Privacy Policy

Effective date: 1 June 2025 · Last updated: 1 June 2025

1. Introduction

ZAPREACH ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the ZAPREACH platform.

This Policy is compliant with the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and SPDI) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDPA).

By registering or using ZAPREACH, you consent to the data practices described in this Policy as a Data Principal under the DPDPA 2023.

2. Data Controller / Fiduciary

ZAPREACH acts as a Data Fiduciary under DPDPA 2023 and a Data Controller under applicable international standards. Contact us at: privacy@zapreach.io

3. Information We Collect

3.1 Information You Provide

  • Account data: Name, email address, password (hashed), company name, phone number.
  • WhatsApp configuration: WhatsApp Business Account ID, Phone Number ID, API token (encrypted at rest).
  • Contact data: Names, phone numbers, email addresses of your customers that you import or create.
  • Campaign & message content: Message templates, campaign settings, sent messages.
  • Payment data: Billing address, GST number. Full card details are processed directly by Razorpay — we do not store card numbers.
  • Support communications: Messages you send to our support team.

3.2 Automatically Collected Data

  • IP address, browser type, device information, and operating system.
  • Usage data: pages visited, features used, session duration, click paths.
  • Log data: error logs, API request logs (for debugging and security).
  • Cookies and similar tracking technologies (see Section 9).

3.3 Data from Third Parties

  • Meta / WhatsApp: Message delivery status (sent, delivered, read, failed), template approval status, webhook events.
  • Razorpay: Payment status, transaction IDs, and payment confirmation details.
  • Google LLC (OAuth 2.0): If you choose "Continue with Google", we receive via the Google OAuth 2.0 protocol:
    • Your full name as registered with Google.
    • Your Google account email address (used as your ZAPREACH login identity).
    • Your Google profile picture URL (displayed as your avatar).
    We do not receive your Google password, payment methods, contacts, or any other Google account data. The OAuth token is used only to verify your identity at sign-in and is not stored beyond the session. Google sign-in users do not have a ZAPREACH password — account security depends on your Google account credentials.

4. How We Use Your Information

  • To create and manage your account and authenticate your identity.
  • To provide, operate, and improve the Platform.
  • To process payments via Razorpay and manage your subscription.
  • To send WhatsApp campaigns and automated messages on your behalf through Meta's API.
  • To provide customer support and respond to your queries.
  • To send transactional emails (account alerts, invoice receipts, plan renewals).
  • To detect, prevent, and address fraud, abuse, spam, and security incidents.
  • To comply with legal obligations under Indian law.
  • To send promotional communications about ZAPREACH features — you may opt out at any time via the unsubscribe link or account settings.

We process personal data only for the specific purpose for which it was collected, in accordance with the purpose limitation principle under DPDPA 2023.

5. Legal Basis for Processing

  • Consent: Registration, marketing communications, cookie placement.
  • Contractual necessity: Processing needed to deliver the subscribed service.
  • Legal obligation: Compliance with Indian tax laws, IT Act, and court orders.
  • Legitimate interests: Security monitoring, fraud prevention, product analytics.

6. Data Sharing & Disclosure

We do not sell your personal data. We share data only in the following circumstances:

  • Meta Platforms, Inc.: Message content and recipient phone numbers are transmitted to Meta's WhatsApp Business API to deliver messages on your behalf. Meta's data processing is governed by their Data Policy.
  • Razorpay Software Pvt. Ltd.: Billing information is shared to process payments. Razorpay is PCI-DSS certified and operates under RBI guidelines. See Razorpay's Privacy Policy.
  • Google LLC: When you sign in via Google OAuth, your authentication request is processed by Google's servers. ZAPREACH receives only the profile data described in Section 3.3. Google's data processing is governed by Google's Privacy Policy.
  • Cloud infrastructure providers: Hosting providers process data solely on our instructions under data processing agreements.
  • Legal authorities: We may disclose data in response to lawful requests from Indian government agencies, courts, or law enforcement, as required under the IT Act 2000 or DPDPA 2023.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred. You will be notified with an option to delete your account before any such transfer.

7. Data Retention

  • Active accounts: Data is retained for the duration of your subscription.
  • After account deletion: Personal data is deleted within 90 days, except where retention is required by law (e.g. financial records retained for 7 years under Indian accounting laws).
  • Backup copies: May persist in encrypted backups for up to 180 days after deletion.
  • Message logs: Retained for 12 months for delivery tracking and dispute resolution, then anonymised or deleted.

8. Data Security

ZAPREACH implements security practices as required under Rule 8 of the IT (SPDI) Rules, 2011:

  • Passwords stored as bcrypt hashes — never in plain text. Google OAuth users have no ZAPREACH password; their identity is verified exclusively through Google's secure OAuth 2.0 flow.
  • WhatsApp API tokens encrypted at rest using AES-256.
  • All data in transit protected by TLS 1.2 or higher.
  • Database access restricted to authorised personnel with role-based access controls.
  • Regular security audits and vulnerability assessments.
  • Incident response plan for data breaches, with notification within 72 hours as required by DPDPA 2023.

9. Cookies

We use cookies and similar technologies for authentication (session cookies), security (CSRF protection), analytics, and user preferences. You can control cookies through your browser settings; however, disabling essential cookies may prevent access to certain features.

10. Your Rights (DPDPA 2023 & IT Act)

As a Data Principal under DPDPA 2023, you have the right to:

  • Access: Request a summary of your personal data we hold.
  • Correction: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data (subject to legal retention requirements).
  • Grievance redressal: Raise a complaint with our Data Protection Officer.
  • Withdraw consent: Withdraw previously given consent. This will not affect lawful processing prior to withdrawal.
  • Nominate: Nominate another person to exercise rights on your behalf in the event of death or incapacity.

To exercise your rights, email us at privacy@zapreach.io. We will respond within 30 days.

11. Children's Privacy

ZAPREACH is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us personal data, contact us at privacy@zapreach.io for immediate deletion.

12. International Data Transfers

Data may be processed in countries outside India for the following purposes:

  • Meta Platforms, Inc. (USA): Message content and recipient data transmitted to Meta's WhatsApp Business API for message delivery.
  • Google LLC (USA): Authentication requests for Google OAuth sign-in are processed on Google's servers. Only the profile data described in Section 3.3 is returned to ZAPREACH.
  • Razorpay (India): Payment processing remains within India under RBI regulations.

All cross-border transfers comply with applicable provisions under DPDPA 2023 and are governed by data processing agreements with standard contractual clauses.

13. Grievance Officer

In accordance with the IT Act, 2000 and IT (Intermediary Guidelines) Rules, 2021, we have designated a Grievance Officer:

Grievance Officer — ZAPREACH

Email: grievance@zapreach.io

Response time: within 24 hours of receipt; resolution within 15 days.

14. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified via email and in-app banner at least 7 days before they take effect. Continued use of the Platform after the effective date constitutes your acceptance.

15. Contact

ZAPREACH — Data Privacy

Email: privacy@zapreach.io