Lumave on the WhatsApp Business Platform
Lumave is a Brazilian SaaS for aesthetic clinics. We integrate the WhatsApp Business Platform Cloud API as a Tech Provider, letting each clinic connect its own WABA via Meta Embedded Signup.
Tech Provider model
Lumave is a Brazilian SaaS (CNPJ Lumave Tecnologia Ltda). We are not a Solution Partner with a shared phone number — each clinic-customer connects its own WhatsApp Business Account (WABA) and phone number through Meta Embedded Signup directly inside Lumave.
Verified business
Lumave Tecnologia is verified in Meta Business Manager (Business ID 2880541778943749) with the "Provider of Technology" badge.
Cloud API, server-to-server
After Embedded Signup we exchange the returned authorization code for a long-lived system user access token, encrypt it at rest, and call graph.facebook.com from our Node.js backend. Individual message sends are server-to-server and do not surface a Meta login screen.
Onboarding flow, end-to-end
Every step a clinic owner sees when connecting a WhatsApp Business Account through Lumave. This is the canonical flow demonstrated in our App Review screencast.
1. Clinic owner clicks "Connect WhatsApp Business"
Inside Lumave under Settings → WhatsApp, the OWNER clicks our CTA, which loads the Facebook JS SDK and calls FB.login with our Configuration ID and the scopes whatsapp_business_messaging, whatsapp_business_management, and public_profile.
2. Meta Embedded Signup popup — Business Portfolio selection
Meta-hosted popup. The clinic owner selects (or creates) the Business Portfolio. This is the first asset selection scene visible during an App Review screencast.
3. WhatsApp Business Account (WABA) selection
The clinic selects an existing WABA or creates a new one. The WABA name is visible to the user — a second asset selection scene.
4. Phone number selection and (optional) OTP
The clinic selects a phone number to register. If the number is new, Meta sends an OTP via SMS or voice for verification.
5. Permission grant
Meta presents the consent screen listing every requested scope. The clinic owner explicitly approves whatsapp_business_messaging and whatsapp_business_management before any data is shared with Lumave.
6. Lumave receives the callback and starts sending messages
The popup returns a code, WABA id, and phone number id to our frontend, which forwards them to /whatsapp/embedded-signup/callback. The backend exchanges the code for a token, encrypts and stores it, and the clinic can immediately send and receive WhatsApp messages from our inbox UI.
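The frontend half of step 6 is where a spoofed window message could hand the backend attacker-chosen WABA and phone number ids, so the popup result should be origin-checked and validated before it is forwarded. The following is an added example, not Lumave's code: it parses the WA_EMBEDDED_SIGNUP message event in the shape Meta documents, accepts it only from Meta's origins, and builds the body for the /whatsapp/embedded-signup/callback path named above. The Configuration ID placeholder and the exact FB.login launch options shown in the comment are assumptions.

```javascript
// Added example (not Lumave's code): frontend handling of the Embedded Signup
// result. The WA_EMBEDDED_SIGNUP message shape follows Meta's documented event;
// the callback path is the one named on this page. CONFIG_ID and the exact
// FB.login options are assumptions and appear only in a comment.

// Only the Meta popup may deliver the WA_EMBEDDED_SIGNUP event; any other
// window 'message' is dropped before it is even parsed.
const TRUSTED_ORIGINS = new Set([
  'https://www.facebook.com',
  'https://web.facebook.com',
]);

// IDs returned by the popup are numeric strings; reject anything else before
// it reaches the backend.
const NUMERIC_ID = /^\d{1,20}$/;

// Returns { status: 'finish', wabaId, phoneNumberId }, { status: 'cancel', currentStep },
// { status: 'error', message }, or null for anything that is not a trusted signup event.
function parseEmbeddedSignupEvent(origin, rawData) {
  if (!TRUSTED_ORIGINS.has(origin)) return null;
  let data;
  try {
    data = JSON.parse(rawData);
  } catch (err) {
    return null; // the SDK also posts non-JSON messages on this channel
  }
  if (!data || data.type !== 'WA_EMBEDDED_SIGNUP') return null;
  const payload = data.data || {};
  switch (data.event) {
    case 'FINISH':
      return {
        status: 'finish',
        wabaId: String(payload.waba_id),
        phoneNumberId: String(payload.phone_number_id),
      };
    case 'CANCEL':
      return { status: 'cancel', currentStep: payload.current_step };
    case 'ERROR':
      return { status: 'error', message: payload.error_message };
    default:
      return null;
  }
}

// The authorization code arrives separately, in FB.login's response. Build the
// callback body only when both halves are present and well-formed.
function buildCallbackBody(authResponse, signup) {
  if (!signup || signup.status !== 'finish') return null;
  const code = authResponse && authResponse.code;
  if (typeof code !== 'string' || code.length === 0) return null;
  if (!NUMERIC_ID.test(signup.wabaId) || !NUMERIC_ID.test(signup.phoneNumberId)) return null;
  return { code, waba_id: signup.wabaId, phone_number_id: signup.phoneNumberId };
}

// Browser wiring; guarded so the module also loads outside a browser.
if (typeof window !== 'undefined') {
  let signupResult = null;
  window.addEventListener('message', (event) => {
    const parsed = parseEmbeddedSignupEvent(event.origin, event.data);
    if (parsed) signupResult = parsed;
  });
  // Assumed launch call (CONFIG_ID is a placeholder for the app's Configuration ID):
  // FB.login((response) => {
  //   const body = buildCallbackBody(response.authResponse, signupResult);
  //   if (body) fetch('/whatsapp/embedded-signup/callback', {
  //     method: 'POST', headers: { 'Content-Type': 'application/json' },
  //     body: JSON.stringify(body) });
  // }, { config_id: CONFIG_ID, response_type: 'code',
  //      override_default_response_type: true, extras: { sessionInfoVersion: '3' } });
}
```

The origin check is the important line: `window.addEventListener('message', …)` receives messages from every frame, so without it any page the clinic owner has open could inject a FINISH event naming someone else's WABA. In practice the FINISH message and the FB.login callback can arrive in either order, so a production handler waits for both before posting. The backend should still treat the ids as untrusted and confirm them against what the exchanged token can actually see on the Graph API.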
Scopes we request
Each permission below is requested only because the clinic-facing product actively uses it today. We do not request permissions for future features.
whatsapp_business_messaging
Send appointment confirmations, reminders, no-show follow-ups, and post-care instructions as approved templates (utility category). Reply to patient-initiated conversations within the 24h customer service window. Upload and retrieve media (clinical photos, post-care PDFs, voice messages). Manage business profile per WABA. Register and re-register phone numbers during signup.
whatsapp_business_management
Discover and list WABAs after Embedded Signup. Register phone numbers, configure two-step verification, manage number migrations. Create, submit, and poll status of message templates. Subscribe to webhooks per WABA for inbound messages, template status updates, account updates, and phone quality updates.
public_profile
Identify the clinic owner who initiated the Embedded Signup so we can attribute the WABA connection to the right Lumave user.
Storage, retention & security
How conversation content, media, and tokens are protected once they reach Lumave.
- Message bodies, media references, and metadata are stored encrypted at rest (AES-256) in our PostgreSQL database, isolated per clinic via Row-Level Security.
- Media files are stored in Cloudinary with private access URLs that require authentication.
- Long-lived system user access tokens are encrypted at rest and never logged, returned to clients, or exposed in errors.
- Webhook payloads are validated with HMAC-SHA256 signatures using the App Secret before any processing.
- Retention: 20 years for medical-record-linked conversations (CFM 1.821/2007); 5 years for administrative conversations; deletion-on-demand via [email protected] or https://lumave.com.br/exclusao-dados.
- No data is shared with third parties beyond essential sub-processors (Meta, Cloudinary, Railway/AWS), all listed in the public Privacy Policy and bound by DPAs.
Need to verify something during App Review?
Contact us directly. We provide reviewer test credentials, a test phone number flow, and screen-recording assistance to confirm any aspect of the integration.