Privacy Policy

Last updated: July 5, 2026

Verkur ("Verkur", "we", "us") operates verkur.com and the associated dashboard and API (together, the "Service"). This policy explains what data we collect, why, how long we keep it, and what rights you have over it. It applies to anyone with a Verkur account and to the WhatsApp numbers connected through it.

1. What the Service is for

Verkur lets you connect your own WhatsApp number and send messages from your own backend through a simple API. The Service is intended for outbound marketing and transactional notifications (for example order updates, appointment reminders, and one-time passwords/OTP codes) — it is a send-only platform. We do not store, log, or process the content of any messages your WhatsApp number receives.

You are responsible for how consent to receive messages from you was obtained from the numbers you send to, and for complying with WhatsApp's own Business Messaging Policy and applicable anti-spam/telecom regulations in the countries you send to.

2. Data we collect

  • Account data: your name/organization name, email address, and a securely hashed password (we never store your password in plain text). If you use social/third-party login in the future, we'll update this section accordingly.
  • WhatsApp session data: the connection credentials Baileys (the library we use to connect to WhatsApp) generates when you scan a QR code to link your number, and your number's connection status. This data is encrypted at rest and is what lets your session stay connected between visits — it is functionally equivalent to being logged into WhatsApp Web.
  • Message metadata: for every message sent through the Service, we store the sender and recipient numbers, message content, delivery status (queued/sent/delivered/read/failed), and timestamps — this is what powers your Messages log and delivery-status tracking.
  • API keys: we store a one-way hash of each API key you generate, plus a short, non-secret prefix for display purposes. The full key is shown to you once, at creation, and never again.
  • Audit & security logs: see Section 3 below.
  • Technical data: IP address, browser user-agent, and timestamps, captured on security-relevant actions (see Section 3) and standard web server/reverse-proxy logs.

3. Audit and security logging

We keep two distinct kinds of logs, for different purposes:

  • API activity (per API key): a record of message-send calls made with each of your API keys — recipient, status, and timestamp — visible to you in the dashboard so you can audit your own integration's usage.
  • Account activity log: account-level security events — sign-ins/sign-outs, password resets, API key creation/revocation, webhook changes, and WhatsApp session connect/disconnect events — including the IP address and browser used, kept to help you and us detect unauthorized access to your account. This log is retained indefinitely as a security measure and is not used for any purpose beyond account security and abuse investigation.

4. How we use your data

  • To operate the Service: authenticate you, maintain your WhatsApp connection, and send your messages.
  • To show you delivery status and usage of your own account and API keys.
  • To detect, investigate, and prevent fraud, abuse, and unauthorized access.
  • To send you account-related email (password resets, email verification, service notices) via Resend, our transactional email provider.
  • To communicate with you about the Service, including changes to these terms or to pricing.

We do not sell your data, and we do not use message content for advertising.

5. Data retention

  • While your account is active, we retain account data, message logs, and audit logs as described above for as long as needed to provide the Service.
  • After account deletion: we retain your data for 14 days following deletion, after which it is permanently removed from active systems (backups age out on their own separate retention schedule). Automated self-service deletion is coming soon — until then, contact us to request deletion.

6. Third-party services

We use a small number of third-party providers to operate the Service: a cloud hosting provider (for compute and the database), and Resend (for transactional email delivery). These providers process data only as needed to provide their service to us and are bound by their own privacy and security commitments.

7. Security

Passwords are hashed with argon2id and never stored in plain text. WhatsApp connection credentials and webhook signing secrets are encrypted at rest. Dashboard sessions use secure, httpOnly cookies with CSRF protection; the API uses per-key authentication and rate limiting.

Found a security issue? Please report it to security@verkur.com rather than filing a public issue or disclosing it elsewhere. We ask that you give us a reasonable opportunity to investigate and address a report before any public disclosure.

8. Pricing and usage charges

The Service may currently be free or in an introductory period. We may introduce usage-based or subscription charges at any time going forward. If we do, we'll give notice before charges apply to your account, and continued use of the Service after that notice takes effect constitutes acceptance of the then-current pricing.

9. Your rights

You can access, correct, or request deletion of your account data at any time by contacting us. Where applicable law (such as GDPR) grants you additional rights — access, portability, objection, or restriction of processing — we honor those requests; contact us to exercise them.

10. Changes to this policy

We may update this policy as the Service evolves. Material changes will be reflected by updating the "Last updated" date above; where changes are significant, we'll also notify account holders by email.

11. Contact

Questions about this policy or your data: privacy@verkur.com. Security reports: security@verkur.com.