Privacy Policy
Last updated: July 2, 2026
niiko (“niiko”, “we”, “us”) is a multi-tenant workspace platform operated by Vorluno. This policy explains what data we collect, how we use it, and the rights you have over it.
Who this applies to, and two different roles we play
niiko is B2B2C software: a business (“Customer”, “Workspace”) signs up for niiko to run their own operations — sales, messaging, scheduling — including data about the Customer’s own end-clients and contacts.
- For Customer account data (the business that signs up: workspace owner, team members, billing contact), niiko is the controller. We decide how that data is used, as described in this policy.
- For data a Customer uploads or generates through niiko about their own clients and contacts (names, phone numbers, message content, notes, documents), the Customer is the controller and niiko is the processor. We process that data only under the Customer’s instructions, under a Data Processing Agreement (DPA) available to every Customer. If you are an end-client of one of our Customers and have a question about your data, please contact that business directly — they decide how your data is handled, and we act on their instructions.
What we collect
- Account data: name, email, organization name, role, password hash, billing details (handled by our payment processor — we never see full card numbers).
- Content you or your Customer’s contacts create: messages sent and received through connected channels (WhatsApp, email), notes, documents, uploaded files, CRM records, scheduling data.
- WhatsApp Business Platform Data (see dedicated section below — Meta requires this to be called out separately).
- Usage data: pages visited, features used, device/browser information, IP address, collected via product analytics (PostHog) and error monitoring (Sentry).
- Support communications: anything you send us when you contact support.
We do not knowingly collect data from anyone under 18. niiko is a B2B product for business use.
How we use WhatsApp Business Platform Data (Meta Platform Data)
niiko is a Meta Tech Provider. When a Customer connects their own WhatsApp Business Account to niiko (through Meta’s Embedded Signup), niiko sends and receives WhatsApp messages exclusively on behalf of that Customer, using that Customer’s own WhatsApp Business Account and phone number.
- We never share one Customer’s WhatsApp Platform Data with another Customer.
- We never use WhatsApp Platform Data for advertising, and we never sell it.
- Each Customer pays Meta directly for their own WhatsApp usage — niiko does not resell or mark up WhatsApp messaging costs.
- A Customer can disconnect their WhatsApp number at any time from Settings → Integrations. Disconnecting revokes niiko’s access to that WhatsApp Business Account; see Data Deletion Instructions for how message data already stored is deleted.
How we use your data
- To provide the service you or your Customer signed up for (sending/receiving messages, storing records, scheduling, running the AI agent features you’ve configured).
- To secure the platform (fraud prevention, abuse detection).
- To improve the product (aggregated, and never using the contentof a Customer’s end-client conversations to train any model we don’t control — see AI section below).
- To communicate with you about your account (transactional email). Marketing email, if any, always includes an unsubscribe link.
We do not sell personal data, and we do not use it for third-party advertising.
AI features
Some niiko features use large language models (Anthropic’s Claude family) to draft messages, qualify leads, or summarize conversations.
- We access these models through OpenRouter, a routing provider that forwards our request to the underlying model. In other words, the content we send (e.g. message text) passes through OpenRouter and is processed by the AI model to generate a response. Each provider handles that content under its own data-processing terms; Zero Data Retention is not yet in place, so you should assume the request may be retained for a limited period under the providers’ standard terms. We’ll update this section when that changes.
- We do not send unnecessary personal data to the AI provider beyond what’s needed to generate the response.
- A human is always able to review AI-drafted content before it’s sent, and today AI does not make automated decisions with legal or similarly significant effects on end-clients without a human in the loop.
Who we share data with (sub-processors)
We use the following service providers to run niiko. Each has a role limited to providing their specific service, and each is bound by a data processing agreement:
| Provider | Purpose |
|---|---|
| Meta (WhatsApp Business Platform) | Sending/receiving WhatsApp messages on behalf of Customers |
| OpenRouter | Routing AI requests to the underlying language models |
| Anthropic | Claude models for AI-assisted drafting, qualification, and summarization |
| Resend | Transactional and, where opted in, marketing email |
| PayPal | Payment processing and billing |
| DigitalOcean | Application and database hosting |
| Cloudflare | DNS, CDN, and security (WAF) |
| PostHog | Product analytics |
| Sentry | Error monitoring |
| Axiom | Log storage |
This list will grow as we add integrations (e.g. e-signature, accounting sync) — we’ll keep it current and notify Customers of material changes.
How long we keep data
- Account and workspace data: kept while your account is active, plus a 30-day grace period after cancellation (in case you want to export or reactivate), then deleted.
- Financial records (invoices, ledger entries): kept for the period required by tax law (typically several years), even after account deletion, as required by law.
- Logs and telemetry: kept for a short, limited window (typically under 30 days) and contain no personal content by design.
- Backups: retained on a rolling cycle (typically under 35 days); if we restore from backup, we re-apply any pending deletions before the system returns to normal operation.
Your rights
Depending on where you’re located, you may have the right to access, correct, export (in a portable format), restrict, or delete your personal data, and to object to certain processing. If your data was submitted to niiko by a business you’re a client of (an end-client scenario), please direct these requests to that business first — they control the data and we act on their instructions. For requests about your own niiko account, contact us at [email protected].
We aim to respond to verified requests within the timeframe required by applicable law (e.g. one month under GDPR, 45 days under CCPA).
International data
Our team operates from Panama; our infrastructure and most service providers are US-based. If you’re in the EU/UK, we rely on appropriate safeguards (such as Standard Contractual Clauses) for these transfers where required.
Security
We use encryption in transit and at rest, per-tenant data isolation (row-level security in our database), and access controls limiting who on our team can see your data. No system is perfectly secure, but we design for it from the start rather than bolting it on.
Changes to this policy
We’ll update the “Last updated” date above and, for material changes, notify Customers by email.
Contact
Questions about this policy or your data: [email protected]