Conversation Automations Speak with us
Return to home

Document No. PP-001

Privacy Policy

A plain-language statement describing the personal data Vexa Order Support collects, why we collect it, and the rights every individual has in relation to that data.

Effective · 1 January 2026 Last revised · 4 May 2026 Version 1.2

Clause iWho we are

This policy is published by Vexa Order Support ("Vexa", "we", "our", "us"), an order communications service operating from Karachi, Pakistan. We operate WhatsApp Business Platform communications on behalf of e-commerce merchants ("Merchants") who engage us to send transactional and supportive messages to their customers ("End Users").

For data we hold about End Users, we generally act as a processor on behalf of the Merchant, who is the controller. For data we hold about Merchants and direct visitors to this website, we act as the controller. Where these roles differ, this policy explains which one applies.

Clause iiData we collect

The categories of personal data we process are limited and listed below.

From End Users on WhatsApp

  • WhatsApp phone number (received from the Merchant’s checkout)
  • Display name as it appears on the End User’s WhatsApp account
  • Order reference, store name, and order metadata supplied by the Merchant
  • The content of messages exchanged on the WhatsApp Business Platform
  • Delivery and read receipts where available from the Platform
  • Opt-in source, opt-in timestamp, and any subsequent opt-out

From Merchants

  • Business legal name, registration number, and trading addresses
  • Contact name, email, phone number, and role of authorised signatories
  • Payment information processed by our payment service provider
  • Operational data necessary to integrate Merchant systems with ours

From visitors to this website

  • IP address, browser, device, and approximate location for security and analytics
  • Referrer URL, pages visited, and timestamps
  • Information you provide when contacting us through any channel

We do not knowingly collect special categories of data (health, religion, political views, biometric data) from any End User in the course of providing the service.

Clause iiiWhy we use it

End User data is used strictly for the following purposes:

  • Sending order confirmations, status updates, and delivery notifications
  • Responding to customer enquiries during stated business hours
  • Routing escalations to the Merchant’s support team
  • Maintaining a consent ledger to demonstrate lawful messaging
  • Diagnostic logs to investigate delivery failures and quality issues
  • Complying with our obligations under WhatsApp Business Solution Terms

Merchant data is used to operate the commercial relationship: invoicing, contract administration, and provision of the service itself.

Website visitor data is used to keep the site available, secure, and to understand at an aggregate level which content is useful.

Clause vWhatsApp Business Platform

The service is delivered through the WhatsApp Business Platform, operated by WhatsApp LLC and governed by the WhatsApp Business Solution Terms, the WhatsApp Business Messaging Policy, the WhatsApp Commerce Policy, and the AI-Assisted Business Messaging Guidelines (January 2026). Messages sent and received on the Platform are subject to those terms in addition to this policy.

WhatsApp may collect additional metadata about messages (such as delivery timestamps and quality scores) for the purpose of operating the Platform. WhatsApp’s own privacy practices are described at whatsapp.com/legal/privacy-policy. This policy does not modify or replace WhatsApp’s policies.

We do not access an End User’s WhatsApp account beyond the messages directed to or from the Merchant’s registered business number. We do not read other conversations on the End User’s device. We cannot.

Clause viiSharing of data

We do not sell personal data and we do not share it for the purpose of cross-context behavioural advertising. We share data only with the following recipients, and only where strictly necessary:

  • Meta Platforms / WhatsApp LLC as the operator of the WhatsApp Business Platform.
  • The Merchant on whose behalf the message is sent — we surface conversations to them in shared inboxes.
  • Couriers integrated for the purpose of dispatching delivery alerts (PostEx, TCS, Trax, Leopards, M&P), where the Merchant has authorised the integration.
  • Sub-processors for hosting, error monitoring, and analytics; these parties are bound by data processing agreements consistent with this policy.
  • Authorities where compelled by valid legal process; we will challenge requests that are overbroad.

Clause viiiData retention

We retain personal data only for as long as necessary to provide the service or to satisfy a legal obligation. Specifically:

  • Conversation transcripts — 90 days from the last interaction, then deleted.
  • Consent ledger entries — for the life of the consent plus 24 months after withdrawal, as evidence of the opt-in’s lawful collection.
  • Order metadata — for the duration of our contract with the Merchant; returned or deleted on contract termination.
  • Invoicing & tax records — for the period required by applicable tax law, typically 6 years.
  • Website logs — 30 days, except for security incidents requiring further investigation.

Deletion is performed by overwriting; backups age out within 35 days and are also overwritten on the standard cycle.

Clause ixYour rights

Subject to applicable law, an individual whose data we hold may:

  • Request access to a copy of the personal data we hold
  • Request correction of inaccurate or incomplete data
  • Request deletion of personal data (subject to lawful retention)
  • Object to processing based on our legitimate interests
  • Withdraw consent at any time, without affecting prior lawful processing
  • Request portability of data in a structured, machine-readable format
  • Lodge a complaint with the relevant data protection authority

We respond to verified requests within 30 days. If we cannot fulfil a request in full, we will explain why. To make a request, see Clause xv.

Clause xSecurity

We use reasonable administrative, technical, and physical safeguards to protect personal data, including:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest
  • Two-step verification on the WhatsApp Business Account
  • Access controls based on the principle of least privilege
  • Regular review of system logs for unauthorised access
  • Confidentiality obligations for all personnel and sub-processors
  • An incident response procedure with notification of affected parties

No system can be guaranteed perfectly secure. In the event of a personal data breach we will notify the affected Merchant and, where required by law, the relevant regulator and affected individuals, without undue delay.

Clause xiChildren

The service is not directed at children. We do not knowingly process the personal data of a child under 13 (or the equivalent minimum age in the applicable jurisdiction). If we become aware that we hold such data without the appropriate consent, we will delete it.

Clause xiiInternational transfers

Data may be processed on infrastructure located outside the country in which the End User resides, including by Meta Platforms in connection with the WhatsApp Business Platform. Where such transfers occur, we rely on appropriate safeguards, including the standard contractual clauses published by the relevant regulator and, where applicable, data processing addenda offered by Meta.

Clause xiiiCookies and similar technologies

This website uses a small number of cookies and similar storage mechanisms. We do not use cookies for advertising. The categories are listed below.

Strictly necessary

These are required for the site to operate — for example, remembering whether you have dismissed the cookie notice. They are set whether or not you accept analytics cookies. They expire within 12 months and contain no personal data.

Analytics

If you accept analytics cookies, we record aggregate, non-identifying data about which pages are visited, the country of the visitor at the country level, and basic device and browser categories. We use this to understand which content is useful and which is not. We do not use this data to identify you, build a profile, or target advertising.

Advertising

We do not deploy third-party advertising or retargeting cookies on this site. If at a future date we use a tracking pixel for measurement of an advertising campaign on a third-party platform, this clause will be updated in advance and you will be asked for fresh consent.

Managing your cookies

You may withdraw or change your choice at any time by clearing your browser’s storage for this site, after which the cookie notice will appear again on your next visit. Most browsers also let you block or delete cookies through their settings; doing so may affect parts of the site that rely on storage.

Clause xivUpdates to this policy

We may revise this policy from time to time to reflect operational changes or new legal requirements. The version number and last-revised date at the top of this document indicate the current version. Where a change is material, we will notify Merchants in writing and post a notice on this page in advance of the change taking effect.

Clause xvHow to contact us

For any privacy-related enquiry, including data subject requests, please contact us through one of the following channels:

For any matter that cannot be resolved with us, you may contact your local data protection authority. In Pakistan, this will be the authority designated under the Personal Data Protection Act once it enters into force.

This policy is a public commitment, not boilerplate. If anything in it is unclear, write to us. We will explain it in plain words.