Privacy Policy

Transparent data processing principles, security commitments, and GDPR-compliant user rights management.


Introduction

Welcome to RapidPro.app, a cloud-based Software-as-a-Service platform operated by Humanics SARL (incorporated in Dakar, Senegal). We are committed to respecting your privacy and protecting personal data. This Privacy Policy explains what information we collect, how we use and protect it, and your rights. It is aligned with international standards, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), among others. This Policy is incorporated into our Terms & Conditions. If any provision of this Policy conflicts with the Terms regarding personal data, this Policy will govern those privacy matters. By using RapidPro.app, you agree to the practices described in this Privacy Policy.

Important Roles: For the purposes of data protection law, our clients (the organizations or individuals who subscribe to use RapidPro.app) act as the Data Controllers for any personal data they collect or manage through the RapidPro platform. Humanics SARL acts as a Data Processor on our clients’ behalf when handling such data, solely to provide the service. In contrast, Humanics SARL is the Data Controller for personal data that we collect directly from our website visitors and account holders (e.g. when you register an account or contact us for support).

Definitions

For clarity in this Policy, we use the following definitions:

  • “RapidPro.app” or the “Service” – The cloud-based RapidPro hosting and related services provided by Humanics SARL. This includes managed RapidPro instances, associated web portals, APIs, and support services.
  • “Client” – An organization or individual that has signed up for a RapidPro.app account (the Data Controller for Client Data).
  • “End User” – An individual who interacts with a Client’s RapidPro workflows (for example, recipients of messages or survey respondents). End Users are typically the data subjects whose personal data may be processed through the Service at a Client’s direction.
  • “Personal Data” – Any information relating to an identified or identifiable natural person. This includes information like names, contact details, and any other data that can identify someone, as defined under GDPR (referred to as “Personal Information” under CCPA).
  • “Client Data” – Any content or data that Clients or their End Users submit, upload, or collect via RapidPro.app (e.g. contact lists, phone numbers, messages, survey responses, etc.). Clients retain ownership and control of Client Data. We process Client Data solely to provide the Service as per our agreements.
  • “Data Controller” – The entity that determines the purposes and means of processing personal data. For Client Data, this is the Client (you) who uses our Service. For data we collect about our own website users or account holders, Humanics SARL is the controller.
  • “Data Processor” – The entity that processes personal data on behalf of the Data Controller. Humanics SARL acts as a Data Processor for Client Data that our Clients input into RapidPro.app.

Other capitalized terms not defined here have the meanings given in our Terms & Conditions.

Roles and Responsibilities

Client as Data Controller: If you are a RapidPro.app Client, you are the Data Controller for any personal data you collect, upload, or manage using our Service. This means you are responsible for ensuring that the personal data of your End Users is collected and used in compliance with applicable laws (GDPR, CCPA, and any other data protection regulations). You must provide any required notices to individuals, obtain any necessary consents (e.g. consent from message recipients to be contacted), and honor any privacy rights requests from individuals under the law. Humanics SARL is not responsible for your obligations as a Data Controller, and we expressly disclaim liability for any violations or misuse of personal data that occur due to a Client’s actions. For example, if a Client uploads personal data without proper consent or uses the Service to send unsolicited messages in violation of law, the Client bears sole responsibility for those actions.

Humanics SARL as Data Processor: When we process Client Data on your behalf, we do so only on your instructions and for the purpose of providing and supporting the Service. We will not use your Client Data for our own purposes, aside from limited use to maintain and improve the Service (such as aggregated usage analytics that do not reveal any personal identities). We treat Client Data as confidential and do not access it except as necessary to operate or support the Service (for example, for backups, troubleshooting an issue you report, or as required for security). Our personnel are bound by confidentiality obligations. We will not share Client Data with any third party except as needed to provide the service (under similar confidentiality and data protection obligations with our subcontractors) or if required by law as described in Data Sharing below. If you are subject to specific regulations (e.g. EU GDPR) and require a dedicated Data Processing Agreement (DPA), we are willing to sign a standard DPA outlining each party’s responsibilities for protecting personal data. Please contact us to arrange this if needed.

By using RapidPro.app, you acknowledge these roles. In summary, you own and control your data, and we process it for you under your guidance. We will take appropriate measures to safeguard it as described in this Policy. If you or your End Users have any questions about personal data handled in a RapidPro workflow, the initial point of contact should generally be you (the Client), since you determine how that data is used. We will, however, assist our Clients in fulfilling their privacy obligations where applicable (for example, by providing tools to delete or retrieve End User data, or by cooperating with a Client’s request to respond to an individual’s rights).

Personal Data We Collect

We only collect personal data that is necessary to provide our services and operate the RapidPro.app platform. This includes:

  • Account and Registration Information: When you register for an account or use our Service, we collect personal information such as your first name, last name, email address, phone number, and a password for your account. We also ask for information about your organization (e.g. organization name) and your position/title within that organization, as well as your country of residence and preferred language or gender (if you choose to provide them). We may record your subscription plan and billing details (e.g. plan type, payment status) in order to manage your account. Please note: We do not collect any government-issued identification numbers (such as national ID or passport numbers) or any biometric identifiers from users for registration or use of the Service – we simply do not require this information.
  • Contact and Communication Data: If you communicate with us (for example, via support email or a contact form), we will collect your contact details (like email address, phone number) and any information you provide in your message. This may include support queries or feedback. We use this data to respond to you and keep records of our communications.
  • Client Data (End-User Information): Through your use of RapidPro, you and your End Users may submit or generate personal data. For example, you might upload contact lists containing phone numbers or email addresses of individuals, or collect information via SMS or WhatsApp messages, surveys, or chatbots designed in RapidPro. This “Client Data” can include any type of personal information you ask your End Users to provide (such as names, contact info, survey responses, etc.), as well as the content of communications sent through the platform. Importantly, we do not collect this data for ourselves; we only process it on your behalf as a data processor in order to deliver the Service functionality. Client Data remains under your ownership and control. We strongly advise our Clients not to collect sensitive personal data (e.g. health information, financial account numbers, government ID numbers, information about children under the age of consent) through the platform unless absolutely necessary and only with appropriate legal grounds and safeguards. Our Terms prohibit using the Service to process certain sensitive data without proper measures. We do not knowingly receive any biometric data, social security numbers, or government ID data in Client Data, and our platform is not designed to process biometric identifiers.
  • Payment Information: If you subscribe to a paid plan, payment transactions may be handled by a third-party payment processor (e.g. Stripe). We do not store your full credit card details on our systems. We may keep basic billing information such as your billing contact name, billing address, and the last four digits of a payment card or transaction IDs, which are needed for invoicing, receipts, and account verification. All payments are processed securely by our payment provider in accordance with industry standards; we only receive confirmation of payment and limited details necessary to associate the payment with your account.
  • Automatically Collected Data (Logs and Analytics): Like most online services, we and our third-party partners collect certain information automatically when you visit our website or use the platform. This includes log data such as your IP address, browser type and version, device type, operating system, referring URLs, pages viewed, and the dates/times of access. We also record actions you take in the platform (for instance, login times, features used, etc.) and technical events (such as errors or performance metrics). Some of this data is collected via cookies and similar tracking technologies (explained in our Cookie Policy below). This information helps us ensure the Service is delivered properly, remains secure, and improves over time. On its own, log and usage data typically does not directly identify you by name, but it might be linked to your account or device and so can be considered personal data in certain contexts. Where required by law, we treat such identifiers as personal data.
  • Cookies and Tracking Technologies: We use cookies and similar technologies on our websites and platform interfaces to collect information about your interactions and preferences. For details on what cookies we use and why, see the Cookie Policy section of this document.

No Collection of Sensitive Categories: As noted, we do not request or collect sensitive personal data from our Clients or website users for our own purposes. This means we do not ask you to provide data like racial or ethnic origin, political opinions, religious beliefs, health information, genetic or biometric data, or criminal background as a condition of using RapidPro.app. We also do not knowingly collect information from minors (children) in our direct interactions – see Children’s Privacy below. If you believe we have inadvertently collected sensitive personal data or data from a minor, please contact us so we can delete it. Clients should also avoid uploading or collecting sensitive data via our Service unless they have ensured compliance with applicable law and obtained explicit consent where required.

Cookie Policy

Cookies are small text files placed on your device to store information that can be read by a web server in the domain that issued the cookie. We use cookies and similar tracking technologies to ensure our website and services function properly, to analyze usage, and to remember your preferences. This section explains how we use cookies, what choices you have, and the legal basis for doing so.

Types of Cookies We Use: RapidPro.app uses both first-party cookies (set by us) and third-party cookies (set by service providers acting on our behalf) for various purposes. The cookies on our site fall into the following categories:

  • Essential Cookies: These cookies are necessary for the website and platform to function and cannot be switched off in our systems. They enable core functionality such as user authentication, session management, account navigation, and security. For example, when you sign in, we set an essential cookie to maintain your logged-in session. Without these cookies, services you have requested (like accessing secure account pages or using the platform features) cannot be provided. We use essential cookies to enable features like logging in and account management. These cookies do not require user consent under GDPR, as they are used solely to provide the service you explicitly request, and our legal basis for using them is our legitimate interest or contractual necessity to operate a functional service.
  • Performance and Analytics Cookies: These cookies help us understand how visitors use our website and platform by collecting information about usage and error events. They do not collect information that directly identifies a visitor. Instead, they provide aggregated statistics that we use to improve the user experience and troubleshoot issues. For instance, we might use Google Analytics or similar tools which set cookies to track page load times, user navigation patterns, and interaction frequencies. This data helps us identify areas to optimize and ensure the Service is running smoothly. We treat these cookies as non-essential, meaning we will request your consent to use them where required. Under GDPR, our legal basis for performance analytics is consent (for EU/EEA users) or our legitimate interests in maintaining quality of service (for users in jurisdictions where consent for analytics is not mandatory), as appropriate.
  • Functionality Cookies: These cookies allow our site to remember choices you make and provide enhanced, more personalized features. They may be set by us or third-party providers to remember settings like your preferred language, time zone, or other customization on the platform. For example, a functionality cookie may remember your dashboard display preferences or that you have seen a particular in-app tutorial so it doesn’t show again. Using these cookies, we aim to make your experience more convenient and tailored. We will obtain consent for functionality cookies when required by law. The legal basis for using them is consent or, where applicable, our legitimate interest in providing a user-friendly service.
  • Targeting/Advertising Cookies: RapidPro.app does not use advertising cookies to deliver third-party ads. We do not run third-party advertising on our platform or sell advertising space, so we generally do not deploy the typical ad targeting cookies that track users across sites. In some cases, we might use similar technologies for limited promotional purposes – for example, to inform you of our own new features or services that may be relevant to you. If we ever engage in any form of targeted outreach, it would be within the scope of our own marketing and only with appropriate consent. As of the date of this Policy, we do not set any cookies for third-party advertising networks on our site. If this changes in the future, we will update this Policy and obtain any necessary opt-in consent.
  • Third-Party Cookies and Services: Some third-party services that we use to operate RapidPro.app may set their own cookies when you visit our site or use our service. For example, we use third-party analytics (such as Google Analytics), customer support chat tools (which may use cookies to enable the chat function), and infrastructure providers. These third parties may deploy cookies to deliver their services (e.g. a support chat widget remembering your session, or analytics tracking unique visits). We do not have direct control over third-party cookies. However, we carefully select reputable providers and require that any third-party cookies on our site be used only for the purposes we authorize, and consistent with this Policy. Third-party cookies are identified as such in your browser settings. This Cookie Policy does not cover cookies set by third-party sites that are not under our control.

User Choices and Consent for Cookies: When you first visit our website, you will be presented with a cookie notice or banner requesting your consent for non-essential cookies (such as analytics or functionality cookies), in accordance with GDPR and similar laws. You have the right to accept or decline such cookies. If you opt in, we will store a cookie on your device to remember your preferences. You can manage or withdraw your consent at any time – for example, by adjusting the cookie settings on our site (if available) or by clearing cookies in your browser. In addition, most web browsers allow you to control cookies through their settings preferences. You may set your browser to refuse cookies or to alert you when cookies are being set. Please note, if you disable all cookies (especially essential cookies), some parts of our Service may not function properly – for instance, you may not be able to log in or use certain features.

We will not set non-essential cookies on your device without your consent where required by applicable law. For users in the EU/EEA, the legal basis for non-essential cookies (analytics/functionality) is your consent per GDPR Article 6(1)(a). For strictly necessary cookies, our legal basis is Article 6(1)(b) (they are needed to perform the service you request) or Article 6(1)(f) (our legitimate interest in operating a secure, efficient website).

For more information on cookies, including how to see what cookies have been set on your device and how to manage or delete them, you may visit resources like aboutcookies.org. By using our site with your browser set to accept cookies, you consent to our use of cookies as described in this section (unless and until you actively opt out or withdraw consent via the methods provided).

How We Use Personal Data

We use the personal data we collect for the following purposes, and we ensure that we have an appropriate legal basis for each use:

  • Providing and Improving the Service: We process your personal data in order to set up and maintain your account, provide you with access to a dedicated RapidPro instance, and enable the functionality of the platform. This includes using your information to authenticate you when you log in, to save your workspace configurations, and to run your messaging workflows as instructed. We also use data (like usage logs and analytics) to monitor the performance of the platform, fix bugs, and continuously improve and develop new features. Legal Basis: This processing is necessary for the performance of our contract with you (Article 6(1)(b) GDPR) to provide the services you requested. In some aspects, we rely on legitimate interests (Art. 6(1)(f) GDPR) – for example, using aggregated usage data to improve service reliability is in our interest in running a stable service, and it does not override your rights since it typically does not identify individuals.
  • Customer Support and Communications: We use contact information like your email and phone number to communicate with you about the service. This includes sending service-related announcements (such as notices of maintenance or security updates), responding to your inquiries or support tickets, and providing customer support or training. We may also send you updates about new features or offerings that are part of the Service, or important information about your account (for example, reminders about subscription renewal or changes to our policies). Legal Basis: For essential communications related to the Service and your account, our basis is performance of contract (we must communicate with you to fulfill our service obligations) or legitimate interests in ensuring customer success and satisfaction. For any optional or promotional communications (such as newsletters or marketing of new services), we will either rely on legitimate interest with a clear opt-out option, or seek your consent as required by law. You can unsubscribe from marketing emails at any time by using the provided “unsubscribe” link or contacting us, and opting out will not affect your core service usage.
  • Processing Payments and Billing: If you purchase a subscription, we use personal data to process your payments and manage billing. This includes using your name and billing contact details for invoicing, and sharing necessary information with our payment processor (e.g. charging your credit card through a secure token). We maintain records of transactions for accounting, auditing, and tax compliance. Legal Basis: Payment processing is done to fulfill our contract (Art. 6(1)(b) GDPR) – to provide the paid service you requested. Compliance with financial laws and record-keeping is also a legal obligation (Art. 6(1)(c) GDPR).
  • Security and Abuse Prevention: We process certain data (like IP addresses, log-ins, and user activity) to monitor for suspicious or fraudulent activity, to maintain the security of our platform, and to enforce our Terms & Conditions. This includes using automated systems to detect misuse of the Service (for example, spamming or unauthorized access attempts) and intervening when necessary to prevent harm. We also may use data to investigate and prevent fraud, attacks, or illegal activities and to comply with applicable laws (such as export restrictions or sanctioned-party screening, if relevant). Legal Basis: These activities are within our legitimate interests in protecting our business, service, and users (Art. 6(1)(f) GDPR). In some cases, they are also part of our legal obligations (Art. 6(1)(c)), such as when cooperating with law enforcement or handling reports of illegal content.
  • Compliance with Legal Requirements: We may process and disclose personal data where necessary to comply with a legal obligation. For instance, we might retain certain information to meet tax and accounting regulations, or disclose information in response to valid legal process (such as a court order or subpoena). We will only do so to the extent required by law and will attempt to notify you of any such requests, when legally permissible, as described further below. Legal Basis: Legal obligation (Art. 6(1)(c) GDPR) and, where applicable, legitimate interests in cooperating with lawful requests.
  • Aggregate and Anonymized Data Uses: We may use personal data in an aggregated or anonymized form (such that individuals cannot be identified) for purposes like creating usage statistics, analyzing trends, benchmarking system performance, and improving our services. For example, we might track the total number of messages sent through our platform each month or the average response rate to a certain type of campaign, without any reference to specific individuals. Such data no longer constitutes “Personal Data” under GDPR/CCPA once fully anonymized. Legal Basis: Not applicable once anonymized (as it is no longer personal data); for aggregated data that might still indirectly relate to individuals, we base this on legitimate interests in understanding and improving our service, ensuring any privacy impacts are minimal.

We do not use personal data for any purposes other than those described above. In particular, we do not sell your information or use it for third-party advertising. We also do not engage in any automated decision-making or profiling that produces legal or similarly significant effects on you without human involvement (such as credit scoring or employment decisions by algorithm). Any automated processes in RapidPro (like auto-sending a message based on a workflow trigger) are configured by our Clients and do not reflect decisions made by us about an individual’s personal status.

If we intend to use your personal data for a new purpose that is not compatible with the purposes listed above, we will update this Privacy Policy and, if required, obtain your consent or give you the opportunity to opt out.

Legal Bases for Processing

For individuals in the European Economic Area (EEA), United Kingdom, or other jurisdictions that require a legal justification for processing personal data, we rely on the following legal bases under GDPR for the activities described:

  • Performance of a Contract (GDPR Art. 6(1)(b)): We process personal data that is necessary to provide the RapidPro.app service and fulfill our contract with you. This includes account data, messaging data, and other information essential to running the platform at your request. When you create an account and agree to our Terms, a contract is formed, and we must process your data to perform that agreement (e.g. hosting your RapidPro instance, delivering messages you send, etc.).
  • Consent (GDPR Art. 6(1)(a)): We rely on your consent for certain processing that is not strictly necessary for the service. This includes, for example, placing non-essential cookies (analytics or functional cookies) on your device (as detailed in our Cookie Policy), or sending you marketing communications about our products and services. Where we ask for consent, you have the right to withdraw it at any time. Withdrawal of consent will not affect the lawfulness of processing already carried out, but it will stop the future processing of your data for the purpose you withdrew consent from (e.g. if you unsubscribe from marketing emails, we will stop sending them).
  • Legitimate Interests (GDPR Art. 6(1)(f)): We process certain data as necessary for our legitimate business interests, provided those interests are not overridden by your data protection rights. We have a legitimate interest in ensuring the security of our platform, improving our services, supporting our customers, and running a sustainable business. For example, it is in our interest to use certain analytics to understand platform performance, to prevent fraud/abuse on our service, and to communicate important service updates to customers. When we rely on this basis, we carefully consider and balance our interests against your privacy rights, and we take steps to minimize the impact on your privacy (for instance, by using pseudonymized or aggregated data where feasible). You have the right to object to processing based on legitimate interests in certain cases – see Your Rights below.
  • Legal Obligation (GDPR Art. 6(1)(c)): In some cases, we must process personal data to comply with a law or regulation. Examples include retaining invoices for tax purposes or providing information to authorities if we are legally required to do so. We will only process the minimum data necessary to meet our legal obligations.
  • [For Client Data] Public Interest / Controller’s Legal Basis: Note that for personal data that Clients (as Controllers) collect through RapidPro.app, it is the Client’s responsibility to ensure they have a valid legal basis for that processing. Depending on context, a Client may rely on consent (e.g. an NGO obtains consent from individuals to collect survey responses), legitimate interest (e.g. a government agency sending non-marketing informational messages for a public interest purpose), or another basis. Humanics SARL, as a Processor, does not determine the legal basis for Client Data – we simply act on the Client’s instructions. We will, however, assist clients in meeting their legal compliance (for instance, by signing DPAs or enabling consent mechanisms in RapidPro flows as needed).

If you have questions about the legal basis for any specific processing of your personal data, you can contact us (see Contact section) and we will provide additional information.

Sharing and Disclosure of Personal Data

Humanics SARL understands the importance of keeping your personal data private. We do not sell, rent, or trade your personal information to third-party marketers or anyone else. We will never monetize your data. We only share personal data in a few specific circumstances, described below, and always under appropriate safeguards:

  • Service Providers (“Processors”): We use trusted third-party companies to help us operate and support the RapidPro.app Service. These include, for example, cloud infrastructure providers (for server hosting and storage), data center operators, email delivery services, SMS gateway providers (if needed for sending messages), analytics services, error tracking and monitoring services, customer support tools, and payment processors. We share only the necessary personal data with these providers for them to perform their functions on our behalf. For instance, we may share your account email with an email service to send a verification message, or share your phone number with an SMS provider if you’ve enabled SMS two-factor authentication or sending messages via that gateway. Each of our service providers is contractually bound to protect your data, use it only for the purposes we specify, and to adhere to confidentiality and security obligations. They are not permitted to use your data for their own unrelated purposes. A list of our key subprocessors can be provided on request (and may be outlined on our website or DPA).
  • Within Humanics SARL and Affiliates: Humanics SARL is a single operating entity in Senegal, and we currently do not have separate parent or affiliate companies that share in the data. If this ever changes (for example, if we establish a subsidiary for EU operations), we may share data within our corporate group as necessary to provide the service (e.g. centralized customer support or engineering), under essentially the same policies. Any internal sharing would still be limited to what is necessary and personnel with access would be under confidentiality obligations.
  • At Your Direction (Integrations): We will share or transfer data with third parties when you explicitly ask us to or consent to it. For example, if you configure an integration in RapidPro that sends data to a third-party system (like exporting contact data to a government database or syncing with a CRM via API), we will transmit data to that third party at your instruction. Similarly, if you use a feature to download or export your data, we are providing it to you for you to share as you see fit. These are not disclosures we initiate, but rather ones you initiate as part of the service functionality. In such cases, you are responsible for the third-party relationship, and their use of the data will be governed by their terms and privacy policy – not by ours. We are not responsible for how third parties handle data once it leaves our platform at your request. We simply facilitate the connection as configured by you. We advise you to review any third-party services’ privacy practices before integrating them with RapidPro.
  • Legal Compliance and Protection: We may disclose personal data to third parties (such as courts, law enforcement or government agencies) if we believe in good faith that such disclosure is necessary to: (a) comply with any applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our Terms & Conditions or other agreements, investigate potential violations, or protect the security or integrity of our platform; or (c) protect the rights, property, or safety of Humanics SARL, our users, or the public from harm or illegal activities. If we receive a government or law enforcement request for user data, our policy is to scrutinize the request and only comply if required by law and scoped to specific legally-required data. Wherever possible, we will notify you of any such request before disclosing your data, so you have an opportunity to object or seek legal remedies, unless we are legally prohibited from doing so. We will also cooperate with any reasonable requests you have to contest or limit a mandatory disclosure. We will refuse overly broad or unlawful data requests. In summary, we only provide data to authorities as required by law and after careful review.
  • Business Transfers: If Humanics SARL is involved in a potential or actual merger, acquisition, investment financing, due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, personal data may be transferred to a successor or affiliate as part of that transaction. We would ensure any such entity is bound by confidentiality and privacy obligations at least as protective as those in this Policy. If a change in ownership occurs, we will provide notice to users (for example, via email or a prominent notice on our site) explaining any choices you may have regarding your personal data. Your information would remain subject to the promises made in any pre-existing Privacy Policy unless you agree otherwise.
  • With Your Consent: In cases not covered above, if we want or need to share your personal data with a third party, we will ask for your consent. You have the right to authorize or refuse such sharing. For instance, if we ever wanted to publish a customer testimonial or case study that includes personal information, we would only do so with explicit permission from the individuals involved.

Outside of the situations above, we will not disclose your personal data to any third party. In particular, Humanics SARL does not sell your personal information to anyone, and we have not sold personal information in the past. We do not share data with advertisers or data brokers. Any information shared with our service providers is only for legitimate business purposes as described and not for those providers’ own use beyond what’s necessary to assist us.

We also do not monetize End User data or client content in any way. All Client Data processed on our platform remains confidential and under your control; we simply hold it and process it for you as described. We may disclose aggregated, anonymized information (e.g. overall usage metrics) publicly or to partners, but such information will not identify any individual or specific organization.

Client Data Processing and Protection

This section provides more detail on how we handle Client Data (the information our Clients input about their End Users or use in their messaging campaigns) in our role as a Data Processor:

  • Use Limitation: We process Client Data only to provide and support the RapidPro.app Service and as otherwise instructed by our Clients. We do not use Client Data for any independent purposes outside of what is needed to deliver the service functionality. For example, if you upload a list of phone numbers and names to send a survey, we will store that list and make it available in your workspace, and our system will use it to send messages when you trigger a flow – but we will not use those contacts for any purpose outside your account’s operations. We will not contact your End Users on our own or extract personal data from your Client Data for our marketing or analytics. The only analyses we might perform on Client Data would be in aggregate to optimize system performance or storage (e.g. measuring total message throughput) without identifying individuals.
  • No Unauthorized Access: Humanics SARL personnel do not access the content of Client Data unless it is necessary for a legitimate reason, such as resolving a support issue, debugging a technical problem, or investigating a security incident. Even in such cases, only authorized staff will access the minimum data needed, and any access is logged and monitored. By default, your data stays isolated and only accessible to you and authorized users you designate on your account. We design our systems so that routine operations do not require reading Client content. For instance, backups and transfers are automated. If you seek support that requires looking at your data, we will seek your permission when feasible. We also logically segregate each Client’s data from others: each client’s RapidPro instance and database are separate, and no customer can access another’s data. Even in a multi-tenant environment, proper separation is maintained so that your data is only accessible by your account and not by other clients.
  • Confidentiality: We consider Client Data to be confidential information. We will not disclose it to any third party except as described under Sharing and Disclosure (e.g. to our subprocessors for service delivery, or if compelled by law). Our employees and contractors are bound by confidentiality agreements to protect client information. Additionally, any non-public information you share with us, such as business plans, custom integration details, or support tickets, will likewise be treated as confidential on our side. We expect clients to similarly treat any non-public information about our service (like special pricing or non-public documentation) as confidential. Both parties agree to implement reasonable measures to safeguard each other’s confidential information and not to use or disclose it outside the scope of the service relationship.
  • Data Security Measures: We detail our security practices in the Data Security section, but in brief, we apply strong technical and organizational measures to Client Data: encryption in transit and at rest, access controls, network security, etc. We also ensure any subprocessors handling Client Data meet high security standards. We conduct periodic risk assessments and maintain a security program following industry best practices.
  • Subprocessing: As noted, we use certain third-party processors (subprocessors) to help in data processing (for example, cloud hosting providers or communication APIs). We vet all subprocessors for strong security and privacy practices. Each is bound by a data processing agreement that mirrors our commitments to Clients (including GDPR-standard clauses when applicable) to ensure they only process data for the specified purpose and protect it. We remain liable for the actions of our subprocessors in their handling of Client Data, subject to the terms of our agreements.
  • Assistance with Data Subject Requests: If you, as a Client, receive a request from one of your End Users to exercise their privacy rights (such as accessing or deleting their data), we will assist you as needed. The RapidPro platform provides tools to search, export, and delete data like contact information and message history, which you can use to fulfill such requests. If an End User were to contact us directly regarding data that is your Client Data, we will, if possible, refer them to you (since you control that data) or notify you of the request. We will not grant any third party access to Client Data unless required by law, and even then, through the processes described earlier (with notice to you when permitted). In essence, we will cooperate with you to ensure you can meet obligations to your data subjects.
  • Data Processing Agreement (DPA): We understand certain laws (like GDPR) require a formal DPA between Data Controller and Processor. Our Terms & Conditions incorporate many data protection provisions by reference to this Privacy Policy. However, we are happy to sign a separate DPA for Clients who need it for compliance. Our DPA outlines in more detail aspects like processing scope, duration, assistance, subprocessors, breach notification, etc., aligned with Article 28 GDPR requirements. To request a DPA, please contact us at the email in the Contact section.

In summary, we act as faithful custodians of your Client Data. You retain full ownership of all Client Data that you upload or generate on RapidPro.app, and we obtain no rights to it except the limited rights necessary to host and process it for you. We will not monetize or improperly disclose it. If you choose to stop using RapidPro.app, we will return or delete your Client Data as described below. We want you to feel confident entrusting us with your data – it’s a responsibility we take very seriously.

Data Retention

We will retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.

Account Data: For users of RapidPro.app, we keep your account information and profile data while your account remains active. This is necessary to provide you with the Service. If you decide to cancel your subscription or your account otherwise terminates, we will generally delete or anonymize your personal information within a reasonable period after the account is closed. By default, we aim to delete account data within [X] days of termination, except for information we are required to keep longer. For example, we may retain some basic information in our business records (such as invoices, payment records, and your organization’s name) for accounting, audit, and legal compliance purposes. If you simply stop using your account (and it is not formally closed), we may contact you after a period of inactivity to ask if you wish to maintain the account. If we determine an account has been abandoned or disused for an extended time, we reserve the right to deactivate and eventually delete it after attempts to reach you, as permitted by our Terms. We will not delete an active account’s data without notice.

Client Data: We retain Client Data (the data within your RapidPro flows, contacts, messages, etc.) for as long as you are a subscriber and using our Service. You are free to delete or export specific data from the platform at any time via the provided tools (for instance, you can delete contacts or messages in your workspace). We perform regular backups of databases to ensure recoverability and business continuity. These backups are encrypted and retained for a limited retention cycle (typically a rolling period, e.g., 30 days of backups), after which they are overwritten or deleted. If you delete data in the platform, it will be removed from the live database promptly, but it may persist in our encrypted backups until those backups expire on their normal schedule. We do not use old backups to restore data unless needed for disaster recovery, and any restoration will follow strict procedures.

After Termination: Upon termination or cancellation of your subscription, we will provide options regarding your Client Data. In general, once your service ends, your RapidPro instance will be taken offline. We may retain the data for a brief grace period (e.g., 30-60 days) in case you reactivate your account or need to retrieve any data that was not exported. During this grace period, your data remains subject to this Privacy Policy and we will not actively process it except as needed for storage. After the grace period, we will permanently delete or anonymize the Client Data in our production systems, unless we are legally required to retain it longer. We may also, if feasible, return specific data to you upon request before deletion (for example, providing a final export of your database). Any residual data in backups will be overwritten in the normal backup rotation. If you need us to retain data longer (for example, if you are transitioning to another service and need extra time), or if you need immediate deletion of all data upon termination, please contact us to discuss arrangements – we aim to be flexible within legal and technical constraints. Our goal is to ensure that when you leave the service, your data does not linger in our systems beyond what is necessary.

Web Analytics Data: If we have collected analytics data about your visits to our website (through cookies or logs), those records are typically aggregated and retained for analysis for a certain period (commonly 12-24 months) before being deleted or anonymized. We use retention settings in tools like Google Analytics to automatically delete user-level data after a set time. Raw web server logs are generally rotated and deleted on a shorter timeframe (e.g., every few weeks or months) unless needed for security investigations.

Communication Records: If you contacted us for support or questions, we may retain those communications (emails, support tickets, chat logs) as long as necessary to address your issue and for our internal reference. Support tickets may be kept for a period (e.g., 2 years) to help us analyze service issues and improve. If you prefer we delete a specific support correspondence and it doesn’t conflict with our legal obligations, you can request deletion.

Legal Requirements: We may need to retain certain data for longer periods if required by law. For instance, financial records and transactions might be kept for the duration required by tax law (which could be several years depending on jurisdiction). Similarly, if a legal claim is pending, we might preserve relevant data until it is resolved. In all cases, retention will be limited to the purpose (e.g., complying with law or defending a legal claim) and data will be deleted or anonymized when no longer needed.

We store personal data securely throughout its lifecycle. When we no longer need personal data, we will take steps to delete it or anonymize it so that it can no longer be associated with an identified person, in accordance with applicable laws. If deletion or anonymization is not immediately possible (for example, the data is stored in long-term backups), we will ensure it remains securely protected and isolated from further active use until deletion is possible.

If you have any specific questions about our data retention practices (for example, if you want to know if we still have certain information about you), please contact us.

Data Security

Humanics SARL employs robust technical and organizational security measures to protect personal data and Client Data against unauthorized access, alteration, disclosure, or destruction. We are committed to keeping your data secure and have designed our infrastructure and procedures with security as a top priority. Key measures we have in place include:

  • Encryption: All data transmitted between your devices and our servers is encrypted in transit using industry-standard protocols (HTTPS/TLS). This means that any personal data (including message content, login credentials, etc.) sent to our platform is protected from eavesdropping while in transit. Additionally, we encrypt personal data at rest in our databases and storage systems. Encryption keys are securely managed and stored. For example, your account password is stored in hashed form (we never store plaintext passwords). Sensitive fields, if any, may be encrypted at the application level as needed.
  • Access Controls: We limit access to personal data strictly to authorized personnel who need to know that information in order to perform their job duties. Different levels of access are granted based on role (principle of least privilege). Administrative access to servers and databases is restricted to a small number of trained engineers and is protected with strong authentication (such as multi-factor authentication and SSH keys). Our staff are trained on data security and privacy procedures. Every Humanics SARL employee or contractor with potential access to personal data is bound by a confidentiality agreement.
  • Network Security: We protect our servers and network with modern security tools and practices. Firewalls are in place to restrict inbound and outbound traffic to only what is necessary. We actively monitor for suspicious activities or unauthorized access attempts. Our infrastructure (which may be hosted on reputable cloud providers like Amazon Web Services) benefits from their physical and environmental security controls as well. We regularly apply security patches and updates to our software and systems to address any vulnerabilities in a timely manner.
  • Audits and Testing: We conduct periodic security audits and assessments of our systems. This may include internal reviews, third-party penetration testing, and vulnerability scanning. We also review our security policies and incident response plans regularly to ensure they remain effective and up-to-date with evolving threats. Any issues identified are remediated with high priority.
  • Organizational Policies: We maintain a comprehensive security policy that covers data handling, incident response, user account management, and acceptable use of systems. Our team is trained to identify and report potential security incidents. We limit the use of production data in testing environments. When we engage vendors or subprocessors, we ensure they meet stringent security requirements. We also have procedures for data backup, as described below, and business continuity/disaster recovery strategies.
  • Data Isolation: As mentioned, each Client’s data is logically separated from others’. Your data is stored in dedicated databases or schemas accessible only by your organization’s account credentials. This prevents any accidental cross-access. We also isolate development/test environments from production data.
  • Backups: We perform regular encrypted backups of critical data to guard against data loss. Backups are stored securely and tested periodically for restore capability. In the event of a hardware failure or other incident, we can restore data from these backups. Note that if a catastrophic event were to occur, our responsibility is to restore from the latest available backup; we cannot guarantee no data loss beyond that point. We also encourage clients to export important data periodically for their own backup needs (for instance, exporting important contact lists or reports as an extra safeguard).
  • Monitoring and Logging: We maintain logs of key activities in the system, including access logs, which can help detect and trace any unauthorized behavior. We utilize tools to alert us of unusual patterns (such as multiple failed login attempts or spikes in usage that could indicate abuse). Our operational team has on-call procedures to respond quickly to security alerts.

While we strive to use commercially acceptable means to protect your personal data, it is important to understand that no method of transmission over the Internet, and no method of electronic storage, is 100% secure. We cannot guarantee absolute security of information. However, we continuously update and improve our security measures to meet or exceed industry standards.

Your Responsibilities: You also play a crucial role in keeping data safe. We urge you to use a strong, unique password for your RapidPro.app account and to keep it confidential. Do not share your login credentials with unauthorized persons. If your account is protected by multi-factor authentication (if we offer this feature), we strongly encourage you to enable it. If you believe your account credentials have been compromised or there has been any unauthorized access, please notify us immediately. Humanics SARL is not liable for any loss or damage arising from unauthorized use of your account due to your failure to secure your credentials. Additionally, if you download or export data from our Service, you are responsible for storing it securely on your own systems. We recommend you implement appropriate security for any data you manage outside our platform.

Incident Response: In the event we discover a data breach that affects your personal data, we will notify you and any relevant supervisory authorities as required by law. We have a process in place to investigate and handle security incidents, mitigate any harm, and prevent recurrence. Our team will work diligently to address any breach and keep you informed of relevant developments.

By using RapidPro.app, you acknowledge that you understand the inherent risks of data transmission and storage in digital systems, but also that we are taking all reasonable measures to protect your data. We continually evaluate new security technologies and practices to further enhance our protection of your privacy.

International Data Transfers

Humanics SARL is based in Senegal, and our Service is used by clients around the world. The personal data that we collect or process may be transferred to, and stored at, servers and facilities located in countries different from your own. This means that if you are located in the European Union (EU) or European Economic Area (EEA), or the United Kingdom, or any other region with data protection laws, your personal data may be transferred to a country that is not deemed “adequate” by your local authorities (for example, to Senegal, the United States, or other jurisdictions where our service providers operate). In particular, we may process data in the United States and EU (Ireland) data centers, as well as in Senegal, depending on how our infrastructure and backups are managed. Our primary hosting environment is [specify location if known, e.g., “in Europe” or “in AWS data centers located in X region”]; however, some support and operational data may flow to our team in Senegal or to service providers in other countries (such as the U.S.).

Whenever we transfer personal data internationally, we take steps to ensure appropriate safeguards are in place to protect it, as required by GDPR and other laws. These safeguards include:

  • Standard Contractual Clauses (SCCs): For transfers from the EEA/UK to Senegal or any country not deemed to have adequate data protection, we will enter into the European Commission’s approved Standard Contractual Clauses (and the UK’s International Data Transfer Addendum, if applicable) with the data importer (whether that’s Humanics SARL in Senegal or a third-party service provider in a non-adequate country). These clauses contractually require the recipient to protect personal data to EU privacy standards. We also implement any supplementary measures as needed (such as encryption in transit and at rest, as described above) to ensure transferred data remains protected.
  • Adequacy and Equivalent Protections: Where we transfer data to a country that has an adequacy decision from the EU (meaning the EU has determined that country’s laws provide sufficient data protection), we rely on that decision as the transfer mechanism. For example, if any of our data is stored in a country with adequacy, such as (hypothetically) Canada or Switzerland, we can transfer under that basis. In the absence of adequacy, we rely on SCCs as noted.
  • Service Providers’ Compliance: Many of our key service providers (such as global cloud hosting or payment processors) participate in and comply with international frameworks or have their own SCCs in place. For instance, if we use Amazon Web Services or Google Cloud, those providers typically ensure compliance via SCCs and robust security measures. We flow down data transfer requirements to our subprocessors and confirm they handle EU/UK data in lawful ways.
  • Your Consent in Certain Cases: In some limited cases, we might ask for your explicit consent to transfer data internationally (GDPR Art. 49(1)(a)), such as if a one-off transfer is needed in relation to your support query and no other mechanism is available. However, our general approach is to rely on structured safeguards like SCCs rather than consent, to ensure continuity of protection.

By using RapidPro.app or submitting information to us, you acknowledge that your personal data may be transferred to other jurisdictions as described. We will ensure such transfers comply with applicable laws and that your data remains protected to the standards of this Privacy Policy. If you would like more information about our international data transfer practices or to obtain a copy of the SCCs in place, you can contact us at the information provided.

Please note that Senegal itself has a data protection law and authority (CDP – Commission de Protection des Données Personnelles). Humanics SARL complies with applicable Senegalese data protection regulations as well. However, we understand that for EU personal data, EU law governs the transfer requirements.

We will update this section if we join any recognized frameworks or if the legal landscape changes (for example, if new transatlantic data transfer frameworks or adequacy decisions are adopted that apply to our transfers).

Your Privacy Rights

Depending on your location and applicable law, you have certain rights regarding your personal data. We are committed to honoring these rights and provide mechanisms for you to exercise them. The following is an overview of rights under the GDPR (for EU/EEA and equivalent jurisdictions) and under the CCPA (for California residents). If you are located elsewhere (e.g., in Senegal or another African country with privacy laws), you may have similar rights; we extend the essence of these rights to all users where reasonably possible, even if not legally required in all jurisdictions.

Rights Under GDPR

If you are in the European Union, EEA, UK, or other jurisdiction with similar laws, you have the following rights with respect to your personal data that we hold as a Data Controller (for example, your account data or website usage data):

  • Right to Be Informed: You have the right to be given clear, transparent information about how your personal data is collected and used. We fulfill this through this Privacy Policy and related notices.
  • Right of Access: You have the right to request a copy of the personal data we hold about you, and to obtain information about how we process it. This is often called a “Data Subject Access Request.” Upon verification of your identity, we will provide you with a copy of your data in a common format, typically within one month as required by GDPR.
  • Right to Rectification: You have the right to have inaccurate personal data corrected or completed if it is incomplete. You can update some of your account information directly through your account profile tools. For any other corrections, you can contact us and we will rectify the information if we agree it is inaccurate.
  • Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data when it is no longer needed for the purposes for which it was collected, or if you withdraw consent (where applicable) or object to processing, or if we have processed your data unlawfully. This right is not absolute – sometimes we must retain certain data (e.g., for legal obligations). However, we will honor legitimate erasure requests and delete your data where required by law. For example, you may delete your account via the account settings, or request us to delete specific information.
  • Right to Restrict Processing: You have the right to ask us to limit the processing of your data in certain circumstances. For instance, if you contest the accuracy of data, you can request a restriction while we verify it. Or if you object to our use of data based on legitimate interest, you can request restriction pending review. When processing is restricted, we can still store your data but not use it further (except for certain things like legal claims) until the restriction is lifted.
  • Right to Data Portability: You have the right to receive your personal data that you provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible. This right applies to data processed by us by automated means, based on your consent or a contract. In practice, this could mean we provide you with a CSV or JSON export of your account data upon request, which you could then import into a different service.
  • Right to Object: You have the right to object to certain types of processing. You can object to processing based on legitimate interests on grounds relating to your particular situation – we will then stop processing unless we have compelling legitimate grounds that override your interests, or the processing is needed for legal claims. You also have an absolute right to object to your personal data being used for direct marketing purposes – if we ever were to do any direct marketing, we would stop immediately upon your objection (and as noted, you can always unsubscribe from marketing emails). If you object to any analytics or research processing, we will consider your request and comply if required.
  • Right not to be subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects. As mentioned, RapidPro.app does not engage in such automated decision making about users without human intervention. If that changes, we will inform you and ensure appropriate safeguards, including the right to contest and obtain human review.
  • Right to Withdraw Consent: If we rely on your consent for any processing (for example, for sending marketing emails or using optional cookies), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing before withdrawal. It may mean we can’t provide certain services (for example, if you withdraw consent to cookies that are not strictly necessary, some site functionality may not work). We will make it as easy as possible to withdraw consent, mirroring the way you gave it (for instance, an unsubscribe link in emails, or toggling off a setting).
  • Right to Lodge a Complaint: If you believe we have infringed your data protection rights, you have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State or country where you live, work, or where the issue occurred. We do, however, encourage you to contact us first so we can try to resolve your concern directly. In France (as an example, since Senegal does not have an EU supervisory authority), this would be the CNIL; in Senegal, you can contact the Commission of Personal Data (CDP).

You may exercise these rights by contacting us (see Contact Information below). We will respond to your requests within one month, or inform you if we need more time (up to an additional two months for complex requests). We will not discriminate against you for exercising any of these rights. Please note that for security, we will need to verify your identity (for example, by confirming your email or asking for information about your account) before fulfilling certain requests, especially those involving access or deletion of data.

Also, note that many of these rights apply to the data for which we are Data Controller (your account and usage data). For Client Data where we act as a Processor for your organization, if an End User contacts us directly to exercise their rights, we will notify you and assist in responding, but we typically cannot directly fulfill such requests without instruction from the Client Data Controller.

Rights Under CCPA

If you are a resident of California, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These include:

  • Right to Know (Access): You have the right to request that we disclose what personal information we have collected, used, disclosed, and (if applicable) sold about you in the past 12 months. This includes the categories of personal information, the categories of sources of that information, the business or commercial purposes for collecting it, the categories of third parties with whom we shared it, and the specific pieces of personal information we hold about you. (Please note: because we do not sell personal info, our disclosure will reflect that, and because we only share with service providers for business purposes, we will detail those categories.) A lot of this information is provided in this Privacy Policy. In summary, in the last 12 months, we have collected the following categories of personal information from California consumers: Identifiers (such as name, email, phone number, IP address); Customer Records Information (such as contact address if provided, company affiliation); Commercial Information (subscription plan and purchase history) – though we do not collect traditional consumer purchase history beyond our own service subscriptions; Internet or Network Activity (usage logs and cookie data); Professional Information (organization and job title); and Inferences (very limited, we do not profile for inferences about preferences, except possibly inferring language or time zone from settings). We do not collect sensitive categories like social security numbers, driver’s license numbers, financial account numbers (aside from what is needed for billing, which is processed by a third party), biometric information, precise geolocation, or sensory data. We also do not knowingly collect information of persons under 16 years old. We have not sold any personal information in the past 12 months, including information of minors under 16.
    We have disclosed personal information to service providers for business purposes in the past 12 months in the categories of: identifiers (to our cloud and email providers), internet activity (to analytics providers), and professional info (to our CRM/support tools), as described in the Sharing section. California law also considers certain uses of cookies as “sharing” for cross-context behavioral advertising; we do not engage in cross-site behavioral advertising, so we do not “share” personal info in that sense. You may request the above information from us up to twice in a 12-month period, free of charge.
  • Right to Delete: You have the right to request that we delete personal information we have collected from you and retained, subject to certain exceptions. Upon a verifiable deletion request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. Note that the CCPA allows retaining information needed to, for example, complete the transaction for which it was collected, detect security incidents, comply with legal obligations, or other limited purposes. In practice, if you request deletion, we will remove the personal data that is not required for ongoing service or legal compliance. For instance, if you are an active customer, deletion of all data may require account cancellation. If you are a past customer, we can delete most data but may keep billing records as required by law. We will inform you of any data we cannot delete and why, when responding to your request.
  • Right to Correct: Under CPRA, California residents also have the right to request correction of inaccurate personal information maintained by us. If you believe any information we have is incorrect, please let us know and upon verification we will correct it (or allow you to correct it directly when feasible).
  • Right to Opt-Out of Sale or Sharing: As noted, we do not sell personal information, and we do not share it for cross-context advertising. Therefore, there is no need for you to opt-out of the sale of your data – we have already opted out by policy. If that ever changes, we will provide a “Do Not Sell or Share My Personal Information” link or mechanism as required by law. For completeness: sale in CCPA is broadly defined, but it excludes sharing with service providers for business purposes (which is what we do). We also do not knowingly “share” data for targeted advertising. Thus, by default, your data is not sold or shared beyond the service provider context. If you still wish to formally record a preference (for instance, to opt-out of any potential future sale), you may contact us and we will note your preference and confirm that we do not sell data.
  • Right to Limit Use of Sensitive Personal Information: CPRA introduces a right to limit use of sensitive personal info. However, we do not collect or use sensitive personal information for any purposes that trigger this right (we do not use or disclose sensitive info in ways other than providing the services requested or as otherwise minimally necessary). Therefore, this right is not applicable to our operations at this time.
  • Right of Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we will not deny you service, charge you a different price, or provide a lesser quality of service because you made a privacy rights request. (Note: If deletion of certain data makes it impossible to continue providing you a service, we will inform you and it might result in closure of your account – but that is a logical consequence of the request, not a discriminatory action or penalty).

Submitting CCPA Requests: To exercise your California rights to know, delete, or correct, you (or your authorized representative) can contact us through the methods listed in Contact Information below, preferably via email. Please indicate that you are making a “CCPA request” and specify which right you seek to exercise. We will need to verify your identity to a reasonable degree of certainty before fulfilling a CCPA request. This may involve matching information you provide with information we have on file (for instance, verifying your name, email, and perhaps requiring a reply from the email we have on record). For access or deletion of highly sensitive data, we may require additional verification or a signed declaration. If you have an authorized agent submitting the request on your behalf, we will require proof of the agent’s authority and verification of either you or the agent directly.

We aim to respond to verifiable consumer requests within 45 days as required by CCPA. If we need more time (up to an additional 45 days), we will inform you of the reason and extension in writing. Any disclosures we provide will cover the 12-month period preceding the receipt of the request, unless you request a longer period as allowed (CPRA allows going beyond 12 months in some cases). Where applicable, we will deliver our written response electronically in a secure format.

If we cannot fulfill a request, we will explain the reasons (for example, we could not verify your identity, or the data falls under an exemption). Rest assured, we will not provide certain sensitive pieces of information in response to access requests if the law does not require it (for example, we will not reveal your password or any sensitive security answers, and we will not disclose any SSN or payment card numbers if we had them except in the secure manner prescribed by law).

For California residents who interact with us in the context of a business (B2B communications) or as job applicants/employees, please note that certain CCPA rights (like the right to know and delete) were partially limited for those contexts until January 1, 2023, but we still endeavor to honor requests in good faith regardless of that. Now that CPRA has removed those exemptions, all individuals are covered by the rights listed above.

If you have questions about your rights or how to exercise them, please contact us. We are dedicated to treating your data with respect and enabling you to have control over it.

Children’s Privacy

We do not knowingly collect or solicit personal information from anyone under the age of 13 (or under the age of 16 in jurisdictions where 16 is the age of digital consent, such as parts of the EU) without appropriate consent or authorization. The RapidPro.app Service, as outlined in our Terms, is intended for adult use – you must be at least 18 years old (or the age of majority in your jurisdiction) to register for an account. We do not direct our services to children, and we require that individuals under 18 do not use our platform for their own personal use. Any accounts suspected to be operated by minors may be suspended until verifiable parental consent is provided or the account is proven to be managed by an adult.

If you are a parent or guardian and believe that a child under the relevant age has provided personal information to us without your consent, please contact us immediately. We will take steps to promptly delete the information and terminate any account, as applicable.

For End User data: Our Clients might sometimes use RapidPro to engage with youth (for example, an NGO might run an educational SMS campaign targeting teenagers). In such cases, the Client as Data Controller is responsible for ensuring that any collection of personal data from minors complies with applicable laws (such as obtaining verifiable parental consent under COPPA for children under 13 in the U.S., or under 16 under GDPR unless member state law sets a lower age, etc.). Humanics SARL, as a Data Processor, will process that data as instructed but relies on the Client to have obtained any necessary consents. If we become aware that a Client is using our Service in a manner that collects data from children without proper safeguards or consent, we may suspend or terminate such use in line with our Terms and legal obligations.

In summary, we do not knowingly collect information from children and our website and services are directed at users who are at least 13 years old (16 in certain regions, 18 to create an account). If we learn that we have inadvertently gathered personal data from a child under those ages without appropriate permission, we will delete that data as soon as possible.

Third-Party Services and Links

RapidPro.app may contain links to websites or services operated by third parties, or allow you to interface with third-party products (as discussed in Sharing and Integrations). Examples include: links to partner websites, embedded content like videos or maps, or optional integrations with messaging providers. Please note that this Privacy Policy applies only to data handled by Humanics SARL and RapidPro.app. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services that are outside our platform.

If you follow a link to a third-party site (for example, a link to documentation or a payment portal that is not on our domain), any personal information you provide on that site is governed by their privacy policy, not ours. We encourage you to review the privacy policies of every website or service you visit. The inclusion of a third-party link or integration does not imply that we endorse or have vetted their privacy practices.

In the context of third-party integrations or data flows that you enable within RapidPro (for instance, sending data to an external API), while we facilitate the connection, we cannot ensure or warrant how that third party will handle the data once it is in their possession. As noted, any issues or breaches that occur on a third-party service are outside of our control and responsibility. We advise you to choose integration partners carefully and use additional agreements or safeguards with them if needed.

We do make efforts to ensure that our official partners and service providers have privacy standards that align with ours. We perform due diligence on third-party providers and require agreements that protect our users’ data when we share it. However, we cannot guarantee the absolute integrity of any third party; therefore, we disclaim liability for the actions of third parties beyond our direct control.

In summary, please exercise caution when using third-party services or following links from our platform. If you have concerns about a third-party service we use (for example, our use of a particular analytics tool or chat support tool), feel free to contact us for more information. We value transparency and will provide as much information as we can about how your data is shared and protected.

Changes to this Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make changes, we will post the updated policy on our website and update the “Last Updated” date at the top. If changes are significant, we will also provide a more prominent notice – for example, by emailing all account holders or by placing a banner notice on our site.

Your continued use of RapidPro.app after any such update constitutes your acceptance of the revised Privacy Policy, to the extent permitted by law. However, if the changes require your consent (for example, if in the future we were to start processing data for a new purpose that originally required consent), we will obtain that consent. We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

If you do not agree with any updates to the Privacy Policy, you should stop using the Service and you may close your account. We will respect prior commitments to the extent required – for instance, we will not materially reduce your privacy rights under this Policy without your consent.

Disclaimers and Liability

No Warranties: While we are committed to protecting your privacy, this Privacy Policy is not a warranty or guarantee that the services will be free from any data security incidents or that they will fit any particular purpose for you. Our platform is provided subject to the disclaimers and limitations of liability in our Terms & Conditions. In particular, RapidPro.app is provided “as is” and we make no explicit warranties regarding absolute security or error-free operation. We hereby disclaim any liability to the fullest extent permitted by law for any indirect, consequential, or punitive damages that may arise from data breaches, unauthorized access, or other privacy-related incidents, except to the extent such disclaimer is prohibited by applicable law. Our liability, if any, will be limited according to our Terms and applicable law.

Client Responsibility for Compliance: As noted earlier, Clients bear responsibility for the lawfulness of the data they collect and process using our Service. Humanics SARL shall not be held liable for any claims, damages, or legal penalties arising from a Client’s failure to obtain proper consent, provide notice, or otherwise meet their obligations under privacy laws. By using RapidPro.app, you agree to indemnify and hold Humanics SARL harmless for any third-party claims or regulatory fines that result from your misuse of the Service or violation of data protection laws, to the extent allowed by law (this is further detailed in our Terms & Conditions). We provide tools and information to assist you, but ultimate compliance (especially with respect to your End Users’ data) rests with you.

Third-Party Acts and Omissions: We are not responsible for the acts, omissions, or security of third parties that we do not control. This includes third-party integration partners, telecom carriers (if, for instance, the content of an SMS message is intercepted over a telephone network outside our system), or other users of the Service. If personal data is compromised due to a vulnerability or misuse on a third-party site or service, our liability is disclaimed. For example, if you export data from our Service and then that data is stolen from your own systems, we are not responsible for that subsequent breach.

Force Majeure: Humanics SARL will not be liable for any data disclosure or loss that occurs due to events beyond our reasonable control, such as natural disasters, war, terrorism, government actions, widespread internet outages, or other force majeure events. We will, however, do our best to maintain and restore services in such events as per our disaster recovery plans.

These disclaimers and liability limits apply to the maximum extent permitted under applicable law. Some jurisdictions do not allow the exclusion of certain warranties or the limitation/exclusion of liability for incidental or consequential damages, so some of these limitations may not fully apply to you. In such cases, our liability will be limited to the extent permitted by law.

Please refer to our Terms & Conditions for further details on limitation of liability and indemnification, as those provisions govern the overall relationship. This Privacy Policy is intended to be consistent with those provisions and not to create additional liabilities beyond them.

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, you can reach out to us using the contact details below. We are here to help and will do our best to address your inquiries promptly and thoroughly.

Humanics SARL (Operator of RapidPro.app)
Business Address: Cité Keur Gorgui, Dakar, Senegal. (This is our principal office address for official correspondence.)
Email: privacy@rapidpro.app (for privacy-specific inquiries)
Support Email: support@rapidpro.app (for general inquiries or support requests)
Telephone: +221 33 824 77 54 (available during business hours GMT for urgent matters)
Website: You may also contact us through our website’s support portal or contact form.

We typically respond to all legitimate requests or questions within 2 business days, and within at most 30 days for formal data requests. Communication is available in English and French.

If you need to send us any legal notices or service of process, please do so at the mailing address above, and send an email notification as well for quicker handling.

 

Thank you for reading our Privacy Policy. We value your trust and are committed to safeguarding your privacy while providing a powerful platform for your messaging and data collection needs. If you have any further questions or suggestions regarding privacy or data protection, please do not hesitate to contact us. Your feedback helps us improve and ensure we meet the high standards expected by our user community and the global regulatory environment.

 
