Privacy Policy

1. Who We Are

Skyroot Marketing is a WhatsApp Business API platform operated by Skyroot Marktech Pvt Ltd, a company registered in India. We provide businesses ("Clients") with tools to send WhatsApp marketing campaigns, manage conversations, and automate messaging workflows using Meta's official WhatsApp Cloud API.

Data Controller: Skyroot Marktech Pvt Ltd
Registered Address:Downtown, 201-46, Baner Annex, Orbisolu, Baner, Pune, Maharashtra 41104
Contact: info@skyrootmarktech.com

2. Information We Collect

2.1 Information You Provide Directly

• Account Registration: Name, business name, email address, phone number, password (hashed).
• Business Verification: GST number, company name, registered address (used only for Meta Business Verification purposes).
• WhatsApp Business Account (WABA) Credentials: WABA ID, Phone Number ID, System User Access Tokens — stored AES-256-GCM encrypted.
• Billing Information: Plan selection, invoice details. Payment processing is handled by third-party gateways; we do not store card data.

2.2 Contact Data Uploaded by Clients

Clients upload their end-customer contact lists (names and WhatsApp phone numbers) to the platform for sending campaigns. This data is stored in the client's isolated workspace (tenant schema) and is not accessible to other clients or used by Skyroot Marketing for any purpose other than delivering the requested WhatsApp messages.

2.3 Message Content

We store message templates created by clients, campaign records, and message delivery logs (sent, delivered, read, failed timestamps). Actual message content sent to end-customers is transmitted through Meta's WhatsApp Cloud API and is subject to Meta's data policies.

2.4 Automatically Collected Data

• IP address, browser type, device information
• Platform usage logs (pages visited, features used, timestamps)
• Webhook events received from Meta (delivery receipts, read receipts, inbound messages)
• Error logs and performance metrics

3. How We Use Your Information

• Provide the Service: Authenticate users, process campaigns, deliver messages via WhatsApp API, generate analytics.
• Account Management: Billing, support, plan enforcement, workspace provisioning.
• Security: Fraud detection, abuse prevention, audit logging of sensitive actions.
• Compliance: Responding to legal obligations, Meta policy requirements, and Indian data protection regulations.
• Platform Improvement: Aggregated, anonymized usage analytics to improve features. We do not profile individual end-customers.
• Communications: Transactional emails (password reset, billing receipts, template approval notifications). We do not send marketing emails without your consent.

We do not sell your data or your contacts' data to any third party. We do not use end-customer contact lists for advertising purposes.

4. WhatsApp Data & Meta Compliance

Our platform operates on Meta's WhatsApp Business Cloud API. By using this platform, you agree that:

• You have obtained valid consent from all end-customers before messaging them on WhatsApp, as required by Meta's Business Policy and applicable Indian law.
• All contacts you upload have opted in to receive WhatsApp communications from your business.
• Message content complies with Meta's WhatsApp Business Policy and applicable spam/commercial communication regulations.
• You are the data controller for your customers' data; Skyroot Marketing acts as a data processor on your behalf.

We transmit message data to Meta's servers to deliver WhatsApp messages. Meta's privacy policy governs how Meta processes that data. See: WhatsApp Privacy Policy.

We maintain webhook integrations with Meta to receive delivery receipts and inbound messages. These events are processed and stored to provide you with campaign analytics and inbox functionality.

5. Data Sharing & Third Parties

We share your data only in the following limited circumstances:

• Meta Platforms Inc.: Required to deliver WhatsApp messages via the Cloud API. WABA credentials, message content, and phone numbers are transmitted to Meta's API endpoints.
• Cloud Infrastructure: We use cloud hosting providers (e.g., AWS) to host our platform. Data is stored on servers within the infrastructure provider's secure environment.
• Database & Cache Services: PostgreSQL (database), Redis (queue/cache) — all within our controlled infrastructure, not shared with third parties.
• Payment Processors: Billing data is handled by PCI-DSS compliant payment gateways. We share only what is necessary to process your subscription payment.
• Legal Requirements: We may disclose data if required by Indian law, court order, or government authority, or to protect the rights and safety of our users and platform.

We do not share your data with advertisers, data brokers, or any third party for marketing purposes.

6. Data Retention

• Active Account: Data is retained for the duration of your subscription plus 30 days after cancellation or suspension.
• Campaign Logs: Basic (30-day retention), Pro (90-day retention) — as per plan limits.
• Deleted Workspaces: Soft-deleted; data purged after 30 days.
• Audit Logs: Retained for 12 months for compliance and security purposes.
• Backups: Database backups may retain data for up to 30 days beyond deletion.

You can request deletion of your data at any time by contacting us at info@skyrootmarktech.com or using our data deletion request form.

7. Your Rights

As a platform user (Client), you have the following rights with respect to your data:

• Access: Request a copy of personal data we hold about you.
• Correction: Update inaccurate or incomplete information in your account settings.
• Deletion: Request deletion of your account and associated data.
• Data Portability: Request an export of your contacts, campaign history, and message logs in CSV format.
• Restriction: Request that we limit processing of your data in certain circumstances.
• Objection: Object to processing of your data for specific purposes.

To exercise any of these rights, email us at info@skyrootmarktech.com. We will respond within 30 days. Note that some rights may be limited by legal obligations or legitimate business interests.

For end-customers of our clients (recipients of WhatsApp messages): Rights requests regarding messages you received should be directed to the business that contacted you. They are the data controller for your information.

8. Security

We take security seriously and implement industry-standard measures to protect your data:

• All data in transit is encrypted using TLS 1.2+.
• WhatsApp API access tokens are encrypted at rest using AES-256-GCM.
• Secrets and credentials are stored in secure vaults (AWS Secrets Manager), never in source code.
• All sensitive admin actions are logged in an append-only audit log.
• Two-factor authentication is available and recommended for all accounts.
• Regular security reviews and access control audits are performed.
• Database access is restricted to application servers; no public database endpoints.

No system can guarantee absolute security. In the event of a data breach that affects your rights, we will notify you within 72 hours of becoming aware of it, as required by applicable law.

9. Cookies

We use only essential cookies necessary for the platform to function:

• Session cookies: To keep you logged in during your session.
• CSRF tokens: Security tokens to prevent cross-site request forgery.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics or similar tracking services.

10. Children's Privacy

Our platform is intended solely for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at info@skyrootmarktech.com and we will promptly delete such information.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the "Last updated" date at the top of this policy.
• Notify active account holders via email at least 7 days before the changes take effect.
• Display a notice in the platform dashboard.

Continued use of the platform after the effective date constitutes acceptance of the updated policy.

12. Contact Us