← Back to home
This Privacy Policy explains how FutureFist Tech Solutions LLP ("FutureFist", "we", "us", or "our"), an Indian limited liability partnership having its registered office in Thane, Maharashtra, India, collects, uses, stores, shares, and protects information when you use WACRM (the "Service"), our WhatsApp Business and customer relationship management platform.
By accessing or using the Service, you agree to this Policy. If you do not agree, please do not use the Service.
Quick summary. We collect only what we need to run the Service, we do not sell your data, we honour deletion requests under India's DPDP Act and the EU GDPR, and we follow Meta's WhatsApp Business Platform privacy requirements.
1. Who this policy applies to
This policy applies to:
- Account holders — businesses and individuals who sign up for WACRM.
- Authorised users — team members, agents, or administrators added by account holders.
- End contacts — individuals whose phone numbers and conversation data are processed by account holders through the Service (for example, the customers of an account holder).
- Website visitors — anyone visiting our public website.
2. Information we collect
2.1 Information you provide to us
- Account information: name, email address, mobile number, business name, GSTIN, billing address, designation.
- Authentication data: hashed passwords, two-factor authentication settings, OTP records.
- Payment information: payment method tokens (we do not store full card numbers), billing history, invoices, GST details. Payments are processed by Razorpay or other PCI-DSS-compliant providers.
- Support communications: messages, attachments, and recordings of interactions when you contact our support team.
2.2 Information you connect through Meta / WhatsApp
When you connect a WhatsApp Business Account ("WABA") to WACRM through Meta's Embedded Signup, we receive from Meta:
- Your WABA ID, Business Manager ID, and phone number ID.
- Phone number(s), display name(s), and quality rating(s).
- Message templates and their approval status.
- Webhook events relating to messages, statuses, and account changes.
2.3 Information about end contacts
Through your use of the Service, we process end-contact data on your behalf, including:
- Phone number, display name, profile picture (if shared on WhatsApp).
- Message content (text, media, documents, voice notes, location, interactive replies).
- Message metadata (timestamps, delivery and read receipts, message IDs).
- Custom attributes, labels, and notes that you create or import.
- Opt-in and opt-out status.
In relation to this end-contact data, you are the Data Fiduciary (controller) and we are the Data Processor. You are responsible for obtaining lawful consent from end contacts before sending them messages.
2.4 Information collected automatically
- Device and browser information, IP address, operating system, screen resolution.
- Usage logs: pages viewed, features used, timestamps, error reports.
- Cookies and similar technologies for session management, preferences, and analytics.
3. How we use information
We use the information described above to:
- Provide, operate, maintain, and improve the Service.
- Authenticate users and secure accounts.
- Send transactional messages (billing receipts, security alerts, service updates).
- Process payments and prepare GST-compliant invoices.
- Respond to support requests and troubleshoot issues.
- Detect, investigate, and prevent fraud, abuse, spam, or violations of our Terms of Service or Meta's policies.
- Comply with legal obligations, court orders, and lawful requests from authorities.
- Analyse usage to improve the Service, with data aggregated and anonymised wherever possible.
We do not:
- Sell your personal information or end-contact data to third parties.
- Use the content of your WhatsApp messages to train AI models, except where you explicitly opt in to AI-powered features that operate on your own data.
- Share end-contact data with advertisers.
4. Legal bases for processing
Under the Digital Personal Data Protection Act, 2023 (India) and the EU GDPR (where applicable), we process personal data on the following bases:
| Purpose | Legal basis |
|---|
| Account creation and Service delivery | Performance of contract |
| Billing, GST invoicing | Legal obligation |
| Security, fraud prevention | Legitimate interest |
| Analytics and product improvement | Legitimate interest (with anonymisation) |
| Marketing communications | Consent (you can withdraw at any time) |
| End-contact data processing | On behalf of the account holder under written authorisation |
5. Sharing of information
We share information only as follows:
- With Meta Platforms, Inc. — message content and metadata are transmitted to and from WhatsApp's infrastructure as required to deliver messages.
- With sub-processors — hosting providers, payment gateways, email delivery services, error tracking, analytics. A current list of sub-processors is available on request.
- With your authorised users — team members you invite to your account.
- For legal compliance — when required by valid legal process, court order, or government request, with appropriate scrutiny.
- For business transfers — in connection with a merger, acquisition, or asset sale, in which case we will notify you and require the recipient to honour this Policy.
6. Data retention
- Account data: retained for the life of your account, plus 90 days after closure for billing and legal record purposes.
- Conversation data: retained per your account’s configured retention period (default: 24 months; configurable per plan).
- Billing records and GST invoices: retained for 8 years as required by Indian tax law.
- Backups: retained for up to 35 days in encrypted form, after which they are permanently overwritten.
- Audit and security logs: retained for up to 12 months.
7. Data security
We implement industry-standard technical and organisational measures, including:
- TLS 1.2+ encryption in transit for all API and web traffic.
- Encryption at rest for databases, file storage, and backups.
- Role-based access control with least-privilege defaults.
- Two-factor authentication available on all accounts.
- Regular security reviews, dependency scanning, and incident response procedures.
- Logical separation of customer data in a multi-tenant architecture.
No method of transmission or storage is 100% secure. We commit to notifying you and the Data Protection Board of India within 72 hours of becoming aware of a personal data breach that is likely to result in risk to data principals.
8. Your rights
Under the DPDP Act and equivalent laws, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Erase your data, subject to legal retention obligations.
- Withdraw consent for processing based on consent.
- Grievance redressal — file a complaint with our Grievance Officer (see Section 12).
- Nominate another individual to exercise your rights in the event of death or incapacity.
To exercise any right, email privacy@futurefist.com. We respond within 30 days.
9. Data deletion
For instructions on how to permanently delete your account and associated data, see our Data Deletion Instructions.
10. International transfers
Personal data is primarily stored on servers located in India. Meta processes WhatsApp message data on its global infrastructure as governed by Meta's own privacy terms. Where data is transferred outside India, we rely on appropriate safeguards under the DPDP Act and standard contractual clauses where applicable.
11. Children
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn we have collected such data, we will delete it promptly.
12. Grievance Officer
In accordance with the DPDP Act and the Information Technology Rules, the following Grievance Officer has been appointed:
Sunny Racharlas
Grievance Officer, FutureFist Tech Solutions LLP
Email:
grievance@futurefist.com
Address: Thane, Maharashtra, India
Response time: within 30 days of receipt of complaint.
13. Cookies
We use essential cookies for authentication and session management, and optional analytics cookies that you can disable in your account preferences. We do not use third-party advertising cookies on the application.
14. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email and through the Service at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
15. Contact
General privacy questions: privacy@futurefist.com
Meta-related compliance: meta-compliance@futurefist.com
Address: FutureFist Tech Solutions LLP, Thane, Maharashtra, India.