Privacy Policy
Last Updated: 8 May 2026 · Effective From: 8 May 2026
Published in compliance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — Rule 3(1)(a) — and the Digital Personal Data Protection Act, 2023.
1. Introduction
Zapwa ("Zapwa", "we", "our", or "us") is a WhatsApp Business SaaS platform operated by Etechinfo Consultant Pvt. Ltd., a company incorporated in India and having its registered office at H-187, Sector 63, Noida, Uttar Pradesh 201301, India. Our CIN and other statutory details are available upon request at legal@zapwa.in.
This Privacy Policy explains how we collect, use, disclose, transfer, and safeguard personal data when you visit our website at zapwa.in, use our platform at app.zapwa.in, or otherwise interact with us (collectively, the "Service"). This policy applies to all users of the Service, including business customers ("Tenants") and the end-users of those customers whose data is processed through our platform.
This Privacy Policy is published in compliance with Rule 3(1)(a) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT Rules 2011").
By accessing or using the Service, you acknowledge that you have read, understood, and agreed to the collection, use, and sharing of your personal data as described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Definitions
The following terms have the meanings given to them below, consistent with the DPDP Act 2023 and the IT Rules 2011:
- Personal Data — Any data about an individual who is identifiable by or in relation to such data, including name, email address, phone number, IP address, and any combination of data that can identify a natural person.
- Sensitive Personal Data or Information (SPDI) — As defined under Rule 3 of the IT Rules 2011: passwords, financial information, physical or mental health conditions, sexual orientation, biometric data, and similar categories. Zapwa does not intentionally collect SPDI beyond encrypted passwords.
- Data Principal — The individual to whom the personal data relates. Under the DPDP Act, this is the natural person whose data is being processed.
- Data Fiduciary — The entity that determines the purpose and means of processing personal data. Our business customers (Tenants) are Data Fiduciaries for the data of their end-users.
- Data Processor — The entity that processes personal data on behalf of a Data Fiduciary. Zapwa acts as a Data Processor for the personal data of Tenants' end-users, and as a Data Fiduciary for the personal data of Tenant administrators and users.
- Customer / Tenant — A business or organisation that subscribes to and uses the Zapwa platform under a paid or trial subscription.
- End-User — A natural person who receives WhatsApp messages sent by a Tenant through the Zapwa platform.
- Service / Platform / Zapwa — The multi-tenant WhatsApp Business SaaS platform operated by Etechinfo Consultant Pvt. Ltd., available at app.zapwa.in and related subdomains.
- Consent — A free, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes by which they signify their agreement to the processing of their personal data for a specified purpose.
- Cookies — Small text files placed on your browser or device by a website to store information about your session, preferences, or usage patterns.
3. Information We Collect
(a) Information You Provide Directly
When you register for a Zapwa account, subscribe to a plan, or contact us, we collect:
- Account registration data: Your full name, work email address, phone number, and a password (stored exclusively as a bcrypt hash — never in plaintext).
- Business information: Company or business name, GST number (optional), registered address, industry sector, and business type.
- Payment information: We use third-party payment gateways (Razorpay and/or Stripe) for transaction processing. We store only transaction IDs, invoice amounts, subscription status, and payment dates. We do not store card numbers, CVVs, UPI credentials, or net banking credentials on our servers.
- Communications: Records of your interactions with our support team, including emails, ticket content, and any attachments you submit.
(b) Information We Collect Automatically
When you access or use the Service, we automatically collect certain technical data:
- Log data: IP address, browser type and version, operating system, device type, referral URL, pages viewed, timestamps of access, and HTTP response codes.
- Session data: Authentication tokens (JWT), session identifiers, and CSRF tokens necessary for secure login and navigation.
- Usage analytics: Feature usage patterns, campaign volumes, page interactions, and error logs, collected on a first-party basis to help us improve the platform. We do not use Google Analytics, Meta Pixel, or any third-party behavioural tracking on our platform.
(c) Information From Your Use of the WhatsApp Business API
When you connect your WhatsApp Business Account (WABA) to Zapwa and use the platform to send messages, we collect and process:
- WABA credentials: Your WhatsApp Business Account ID (WABA ID), Phone Number ID, and access tokens provided by Meta's Embedded Signup flow. Access tokens are stored encrypted at rest (AES-256).
- Message content (transient): The text and parameters of messages you send through the platform. Message content is processed to deliver the messages and populate your team inbox. It is retained for up to 90 days, after which it is permanently and automatically deleted.
- Message metadata: Message IDs, delivery timestamps, read receipt timestamps, failure reasons, and message type (template vs. session).
- Webhook events: Delivery status updates, read receipts, incoming message notifications, and account status updates received from Meta via webhooks. Webhook event logs are retained for 30 days.
- Contact lists uploaded by you: Phone numbers, contact names, custom fields (e.g., order ID, customer tier), and opt-in status records. These are stored for as long as your account is active and are deleted upon a valid account deletion request.
- Template content: Message templates you create and submit for Meta approval through the platform, including template text, media parameters, and category classifications.
(d) Information From Third Parties
- Meta / WhatsApp: When you connect your WABA using Meta's Embedded Signup flow, Meta shares your WABA ID, phone number ID, and access tokens with us for the purpose of enabling API access.
- Payment gateways: Upon payment processing, our payment gateway shares a transaction confirmation, transaction ID, and payment method type (e.g., card, UPI, net banking) — but not card numbers or other sensitive payment credentials.
4. How We Use Your Information
We use the personal data we collect for the following purposes:
- Provide and maintain the Service: Process your messages through the Meta WhatsApp Cloud API, populate your team inbox, manage your campaigns, and maintain your account workspace.
- Process transactions: Manage your subscription, process payments through our payment gateway, and issue GST-compliant invoices.
- Authenticate users: Verify your identity when you log in, maintain secure sessions, and protect against unauthorised access using JWT-based authentication.
- Send service-related communications: Email you about your account, subscription renewals, payment receipts, security alerts, platform updates, and policy changes.
- Provide customer support: Respond to your queries, troubleshoot issues, and escalate problems where necessary.
- Prevent fraud and abuse: Monitor for unusual activity, detect policy violations, verify compliance with Meta's messaging policies, and protect the platform from misuse.
- Comply with legal obligations: Respond to valid legal requests, court orders, or government directions under the IT Act 2000 and applicable Indian law.
- Improve the Service: Analyse aggregated, anonymised usage analytics to identify platform improvements, fix bugs, and develop new features.
- Marketing (with consent only): With your explicit consent, send you product updates, feature announcements, and promotional offers. You may opt out at any time using the unsubscribe link in any marketing email.
- Enforce Terms of Service: Investigate violations of our Terms of Service or Meta's WhatsApp Business Policy, and take appropriate action including account suspension or termination.
We do not train artificial intelligence or machine learning models on the personal data or message content of our customers or their end-users. We do not sell, rent, or trade your personal data or your end-users' data to any third party for advertising or marketing purposes.
5. Legal Basis for Processing
Under the DPDP Act, 2023 (for Indian Users)
The DPDP Act 2023 requires that personal data be processed only for lawful purposes with the consent of the Data Principal, or for legitimate uses as specified in the Act. Our processing is based on:
- Consent: For marketing communications, optional analytics features, and any processing not strictly necessary for the performance of the Service. Consent is obtained explicitly and may be withdrawn at any time.
- Legitimate Uses: For processing necessary for the performance of our contract with you (providing the Service), for compliance with legal obligations, for protecting the safety of users, and for fraud prevention — all as permitted under Section 7 of the DPDP Act 2023.
Under the GDPR (for Users in the European Economic Area)
| Processing Purpose | Legal Basis |
|---|---|
| Providing and maintaining the Service | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Contract (Art. 6(1)(b)) |
| Authentication and account security | Legitimate interests (Art. 6(1)(f)) — security and fraud prevention |
| Legal compliance and responding to government requests | Legal obligation (Art. 6(1)(c)) |
| Anonymised platform analytics | Legitimate interests (Art. 6(1)(f)) — service improvement |
| Marketing communications | Consent (Art. 6(1)(a)) |
7. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, and in accordance with applicable legal requirements:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (profile, email, credentials) | Until account deletion request, then 30 days, then permanently deleted | Service delivery |
| Message content | 90 days from send/receive date, then permanently deleted | Service delivery, inbox functionality |
| Message metadata (IDs, timestamps, status) | 90 days from send/receive date | Analytics, troubleshooting |
| Contact lists and opt-in records | Until account deletion; consent logs retained per DPDP Rules | Service delivery, compliance |
| Webhook event logs | 30 days | Debugging, security monitoring |
| Audit logs and security logs | 7 years | Indian tax law (GST Act), legal compliance |
| Billing records and invoices | 7 years | Indian tax law (GST Act, Income Tax Act) |
| Backup snapshots | 30 days rolling — auto-purged | Business continuity |
| Anonymised analytics data | Indefinite (no PII retained) | Service improvement |
Upon a valid account deletion request, we initiate deletion of all active data immediately. Backup snapshots are purged within 30 days. Tax and audit records are anonymised where possible and retained only to the minimum extent required by law.
8. Data Security
We implement and maintain reasonable security practices and procedures as required under Rule 8 of the IT Rules 2011 and in accordance with the DPDP Act 2023. Our technical and organisational security measures include:
- Encryption in transit: All data transmitted between your browser and our servers, and between our servers and Meta, is encrypted using TLS 1.2 or higher. We do not allow unencrypted HTTP connections to our platform.
- Encryption at rest: Sensitive data including WhatsApp access tokens is encrypted at rest using AES-256. Passwords are stored exclusively as bcrypt hashes and are never stored or transmitted in plaintext.
- Access controls: Role-based access control (RBAC) is enforced at both the application and database layers. Admin accounts require multi-factor authentication (MFA). The principle of least privilege is applied to all internal systems.
- Webhook security: All incoming webhook events from Meta are verified using HMAC-SHA256 signature verification to prevent spoofing and replay attacks.
- JWT-based authentication: User sessions are managed using signed JSON Web Tokens (JWT) with short expiry windows. Tokens are invalidated on logout.
- Tenant isolation: Each business workspace is fully isolated at the data layer. Cross-tenant data access is prevented by design at the database query level.
- Security audits: We conduct regular security reviews of our codebase, infrastructure, and access controls. We maintain an incident response plan for security breaches.
- Incident response: In the event of a data breach, we will notify affected users and, where required, the Data Protection Board of India and relevant authorities, within the timelines specified by applicable law.
While we take these measures seriously, no internet-based service can guarantee absolute security. You are responsible for maintaining the confidentiality of your login credentials and notifying us promptly at support@zapwa.in if you suspect unauthorised access to your account.
9. Your Rights
Under the DPDP Act, 2023 (Indian Users)
As a Data Principal under the Digital Personal Data Protection Act 2023, you have the following rights regarding your personal data:
- Right to Access: You may request a summary of the personal data we hold about you and the purposes for which it is being processed. We will provide this within 30 days of a verified request.
- Right to Correction and Erasure: You may request correction of inaccurate personal data or erasure of personal data that is no longer necessary for the purpose for which it was collected. See our Data Deletion Instructions for the erasure process.
- Right to Grievance Redressal: You have the right to have your grievances addressed by our Grievance Officer. See Section 15 below.
- Right to Nominate: You may nominate another individual to exercise your data rights in the event of your death or incapacity, in accordance with Section 14 of the DPDP Act.
- Right to Withdraw Consent: Where our processing is based on your consent, you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.
Under the GDPR (EEA Users)
If you are located in the European Economic Area, you have the following additional rights under the General Data Protection Regulation:
- Right of Access (Art. 15): Obtain a copy of your personal data in a structured, machine-readable format.
- Right to Rectification (Art. 16): Request correction of inaccurate personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data under certain conditions.
- Right to Restriction of Processing (Art. 18): Request that we limit how we use your personal data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, and machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent for consent-based processing at any time, without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: Lodge a complaint with the supervisory authority in your EU member state if you believe our processing infringes the GDPR.
To exercise any of these rights, please email privacy@zapwa.in with your registered email address and proof of identity. We will respond within 30 days of a verified request. For erasure requests, please see our Data Deletion Instructions.
10. Data Transfers
Zapwa processes personal data primarily within India. Our primary servers are located in the Mumbai region. Backup servers are located in Singapore. All data transfers to Singapore are covered by appropriate contractual safeguards, including Data Processing Agreements with our cloud infrastructure providers.
Certain data is necessarily transferred to Meta Platforms, Inc. (USA) as part of the WhatsApp Business Cloud API messaging process. These transfers are subject to Meta's Standard Contractual Clauses and Privacy Policy.
For transfers of personal data from the European Economic Area (EEA) to countries not recognised as providing adequate protection, we rely on Standard Contractual Clauses (SCCs) as the legal transfer mechanism under GDPR.
For data originating in India, we comply with the applicable cross-border data transfer restrictions and notification requirements under the DPDP Act 2023 and any regulations notified thereunder, including any data localisation requirements for specific categories of sensitive data.
12. Children's Privacy
The Service is intended for use by businesses and professionals and is not directed at individuals under the age of 18 years. We do not knowingly collect, process, or store personal data from minors. If we become aware that we have inadvertently collected personal data from a person under 18, we will take immediate steps to delete that data.
If you are a parent or guardian and believe that a minor has provided us with personal data without your consent, please contact us at privacy@zapwa.in and we will promptly investigate and delete the data.
13. Third-Party Links
Our website and platform may contain links to third-party websites, services, or resources (including Meta's developer documentation and our payment gateway). These third-party sites have their own privacy policies, and we are not responsible for their content, privacy practices, or data handling. We encourage you to review the privacy policies of any third-party sites you visit through links on our platform.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, the services we offer, or applicable legal requirements. The revised policy will be posted on this page with an updated "Last Updated" date.
For material changes — that is, changes that significantly affect your rights or our data practices — we will provide at least 30 days' advance notice via email to your registered email address and/or via a prominent notice within the platform. Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.
If you do not agree to the revised Privacy Policy, you must stop using the Service and may request deletion of your account under Section 15 below.
15. Grievance Redressal Mechanism
In accordance with Rule 5(9) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and Section 13 of the DPDP Act 2023, we have designated a Grievance Officer to address complaints relating to the processing of personal data and our compliance with applicable law.
Grievance Officer Details
Name: Akhilesh Kumar
Designation: Grievance Officer & Data Protection Officer
Company: Etechinfo Consultant Pvt. Ltd.
Email: grievance@zapwa.in
Phone: +91 9953153142
Address: H-187, Sector 63, Noida, Uttar Pradesh 201301, India
Response timelines: We will acknowledge your grievance within 24 hours of receipt and will resolve the grievance within 15 (fifteen) calendar days of acknowledgment. If resolution requires additional time due to complexity, we will inform you of the revised timeline.
Escalation: If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India once it is constituted under the DPDP Act 2023, in accordance with the procedures notified by the Government of India.
16. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us through the following channels:
General: hello@zapwa.in
Privacy & Data Requests: privacy@zapwa.in
Data Protection Officer: dpo@zapwa.in
Grievance Officer: grievance@zapwa.in
Phone: +91 9953153142
Address: Etechinfo Consultant Pvt. Ltd., H-187, Sector 63, Noida, Uttar Pradesh 201301, India