NNAP Designs
PrivacyTermsDPDPASign in
Legal · § I

Privacy Policy

Effective 10 July 2026. Latest revision published to napdesigns.com/privacy-policy.

NAP Designs (“NAP”, “we”, “our”) operates the WhatsApp Business software platform available at napdesigns.com and whatsapp.napdesigns.com (the “Platform”). This Privacy Policy explains what personal data we collect from you and from your customers, why, and how you can exercise control over it. It reflects the Digital Personal Data Protection Act 2023 (DPDPA), the GDPR, and Meta's WhatsApp Business Terms.

1. Who is the data controller?

You (the business using the Platform) are the data fiduciary under DPDPA (or controller under GDPR) for your customers' conversations, contacts, and message history. NAP acts as your data processor — we only process customer data on your instructions to operate the Platform.

2. What personal data we collect

2.1 From you (the account holder)

  • Email address (used to sign you in via magic link)
  • Name and phone number if you provide them in Settings → Profile
  • Meta App credentials you paste into the connect form — App ID, App Secret, WABA ID, Phone Number ID, System User Token — encrypted at rest with libsodium secretbox
  • Payment method details processed by Razorpay (we never see card numbers)

2.2 From your customers (through you)

  • WhatsApp ID (the mobile number they use to message you)
  • Display name they set on WhatsApp, if visible
  • Message content — text, media links, template variables
  • Delivery / read receipts and quality metrics from Meta
  • Optional custom fields you assign to their contact record

2.3 Automatic technical data

  • Server logs (IP, user-agent, timestamp) retained ≤ 30 days
  • Product analytics (page views, feature usage) — no PII in payload

3. Why we process it

  • To route inbound and outbound WhatsApp messages via Meta's Cloud API
  • To bill you for the Platform subscription (Razorpay)
  • To provide inbox, templates, campaigns, analytics, flows, and admin features
  • To meet legal / regulatory obligations (record-keeping, tax)
  • To detect fraud, abuse, and violations of Meta's WhatsApp Business Terms

4. Where the data lives

All customer data is stored in a Supabase-managed PostgreSQL instance in AWS ap-south-1 (Mumbai). Encrypted WABA tokens never leave that region. Backups are region-local. We do not replicate customer data outside India without your explicit written instruction.

5. Who we share it with

  • Meta Platforms — every WhatsApp message you send is transmitted through Meta's Cloud API. Meta's privacy policy applies to that transit.
  • Supabase — database hosting. Data-processing addendum on file.
  • Railway — application hosting for the gateway/worker services (ap-south-1).
  • Vercel — dashboard hosting (edge cached, but no customer conversation data is cached at the edge).
  • Razorpay — subscription and top-up processing.
  • Anthropic — only when you explicitly use the AI (Claude) flow node. The rendered prompt and the reply text are sent to Anthropic; we do not train models on your data.
  • ZeptoMail — transactional email (login links, onboarding notifications).

We never sell personal data. We never share your data with advertising networks.

6. Your rights

Under DPDPA and GDPR you (and your customers) have the right to access, correct, delete, port, and restrict processing of personal data. Send requests to privacy@napdesigns.com and we will respond within 30 days.

7. Retention

  • Conversation + message data — kept while your subscription is active
  • 90 days after cancellation — full delete unless you request an export
  • Audit logs — 12 months (for security investigations)
  • Invoice + ledger data — 8 years (Indian tax law)

8. Security

  • Row-Level Security on every tenant table, keyed to your org
  • WABA access tokens encrypted with libsodium secretbox at rest
  • HMAC-verified webhooks (Meta, Razorpay) — timing-safe compare
  • TLS 1.2+ enforced on every endpoint
  • Least-privilege service-role keys, never exposed to the browser

9. Children

The Platform is not directed at children. If you learn that a contact under 18 has messaged you and you wish to purge that record, email us.

10. Changes to this Policy

We'll email account owners before any material change. Older versions are kept in the git repository at github.com/napdesigns for audit.

11. Contact

NAP Designs · Mumbai, India · privacy@napdesigns.com · Data Protection Officer: dpo@napdesigns.com

© MMXXVI · NAP Designs · Mumbai, India · legal@napdesigns.com