Privacy Policy
ChatOrbit — WhatsApp Business Automation Platform
Privacy at a Glance
- We collect only the data necessary to operate the WhatsApp automation service you signed up for.
- We never sell your personal data or your customers' data to third parties.
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- You can request access, correction, deletion, or export of your data at any time.
- AI-generated messages are disclosed to end-users. Human handoff is always available.
- We comply with Meta's WhatsApp Business Policy, GDPR, CCPA/CPRA, India's DPDPA, and COPPA.
Contents
- Definitions and Scope
- Information We Collect
- Legal Basis for Processing
- How We Use Your Information
- AI Processing and Disclosure
- WhatsApp Messaging Compliance
- Data Sharing and Third Parties
- Sub-Processors
- International Data Transfers
- Data Retention and Deletion
- Data Security
- Your Rights (All Jurisdictions)
- GDPR-Specific Rights (EEA/UK)
- CCPA/CPRA Rights (California)
- India DPDPA Rights
- Meta Platform Data Deletion
- Cookies and Tracking
- Children's Privacy
- Third-Party Links
- Data Breach Notification
- Grievance Officer (India)
- Changes to This Policy
- Contact Us
1 Definitions and Scope
This Privacy Policy ("Policy") describes how ChatOrbit ("the Company", "we", "us", or "our"), operated by Hiren Chheta, collects, uses, stores, shares, and protects information when you use our WhatsApp Business automation platform, website, dashboard, APIs, and all related services (collectively, the "Service").
This Policy applies to:
- Business Users — Individuals or entities who register for a ChatOrbit account to manage WhatsApp Business communications ("you" or "your" in most contexts).
- End-Users / Customers — Individuals who interact with a Business User's WhatsApp number via our platform ("end-users" or "customers").
- Website Visitors — Anyone who visits our website or landing pages.
By using our Service, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please discontinue use of the Service.
2 Information We Collect
2.1 Information You Provide Directly
| Data Category | Specific Data Points | Purpose |
|---|---|---|
| Account Registration | Full name, email address, phone number, business name, business address, business category | Create and manage your account |
| WhatsApp Business Details | Phone Number ID, WhatsApp Business Account ID (WABA ID), business profile info, Meta App credentials (access tokens) | Connect your WhatsApp Business Account to our platform |
| Payment & Billing | Billing name, billing address, GST/tax ID. Card details are processed by Razorpay; we do NOT store full card numbers, CVV, or expiry dates. | Process subscriptions and payments |
| AI Training Data | Product catalogs, FAQs, business descriptions, custom instructions, knowledge base documents | Train your AI assistant to respond accurately |
| Custom Replies | Keyword triggers, auto-reply templates, flow configurations | Configure automated messaging workflows |
| Support Communications | Emails, chat messages, or feedback you send to our support team | Provide customer support and improve Service |
2.2 Information Collected Through WhatsApp Messaging
When your customers interact with your WhatsApp Business number via our platform, we process the following on your behalf:
| Data Category | Specific Data Points | Purpose |
|---|---|---|
| Message Content | Text messages, media files (images, documents, audio, video, stickers) exchanged between your business and customers | Deliver and display messages; power AI responses |
| Customer Identifiers | Phone numbers and WhatsApp profile names as provided by WhatsApp Business API | Identify customers in conversations; CRM functionality |
| Message Metadata | Timestamps, delivery status (sent, delivered, read), message IDs | Track delivery; analytics; troubleshooting |
| Order Data | Items, quantities, amounts, order status extracted from conversations | Order management and payment tracking |
2.3 Information Collected Automatically
| Data Category | Specific Data Points | Purpose |
|---|---|---|
| Device & Browser | Browser type and version, operating system, device type, screen resolution | Optimize dashboard experience |
| Usage Data | Features used, pages visited, click patterns, session duration | Improve Service; analytics |
| Log Data | IP addresses, access timestamps, referral URLs, error logs | Security monitoring; debugging |
| Cookies & Similar Tech | Session cookies, preference cookies (see Section 17) | Authentication; user preferences |
2.4 Information We Do NOT Collect
- We do NOT collect biometric data, genetic data, or health information.
- We do NOT collect racial or ethnic origin, religious beliefs, political opinions, or sexual orientation.
- We do NOT collect full credit/debit card numbers (processed exclusively by Razorpay).
- We do NOT access end-user conversations for advertising, profiling, or selling to third parties.
3 Legal Basis for Processing
We process personal data based on the following legal grounds, as required by GDPR (Article 6), India's DPDPA (Section 4), and similar regulations:
| Legal Basis | Applicable Processing Activities |
|---|---|
| Consent | Marketing emails; optional analytics cookies; AI training on your data; processing end-user data (consent obtained by Business User) |
| Performance of Contract | Account creation; providing the Service; processing payments; sending and receiving WhatsApp messages; customer support |
| Legitimate Interest | Service improvement; fraud prevention; security monitoring; aggregated analytics (with safeguards ensuring your rights are not overridden) |
| Legal Obligation | Tax compliance; responding to lawful government requests; data breach notifications |
You may withdraw consent at any time where consent is the legal basis for processing. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
4 How We Use Your Information
We use the information we collect for the following specific purposes:
- Service Delivery: Operate the platform, send and receive WhatsApp messages on your behalf, manage chatbot flows, and process customer orders.
- AI-Powered Responses: Use your training data and conversation context to generate automated AI responses to customer inquiries (see Section 5 for full AI disclosure).
- Account Management: Manage your subscription, process billing through Razorpay, and provide account-level analytics.
- Communication: Send you service-related notifications (security alerts, billing confirmations, feature updates, scheduled maintenance). These are transactional and not marketing.
- Marketing (with consent): Send promotional emails about new features or offers only if you have opted in. You can unsubscribe at any time.
- Analytics & Improvement: Analyze aggregated, anonymized usage patterns to improve performance, fix bugs, and develop new features.
- Security: Detect fraud, prevent abuse, and protect the integrity of our Service and your account.
- Legal Compliance: Comply with tax laws, respond to lawful legal process, and enforce our Terms of Service.
5 AI Processing and Disclosure
ChatOrbit uses artificial intelligence to power automated customer responses. This section explains exactly how AI is used, what data it processes, and how we ensure transparency.
5.1 How AI Works in ChatOrbit
- When a customer sends a message to your WhatsApp Business number, our system may route it to an AI model to generate a contextual response.
- The AI uses your uploaded training data (product info, FAQs, business description) combined with conversation context to generate relevant responses.
- Message content is sent to our AI processing provider (currently OpenAI) via secure, encrypted API calls for the sole purpose of generating a response.
- We do NOT use customer messages to train, fine-tune, or improve general-purpose AI models. Your data is used solely for your business's chatbot.
5.2 AI Transparency and Labeling
- AI-generated responses include a disclosure label so customers know they are communicating with an automated system.
- Customers can request to speak with a human agent at any time. Human handoff is supported and encouraged.
- Business Users can review, edit, and override AI responses through the dashboard.
5.3 AI Data Safeguards
- Data sent to AI providers is encrypted in transit (TLS 1.2+).
- We use API configurations that prevent our AI providers from retaining or training on your data.
- No personally identifiable information (PII) is shared with AI providers beyond the minimum necessary for generating a response (conversation context and training data).
- AI providers are bound by Data Processing Agreements (DPAs) that ensure compliance with GDPR and other applicable regulations.
6 WhatsApp Messaging Compliance
ChatOrbit operates in strict compliance with Meta's WhatsApp Business Policy, WhatsApp Commerce Policy, and WhatsApp Business Terms of Service.
6.1 Opt-In Requirements
We require that Business Users obtain verifiable customer opt-in before sending business-initiated messages through WhatsApp. This means:
- The customer must voluntarily provide their phone number and explicitly consent to receive WhatsApp messages from the business.
- Opt-in can be obtained via website form, in-store sign-up, paper form, or any method that clearly indicates WhatsApp messaging consent.
- The business name must be clearly identified at the point of opt-in.
- Business Users are solely responsible for maintaining records of customer opt-in.
6.2 24-Hour Messaging Window
We enforce Meta's 24-hour customer service window policy:
- Free-form messages (including AI-generated responses) can only be sent within 24 hours of the customer's last inbound message.
- Outside the 24-hour window, only pre-approved Meta message templates may be sent.
- Our platform automatically enforces this restriction at the technical level.
6.3 Opt-Out Mechanism
Customers can opt out of receiving WhatsApp messages at any time by:
- Sending the word "STOP", "stop", "unsubscribe", or "opt out" to the business number.
- Requesting removal through any channel (phone, email, in-person).
- Blocking the WhatsApp Business number directly.
Business Users using ChatOrbit must honor opt-out requests promptly (within 24 hours). Our platform provides opt-out tracking and automation to help ensure compliance.
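The two rules above (the 24-hour customer-service window in 6.2 and opt-out handling in 6.3) are simple enough to state as code. The following is an added illustration, not ChatOrbit's own implementation: the contact record layout, the function names and the sample conversation in `demo()` are all constructed for this example. It shows the one check a sending path has to make before each outbound message: an opted-out contact is never messaged, a pre-approved template may always be sent, and free-form text (typed or AI-generated) goes out only while the window opened by the customer's last inbound message is still open.

```python
from datetime import datetime, timedelta, timezone

# Meta's customer-service window: free-form messages only within 24 hours of
# the customer's last inbound message (Section 6.2).
SERVICE_WINDOW = timedelta(hours=24)

# Opt-out phrases from Section 6.3, matched case-insensitively after
# normalisation (so "STOP", "Stop!" and "opt-out" all count).
OPT_OUT_PHRASES = {"stop", "unsubscribe", "opt out"}


def normalise(text: str) -> str:
    """Lower-case, treat hyphens as spaces, collapse whitespace, drop trailing punctuation."""
    cleaned = text.strip().lower().replace("-", " ")
    cleaned = " ".join(cleaned.split())
    return cleaned.rstrip(".!?")


def is_opt_out(text: str) -> bool:
    """True when the whole message is one of the opt-out phrases."""
    return normalise(text) in OPT_OUT_PHRASES


def record_inbound(contact: dict, text: str, received_at: datetime) -> dict:
    """Update contact state for an inbound customer message.

    Every inbound message re-opens the 24-hour window; an opt-out phrase
    additionally flags the contact so no further messages are sent to it.
    The contact dict layout is an assumption of this example.
    """
    contact["last_inbound_at"] = received_at
    if is_opt_out(text):
        contact["opted_out"] = True
        contact["opted_out_at"] = received_at
    return contact


def within_service_window(contact: dict, now: datetime) -> bool:
    """True while less than 24 hours have passed since the last inbound message."""
    last = contact.get("last_inbound_at")
    return last is not None and (now - last) < SERVICE_WINDOW


def route_outbound(contact: dict, kind: str, now: datetime) -> tuple:
    """Decide whether an outbound message may be sent.

    kind is "freeform" (typed or AI-generated text) or "template"
    (a pre-approved Meta message template). Returns (decision, reason).
    """
    if contact.get("opted_out"):
        return ("block", "contact_opted_out")
    if kind == "template":
        return ("send", "approved_template")
    if kind == "freeform" and within_service_window(contact, now):
        return ("send", "inside_24h_window")
    return ("block", "outside_24h_window")


def demo() -> list:
    """Walk a constructed conversation and return the routing decisions in order."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    contact = {"phone": "+910000000000", "opted_out": False}  # constructed sample contact
    decisions = []
    decisions.append(route_outbound(contact, "freeform", t0))  # no inbound yet: block
    record_inbound(contact, "Hi, is the blue one in stock?", t0)
    decisions.append(route_outbound(contact, "freeform", t0 + timedelta(hours=23)))  # send
    decisions.append(route_outbound(contact, "freeform", t0 + timedelta(hours=25)))  # block
    decisions.append(route_outbound(contact, "template", t0 + timedelta(hours=25)))  # send
    record_inbound(contact, "STOP", t0 + timedelta(hours=26))
    decisions.append(route_outbound(contact, "template", t0 + timedelta(hours=26)))  # block
    return decisions


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The opt-out check deliberately matches the whole normalised message rather than searching for the word inside it, so "please stop sending the blue one" is treated as an ordinary customer message and not as an unsubscribe; a production system would also log the opt-out timestamp for the records Section 6.3 requires Business Users to keep.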
6.4 Content Restrictions
ChatOrbit enforces content policies consistent with Meta's WhatsApp Business Policy:
- Prohibited content includes spam, phishing, illegal goods/services, adult content, misleading claims, and content that violates intellectual property rights.
- We reserve the right to suspend or terminate accounts that violate these restrictions.
- Automated content moderation filters are in place to detect policy violations.
7 Data Sharing and Third Parties
We share personal data only when necessary and only with the categories of recipients listed below. We never sell personal data.
| Recipient | Data Shared | Purpose | Safeguards |
|---|---|---|---|
| Meta / WhatsApp | Messages, phone numbers, WABA credentials | Deliver messages via WhatsApp Cloud API | Meta's Data Processing Terms; encryption |
| AI Providers (OpenAI) | Conversation context, training data excerpts | Generate AI responses | DPA; API-level data non-retention; encryption |
| Payment Processor (Razorpay) | Billing name, email, payment details | Process subscription payments | PCI DSS Level 1; Razorpay Privacy Policy |
| Cloud Infrastructure | All Service data (encrypted) | Host and operate the platform | SOC 2 Type II; encryption at rest; DPA |
| Analytics (Aggregated) | Anonymized, aggregated usage data only | Service improvement; performance monitoring | No PII shared; aggregation and anonymization |
| Legal / Government | As required by valid legal process | Comply with law; protect rights | Only upon valid court order or legal obligation |
Business Transfers: In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, personal data may be transferred as part of the transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
8 Sub-Processors
We use the following sub-processors to deliver our Service. Each has a Data Processing Agreement (DPA) in place:
| Sub-Processor | Service | Location | Data Processed |
|---|---|---|---|
| Meta Platforms, Inc. | WhatsApp Cloud API | United States / Global | Messages, phone numbers |
| OpenAI, Inc. | AI response generation | United States | Conversation context |
| Razorpay Software Pvt. Ltd. | Payment processing | India | Billing data |
| MongoDB, Inc. | Database hosting | Configurable region | All application data (encrypted) |
We will notify Business Users of any material changes to our sub-processor list at least 30 days in advance via email.
9 International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence. When we transfer personal data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers of EEA/UK personal data to countries without an adequacy decision.
- Data Processing Agreements: All sub-processors are bound by DPAs that require equivalent levels of data protection.
- Encryption: All data in transit is encrypted via TLS 1.2+ regardless of destination.
- India DPDPA Compliance: Cross-border transfers from India are made in compliance with the Digital Personal Data Protection Act, 2023 and any rules notified by the Government of India regarding restricted jurisdictions.
10 Data Retention and Deletion
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required by law.
| Data Type | Retention Period | After Expiry |
|---|---|---|
| Account data | Duration of active account + 90 days after closure | Permanently deleted |
| Customer messages & conversations | 12 months from date of message | Automatically purged |
| Order & payment data | 12 months after order completion/cancellation (or as required by tax law) | Automatically purged |
| AI training data | Duration of active account + 30 days | Permanently deleted |
| Log & analytics data | 12 months | Automatically purged |
| Billing records | As required by applicable tax law (typically 5–7 years) | Deleted after legal obligation expires |
| Support communications | 24 months | Automatically purged |
Early Deletion: You may request deletion of your data at any time (see Section 12). We will process deletion requests within 30 days. Certain data may be retained longer where required by law (e.g., tax records, fraud prevention records).
Account Deletion: When you delete your ChatOrbit account, we will delete or anonymize all associated personal data and customer data within 30 days, except data we are legally required to retain.
11 Data Security
We implement industry-standard technical and organizational measures to protect your data:
11.1 Technical Measures
- Encryption in Transit: All data transmitted between your browser, our servers, and third-party APIs is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at Rest: Sensitive data including API tokens, WhatsApp access tokens, and credentials are encrypted using AES-256.
- Authentication: Secure JWT-based authentication with bcrypt password hashing (cost factor 12+). Support for two-factor authentication (2FA).
- Access Controls: Role-based access controls (RBAC) ensure employees access only data necessary for their role.
- Input Validation: Comprehensive server-side input validation and sanitization to prevent injection attacks.
- Rate Limiting: API rate limiting and DDoS protection to prevent abuse.
11.2 Organizational Measures
- Regular security assessments and code reviews.
- Principle of least privilege for all team members.
- Security awareness training for all personnel.
- Vendor security assessments before onboarding sub-processors.
- Incident response procedures (see Section 20).
12 Your Rights (All Jurisdictions)
Regardless of where you are located, we provide the following rights to all users:
- Right to Access: Request a copy of all personal data we hold about you in a structured, machine-readable format (CSV or JSON).
- Right to Correction: Request correction of inaccurate or incomplete personal data. We will update records promptly.
- Right to Deletion: Request permanent deletion of your personal data and all associated customer data. Processed within 30 days.
- Right to Data Portability: Receive your data in a machine-readable format (CSV/JSON) for transfer to another service.
- Right to Restrict Processing: Request that we temporarily stop processing your personal data while a dispute or request is being resolved.
- Right to Withdraw Consent: Withdraw consent for any processing based on consent at any time, without affecting prior processing.
- Right to Object: Object to processing based on legitimate interests. We will cease processing unless we have compelling grounds.
Exercising your privacy rights will never result in discriminatory treatment, different pricing, or reduced service quality.
How to Exercise Your Rights
Submit requests via any of the following methods:
- Email: hirenchheta123@gmail.com
- Dashboard: Settings → Privacy → Data Requests (self-service, when available)
- Mail: ChatOrbit, Attn: Privacy Team, India (address provided upon request)
We will acknowledge your request within 72 hours and fulfill it within 30 days. If we need more time (up to 60 additional days for complex requests), we will notify you with an explanation.
We may verify your identity before processing requests to protect your data from unauthorized access.
13 GDPR-Specific Rights (EEA/UK)
If you are located in the European Economic Area (EEA) or the United Kingdom, the following additional rights apply under the General Data Protection Regulation (GDPR) and UK GDPR:
- Automated Decision-Making (Article 22): Our AI generates suggested responses, but Business Users retain full control to review, edit, and approve messages before they are sent. You have the right to request human review of any automated decision that significantly affects you.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local Supervisory Authority if you believe our processing of your personal data violates the GDPR. A list of EEA Supervisory Authorities is available at edpb.europa.eu.
- Data Protection Officer: For GDPR-related inquiries, contact our designated point of contact at hirenchheta123@gmail.com.
- International Transfers: For transfers of EEA/UK data outside of the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, as described in Section 9.
14 CCPA/CPRA Rights (California)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You can request that we disclose the categories and specific pieces of personal information we collect, the categories of sources, the business purpose, and the categories of third parties we share data with.
- Right to Delete: You can request deletion of personal information we collected from you, subject to certain exceptions (e.g., legal obligations).
- Right to Correct: You can request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do NOT sell personal information. We do NOT share personal information for cross-context behavioral advertising. Therefore, there is no need to opt out — but you retain this right should our practices ever change.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Categories of Personal Information Collected (per CCPA):
- Identifiers (name, email, phone number, IP address)
- Commercial information (subscription history, payment records)
- Internet/network activity (usage data, log data, cookies)
- Professional/employment information (business name, role)
Do Not Sell or Share My Personal Information: ChatOrbit does not sell or share (as defined by CCPA/CPRA) personal information. This applies to all users, not just California residents.
To submit a CCPA request, email hirenchheta123@gmail.com with the subject line "CCPA Request". We will respond within 45 days.
15 India DPDPA Rights
If you are located in India, the following rights apply under the Digital Personal Data Protection Act, 2023 (DPDPA):
- Right to Access: You (as a "Data Principal") have the right to obtain a summary of your personal data being processed and the processing activities related to it.
- Right to Correction and Erasure: You have the right to request correction of inaccurate or misleading data, completion of incomplete data, updating of outdated data, and erasure of data that is no longer necessary for the purpose for which it was collected.
- Right to Grievance Redressal: You have the right to have your grievances addressed. See Section 21 for Grievance Officer details.
- Right to Nominate: In the event of your death or incapacity, you have the right to nominate another person to exercise your rights under the DPDPA.
- Consent Withdrawal: Upon withdrawal of consent, we will cease processing your data and delete it within 30 days, unless retention is required by Indian law.
16 Meta Platform Data Deletion
In compliance with Meta Platform Terms and Developer Policies, we provide the following data deletion mechanisms:
16.1 Data Deletion Request Callback
ChatOrbit implements Meta's Data Deletion Request Callback. When a user requests deletion of their data from Facebook/Meta:
- Meta sends a signed deletion request to our callback URL.
- We initiate the deletion process within 24 hours of receiving the request.
- A confirmation code and status check URL are provided to the user.
- All data associated with the user's Meta/Facebook account is permanently deleted within 30 days.
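The callback described in 16.1 follows Meta's published Data Deletion Request Callback format: Meta POSTs a `signed_request` value of the form `base64url(signature).base64url(payload)`, where the signature is HMAC-SHA256 over the encoded payload string keyed with the app secret, and the endpoint answers with a JSON object carrying a status `url` and a `confirmation_code`. The block below is an added example of the verification and queuing logic, not ChatOrbit's own code; `APP_SECRET`, `STATUS_URL`, the in-memory `DeletionQueue` and the function names are assumptions, and `make_signed_request` exists only to construct test input the way Meta would sign it.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Hypothetical values: a real deployment reads the app secret from its secret
# store and the status-page URL from configuration.
APP_SECRET = "constructed-app-secret-not-real"
STATUS_URL = "https://example.invalid/meta-deletion-status"


def _b64url_decode(s: str) -> bytes:
    """Meta omits base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request: str, app_secret: str) -> dict:
    """Verify and decode a signed_request; raises ValueError on malformed or forged input.

    The MAC is checked (in constant time) before the payload is parsed, so
    unauthenticated JSON is never interpreted.
    """
    try:
        encoded_sig, payload = signed_request.split(".", 1)
    except ValueError:
        raise ValueError("signed_request must be '<sig>.<payload>'")
    expected = hmac.new(app_secret.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(encoded_sig), expected):
        raise ValueError("signature mismatch")
    data = json.loads(_b64url_decode(payload))
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    if "user_id" not in data:
        raise ValueError("payload has no user_id")
    return data


def is_valid_signed_request(signed_request: str, app_secret: str) -> bool:
    """Boolean wrapper around parse_signed_request for callers that only need accept/reject."""
    try:
        parse_signed_request(signed_request, app_secret)
        return True
    except ValueError:
        return False


class DeletionQueue:
    """In-memory stand-in for the deletion job store; constructed for this example."""

    def __init__(self):
        self.jobs = {}  # confirmation_code -> job record

    def enqueue(self, user_id: str, requested_at: datetime) -> str:
        code = secrets.token_urlsafe(12)  # unguessable confirmation code
        self.jobs[code] = {"user_id": user_id, "requested_at": requested_at, "status": "pending"}
        return code

    def status(self, code: str):
        job = self.jobs.get(code)
        return job["status"] if job else None


def handle_deletion_callback(signed_request: str, queue: DeletionQueue,
                             app_secret: str = APP_SECRET) -> dict:
    """Endpoint logic: verify the request, queue the deletion, return the JSON Meta expects."""
    data = parse_signed_request(signed_request, app_secret)
    code = queue.enqueue(str(data["user_id"]), datetime.now(timezone.utc))
    return {"url": f"{STATUS_URL}?id={code}", "confirmation_code": code}


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Build a signed_request the way Meta signs it; used here only to construct test input."""
    encoded_payload = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret.encode(), encoded_payload.encode(), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{encoded_payload}"


if __name__ == "__main__":
    queue = DeletionQueue()
    sample = make_signed_request(
        {"algorithm": "HMAC-SHA256", "issued_at": 1700000000, "user_id": "1234567890"}, APP_SECRET)
    print(handle_deletion_callback(sample, queue))
```

Two properties matter for a defender here: the HMAC comparison uses `hmac.compare_digest` so timing does not leak the expected signature, and the confirmation code is random rather than derived from the user id, so the status URL cannot be enumerated to learn which accounts have pending deletions.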
16.2 Manual Data Deletion
You can also request data deletion at any time by:
- Emailing hirenchheta123@gmail.com with the subject "Data Deletion Request".
- Using the "Delete My Account" option in the ChatOrbit dashboard (Settings → Account → Delete Account).
16.3 Scope of Deletion
Upon receiving a valid deletion request, we delete:
- Your account profile and registration data.
- All WhatsApp Business Account connection data and access tokens.
- All customer conversation history and message content.
- All AI training data and chatbot configurations.
- All order and payment metadata (unless required by tax law).
- All analytics and usage data associated with your account.
Data retained for legal obligations (tax records, fraud prevention logs) will be deleted when the retention obligation expires.
17 Cookies and Tracking Technologies
17.1 Cookies We Use
| Cookie Type | Purpose | Duration | Required? |
|---|---|---|---|
| Essential / Strictly Necessary | Authentication, session management, security (CSRF protection) | Session / 24 hours | Yes — Service cannot function without these |
| Functional / Preferences | Remember language preferences, theme selection (dark/light mode), dashboard settings | 12 months | No — but opt-out may degrade experience |
| Analytics (if enabled) | Aggregated, anonymized usage statistics to improve Service performance | 12 months | No — opt-in only; requires consent |
17.2 What We Do NOT Use
- We do NOT use advertising cookies or third-party tracking pixels.
- We do NOT use cross-site tracking technologies.
- We do NOT participate in advertising networks or real-time bidding.
- We do NOT use browser fingerprinting.
17.3 Managing Cookies
You can manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Note that blocking essential cookies will prevent you from using the Service.
18 Children's Privacy
ChatOrbit is a business-to-business (B2B) service designed for use by businesses and professionals. Our Service is NOT directed at individuals under the age of 18 (or the applicable age of majority in your jurisdiction).
- We do not knowingly collect personal data from children under 18.
- We do not knowingly allow children to register for accounts.
- If we become aware that we have inadvertently collected personal data from a child under 18, we will delete such data promptly and without requiring a request.
- If you believe a child has provided us with personal data, please contact us immediately at hirenchheta123@gmail.com.
This policy is consistent with the requirements of the U.S. Children's Online Privacy Protection Act (COPPA), India's DPDPA provisions on children's data, and GDPR Article 8.
19 Third-Party Links
Our Service may contain links to third-party websites, services, or applications that are not operated by us. These include, but are not limited to, Meta/WhatsApp, Razorpay, and OpenAI.
- We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services.
- We strongly encourage you to review the privacy policy of every site you visit.
- The inclusion of a link does not imply endorsement of the linked site.
20 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach (as required by GDPR Article 33 and India DPDPA).
- Notify relevant authorities: Report to the applicable Supervisory Authority (for GDPR), the Data Protection Board of India (for DPDPA), and any other relevant regulatory body as required by law.
- Describe the breach: Provide details of the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach.
- Mitigate harm: Take immediate steps to contain the breach, prevent further unauthorized access, and minimize impact.
21 Grievance Officer (India)
In compliance with India's Digital Personal Data Protection Act, 2023 (Section 13) and Information Technology Act, 2000, we have appointed a Grievance Officer:
Name: Hiren Chheta
Email: hirenchheta123@gmail.com
Response Time: Within 30 days of receiving a grievance
If you are unsatisfied with our response, you may file a complaint with the Data Protection Board of India.
22 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- Material Changes: We will notify you via email at least 30 days before the changes take effect, and update the "Last Updated" date at the top of this page.
- Minor Changes: Non-material changes (e.g., formatting, clarifications) will be reflected with an updated "Last Updated" date.
- Continued Use: Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Policy. If you disagree with any changes, you may delete your account before the effective date.
We encourage you to review this Policy periodically.
23 Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, your personal data, or our data practices, please contact us:
| Purpose | Contact |
|---|---|
| General Privacy Inquiries | hirenchheta123@gmail.com |
| Data Deletion Requests | hirenchheta123@gmail.com (Subject: "Data Deletion Request") |
| GDPR / CCPA / DPDPA Rights Requests | hirenchheta123@gmail.com (Subject: "[Law] Request") |
| Grievance Officer (India) | hirenchheta123@gmail.com |
| General Support | hirenchheta123@gmail.com |
| Company | ChatOrbit (operated by Hiren Chheta), India |