Privacy Policy
Privacy Policy
Last Updated: June 2026
At Chimera, your privacy is our top priority. We are a full-funnel digital marketing agency committed to protecting your personal information and ensuring transparency in how we collect, use, and share data. This Privacy Policy explains what information we collect, why we collect it, and how we safeguard it.
This Privacy Policy explains how Chimera (“we”, “us”, “our”) collects, uses, stores, and shares information when our customers (businesses) and their end customers interact with our WhatsApp Business platform (the “Service”). The Service enables businesses to operate AI-assisted customer support, ordering, and booking conversations on WhatsApp through Meta’s official WhatsApp Business Cloud API.
We act as a Meta Tech Provider. Each business customer owns its WhatsApp Business Account (WABA) and is the controller of personal data exchanged with its end customers. Chimera acts as a processor of that data on the business customer’s behalf, under the terms of our customer agreement.
1. Who this policy covers
- Business users: employees and authorised representatives of organisations that sign up to use the Service.
- End customers: individuals who message a business via WhatsApp that uses our Service to respond.
-
Website visitors: people who visit
thechimeramarketing.com.
2. Information We Collect
We may collect the following types of information from you:
- Personal Information: Name, email address, phone number, company name, job title, and billing details provided through contact forms, newsletters, or service inquiries.
- Non-Personal Information: Browser type, device information, IP address, location data, and website usage analytics.
- Cookies & Tracking Data: We use cookies and similar technologies to analyze website traffic, personalize content, and improve user experience.
2.1 From business users
- Account information: name, work email, password (stored hashed), organisation name.
- WhatsApp Business Account metadata received via Meta’s Embedded Signup flow: WABA ID, phone number ID, display phone number, and an access token issued by Meta. Tokens are stored encrypted at rest using AES-256-GCM.
- Knowledge content uploaded to the platform (e.g. product documents, FAQs) so the AI assistant can answer end customer questions.
- Agent configuration, message templates, and operator activity within the Service.
2.2 From end customers (via WhatsApp)
- WhatsApp phone number, WhatsApp profile name, and the content of messages the end customer sends to the business’s WhatsApp number.
- Message metadata: timestamps, delivery/read status, message IDs, conversation history.
- Any content the end customer voluntarily shares in a conversation (e.g. an order reference number).
We do not collect WhatsApp data from end customers who have not messaged a business using the Service.
2.3 Automatically
- Standard server logs (IP address, user agent, request paths) for security, debugging, and abuse prevention. Logs are retained for a limited operational period.
3. How We Use Your Information
We use the information described above only for the purposes listed below:
- Provide, maintain, and improve our digital marketing services.
- Communicate with you regarding inquiries, updates, and promotional offers.
- Deliver tailored advertising and marketing campaigns across platforms.
- Analyze performance metrics to enhance service delivery.
- Fulfill legal and contractual obligations.
- Operating the Service: routing messages between the business’s WhatsApp number and our platform, generating AI responses from the business’s own uploaded knowledge, and sending replies via the WhatsApp Business Cloud API.
- AI processing: end-customer messages are processed by a large language model (currently OpenAI’s API, used as a sub-processor) to generate replies that stay scoped to the business’s declared domain. We do not use end customer messages to train AI models. We do not send AI-generated general-purpose chatbot replies. The agent stays within the business service scope, in line with WhatsApp Business policy.
- Human handoff: when the AI cannot answer, conversations are routed to the business’s human staff via our dashboard.
- Security, abuse prevention, and debugging.
- Communication with business users about account, security, and service issues.
- Compliance with applicable law and with Meta’s WhatsApp Business Platform policies.
We do not sell personal data, do not use it for cross-business advertising, and do not share business data between tenants of the Service.
4. Legal basis (for users in the EEA/UK)
- Performance of a contract with our business users (and, indirectly, with end customers using the business’s service).
- Legitimate interests in operating, securing, and improving the Service.
- Consent, where required (for example, end customers initiate the conversation by messaging the business).
- Legal obligation, where applicable.
5. Sharing of Information
We do not sell or rent your data. However, we may share your information with:
- Trusted partners who assist in service delivery (e.g., email platforms, analytics providers, or advertising networks).
- Legal authorities, if required by law or to protect our rights and users.
- Third-party service providers who support our operations under strict confidentiality agreements.
5.1 Sub-processors and sharing
We share data only with the following categories of recipients:
- Meta Platforms, Inc. — to send and receive WhatsApp messages via the WhatsApp Business Cloud API.
- OpenAI — to generate AI replies. Message content is sent to OpenAI’s API for inference only; per OpenAI’s API terms, data sent to the API is not used to train OpenAI models.
- Cloud infrastructure providers hosting the Service’s servers and databases.
- The business customer whose WhatsApp number an end customer messaged. End customer messages are visible to that business’s operators inside our dashboard. They are not visible to any other business.
- Authorities, where legally required.
Each business customer’s data is logically isolated from every other business customer’s data within the Service.
6. Data Retention
We retain your personal information only as long as necessary to fulfill the purposes outlined in this policy or as required by law. You can request data deletion at any time by contacting us directly.
- Conversation messages and knowledge content are retained for as long as the business customer maintains an active account, or until earlier deletion as instructed by the business.
- WhatsApp access tokens are retained while the WhatsApp connection is active; they are deleted when the connection is removed.
- Operational server logs are retained for a limited period for security and debugging.
- On account termination, business customer data is deleted within 30 days, subject to legal hold requirements.
7. Storage, encryption, and security
- Service data is stored in PostgreSQL databases. Access tokens for WhatsApp Business Accounts are encrypted at rest using AES-256-GCM.
- Uploaded knowledge documents are processed, indexed, and the raw uploaded bytes are purged after indexing completes; only the derived text chunks and vector embeddings are retained.
- All communication with the Service and with Meta is over HTTPS/TLS.
- Access to production systems is restricted to authorised Chimera personnel.
- Webhook callbacks from Meta are authenticated using HMAC-SHA256 signature verification on every request.
8. Cookies and Tracking Technologies
Our website uses cookies to enhance functionality and analyze visitor behavior. You can manage or disable cookies in your browser settings; however, some website features may not function properly if cookies are disabled.
9. Data Security
10. Your Rights
Depending on your location, you may have the right to access, correct, export, restrict, or delete personal data we hold about you, and to object to certain processing. End customers who wish to exercise these rights should typically contact the business they messaged, because that business is the controller of the conversation. We will assist business customers in responding to such requests.
To make a request directly to Chimera, email infothechimeramarketing.com. We respond within 30 days.
Depending on your location, you may have the following rights regarding your data:
- Access to your personal information.
- Correction of inaccurate or outdated data.
- Deletion of your data (“Right to be Forgotten”).
- Restriction or objection to certain processing activities.
- Data portability to another service provider.
Business users can request deletion of their account and associated data by emailing infothechimeramarketing.com from the account email address. End customers should contact the business they messaged.
Instructions and the deletion request channel are available at: https://thechimeramarketing.com/privacy#data-deletion (this section).
12. International transfers
The Service operates from infrastructure that may be located outside the country where you reside, including the United States and the European Union. Where applicable, we rely on appropriate safeguards (such as Standard Contractual Clauses) for international data transfers.
13. Children
The Service is not directed to children under 13 (or the higher minimum age set by local law). We do not knowingly collect personal data from children. If we become aware that we have done so, we will delete it.
14. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or for legal reasons. Updated versions will be posted on this page with the revised date. The “Last updated” date at the top reflects the latest revision. Material changes will be communicated to business users by email.
15. Contact Us
If you have any questions about this Privacy Policy or our data handling practices, please contact us:
The Chimera Marketing
3350 West Lincoln Avenue,
Anaheim, California 92801,
United States
Privacy contact: info@thechimeramarketing.com
Phone: +1 (714) 823‑9543
