🔒 GDPR Compliant

Privacy Policy

Last updated: February 27, 2026 · Applies to all SocialAPI users and sub-processors

1 Who We Are

This Privacy Policy is published by Zivaan Solutions, a company incorporated in India, operating the SocialAPI platform ("we", "us", "our"). SocialAPI provides a WhatsApp Business API SaaS platform enabling businesses to send, receive, and manage WhatsApp communications at scale.

For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent data protection laws in other jurisdictions, Zivaan Solutions acts as:

  • Data Controller — for the personal data of our own users (account holders, administrators, agents) who directly use the SocialAPI platform
  • Data Processor — for the personal data of end-users (your customers' contacts) that you, the Customer (as Data Controller), instruct us to process via the platform

This Policy applies to all data collected, processed, or stored in connection with your use of the Service, our website, our APIs, and any related communications.

2 Definitions

  • Personal Data: Any information that relates to an identified or identifiable natural person ("Data Subject")
  • Processing: Any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, or deletion
  • Data Controller: The natural or legal person who determines the purposes and means of processing Personal Data
  • Data Processor: A party that processes Personal Data on behalf of the Data Controller
  • Data Subject: The individual to whom the Personal Data relates
  • WABA: WhatsApp Business Account — a verified business profile on Meta's WhatsApp platform
  • Sub-processor: A third-party entity engaged by us to process Personal Data in the context of providing the Service
  • Supervisory Authority: A public authority responsible for monitoring compliance with data protection laws

3 Data We Collect

We collect the following categories of data:

A. Account & Registration Data

  • Full name, business name, email address, phone number
  • Password (stored as a one-way hash — never in plaintext)
  • Company size, industry, country
  • WhatsApp Business Account ID, phone number display name, and WABA credentials

B. Billing & Financial Data

  • Subscription plan, billing cycle, invoice history
  • Payment method details (processed securely via our payment gateway; we do not store card numbers)
  • GST/VAT identification numbers where applicable

C. Usage & Technical Data

  • API request logs (timestamps, endpoints, response codes) — retained for debugging and security
  • Webhook delivery logs and message delivery status records
  • IP addresses, browser user-agent strings, and session identifiers
  • Feature usage patterns and dashboard interaction analytics

D. Message & Contact Data (Processed on Your Behalf)

  • WhatsApp phone numbers, names, and custom attributes of your contacts (as entered into the CRM)
  • Message content — text, media files, templates — sent or received via your WABA
  • Conversation history between your agents and contacts

ℹ️ Note: Message content and contact data are processed entirely under your instructions as the Data Controller. We do not analyze or use this content for our own commercial purposes.

5 How We Use Your Data

We use the data we collect to:

  • Provide the Service: Register your account, connect your WABA, route API calls, deliver webhooks, and power all platform features
  • Process Payments: Invoice you, process subscription renewals, and handle billing inquiries
  • Customer Support: Respond to support tickets, troubleshoot technical issues using your API logs with your permission
  • Security & Fraud Prevention: Detect, investigate, and prevent unauthorized access, abuse, and violations of our Acceptable Use Policy
  • Platform Improvement: Analyze aggregate, anonymized usage patterns to develop new features and optimize performance
  • Legal Compliance: Fulfill legal obligations, respond to lawful government requests, and enforce our Terms of Service
  • Communications: Send essential service notifications (account alerts, billing, security), and — with your consent — product updates and newsletters

We will never sell your personal data to third parties. We will never use the personal data of your contacts for our own marketing or advertising purposes.

6 Data Sharing & Sub-Processors

We share personal data only with vetted third-party sub-processors necessary to deliver the Service. These parties are bound by contractual data processing agreements and are prohibited from using your data for their own purposes.

| Sub-Processor | Purpose | Data Category | Location |
|---|---|---|---|
| Meta Platforms, Inc. | WhatsApp message delivery via Cloud API | Message content, phone numbers | USA / Global |
| Cloud Infrastructure Provider | Hosting, databases, storage | All platform data | India / Singapore |
| Payment Gateway | Subscription billing & invoicing | Billing & financial data | India |
| Email Service Provider | Transactional & support emails | Email address, name | USA |

We may disclose personal data to government authorities or law enforcement when required by a valid legal order. We will notify you of any such request where legally permissible.

7 International Data Transfers

As a global SaaS platform, your data may be transferred to and processed in countries outside your own, including countries that may not provide the same level of data protection as your home jurisdiction.

Where we transfer personal data from the European Economic Area (EEA) to a third country (such as the USA or India), we ensure an adequate level of protection through one or more of the following mechanisms:

  • The European Commission's Standard Contractual Clauses (SCCs) — incorporated by reference into our Data Processing Agreements
  • An adequacy decision issued by the European Commission for the destination country
  • Binding Corporate Rules where applicable

Specifically, data transferred to Meta Platforms, Inc. is subject to Meta's own SCCs and Data Processing Terms, available on Meta's website. You acknowledge and accept this as a necessary condition of using the WhatsApp Cloud API.

You may request a copy of the applicable transfer safeguards by contacting us at privacy@socialapi.com.

8 Data Retention Policy

We retain personal data for the minimum period necessary for the purposes outlined in this Policy:

  • Account Data: Retained for the duration of your active subscription, plus 30 days post-cancellation to allow data export. Permanently deleted thereafter.
  • Message & Contact Data: Retained for the duration of your subscription. Upon account deletion, purged within 30 days.
  • API & Webhook Logs: Retained for 90 days for debugging and security purposes, then automatically purged.
  • Billing Records & Invoices: Retained for 7 years in compliance with Indian financial record-keeping requirements (or as required by applicable law).
  • Security & Fraud Logs: Retained for 12 months to enable incident investigation.

Upon the expiry of any retention period, data is either securely deleted (overwritten) or anonymized so that it can no longer be linked to an individual. You may request early deletion under your GDPR rights (see Section 9).

9 Your GDPR Rights

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with equivalent data protection laws, you have the following rights in relation to your personal data. We will respond to all legitimate requests within 30 days (extendable by up to 2 months for complex cases).

GDPR Art. 15

Right of Access

Receive a copy of all personal data we hold about you and information on how it is processed.

GDPR Art. 16

Right to Rectification

Request correction of inaccurate or incomplete personal data held about you without undue delay.

GDPR Art. 17

Right to Erasure

Request deletion of your personal data (the "right to be forgotten") where no overriding legal basis for retention exists.

GDPR Art. 18

Right to Restriction

Request that we limit processing of your data in certain circumstances, for example while a dispute is resolved.

GDPR Art. 20

Right to Portability

Receive your personal data in a structured, machine-readable format and transfer it to another controller.

GDPR Art. 21

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes, including profiling.

GDPR Art. 22

Automated Decision-Making

Not be subject to decisions made solely by automated processing that significantly affects you, without human review.

GDPR Art. 7

Right to Withdraw Consent

Withdraw any previously given consent at any time without affecting the lawfulness of prior processing.

📧 To exercise any of these rights, please submit a request to privacy@socialapi.com with subject line "GDPR Data Subject Request" and include your account email and the specific right you wish to exercise. We may verify your identity before processing the request.

10 Cookie Policy

Our website and platform use cookies and similar tracking technologies (e.g., local storage, session tokens) to provide functionality and enhance your experience. Categories of cookies used:

  • Essential / Strictly Necessary: Required for authentication (session cookies, JWT tokens), security (CSRF tokens), and core platform functionality. These cannot be disabled without disrupting the Service.
  • Functional / Preference: Remember your preferences (e.g., selected language, dashboard layout settings). Retained for the session or up to 30 days.
  • Analytics: Aggregate, anonymized data about how users interact with the platform (page views, feature usage). We use this data to improve the Service. Requires consent.
  • Third-Party: Some pages may include embeds from third-party services (e.g., video players, maps) which may set their own cookies subject to those parties' privacy policies.

On your first visit, you will be presented with a cookie consent banner. You can manage or withdraw your non-essential cookie preferences at any time through the cookie settings on our website or by clearing your browser cookies.

Browser-Level Control: Most browsers allow you to block or delete cookies. Please note that disabling essential cookies may impair platform functionality.

11 Data Security Measures

We implement technical and organizational security measures appropriate to the risk, designed to protect your personal data against accidental loss, unauthorized access, disclosure, alteration, or destruction. These measures include:

  • Encryption in Transit: All data transmitted between your browser/client and our platform is encrypted using TLS 1.2 / TLS 1.3 (HTTPS)
  • Encryption at Rest: Sensitive database fields and stored credentials are encrypted using AES-256
  • Access Controls: Role-based access control (RBAC) ensures employees and systems can only access data necessary for their function
  • API Authentication: All API requests require authentication via time-limited API keys with scoped permissions
  • Audit Logging: Administrative actions are logged for accountability and forensic investigation
  • Regular Security Reviews: We conduct periodic internal security audits and vulnerability assessments
  • Data Breach Response: We maintain an incident response plan and will notify affected users and relevant supervisory authorities of a personal data breach within 72 hours of becoming aware of it, as required by GDPR Art. 33/34

Despite these measures, no method of transmission over the Internet is entirely secure. You transmit data at your own risk. If you become aware of any security vulnerability or incident, please report it immediately to security@socialapi.com.

12 Children's Privacy

The SocialAPI Service is intended solely for use by businesses and individuals who are 18 years of age or older. We do not knowingly collect, solicit, or process personal data from children under the age of 16 (or the applicable age of digital consent in your jurisdiction).

If you believe that we have inadvertently collected personal data from a child, please contact us immediately at privacy@socialapi.com and we will take prompt steps to delete such data from our systems.

13 Changes to this Privacy Policy

We reserve the right to update or amend this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Sending an email notification to the address associated with your account at least 14 days before the change takes effect
  • Displaying a prominent notice on the SocialAPI dashboard and website
  • Updating the "Last updated" date at the top of this page

Your continued use of the Service after any modification to this Privacy Policy constitutes your acceptance of the revised Policy. We encourage you to review this Policy periodically. Previous versions of this Policy are available on request.

14 Contact Us & Lodge a Complaint

If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have concerns about how we handle your personal data, please contact our Data Protection team:

Zivaan Solutions — Data Protection Team

📧 Privacy & GDPR: privacy@socialapi.com

📧 Security Incidents: security@socialapi.com

📧 General Support: support@socialapi.com

🌐 zivaansolutions.com

Right to Lodge a Complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction. In India, complaints may be directed to the Data Protection Board of India (established under the Digital Personal Data Protection Act, 2023). In the EU/EEA, you may contact your local Data Protection Authority (DPA).

We take all privacy complaints seriously and will investigate and respond to any concerns raised in good faith, typically within 30 days.

Also see: Terms of Service