Data Protection Policy
Data Protection Policy
Last updated: 2026-07-16
This data protection policy applies to the website, products and services offered under the brand WAAPI, operated by WAAPI (“we”, “us”, “our”), acting as the business. By accessing or using our services you agree to this data protection policy. If you do not agree, please discontinue use of the services.
1. Roles
For the business data you upload and the messages you exchange with your own customers, you are the data controller (the “Data Fiduciary” under the DPDP Act) and we are your processor (“Data Processor”) — we act on your documented instructions. For your own account, billing and support data, we are the controller. Our processor obligations are contracted in the Data Processing Addendum.
2. Principles we apply
- Purpose limitation — data is processed only to deliver the services you have asked for.
- Data minimisation — we request the minimum fields needed, and request the minimum third-party permissions needed.
- Accuracy — you can correct your data at any time from the panel.
- Storage limitation — data is retained only as long as needed; see the Data Retention Policy.
- Integrity & confidentiality — see the Data Security Policy.
- No sale of personal data, and no use of your service data to train AI models.
3. Your obligations as controller
You must have a lawful basis and, where required, valid consent for every contact you upload and every message you send. You must honour opt-outs and deletion requests from your own contacts, and pass through to us any request that requires action on our side. You must not upload special-category or sensitive personal data (health, financial account credentials, biometric, government identifiers) unless your plan explicitly supports it and you have a lawful basis.
4. Data subject / Data principal requests
If one of your contacts approaches us directly, we will refer them to you as the controller and notify you, unless the law requires otherwise. We will assist you in responding within statutory timelines.
5. Records & audit
We maintain records of processing activities and can provide reasonable information to help you demonstrate compliance. Audit rights, where applicable, are set out in the Data Processing Addendum.
6. Cross-border transfer
Delivering messages and AI features necessarily transfers data to the channel and AI providers listed in our sub-processor register, which operate outside India. By using those features you instruct us to make those transfers, subject to the safeguards described in the Privacy Policy.
Governing law & jurisdiction
This document is governed by the laws of India. For operators in India this includes the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Consumer Protection Act, 2019. Where we serve customers in other jurisdictions we honour applicable local requirements, including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to the extent they apply. Courts at India have exclusive jurisdiction, subject to any non-waivable consumer rights in your country of residence.
Contact us
WAAPI is operated by WAAPI. For any question about this document, contact us:
- Email: support@thewaapi.com
- Registered address: India