Privacy Policy
Effective date: 17 May 2025 · Last updated: 19 January 2026
Waaru is operated by Narayana Nexus, incorporated in India. We run the Waaru platform at waaru.app, which helps businesses automate and manage customer conversations on WhatsApp.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights over it. It applies to businesses that sign up for Waaru (“customers”) and to end users whose WhatsApp messages are processed through Waaru on behalf of our customers.
This Policy is governed by India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025. By creating an account, you accept this Privacy Policy and our Terms of Service.
1. Our role in relation to your data
For Waaru customers (businesses that sign up):
We are a Data Fiduciary. We determine the purpose and means of processing your personal data — your account details, billing information, and how you use the platform.
For end users (the customers who message your WhatsApp number):
We are a Data Processor. We process end-user message data only on your instruction, to operate the automations you have configured. The business using Waaru is the Data Fiduciary for their own customers. This relationship is governed in detail by our Data Processing Agreement, which forms part of our Terms of Service.
2. What data we collect and why
2.1 Account data you provide at signup
| Data | Purpose | Legal basis |
|---|---|---|
| Full name | Account identification | Consent |
| Work email | Authentication, transactional emails, product updates | Consent |
| Mobile number | Account profile | Consent |
| Company name, website, industry, size | Workspace setup | Consent |
| Google profile (if using Google login) | Authentication | Consent |
We do not store your Google profile picture.
2.2 WhatsApp connection data
| Data | Purpose |
|---|---|
| WhatsApp Business Account ID | Linking your Meta account to Waaru |
| Phone number and Phone Number ID | Sending and receiving messages |
| Business profile (name, description) | Displaying in your dashboard |
| Meta access tokens | Authenticating API calls to Meta on your behalf |
Meta access tokensare stored using AES-256 encryption at rest. Tokens are rotated automatically when you reconnect your WhatsApp instance from the dashboard. We never store your Meta App Secret — only the access tokens required to make API calls on your behalf.
2.3 WhatsApp conversation data (your customers’ data)
When your automation runs through Waaru, we process:
| Data | Purpose |
|---|---|
| Message content (text, media) | Running your flows, showing conversation history in your inbox |
| Your customers’ phone numbers | Routing conversations |
| WhatsApp display names | Showing names in your inbox |
| Media files sent in conversations | Delivering and storing files |
| WhatsApp Form submission responses | Storing form answers as variables in your flows |
This data belongs to your customers. We process it solely to operate your automations as you have configured them. We do not use your customers’ message content for our own marketing, analytics, or any purpose beyond running your flows and inbox.
AI Model Training:We do NOT use your customers’ WhatsApp conversation data, or any data from your workspace, to train AI models. When you use AI features (Anthropic Claude, OpenAI GPT, or Google Gemini), we send only the context necessary to generate a response — and we do NOT permit those AI providers to use that data for training their models.
2.4 Billing data
| Data | Purpose |
|---|---|
| Razorpay customer ID and subscription ID | Managing your subscription (India and other markets) |
| Dodo Payments customer ID (where used) | Managing your subscription (alternative to Razorpay) |
| Subscription plan and status | Determining feature access |
We do not store card numbers or bank details. All payment processing is handled by Razorpay (PCI-DSS compliant) and Dodo Payments.
2.5 Technical and usage data
| Data | Purpose |
|---|---|
| Session tokens | Keeping you logged in |
| IP address (server logs) | Security and fraud prevention |
| Features used, flows created, messages sent | Product analytics and improvement |
| Your bot flow configurations | Running your automations |
2.6 How we use your data to improve and market Waaru
In addition to operating the platform, we use data about your Waaru account and usage for the following purposes:
| Purpose | Data used |
|---|---|
| Sending product updates, feature announcements, and tips | Your email address |
| Informing you about plan upgrades or features relevant to your usage | Your subscription tier, features you use |
| Publishing aggregated, anonymised platform statistics | Anonymised — never linked to your identity |
| Internal analytics to understand feature adoption and improve the product | Usage patterns — never sold to third parties |
By creating an account you agree to receive product updates and occasional marketing communications from Waaru. You can opt out at any time by clicking the unsubscribe link in any email, or by emailing legal@waaru.app. Opting out of marketing does not affect transactional emails such as billing receipts, security alerts, and authentication emails.
We never use the message content of your customers’ WhatsApp conversations for marketing purposes.
3. Third-party services we use
| Service | Purpose | Their privacy policy |
|---|---|---|
| Meta Platforms Ireland Limited | WhatsApp Cloud API — sending and receiving messages | facebook.com/policy.php |
| Amazon Web Services (AWS) | Cloud infrastructure, database, and storage — hosted in Mumbai, India | aws.amazon.com/privacy |
| Vercel Inc. | Application hosting and deployment | vercel.com/legal/privacy-policy |
| PostHog Inc. | Product analytics — understanding how you use Waaru features | posthog.com/privacy |
| Google Analytics | Website traffic analytics — page views, referrers, geographic data | policies.google.com/privacy |
| Google Tag Manager | Tag management for analytics and tracking | policies.google.com/privacy |
| Razorpay Software Pvt. Ltd. | Payment processing (India and other markets) | razorpay.com/privacy |
| Dodo Payments | Payment processing (alternative to Razorpay, where selected) | dodopayments.com/legal/privacy-policy |
| Resend Inc. | Authentication and transactional emails | resend.com/legal/privacy-policy |
| Anthropic PBC | AI-powered auto-replies (Claude) when you enable the AI Copilot feature | anthropic.com/privacy |
| Google LLC | Google OAuth login; AI-powered auto-replies (Gemini) where selected | policies.google.com/privacy |
| OpenAI LLC | AI-powered auto-replies (GPT models) where selected | openai.com/policies/privacy-policy |
| Cloudflare Inc. | DNS proxy, DDoS protection, security filtering, and Turnstile CAPTCHA on signup/login forms | cloudflare.com/privacypolicy |
| Google Workspace | Internal team collaboration and email — does not process customer data | workspace.google.com/privacy |
Cross-border data transfers
Some of the services listed above are hosted or operated outside India. By using Waaru, you acknowledge and consent to the transfer of your data to these countries as follows:
| Service | Data Location | What is transferred |
|---|---|---|
| Vercel | United States | Application session data, account data |
| PostHog | United States | Product analytics (anonymised usage patterns) |
| Anthropic | United States | AI feature inputs (when you use AI Copilot) |
| OpenAI | United States | AI feature inputs (when you use GPT models) |
| Meta/Ireland | Ireland / United States | WhatsApp message data (for message delivery) |
| United States | Analytics, OAuth, AI feature inputs (when you use Gemini) |
All cross-border transfers are conducted under standard contractual clauses as required under the DPDP Act, 2023, and applicable laws. We ensure that these third parties provide adequate protection for your personal data.
Our agent inbox feature runs on software hosted entirely on our own servers. Your conversation data for this feature does not leave our infrastructure.
We do not sell your data to any third party.
4. WhatsApp data deletion
You can request deletion of your WhatsApp conversation data at any time. When you disconnect your WhatsApp Business Account (WABA) from Waaru, or when you close your Waaru account, your WhatsApp conversation data is handled as follows:
Upon WABA disconnection:
- Conversation history, message content, and associated customer phone numbers are retained for 30 days before being permanently deleted
- This retention window allows you to reconnect without data loss and protects against accidental disconnection
- Media files are deleted after 7 days
Upon account closure:
- All WhatsApp conversation data is deleted within 30 days after your billing period ends
- Media files are deleted within 7 days
- This applies regardless of whether your WABA is still connected or not
To check deletion status or request expedited deletion: Visit waaru.app/deletion-status or email us at legal@waaru.app. We process deletion requests within 30 days, and you will receive a confirmation when deletion is complete.
Exception: We may retain certain data where required by applicable law, a court order, or a request from a competent government or regulatory authority. In such cases, data will be retained only to the extent and for the duration required, and will not be used for any other purpose.
5. Data retention
| Data type | Retention |
|---|---|
| Account data | For the lifetime of your account, deleted within 30 days after your billing period ends on account closure |
| WhatsApp conversation history | Retained while your account is active, deleted within 30 days after your billing period ends on account closure |
| WhatsApp conversation history (after WABA disconnection only) | 30 days from disconnection, then permanently deleted |
| Media files | 7 days after account closure or WABA disconnection |
| Billing records | 7 years as required by Indian accounting law |
| Server logs | 90 days |
| Analytics data (PostHog, Google Analytics) | Retained per each service's policy (PostHog: 30 days for free tier; Google Analytics: 14 months by default) |
Notwithstanding the above, we may retain certain data for longer periods where required by applicable law, a court order, or a request from a competent government or regulatory authority. In such cases, data will be retained only to the extent and for the duration required, and will not be used for any other purpose.
6. Your rights under the DPDP Act, 2023
As a data principal under the DPDP Act, you have the right to:
- Access— Know what personal data we hold about you
- Correction— Ask us to correct inaccurate data
- Erasure— Request deletion of your personal data (subject to legal retention requirements)
- Grievance redressal— Raise a complaint with our Grievance Officer
- Nominate— Nominate another person to exercise rights on your behalf in case of death or incapacity
To exercise any of these rights, email us at legal@waaru.app. We will respond within 30 days.
7. Data security
We use industry-standard security measures including:
- Encryption in transit (TLS) for all data
- Encrypted storage for sensitive tokens (Meta API keys, access tokens) using AES-256
- Row-level tenant isolation so one customer cannot access another’s data
- Authentication via signed JWT tokens with short expiry
- Timing-safe comparison for all webhook signature verification
- Cloudflare Turnstile CAPTCHA on signup and login forms to prevent automated bot attacks
While we take data security seriously, no system is completely immune to risk. We recommend that you do not share your Waaru account credentials and that you contact us immediately at legal@waaru.app if you suspect any unauthorised access.
8. Children’s data
Waaru is a B2B platform for businesses. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided us data, contact us at legal@waaru.app and we will delete it promptly.
9. Changes to this policy
We will update this page when our practices change and revise the “Last updated” date at the top. For material changes, we will notify registered customers by email at least 14 days before the change takes effect. Continued use of Waaru after that date constitutes acceptance of the updated policy.
10. Grievance Officer
In accordance with the DPDP Act, 2023, our Grievance Officer can be contacted at:
Email: legal@waaru.app
Narayana Nexus, Gondia, Maharashtra, India
We will acknowledge grievances within 48 hours and resolve them within 30 days.