Privacy Policy

Inovitrix Technologies (“Company,” “we,” “our,” or “us”) operates the Zapi Dial (“Service”). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Service. We are committed to protecting your personal data and processing it in accordance with applicable Indian and international data protection laws, including the Digital Personal Data Protection Act, 2023 (DPDP Act).

1. Information We Collect

1.1 Information You Provide

• Account data: Name, email address, phone number, password (stored as a bcrypt hash), and business details provided at registration.
• Contact data: Information about your contacts that you upload or sync, including names, phone numbers, email addresses, and custom fields.
• Message content: Campaign messages, templates, and any media you create and send through the Service.
• Payment information: Billing details processed by our payment provider Razorpay. We do not store full card numbers on our servers.
• Support communications: Any information you share when contacting our support team.

1.2 Information Collected Automatically

• Usage data: Pages visited, features used, clicks, and session duration collected via server logs.
• Technical data: IP address, browser type, operating system, and referring URLs.
• Message delivery data: Delivery status, read receipts, and error codes returned by Meta's WhatsApp API.

1.3 Information from Third Parties

• If you sign in with Google or Microsoft (OAuth), we receive your name, email, and profile picture from those providers.
• We receive webhook notifications from Meta containing message delivery and response data.

2. How We Use Your Information

• To create and manage your account and workspace (tenant).
• To transmit your WhatsApp campaign messages via the Meta API.
• To process payments and manage your subscription.
• To send transactional emails (account verification, OTPs, password resets, billing receipts).
• To provide customer support, diagnose technical issues, and improve the Service.
• To monitor for fraud, abuse, and violations of our Terms and Conditions.
• To comply with our legal obligations under Indian law and other applicable jurisdictions.
• To send you service announcements and important updates (you cannot opt out of these as they are essential to the Service).

3. Legal Basis for Processing

Under the DPDP Act, 2023 and applicable EU/UK GDPR (for international users), we process your personal data on the following legal bases:

4. How We Share Your Information

We do not sell your personal data. We may share information with:

• Meta Platforms: Message content and recipient phone numbers are transmitted to Meta via the WhatsApp Business API to deliver messages.
• Razorpay: Payment information for processing subscriptions and refunds.
• Amazon Web Services (AWS): Cloud infrastructure (servers, databases, queues) for hosting the Service.
• Email providers: Transactional email delivery (verification, OTPs).
• Law enforcement / legal processes: When required by law, court order, or to protect our legal rights.

5. Data Retention

6. Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of personal data we hold about you.
• Correction: Request correction of inaccurate data.
• Erasure: Request deletion of your personal data (subject to legal retention requirements).
• Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests.
• Withdrawal of Consent: Where processing is based on consent, withdraw it at any time.

To exercise these rights, email us at privacy@inovitrix.com. We will respond within 30 days.

7. Data Security

We implement industry-standard measures including:

• TLS/HTTPS encryption in transit.
• bcrypt hashing for passwords; sensitive credentials encrypted at rest.
• Multi-tenant data isolation — each workspace is logically separated using a unique tenantId.
• Rate limiting and brute-force protection on authentication endpoints.
• Two-factor authentication (2FA) available for all accounts.
• Regular security audits and dependency vulnerability scanning.

No method of transmission or storage is 100% secure. We will notify you promptly in the event of a data breach affecting your personal data.

8. International Data Transfers

The Service is hosted on AWS infrastructure which may process data in regions outside India. When transferring data internationally, we ensure appropriate safeguards are in place (Standard Contractual Clauses or equivalent mechanisms). Message data transmitted to Meta is subject to Meta's own privacy policy and data transfer mechanisms.

9. Cookies and Tracking

We use session-based authentication cookies (JWT tokens via NextAuth) that are necessary for the Service to function. We do not use third-party advertising cookies or tracking pixels. You can clear cookies via your browser settings, which will log you out of the Service.

10. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy periodically. The effective date at the top reflects the latest revision. For significant changes, we will email registered users at least 14 days before the change takes effect.

12. Contact & Grievance Redressal

For any privacy concerns or to exercise your rights, contact our Data Protection Officer:

If you are dissatisfied with our response, you may lodge a complaint with the Data Protection Board of India once it becomes operational under the DPDP Act, 2023.