Privacy Policy

This Privacy Policy describes how EvolvePro Tech Solutions Private Limited ("Splashify Pro", "we", "us", or "our") collects, uses, discloses, stores, and protects information about you when you visit splashifypro.com (the "Website"), use our mobile applications, or subscribe to our software services (collectively, the "Services").

We are a Meta-verified WhatsApp Business Solution Provider (BSP) headquartered in India. We are committed to protecting your privacy and complying with applicable data protection laws, including the Digital Personal Data Protection Act, 2023 ("DPDP Act") of India and, where applicable, the EU General Data Protection Regulation ("GDPR").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use our Services.

For the purposes of the DPDP Act and GDPR, the data controller / data fiduciary responsible for your personal data is:

You may contact our Data Protection Officer at dpo@splashifypro.in for any privacy-related questions, complaints, or requests to exercise your rights.

3.1 Information you provide to us

• Account information: name, email address, mobile number, business name, GSTIN (where applicable), billing address, password (stored only as a salted bcrypt hash).
• Payment information: processed securely by our payment partners (Razorpay, Zoho Payments, PhonePe, PayU). We do not store full card numbers, CVV, or UPI PIN. We retain only payment-method tokens, last 4 digits of card, payment references, and transaction status.
• Business content: WhatsApp message templates, broadcast content, chatbot flows, contact lists you upload, custom contact fields, AI agent knowledge base content, media (images, videos, documents) you upload to our platform.
• Communications: support tickets, demo requests, contact-form submissions, chat-widget conversations with our Maya AI assistant, and email correspondence.
• KYC documents: for RCS messaging activation, business verification, or compliance purposes — government-issued business identifiers, registration certificates, and authorised-signatory information.

3.2 Information we collect automatically

• Device & log data: IP address, browser type, operating system, device identifiers, referring URL, pages visited, timestamps, click events, and session duration.
• Cookies & similar technologies: session cookies, preference cookies, and analytics cookies (see Section 8 below for details).
• WhatsApp / Instagram / RCS data: when you connect your business channels, we receive and process inbound and outbound message metadata, contact phone numbers, message status events (sent / delivered / read), and webhook payloads from Meta and partner networks.
• Customer-of-customer data: when your end-customers message your connected WhatsApp / Instagram / RCS number, we process their phone numbers, profile names (where shared by Meta), and message content. You are the data controller / fiduciary for this data; we act as a data processor on your behalf.

3.3 Information from third parties

• Meta (Facebook & Instagram): when you connect your WhatsApp Business Account or Instagram via Embedded Signup, Meta provides us with your account details, phone numbers, page identifiers, and webhook events.
• Payment partners: Razorpay, Zoho, PhonePe, and PayU share payment confirmation, refund status, and dispute information.
• Reseller partners: if you are a client of a Splashify Pro reseller, the reseller may share your account information with us as part of provisioning.

We use your personal data for the following lawful purposes:

• Service delivery: create and manage your account, authenticate logins, provision WhatsApp / Instagram / RCS channels, route messages, store templates and conversation history, process broadcasts, run chatbot flows, generate AI agent responses.
• Billing & payments: process subscription payments, generate GST-compliant invoices, deduct per-message charges from your wallet, issue refunds, prevent fraud.
• Customer support: respond to support tickets, troubleshoot issues, provide demos, train you on platform features.
• Service improvement: analyse aggregated, de-identified usage patterns to improve features, fix bugs, and prioritise roadmap.
• Communications: send transactional emails (account confirmations, password resets, billing receipts, security alerts) and, with your consent, promotional emails about new features.
• Legal & compliance: comply with applicable laws, court orders, regulatory requirements, Meta WhatsApp Business policies, and to enforce our Terms of Service.
• Security: detect and prevent abuse, fraud, account takeovers, spam, and platform misuse.

Under the DPDP Act and GDPR, we rely on the following lawful bases:

• Performance of contract: to provide the Services you have signed up for.
• Legitimate interests: for service security, fraud prevention, product improvement, and communicating service-essential updates.
• Legal obligation: to comply with tax, accounting, anti-money laundering, and other regulatory requirements.
• Consent: for marketing communications, optional analytics cookies, and any processing not covered by the bases above. You may withdraw consent at any time without affecting the lawfulness of prior processing.

We do not sell your personal data. We share information only with the parties listed below, and only to the extent necessary to deliver the Services:

6.1 Service providers (sub-processors)

• Meta Platforms, Inc. — WhatsApp Business API, Instagram Graph API, Click-to-WhatsApp Ads, Conversion API.
• Payment gateways — Razorpay, Zoho Payments, PhonePe, PayU (transaction processing only).
• Cloud infrastructure — DigitalOcean (compute, storage, ScyllaDB clusters), CDN providers (asset delivery).
• AI providers — Sarvam AI (Indian-language chatbot replies), Anthropic (advanced AI features). Knowledge-base content and conversation context you opt to send to AI agents are transmitted to these providers under their privacy terms.
• Email & notifications — transactional email providers, OneSignal (push notifications), WhatsApp OTP delivery.
• Analytics — Google Analytics 4, Google Tag Manager, Meta Pixel, Sentry (error tracking) — see Section 8.
• Billing & invoicing — Zoho Books for GST-compliant invoicing.

6.2 Resellers

If you signed up through a Splashify Pro reseller (white-label partner), the reseller can access your account, billing, and usage information necessary to provide support and manage your subscription. Resellers are contractually bound to handle your data in line with this Privacy Policy.

6.3 Legal disclosures

We may disclose information when required by Indian law, a valid court order, or a legitimate request from law enforcement. We will notify you of such disclosure unless legally prohibited.

6.4 Business transfers

If we undergo a merger, acquisition, or sale of assets, your information may be transferred to the successor entity. You will be notified by email and on this site.

We retain personal data only as long as necessary for the purposes collected:

• Active accounts: as long as your account is active.
• Closed accounts: account information retained for 90 days for recovery, then anonymised or deleted (except where law requires longer retention).
• Billing & tax records: retained for at least 8 years to comply with the Indian Income Tax Act and GST regulations.
• Conversation history: retained as long as your account is active or until you delete it from your dashboard. Backups are retained for an additional 30 days for disaster recovery.
• Activity & audit logs: retained for 12 months for security and compliance.

We use the following categories of cookies on our Website:

• Strictly necessary: session cookies, CSRF tokens, authentication tokens. Required for the Services to function — cannot be disabled.
• Functional: remembers your preferences (language, billing cycle).
• Analytics: Google Analytics 4, Google Tag Manager — measure traffic and feature usage.
• Advertising: Meta Pixel — measures ad effectiveness and enables retargeting via Facebook & Instagram. We pass conversion events through Meta's Conversions API for cross-device measurement.

You can manage cookies through your browser settings. Blocking analytics or advertising cookies will not affect access to the Services but may reduce personalisation.

We protect your data with the following technical and organisational measures:

• Encryption in transit: all traffic uses TLS 1.2 or higher.
• Encryption at rest: sensitive fields (access tokens, integration credentials) are encrypted with AES-256.
• Authentication: bcrypt-hashed passwords, JWT-based session tokens, two-factor authentication via WhatsApp OTP and email OTP.
• Access controls: role-based permissions, principle of least privilege, audit logs for all admin actions.
• Infrastructure: isolated network zones, automated security patching, DDoS protection, rate limiting.
• Backups: daily automated backups with encryption, retained for 30 days.
• Incident response: documented breach-notification procedure. In the event of a personal data breach affecting you, we will notify you within 72 hours of discovery, as required by the DPDP Act.

No system is 100% secure. While we use industry-standard safeguards, we cannot guarantee absolute security. You are responsible for protecting your account credentials.

Subject to the DPDP Act, GDPR (where applicable), and other relevant laws, you have the following rights regarding your personal data:

• Right to access: request a copy of the personal data we hold about you.
• Right to correction: request correction of inaccurate or incomplete data.
• Right to erasure: request deletion of your data, subject to legal retention obligations.
• Right to data portability: receive your data in a structured, machine-readable format and request transfer to another controller (where technically feasible).
• Right to withdraw consent: at any time, without affecting the lawfulness of prior processing.
• Right to grievance redressal: raise complaints with our DPO. If unresolved, you may escalate to the Data Protection Board of India under the DPDP Act, or to your local supervisory authority under GDPR.
• Right to nominate: nominate another individual to exercise your rights in case of death or incapacity (DPDP Act, Section 14).

To exercise any of these rights, email dpo@splashifypro.in from your registered email address. We will respond within 30 days.

Your data is primarily stored on servers located in India. Some sub-processors (Meta, Anthropic, Google) may process data outside India. When this occurs, we rely on:

• Standard Contractual Clauses (SCCs) for transfers from the EU.
• Compliance with the Indian Government's notified country list under DPDP Act Section 16.
• Contractual data-protection terms with each sub-processor.

Our Services are intended for businesses and are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us personal data without parental consent, contact dpo@splashifypro.in and we will delete the information promptly.

If you use the Splashify Pro Email API at partner.splashifypro.com to send email to your own end-customers, additional terms apply. In that scenario you act as the Data Fiduciary / Controller for the recipient personal data you send through our service, and we act as the Data Processor. The full processor obligations, sub-processor list, retention schedule, breach notification process, and audit rights live in our partner-side legal documents:

• Data Processing Agreement — DPDP Act 2023 + GDPR Article 28 written contract.
• Acceptable Use Policy — banned content, banned recipient practices, regulated industries.
• Anti-Spam Policy — consent rules, list-acquisition restrictions, unsubscribe handling.
• Auto-Action System — automated thresholds that throttle, pause, or terminate accounts.
• Incident Response — vulnerability reports, abuse reports, breach notifications.

For email recipient data, we retain message bodies for 30 days, delivery metadata (open/click/bounce events) for 18 months, and suppression-list entries until the partner removes them or terminates the account. All processing is on the partner's documented instructions.

Recipients who wish to exercise rights under the DPDP Act or GDPR regarding email they received should contact the sender (the partner) directly — we process recipient data only on the sender's instruction. Where we receive direct requests from recipients, we forward them to the responsible partner within 48 hours.

The Services may contain links to third-party websites (e.g., payment gateway pages, documentation hosted on partner platforms). We are not responsible for the privacy practices of those sites. Review their privacy policies before providing personal data.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. The "Effective" date at the top of this page indicates the latest revision. Material changes will be notified by email and via a prominent notice on the Website at least 7 days before they take effect. Your continued use of the Services after changes take effect constitutes acceptance.

For privacy questions, requests to exercise your rights, or grievances: