Privacy Policy
This Privacy Policy explains how Taming Notify Solutions (“Notifykit”, “we”, “us”) collects, uses, stores, and protects personal data when you use our website, dashboard, and API services. By using Notifykit, you agree to the practices described here.
1. What we collect
- Account data: email address, company name, billing address, and payment method handled by Stripe.
- Usage data: API request logs, message delivery status, error rates, and dashboard activity.
- End-recipient data: WhatsApp phone numbers and message content that you send through our API. We process this strictly as your data processor.
- Technical data: IP address, browser type, device identifiers, and cookies for authentication and analytics.
2. How we use it
- To provide, operate, and maintain the Notifykit messaging service.
- To authenticate users, enforce rate limits, and prevent abuse.
- To bill you accurately and manage subscription status via Stripe.
- To send transactional emails (invoices, alerts, security notices) via Brevo.
- To comply with legal obligations, including Meta’s WhatsApp Business Terms.
3. WhatsApp opt-ins
You may only send WhatsApp messages to recipients who have provided explicit opt-in consent. Notifykit provides opt-in recording via the API, but you are the data controller responsible for obtaining lawful consent. We reserve the right to suspend accounts that send messages without documented opt-in.
4. Data retention
- Message content and delivery logs: retained for 90 days, then purged automatically.
- Audit logs (who sent what, when): retained for 2 years for compliance.
- Billing records: retained for 7 years per Malaysian tax law.
- Account data: retained while your account is active, plus 30 days after closure.
5. Cookies
We use essential cookies for authentication and session management. We do not use third-party advertising cookies. You can disable non-essential cookies in your browser, but this may limit dashboard functionality.
6. Third-party services
- Meta Platforms, Inc. — WhatsApp Cloud API message delivery
- Stripe, Inc. — payment processing
- Brevo (Sendinblue) — transactional email
- Cloudflare, Inc. — CDN, DNS, and security
7. Your rights
Under the Malaysian Personal Data Protection Act 2010 (PDPA) and applicable GDPR principles, you may request access to, correction of, or deletion of your personal data. To exercise these rights, email us at info@tamingsolutions.com. We will respond within 30 days.
8. Security
We encrypt data in transit with TLS 1.3 and at rest using AES-256. API keys are bcrypt-hashed. Access to production systems is limited to founders and requires hardware-key 2FA. We run automated backups to Cloudflare R2 daily.
9. Changes
We may update this policy as laws or our service evolve. Material changes will be emailed to the account owner 14 days before taking effect.
Terms of Service
These Terms of Service (“Terms”) govern your access to and use of Notifykit’s website, API, and dashboard (collectively, the “Services”). By creating an account or sending an API request, you agree to these Terms.
1. Eligibility
You must be at least 18 years old and legally capable of entering contracts. If you use Notifykit on behalf of an organisation, you warrant that you have authority to bind that organisation.
2. Accounts
- You are responsible for maintaining the confidentiality of your API keys and account credentials.
- You must notify us immediately of unauthorised use or security breaches.
- We may suspend or terminate accounts that violate these Terms or Meta’s WhatsApp Business Terms.
3. Acceptable use
You may use Notifykit only for lawful, utility messaging purposes. Prohibited uses include:
- Spam, phishing, or fraudulent messages of any kind.
- Marketing or promotional content sent without explicit recipient opt-in.
- Messages that violate any law, including hate speech, harassment, or threats.
- Circumventing rate limits, abusing free tiers, or reverse-engineering the API.
- Sending messages to numbers scraped from public sources without consent.
We reserve the right to suspend service immediately and without notice for any violation, and to report illegal activity to the appropriate authorities.
4. Pricing and payment
- Fees are charged monthly or annually in Malaysian Ringgit (MYR) via Stripe.
- Subscription fees are non-refundable except where required by law.
- Overage charges apply when you exceed your tier’s conversation quota.
- We may adjust pricing with 30 days’ written notice.
5. Intellectual property
Notifykit retains all rights to its software, trademarks, and branding. You retain ownership of your customer data. You grant us a limited licence to process that data solely to deliver the Services.
6. Service level
We aim for 99.9% API uptime, measured monthly. Downtime excludes scheduled maintenance, force majeure, and third-party failures (including Meta’s WhatsApp infrastructure). We do not offer formal SLA credits at this time.
7. Limitation of liability
To the maximum extent permitted by Malaysian law, Notifykit’s total liability for any claim arising from these Terms shall not exceed the amount you paid us in the 12 months preceding the claim. We are not liable for indirect, incidental, or consequential damages, including lost profits or data loss.
8. Termination
You may cancel your subscription at any time via the dashboard or by emailing us. We will retain your data for 30 days after closure, then purge it permanently. We may terminate immediately for breach of these Terms or Meta policy violations.
9. Governing law
These Terms are governed by the laws of Malaysia. Any dispute shall be resolved in the courts of Kuala Lumpur.
WhatsApp Business Policy
Notifykit operates under Meta’s WhatsApp Business Solution Provider (BSP) programme. All customers must comply with Meta’s WhatsApp Business Terms of Service and WhatsApp Business Policy. This section summarises the key rules that apply when you send messages through Notifykit.
1. Utility-only messaging
Notifykit is strictly a utility-messaging service. You may only send messages that fall into Meta’s approved utility categories:
- Transaction confirmations (orders, payments, bookings)
- Shipping and delivery updates
- Appointment reminders and reschedules
- Account alerts (security, password reset, balance)
- Operational notifications (shift hand-offs, plant alarms, system alerts)
Promotional, marketing, or advertising content is prohibited unless sent via an approved marketing template under a separate customer-owned WABA arrangement (Path B).
2. Opt-in requirement
Every recipient must provide explicit opt-in consent before receiving WhatsApp messages. Opt-in must clearly state that the user is consenting to receive messages from your business on WhatsApp. Keep records of opt-ins for at least 12 months.
3. Message quality
- Maintain a high-quality rating on Meta’s dashboard.
- Do not send messages that result in high block or report rates.
- Respond to user-initiated conversations within 24 hours.
4. Prohibited content
The following are never permitted via Notifykit, regardless of consent:
- Adult content, gambling, or illegal substances
- Deceptive or misleading claims
- Hate speech, harassment, or discrimination
- Content that infringes intellectual property rights
- Messages designed to evade spam detection
5. Enforcement
Meta monitors quality ratings and may restrict or suspend a WABA without warning. Notifykit enforces per-tenant rate limits and auto-kill switches to protect shared WABA health. If your account causes quality-rating degradation, we may suspend it immediately and without refund.
6. Template approval
All message templates must be pre-approved by Meta before use. Notifykit provides a library of standard utility templates. Custom templates can be submitted for review; approval typically takes 24–48 hours.
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Taming Notify Solutions (“Processor”) and you (“Controller”). It sets out the terms for processing personal data in compliance with the Malaysian Personal Data Protection Act 2010 (PDPA) and GDPR where applicable.
1. Roles
You are the data controller for end-recipient personal data (phone numbers, names, message content). Notifykit is the data processor, acting only on your documented instructions.
2. Purpose and scope
We process personal data solely to deliver WhatsApp messages, handle delivery receipts, and provide the dashboard and API services you subscribe to. We do not use personal data for any other purpose.
3. Sub-processors
We use the following sub-processors to deliver the Services. By using Notifykit, you authorise these sub-processors:
- Meta Platforms, Inc. — message delivery via WhatsApp Cloud API
- Stripe, Inc. — payment processing
- Brevo (Sendinblue) — transactional email
- Cloudflare, Inc. — CDN, DNS, WAF, and object storage (R2)
- DigitalOcean, LLC — cloud hosting infrastructure
We will notify you 14 days in advance of adding any new sub-processor that processes personal data, and you may object on reasonable grounds.
4. Security measures
- TLS 1.3 for all data in transit; AES-256 for data at rest.
- API keys hashed with bcrypt; dashboard sessions use signed HTTP-only cookies.
- Production access restricted to founders with hardware-key 2FA.
- Automated daily backups encrypted and stored in Cloudflare R2.
- Annual security reviews and dependency audits.
5. Data subject rights
We will assist you in responding to data subject requests (access, correction, deletion) within 30 days. You remain responsible for verifying the identity of the requester.
6. Breach notification
We will notify you without undue delay and no later than 48 hours after becoming aware of any personal data breach that affects your data. We will provide reasonable assistance to help you meet your own breach-notification obligations.
7. Data location and transfers
Primary data processing occurs in Singapore (DigitalOcean SGP1). Backup data is stored in Cloudflare R2 (US/EU regions). WhatsApp message delivery is handled by Meta’s global infrastructure. By using the Services, you consent to these transfers.
8. Termination and deletion
On account termination, we will delete or return all personal data within 30 days, except where retention is required by law. Backups are purged according to our 90-day retention schedule.
9. Audit
You may request a summary of our security practices once per year at no charge. On-site audits require 30 days’ notice and are limited to once per 12 months.