Privacy Policy

ChatSarthi ("we," "us," or "our") is committed to protecting the privacy of our users ("Business Clients") and their end-customers. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform and the WhatsApp Business API services. By using ChatSarthi, you agree to the practices described in this policy.

1. Compliance with Meta Policies

As an official Meta Technical Provider, ChatSarthi strictly adheres to the Meta Business SDK Terms, WhatsApp Business Terms of Service, and the WhatsApp Business Messaging Policy. We ensure that all data processing activities via the WhatsApp Business API are compliant with Meta's technical, security, and privacy requirements. Business Clients accessing the API through ChatSarthi are also bound by Meta's policies.

2. Information We Collect

We collect information necessary to provide our chatbot and automation services:

• Business Account Information: Name, email address, phone number, business name, and business registration details provided at sign-up.
• WhatsApp Business API Data: We process messages, phone numbers, and media sent or received via the WhatsApp Business API on behalf of our Business Clients. This includes end-customer names, phone numbers, and conversation content.
• Lead Data: Information collected by chatbot flows — such as property requirements, travel preferences, budget, and contact details — stored in the lead dashboard on behalf of the Business Client.
• Technical Data: IP addresses, browser types, device information, and usage patterns on our platform, collected automatically for security and performance purposes.
• Payment Data: Transaction references processed via Razorpay. We do not store card numbers or UPI credentials — these are handled entirely by Razorpay's PCI-DSS compliant infrastructure.

3. Data Processing on Behalf of Business Clients

ChatSarthi acts as a Data Processor for the information provided by our Business Clients' end-customers. Our Business Clients are the Data Fiduciaries under the Digital Personal Data Protection (DPDP) Act 2023.

• Purpose Limitation: We process data solely to provide automated chatbot responses, lead management, and customer support services as directed by the Business Client. We do not use end-customer data for our own marketing.
• Data Processing Agreement: Business Clients may request a formal Data Processing Agreement (DPA) by writing to support@chatsarthi.com. The DPA governs our obligations as a Data Processor under DPDP 2023.
• Encryption: All messages processed via the WhatsApp Business API are protected by end-to-end encryption provided by WhatsApp. Data at rest is stored in AES-256 encrypted databases.

4. DPDP Act 2023 Compliance (India)

In accordance with India's Digital Personal Data Protection Act 2023, we observe the following principles:

• Lawful Consent: Business Clients are required to obtain valid, informed consent from end-customers before initiating WhatsApp conversations. ChatSarthi's chatbot templates include a built-in consent notice at the start of every conversation.
• Data Minimisation: We collect and process only the personal data that is strictly necessary for the chatbot's stated purpose.
• Rights of Data Principals: End-customers (Data Principals) may request access, correction, or erasure of their personal data by contacting the Business Client directly. Business Clients can action these requests via the ChatSarthi dashboard's "Delete Lead Data" function.
• Data Fiduciary Responsibility: Business Clients are responsible for ensuring their use of ChatSarthi complies with the DPDP Act, including obtaining consent and honouring Data Principal rights.
• Breach Notification: In the event of a personal data breach, we will notify affected Business Clients within 72 hours of becoming aware of the breach, consistent with our obligations under applicable law.

5. Data Retention

We retain personal data only for as long as necessary to provide our services or as required by law:

• WhatsApp Message Logs: Retained for 90 days from the date of the conversation, after which they are automatically purged from our servers.
• Lead Dashboard Data: Retained for 3 years from the date of creation, or until the Business Client deletes the lead, whichever comes first.
• Business Account Data: Retained for the duration of the active subscription plus 1 year after account closure, for legal and billing purposes.
• Payment Records: Retained for 7 years as required under Indian financial regulations.
• Backup Data: Database backups are retained for 30 days and then permanently deleted.

Business Clients may request early deletion of their data by contacting support@chatsarthi.com.

6. Opt-Out and Unsubscribe

End-customers who no longer wish to receive WhatsApp messages from a Business Client's chatbot can opt out at any time:

• Via WhatsApp: Reply with STOP, OPT OUT, or UNSUBSCRIBE to any message from the chatbot. The system will automatically cease sending further messages within 24 hours.
• Via Business Client: Contact the Business Client directly and request removal from their contact list. The Business Client can delete lead data from the ChatSarthi dashboard immediately.
• WhatsApp Settings: End-customers may also block any WhatsApp Business number directly through WhatsApp's native blocking feature.

ChatSarthi does not send promotional messages to end-customers on its own behalf. All messages originate from and are controlled by our Business Clients.

7. Cookies and Local Storage

Our website (chatsarthi.com) uses the following:

• Session Storage: Used to maintain your login session securely. Cleared when you close your browser tab.
• Local Storage: Used to store your chatbot language preference, demo selections, and UI state. No personal data is stored in local storage.
• Authentication Tokens: Supabase JWT tokens are stored in local storage to keep you logged into the dashboard. These are encrypted and expire automatically.
• No Third-Party Tracking Cookies: We do not use Google Analytics, Facebook Pixel, or any third-party advertising cookies. We do not track users across websites.

By continuing to use chatsarthi.com, you consent to the use of the local storage items described above, which are strictly necessary for the platform to function.

8. Cross-Border Data Transfers

ChatSarthi takes a privacy-first approach to data location:

• Primary Servers: Our website, database, and API are hosted on a Virtual Private Server (VPS) located in Mumbai, India (Hostinger infrastructure). All lead data, chatbot conversation logs, and Business Client account data are stored in India.
• WhatsApp Message Routing: Messages sent and received via the WhatsApp Business API are routed through Meta's infrastructure, which operates servers in the United States and other countries. This is an inherent feature of the WhatsApp platform and applies to all WhatsApp Business API providers globally. By using our service, Business Clients and their end-customers acknowledge this routing.
• Payment Processing: Payment data is processed by Razorpay, which operates within India and complies with RBI regulations and PCI-DSS standards.
• Email Infrastructure: Transactional emails (OTP, welcome, password reset) are sent via Zoho Mail / Brevo, which may route through servers outside India. These emails contain no sensitive personal data beyond what is necessary to deliver the email.

9. Children's Data

ChatSarthi's services are intended solely for registered business entities and their adult representatives. We do not knowingly collect, store, or process personal data from individuals under the age of 18. If a Business Client's end-customers include minors, the Business Client is solely responsible for obtaining appropriate parental or guardian consent as required by applicable law. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.

10. Automated Decision-Making

ChatSarthi's chatbot platform uses automated logic to qualify leads and advance conversation flows. This includes:

• Automatically categorising leads as Hot, Warm, or Cold based on responses and keywords detected in conversations.
• Triggering follow-up messages based on time elapsed since last interaction.
• Routing conversations to a live agent based on predefined triggers.

These automated processes do not make legally binding decisions about end-customers. They are tools provided to assist Business Clients in managing their leads. Business Clients retain full control and human oversight over all final decisions. End-customers may request review of any automated categorisation by contacting the Business Client.

11. Data Sharing and Disclosure

We do not sell, rent, or trade personal data. We share information only in the following circumstances:

• With Meta and WhatsApp: To facilitate the delivery of messages via the official WhatsApp Business API. Governed by Meta's Data Policy.
• With Razorpay: For payment processing. Governed by Razorpay's Privacy Policy.
• With Hosting Providers: Hostinger (Mumbai, India) for server infrastructure, under strict data processing terms.
• With Email Providers: Zoho Mail / Brevo for transactional email delivery.
• Legal Requirements: When required by Indian law, court order, or government authority. We will notify Business Clients of such requests unless legally prohibited from doing so.
• Business Transfer: In the event of a merger, acquisition, or sale of assets, data may be transferred to the successor entity, subject to the same privacy protections.

12. Data Security

We implement enterprise-grade security measures consistent with Meta Technical Provider standards:

• SSL/TLS encryption (HTTPS) for all data in transit via Let's Encrypt certificates.
• AES-256 encrypted database storage with restricted, role-based access control.
• One-time password (OTP) authentication via WhatsApp is required for all Business Client account logins.
• Redis-based rate limiting and brute-force protection on all authentication endpoints.
• Daily automated database backups retained for 30 days.
• Regular security reviews to maintain Meta Technical Provider compliance standards.

13. Grievance Officer (DPDP Act 2023)

In accordance with the Digital Personal Data Protection Act 2023, ChatSarthi has designated a Grievance Officer to address privacy-related complaints and data principal requests:

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For material changes, we will notify Business Clients via email to their registered email address at least 14 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

15. Contact Us

For any privacy-related inquiries, data deletion requests, or to exercise your rights under the DPDP Act 2023, please contact: