Privacy Policy
Last updated: May 30, 2026
Butter Technology Holdings ("Butter," "we," "us," or "our") is a Wyoming C Corporation that operates buildwithbutter.com and a suite of business software products including ButterPOS, ButterStore, ButterPay, ButterCX, and Bosku (collectively, the "Services").
This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Services, including when a merchant connects its WhatsApp Business Account to Butter through Meta's WhatsApp Business Platform (the WhatsApp Cloud API).
1. Who We Are & Data Controller
The controlling legal entity responsible for the Services is:
Butter Technology Holdings (Wyoming C Corporation)
1309 Coffeen Avenue STE 1200
Sheridan, Wyoming 82801, United States
Email: privacy@buildwithbutter.com
Butter provides a multi-tenant commerce and point-of-sale platform for food & beverage businesses (restaurants, cafés, and cloud kitchens), primarily in Indonesia. Our direct customers are these businesses (each a "merchant").
Controller / processor roles. For data about a merchant's own customers — for example, the people a merchant messages on WhatsApp — the merchant is generally the data controller and Butter acts as the merchant's processor (service provider), handling that data only on the merchant's instructions. For the operation of the Butter platform itself, and for the Platform Data that Meta shares with our application at the app level (described in Section 3), Butter is responsible as controller. In all cases, Butter is accountable for safeguarding the Platform Data we receive from Meta and for handling it in accordance with this Policy and Meta's terms.
2. Information We Collect
We collect the following categories of information:
- Account Information: Name, email address, phone number, business name, and login credentials.
- Business Data: Order data, inventory, pricing, customer lists, transaction history, and other operational data you submit to our Services.
- Messaging Data: When a merchant uses ButterCX or our WhatsApp Business Platform integration, we process messages, contact phone numbers, message metadata, and media exchanged between the merchant and its customers, solely to deliver the messaging service. This is described in more detail in Section 3.
- Payment Information: Bank account details, e-wallet identifiers, and transaction records, processed through licensed payment partners.
- Device & Usage Data: IP address, browser type, device identifiers, pages visited, and timestamps.
- Cookies & Similar Technologies: Used for authentication, preferences, and analytics.
3. Platform Data We Receive From Meta / WhatsApp
When a merchant connects its own WhatsApp Business Account ("WABA") to Butter through Meta Embedded Signup, Meta's WhatsApp Business Platform shares specific data with our application. We refer to this as "Platform Data." It includes:
Account & connection credentials (about the merchant's business):
- Per-merchant WhatsApp Business access tokens issued to our app to act on the merchant's behalf.
- Our Meta app credentials (such as our App ID and app secret).
- WhatsApp Business Account (WABA) IDs.
- WhatsApp phone number IDs.
- Meta Business (Business Manager) IDs.
Messaging data (about the merchant's customers):
- Inbound WhatsApp message content sent by a customer to the merchant.
- Customer WhatsApp phone numbers.
- Customer WhatsApp profile names.
- Media (such as images and documents) that customers send to the merchant.
- Message metadata and delivery/read status.
We receive this data through Meta's APIs and webhooks. We do not sell Platform Data, and we do not use it for advertising or to build profiles unrelated to providing the Services.
4. How We Use Information
We use information to:
- Provide, operate, and maintain the Services.
- Process transactions and deliver messages on a merchant's behalf, including via the WhatsApp Business Platform.
- Authenticate users and protect against fraud and abuse.
- Improve the Services, develop new features, and conduct analytics.
- Communicate with merchants about their account, support requests, and service updates.
- Comply with legal obligations under Indonesian law and the laws of jurisdictions in which we operate.
5. How We Use WhatsApp Business Platform Data
We use the Platform Data described in Section 3 only to operate the messaging features a merchant has configured, between that merchant and its own opted-in customers. Specifically, we use it to:
- Send transactional notifications — such as order confirmations and status updates — and authentication one-time passcodes (OTPs), using message templates approved by Meta.
- Receive customer messages and display them in the merchant's agent inbox so the merchant's staff can respond.
- Send optional auto-replies that a merchant has configured.
We honor the WhatsApp Business Messaging Policy: business-initiated messages use approved templates; free-form (non-template) replies are sent only within the 24-hour customer-service window opened by a customer's message; and we do not send marketing or unsolicited messages through this integration. Messages flow only between a merchant and its own customers — we do not message a merchant's customers for our own purposes, and we do not share one merchant's customer data with another merchant.
6. How We Share Information & Sub-Processors
We do not sell personal information. We share information only as follows:
- Sub-processors: The vendors listed below, who process data on our behalf under contractual confidentiality and data-protection obligations.
- Integration Partners: When a merchant connects a third-party service (e.g., GoFood, GrabFood, Google), we exchange the data necessary to operate that integration.
- Legal Compliance: When required by law, regulation, or valid legal process (see Section 11).
- Business Transfers: In connection with a merger, acquisition, or sale of assets, subject to confidentiality safeguards.
Sub-processors with access to Platform Data. We rely on the following sub-processors to operate the Services, including the WhatsApp Business Platform integration:
- Amazon Web Services (AWS) — cloud infrastructure: database, message queues, media storage, compute, and AI processing of message content via AWS Bedrock. Regions: ap-southeast-3 (Jakarta, Indonesia) and us-east-1 (United States).
- Better Stack — application logging and error monitoring. Logs may incidentally contain Platform Data, such as phone numbers.
- Pusher (Pusher Channels) — real-time delivery of inbound messages to the agent inbox user interface.
We also exchange data with Meta Platforms, Inc. as the provider of the WhatsApp Business Platform, in order to send and receive the messages a merchant has configured.
7. Data Security
We implement administrative, technical, and physical safeguards designed to protect information, including:
- Encryption of data in transit (TLS) and at rest.
- Encrypted storage of WhatsApp Business access tokens and other connection credentials.
- Role-based access controls, least-privilege access, and authentication for staff and systems.
- Network controls, logging, and regular security reviews.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
8. Data Retention
We retain personal information for as long as a merchant's account is active and as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. More specifically:
- WhatsApp message content and media: retained while the merchant's account is active so it can be shown in the agent inbox and conversation history, and deleted within 90 days after the merchant disconnects the WhatsApp integration or offboards, except where a longer period is required by law.
- WhatsApp Business access tokens and connection credentials: stored encrypted and revoked and deleted promptly when a merchant disconnects its WABA or offboards.
- Logs and error-monitoring data (e.g., in Better Stack): retained for a limited period — typically up to 30 days — then automatically deleted.
- Transaction and tax records: retained for the period required under applicable financial and tax regulations.
When a merchant disconnects the WhatsApp Business Platform integration or offboards, we delete or de-identify the associated Platform Data within the timeframes above. Merchants and end users may also request deletion at any time — see Sections 9 and 10.
9. Your Rights
Subject to applicable law — including Indonesia's Personal Data Protection Law (Law No. 27 of 2022, "PDP Law") and, where it applies, the EU/UK General Data Protection Regulation (GDPR) — you may:
- Access, correct, or update your personal information.
- Request deletion of your account and associated data.
- Object to or restrict certain processing of your data.
- Withdraw consent where processing is based on consent.
- Request a copy of your data in a portable format, where applicable.
- Lodge a complaint with a supervisory authority.
To exercise any of these rights, email privacy@buildwithbutter.com or follow the instructions on our User Data Deletion page. If you are the customer of a merchant that uses Butter, we may direct or forward your request to that merchant, who controls that data, and assist them in responding.
10. User Data Deletion
You can request deletion of the personal data we hold about you at any time. Full, step-by-step instructions — for both merchants and the customers of a merchant — are available on our dedicated User Data Deletion page. In short, email privacy@buildwithbutter.com with the subject line "User Data Deletion Request"; we will acknowledge within 5 business days and complete deletion within 30 days, except where a longer retention period is required by law.
11. Government & Public-Authority Requests
We may receive requests for data from governments, law enforcement, or other public authorities. When we do, we review each request for legal validity, may challenge requests that are overbroad or unlawful, disclose only the minimum data necessary to comply, and document the request and our response. Where permitted by law, we will notify the affected merchant before disclosing their data.
12. Children's Privacy
The Services are not directed to individuals under the age of 17. We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will delete it.
13. International Transfers
Your information may be processed in Indonesia, the United States, and other countries where our service providers operate (see Section 6). When we transfer personal data internationally, we use appropriate safeguards consistent with applicable law.
14. Compliance With Meta & Data-Protection Law
We comply with Meta's Platform Terms, the WhatsApp Business Messaging Policy, the Meta Developer Policies, and applicable data-protection laws, including Indonesia's PDP Law and the GDPR where it applies. We use Platform Data only to provide and improve the messaging features a merchant has configured, and not for any purpose prohibited by Meta's terms.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Services or by email. Continued use of the Services after changes take effect constitutes acceptance of the revised policy.
16. Contact Us
Butter Technology Holdings (Wyoming C Corporation)
1309 Coffeen Avenue STE 1200, Sheridan, Wyoming 82801, United States
Email: privacy@buildwithbutter.com
Website: buildwithbutter.com