Privacy Policy

1. Who We Are

Indescape Technologies ("Indescape", "we", "us", "our") is a SaaS company registered under Indian law, providing a WhatsApp CRM and automation platform for Indian small and medium businesses. Our registered address is in India.

As a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act), we are responsible for determining the purposes and means of processing personal data on our platform.

For privacy-related matters, contact us at: privacy@indescape.com

2. Information We Collect

2.1 Account and Business Information

When you register an Indescape account, we collect:

• Business name, type, and description
• Owner name, email address, and mobile number
• GST number (if provided for invoicing)
• WhatsApp Business Account (WABA) credentials via Meta Embedded Signup
• Subscription plan and billing information (processed via Razorpay)

2.2 Customer Data You Upload

When you use Indescape to manage your customers, you upload or import customer data to our platform. This may include:

• Customer names and WhatsApp phone numbers
• Email addresses and other contact details
• Purchase history, booking records, and tags you create
• WhatsApp conversation history and message logs

2.3 Usage and Technical Data

• IP addresses and browser/device information
• Pages visited, features used, and time spent on the platform
• API request logs for debugging and security purposes
• Error logs (anonymised where possible)

3. How We Use Your Information

We use your information to:

• Provide, operate, and maintain the Indescape platform
• Process your WhatsApp messages, campaigns, and automation flows through the Meta WhatsApp Business API
• Send you service emails: account confirmation, billing receipts, trial expiry notices, and product updates
• Generate GST-compliant invoices for your subscription
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations including the DPDP Act 2023 and GST regulations
• Improve the platform through aggregated, anonymised analytics

We do not sell your personal data or your customers' data to any third party. We do not use your customers' data for our own marketing purposes.

4. Legal Basis for Processing

Under the DPDP Act 2023, we process personal data on the following grounds:

• Contract performance: Processing necessary to provide the Indescape service you have subscribed to
• Legitimate interests: Security monitoring, fraud prevention, and product improvement (where not overridden by your rights)
• Legal compliance: Processing required to meet our obligations under Indian law (GST, DPDP, IT Act)
• Consent: For any optional communications or uses not covered above, we will obtain your explicit consent

5. Data Storage and Security

5.1 Where Data is Stored

Your data is stored on cloud infrastructure located primarily in the Asia-Pacific region (Singapore / India). We use reputable cloud providers with ISO 27001 certification and SOC 2 compliance.

5.2 Security Measures

We implement industry-standard security controls including:

• AES-256-GCM field-level encryption for sensitive personal data (phone numbers, email addresses, WhatsApp message content)
• Bcrypt password hashing (never stored in plaintext)
• HTTPS/TLS 1.2+ for all data in transit
• JWT-based authentication with short-lived tokens
• Rate limiting and account lockout to prevent brute-force attacks
• Regular security audits and dependency updates

5.3 Data Breach Notification

In the event of a personal data breach that poses risk to Data Principals, we will notify affected users and the Data Protection Board of India within the timeframes required by the DPDP Act 2023.

6. Data Sharing and Third Parties

We share data only as necessary to provide the service. Our key third-party processors are:

• Meta Platforms Inc. — For WhatsApp Business API message routing. Messages you send via Indescape pass through Meta's infrastructure. Meta's WhatsApp Business Policy applies.
• Razorpay Software Pvt. Ltd. — Payment processing for subscriptions. We do not store card or UPI details; Razorpay handles PCI-DSS compliance.
• Cloud infrastructure providers — Hosting and database services (data stored in Asia-Pacific region).
• Shipping partners (Shiprocket, Delhivery, Blue Dart, DTDC etc.) — Only when you use the commerce module and trigger shipping integrations. Only order and recipient data needed for that shipment is shared.

We do not share data with any other third parties without your explicit consent, except where legally required by a court order or government authority under Indian law.

7. Your Rights under DPDP Act 2023

As a Data Principal under the DPDP Act 2023, you have the following rights regarding your personal data held by Indescape:

• Right to access: Request a summary of personal data we hold about you and how it is being used
• Right to correction: Request correction of inaccurate or incomplete personal data
• Right to erasure: Request deletion of your personal data (subject to legal retention requirements)
• Right to grievance redressal: Lodge a complaint with our Grievance Officer if you believe your rights have been violated
• Right to nominate: Nominate another person to exercise your rights in the event of death or incapacity

If your request is not addressed satisfactorily, you may approach the Data Protection Board of India once it is constituted under the DPDP Act 2023.

8. WhatsApp and Meta Data

Indescape uses Meta's official WhatsApp Business Platform APIs to enable WhatsApp CRM, messaging, automation, and commerce workflows for verified businesses. When you connect your WhatsApp Business Account to Indescape via Meta Embedded Signup:

• We receive and store your WhatsApp Business Account ID, phone number ID, and a system user access token
• We receive incoming WhatsApp messages via Meta's webhook system and store them for CRM purposes
• We send outbound messages on your behalf via the WhatsApp Business API
• Meta may store message metadata according to their own Privacy Policy

You can disconnect your WhatsApp Business Account from Indescape at any time from Settings. This will revoke our access token and stop message routing.

For Meta's data deletion requests, see our Data Deletion page.

9. Cookies and Tracking

Our marketing website (indescape.com) uses minimal cookies:

• Strictly necessary cookies: Required for the website to function (session management, CSRF protection)
• Analytics cookies: Anonymised usage statistics to understand how visitors use the site (no personal identification)

The Indescape dashboard (app.indescape.com) uses browser localStorage to maintain your login session. No advertising or cross-site tracking cookies are used.

10. Data Retention

We retain your data for as long as your account is active and as required by law:

• Account data: Retained while your account is active + 90 days after cancellation for recovery purposes
• Customer data (contacts, messages): Retained while your account is active; deleted within 30 days of account closure
• Billing records: Retained for 7 years as required under Indian GST and Companies Act regulations
• Security logs: Retained for 90 days

You can request early deletion of your personal data from Settings → Privacy & Compliance → Delete Account. Billing records required by law cannot be deleted before their statutory retention period.

11. Children's Data

Indescape is a B2B SaaS platform intended for use by business owners and their staff. It is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, contact us immediately at privacy@indescape.com and we will delete it promptly.

12. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Send a notice to your registered email address at least 14 days before changes take effect
• Display an in-app notification in the Indescape dashboard

Your continued use of Indescape after the effective date of a revised policy constitutes your acceptance of the changes.