Privacy Policy
Last updated: March 15, 2026 — Effective immediately
Makolet.store ("we", "us", "our") operates a WhatsApp-native B2B mini market SaaS platform that connects convenience stores with customers via WhatsApp ordering. This policy explains exactly what data we collect, why, how we store it, who can access it, and your rights. We believe in full transparency.
1. Who This Policy Applies To
This policy covers three types of users:
- Store Owners (Tenants): Business owners who register stores on our platform
- Customers: End users who order from stores via WhatsApp or our web storefront
- Delivery Couriers: Drivers who fulfill deliveries through our driver app
2. Data We Collect
2.1 Store Owner Data
| Data | Purpose | Retention |
|---|---|---|
| Business name, email, phone, address | Account creation, store setup, customer-facing display | Duration of account + 3 years |
| Business registration number, tax ID | Legal compliance, invoice generation | 7 years (Israeli tax law) |
| Product catalog, prices, inventory | Store operations, customer ordering | Duration of account |
| PayPal account email | Subscription billing (499 ILS/month) | Duration of subscription + 1 year |
| Staff member names, emails, roles | Multi-user access control (RBAC) | Duration of employment |
| WhatsApp Business phone number ID | Customer messaging via Meta Cloud API | Duration of account |
2.2 Customer Data
| Data | Purpose | Retention |
|---|---|---|
| Phone number (WhatsApp) | Order communication, account identification | Duration of activity + 2 years |
| Name (if provided) | Order personalization, delivery labels | Duration of activity + 2 years |
| Delivery address | Order fulfillment, delivery routing | 90 days after last order |
| Order history, items, totals | Order tracking, receipts, analytics | 7 years (tax/legal) |
| Allergy/dietary preferences | Nutritional intelligence, safe product filtering | Duration of activity |
| Credit account balance (if BNPL enabled) | Buy Now Pay Later store credit | Duration of account + 3 years |
2.3 Courier Data
| Data | Purpose | Retention |
|---|---|---|
| Name, phone, ID document | Identity verification, contact | Duration of service + 3 years |
| GPS location (during active deliveries) | Real-time tracking, ETA calculation, route optimization | 30 days |
| Delivery history, earnings | Payout calculation, performance tracking | 7 years (tax/legal) |
2.4 Automatically Collected Data
- IP Address: Rate limiting, fraud detection, geolocation. Stored in event logs for 90 days.
- User Agent: Device type detection for responsive UI. Stored in event logs for 90 days.
- Session Data: Authentication tokens (JWT, 24-hour expiry). Stored in Redis, auto-expired.
- Page Views: Google Analytics 4 (GA4) via Measurement Protocol, if configured by store owner. Subject to Google's privacy policy.
3. How We Use Your Data
3.1 Core Service Operations
- Process orders placed via WhatsApp or web storefront
- Send order confirmations, status updates, and delivery notifications via WhatsApp
- Calculate delivery fees, ETAs, and optimal routes
- Generate invoices and receipts
- Manage store credit (BNPL) accounts and payment reminders
3.2 Security & Fraud Prevention
- Fraud Detection: Real-time anomaly scoring (0-100) based on transaction velocity, geographic patterns, amount deviations, time patterns, and device fingerprinting. Score above 75 blocks the transaction.
- Rate Limiting: Redis-backed sliding window rate limiting on all API endpoints to prevent abuse
- Audit Trail: All state changes logged to an immutable event log with microsecond timestamps, IP, and user agent for compliance and security investigation
3.3 Analytics & Improvement
- Aggregated, anonymized analytics for store owners (sales trends, customer retention, popular products)
- Tenant health scoring for proactive support
- "Frequently bought together" recommendations based on co-purchase analysis
4. Third-Party Services & Data Sharing
We do NOT sell your personal data. We never have and never will. Data is shared only with the following service providers, solely to operate the platform:
| Service | Data Shared | Purpose |
|---|---|---|
| Meta (WhatsApp Cloud API) | Customer phone numbers, message content | WhatsApp messaging for orders, notifications, bot interactions |
| PayPal | Store owner email, payment amounts | Subscription billing, order payments, refunds |
| Google Maps Platform | Addresses (anonymized) | Geocoding, delivery routing, distance calculation |
| Google Business Profile | Store business data (owner-initiated) | Business verification, reviews sync, hours sync |
| Google Analytics (GA4) | Anonymized page views, events | Store analytics (opt-in by store owner) |
| Bing IndexNow | Store page URLs only | Search engine indexing for store discoverability |
4.1 Optional Integrations (Store Owner Choice)
Store owners may optionally connect the following services. Data is shared only when explicitly configured:
- Clover / Square POS: Product catalog and inventory sync
- Xero / QuickBooks: Invoice and payment sync for accounting
- Mailchimp / HubSpot: Customer contact sync for marketing (with customer consent)
- Wolt / Gett: External delivery provider dispatch
- Supplier APIs: Automated inventory replenishment
All integration credentials are encrypted with AES-256-CBC before storage. Webhook payloads are signed with HMAC-SHA256.
5. Data Storage & Security
5.1 Infrastructure
- Database: MariaDB 10.11+ with encrypted connections
- Cache: Redis 7.2 for sessions, rate limits, and real-time state
- Application: PHP 8.4 with strict type safety
- Transport: TLS 1.2+ enforced (HSTS with 1-year max-age, includeSubDomains, preload)
5.2 Security Measures
- Authentication: JWT tokens with 24-hour expiry, mandatory `exp` claim validation
- Passwords: bcrypt hashing (cost factor 12), never stored in plaintext
- API Keys: SHA-256 hashed, prefixed with `mk_live_`, per-key Redis rate limiting
- Encryption: AES-256-CBC for integration credentials, platform settings
- CSP: Content Security Policy with nonce-based script loading, no unsafe-inline for scripts
- Headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- Webhook Verification: HMAC-SHA256 signature validation on all inbound webhooks
- Backups: Daily automated backups with SHA-256 checksum verification, 30-day rotation
5.3 What We Do NOT Store
- Credit card numbers (payments handled entirely by PayPal)
- WhatsApp message content after processing (messages are transient)
- Biometric data
- Social media profiles or passwords
6. Data Retention & Deletion
| Data Category | Retention Period | Basis |
|---|---|---|
| Event/audit logs | 90 days (1 year for security events) | Security, debugging |
| Session data | 24 hours (auto-expired) | Authentication |
| Delivery GPS data | 30 days | Dispute resolution |
| Order records | 7 years | Israeli tax/legal requirements |
| Account data | Duration + 3 years | Legal, re-activation |
| Bulk export files | 48 hours (auto-deleted) | Temporary download |
| Database backups | 30 days (rotated) | Disaster recovery |
7. Your Rights
Under GDPR, Israeli Privacy Protection Law (PPLA), and applicable data protection regulations, you have the right to:
- Access: Request a full export of all data we hold about you (available via Dashboard > Settings > Data Export, or by email request)
- Rectification: Correct any inaccurate data through your dashboard or by contacting us
- Erasure ("Right to be Forgotten"): Request deletion of your personal data. We will comply within 30 days, except where retention is required by law (tax records, legal disputes)
- Data Portability: Export your data in CSV or JSON format at any time via the dashboard
- Object: Object to processing for marketing purposes. Marketing communications require explicit opt-in consent.
- Restrict Processing: Request we limit how we process your data while a dispute is resolved
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing
How to exercise your rights: Email privacy@makolet.store with your request. We will verify your identity and respond within 30 days. Store owners can also use Dashboard > Settings > Data Export for self-service access.
8. Cookies & Local Storage
We use minimal client-side storage:
| Technology | Purpose | Duration |
|---|---|---|
| `auth_token` cookie | JWT authentication (HttpOnly, Secure, SameSite=Strict) | 24 hours |
| `admin_token` cookie | Admin session authentication (HttpOnly, Secure, SameSite=Strict) | 8 hours |
| IndexedDB (`whatsappmyshopping_offline`) | Driver app offline delivery cache | Until sync completes |
| Service Worker cache | Offline page support, static asset caching | Until new version deployed |
| localStorage (cart, preferences) | Shopping cart persistence, language preference | Until cleared by user |
We do not use third-party advertising cookies, cross-site tracking pixels, or fingerprinting scripts.
9. Marketing Communications
- Store owners may send WhatsApp campaigns to customers who have opted in via prior purchase or explicit consent
- Customers can opt out at any time by replying "STOP" to any WhatsApp message or through the store's opt-out mechanism
- We track marketing consent status per customer per store and respect unsubscribe requests immediately
- Abandoned cart reminders are sent only to customers with an active session (within 24 hours of cart activity)
10. Children's Privacy
Makolet.store is a B2B platform for businesses. Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will delete it within 72 hours.
11. International Data Transfers
Our servers are hosted in Israel. If you access the platform from outside Israel, your data will be transferred to and processed in Israel, which has been recognized by the European Commission as providing adequate data protection. For transfers to other jurisdictions (e.g., when using PayPal or Google services), we rely on the service providers' standard contractual clauses and privacy frameworks.
12. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights:
- We will notify the Israeli Privacy Protection Authority within 72 hours
- We will notify affected users without undue delay via email and/or WhatsApp
- We will document the breach, its effects, and remedial actions in our audit trail
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the "Last updated" date at the top
- We will notify store owners via email and dashboard notification at least 30 days before changes take effect
- Continued use of the platform after the effective date constitutes acceptance
14. Contact & Data Protection Officer
Privacy Inquiries & Data Requests:
privacy@makolet.store
Data Protection Officer (DPO):
dpo@makolet.store
General Support:
Support Portal
WhatsApp:
+972-54-786-5418
Mailing Address:
Makolet.store
Tel Aviv, Israel