Privacy Policy

waInteract (operating as "waCRM") is a Software-as-a-Service (SaaS) WhatsApp Business CRM platform provided by WhatBotz / OEM Key Software Solutions ("the Company"). Our registered services are accessible at app.wainteract.com and all associated subdomains.

This Privacy Policy applies to:

• ✓
  All visitors to app.wainteract.com and related landing pages
• ✓
  Registered users, account holders, administrators, agents, and resellers
• ✓
  Business customers ("Controllers") and their end-users ("Data Subjects") who interact via the WhatsApp Business API integrated into our platform
• ✓
  Users of our free tools (e.g., WhatsApp Chat Link Generator)
• ✓
  Anyone who contacts us via email, chat, or social media
• ✓
  API developers using our REST API or webhooks

This policy does not apply to third-party websites, services, or applications that may be linked from our platform. We encourage you to review the privacy policies of any third-party services you use.

2.1 Data You Provide Directly

2.2 Data Collected Automatically

• 📡
  Log Data: IP address, browser type, operating system, referrer URL, pages visited, timestamps, HTTP response codes
• 🍪
  Cookies & Local Storage: Session tokens, preference cookies, analytics identifiers (see Section 11)
• 📱
  Device Data: Device type, screen resolution, language settings, time zone
• 📊
  Usage Analytics: Features used, buttons clicked, time spent on pages, error logs, API call patterns
• 🔔
  WhatsApp Webhook Events: Message delivery statuses (sent, delivered, read, failed), message timestamps, reaction data

2.3 Data From Third Parties

• M
  Meta / Facebook: WhatsApp Business Account information, phone number verification status, template approval status, messaging limits, Business Manager data
• 💳
  Payment Processors: Transaction status, subscription status, refund events
• 🔗
  OAuth Providers: If you sign in via Google or other SSO, we receive your name, email, and profile picture from that provider

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we rely on the following legal bases under Article 6 of the GDPR:

Our platform integrates with the WhatsApp Business Cloud API, owned and operated by Meta Platforms, Inc. By using waInteract, you acknowledge and agree that your WhatsApp messaging data is subject to both this Privacy Policy and Meta's applicable policies.

5.1 Our Obligations Under Meta's Policies

• ✓
  We are a registered WhatsApp Business Solution Provider (BSP) and comply with Meta's WhatsApp Business Solution Provider Agreement, WhatsApp Business Policy, and Commerce Policy
• ✓
  We do not use WhatsApp message data to build user profiles for advertising purposes
• ✓
  We do not sell WhatsApp message content or metadata to any third parties
• ✓
  We comply with Meta's data retention and deletion requirements upon account termination
• ✓
  We use Meta's APIs solely for the purposes stated in our terms: enabling our business clients to communicate with their customers via WhatsApp
• ✓
  We store WhatsApp API access tokens securely and never expose them to unauthorised parties
• ✓
  We respect Meta's guidelines on prohibited content, spam prevention, and message frequency

5.2 What Meta Receives

When messages are sent or received through the WhatsApp Business Cloud API, the message data passes through Meta's infrastructure. Meta processes this data in accordance with their own WhatsApp Privacy Policy and Meta Privacy Policy. We recommend you and your customers review those policies.

5.3 End-User Consent for WhatsApp Messaging

5.4 Template Messages

All outbound template messages (HSMs) sent via our platform must be pre-approved by Meta. We store your approved templates but do not modify them without your instruction. Template content submitted to Meta for approval is subject to Meta's review processes and their policies on prohibited content.

5.5 Message Storage

Inbound and outbound WhatsApp messages are stored in our encrypted database to power the inbox, conversation history, and analytics features. Message content is stored for the duration of your subscription plus a grace period (see Section 9). You may export or delete message data at any time from your account settings.

waInteract integrates with and uses the following categories of third-party services. Each has their own privacy policy which governs how they handle your data:

We share personal data only in the following limited circumstances:

• 🔧
  Service Providers (Sub-Processors): We share data with vetted third-party vendors who assist us in operating the platform (hosting, payments, email delivery, analytics). They are contractually bound to process data only on our instructions and in compliance with applicable data protection law.
• 🏛️
  Legal Requirements: We may disclose data when required by law, regulation, court order, subpoena, or government authority. We will, where legally permitted, notify you of such requests before complying.
• 🛡️
  Protection of Rights: We may share data to prevent fraud, enforce our Terms of Service, protect the safety of our users or the public, or investigate potential violations.
• 🔄
  Business Transfers: If waInteract undergoes a merger, acquisition, asset sale, or bankruptcy, user data may be transferred to the acquiring entity. You will be notified of any such change and given the opportunity to delete your account before the transfer takes effect.
• ✅
  With Your Consent: We may share data for purposes not listed here if you have given us explicit, specific consent to do so.
• 🌐
  Resellers / Partners: If you signed up through an authorised waInteract reseller, the reseller may have access to your account information and billing status as necessary to manage your subscription. Resellers are bound by our Partner Agreement and Data Processing terms.

Our servers and infrastructure may be located in various countries including but not limited to India, the United States, Singapore, Germany, and Ireland. If you are located in the EEA, UK, or another jurisdiction with data transfer restrictions, your personal data may be transferred to countries that may not provide the same level of data protection as your home country.

8.1 Safeguards for International Transfers

We rely on the following transfer mechanisms to ensure adequate protection when transferring data internationally:

You may request a copy of the transfer mechanism we use for your data by contacting our DPO at support@wainteract.com.

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required by law.

Depending on your location, you may have various rights regarding your personal data. We honour these rights for all users globally, regardless of whether your local law requires them:

How to Exercise Your Rights

To submit a rights request:

• 📧
  Email us at support@wainteract.com with the subject line "Data Rights Request – [Right Type]"
• 🔐
  Include your registered email address and a government-issued ID for verification (to protect you from fraudulent requests)
• ⏱️
  We will acknowledge your request within 72 hours and fulfil it within 30 days (extendable to 90 days for complex requests with notice)
• 💰
  Rights requests are free of charge. We may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests

We use cookies and similar technologies (local storage, session storage, pixel tags) to operate the platform, remember your preferences, and understand how you use our services.

Managing Cookies

• ⚙️
  Browser Settings: You can configure your browser to refuse all or certain cookies, or to alert you when cookies are being set. Note that disabling necessary cookies may impair platform functionality.
• 🍪
  Cookie Banner: On your first visit, you will see a cookie consent banner where you can accept or decline optional cookies.
• 📊
  Google Analytics Opt-Out: Install the Google Analytics Opt-Out Browser Add-On to prevent analytics data collection.
• 📧
  All Tracking Opt-Out: Email support@wainteract.com to opt out of all non-essential tracking across our services.

We implement comprehensive, industry-standard security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• ⏱️
  Notify affected users within 72 hours of becoming aware of the breach (GDPR requirement)
• 🏛️
  Notify the relevant supervisory authority within 72 hours where required by law
• 📋
  Provide details of the breach, likely consequences, and measures taken to address it
• 🔧
  Implement immediate remedial actions and provide guidance on protective steps you can take

If we become aware that we have inadvertently collected personal data from a minor under the relevant age threshold:

• ✕
  We will immediately delete the data from our systems
• ✕
  We will terminate the associated account
• ✕
  We will not use that data for any purpose whatsoever

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at support@wainteract.com.

Business clients using our platform to communicate with consumers should ensure that they do not use our platform to collect or process personal data of children without appropriate parental consent and safeguards, in compliance with COPPA, GDPR's provisions on children, and applicable local laws.

California residents have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This section supplements the rest of our Privacy Policy.

Categories of Personal Information Collected (Last 12 months)

Your California Rights

• ✓
  Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties we share it with
• ✓
  Right to Delete: Request deletion of your personal information, subject to certain exceptions
• ✓
  Right to Correct: Request correction of inaccurate personal information
• ✓
  Right to Opt-Out: We do not sell or share personal information for cross-context behavioural advertising. This right is already exercised
• ✓
  Right to Limit Use of Sensitive PI: Request that we limit the use of sensitive personal information to what is necessary for the service
• ✓
  Right to Non-Discrimination: We will not discriminate against you (e.g., deny service, charge different prices) for exercising your CCPA rights

To submit a CCPA rights request, email support@wainteract.com with "CCPA Request" in the subject line. We will respond within 45 days (extendable by 45 days with notice).

Authorised Agent: You may designate an authorised agent to make CCPA requests on your behalf, provided you submit written authorisation and we can verify both the agent's and your identity.

waInteract is headquartered and operationally active in India and is committed to complying with the Digital Personal Data Protection Act, 2023 (DPDPA) enacted by the Government of India.

Your Rights Under DPDPA 2023

• ✓
  Right to Information: Know what personal data we process, the purposes, and the identities of data fiduciaries and processors
• ✓
  Right to Correction & Erasure: Request correction of inaccurate or incomplete data and erasure of data no longer necessary for the purpose it was collected
• ✓
  Right to Grievance Redressal: Lodge complaints through our Grievance Officer (see contact details in Section 19). We will respond within 30 days
• ✓
  Right to Nominate: Nominate another individual to exercise your rights on your behalf in case of death or incapacity
• ✓
  Right to Withdraw Consent: Withdraw your consent at any time, where consent was the basis for processing. Withdrawal does not affect lawfulness of prior processing

Grievance Officer (India)

We are committed to complying with all rules and regulations promulgated under DPDPA 2023 as they come into effect, including registering as a Significant Data Fiduciary if required by the Data Protection Board of India.

For users located in Brazil, the Lei Geral de Proteção de Dados (LGPD – Law No. 13,709/2018) provides specific rights and requires us to disclose the following:

• ✓
  Confirmation of Processing: Right to confirm whether we process your personal data
• ✓
  Access: Right to access the personal data we hold about you
• ✓
  Correction: Right to correct incomplete, inaccurate, or outdated data
• ✓
  Anonymisation or Deletion: Right to request anonymisation or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD
• ✓
  Data Portability: Right to receive your personal data in an interoperable format
• ✓
  Information on Sharing: Right to be informed about public and private entities with which we have shared your data
• ✓
  Revocation of Consent: Right to revoke consent at any time
• ✓
  Opposition: Right to oppose processing based on grounds other than consent where not compliant with LGPD
• ✓
  Review of Automated Decisions: Right to request human review of decisions made solely based on automated processing
• ✓
  Complaint to ANPD: Right to file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD)

Legal bases we rely on under LGPD include: consent (Art. 7, I), performance of a contract (Art. 7, V), legitimate interest (Art. 7, IX), and compliance with legal obligations (Art. 7, II).

waInteract serves users globally and is committed to complying with applicable data protection laws wherever our users are located. Below is a summary of our compliance commitments for other key jurisdictions:

We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or for other operational reasons. We are committed to transparent communication about any material changes.

How We Notify You

• 📧
  Email Notification: For material changes, we will send an email to the registered email address on file at least 30 days before the changes take effect
• 🔔
  In-App Notice: A prominent banner will appear in your dashboard notifying you of the update
• 📋
  Changelog: We maintain a changelog at the top of this page showing the "Last Updated" date and a summary of changes
• ✅
  Re-Consent: Where required by law (e.g., GDPR for consent-based processing), we will seek fresh consent for new processing activities

Your continued use of the platform after the effective date of revised policies constitutes your acceptance of the changes. If you disagree with any material change, you may terminate your account before the change takes effect and request deletion of your data.

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us using the details below:

Supervisory Authorities

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with your local data protection supervisory authority:

• 🇪🇺
  EU Residents: Your national Data Protection Authority (list at edpb.europa.eu)
• 🇬🇧
  UK Residents: Information Commissioner's Office (ICO) at ico.org.uk
• 🇮🇳
  India Residents: Data Protection Board of India (once established under DPDPA 2023)
• 🇺🇸
  California Residents: California Privacy Protection Agency (CPPA) at cppa.ca.gov
• 🇧🇷
  Brazil Residents: Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd
• 🇦🇺
  Australia Residents: Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
• 🌍
  Other Jurisdictions: Please contact us and we will direct you to the appropriate authority for your country