1. Who We Are
Forwardly ("we", "us", "our") operates the website and service at forwardly.online. We are the data controller for personal data collected through our platform. For data protection enquiries, contact us at privacy@forwardly.online.
2. Data We Collect
We collect the following categories of data:
Account Data
- Email address (required to create an account)
- Password (stored as a one-way cryptographic hash — we cannot read it)
- Account creation date and subscription plan
WhatsApp Session Data
- Encrypted WhatsApp authentication credentials stored on our servers, necessary to maintain your connection
- Your WhatsApp phone number (used to identify your session)
- We do not read, store, or access your personal WhatsApp messages or contacts beyond what is necessary to operate the Service
Usage Data
- WhatsApp group names and member counts (synced by you)
- Message content you compose and send through the Service
- Broadcast history, delivery statistics, and campaign data
- Leads (replies from group members to your broadcasts)
- IP address and browser information for security purposes
Payment Data
- Payment processing is handled by Stripe. We do not store card numbers or full payment details. We receive a Stripe customer ID and subscription status only.
3. How We Use Your Data
We use your data to:
- Provide and operate the Service
- Authenticate you and maintain your session securely
- Send transactional emails (password resets, account notices)
- Monitor for abuse, fraud, and violations of our Terms of Service
- Improve and develop the Service (aggregated, anonymised analytics only)
- Comply with legal obligations
We do not sell your personal data to third parties. We do not use your data for advertising.
4. Legal Basis for Processing (GDPR)
For users in the UK and European Economic Area, we process your data under the following legal bases:
- Contract: Processing necessary to provide the Service you have signed up for
- Legitimate interests: Security monitoring, fraud prevention, and service improvement
- Legal obligation: Where we are required to process data to comply with applicable laws
- Consent: Where you have explicitly consented (e.g. marketing communications, if applicable)
5. Data Storage and Security
Your data is stored on servers operated by Render (cloud infrastructure provider) located in Frankfurt, Germany (EU). Redis data is processed by Upstash. We implement the following security measures:
- All data in transit is encrypted via TLS/HTTPS
- Passwords are hashed using bcrypt and never stored in plaintext
- WhatsApp session credentials are stored on isolated encrypted disk storage
- Database access is restricted and protected by SSL
- Access to production systems is limited to authorised personnel only
No security system is impenetrable. In the event of a data breach that affects your rights, we will notify you and the relevant supervisory authority as required by law.
6. Data Retention
We retain your data for as long as your account is active. Specifically:
- Account data is retained until you request deletion or your account is terminated
- Broadcast and campaign history is retained for your reference while your account is active
- WhatsApp session files are deleted immediately when you disconnect or delete your account
- Uploaded image files are deleted immediately after a broadcast completes
- Following account deletion, residual data in backups may persist for up to 30 days before being overwritten
7. Your Rights (GDPR)
If you are located in the UK or EEA, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data ("right to be forgotten")
- Right to restriction: Request that we limit how we use your data
- Right to portability: Request your data in a machine-readable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at privacy@forwardly.online. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local EEA supervisory authority.
8. Third-Party Services
We use the following third-party services, which may process your data:
- Render — cloud hosting and database infrastructure (Frankfurt, EU)
- Upstash — Redis queue infrastructure
- Stripe — payment processing (PCI DSS compliant)
- Resend — transactional email delivery
Each of these providers operates under its own privacy policies and data processing agreements. We have Data Processing Agreements in place where required by GDPR.
9. Cookies
We use minimal cookies necessary for the Service to function (authentication tokens stored in localStorage). We do not use tracking cookies or third-party advertising cookies.
10. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you become aware that a child has provided us with personal data, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the Service. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
12. Contact Us
For any privacy-related questions, data requests, or concerns:
privacy@forwardly.online