Privacy Policy
Effective date: 2026-05-09
This Privacy Policy describes how Sandeshly ("we", "us", the "Platform") handles personal information when you use our WhatsApp marketing platform.
1. Roles under the DPDP Act, 2023
The Platform is a tool that lets businesses ("Tenants") send WhatsApp messages to their own customers using Meta's WhatsApp Business Cloud API. Two distinct relationships exist:
- Tenant ↔ End-recipient. The Tenant decides who to message and what to send. Under India's Digital Personal Data Protection Act, 2023, the Tenant is the Data Fiduciary for the end-recipients in their contact list and is responsible for obtaining consent, providing notice, and honouring data principal rights.
- Platform ↔ Tenant. We provide the software and store the data the Tenant uses. Under the DPDP Act, we are a Data Processor acting on the Tenant's instructions, except for our minimal use of Tenant account data described in Section 4.
2. What we store about Tenants
- Account information: business name, contact name, email address, password hash (we never store plaintext passwords).
- Authentication telemetry: login times, IP addresses, user-agent strings, and outcomes of login attempts.
- WhatsApp Cloud API credentials: phone number id, WhatsApp Business Account id, display phone number, and an encrypted permanent access token.
- Acceptance record of these Terms / Privacy Policy.
3. What we store about end-recipients
When a Tenant uploads a CSV or sends a campaign, we store:
- Phone number (E.164 format), name (if provided), and tags.
- Opt-in status as marked by the Tenant.
- The original CSV filename and which Tenant user uploaded it.
- For each message sent: the rendered message body, recipient phone number, timestamps for sent/delivered/read, Meta's message id, and any error code returned by Meta.
- Verbatim copies of incoming Meta webhook payloads, capped at 200 KB each, used for dispute resolution.
4. How we use the data
- To operate, secure, and debug the Platform.
- To compute usage and bill the Tenant.
- To investigate fraud, abuse, or violations of our Terms.
- To respond to Tenant support requests.
- To comply with legal obligations, court orders, and regulator inquiries.
- To produce aggregated, anonymised statistics about Platform usage.
We do not use end-recipient phone numbers, names, or message content for our own marketing, AI training, or other commercial purposes outside the operational uses listed above without explicit written consent from the relevant Data Fiduciary.
5. Sharing
- Meta. Message content and recipient phone numbers are sent to Meta to deliver the message. Meta's processing is governed by the WhatsApp Business Solution Terms.
- Service providers. Our hosting, database, and monitoring providers, under data-processing agreements.
- Authorities. Only when legally compelled (court order, regulator request, etc.).
- We never sell personal data.
6. Retention
- Account and audit data: retained while the account is active and for 12 months after closure for security and legal purposes, then deleted.
- Raw webhook payloads: rolled off after 90 days unless an active dispute requires retention.
- Daily usage counters: retained for 3 years for billing reconciliation.
A Tenant may request earlier deletion at any time by writing to privacy@yourdomain.com.
7. Security
- WhatsApp access tokens are encrypted at rest using Fernet (authenticated AES).
- Passwords are hashed with bcrypt; we cannot recover plaintext passwords.
- TLS in transit when deployed behind a properly-configured TLS terminator.
- Restricted database file access on the host operating system.
The Platform is not currently certified to ISO 27001 or SOC 2. Contact us if you have specific security requirements before signing up.
8. Your rights under the DPDP Act
For data we hold as a Data Fiduciary (i.e. data about your Tenant account), you may:
- request access to your personal information;
- request correction of inaccuracies;
- request erasure (subject to legal retention obligations);
- withdraw consent;
- lodge a grievance with the Data Protection Board of India.
Write to privacy@yourdomain.com. We will acknowledge within 7 days and respond substantively within 30 days.
For data about your own customers (end-recipients) where you are the Data Fiduciary, you must provide a privacy notice and consent flow to them yourself. On your written instruction, we will assist by providing the data we hold on you.
9. Children
The Platform is not intended for use by anyone under 18. We do not knowingly process personal data of minors as a Data Fiduciary.
10. International transfers
Our primary infrastructure is in India. We may use providers with infrastructure outside India only as permitted by the DPDP Act and rules notified by the Government of India.
11. Cookies
We use a single session cookie to keep you signed in. It is HTTP-only, set with SameSite=Lax, and contains no personal information beyond a session identifier.
12. Changes to this Policy
We will post material changes on this page and notify Tenants via in-app banner or email at least 14 days before the change takes effect.
13. Grievance Officer / Contact
In accordance with the Digital Personal Data Protection Act, 2023 and the Information Technology (Intermediary Guidelines) Rules, the following individual is designated as the Grievance Officer for Sandeshly:
Amit Kumar, Grievance Officer
Sandeshly
Your registered office, Patna, Bihar, India
Email: amitforamit@gmail.com
The Grievance Officer will acknowledge complaints within 7 days and respond substantively within 30 days, in keeping with statutory timelines.
For general queries you may also write to hello@yourdomain.com. Privacy-specific queries: privacy@yourdomain.com.