Privacy Policy

When We Process Based on Consent

We process the following data based on your explicit consent:

• Account registration and profile information
• Customer Data you upload for WhatsApp messaging
• Marketing communications and newsletters
• Optional features and integrations you enable
• Non-essential cookies and analytics

When We Process for Legitimate Uses (Without Consent)

Under Section 7 of the DPDP Act, we may process personal data without consent for certain legitimate uses:

• Performance of Contract: Processing necessary to provide our services as agreed in our Terms of Service
• Legal Compliance: Complying with court orders, taxation laws (GST, Income Tax), and regulatory requirements
• Prevention of Fraud: Detecting and preventing fraudulent transactions, unauthorized access, or security threats
• Medical Emergency: If necessary to respond to a medical or health emergency involving you
• Employment Purposes: Processing employee data for payroll, HR management, and statutory compliance
• Publicly Available Data: Processing data you have made publicly available

Purpose Limitation

We process personal data only for the specific purposes for which consent was obtained or as permitted under legitimate uses. We do not use your data for any secondary or unrelated purposes without obtaining fresh consent.

No Pre-Checked Boxes

We never use pre-checked boxes or default opt-ins. All consent is obtained through explicit affirmative action where you must actively agree to each purpose of processing.

GDPR Legal Basis (For EU/UK Residents)

If you are in the European Economic Area (EEA) or UK, our legal bases under GDPR include:

• Consent (Article 6(1)(a))
• Performance of contract (Article 6(1)(b))
• Legal obligation (Article 6(1)(c))
• Legitimate interests (Article 6(1)(f)) - where applicable and balanced against your rights

Methods to Withdraw Consent

What Happens After Withdrawal

• We will stop processing your personal data for the purposes you withdrew consent for
• We will confirm your withdrawal within 48 hours via email
• Some services may become unavailable if consent is essential for providing them
• Data processed before withdrawal remains lawful
• We may retain certain data if required by law or for legitimate legal purposes
• You can re-consent at any time by contacting us or through your account settings

Unsubscribe from Marketing

To withdraw consent for marketing communications specifically:

• Click "Unsubscribe" link at the bottom of any marketing email
• Update preferences in Account Settings → Communication Preferences
• Reply "STOP" to any promotional SMS (if applicable)

Data Processing Roles

Understanding who is responsible for what:

• You (TEXTO Client): Act as the Data Fiduciary (under DPDP Act) / Data Controller (under GDPR) for your Customer Data. You determine what messages to send and to whom.
• TEXTO: Acts as a Data Processor for your Customer Data, processing it solely on your instructions to provide WhatsApp messaging services. TEXTO is a Data Fiduciary for your account information.
• Meta/WhatsApp: Also acts as a Data Processor for message delivery. WhatsApp is a Data Fiduciary for end users under the WhatsApp Privacy Policy.

Message Processing and Encryption

How WhatsApp messages are secured and processed:

• Messages sent via WhatsApp use Signal protocol end-to-end encryption
• As a BSP, TEXTO processes messages programmatically to enable automation features, chatbots, analytics, and routing
• We decrypt messages on our secure servers to provide these services, then re-encrypt for transmission to WhatsApp
• Meta/WhatsApp has access to message metadata (phone numbers, timestamps, delivery status) but not message content due to end-to-end encryption
• We implement strict access controls to ensure message content is only accessed when necessary to provide our services

Your Responsibilities as Data Fiduciary

• Obtain explicit opt-in consent from customers before sending WhatsApp messages (see Section 7 below)
• Comply with WhatsApp Business Policy, WhatsApp Business Terms, and DPDP Act
• Provide clear opt-out mechanisms to customers
• Maintain your own privacy policy explaining your WhatsApp messaging practices
• Ensure you are the Data Fiduciary for the customer data you process
• Not send prohibited content (spam, illegal content, misleading information)
• Honor customer requests to access, correct, or delete their data

What We Do NOT Do

• We do not sell, rent, or monetize your message content or customer phone numbers
• We do not use your Customer Data to train AI models or for any purpose other than providing services to you
• We do not share your Customer Data with third parties except as outlined in Section 9
• We do not send messages to your customers without your authorization
• We do not read message content except when necessary to provide services (troubleshooting, chatbot processing)

Quality and Compliance Monitoring

To maintain compliance with Meta's requirements and DPDP Act, we monitor:

• Quality ratings provided by WhatsApp (based on user blocks and reports)
• Message template approval and rejection rates
• Compliance with WhatsApp Business Policy
• Delivery rates and messaging patterns to detect spam or policy violations
• User feedback and complaints

Note: If your quality rating drops or we detect policy violations, we may restrict your messaging capabilities or terminate service to maintain compliance with Meta's requirements and protect our BSP status.

Valid Opt-In Methods

Acceptable methods for obtaining opt-in consent:

Opt-In Must Include

• Be explicit, clear, and unambiguous
• Specifically mention "WhatsApp" as the communication channel
• Clearly identify your business name
• Describe message types (order updates, promotions, support, etc.)
• Provide clear opt-out instructions
• Be documented with timestamps for audit
• Be free, specific, informed, unconditional, and based on clear affirmative action (DPDP requirement)

Opt-Out Requirements

You must provide easy opt-out mechanisms:

• Include opt-out instructions in messages (e.g., "Reply STOP to unsubscribe")
• Honor opt-out requests immediately (within 24 hours)
• Maintain a suppression list of opted-out users
• Send confirmation when user successfully opts out
• Ensure opt-out is as easy as opt-in (DPDP requirement)

Documentation Requirements

You must maintain records of opt-ins for at least 3 years:

• Date and time of consent
• Method of opt-in
• Exact consent language shown to user
• IP address or verification data where applicable
• User's acknowledgment or affirmative action

TEXTO provides tools to help you manage opt-ins and maintain compliance records, but you remain solely responsible for obtaining and documenting valid consent.

Specific Retention Periods

48-Hour Erasure Notice

Under DPDP Rules 2025, we will notify you at least 48 hours before automatic data erasure when the retention period expires. This gives you an opportunity to:

• Request an extension if you still need the data
• Download or backup your data
• Provide updated consent for continued storage

You will receive erasure notices via email registered with your account.

Secure Deletion Process

When data is deleted:

• Data is permanently erased from active databases
• Backups are overwritten within 90 days
• Data is anonymized or pseudonymized where deletion is not feasible
• Deletion logs are maintained for audit purposes
• You can request confirmation of deletion

Legal Hold Exceptions

We may retain data beyond normal retention periods if:

• Required by law (court order, regulatory investigation)
• Necessary for legal proceedings or dispute resolution
• Required for tax audits or financial compliance
• Essential for fraud investigation or security incident response

We will inform you if your data is subject to legal hold and resume normal deletion once the hold is lifted.

How to Exercise Your Rights

Response Timeframes

• DPDP Act: We respond within reasonable timeframe (typically 7-30 days)
• GDPR (EU residents): 30 days (extendable to 60 days for complex requests)
• CCPA (California): 45 days (extendable to 90 days)
• Correction requests (DPDP): Within 90 days as per Section 11(2)

Verification Process

To protect your privacy, we may ask you to verify your identity before processing requests. Verification may require:

• Matching email address with account records
• Answering security questions
• Government-issued ID verification (for sensitive requests)
• Two-factor authentication

Fees

Exercising your data rights is free of charge. However, we may charge a reasonable fee if:

• Requests are manifestly unfounded or excessive
• You request multiple copies of the same data
• Administrative costs are significant

We will inform you of any fees before processing such requests.

What is a Consent Manager?

A Consent Manager is a registered entity approved by the Data Protection Board of India that acts as a secure, impartial intermediary between you (Data Principal) and organizations (Data Fiduciaries) like TEXTO. It provides a unified platform to:

• Give, manage, review, and revoke consents across multiple services from one place
• View all your active consents in a centralized dashboard
• Receive clear, standardized privacy notices
• Audit which organizations have access to your data
• Withdraw consent easily with documented proof

How TEXTO Will Integrate with Consent Managers

Starting from when Consent Manager registration opens (expected November 13, 2026), you will be able to:

• Register with any Data Protection Board-approved Consent Manager
• Manage your TEXTO consents through that Consent Manager platform
• Give or withdraw consent for TEXTO services via the Consent Manager
• Receive privacy notices through the Consent Manager
• View complete audit trail of your consent history

Current Status (February 2026)

Benefits of Using a Consent Manager

• Centralized Control: Manage all your consents across different services in one dashboard
• Transparency: Clear visibility into who has your data and for what purpose
• Ease of Use: Withdraw multiple consents at once instead of contacting each company separately
• Verified Records: Cryptographic proof of all consent transactions maintained for 7 years
• Privacy Protection: Consent Managers cannot read your personal data - they only manage consent tokens

Technical Security Measures

Organizational Security Measures

• Employee background verification and security training
• Confidentiality agreements (NDAs) for all staff and contractors
• Least privilege principle - employees access only data necessary for their role
• Regular security awareness training and phishing simulations
• Incident response plan and security breach protocols
• Data classification and handling procedures
• Secure development lifecycle (SDLC) practices
• Third-party security assessments and vendor risk management

Compliance and Certifications

• SOC 2 Type II compliance (in progress)
• ISO 27001 Information Security Management System (planned)
• PCI-DSS compliance for payment processing (via payment processors)
• WhatsApp BSP security requirements
• DPDP Act reasonable security safeguards (Rule 6)
• Regular third-party security audits

Data Location and Storage

Primary Data Center: India (Mumbai, Bangalore)

Backup Data Centers: India (multi-region redundancy)

Cloud Providers: AWS Asia Pacific (Mumbai), Google Cloud India

For EU customers requiring GDPR compliance, we offer EU-based server hosting options. Meta/WhatsApp operates globally and may process data on both EU and US-based servers for message delivery purposes under Standard Contractual Clauses (SCCs).

Our Breach Response Process

1. Immediate Containment: Upon discovering a breach, we immediately contain it and assess the scope
2. Investigation: Determine nature, extent, cause, and impact of the breach
3. Immediate Notification: Notify affected Data Principals without delay (as soon as possible)
4. DPB Notification: Report to Data Protection Board of India within 72 hours of becoming aware
5. Remediation: Implement measures to mitigate harm and prevent recurrence
6. Documentation: Maintain detailed records of breach and response actions

What We Will Tell You

Breach notification will include:

• Nature of the breach (e.g., unauthorized access, data loss, ransomware)
• Categories and approximate number of affected Data Principals
• Types of personal data affected
• Likely consequences and potential harm
• Measures we have taken or plan to take to address the breach
• Contact details for further information (Grievance Officer, DPO)
• Steps you can take to protect yourself (e.g., change password, monitor accounts)

Notification Methods

• Email to address registered with your account (primary method)
• Prominent notice on TEXTO platform dashboard
• SMS notification (for severe breaches)
• Public announcement on website (if large-scale breach)
• Individual phone calls (for high-risk breaches affecting sensitive data)

Timeframes

• To Data Principals: Immediate notification without undue delay
• To Data Protection Board: Within 72 hours of becoming aware of the breach
• GDPR (EU residents): Within 72 hours to supervisory authority
• Follow-up Report: Detailed breach report with findings within 7 days

Age Requirements

• TEXTO Account: You must be 18 years or older to create a TEXTO business account
• WhatsApp Usage: WhatsApp requires users to be at least 13 years old (16 in EEA) as per WhatsApp Terms
• DPDP Act Definition: Anyone under 18 is considered a child and has additional protections

Verifiable Parental Consent

If we become aware that we have collected data from a child under 18, we will:

• Immediately suspend processing of that data
• Request verifiable parental/guardian consent using one of these methods:
  • Government-issued ID verification of parent
  • Digital Locker (DigiLocker) credentials of parent
  • Aadhaar-based e-KYC of parent (where permitted)
  • Credit card verification (small deposit method)
• Delete the data if consent is not obtained within 15 days

Prohibited Processing for Children

Under DPDP Rules, we are prohibited from:

• Behavioral monitoring or tracking of children
• Targeted advertising directed at children
• Profiling that may cause harm to the child
• Any processing that may harm the well-being of the child

Exemptions from Parental Consent (Rule 12)

Parental consent is NOT required when processing children's data for:

• Healthcare services or medical emergencies
• Educational purposes (with school's consent)
• Child safety and protection services
• Counseling or psychological support services
• As required by law or court order

If You Use TEXTO to Message Children

Report Underage Accounts

If you believe we have inadvertently collected data from a child under 18 without proper parental consent, please contact us immediately at privacy@texto.in with subject "Child Privacy Concern". We will investigate and take appropriate action within 48 hours.

Data Storage Locations

• Primary Storage: India (Mumbai, Bangalore data centers)
• EU Customers: Option for EU-based server hosting (Frankfurt, Ireland)
• Backups: Multi-region redundancy within India or EU (based on customer location)
• Meta/WhatsApp Servers: Global (US, EU, Asia) for message delivery
• Third-Party Services: May process data in various jurisdictions (see sub-processors list)

Transfer Mechanisms

When transferring data from India or EU to other jurisdictions, we use:

• Standard Contractual Clauses (SCCs): EU Commission-approved SCCs for transfers from EEA
• Data Processing Agreements (DPAs): Contractual safeguards with all Data Processors
• Adequacy Decisions: Transfers to countries recognized as adequate by EU Commission or Indian government
• Your Consent: Where required, explicit consent for specific transfers

DPDP Act Cross-Border Transfer Rules

Under the DPDP Act, cross-border data transfers are currently permitted, subject to:

• Compliance with all consent and notice requirements
• Ensuring adequate safeguards through contracts
• Government may restrict transfers to specific countries (blacklist) - we monitor such notifications
• Government may mandate data localization for certain categories (we will comply if notified)

Note: The Indian government may issue orders prohibiting or restricting transfers to certain countries without providing justification. We continuously monitor such orders and update our transfer practices accordingly.

Meta/WhatsApp Data Transfers

When you use WhatsApp Business API:

• Meta/WhatsApp is a US-based company with servers globally
• Message metadata (phone numbers, timestamps) may be processed in US or EU servers
• Meta uses EU-US Data Privacy Framework and Standard Contractual Clauses
• End-to-end encryption protects message content during transfer
• Review WhatsApp Privacy Policy for Meta's transfer mechanisms

Your Consent to Transfers

By using TEXTO services, you acknowledge and consent to the transfer of your information as described in this policy. We ensure all transfers maintain adequate security and comply with applicable data protection laws.

A. Service Providers and Sub-Processors

We engage trusted third-party service providers who perform services on our behalf under strict contractual obligations. These include:

• Meta Platforms, Inc. / WhatsApp: To facilitate message delivery via the WhatsApp Business Platform
• Cloud Infrastructure Providers: (e.g., AWS, Google Cloud, Microsoft Azure) to host our platform and data
• Payment Processors: (e.g., Stripe, Razorpay) to handle billing and payment processing
• Analytics Providers: To analyze platform usage and improve our services
• Customer Support Tools: To provide technical support and customer service
• Email Service Providers: To send transactional and marketing emails

All sub-processors are required to sign Data Processing Agreements (DPAs) and maintain security measures that meet or exceed industry standards. A complete list of our sub-processors is available upon request.

B. Meta/WhatsApp Data Sharing

When you use our WhatsApp Business API services:

• Meta/WhatsApp receives customer phone numbers and message metadata (timestamps, delivery status) necessary for message delivery
• Meta/WhatsApp processes this data under the WhatsApp Business Data Processing Terms
• Meta uses this data to provide the WhatsApp Business Platform services and may use aggregated, anonymized data to improve their services
• End users' use of WhatsApp is governed by the WhatsApp Privacy Policy

C. Legal Requirements and Protection of Rights

We may disclose your information if required to do so by law or in response to valid requests by public authorities, including:

• Compliance with legal obligations (court orders, subpoenas, regulatory investigations)
• Protection of our rights, privacy, safety, or property, and that of our users
• Investigation and prevention of fraud, security issues, or technical problems
• Detection and prevention of potential violations of our Terms of Service or applicable laws
• Protection against legal liability

D. Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any such change in ownership or control of your personal information. You will have the opportunity to opt-out of the transfer of your personal information.

E. With Your Consent

We may share your information with third parties when we have your explicit consent to do so.

GDPR Compliance (European Economic Area & UK)

For users in the European Economic Area (EEA) and United Kingdom, we adhere to the General Data Protection Regulation (GDPR) and UK GDPR:

• We act as a Data Processor for the Customer Data you provide through our platform
• We act as a Data Controller for your account information and usage data
• We have appointed a Data Protection Officer (DPO) who can be contacted at dpo@texto.in
• We maintain a Data Processing Agreement (DPA) with all customers processing EU personal data
• We ensure lawful basis for all data processing activities (consent, contract performance, legitimate interests, legal compliance)
• We implement Privacy by Design and Privacy by Default principles
• We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing

International Data Transfers

Your information may be transferred to and processed on computers located outside of your jurisdiction where data protection laws may differ:

• We primarily store data on servers located in India
• For EU customers, we offer EU-based server hosting options
• When transferring data from the EEA to countries without adequacy decisions, we use Standard Contractual Clauses (SCCs) approved by the European Commission
• Meta/WhatsApp operates globally and may process data in the United States and other jurisdictions under their own transfer mechanisms
• We ensure all data transfers comply with applicable data protection laws

By using our services, you acknowledge and consent to the transfer of your information as described in this policy. We take all reasonable steps to ensure your data is treated securely and in accordance with this Privacy Policy.

CCPA & CPRA Compliance (California)

For California residents, we comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• We do not sell personal information to third parties
• We do not share personal information for cross-context behavioral advertising
• You have the right to know what personal information we collect and how it's used
• You can request deletion of your personal information
• You have the right to correct inaccurate personal information
• You will not be discriminated against for exercising your CCPA rights

DPDP Act 2023 Compliance (India)

For Indian residents, we comply with the Digital Personal Data Protection Act (DPDP Act) 2023:

• We process personal data lawfully, fairly, and transparently
• We limit data collection to what is necessary for specified purposes
• We maintain accuracy and keep data up to date
• We retain data only as long as necessary
• We implement appropriate security measures
• We have established a grievance redressal mechanism
• You can contact our Grievance Officer at grievance@texto.in

Other Jurisdictions

We also comply with data protection laws in other jurisdictions where we operate, including Brazil's LGPD (Lei Geral de Proteção de Dados), Canada's PIPEDA, and other applicable privacy regulations.

Our Breach Response Process

• Immediate containment and investigation of any suspected breach
• Assessment of the scope, nature, and potential impact of the breach
• Documentation of all breach-related activities and decisions
• Implementation of remediation measures to prevent future incidents

Notification Procedures

In the event of a data breach that affects your personal information or Customer Data:

• We will notify you without undue delay and within the timeframes required by applicable law (typically 72 hours for GDPR breaches)
• Notification will include: nature of the breach, categories and approximate number of affected individuals, potential consequences, and measures taken to address the breach
• We will notify relevant data protection authorities as required by law
• For business customers processing Customer Data, we will assist you in meeting your own breach notification obligations