Privacy Policy
How Wallu.ai collects, uses, stores, and deletes your data — including data from connected platforms such as TikTok, YouTube, Instagram, Facebook, and X — and your privacy rights.
1. Introduction
Welcome to Wallu.ai ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. Wallu.ai is an AI-powered platform that provides social media scheduling, video creation, email marketing, customer support automation, and related services. If you have any questions or concerns about this privacy notice, or our practices with regards to your personal information, please contact us at contact@wallu.ai.
2. Information We Collect
We collect personal information that you voluntarily provide to us when you register on the website, connect third-party accounts, use our services, or otherwise contact us. The categories of information we collect include:
Account Information
- Names and email addresses
- Profile pictures (via social login or upload)
- Billing information (processed securely by Stripe; we do not store raw card numbers)
- Account credentials (passwords stored as salted hashes)
Content You Provide
- Uploaded files (images, videos, documents, knowledge base content)
- Social media posts, captions, and scheduling configurations you create
- Email templates, campaigns, and subscriber lists you manage
- Chat histories and AI conversation logs
Third-Party Social Media Data
When you connect a third-party social media or platform account (e.g., YouTube, Twitter/X, Instagram, TikTok), we receive limited data from that platform as permitted by the scopes you authorize. This may include your public profile information, account identifiers, and OAuth access tokens. Specific data received per platform is described in Section 5.
Usage Data
- Log data (IP address, browser type, pages visited, timestamps)
- Feature usage analytics (anonymized and aggregated)
- Device information
3. How We Use Your Information
We use the information we collect for the following purposes:
- To create and manage your account and provide the services you request.
- To post content to connected social media accounts on your behalf, at your direction.
- To send transactional emails (e.g., receipts, password resets, service alerts).
- To process payments and manage subscriptions via Stripe.
- To improve platform functionality using aggregated, anonymized analytics.
- To power AI features (content generation, scheduling suggestions, support automation) — see Section 6.
- To comply with legal obligations and enforce our Terms of Service.
- To communicate service updates, security notices, and (with your consent) promotional messages.
We do not sell your personal data to third parties, use it to serve behavioral advertising, or share it for purposes beyond delivering the services you have authorized.
4. Sharing Your Information
We may share your information in the following limited circumstances:
- Service Providers: We share data with vetted third-party processors (listed in Section 7) who assist us in operating the platform, subject to data processing agreements.
- At Your Direction: When you connect a social account and trigger a post, upload, or action, data is transmitted to that platform on your behalf.
- Legal Obligations: We may disclose information where required by law, court order, or governmental authority.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the site.
- Protection of Rights: To protect the rights, property, or safety of Wallu.ai, our users, or the public.
5. Social Media & Third-Party Platform Integrations
Wallu.ai allows you to connect various third-party platforms to automate and manage your social presence. Below is a description of each integration, the permissions (scopes) we request, what actions we perform, and how you can revoke access. We request only the minimum permissions necessary to deliver the features you choose to use.
Google / YouTube
Wallu.ai's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Scopes: youtube.upload, openid, email, profile
- Actions: Upload videos you create in Wallu.ai directly to your YouTube channel; authenticate your account.
- Data stored: OAuth access and refresh tokens (encrypted). No YouTube video content is stored on our servers beyond the upload process.
- Not used for: Advertising, selling data to third parties, or any purpose beyond the feature you authorized.
- Revoke access: myaccount.google.com/permissions
Twitter / X
- Scopes: tweet.read, tweet.write, users.read, offline.access
- Actions: Post tweets and threads, upload media, read your public profile information.
- Data stored: Encrypted OAuth 2.0 access and refresh tokens, your Twitter user ID and display name.
- Revoke access: twitter.com/settings/connected_apps
Instagram (via Meta)
- Scopes: instagram_business_basic, instagram_business_content_publish, instagram_business_manage_comments, instagram_business_manage_messages, instagram_business_manage_insights, pages_show_list, pages_read_engagement
- Actions: Read Instagram Business account profile info (username, ID) and media metadata; publish images, videos, and Reels; read engagement metrics (views, reach, impressions, likes, comments, saves, shares) for analytics; receive incoming comments and direct messages via webhooks and respond via public reply or private DM according to user-configured automation rules.
- Comments, messages, and AI processing: When our Comment Automation or DM Automation features are enabled, incoming Instagram comments and direct messages are received via Meta webhooks and may be sent to our third-party AI providers (Anthropic Claude, OpenAI, Google Gemini, Groq — see Section 6) to generate automated replies, classify intent, or moderate spam/toxicity. You control which rules are active; we do not process messages for any user who has not explicitly enabled these features. Comment/message content is stored in your Wallu.ai inbox and conversation logs for up to 90 days, after which it is purged. We do not use this content to train AI models — neither our own nor our providers' — beyond the AI providers' standard non-training API defaults.
- Data stored: Encrypted account access tokens, Instagram account ID and username, automation rule definitions, conversation history (user comments/DMs received and bot replies sent), and aggregated analytics metrics. We do not sell, share, or transfer Instagram data to any third party.
- Data deletion: When you disconnect your Instagram account or delete your Wallu.ai account, all stored Instagram data (tokens, account IDs, cached metadata, conversation history, automation rules) is permanently deleted within 24 hours. We also support Meta's data deletion callback — when you remove our app via Facebook Settings, we automatically process the deletion request. You may request deletion of specific messages or the full conversation log at any time by contacting us.
- Compliance: Wallu.ai's use of information received from Meta APIs adheres to the Meta Platform Terms and Meta's Data Use Policy. We request only the minimum permissions necessary for the features you use.
- Revoke access: Facebook App Settings
TikTok
Wallu.ai integrates with TikTok using TikTok's Login Kit and Content Posting API. Our access to and use of TikTok data complies with the TikTok Developer Terms of Service and the TikTok Developer Guidelines.
- Scopes: user.info.basic, video.publish, video.upload
- Actions: Authenticate your TikTok account (Login Kit) and upload/publish videos you create in Wallu.ai to your TikTok account with the captions and settings you provide. We read your basic profile (open ID, username, display name, avatar) to display it in the posting interface, as required by TikTok's UX guidelines.
- Data received & stored: Encrypted OAuth access and refresh tokens, your TikTok open ID / union ID, username, display name, and avatar URL. Video content you send for publishing is transmitted to TikTok during the upload/publish process only and is NOT retained on our servers beyond that process.
- Data deletion: When you disconnect your TikTok account or delete your Wallu.ai account, all stored TikTok data (tokens, IDs, cached profile metadata) is permanently deleted within 24 hours. You may request deletion at any time by emailing contact@wallu.ai.
- No sale, no training: We do NOT sell, rent, or share your TikTok data with third parties, and we do NOT use TikTok data to train AI models (ours or our providers').
- Consent: TikTok data is accessed and used only with your explicit authorization, and only for the features you enable.
- Revoke access: TikTok app → Profile → Settings and privacy → Security & permissions → Apps and websites (or Manage app permissions).
Facebook / Meta Pages
- Scopes: public_profile, pages_show_list, pages_read_engagement, pages_manage_posts, pages_manage_metadata, pages_messaging, read_insights
- Actions: List and manage your Facebook Pages, publish and delete Page posts (text, image, video), read Page engagement metrics for analytics, receive incoming Page comments and messages via webhooks, and respond via public reply or private DM according to user-configured automation rules.
- Comments, messages, and AI processing: When our Comment Automation or DM Automation features are enabled, incoming Page comments and messages are received via Meta webhooks and may be sent to our third-party AI providers (Anthropic Claude, OpenAI, Google Gemini, Groq — see Section 6) to generate automated replies, classify intent, or moderate spam/toxicity. You control which rules are active; we do not process messages for any user who has not explicitly enabled these features. Comment/message content is stored in your Wallu.ai inbox and conversation logs for up to 90 days, after which it is purged. We do not use this content to train AI models.
- Data stored: Encrypted long-lived Page access tokens, Page IDs and names, automation rule definitions, conversation history (user comments/messages received and bot replies sent), and aggregated analytics metrics. We do not sell, share, or transfer Facebook/Meta data to any third party.
- Data deletion: When you disconnect your Facebook account or delete your Wallu.ai account, all stored Facebook data (tokens, Page IDs, cached metadata, conversation history, automation rules) is permanently deleted within 24 hours. Meta data deletion callbacks are supported and processed automatically. You may request deletion of specific messages or the full conversation log at any time by contacting us.
- Compliance: Wallu.ai's use of information received from Meta APIs adheres to the Meta Platform Terms and Meta's Data Use Policy.
- Revoke access: Facebook App Settings
- Scopes: boards:read, boards:write, pins:read, pins:write, user_accounts:read
- Actions: Create Pins (images and videos) to your boards, read your board list to let you select a destination.
- Data stored: Encrypted OAuth tokens, Pinterest account ID and username, board names.
- Revoke access: Pinterest Settings → Security → Apps with access to your account.
- Scopes: identity, submit, read, mysubreddits
- Actions: Submit posts to subreddits you choose, read subreddit rules and requirements, list your subscribed subreddits.
- Data stored: Encrypted OAuth tokens, Reddit username.
- Revoke access: Reddit Preferences → Apps (or reddit.com/prefs/apps).
Slack
- Permissions: users:read, message listening and posting
- Actions: Receive messages from workspace users, send AI-powered replies, manage conversation tickets.
- Data stored: Encrypted Slack app tokens, workspace ID.
- Revoke access: Slack workspace Settings → Manage Apps → Revoke.
Discord
- Access: Bot token (you provide your own Discord bot credentials)
- Actions: Read and respond to messages in authorized servers, manage support tickets, send AI-generated replies.
- Data stored: Encrypted bot token, server (guild) ID, configuration preferences.
- Revoke access: Remove the bot from your Discord server at any time via Server Settings → Integrations.
WhatsApp (Meta Business API)
- Access: Business API access token and phone number ID (you provide your own Meta Business account credentials)
- Actions: Send and receive WhatsApp messages, send template messages, handle inbound customer conversations via AI.
- Data stored: Encrypted access token, phone number ID.
- Revoke access: Meta Business Manager → System Users → Revoke token.
LinkedIn (Optional)
- Actions: Post content to your LinkedIn profile or company page when enabled.
- Revoke access: LinkedIn Settings → Data Privacy → Third-party applications.
Telegram (Optional)
- Access: Bot token (you provide)
- Actions: Receive and respond to messages in Telegram chats via AI-powered automation.
- Revoke access: Delete your bot via BotFather, or disconnect in Wallu.ai settings.
For all integrations: OAuth tokens are encrypted at rest using AES-256. Access is revocable at any time either through the respective platform's settings or through your Wallu.ai account settings under Integrations. Revoking access immediately invalidates stored tokens for that platform.
6. AI Services & Data Processing
Wallu.ai uses third-party AI providers to power features such as content generation, scheduling suggestions, knowledge-base question answering, and support automation. When you use these features, relevant portions of your input (e.g., a prompt, document excerpt, or conversation message) are sent to these providers for processing.
- OpenAI: Text generation, voice transcription (Whisper), and TTS. Data processed per OpenAI's Privacy Policy. API data is not used to train OpenAI models by default.
- Google Gemini: Multimodal AI generation. Processed per Google's enterprise data processing terms.
- Anthropic Claude: Text generation and reasoning tasks.
- Groq: Fast inference for supported models.
- Replicate / Flux: AI image generation from text prompts.
We do not intentionally send personally identifiable information to AI providers beyond what is necessary for the feature in use. Prompts and responses may be logged temporarily for debugging but are not used to train our own models. You may request deletion of AI interaction logs by contacting us.
7. Third-Party Service Providers
We work with the following categories of third-party processors. Each is bound by appropriate data processing agreements and maintains industry-standard security certifications:
- Stripe — Payment processing (PCI-DSS compliant). We do not store raw card numbers.
- Amazon Web Services (AWS) — Cloud infrastructure, file storage (S3), email delivery (SES), and serverless video rendering (Lambda). SOC 2 / ISO 27001 certified.
- Postal — Self-hosted outbound email delivery (primary), with Amazon SES as fallback.
- Twilio — SMS delivery for marketing and notifications (when SMS features are used).
- Modal.com — GPU compute for AI rendering tasks (e.g., globe/map generation).
- Qdrant — Vector database for knowledge-base semantic search.
- AI Providers — OpenAI, Google, Anthropic, Groq, Replicate (see Section 6).
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide services. Specifically:
- Account data is retained until you delete your account or request deletion.
- OAuth tokens for connected social accounts are deleted immediately when you disconnect the account or delete your Wallu.ai account.
- Billing records are retained for 7 years as required by financial regulations.
- AI chat and generation logs may be retained for up to 90 days for debugging, then purged.
- Uploaded media files are retained until you delete them or your account is closed.
You may request deletion of your account and all associated data at any time through Settings → Account → Delete Account, or by emailing contact@wallu.ai.
9. Data Protection & Security
We implement appropriate technical and organizational security measures to protect your personal information. These include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS).
- Encryption at rest: Sensitive data, including OAuth tokens and credentials, is encrypted at rest using AES-256.
- Access controls: Personal data access is restricted to authorized personnel on a strict need-to-know basis, subject to confidentiality agreements.
- OAuth token security: Tokens are stored encrypted, scoped to minimum required permissions, and invalidated immediately upon disconnection or account deletion.
- Webhook validation: Inbound webhooks from Meta, WhatsApp, and other platforms are validated using HMAC-SHA256 signature verification before processing.
- Password security: User passwords are hashed using bcrypt with a sufficient cost factor; plaintext passwords are never stored.
- Rate limiting: API endpoints are rate-limited to prevent abuse and unauthorized access attempts.
- Third-party certifications: Our primary infrastructure providers (AWS, Stripe) maintain SOC 2, ISO 27001, and/or PCI-DSS certifications.
- Periodic reviews: We conduct regular reviews of our data collection, storage, and processing practices.
No method of transmission over the internet or electronic storage is 100% secure. If you believe your data or account has been compromised, please contact us immediately at contact@wallu.ai.
Data breach notification: In the event of a data breach that affects your personal information, we will notify affected users and relevant regulatory authorities (including Meta, where applicable) within 72 hours of becoming aware of the breach, as required by GDPR and platform partner agreements.
10. Your Privacy Rights
Depending on your location, you may have the following rights under applicable data protection laws (including GDPR for EEA/UK residents and CCPA for California residents):
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate personal data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request that we restrict the processing of your data in certain circumstances.
- Data Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw any consent you have given at any time (including disconnecting social accounts).
- Non-discrimination (CCPA): You will not be discriminated against for exercising your privacy rights.
To exercise any of these rights, contact us at contact@wallu.ai. We will respond within 30 days. Account deletion and social account disconnection can also be performed directly in your Wallu.ai account settings.
11. Cookies & Tracking
We use essential cookies to maintain your authenticated session and remember your preferences. We do not use third-party advertising cookies or tracking pixels. You may disable cookies in your browser settings, but doing so may affect the functionality of the platform.
12. Children's Privacy
Wallu.ai is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this page and, where appropriate, by sending you an email notification. We encourage you to review this policy periodically.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- Email: contact@wallu.ai
- Website: wallu.ai
15. Third-Party Assets & Attributions
Some visuals in Wallu.ai are created using third-party assets under their respective open licenses:
- Earth & globe imagery: Earth textures by Solar System Scope, licensed under CC BY 4.0. Textures may be resized or recompressed for use in Motion Studio.
