Data Retention Policy
Data Retention Policy
Last updated: 2026-07-16
This data retention policy applies to the website, products and services offered under the brand WAAPI, operated by WAAPI (“we”, “us”, “our”), acting as the business. By accessing or using our services you agree to this data retention policy. If you do not agree, please discontinue use of the services.
1. Principle
Data is kept only as long as it is needed for the purpose it was collected for, or as long as the law requires — whichever is longer — and is then deleted or irreversibly anonymised.
2. Retention windows
| Data | Retained for | Then |
|---|---|---|
| Account & profile | Life of the account | Deleted within 30 days of confirmed account deletion |
| Messages & conversations | 90 days (rolling) | Automatically deleted |
| Contacts, templates, flows, campaigns | Life of the account | Deleted on account deletion |
| Media & files | Life of the account | Deleted on account deletion |
| Webhook events | 7 days | Automatically deleted |
| Security & audit logs | 90 days | Automatically deleted |
| Invoices, payments & tax records | 8 years | Retained — statutory requirement, survives account deletion |
| Encrypted backups | Rolling backup cycle | Purged on rotation after active-system deletion |
3. Why some data survives deletion
Tax and accounting law requires us to keep records of what you paid and what we invoiced. We also retain the minimum needed to resolve a live dispute, enforce our agreement, or comply with a legal hold. Retained data stays protected and is deleted once the retention purpose ends.
4. Data at third parties
Data held by a connected platform — your message history inside WhatsApp, your listing on Google, your campaign records at an ad platform — is retained under that platform’s policy, not ours. Deleting your account with us does not delete it there.
5. Early deletion
You can delete most data yourself at any time from the panel, and can request full account deletion under our Account & Data Deletion Policy.
Governing law & jurisdiction
This document is governed by the laws of India. For operators in India this includes the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Consumer Protection Act, 2019. Where we serve customers in other jurisdictions we honour applicable local requirements, including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to the extent they apply. Courts at India have exclusive jurisdiction, subject to any non-waivable consumer rights in your country of residence.
Contact us
WAAPI is operated by WAAPI. For any question about this document, contact us:
- Email: support@thewaapi.com
- Registered address: India