Data Breach & Incident Notification Policy

Data Breach & Incident Notification Policy

Last updated: 2026-07-16

This data breach policy applies to the website, products and services offered under the brand WAAPI, operated by WAAPI (“we”, “us”, “our”), acting as the business. By accessing or using our services you agree to this data breach policy. If you do not agree, please discontinue use of the services.

1. Purpose

No operator can honestly promise that a breach will never happen. What we can commit to is how we behave when one does: contain it, tell you quickly, tell you the truth, and fix the cause. This policy records that commitment and the timelines that bind us.

2. What counts as a breach

Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data or customer service data — whether caused by an external attacker, a sub-processor, or our own error.

3. What we do

  1. Detect & contain — isolate affected systems, revoke compromised credentials and tokens, and stop the ongoing exposure.
  2. Assess — establish what data, whose data, how much, and what the risk to those people is.
  3. Notify you — where a breach affects your data we notify you without undue delay and in any case within 72 hours of becoming aware, with what we know, what we do not yet know, and what you should do.
  4. Notify authorities — where legally required, we report to the Data Protection Board of India under the DPDP Act, 2023, to CERT-In within the timelines of its directions, and to the relevant supervisory authority under the GDPR.
  5. Remediate & report — fix the root cause and give you a written post-incident report.

4. Where you are the controller

For the contacts and messages you hold on the platform, you are the controller and hold the duty to notify your own data principals and regulator. We will give you the information you need to do so, promptly and in usable form.

5. Sub-processor breaches

Our sub-processors are contractually required to notify us without undue delay. A breach at a channel, AI or payment provider is passed on to you under the same timelines above, with whatever detail the provider gives us.

6. No cover-ups

We will not delay or minimise notification to protect our reputation. If we got something wrong, the post-incident report will say so.

7. Reporting a suspected breach to us

If you believe data has been exposed, contact us immediately at support@thewaapi.com marked “Security incident”.

Governing law & jurisdiction

This document is governed by the laws of India. For operators in India this includes the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Consumer Protection Act, 2019. Where we serve customers in other jurisdictions we honour applicable local requirements, including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to the extent they apply. Courts at India have exclusive jurisdiction, subject to any non-waivable consumer rights in your country of residence.

Contact us

WAAPI is operated by WAAPI. For any question about this document, contact us: