Privacy Notice
Learn how XploreByte handles your data and protects your privacy.
Last updated 01-10-2025
This privacy notice for XploreByte Solutions ("XploreByte", "we", "us", or "our") explains how and why we collect, store, use, and disclose ("process") personal information when you use https://xplorebyte.comand the XploreByte SaaS, including features powered by the WhatsApp Business (Cloud) API(the "Service").
1) Scope
This Privacy Notice explains how we collect, use, disclose, and protect personal information when you visit the Site or use the Service, including our integrations with the WhatsApp Business (Cloud) API provided by Meta Platforms ("WhatsApp"). In this notice, "process" means any operation on personal information, such as collect, store, use, disclose, or delete.
2) Definitions
- Personal data: information that identifies or can reasonably be linked to an identifiable individual.
- Controller: determines purposes and means of processing personal data; Processor: processes personal data on the controller's instructions.
- Customer Data: personal data you submit to the Service (e.g., contacts, templates, logs).
- WhatsApp Data: data processed via the WhatsApp Cloud API (e.g., WABA ID, phone_number_id, delivery/read events).
3) Roles (Controller vs. Processor)
- For data about your end-users/contacts (e.g., WhatsApp recipients) that you upload or generate through the Service, you are the data controller and XploreByte acts as your data processor, processing personal data only on your documented instructions to provide the Service.
- For our own operations (account administration, billing, security, analytics, and service communications to admins), XploreByte is an independent controller.
4) Information We Collect
A. Information you provide
Account details (name, email, phone, username, role), business info (business name, country), billing details (address, tax IDs, payment status; full card data handled by payment processors), content you submit (message templates, campaigns, media), configuration settings, and support requests.
B. Automatic collection
IP address, device/browser type, OS, pages viewed, timestamps, referral URLs, product usage events, crash/error logs, and security signals (e.g., rate-limit counters).
C. From third parties
Identity providers (e.g., Facebook Login), service partners and sub-processors (hosting, analytics, email, payments).
D. WhatsApp-specific data (Cloud API)
- IDs & configuration: WABA ID, phone_number_id, display phone number, template metadata (name, language, status), and account/quality/tier signals exposed by the API.
- Events & metadata: message IDs, timestamps, delivery/read statuses, error codes, provider responses via webhooks.
- Content/media: not stored by default. If you enable features that require storing message content or media (e.g., searchable logs or previews), we process that content strictly for those features.
5) How We Use Information
- Provide and maintain the Service (auth, account management, messaging via Cloud API, webhooks, results).
- Product operations and improvement (analytics, feature development, quality monitoring, troubleshooting, support).
- Security and abuse prevention (fraud detection, rate limiting, logging, incident response).
- Legal and compliance (tax, accounting, audits, enforcing terms, responding to lawful requests).
- Communications (service announcements, onboarding, support replies; marketing only with consent where required).
Legal bases (GDPR/UK GDPR): performance of a contract; legitimate interests (security, improvement); consent (where required); and legal obligations.
6) Processing Summary
| Data category | Purpose | Legal basis | Source | Sharing | Retention |
|---|---|---|---|---|---|
| WABA ID, phone_number_id, display number, template metadata | Connect WhatsApp, manage templates, subscribe webhooks, enable messaging | Contract; legitimate interests (security) | Customer (ESU/manual) | Meta (Cloud API), hosting/logging | While account is active |
| Message metadata (IDs, timestamps, delivery/read, error codes) | Logs, analytics, support | Contract; legitimate interests | Webhooks/API | Hosting/logging | 180 days (configurable) |
| Message content/media (only if enabled) | Searchable logs/previews | Contract; consent where required | Customer/API | Storage provider | 30–90 days (configurable) |
| Account/admin & billing | Auth, billing, support | Contract; legal obligation | Customer | Payment/email providers | As required by law/contract |
| Device/usage & security signals | Reliability, abuse prevention, improvement | Legitimate interests | Automatic | Logging/analytics | 12–24 months (aggregate) |
| Backups | Disaster recovery/business continuity | Legitimate interests; legal | System | Hosting | ≤ 30 days rolling |
7) How We Share Information
We do not sell or share personal information as defined by CPRA. We may disclose personal information to service providers (hosting, storage, logging, analytics, email delivery, payments, and Meta/WhatsApp to operate the Cloud API), for business transfers (with safeguards), and for legal/compliance where required.
Government and law-enforcement requests. We assess requests under applicable law, require valid legal process, limit scope, and notify affected customers where legally permitted before producing data.
Third-party sites and plugins. The Service and Site may link to third-party websites, services, or social plugins. Their practices are governed by their own policies.
8) International Data Transfers
We may process data globally. Where required (e.g., EEA/UK), we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and implement technical and organizational measures to protect personal data transferred internationally.
9) Data Retention
Defaults (configurable where supported): IDs & settings — while account is active; message metadata & webhook logs — 180 days; content/media (if enabled) — 30–90 days; backups — up to 30 days rolling. We may retain limited data to comply with law, resolve disputes, or enforce agreements.
10) Security & Incidents
We use industry-standard administrative, technical, and physical safeguards, including encryption in transit, access controls, secret management, and auditing. If we become aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, we will investigate, mitigate, and notify customers and/or regulators as required by law and our agreements.
11) Automated Decision-Making
We do not engage in automated decision-making that produces legal or similarly significant effects. Limited automation is used for abuse/spam detection and rate-limiting.
12) Your Responsibilities
You are responsible for obtaining and recording valid opt-in for WhatsApp messaging and honoring opt-out requests; ensuring templates and content comply with WhatsApp/Meta policies and applicable laws; and configuring retention settings that meet your compliance needs.
13) Your Privacy Rights
Global: Subject to law, you may request access, correction, deletion, portability, restriction, or objection by contacting us (see Contact). We may request information to verify your identity and authority. We aim to respond within 30 days (extendable where permitted).
California (CCPA/CPRA): We do not “sell” or “share” personal information. California residents may request to know, delete, and correct personal information and will not be discriminated against for exercising their rights.
India (DPDP Act, 2023): You may raise grievances to our Grievance Officer (details below). We aim to acknowledge and resolve grievances within 15 days.
14) Cookies and Similar Technologies
We use cookies and similar technologies for login sessions, preferences, analytics, and security. Most browsers allow you to block or delete cookies; some features may not function without them. Where required (e.g., EEA/UK), a cookie banner/manager will present choices for non-essential cookies. See our Cookie Notice.
15) Marketing Communications & Do-Not-Track
We may send admins product updates or newsletters. You can opt out at any time via the unsubscribe link in those emails. Service and transactional messages (e.g., security, billing) are not marketing and may still be sent.
The Site does not respond to Do-Not-Track (DNT) signals due to the absence of an industry standard.
16) Children’s Privacy
The Service is not intended for individuals under 18. We do not knowingly collect personal data from children. If we learn we have collected such data, we will delete it.
17) Changes to This Policy
We may update this Policy from time to time. We will post the updated version with a new Effective date and, where legally required, provide additional notice.
18) Contact
XploreByte Solutions
Address: HNo 279, WardNo 5, Bawani Khera, Bhiwani, Haryana – 127032
Support: support@xplorebyte.com
19) Data Processing Addendum (DPA)
For customers subject to GDPR/UK GDPR/CCPA or enterprise requirements, XploreByte offers a Data Processing Addendum that forms part of the agreement and governs our processing as a processor, including sub-processors, international transfers (SCCs), security measures, assistance with data subject requests, and deletion/return of data on termination. Request a copy at support@xplorebyte.com.
WhatsApp-Specific Reminder
By connecting your WABA and phone number(s), you instruct XploreByte to process WhatsApp data on your behalf (including waba_id, phone_number_id, template metadata, and webhook events). Storage of message content/media is off by defaultand only enabled if you turn on features that require it. You remain responsible for end-user consent, template compliance, and lawful messaging.