Privacy Policy

msg10x Technologies Private Limited ("msg10x", "we", "us", or "our") operates the msg10x WhatsApp CRM platform accessible at https://msg10x.com and associated mobile applications and APIs (collectively, the "Service").

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. It applies to all users of msg10x — including business administrators, agents, and end-customers whose data is processed through our platform.

This policy is compliant with India's Digital Personal Data Protection (DPDP) Act, 2023, the Information Technology Act, 2000 and associated rules, and aligned with the General Data Protection Regulation (GDPR) for users in the European Union. By using the Service, you consent to the practices described herein.

We collect information you provide directly, information generated by your use of the Service, and information from third parties integrated with our platform.

Account & Contact Information

• Full name, email address, and phone number of account holders and team members
• Company name, GST number, and billing address
• Password (stored as bcrypt hash — never in plain text)
• Profile photos and team member role assignments

Usage & Platform Data

• Login timestamps, IP addresses, browser type, and device information
• Pages visited, features used, and interaction events within the dashboard
• API request logs (rate limits, error codes) for debugging and abuse prevention
• Performance metrics and crash reports via Sentry

WhatsApp Messages & Customer Data

• Inbound and outbound WhatsApp messages processed through your connected Business Account
• Customer contact information (phone numbers, names, custom attributes) you import or receive
• Conversation history, attachments, and media files shared in conversations
• Message delivery statuses and read receipts from Meta

Payment Information

• Subscription plan and billing history
• Payment method details are handled exclusively by Razorpay — msg10x does not store card numbers or bank account details
• Transaction IDs and invoices generated for GST compliance

• Service Delivery: To operate, maintain, and improve the msg10x platform, process WhatsApp messages, and execute automations on your behalf.
• Authentication & Security: To verify your identity, prevent unauthorised access, detect fraud, and enforce our Acceptable Use Policy.
• Customer Support: To respond to tickets, resolve technical issues, and provide onboarding assistance.
• Analytics & Product Improvement: Aggregated, anonymised usage data helps us identify popular features, diagnose performance bottlenecks, and prioritise development.
• Billing & Finance: To process subscription payments, issue GST invoices, and manage renewals via Razorpay.
• Marketing Communications: With your explicit consent, we may send product updates, tips, and promotional emails. You may opt out at any time via the unsubscribe link or by emailing privacy@msg10x.com.
• Legal Compliance: To comply with applicable Indian laws, respond to court orders, and cooperate with regulatory authorities.

We do not sell your personal data to third parties. We share data only in the following circumstances:

Essential Service Providers

• Meta Platforms Inc. / WhatsApp Business API: Messages are routed through Meta's BSP infrastructure. Meta's Data Policy governs message processing at their end.
• Razorpay Financial Solutions: Payment processing, refund management, and financial compliance. PCI-DSS Level 1 certified.
• Amazon Web Services (AWS) — Mumbai Region (ap-south-1): Cloud infrastructure, object storage (S3), and managed databases (RDS).
• Sentry: Anonymous error tracking and performance monitoring.
• SendGrid / AWS SES: Transactional email delivery (OTPs, invoices, alerts).

Other Disclosures

• Legal Obligation: We may disclose data in response to a valid court order, government directive, or regulatory requirement under Indian law.
• Business Transfer: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you 30 days in advance.
• With Your Consent: Any other sharing requires your explicit, informed consent.

All customer data is stored in AWS data centres located in the Mumbai region (ap-south-1), ensuring your data remains within India in compliance with data localisation requirements under the DPDP Act, 2023.

Technical Safeguards

• AES-256 encryption at rest for all database records and file storage
• TLS 1.3 encryption in transit for all API communications
• VPC isolation — production databases are not publicly accessible
• Role-based access control (RBAC) limiting employee access to minimum necessary data
• Automated daily backups with 30-day retention and point-in-time recovery
• Multi-factor authentication (MFA) enforced for all msg10x employee accounts

Compliance Certifications

• SOC 2 Type II — audit in progress, certification expected Q3 2026
• ISO 27001 — information security management system certified
• Meta WhatsApp Business Solution Provider (BSP) — verified partner

We retain your data for as long as your account is active. Upon account deletion, data is purged from production systems within 30 days and from backup archives within 90 days, unless retention is required by applicable law.

Under India's Digital Personal Data Protection Act, 2023, you have the following rights as a Data Principal:

• Right to Access: Request a copy of all personal data we hold about you.
• Right to Correction: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data, subject to legal retention obligations.
• Right to Data Portability: Receive your data in a structured, machine-readable format (JSON or CSV).
• Right to Withdraw Consent: Withdraw consent for any processing based on consent, without affecting prior lawful processing.
• Right to Nominate: Nominate a person to exercise your rights in case of death or incapacity.
• Right to Grievance Redressal: Lodge a complaint with our Grievance Officer or the Data Protection Board of India.

To exercise any of these rights, email privacy@msg10x.com with the subject line "Data Rights Request". We will respond within 30 days as required by the DPDP Act.

msg10x is an authorised Meta WhatsApp Business Solution Provider (BSP). When you connect your WhatsApp Business Account to msg10x:

• You grant msg10x permission to send and receive messages on your behalf through the WhatsApp Business API.
• Message content is processed according to Meta's WhatsApp Business Terms of Service in addition to this Privacy Policy.
• We do not use your customers' WhatsApp messages to train AI models without explicit opt-in.
• Message logs are retained for 12 months by default. You may configure a shorter retention period in your account settings.
• End-to-end encryption: WhatsApp messages are encrypted in transit by Meta's protocol. Once received by the API, messages are stored encrypted at rest on our servers.
• You remain the Data Fiduciary for your customers' data. msg10x acts as a Data Processor on your behalf.

We use cookies and similar tracking technologies on our website and dashboard.

Types of Cookies

• Strictly Necessary: Session authentication cookies required for the platform to function. Cannot be disabled.
• Analytics: Google Analytics 4 and PostHog for understanding aggregate user behaviour. All data is anonymised. IP addresses are truncated.
• Preferences: Stores your theme (dark/light), language, and dashboard layout preferences.

Opt-out: You may disable analytics cookies via the Cookie Preferences panel in your account settings or by installing the Google Analytics Opt-out Add-on. Disabling strictly necessary cookies will impair platform functionality.

The msg10x Service is intended exclusively for business use by individuals aged 18 years and above. We do not knowingly collect personal data from anyone under 18 years of age. If you believe a minor has provided us with personal information, please contact privacy@msg10x.com and we will promptly delete such data.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Send an in-app notification to all account administrators at least 14 days before changes take effect
• For significant changes affecting data subject rights, send an email notification to the registered account email address

Continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

For any privacy-related queries, data rights requests, or complaints, please contact us: