Privacy Policy

InfyReach Connect is a Mumbai-based Communications Platform as a Service (CPaaS) provider offering Bulk SMS, WhatsApp Business API, RCS messaging, Voice IVR, SMPP Gateway connectivity, and Lead Generation services to businesses across India.

For the purposes of India's DPDPA 2023, InfyReach Connect acts as a Data Fiduciary for personal data collected directly from our clients and website visitors, and as a Data Processor for end-user data (e.g., phone numbers and message content) that our clients process through our platform.

We collect only the minimum data necessary to provide, maintain, and improve our Services:

We use collected data for specific, lawful purposes only:

• Service Delivery: To activate accounts, route messages, process API requests, and deliver reports and analytics
• Billing & Finance: To generate invoices, track credit usage, process payments, and maintain financial records as required by Indian law
• KYC & Regulatory Compliance: To fulfill DLT registration requirements, TRAI guidelines, WhatsApp Business Account (WABA) onboarding requirements, and applicable legal or regulatory obligations
• Customer Support: To respond to queries, investigate issues, and resolve billing disputes
• Platform Improvement: To monitor performance, diagnose technical issues, and improve reliability and features — using anonymized or aggregated data where possible
• Security & Fraud Prevention: To detect and prevent unauthorized access, abuse, or fraudulent activity on our platform
• Communications: To send service notifications, policy updates, maintenance alerts, and (where you have opted in) product announcements or offers

InfyReach Connect acts solely as a technology intermediary for message delivery. With respect to message content:

• We process message content only to the extent required to route and deliver messages to the intended recipients
• We do not read, analyze, monetize, or retain message content for any purpose beyond delivery confirmation and troubleshooting
• Message content may be temporarily cached in transit as part of standard delivery processing and is not stored for extended periods beyond what is operationally necessary
• Message metadata (delivery status, timestamps, error codes) is retained for billing, reporting, and compliance purposes for the periods defined in Section 8
• Where required by a court order, law enforcement, or regulatory authority, we may be legally obligated to disclose certain message-related data

Our clients (businesses using our platform) are independently responsible — as Data Fiduciaries under DPDPA 2023 — for the personal data of their end users that they process through our platform, including obtaining valid consent before sending messages.

We share data only where necessary and with appropriate safeguards. Your data may be shared with the following categories of recipients:

• Telecom Operators & SMS Aggregators: Recipient phone numbers and message metadata are shared with telecom operators and routing partners strictly for message delivery
• Meta (for WhatsApp API): When using WhatsApp Business API services, message data flows through Meta's Cloud API infrastructure. Meta processes this data under its own Privacy Policy and WhatsApp Business Terms of Service
• Technology & Infrastructure Partners: Hosting providers, database services, and analytics tools that support our platform operations — bound by confidentiality and data processing agreements
• Legal & Regulatory Authorities: Government bodies, law enforcement, courts, TRAI, or other regulatory authorities as required by applicable law or legal process
• Professional Advisors: Lawyers, accountants, and auditors bound by professional confidentiality obligations

We do not share personal data with third parties for their independent marketing, advertising, or commercial purposes.

InfyReach Connect provides WhatsApp Business API access as a Business Solution Provider (BSP). When you or your end users interact via WhatsApp through our platform, the following applies:

• All WhatsApp messages are routed through Meta's Cloud API infrastructure, hosted by Meta. Meta independently processes this data under its WhatsApp Privacy Policy and WhatsApp Business Terms of Service.
• WhatsApp Business data — including conversation data and contact data — must not be used to create or enhance user profiles, or shared or sold to any third party, as prohibited by Meta's updated WhatsApp Business Solution Terms (effective January 15, 2026)
• WhatsApp Business data must not be used to train, fine-tune, or develop any AI or machine learning models for external use
• InfyReach Connect does not store WhatsApp message content beyond what is operationally required for delivery and DLR reporting

We implement industry-standard technical and organizational security measures to protect your data against unauthorized access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit using TLS/SSL protocols
• Bcrypt password hashing for all account credentials
• Role-based access control (RBAC) limiting data access to authorized personnel only
• Regular automated backups with secure storage
• Server infrastructure hosted at ISO 27001 certified NTT Global Data Centers, Mumbai
• OTP-based multi-factor authentication (MFA) available for platform access

While we take all reasonable precautions, no internet-based system can guarantee absolute security. In the event of a personal data breach that poses a risk to your rights, we will notify affected parties as required under the DPDPA 2023 and applicable law.

We retain data only as long as necessary for the purpose for which it was collected, or as required by law:

• Account & Business Data: Retained for the duration of your active account and for 3 years following account closure, for legal and compliance purposes
• Message Metadata (DLR, delivery reports): Typically retained for 90 days for operational and billing purposes; longer periods may apply if required by regulatory obligations
• Financial Records & Invoices: Retained for a minimum of 7 years as required under Indian tax and accounting laws
• KYC Documents: Retained for the period required by TRAI and applicable telecom regulations, typically 5 years
• Support Communications: Retained for 1 year from resolution, or longer if related to an ongoing dispute or legal matter

Upon expiry of the applicable retention period, data is securely deleted or anonymized in a manner that prevents identification.

Our website uses cookies and similar tracking technologies to improve your browsing experience and measure website performance. The types of cookies we use include:

• Essential Cookies: Required for core website functionality such as session management and navigation. These cannot be disabled.
• Analytics Cookies: Used to collect anonymized data on page visits, traffic sources, and user behaviour to help us improve our website (e.g., Google Analytics)
• Preference Cookies: Used to remember your settings and preferences across sessions

You may disable non-essential cookies via your browser settings at any time without affecting your ability to use our core messaging services. Note that disabling cookies may affect certain website features.

Our website and communications may contain links to external websites or services, including Meta's platforms, telecom operator portals, and DLT registration portals. InfyReach Connect is not responsible for the privacy practices, data handling, or content of these third-party sites. We encourage you to review their respective privacy policies before sharing any personal information with them.

Our Services are intended solely for business use by adults (18 years and above). We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at info@infyreachconnect.in and we will take steps to delete such data promptly.

We may update this Privacy Policy from time to time to reflect changes in our Services, applicable law, or regulatory requirements. The revised policy will be posted on this page with an updated effective date. For material changes, we will endeavour to notify active clients via email at least 7 days prior to the change taking effect.

Continued use of our Services following any update to this Privacy Policy constitutes your acceptance of the revised terms. We encourage you to review this page periodically.

For any privacy-related questions, data access requests, or to raise a grievance under the DPDPA 2023, please contact our designated Grievance Officer:

We are committed to resolving all privacy-related grievances within 30 days of receipt. If your concern is not resolved to your satisfaction, you may escalate the matter to India's Data Protection Board once it is operationally constituted under the DPDPA 2023.