Opt-Out & User Controls

End-users may opt out of WhatsApp communications at any time by:

  • Replying STOP or UNSUBSCRIBE to any message
  • Blocking the business number in WhatsApp
  • Contacting the client business directly to request removal

Opt-out requests are honored within 24 hours. Once opted out, the user will not receive further messages from that campaign.

Meta Business Verification

Synqline maintains verified business status with Meta. This verification confirms our legal business identity and ensures compliance with Meta's commercial messaging policies. Client businesses operating under our BSP umbrella must also complete Meta's Business Verification process before accessing WhatsApp Business API.

Data Localization

WhatsApp message metadata is processed via Meta's infrastructure. Message content may transit Meta's servers in accordance with Meta's Privacy Policy. We recommend clients review Meta's data residency policies for regional compliance requirements.

05

SMS Messaging (Twilio / 10DLC)

TCPA Disclosure: By providing your phone number and consenting to receive SMS messages, you agree to receive automated text messages from us or our clients. Message and data rates may apply. Message frequency varies.

Consent & Opt-In

We operate SMS campaigns in compliance with the Telephone Consumer Protection Act (TCPA), CAN-SPAM Act, and carrier requirements under The Campaign Registry (TCR) 10DLC program. SMS messages are only sent to individuals who have:

  • Provided express written consent to receive text messages
  • Been informed of the message types and approximate frequency
  • Been informed that consent is not a condition of any purchase
  • Been provided clear opt-out instructions at time of opt-in

10DLC Campaign Registration

All SMS campaigns utilizing 10-digit long codes (10DLC) are registered with The Campaign Registry through our Twilio account. Registration includes:

  • Brand identity verification
  • Campaign use case declaration (e.g., customer care, marketing, notifications)
  • Sample message content review
  • Opt-in and opt-out flow documentation

Unregistered or improperly registered traffic may be filtered by mobile carriers. We do not operate campaigns that violate carrier guidelines or TCR policies.

SMS Opt-Out Keywords

The following standard keywords are supported on all SMS campaigns:

  • STOP: Unsubscribe
  • STOPALL: Unsubscribe all
  • UNSUBSCRIBE: Unsubscribe
  • CANCEL: Unsubscribe
  • END: Unsubscribe
  • QUIT: Unsubscribe
  • HELP: Get support info
  • INFO: Campaign info

Opt-out is immediate. Confirmation of opt-out is sent within one message. Re-opt-in is permitted at any time by texting START.

No Sharing with Third Parties for Marketing

Mobile phone numbers and SMS consent information will not be shared with or sold to third parties or affiliates for their own marketing or promotional purposes. This data is used solely to operate the specific SMS campaign for which consent was granted.

Prohibited SMS Content

We strictly prohibit and do not facilitate the following content categories (SHAFT):

  • Sex / adult content
  • Hate speech
  • Alcohol (to minors or without age-gate verification)
  • Firearms
  • Tobacco / vaping
  • Additionally: illegal substances, gambling without proper licensing, phishing, malware

06

PCI DSS Compliance

Our Scope

Synqline is a messaging and automation services company. We do not directly process, store, or transmit payment card data. All payment transactions are handled by PCI DSS Level 1 certified third-party payment processors. Our PCI DSS obligations are governed by SAQ-A (Self-Assessment Questionnaire A) as a merchant that fully outsources payment processing.

Payment Data Handling

  • No cardholder data is stored on our systems, servers, or databases at any time
  • Payment forms on our website (if any) route directly to PCI-compliant processors via tokenization or hosted payment pages
  • We do not capture, log, or retain Primary Account Numbers (PAN), CVV/CVC codes, PINs, or magnetic stripe data
  • Staff are trained not to accept payment card data via email, chat, or unencrypted channels

Client Obligations

If Synqline builds or integrates a payment workflow within a messaging automation system for a client, the following conditions apply:

  • Payment processing must be routed through a client-owned PCI DSS compliant processor
  • Synqline will not store or log card data within chatbot flows or messaging platforms
  • Clients are responsible for their own PCI DSS compliance scope and attestation
  • A written data processing agreement will govern any integration touching payment data

Incident Response

In the event of a suspected breach involving payment data, we will notify affected parties within 72 hours in accordance with applicable breach notification laws and PCI DSS Requirement 12.10.

07

HIPAA Compliance

Important: Synqline's standard services are not designed for the transmission or storage of Protected Health Information (PHI). Engagements involving PHI require a signed Business Associate Agreement (BAA) prior to project commencement.

When HIPAA Applies

HIPAA obligations apply when Synqline is engaged by a Covered Entity (healthcare provider, health plan, or healthcare clearinghouse) or their Business Associates to build or manage communication systems that may involve PHI. In such cases:

  • A signed Business Associate Agreement (BAA) is required before any PHI is shared with or processed by Synqline
  • Minimum Necessary Standard applies — we only access the PHI necessary to perform contracted services
  • PHI is never used for marketing, sold, or disclosed beyond the scope of the BAA
  • All subcontractors and sub-processors that may access PHI must execute their own BAAs

Technical & Administrative Safeguards

For HIPAA-covered engagements, Synqline implements:

  • Encryption: PHI in transit is encrypted using TLS 1.2 or higher; PHI at rest is encrypted using AES-256
  • Access Controls: Role-based access limiting PHI access to authorized personnel only
  • Audit Logging: Activity logs for all systems accessing PHI, retained per HIPAA requirements (minimum 6 years)
  • Workforce Training: HIPAA privacy and security training for all staff handling PHI
  • Incident Response: Documented breach notification procedures compliant with HIPAA Breach Notification Rule (45 CFR §164.400–414)

WhatsApp & SMS for Healthcare

WhatsApp and standard SMS channels are not considered HIPAA-compliant by default due to the absence of BAAs with Meta and carriers. If a healthcare client requires messaging automation:

  • Messages must be limited to appointment reminders and general notifications that do not contain clinical PHI
  • PHI must not be included in message content (e.g., diagnoses, test results, medication details)
  • Patient consent for messaging must be obtained and documented separately from general treatment consent
  • A HIPAA-compliant messaging platform with an available BAA must be used for any PHI-containing communications

Patient Rights

For HIPAA-covered engagements, individuals retain all rights under the HIPAA Privacy Rule, including the right to access, amend, and receive an accounting of disclosures of their PHI. Requests should be directed to the Covered Entity (your healthcare provider), who will coordinate with Synqline as required under the BAA.

08

Data Sharing & Third Parties

Service Providers

We share data with trusted service providers who assist in delivering our services, under contractual data processing agreements:

  • Twilio Inc. — SMS and voice messaging infrastructure (Privacy Policy)
  • Meta Platforms, Inc. — WhatsApp Business API infrastructure (Privacy Policy)
  • Cloudflare, Inc. — Website hosting, CDN, and edge security (Privacy Policy)
  • Resend, Inc. — Transactional email delivery

Legal Disclosures

We may disclose personal data when required by law, court order, or regulatory authority, or when necessary to protect the rights, property, or safety of Synqline, our clients, or the public.

Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to the same privacy protections described in this policy.

No Sale of Data

We do not sell, rent, or exchange personal data for monetary or other consideration. This applies expressly to SMS opt-in data, which will never be shared with third parties for marketing purposes.

09

Security

We implement industry-standard technical, administrative, and physical safeguards to protect data against unauthorized access, alteration, disclosure, or destruction:

  • All data in transit is encrypted via TLS 1.2+
  • Access to client data is restricted to authorized personnel on a need-to-know basis
  • Systems are monitored for unauthorized access and anomalous activity
  • Software dependencies are kept up to date with security patches applied promptly
  • Credentials and API keys are stored in environment-isolated secret managers, never in source code

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10

Data Retention

  • Website enquiries: Retained for up to 2 years or until the business relationship ends
  • Client project data: Retained for the duration of the engagement plus 3 years, unless a longer period is required by law
  • SMS opt-in records: Retained for a minimum of 4 years to support TCPA compliance
  • WhatsApp opt-in records: Retained for the duration of the campaign plus 2 years
  • HIPAA-covered PHI: Retained for a minimum of 6 years from creation or last effective date per 45 CFR §164.530(j)
  • Payment records: Retained per applicable tax and financial regulations (typically 7 years); no raw card data is retained

Upon expiration of the applicable retention period, data is securely deleted or anonymized.

11

Your Rights

All Users

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your data, subject to legal retention requirements
  • Opt-Out of Communications: Unsubscribe from SMS (reply STOP), WhatsApp (reply STOP), or email (click Unsubscribe) at any time

EEA / UK Residents (GDPR)

  • Right to data portability
  • Right to restrict or object to processing
  • Right to withdraw consent at any time (without affecting prior lawful processing)
  • Right to lodge a complaint with your local supervisory authority

Our lawful basis for processing is: contract performance (for service delivery), legitimate interests (for security and analytics), and consent (for marketing communications).

California Residents (CCPA / CPRA)

California residents have the right to know what personal information is collected, the right to delete, the right to opt out of sale (we do not sell data), and the right to non-discrimination for exercising privacy rights. To submit a request, email [email protected] with the subject line "CCPA Request."

Submitting a Request

To exercise any of the above rights, contact us at [email protected]. We will respond within 30 days (or as required by applicable law). We may verify your identity before fulfilling the request.

12

Children's Privacy

Our services are directed to businesses and are not intended for individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, contact us immediately at [email protected] and we will delete it.

13

Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform policies. When we make material changes, we will update the "Last Updated" date at the top of this page. Continued use of our services after changes are posted constitutes acceptance of the revised policy.

For significant changes affecting messaging consent or data rights, we will provide direct notice to active clients via email.

14

Contact Us

For privacy requests, compliance questions, BAA inquiries, or to report a concern:

Synqline
Privacy & Compliance
[email protected]
synqline.io/contact

For HIPAA-specific requests or to request a Business Associate Agreement, please email with the subject line "BAA Request".

For TCPA / SMS opt-out issues not resolved through keyword reply, email with the subject line "SMS Opt-Out" and include your phone number.