Sabi Effective Date: March 2026 Last Updated: March 2026
This Privacy Policy explains how Sabi ("we", "our", or "us") collects, uses, stores, and protects your personal data when you use our mobile application and platform. We are committed to protecting your privacy and complying with the Nigeria Data Protection Regulation (NDPR) 2019 and applicable data protection laws.
By using Sabi, you agree to the collection and use of your information as described in this policy.
Business Name: Appedge CAC Registration: [INSERT RC NUMBER FROM CAC CERTIFICATE] Address: Lagos, Nigeria Email: olomuvoke01@gmail.com
We are the Data Controller for personal data collected through the Sabi platform.
Account data:
Your name, email address, and profile photo (collected via Facebook OAuth at signup)
Your Facebook User ID (used to authenticate your session)
Business data:
Your business name
Your business website URL (if provided for scraping)
Business information you paste or upload (text files, PDFs, Word documents)
Your WhatsApp Business phone number
Payment data:
Your subscription plan and billing history
Payment reference numbers from Paystack
We do NOT store your card details — these are handled entirely by Paystack
WhatsApp conversation data:
Inbound messages sent by your customers to your WhatsApp bot number
Outbound messages sent by the AI or by you in Manual Overdrive
Message delivery and read receipts
Customer WhatsApp IDs (phone numbers) and Business-Scoped User IDs (BSUIDs)
Timestamps of all messages
Usage data:
App sessions and feature usage patterns
Bot performance metrics (AI reply count, handoff rate, deflection rate)
Error logs and crash reports (via Sentry)
Device data:
Device type, operating system, and app version
Expo push notification token (for delivering alerts to your phone)
From Facebook/Meta:
Your public profile information at login
Your Meta Business Portfolio ID and WhatsApp Business Account ID (WABA ID)
Your WhatsApp phone number ID after connection
From your business website (via Firecrawl):
Publicly available text content from your website pages
This content is used solely to build your bot's knowledge base
Account data — used to create and manage your Sabi account. Legal basis: contract performance.
Business data — used to build and maintain your bot's knowledge base. Legal basis: contract performance.
Phone number — used to connect your WhatsApp number to the platform. Legal basis: contract performance.
Conversation data — used to deliver AI replies, display Shadow Chat, and provide analytics. Legal basis: contract performance.
Customer WhatsApp IDs — used to route messages to the correct conversation. Legal basis: contract performance.
Payment data — used to process subscriptions and refunds. Legal basis: contract performance.
Usage data — used to improve the product, fix bugs, and detect abuse. Legal basis: legitimate interest.
Push notification token — used to send handoff alerts and system notifications. Legal basis: contract performance.
Error logs — used to debug issues and maintain service reliability. Legal basis: legitimate interest.
We do not use your data or your customers' data for advertising, profiling, or sale to third parties.
When your customers send WhatsApp messages to your business bot, they become data subjects whose personal data Sabi processes on your behalf. In this relationship:
You are the Data Controller — you determine why customer messages are processed
Sabi is the Data Processor — we process customer messages only to deliver the service you have contracted us for
What we collect about your customers:
Their WhatsApp phone number or BSUID
The content of their messages to your bot
Message timestamps, delivery status, and read receipts
What we do NOT do with customer data:
We do not contact your customers directly
We do not share customer data with other Sabi users
We do not use customer message content to train AI models
We do not sell customer data to any third party
Your obligations as Data Controller: You are responsible for ensuring you have a lawful basis to process your customers' personal data via Sabi. We recommend informing your customers that their WhatsApp messages are handled by an AI assistant.
We share your data with the following third-party service providers solely to operate the Sabi platform:
Meta (WhatsApp Cloud API) — purpose: WhatsApp message routing — location: USA — privacy policy: meta.com/privacy
OpenAI — purpose: AI response generation — location: USA — privacy policy: openai.com/privacy
Supabase — purpose: database and authentication — location: USA/EU — privacy policy: supabase.com/privacy
Firecrawl — purpose: website scraping — location: USA — privacy policy: firecrawl.dev/privacy
Paystack — purpose: payment processing — location: Nigeria — privacy policy: paystack.com/privacy
Expo — purpose: push notification delivery — location: USA — privacy policy: expo.dev/privacy
Sentry — purpose: error monitoring — location: USA — privacy policy: sentry.io/privacy
Facebook (OAuth) — purpose: user authentication — location: USA — privacy policy: meta.com/privacy
We do not share your data with any other parties except:
When required by Nigerian law or a valid court order
When necessary to protect the safety of any person
In connection with a merger, acquisition, or sale of our business (you will be notified)
Where your data is stored: All Sabi data is stored in Supabase's managed PostgreSQL database. Data is stored in servers located in the United States or European Union depending on your region.
How we protect your data:
All data is encrypted at rest using AES-256 encryption
All data in transit is encrypted using TLS 1.3
Your WhatsApp System User access token is stored in Supabase Vault — an encrypted secrets manager — and is never stored in plaintext
Row-Level Security (RLS) is enforced on all database tables — no user can access another user's data even in the event of an application bug
API keys for all third-party services are stored as encrypted server-side environment secrets and are never exposed in the mobile app
Nightly security checks: Sabi runs a nightly check on WhatsApp access tokens. If a token is found to be invalid or expiring, you are notified via push notification and prompted to re-authenticate. This protects against silent bot failures.
Account data — retained until you delete your account, plus 30 days.
Conversation messages — retained for 90 days by default.
Business knowledge base — retained until you delete or refresh it.
Payment records — retained for 7 years in compliance with Nigerian tax law requirements.
Error logs — retained for 30 days.
Deleted account data — permanently deleted within 30 days of account deletion.
You can request earlier deletion of conversation data for specific customers at any time from within the app.
As a data subject under the Nigeria Data Protection Regulation (NDPR) 2019, you have the following rights:
Right of access: You can request a copy of all personal data we hold about you.
Right to rectification: You can correct inaccurate or incomplete data by updating your profile in the app or contacting us.
Right to erasure: You can request deletion of your personal data. We will comply within 30 days except where we are required to retain data by law.
Right to data portability: You can request your data in a machine-readable format (JSON or CSV).
Right to object: You can object to processing based on legitimate interest. We will review and respond within 14 days.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
Right to lodge a complaint: You have the right to lodge a complaint with Nigeria's National Information Technology Development Agency (NITDA), the supervisory authority for NDPR compliance in Nigeria.
To exercise any of these rights, contact us at olomuvoke01@gmail.com. We will respond within 14 days.
Your customers whose data is processed through your Sabi bot also have data subject rights. As the Data Controller, you are responsible for handling requests from your customers. If a customer contacts Sabi directly about their data, we will direct them to you as the appropriate Data Controller.
Some of our third-party providers (OpenAI, Supabase, Expo, Sentry) are located in the United States. When we transfer your data internationally, we ensure appropriate safeguards are in place including:
Standard Contractual Clauses (SCCs) where required
Using only providers who comply with internationally recognised data protection standards
Processing only the minimum data necessary for each third-party integration
Sabi is intended for business owners and is not directed at persons under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
The Sabi mobile app does not use cookies. We use:
Supabase session tokens — stored securely on your device to maintain your login session
Expo push notification tokens — stored to deliver alerts to your device
Sentry session tracking — used for error reporting only, contains no personally identifiable information
We do not use advertising trackers, analytics SDKs, or social media pixels.
Sabi uses OpenAI's GPT-4o-mini to generate automated responses to your customers' WhatsApp messages. This constitutes automated processing under NDPR.
How it works:
Customer sends a message to your WhatsApp number
Sabi loads your knowledge base and recent conversation history
GPT-4o-mini generates a response based solely on your knowledge base content
The response is sent back to the customer
Important limitations:
The AI does not make decisions that have legal or significant effects on individuals
The AI cannot access any information outside your knowledge base
If the AI cannot confidently answer a question, it escalates to you via a human handoff notification
You retain full control at all times via the Manual Overdrive feature
OpenAI data usage: Message content sent to OpenAI for response generation is subject to OpenAI's API data usage policy. OpenAI does not use API data to train their models by default. See openai.com/privacy for details.
We may update this Privacy Policy from time to time. We will notify you of material changes via:
A push notification in the Sabi app
An email to your registered address
Changes take effect 14 days after notification. Continued use of Sabi after that date constitutes acceptance of the updated policy.
For any privacy-related questions, requests, or complaints:
Email: olomuvoke01@gmail.com Address: Lagos, Nigeria Response time: We aim to respond within 14 days
To file a complaint with the supervisory authority: National Information Technology Development Agency (NITDA) Address: Plot 28 Port Harcourt Crescent, Off Gimbiya Street, Garki, Abuja Website: nitda.gov.ng Email: info@nitda.gov.ng
This Privacy Policy was last updated in March 2026 and is compliant with the Nigeria Data Protection Regulation (NDPR) 2019.