Privacy
1. Who We Are
OneWin is a personal hackathon project built and operated by Naim Miah (“I,” “me,” or “OneWin”). Under GDPR and similar laws, I am the data controller—I decide why and how your data is processed.
2. Data I Collect
| Category | Examples | Purpose |
|---|---|---|
| Account & Contact Data | WhatsApp phone number, display name, profile picture URL | To identify you and send you messages |
| Message Data | Text you send to my WhatsApp bot, timestamps, media links | To generate automated replies, personalize content, and debug |
| Usage Metrics | API logs, device type, error reports | To monitor performance and improve the service |
| AI-Generated Content | Summaries, recommendations, or automated responses | To deliver the core OneWin features |
I do not intentionally collect sensitive categories (race, religion, health, etc.). If you send them in a message, they’re processed only as needed to fulfill your request and then deleted per Section 5.
3. Legal Bases for Processing
| Legal Ground | When It Applies |
|---|---|
| Consent (Art. 6(1)(a) GDPR) | You opt in by messaging the bot. You can withdraw at any time (just DM “DELETE”). |
| Contract (Art. 6(1)(b)) | Needed to deliver hackathon features you ask for. |
| Legitimate Interest (Art. 6(1)(f)) | Basic analytics, security, and preventing abuse. |
4. How I Share Data
| Recipient | Reason |
|---|---|
| Meta (WhatsApp Cloud API) | Transport of messages between you and OneWin |
| Supabase | Secure data storage and serverless functions |
| OpenAI | Generate smart replies or summaries (only the text you send, no phone numbers) |
| Legal Authorities | Only if compelled by a valid subpoena or court order (see Section 8) |
I never sell or rent your data—full stop.
5. Retention
Messages & logs: 30 days, then auto-deleted.
Analytics: Aggregated and anonymized after 90 days.
Pulled media (images, voice notes): Streamed and never permanently stored.
You can nuke everything earlier by sending “DELETE” to the bot or emailing me (see Section 10).
6. Your Rights
Depending on where you live, you can:
Ask for a copy of your data (right of access)
Correct inaccuracies (rectification)
Delete it (erasure)
Restrict or object to processing
Port it to another service
Shoot a note to [email protected] and I’ll respond within 30 days.
7. Security
End-to-end HTTPS everywhere
Row-level security in Supabase
Least-privilege API keys stored in n8n’s encrypted credential vault
Routine dependency updates & vulnerability scans
No system is 100% bullet-proof, but I treat your data like my own.
8. Government & Law-Enforcement Requests
I require a valid subpoena or court order before handing over any user data. If the request looks over-broad or unlawful, I will challenge it. All requests are logged with date, scope, and legal basis. Where legally allowed, I will notify you before disclosure.
9. Children’s Privacy
OneWin is not aimed at children under 13 (or the age required by local law). If I learn that a child’s data slipped in, I’ll delete it promptly.
10. Contact
Questions, complaints, or data-rights requests:
Naim Miah
Email: [email protected]
Address: 123 Main St, Apt 4B, Queens, NY 11101, USA
11. Changes to This Policy
I may update this page to match new features or laws. Material changes will be announced in-app (or via DM) at least 7 days before they take effect.
Plain-English promise: I collect only what I need to make OneWin work, hold it only as long as necessary, and never monetize or overshare it. If that ever changes, you’ll hear it from me first.