Privacy Policy

Privacy Policy

Last updated: 2026-07-16

This privacy policy applies to the website, products and services offered under the brand WAAPI, operated by WAAPI (“we”, “us”, “our”), acting as the business. By accessing or using our services you agree to this privacy policy. If you do not agree, please discontinue use of the services.

Who we are

BrandWAAPI
Registered legal nameWAAPI
Registered addressIndia
Emailsupport@thewaapi.com

1. Data we collect

  • Account data — name, business name, email address, phone number, billing and tax details.
  • Service data — contacts, messages, templates, media, campaigns and settings you store or transmit through the platform. You are the controller of this data; we process it on your instructions as your processor.
  • Channel data — data returned by the third-party platforms you connect (WhatsApp, Facebook, Instagram, Google Business Profile, ad accounts), such as message threads, reviews, listings and campaign metrics.
  • Technical data — IP address, device and browser information, usage logs and cookies (see our Cookies Policy and Location Data Policy).

2. How we use data

We use personal data to provide and secure the services, process payments, provide support, meet legal obligations, prevent abuse, and — with your consent where required — send service and marketing communications. We do not sell personal data, and we do not use your service data to train our own or any third party’s AI models. See our AI & Automated Processing Policy.

3. Legal bases

Where the GDPR applies we rely on contract performance, legitimate interests (service security and improvement), consent (marketing, non-essential cookies) and legal obligation. In India, processing follows the DPDP Act, 2023 on the basis of consent and legitimate uses.

4. Who we share data with

Data is shared only with: (a) the sub-processors we use to run the platform, each listed below and in full in our Third-Party Services register; (b) authorities where the law requires; (c) a successor in a business transfer. Every processor is bound by data-processing terms. Our full disclosure rules are in the Data Sharing & Disclosure Policy.

  • WhatsApp Business Platform (Cloud API) (Meta Platforms Ireland Ltd. (EEA/UK) / Meta Platforms, Inc. (rest of world)) — Sending and receiving WhatsApp business messages, registering and managing business phone numbers, submitting and managing message templates, and receiving delivery, read and inbound-message webhooks.
  • Facebook Login, Pages & Business Manager (Meta Platforms Ireland Ltd. / Meta Platforms, Inc.) — Optional social sign-in, WhatsApp Embedded Signup (connecting your WhatsApp Business Account), and reading the Pages and business assets you explicitly grant access to.
  • Instagram Professional Platform (Meta Platforms Ireland Ltd. / Meta Platforms, Inc.) — Reading and replying to Instagram messages and comments on the professional accounts you connect, and publishing content you schedule through the platform.
  • Meta Ads (Marketing API, Pixel & Conversions API) (Meta Platforms Ireland Ltd. / Meta Platforms, Inc.) — Creating, managing and reporting on advertising campaigns for the ad accounts you connect, and — where you enable it — sending website/conversion events so campaign performance can be measured.
  • Google Business Profile API (Google Business Messages) (Google LLC / Google Ireland Ltd.) — Managing the Google Business Profile locations you connect: reading and publishing posts and media, reading and replying to reviews, and reading performance insights.
  • Google Ads API (Google LLC / Google Ireland Ltd.) — Creating, managing and reporting on Google Ads campaigns for the ad accounts you explicitly link to the platform.
  • Sign in with Google (Google Identity Services) (Google LLC / Google Ireland Ltd.) — Optional social sign-in to the panel.
  • Google Analytics / Google Tag Manager (Google LLC / Google Ireland Ltd.) — Aggregate measurement of website and panel usage, where the site owner has enabled it.
  • Firebase (Cloud Messaging, Crashlytics, Analytics) (Google LLC) — Delivering push notifications to the mobile apps, crash reporting and aggregate app analytics.
  • Google Gemini API (Google LLC) — Generating AI assistance you explicitly request — drafting replies, composing posts, summarising conversations and answering business questions.
  • OpenAI API (OpenAI, L.L.C. / OpenAI Ireland Ltd.) — Generating AI assistance you explicitly request, where the platform routes your request to this provider.
  • Razorpay (Razorpay Software Private Limited (India)) — Collecting subscription, wallet top-up and usage payments, and — where you authorise a mandate — charging recurring subscription renewals.
  • PhonePe Payment Gateway (PhonePe Private Limited (India)) — Collecting UPI and card payments for subscriptions and wallet top-ups.
  • MongoDB Atlas (MongoDB, Inc.) — Managed database hosting for all platform data.
  • Transactional email (SMTP provider) (The SMTP provider configured for the account) — Delivering transactional email — sign-up verification, one-time passwords, invoices and service notices.

5. Google user data — Limited Use

WAAPI’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Full detail is in our Google API Services & Limited Use Disclosure.

6. Meta platform data

Data obtained from the WhatsApp Business Platform, Facebook, Instagram and Meta advertising APIs is used solely to provide the features you enable, is never sold, and is never used for advertising unrelated to your own campaigns. See our Meta Platform Policy.

7. International transfers

Data may be processed in data centres outside your country — including in the European Union and the United States, where several of our channel and AI providers operate. Where required we use appropriate safeguards such as standard contractual clauses.

8. Retention

Account data is kept for the life of the account and thereafter as required for tax and legal record-keeping. Message and log data is retained per the windows in our Data Retention Policy, after which it is deleted or anonymised.

9. Your rights

Subject to applicable law you may access, correct, export or delete your personal data, withdraw consent, or object to certain processing. Indian users may exercise DPDP Act rights including grievance redressal (see our Grievance Redressal Policy); EU/UK users may lodge a complaint with their supervisory authority; California residents have CCPA rights including non-discrimination. To delete your account and data, follow our Account & Data Deletion Policy.

10. Children

The services are for business use and are not directed to children under 18. We do not knowingly collect children’s data.

11. Security

See our Data Security Policy and our Data Breach & Incident Notification Policy.

Governing law & jurisdiction

This document is governed by the laws of India. For operators in India this includes the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Consumer Protection Act, 2019. Where we serve customers in other jurisdictions we honour applicable local requirements, including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to the extent they apply. Courts at India have exclusive jurisdiction, subject to any non-waivable consumer rights in your country of residence.

Contact us

WAAPI is operated by WAAPI. For any question about this document, contact us: