Privacy Policy
Last updated: 12 June 2026 · Effective: 12 June 2026
1. Introduction & scope
This Privacy Policy explains how Commoat ("Commoat", "we", "us", or "our") collects, uses, shares, transfers, and protects information when you use our WhatsApp CRM platform, websites, applications, and related services (the "Service"), and when you otherwise interact with us. It works alongside our Terms & Conditions. By using the Service, you acknowledge the practices described here. We process personal data in accordance with applicable Indian law, including the Information Technology Act, 2000 and the rules made under it, and the Digital Personal Data Protection Act, 2023 (the "DPDP Act").
2. Our role (controller and processor)
When we handle information about our own account holders, website visitors, and prospects, we act as a controller. When you use Commoat to communicate with and manage your own customers, the personal data of those end-users is processed by Commoat as a processor on your behalf — you are the controller and are responsible for the lawful basis and notices for that processing.
3. Information we collect
3.1 Information you provide
- Account & profile — name, business name, email, phone number, role, and password.
- Billing — billing contact, address, tax details, and payment information processed by our payment provider.
- Content & messages — conversations, contacts, templates, notes, and other content you process through the Service.
- Support & sales — information you share when you contact us, request a demo, or respond to surveys.
3.2 Information collected automatically
- Usage data — features used, actions taken, and timestamps.
- Device & log data — IP address, browser and device type, operating system, identifiers, and diagnostic data.
- Cookies — as described in section 8.
3.3 Information from third parties
We may receive information from integrated platforms (such as Meta/WhatsApp), payment processors, analytics providers, and partners, consistent with their terms and your settings.
4. How we use information
We use information to:
- Provide, operate, maintain, secure, and improve the Service;
- Set up accounts, process transactions, and manage Subscriptions;
- Personalize features and provide AI-assisted suggestions;
- Communicate about updates, security alerts, and support;
- Monitor usage, detect and prevent fraud and abuse, and maintain platform integrity;
- Conduct analytics and research to develop new features;
- Comply with legal obligations and enforce our agreements.
5. Legal bases for processing
Under the DPDP Act, we process your personal data on the basis of your consent and, where applicable, certain legitimate uses permitted by the Act (for example, where you voluntarily provide data for a specified purpose). We may also process data as necessary to perform our contract with you and to comply with our legal obligations. Where we rely on consent, you may withdraw it at any time, after which we will stop the related processing, without affecting the lawfulness of processing carried out before withdrawal. For individuals located outside India, additional bases under laws such as the GDPR (including our legitimate interests) may also apply.
6. WhatsApp & Meta platform data
The Service connects to the WhatsApp Business Platform operated by Meta. When you link a WhatsApp Business account, we process messages and related metadata to deliver the Service to you. This processing is also subject to Meta's and WhatsApp's policies. You are responsible for obtaining the consents required to message your customers and for complying with applicable opt-in and messaging rules.
7. AI features & automated processing
The Service includes AI-assisted features (for example, suggested replies and summaries). These may process the content of conversations to generate outputs. We design our AI architecture to be cost-aware and tenant-isolated, and we do not use your Customer Data to train shared, cross-customer models except where you have expressly opted in or as permitted by your agreement. AI outputs may be imperfect and should be reviewed before use. We do not make decisions producing legal or similarly significant effects about individuals solely by automated means without a lawful basis.
10. Marketing communications
We may send you service-related messages and, where permitted, marketing about features and offers. You can opt out of marketing at any time using the unsubscribe link or by contacting us; we will still send essential transactional and security messages. Your marketing preferences do not affect the processing necessary to provide the Service.
11. Data retention
We retain information for as long as your Account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary by the type of data and purpose. When data is no longer required, we delete or anonymize it within a reasonable period.
12. Security
We implement technical and organizational measures designed to protect information, including encryption in transit, access controls, environment segregation, and tenant isolation, consistent with the reasonable security practices and procedures expected under the Information Technology Act, 2000 and applicable rules. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. Please keep your credentials confidential and notify us of any suspected compromise. In the event of a personal data breach, we will notify the affected users and the relevant authority where required by law.
13. International data transfers
We may process and store information in countries other than where you reside. Where we transfer personal data across borders, we use appropriate safeguards consistent with applicable law, such as standard contractual clauses or equivalent mechanisms, to ensure an adequate level of protection.
14. Your privacy rights
As a Data Principal under the DPDP Act, you have the right to:
- Access a summary of the personal data we process about you and the processing activities;
- Request correction, completion, updating, or erasure of your personal data;
- Seek grievance redressal through our Grievance Officer (see section 17);
- Nominate another individual to exercise your rights in the event of your death or incapacity.
To exercise these rights, contact us at hello@commoat.com. We will respond within the timeframe required by applicable law and may need to verify your identity. Where Commoat processes data as a processor on behalf of a business customer, end-user requests should be directed to that business. If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India. Individuals located outside India may have additional rights under their local data-protection laws.
15. Children's privacy
The Service is intended for businesses and is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us so we can take appropriate action.
16. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy with a new "Last updated" date and, where appropriate, provide additional notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
17. Contact & Grievance Officer
For privacy questions, requests, or concerns, contact us at hello@commoat.com.
Grievance Officer
In accordance with the Information Technology Act, 2000 (and the rules thereunder) and the Digital Personal Data Protection Act, 2023, you may address any grievance regarding the processing of your personal data to our Grievance Officer at hello@commoat.com. We will acknowledge your grievance within 48 hours and endeavour to resolve it within 30 days. If you are not satisfied with the resolution, you may escalate your complaint to the Data Protection Board of India.