Privacy Policy

Last updated: 2026-05-23

1. Who we are

Barq is operated by Hashem Abu Alteen, a registered Israeli sole proprietor (Osek Patur). Barq provides an AI-powered messaging assistant that helps small businesses respond to customers on WhatsApp, Facebook Messenger, and Instagram. This policy explains what personal data Barq processes, why, and what rights you have over it. It is published in accordance with the Israeli Protection of Privacy Law, 5741-1981, including Amendment 13 (in force from 14 August 2025).

2. Scope of this policy

This policy applies to personal data Barq processes about its direct customers (the business owners who register a Barq account) and about the operational logs and conversation content Barq stores to deliver the Service.

It does not govern how a Business decides to collect, use, retain, or disclose personal data about its own end customers. For data Barq processes on a Business's behalf, the Business is the controller (בעל מאגר / בעל שליטה) and Barq is the processor (מחזיק); the Business's own privacy notice and its agreement with its end customers govern those determinations. The roles are set out in our Terms of Service §7 (Roles and responsibilities).

3. Data Barq processes

• Account data — the email address, name, business phone number, and password (hashed) you provide when registering.
• Business profile data — business name, type, hours, knowledge base content, FAQs, escalation preferences, and other configuration you upload.
• Channel credentials — encrypted access tokens for the WhatsApp Business Account, Facebook Page, or Instagram Business account you connect through Meta's Embedded Signup or Facebook Login for Business. Tokens are encrypted at rest using AES-256-GCM with a versioned keyring.
• Conversation content — messages exchanged between your business and your customers on the channels you connect, the phone numbers and display names of those customers, transcriptions Barq generates from voice notes (stored in a separate column from the original audio reference), and metadata such as delivery and read status.
• Operational and usage logs — records of API calls, queue processing, error reports, and performance metrics. Sensitive request bodies and authorization headers are redacted before they are written to error-monitoring tooling.
• Billing data — when you upgrade to a paid plan, our payment processor handles card details directly; Barq stores only the metadata it needs to recognise your subscription (plan, billing status, invoice references).

4. Why Barq processes this data

• To run the Service: route inbound messages, generate replies, deliver them through the connected channel, and show conversation history in your dashboard.
• To trigger escalation notifications to you by email, in-dashboard alerts, and where you enable it WhatsApp template messages from your own connected number.
• To enforce plan limits, detect abuse, and protect the Service.
• To operate the disclosure and human-handoff features required by Meta's Business and AI-Assisted-Messaging policies and (for end users in the EU from 2 August 2026) by Article 50 of the EU AI Act.
• To meet legal, tax, and accounting obligations of an Israeli Osek Patur (receipt issuance, retention).

5. Storage and retention

Barq stores conversation content (incoming and outgoing messages including voice-note transcriptions) in its own systems to operate the Service, show history, and improve reliability. We do not pass conversations through and discard them — they are retained for the life of your Barq account.

• Conversation content and customer messages — retained while your Barq account is active. After account closure or on written deletion request, deleted or anonymised within ninety (90) days, except where law or the defence of a legal claim requires longer retention.
• Operational and usage logs — retained for a limited period (currently approximately ninety (90) days) and then deleted or anonymised, except where a longer period is needed for security-incident investigation or to comply with law.
• Account and billing data — retained for the life of your account plus twelve (12) months for tax and accounting records.
• Backups — rolling 30-day backups. Deletion requests are honoured on the next backup cycle after the deletion is processed.

6. AI processing

Some features use a third-party AI provider to generate replies. Only the content needed to produce the reply (the relevant message, recent conversation context, and the Business's knowledge-base entries) is sent to that provider. Barq contractually restricts its AI provider from using your Business's data, or your end customers' data, to train or improve general-purpose AI models.

AI output may be inaccurate or inappropriate. You remain the sender of record and retain in-dashboard controls (pause AI, take over a conversation) to supervise and override replies. On the first AI-generated reply in a conversation, Barq adds a short disclosure indicating that the response was produced automatically.

7. Sub-processors

Barq engages third-party service providers (cloud hosting, infrastructure, AI processing, error monitoring, transactional email) to operate the Service. Those providers process personal data only on Barq's instructions, under confidentiality and security obligations no less protective than Barq's obligations to its customers. Barq remains responsible for their performance.

The current named list (provider, purpose, region, transfer mechanism, last-updated date) is published at /sub-processors and updated when a sub-processor changes.

8. Cross-border transfers

Some of Barq's sub-processors (including the AI provider) operate from outside Israel, including from the United States — a jurisdiction where data-protection rules may differ from Israeli law. By using Barq you consent to the transfer of personal data to those providers for the purpose of operating the Service.

Such transfers are made in accordance with the Protection of Privacy (Transfer of Information to Databases Abroad) Regulations, 5761-2001, under contractual safeguards binding the recipient to protection equivalent to that required under Israeli law (regulation 2(4) undertaking + regulation 3 written commitment against onward transfer absent consent). Where a sub-processor is established in the European Union, Barq relies on the EU adequacy mechanism for the transfer.

9. Your rights

Under the Israeli Protection of Privacy Law (as amended), you have the right to:

• Access (§13) — receive a detailed account of the personal data Barq holds about you.
• Correction (§14) — request correction or amendment of inaccurate data.
• Deletion (Amendment 13) — request deletion of personal data in the cases provided for by law. See the Data Deletion page for the request process.
• Withdraw consent for processing that relies on your consent (without affecting processing already carried out).
• Object or restrict processing in the cases provided for by law.
• Receive your data in a portable format.
• Lodge a complaint with the Israeli Privacy Protection Authority (Ministry of Justice).

Requests should be sent to privacy@heybarq.com. Barq will acknowledge within seven (7) days and respond within a reasonable period taking into account the request and applicable law.

10. Security

Barq operates a security baseline aligned with the Israeli Privacy Protection (Data Security) Regulations, 5777-2017 high-tier controls: access tokens encrypted at rest with AES-256-GCM using a versioned keyring; TLS for database and external connections; access logs retained for at least twenty-four (24) months; segregation between customer accounts; periodic risk surveys; written holder-agreement coverage for every sub-processor that handles personal data; an incident-notification process to the Israeli Privacy Protection Authority and to affected customers in the cases required by law.

11. Children

Barq is intended for use by businesses and is not directed at children under sixteen (16). Barq does not knowingly collect personal data from children. If you believe a child's data has reached Barq, contact us so we can remove it.

12. Cookies and analytics

The Barq marketing site uses a cookieless server-side analytics provider in the European Union and Vercel platform analytics — neither sets identifying cookies in your browser. The Barq dashboard sets a session cookie that is strictly necessary to keep you signed in. Barq does not use cross-site tracking, ad-targeting cookies, or social-media tracking pixels.

13. Data Protection Officer (DPO)

At Barq's current scale, the founder personally owns the DPO function. Amendment 13's mandatory-appointment triggers are tracked, and if the scope of Barq's processing later requires the formal appointment of a DPO, this page will be updated with the appointee's contact details.

14. Changes to this policy

Barq updates this policy as practices change. The “Last updated” date at the top reflects the latest revision. Material changes will also be notified by email to active customers.

15. Contact

Privacy questions and rights requests: privacy@heybarq.com.
Operating entity: Hashem Abu Alteen (Osek Patur, Israel).