Privacy Policy

Last updated: June 11, 2026

This Privacy Policy explains how WA MARK (“WA_MARK”, “we”, “us” or “our”) collects, uses, shares and protects personal data in connection with the WA_MARK platform available at app.wamark.in and www.wamark.in, together with our APIs, mobile and desktop interfaces, and related services (the “Service”).

We take privacy seriously. WA_MARK is a WhatsApp marketing, CRM and automation platform, which means personal data is at the centre of what we do — both the data of the businesses who subscribe to us and the data those businesses handle about their own customers. This policy describes both, and is written to meet our obligations under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, India’s Digital Personal Data Protection Act, 2023, and the requirements of the WhatsApp Business Platform and Meta’s Platform Terms.

If you have any questions, our contact details are at the end of this policy.


1. The two roles we play, and why it matters

WA_MARK serves businesses (“Customers”) who use our platform to communicate with their own contacts over WhatsApp and other channels. Depending on whose data is involved, we act in one of two distinct roles under data protection law.

We are a data controller for personal data relating to our Customers and the individuals who administer or use a Customer account — for example, the person who signs up, the team members they invite, and the billing contact. We decide why and how this data is processed, and this policy governs that processing.

We are a data processor for the personal data that a Customer uploads, imports, collects or exchanges through the Service about their contacts and end-users — for example, the phone numbers in a Customer’s contact list, the content of WhatsApp conversations between a Customer and its customers, and the responses captured by a Customer’s chatbot. For this data the Customer is the controller and decides the purposes of processing; we process it only on the Customer’s documented instructions, as set out in our Data Processing Agreement (“DPA”). If you are an end-user and you want to know how a particular business uses your data, or you wish to exercise your rights in respect of it, you should contact that business directly. We will support our Customers in responding to you, but we cannot make decisions about data we do not control. Section 11 explains how we handle requests that reach us directly.

The remainder of this policy is written primarily from our perspective as a controller. Where we describe data we handle as a processor, we say so explicitly.


2. The personal data we collect

2.1 Data you give us when you use WA_MARK as a Customer

When you create and operate an account, we collect:

  • Identity and account data — your full name, sign-in email address, phone number, profile photo, and the password you set (stored only as a salted hash, never in plain text).
  • Business data — your business’s legal name, GST or other tax identification number, company registration number, registered address, business category, website(s), and your WhatsApp Business Account Number. This information appears on the invoices we issue to you.
  • Contact-person and relationship data — the details of the person nominated as your business contact, and the name, phone and email of any Relationship Manager assigned to your account by our team.
  • Authentication and security data — two-factor authentication enrolment (including authenticator-app secrets where you enable TOTP), one-time codes, and session preferences such as “keep me signed in”.
  • Payment and billing data — your plan, wallet balances, transaction and order identifiers, and GST invoice records. Card and bank details entered at checkout are collected and processed directly by our payment processor (see Section 7); we do not store full card numbers on our systems.
  • Support data — the contents of support tickets, ticket conversation threads, and any information you choose to share with us when you ask for help.

2.2 Data we collect automatically

When you use the Service we automatically collect certain technical and usage data, including your IP address (which we also use to suggest your country code and display currency), device and browser information, log data, pages visited, features used, and metrics such as messages sent and AI tokens consumed. We use essential and functional cookies and similar technologies for this; see Section 12.

2.3 Data we process on behalf of our Customers (processor role)

When operating their account, a Customer may upload, generate or transmit personal data about their own contacts and end-users. This typically includes:

  • contact records — names, phone numbers, email addresses, company, country, tags, lifecycle stage, custom fields, and opt-in/opt-out status;
  • the content and metadata of WhatsApp (and, where enabled, other-channel) conversations between the Customer and its contacts, including delivery and read status;
  • information captured by chatbots and WhatsApp Flows, such as answers to questions and submitted form fields; and
  • documents and URLs a Customer adds to the Knowledge Center to ground their AI assistant.

We process this data solely to provide the Service to that Customer, on their instructions. The Customer is responsible for having a lawful basis — including any required consent or opt-in — to collect this data and to message their contacts, and for providing those contacts with their own privacy notice.

2.4 Data we receive from third parties

We receive limited data from the integrations that power the Service — for example, your WhatsApp Business profile details, quality rating and messaging limits from the WhatsApp Business Platform; payment confirmations from our payment processors; and, where you connect Google, the authorisation and account information needed to operate the Google Spreadsheet step in your chatbots. We describe these third parties in Section 7.


3. How and why we use personal data, and our legal bases

As a controller, we rely on the following legal bases under Article 6 GDPR.

To perform our contract with you (Article 6(1)(b)). We process your identity, account, business, authentication and billing data to create and secure your account, provide the Service, process payments and issue invoices, operate your wallet, enforce plan entitlements, and provide customer support.

For our legitimate interests (Article 6(1)(f)), where these are not overridden by your rights. These interests include keeping the Service secure and preventing fraud and abuse; understanding how the Service is used so we can maintain and improve it; managing our relationship with you, including through an assigned Relationship Manager; and communicating with you about service changes. Where we rely on legitimate interests we have assessed that our processing is proportionate and have balanced it against your interests; you may object as described in Section 11.

To comply with a legal obligation (Article 6(1)(c)), including retaining tax and accounting records (such as GST invoices) for the periods required by law, and responding to lawful requests from public authorities.

With your consent (Article 6(1)(a)), for any optional processing for which we ask for it — for example, certain non-essential communications. You may withdraw consent at any time without affecting processing already carried out.

When we process data as a processor on a Customer’s behalf, the legal basis for that processing is the Customer’s responsibility as controller; our processing is governed by the Customer’s instructions and our DPA.

We do not sell personal data, and we do not use the personal data in Customer accounts, or data obtained through the WhatsApp Business Platform, to build or enrich our own marketing or advertising profiles. Section 5 describes our WhatsApp-specific commitments in detail.


4. Artificial intelligence features

WA_MARK offers AI features, including suggested replies in the team inbox, AI agents that answer from a Customer’s Knowledge Center using retrieval-augmented generation, and AI-assisted suggestions in the chatbot builder. We want to be clear about how these work.

Our AI features are provided only as part of the Service and are not offered as an independent product trained on our Customers’ data. When an AI feature runs, the relevant text (for example, a customer message and the grounding documents a Customer has provided) is sent to the AI provider configured for that workspace — either the Customer’s own provider account and API key, or, where the Customer has not configured one, a platform-wide provider key that we maintain. We pass this data to the provider only to generate the requested output for that Customer.

We select AI providers that meet appropriate security and confidentiality standards, and we do not authorise them to use data sent through the Service to train their general models. The AI providers we may use are listed in Section 7.

Our AI features support human work — they suggest, draft and answer; they do not make decisions that produce legal or similarly significant effects about an individual. We do not carry out automated decision-making within the meaning of Article 22 GDPR. If this changes, we will update this policy and implement the safeguards the law requires.


5. WhatsApp Business Platform data — our specific commitments

WA_MARK is built on the WhatsApp Business Platform (the WhatsApp Cloud API) provided by Meta. Our use of data obtained through that platform (“WhatsApp Data”) is subject to Meta’s Platform Terms, the WhatsApp Business Terms, and the WhatsApp Business Messaging Policy, in addition to applicable law. In particular:

  • We use WhatsApp Data, including the content of message threads and information about the people our Customers message, only as reasonably necessary to support our Customers’ messaging with those people and to provide the Service. We do not use it for any unrelated purpose.
  • We do not sell, rent, license or otherwise distribute WhatsApp Data to data brokers or other third parties. We share it only with the infrastructure and processing subproviders listed in Section 7, each of which acts on our behalf under contract, and only to the extent needed to deliver the Service.
  • We do not use WhatsApp Data to build, augment or enrich profiles of individuals for advertising or for any purpose other than serving the Customer’s own communications.
  • We act as a Third-Party Service Provider to our Customers in respect of their WhatsApp Business Accounts. We process WhatsApp Data solely on the written instructions of the Customer that controls the relevant WhatsApp Business Account, and we maintain industry-standard security, privacy and data-protection measures as described in Section 9.
  • Each Customer connects their own WhatsApp Business Account through an isolated, per-account webhook configuration, and data is partitioned per tenant at the database level so that one Customer cannot access another Customer’s WhatsApp Data.

Meta is an independent controller for the data it processes in operating the WhatsApp Business Platform. Meta’s own handling of that data is described in the WhatsApp and Meta privacy policies.


6. Multiple WhatsApp numbers, team access and isolation

A single Customer account may operate several WhatsApp Business numbers, each functioning as its own self-contained space with a separate inbox, metrics and prepaid wallet. Access to each number is controlled by the Customer through a per-number access matrix and role-based permissions, so that a Customer’s staff member sees only the numbers and modules they have been assigned. We enforce these access controls on our servers, not merely in the interface. This design is part of how we keep personal data confined to the people authorised to handle it.


7. How we share personal data

We share personal data only as described below. Every third party that processes personal data on our behalf does so under a written contract that requires it to protect the data and to use it only for the purposes we specify.

Service subprocessors. We use a focused set of providers to operate the Service:

Provider | Purpose | Personal data involved
Meta Platforms / WhatsApp | Core WhatsApp messaging (WhatsApp Cloud API) | Phone numbers, message content and metadata, WhatsApp Business profile data
Amazon Web Services (AWS) | Cloud hosting and storage of the application and database | All categories stored by the Service
Razorpay (and, where enabled, other payment gateways such as Stripe, PayPal or UPI providers) | Processing subscription and wallet payments, issuing receipts | Billing identifiers and payment data entered at checkout
OpenAI, Anthropic, Google (Gemini) and/or NVIDIA | Powering AI replies, AI agents and AI-assisted features | The message text and grounding content submitted to an AI feature
Google | “Sign in with Google” and the chatbot Google Spreadsheet integration | Authorisation tokens and the data a Customer chooses to write to a sheet
Our transactional email provider (SMTP) | Sending verification codes, password links, invitations and notifications | Name, email address and the contents of those messages

The specific subprocessors engaged for a given Customer may vary with the features that Customer uses (for example, the AI provider depends on the workspace configuration). Customers acting as controllers can obtain our current subprocessor list and details under their DPA.

Within a Customer’s own organisation. Personal data in a Customer account is accessible to the users that Customer authorises, according to the roles and number-access permissions the Customer configures.

For legal and safety reasons. We may disclose personal data where we believe in good faith that disclosure is necessary to comply with a legal obligation or lawful request, to enforce our terms, or to protect the rights, property or safety of WA_MARK, our Customers or others.

In a business transfer. If we are involved in a merger, acquisition, financing or sale of assets, personal data may be transferred as part of that transaction. We will notify you and ensure any successor honours this policy or provides equivalent protection.

We do not share personal data with third parties for their own independent marketing.


8. International data transfers

WA_MARK operates from India, and several of our subprocessors are located in the United States, the European Union and other countries. This means personal data may be transferred to, and processed in, countries outside the one in which you are located, including countries that have not received an adequacy decision from the European Commission.

Where we transfer personal data of individuals in the European Economic Area or the United Kingdom to a country without an adequacy decision, we put in place an appropriate transfer mechanism — in most cases the European Commission’s Standard Contractual Clauses (and the UK Addendum where relevant) — together with any supplementary measures needed to protect the data. Where a subprocessor is certified under a recognised framework such as the EU–US Data Privacy Framework, we may rely on that certification. You can request more information about the safeguards we use by contacting us.


9. How we protect personal data

We maintain technical and organisational measures appropriate to the risk, including:

  • Tenant isolation — every Customer’s data is segregated at the database level using PostgreSQL Row-Level Security, so that each query is scoped to a single tenant.
  • Encryption — traffic to and from the Service is protected with TLS; one-time codes are stored only as HMAC hashes; passwords are hashed with bcrypt.
  • Access control — role-based permissions, server-side enforcement of access to sensitive pages, two-factor authentication, and session management that prevents challenge tokens from being reused as valid sessions.
  • Platform hardening — security headers, per-IP rate limiting on authentication and one-time-password endpoints, signature-verified inbound webhooks that fail closed in production, and upload restrictions on file type and size.
  • Secret handling — credentials and API secrets are stored server-side and are never returned to the browser.

No system can be guaranteed perfectly secure, but we work to protect personal data and to detect and respond to incidents. If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals, in accordance with Articles 33 and 34 GDPR. When we act as a processor, we will notify the affected Customer without undue delay so they can meet their own obligations.


10. How long we keep personal data

We keep personal data only for as long as we need it for the purposes described in this policy.

We retain Customer account data for the duration of the account relationship. After an account is closed, we delete or anonymise the data within a reasonable period, except where we are required to retain certain records for longer — for example, invoices and tax records that we must keep to comply with Indian tax law. One-time codes are short-lived and expire automatically. Usage logs are kept for a limited period for security and troubleshooting.

For personal data we process on behalf of a Customer, we retain it for as long as the Customer’s account is active and the Customer instructs us to, and we delete or return it following termination of the Customer’s subscription, subject to a short grace period, in accordance with the DPA. A Customer can also delete contacts and other records within the Service at any time.

When our platform administrators permanently delete a Customer at the Customer’s request, this triggers a full wipe of that Customer’s data from the Service.


11. Your rights

Subject to the conditions and exceptions in applicable law, you have the following rights in relation to personal data we hold about you as a controller:

  • Access — to obtain confirmation of whether we process your data and a copy of it;
  • Rectification — to have inaccurate data corrected and incomplete data completed;
  • Erasure — to have your data deleted in certain circumstances (“the right to be forgotten”);
  • Restriction — to ask us to limit our processing in certain circumstances;
  • Portability — to receive certain data in a structured, commonly used, machine-readable format and to have it transmitted to another controller where technically feasible;
  • Objection — to object to processing based on our legitimate interests, and to object at any time to processing for direct marketing;
  • Withdrawal of consent — to withdraw any consent you have given, at any time; and
  • To lodge a complaint with a data protection supervisory authority (see Section 15).

To exercise any of these rights, contact us using the details in Section 15. We will respond within the timeframe required by law (under the GDPR, within one month, extendable for complex requests). We will not charge a fee unless your request is manifestly unfounded or excessive, and we may need to verify your identity first.

If your request relates to data we process for a business Customer (for example, you are a contact of a business that uses WA_MARK), we are a processor and cannot decide on your request ourselves. We will, without undue delay, either forward your request to the relevant Customer or direct you to them, and we will assist that Customer in responding as our DPA requires.

11.1 Additional rights for California residents (CCPA/CPRA)

If you are a California resident, you also have the right to: know the categories and specific pieces of personal information we have collected, the sources, the business or commercial purpose, and the categories of third parties to whom we disclose it; delete personal information we collected from you (subject to legal exceptions); correct inaccurate personal information; opt out of the “sale” or “sharing” of personal information and limit the use of sensitive personal information; and receive non-discriminatory treatment for exercising these rights.

We do not sell personal information for money. However, our use of advertising and analytics cookies on our marketing website (see Section 12) — such as the Meta Pixel and Google Ads tags — may be considered a “sale” or “sharing” of personal information for cross-context behavioural advertising under the CCPA/CPRA. You can opt out of this at any time using the browser and ad-partner controls described in Section 12, or by contacting us using Section 15, and we will give effect to your request, including any Global Privacy Control (GPC) browser signal we are required to honour. To make a request to know, delete or correct, contact us using Section 15; you may use an authorised agent, and we will verify your identity before responding. We will respond within the time required by law (generally 45 days, extendable once where permitted).


12. Cookies, analytics and advertising technologies

WA_MARK uses cookies and similar technologies that are strictly necessary to operate the Service — for example, to keep you signed in, to maintain your session securely, and to remember interface preferences such as a collapsed sidebar. We also use functional cookies to detect your country and display currency from your IP address. On our public marketing website (www.wamark.in) we also use analytics and advertising technologies provided by third parties:

  • Google Analytics — to understand how visitors find and use our pages so we can improve them (for example, pages viewed, approximate location, device type and referral source).
  • Meta Pixel and Conversions API, and Google Ads tags — to measure the effectiveness of our advertising and to show relevant ads to people who have visited our site (“retargeting”). These technologies may set cookies and share certain information — such as the pages you visit, the actions you take, your IP address and an online identifier — with Meta Platforms and Google.

We do not use analytics or advertising cookies inside the signed-in WA_MARK application (app.wamark.in), and we never use data belonging to our business Customers, or to their end-customers, for our own advertising.

Your choices. You can control non-essential (analytics and advertising) cookies in any of these ways: through your browser settings; by opting out of interest-based ads in your Meta ad preferences and your Google ad settings; by installing the Google Analytics opt-out add-on; or through industry tools such as Your Online Choices (EU/UK) and DAA WebChoices (US). Where applicable law requires your prior consent for non-essential cookies (for example, under the EU/UK GDPR), we obtain that consent before such cookies are set, and you can withdraw it at any time. Disabling strictly necessary cookies may stop parts of the Service from working.

12.1 Advertising data from Meta — our commitments

When you interact with our ads on Meta platforms (Facebook, Instagram or WhatsApp) — for example by clicking a Click-to-WhatsApp ad or submitting a lead form — we may receive personal data such as your name, phone number, email address and your message or form answers, together with campaign metadata (such as which ad you clicked). Consistent with Meta’s Advertising Standards and Business Tools terms, we handle this data as follows:

  • we use it only on our own behalf — to respond to your enquiry, provide the Service you asked about, and measure and improve our own advertising;
  • we share it only with service providers acting on our instructions (see Section 7) — never with ad networks, ad exchanges, data brokers or other advertising or monetisation services;
  • we never sell it, never combine (“commingle”) it with data from other advertisers’ campaigns — each business Customer’s data on WA_MARK is isolated to that Customer (see Section 6) — and never use it to build, append to or augment profiles of people beyond our own customer and lead records; and
  • our lead forms never request sensitive information such as government identifiers, account numbers or other financial information, usernames or passwords, health or insurance information, criminal history, or information about race or ethnicity, religion, political affiliation, sexual orientation or trade-union membership.

13. Children

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data directly from children under the age of 16 as account users. Our Customers are responsible for ensuring that their own use of the Service to communicate with individuals complies with the law, including any rules concerning minors. If you believe a child has provided us with personal data as an account user, please contact us and we will take appropriate steps to delete it.


14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or the Service. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you through the Service or by email before the changes take effect. We encourage you to review this policy periodically.


15. How to contact us

WA MARK

Privacy and data protection enquiries: support@wamark.in
Data Protection Officer: support@wamark.in

Grievance Officer (India). In accordance with India’s Digital Personal Data Protection Act, 2023 and the Information Technology Act and rules, our Grievance Officer is:
Tasleem Mohammed — support@wamark.in

EU / UK representative. We have not appointed a representative in the EU or UK under Article 27 GDPR; if you are in the EEA or UK you can contact us directly at support@wamark.in for any data protection matter.

If you are in the EEA or UK and believe we have not handled your personal data properly, you have the right to lodge a complaint with your local data protection supervisory authority. We would, however, appreciate the chance to address your concerns directly before you do, so please consider contacting us first.


This document is the privacy policy of the WA_MARK platform and is published at www.wamark.in.
