Privacy Policy
Last updated: May 2026
1. Overview
This Privacy Policy explains how ZapText ("we", "us") collects, uses, shares, retains, and protects personal data when you use our AI WhatsApp bot platform at zaptext.shop and related services (the "Service"). ZapText is based in India; our Service complies with India's Digital Personal Data Protection Act, 2023 (DPDP), and we apply comparable protections for users outside India.
2. Two Roles: Controller and Processor
- For our customer accounts (the business owners who sign up at zaptext.shop), we act as the Data Controller. We decide what data we collect from you and why.
- For end-customer data that flows through your bot (your customers' phone numbers, messages, booking details), you are the Data Controller and we are the Data Processor. We process this data only on your documented instructions to operate your bot. You are responsible for lawful basis and responding to end-customer data requests.
3. What We Collect
From you (the account holder)
- Name, email, password (via Clerk)
- Business name, address, city, WhatsApp bot number, personal contact number
- Payment details (processed by Razorpay — we store only the payment ID, not card data)
- Product configuration you upload (menu, services, pricing, FAQs)
- Opt-in attestation timestamp for WhatsApp compliance
- Usage logs (IP, user-agent, actions) for security and debugging
From your customers (processed on your behalf)
- WhatsApp phone number
- Inbound and outbound message text and media
- Booking / order details provided in conversation
- Payment screenshots (for UPI verification), processed and then discarded
4. How We Use It
- To provide the Service: route WhatsApp messages, generate AI replies, manage bookings and orders.
- To bill you via Razorpay and keep your subscription active.
- To send you service notifications, security alerts, and product emails via ZeptoMail (Zoho).
- To debug and improve the platform with aggregated, non-identifying usage data.
- To comply with law and enforce our Terms.
- We do not sell personal data. We do not use your customer conversations to train AI models.
5. Sub-processors and Third Parties
We share data only with the sub-processors required to operate the Service:
- Clerk (authentication)
- Cloud infrastructure providers — store customer / bot data and host the application
- Third-party large-language-model providers — generate AI replies. Vendor mix may change over time; current vendors are listed in our latest sub-processor schedule, available on request to the Grievance Officer.
- Meta / WhatsApp Business Platform — delivers messages to end customers, and provides per-tenant access tokens via Embedded Signup (see Section 12 below)
- Razorpay — processes subscription payments
- ZeptoMail (Zoho) — sends transactional email
- Vercel — hosts the web application
Each sub-processor has its own privacy policy. We select providers that offer comparable data-protection commitments.
6. International Transfer
Some sub-processors (Vercel, Google, Clerk) may store or process data outside India, including in the United States. Where data leaves India, we rely on standard data transfer mechanisms and the providers' equivalent safeguards. By using the Service you consent to this transfer.
7. Retention
- Account + bot configuration: retained while your subscription is active.
- Conversation history: retained for 12 months from the message date, then archived.
- After subscription termination: data is retained for up to 90 days to allow recovery, then permanently deleted from live systems. Backup copies may persist up to 180 days before being overwritten.
- Billing records: retained for 7 years as required under Indian law.
8. Your Rights
You have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data (subject to legal retention requirements).
- Restrict or object to specific processing.
- Port your data in a portable format.
- Withdraw consent where consent is the lawful basis — this won't affect earlier processing.
- Lodge a complaint with the Data Protection Board of India.
To exercise any right, email hello@zaptext.shop. We respond within 30 days.
For requests from end customers (i.e., people who messaged a bot on our platform), you should contact the business that owns the bot first — they are the Data Controller for that data. We will assist them to fulfil your request.
9. Security
- TLS encryption in transit for all connections.
- Authentication via Clerk with industry-standard password storage.
- HMAC-SHA256 verification on all inbound WhatsApp webhooks (when configured).
- Timing-safe signature comparison on Razorpay callbacks.
- Rate limiting on sensitive endpoints.
- Admin access is limited and audited.
No security is perfect. If we learn of a material breach affecting your data, we will notify you without undue delay as required by law.
10. Children
ZapText is for businesses and is not directed at anyone under 18. We do not knowingly collect personal data from children. If you believe a minor has signed up, email us and we will delete the account.
11. WhatsApp-specific Notes
WhatsApp messages between a bot and its end customer are delivered by Meta's WhatsApp Business Platform. Messages routed via the Business API are not end-to-end encrypted in the traditional consumer-WhatsApp sense — this is how Meta's platform is designed. We recommend your bot's welcome message informs customers that they are chatting with an AI assistant and not a human.
12. WhatsApp Business Platform Connection (Embedded Signup)
When you connect your WhatsApp number to ZapText via Meta's official Embedded Signup flow, we receive the following data from Meta on your behalf:
- A long-lived access token issued by Meta for your WhatsApp Business Account.
- Your WhatsApp Business Account ID (waba_id).
- The phone-number ID Meta has assigned to your registered WhatsApp number (phone_number_id).
- Your Meta Business Portfolio ID (business_id).
- Your Meta-approved WhatsApp display name and its review status.
We use this data solely to:
- Send and receive WhatsApp messages on your behalf.
- Subscribe our app to your WABA's webhook events so we can route inbound customer messages to your bot.
- Surface your bot's status (active, awaiting Meta review, reconnect required, disconnected) on your dashboard.
How we store this data
- The access token and your phone-number registration PIN are encrypted at rest using AES-256-GCM. The encryption key is held separately from the database and supports rotation without service interruption.
- Tokens and PINs are never logged, never written to error messages, and never exposed in admin views.
- Your encrypted credentials are stored in a dedicated table scoped to your bot record. Deleting your bot cascade-deletes these rows.
Revoking ZapText's access
You can revoke our access to your WhatsApp Business Account at any time from business.facebook.com → Business Settings → Connected Apps → Remove. Meta will notify our webhook within minutes, after which we mark your connection as disconnected and stop all outbound messaging from our side.
Meta data-deletion requests
If you request data deletion from Meta (Facebook Settings → Apps and Websites → Removed), Meta will forward the request to our Data Deletion Callback URL at https://zaptext.shop/api/meta/data-deletion. We log every such request and process it asynchronously; you can check the status of any request at https://zaptext.shop/meta/data-deletion-status?code=<your_confirmation_code>.
Data retention after disconnect
When you disconnect (either via our dashboard or via Meta Business Settings), we keep your connection row marked as disconnected for audit purposes but the encrypted token and PIN become inert (Meta refuses our requests). To delete your data entirely, email hello@zaptext.shop with your business name and we will hard-delete within 30 days.
13. Cookies
We use cookies only for essential functions: session authentication (Clerk) and active-bot selection. We do not use third-party advertising cookies.
14. Changes to This Policy
We may update this policy. Material changes will be notified via email or in-product banner at least 15 days before taking effect.
15. Contact
For privacy questions, contact our Data Protection point-of-contact at hello@zaptext.shop.