Privacy Policy

1. Introduction

Welcome to Sippy ("we," "our," or "us"). Sippy is a WhatsApp-based payment service that allows users to send and receive digital dollars using phone numbers. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our service.

By using Sippy, you agree to the collection and use of information in accordance with this policy. This policy complies with Colombian data protection laws (Ley 1581 de 2012) and applicable regulations.

2. Data Controller

The data controller responsible for your personal information is:

3. Information We Collect

We collect the following types of information when you use our service:

3.1 Information You Provide

• Phone Number: Your WhatsApp phone number, which serves as your account identifier and wallet address.
• Messages: The messages you send to our WhatsApp bot to execute commands (e.g., "send $10 to +573001234567").

3.2 Information Collected Automatically

• Account Address: A unique payment address automatically generated and associated with your phone number.
• Transaction History: Records of dollar transfers you make or receive, stored on the Arbitrum network (a public blockchain).
• Account Activity: Timestamps of your last activity, daily transaction amounts for security limits.

4. Consent and Opt-In

By initiating a conversation with our WhatsApp bot (sending "start" or any message), you:

• Opt-in to receive messages: You consent to receive transactional messages, notifications, and responses from Sippy via WhatsApp.
• Consent to data processing: You agree to the collection and processing of your data as described in this policy.
• Acknowledge the service terms: You confirm that you have read and accept our Terms of Service.

You may withdraw your consent at any time by contacting us at hello@sippy.lat or by stopping interaction with our WhatsApp bot.

5. How We Use Your Information

We use the collected information for the following purposes:

• Provide Services: To create and manage your wallet, process transactions, and respond to your commands.
• Security: To enforce daily spending limits and detect fraudulent or unauthorized activity.
• Communication: To send you transaction confirmations, notifications, and support messages via WhatsApp.
• Service Improvement: To understand how our service is used and improve user experience.
• Legal Compliance: To comply with applicable laws, regulations, and legal requests.

Important: We only use data obtained through WhatsApp for purposes reasonably necessary to provide our payment service. We do not use your data for marketing or share it with third parties for advertising purposes.

6. Information We Do NOT Collect

To protect your privacy and security, we do NOT collect or request:

• Bank account numbers or banking credentials
• Credit or debit card numbers
• Government-issued identification numbers (cédula, passport)
• Passwords or PINs
• Biometric data

Warning: Sippy will never ask you to share sensitive financial information through WhatsApp. If someone requests this information claiming to be Sippy, do not respond and report it to us immediately.

7. Third-Party Services

We use the following third-party services to provide our service:

• Meta (WhatsApp Business API): To receive and send messages through WhatsApp. Your messages are processed through Meta's servers. WhatsApp Privacy Policy
• Coinbase (CDP - Coinbase Developer Platform): To securely create and manage payment accounts. Security keys are stored in Coinbase's secure infrastructure. Coinbase Privacy Policy
• Arbitrum Network: To process dollar transactions. Arbitrum is a public blockchain, meaning transaction data (amounts, addresses, timestamps) is publicly visible and permanently recorded.
• Blockscout: To retrieve transaction history and balance information.
• Groq (optional): When enabled, your message text may be sent to Groq's AI service for natural language processing to understand your commands. This feature can be disabled. Groq processes data per their Privacy Policy.

8. Data Storage and Security

We implement appropriate security measures to protect your information:

• Your wallet private keys are stored securely by Coinbase in their Trusted Execution Environment (TEE) and are never exposed to our servers.
• Your phone number and wallet address are stored in a secure PostgreSQL database with encrypted connections (TLS).
• Message handling: Message IDs are cached temporarily in memory for deduplication (approximately 2 minutes). Spam counters are maintained in memory and reset periodically. We do not permanently store message content in our database. However, server logs may include message content for operational purposes and may be retained by our hosting provider according to their data retention policies.
• Transaction data is stored on the Arbitrum network (a public blockchain), which provides a permanent and publicly visible record.

9. Data Retention

We retain different types of data for different periods:

• Account data (phone number, wallet address): Retained for as long as your account is active, or until you request deletion.
• Activity data (last activity timestamp, daily spending counters): Retained in the database for as long as your account is active. Daily spending counters reset automatically each day.
• Message cache (message IDs, spam counters): Stored in memory only, cleared on server restart or after short intervals (2 minutes for deduplication). Server logs containing message content may be retained by our hosting provider per their policies.
• Payment transactions: Permanently stored on the Arbitrum network (a public blockchain). This data cannot be deleted due to the immutable nature of blockchain records.

Requesting Data Deletion

To request deletion of your account and associated data, email us at hello@sippy.lat with subject line "Data Deletion Request" and include the phone number associated with your account. We will process your request within 15 business days and confirm deletion via email. Note: Transaction records on the Arbitrum blockchain cannot be deleted due to the immutable nature of public blockchains.

10. Your Rights

Under Colombian data protection law (Ley 1581 de 2012), you have the following rights:

• Right to Access: Request information about the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Right to Revoke Consent: Withdraw your consent for data processing at any time.
• Right to Lodge a Complaint: File a complaint with the Superintendencia de Industria y Comercio (SIC) if you believe your rights have been violated.

To exercise any of these rights, please contact us at hello@sippy.lat.

11. Children's Privacy

Our service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@sippy.lat so we can take appropriate action.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: