Features Solutions About Us Contact Us →

Privacy Policy

VYARO TECHNOLOGIES PRIVATE LIMITED

VYARO TECHNOLOGIES PRIVATE LIMITED (“Vyaro”, “we”, “our”, “us”, “Company”) is committed to protecting your privacy and ensuring transparency in how we collect, process, store, and share personal and business data. This Privacy Policy describes our practices as a data fiduciary and data processor under applicable Indian law.

WHEREAS, Vyaro is a B2B technology service provider offering Software-as-a-Service (SaaS) solutions for digital commerce, communication, and business management; WHEREAS, Vyaro develops and provides custom-built digital commerce platforms and solutions including digital storefronts, Progressive Web Applications (PWA), AI-powered chatbots, WhatsApp Business API integration, order management systems, analytics tools, and related services.

WHEREAS, Merchant is an independent business entity desiring to engage Vyaro’s services to develop and operate a custom digital commerce platform to conduct independent e-commerce business; WHEREAS, Merchant will operate independently using Vyaro’s platform as an intermediary technology service provider, with Merchant as the sole seller in all customer transactions; By registering for, accessing, or using the Vyaro platform, you acknowledge that you have read, understood, and agree to the collection, use, storage, and disclosure of your information as described in this Privacy Policy.

1. LEGAL FRAMEWORK AND COMPLIANCE

This Privacy Policy is designed to comply with:

  • The Digital Personal Data Protection Act, 2023 (DPDP Act) and DPDP Rules, 2025
  • The Information Technology Act, 2000 and rules thereunder
  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
  • The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
  • The E-Commerce (Protection of Consumers from Unfair Trade Practices) Rules, 2020
  • The Indian Contract Act, 1872
  • Any other applicable Indian laws and regulations governing data protection and privacy

We operate as both a data fiduciary (when we determine purposes and means of processing) and a data processor (when we process data on behalf of our merchant customers). This policy covers both roles.

1.1 INTEGRATION WITH MERCHANT TERMS OF USE

This Privacy Policy is part of an integrated legal framework that includes: Merchant Terms of Use v2.7, Software Services Agreement v1.2, and Annexure A: Takedown Notice and Content Removal Procedure (incorporated in Merchant Terms of Use v2.7). All three documents should be read together as a comprehensive legal agreement governing your use of the Vyaro platform.

1.2 INTERMEDIARY STATUS AND SAFE HARBOR PROTECTION

INTERMEDIARY STATUS: Vyaro operates as an “intermediary” as defined under Section 2(1)(w) of the Information Technology Act, 2000. We host platforms where merchants create, manage, and operate independent storefronts with their own content.

SAFE HARBOR PROTECTION: Subject to compliance with Section 79 of the Information Technology Act, 2000 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Vyaro is NOT LIABLE for: Merchant Content; Merchant’s business practices or decisions; Merchant’s customer relationships; Merchant’s failure to comply with laws; Illegal, inaccurate, or harmful content posted by merchants; Third-party claims against merchants; Merchants’ privacy violations or data mishandling.

1.2A UPDATES TO TERMS AND ACCEPTANCE

Vyaro may update, modify, or amend the Merchant Terms of Use, this Agreement, or any referenced policies at any time. For non-emergency updates, Vyaro shall provide written notice of material updates 30 days in advance. For emergency updates, Vyaro may implement updates immediately without advance notice for mandatory compliance with government orders, critical security breaches, data protection emergencies, or imminent harm to customers. Merchant’s continued use of the Platform following the effective date of any updated terms shall constitute Merchant’s acceptance.

2. KEY DEFINITIONS

  • “Data Principal” means the individual to whom the personal data relates.
  • “Data Fiduciary” means any person who alone or in conjunction with others determines the purpose and means of processing of personal data. Vyaro acts as data fiduciary for merchant account data and as data processor for end customer data.
  • “Data Processor” means any person who processes personal data on behalf of a data fiduciary. Vyaro processes end customer data on behalf of merchant customers.
  • “Personal Data” means any data about an individual who is identifiable by or in relation to such data, in digital form.
  • “Processing” means any operation or set of operations performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
  • “Sensitive Personal Data” includes financial information, health data, official identifiers, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation.
  • “Consent” means any freely given, specific, informed, and unambiguous indication of the data principal’s wishes by a clear affirmative action.
  • “Annexure A” means the Takedown Notice and Content Removal Procedure as incorporated in Merchant Terms of Use v2.7.

3. INFORMATION WE COLLECT

3.1 DATA VYARO COLLECTS AS DATA FIDUCIARY

When a business registers to use Vyaro, we collect the following data:

Business and Account Information: Business name, legal entity type, industry vertical, and business description; GST Identification Number (GSTIN), Permanent Account Number (PAN), and other tax identifiers; Registered business address and operational locations; Primary contact details: name, email address, phone number, designation; Bank account details (for settlements and refunds); Business registration documents, licenses, and permits; Subscription plan, pricing tier, and module preferences; Payment and billing history.

User-Level Data (Merchant Team Members): Full name, email address, phone number, employee ID; Login credentials (passwords stored using industry-standard hashing); Role and permission level; Profile information voluntarily provided; User activity logs: actions performed, timestamps, IP addresses, device information; Session data: login/logout times, active sessions, access patterns.

Technical and Usage Data: Device information: type, operating system, browser, screen resolution; IP address, location data (derived from IP), timezone; Cookies, session tokens, device identifiers; API call logs, request/response data, error logs, system diagnostics; Performance metrics; Integration logs; Security logs.

3.2 DATA VYARO PROCESSES AS DATA PROCESSOR

We process the following data belonging to your customers on your behalf as a data processor. IMPORTANT: Merchants act as data fiduciaries for this data. Merchants are solely responsible for obtaining valid consent from end customers, maintaining compliance with DPDP Act and TRAI regulations, and responding to end customer data rights requests.

End Customer Data: Customer name, business name, contact person details; Phone number, email address, delivery address; Order history; Payment information; Delivery preferences; Customer opt-in consent records and opt-out requests; Communication history; Credit limits, outstanding amounts, payment terms.

WhatsApp Business API and Communication Data: WhatsApp Business Account (WABA) details; Message content (only if configured and authorized by merchant); Message metadata; Campaign data; Bot interaction logs; Chat analytics; Opt-in and opt-out records with timestamps.

3.3 CUSTOMER CONTACT BY VYARO

Vyaro may contact End Customers directly in the following cases: (a) Regulatory or Legal Requirements; (b) Feedback on Experience (voluntary basis, used only for Platform improvement); (c) Response to Customer Correspondence. All communications are limited to the stated purpose. No unsolicited marketing or merchant-related solicitation.

3.4 MEDICAL PRODUCTS AND HEALTH DATA

For merchants selling medical products, Vyaro maintains additional data protection measures. Merchant is responsible for ensuring all health claims are accurate, evidence-supported, and compliant with DCGI/AYUSH regulations. Customer health data related to medical products is processed with heightened security under DPDP Act. Vyaro may request and verify merchant’s licenses for data compliance purposes. If merchant makes false or unsubstantiated health claims, Vyaro may terminate access immediately.

4. HOW WE USE YOUR DATA

4.1 SERVICE DELIVERY AND PLATFORM OPERATIONS

Account creation, authentication, and user access management; Providing order management, inventory tracking, and business analytics features; Enabling WhatsApp Business API integration and message routing; Processing orders, tracking deliveries, and managing fulfilment workflows; Facilitating payment processing, billing, and financial reconciliation; Providing customer support and responding to inquiries; Sending transactional communications.

4.2 PLATFORM IMPROVEMENT AND ANALYTICS

AI AND MACHINE LEARNING: We use anonymized and aggregated data to: Train chatbot models for platform improvements; Improve order matching and inventory recommendations; Detect fraud and security threats; Analyze platform usage patterns for product development. We do NOT use personal data to: Create individual merchant or customer profiles for external use; Train models that identify or track specific individuals; Share trained models with third parties. All AI/ML training uses anonymized and de-identified data.

4.3 DATA MINIMIZATION

We collect only the minimum personal data necessary to provide our services.

4.4 LEGAL COMPLIANCE AND SECURITY

Complying with legal obligations under Indian law; Detecting, preventing, and responding to fraud, security threats, and illegal activities; Enforcing our Terms of Use and other legal agreements; Responding to lawful requests from government authorities; Protecting the rights, property, and safety of Vyaro, our users, and the public; Maintaining audit trails for compliance and accountability.

EMERGENCY DISCLOSURE: We may disclose personal data without consent if disclosure is necessary to protect life, health, or safety; in emergency situations; or where delaying disclosure would cause harm.

We do NOT use your data for: Selling or renting to third parties for commercial purposes; Behavioral advertising or profiling unrelated to platform services; Any purpose not disclosed in this Privacy Policy without your explicit consent.

4.5 PROHIBITED CONTENT AND DATA HANDLING

Vyaro does not process, store, or transmit data related to prohibited content as defined in Merchant Terms of Use v2.7 Section 5, including: Child sexual abuse material (CSAM) or exploitation material; Illegal products or services; Obscene or pornographic content; Content that violates intellectual property rights; Counterfeit goods or stolen items.

5. LEGAL BASIS FOR PROCESSING

Under the DPDP Act 2023, we process personal data based on: Consent; Legitimate Use; Compliance with Law; Protection of Life; Performance of Contract; Employment Purposes.

6. CONSENT MANAGEMENT

6.1 When and How We Obtain Consent

Consent is obtained at the point of data collection through clear, affirmative action. We provide clear information about what data is collected and for what purpose before obtaining consent. Consent requests are unbundled. For end customer data, merchants are responsible for obtaining and managing consent.

6.2 Your Right to Withdraw Consent

You may withdraw consent at any time by contacting us at support@vyaro.ai. We will process withdrawal requests within 72 hours. Withdrawal of consent may affect your ability to use certain platform features. We will retain only the minimum data required for legal compliance after consent withdrawal.

7. INTEGRATION WITH META WHATSAPP BUSINESS API

7.1 WhatsApp Business API Integration

Vyaro integrates with Meta Platforms, Inc.’s WhatsApp Business API (WABA). This integration is governed by WhatsApp Business Terms of Service, WhatsApp Business Solution Terms, Meta’s data processing and privacy policies, and our contractual agreements with our Business Solution Provider (BSP).

7.2 Data Shared with Meta

Business profile information; Message templates for approval; Message metadata (sender, receiver, timestamp, delivery status); Campaign parameters for Click-to-WhatsApp Ads; Opt-in status and consent records.

7.3 Important Disclaimers

Vyaro is a technology enabler and integration partner for WhatsApp Business API. We are NOT responsible for Meta’s approval, rejection, or delays in WABA verification or display name approval. The green checkmark (official business badge) is governed entirely by Meta’s review process. WhatsApp Business API access is subject to Meta’s policies and can be suspended or terminated by Meta without notice to Vyaro. Merchants remain solely responsible for compliance with WhatsApp Commerce Policy and messaging policies. Meta’s Privacy Policy applies to data processed by Meta. Vyaro is not liable for any privacy violations committed by merchants.

8. DATA SHARING AND THIRD PARTIES

8.1 We Share Data With

Meta Platforms, Inc.: For WhatsApp Business API messaging and related services.

Payment Gateways: PCI-DSS compliant payment processors (Razorpay, PayU, or similar) for processing subscriptions and payments. We share only transaction references, amounts, and order IDs — never full payment credentials.

Cloud Infrastructure Providers: Amazon Web Services (AWS) and Microsoft Azure for secure hosting, data storage, and computing resources.

Business Solution Provider (BSP): Our authorized WhatsApp BSP partner for WABA infrastructure and message routing.

Service Providers: Carefully vetted third parties under strict contractual obligations.

Merchant-Authorized Integrations: ERP, CRM, accounting, or other third-party systems that merchants explicitly connect to Vyaro.

CURRENT SUB-PROCESSORS (as of 01-06-2026): Amazon Web Services (AWS); Microsoft Azure; Razorpay / PayU; Google Analytics; Zoho Sign. A complete list of sub-processors is maintained at vyaro.ai/subprocessors and available upon request at support@vyaro.ai.

8.2 We DO NOT Share Data With

Marketing or advertising companies for third-party promotions; Government authorities except as required by law or valid legal process.

8.3 Safeguards for Third-Party Sharing

All third parties are contractually bound to maintain confidentiality and security under Data Processing Agreements (DPAs).

9. DATA SECURITY AND PROTECTION MEASURES

9.1 Technical Security Measures

Encryption at rest using AES-256 or equivalent; Encryption in transit using TLS 1.2 or higher; Secure password storage using industry-standard hashing algorithms (bcrypt, Argon2); Multi-factor authentication (MFA) available; Role-based access control (RBAC); API authentication using secure tokens, OAuth 2.0; Regular security patching and vulnerability scanning; Intrusion detection and prevention systems (IDS/IPS); Web application firewall (WAF); DDoS protection and traffic filtering.

9.2 Organizational Security Measures

Strict access controls; Confidentiality agreements and data protection training for all employees; Background verification for employees with data access; Security incident response plan and procedures; Regular security audits; Vendor due diligence; Data breach notification procedures.

9.3 Data Backup and Business Continuity

Automated encrypted backups performed regularly; Geo-redundant backup storage in multiple secure locations; Disaster recovery procedures tested periodically; Business continuity plans.

9.4 Data Breach Notification

In the event of a personal data breach, we will: Notify the Data Protection Board of India within the timeframe prescribed by DPDP Rules; Notify affected data principals without undue delay; Provide information about the nature of the breach; Maintain records of all personal data breaches for regulatory review.

10. DATA RETENTION AND DELETION

10.1 Retention Periods

  • Merchant Account Data: Duration of active subscription plus 7 years for financial and tax compliance
  • User Access Logs: 12 months for security and audit purposes
  • End Customer Transaction Data: 7 years to comply with Indian taxation and accounting laws
  • WhatsApp Message Metadata: 12 months unless longer retention is required
  • Support Tickets and Communications: 3 years for quality assurance and dispute resolution
  • Analytics and Aggregated Data: Anonymized data may be retained indefinitely

10.2 Deletion Upon Request

Upon receiving a deletion request, we will: (1) Acknowledge within 48 hours; (2) Verify identity within 5 business days; (3) Delete personal data within 30 days of verification (except where legal holds or compliance requirements apply).

DATA DELETION ON MERCHANT TERMINATION: Day 0–30: Data export available; Day 31–90: Personal customer data deleted (unless legally retained); Day 91+: Aggregate/anonymized data may be retained for compliance. Data is NOT deleted if related to: Ongoing legal disputes or arbitration; Regulatory investigations; Law enforcement requests; Child safety concerns (CSAM); Fraud or illegal activity; Unpaid fees or financial claims.

11. YOUR RIGHTS AS A DATA PRINCIPAL

Under the DPDP Act 2023, you have the following rights:

11.1 Right to Information and Access

You have the right to obtain confirmation of whether we are processing your personal data. You may request a summary of personal data we hold about you and how it is being used. We will respond to access requests within 30 days.

11.2 Right to Correction and Updation

You may update your profile information directly through the platform or request correction of inaccurate or incomplete personal data. We will correct errors within 7 business days of verification.

11.3 Right to Erasure and Data Portability

You may request deletion of your personal data subject to legal retention requirements. You may request a portable copy of your data in structured, machine-readable format (CSV, JSON). Requests will be fulfilled within 30 days.

11.4 Right to Withdraw Consent

You may withdraw consent at any time through your account settings or by contacting support@vyaro.ai.

11.5 Right to Grievance Redressal

You may file complaints regarding data processing with: Our Grievance Officer at grievance@vyaro.ai; or the Data Protection Board of India (once operational).

12. DATA ACCESS / EXPORT RIGHTS

MERCHANT DATA EXPORT: Upon merchant termination or request, Vyaro provides a 30-day window to export all merchant data in machine-readable format (CSV, JSON, or similar). A fee may apply for large data exports.

CUSTOMER DATA ACCESS: Customers may request a copy of personal data processed by Vyaro, data in portable format within 30 days. Request process: Contact privacy@vyaro.ai with proof of identity.

13. CHILDREN’S PRIVACY

Vyaro services are designed exclusively for business use and are not directed at children under 18 years of age. We do not knowingly collect personal data from individuals under 18. If we become aware of such collection, we will delete the data immediately upon discovery and notify the parent or legal guardian if contact information is available.

14. CROSS-BORDER DATA TRANSFERS

Your data is primarily stored and processed in India. However, certain third-party services we use may involve data transfers outside India. Cloud infrastructure providers (AWS, Azure) may process data in data centers outside India with data residency controls. Meta Platforms, Inc. may process message data in accordance with their global privacy policies. All cross-border transfers comply with DPDP Act requirements and are protected by Standard Contractual Clauses, adequacy decisions by the Indian government (if applicable), and contractual obligations on recipients to maintain equivalent data protection standards.

15. DATA OWNERSHIP AND MERCHANT RESPONSIBILITIES

15.1 Merchant Data Ownership

All data generated through merchant use of the platform — including orders, customers, products, communications, and business intelligence — remains the sole property of the merchant. Vyaro acts as a data processor and accesses this data only as necessary to provide platform services.

15.2 Merchant Responsibilities as Data Fiduciary

Obtaining valid, documented consent from end customers before sharing their data with Vyaro; Ensuring compliance with DPDP Act, TRAI regulations, and consumer protection laws; Maintaining privacy notices and consent records; Responding to end customer data rights requests; Notifying end customers of data breaches; Ensuring lawful use of WhatsApp Business API.

15.3 Use of Anonymized Data

We may create anonymized, aggregated data from merchant and customer data for: Platform performance optimization and feature development; Training machine learning and AI models; Generating industry benchmarks and insights (non-identifiable); Research and development purposes. Such anonymized data does not contain any personally identifiable information.

15.4 MERCHANT AS CUSTOMER SERVICE PROVIDER

Merchant is the primary service provider to End Customers. Merchant processes customer data for order fulfillment, customer service, refund and return processing, and marketing and promotional communications (with consent). Merchant is responsible for obtaining customer consent for data processing, maintaining data security, responding to customer data access/deletion requests, complying with DPDP Act for customer data, and handling customer complaints related to data.

16. COOKIES AND TRACKING TECHNOLOGIES

16.1 Types of Cookies We Use

  • Essential Cookies: Required for platform functionality (authentication, session management, security). These cannot be disabled.
  • Performance Cookies: Collect anonymous information about platform usage to improve performance.
  • Functional Cookies: Remember user preferences and settings to provide personalized experience.
  • Analytics Cookies: Help us understand how users interact with the platform (Google Analytics or similar).

16.2 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may affect platform functionality.

17. TAKEDOWN NOTICES AND CONTENT REMOVAL

For illegal content, data processing violations, or other legal concerns, please submit a takedown notice as detailed in ANNEXURE A: Takedown Notice and Content Removal Procedure (Incorporated in Merchant Terms of Use v2.7). Our Takedown Procedure includes: 24-hour acknowledgment; 36-hour removal timeline for valid government notices; 12-hour removal for emergencies; Merchant notification procedures; Right to appeal or submit counter-notice; Record keeping for 3 years; Quarterly transparency reporting.

Submission channels: Email: grievance@vyaro.ai | Phone: +91 99675 09877 (24/7 emergency)
Address: TB-LANE-B05, IVY VILLAS, GAT NO. 690-710, Vagholi, Haveli, Pune – 412207, Maharashtra, India

18. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy periodically. Non-emergency material changes will be communicated 30 days in advance via email to registered administrators or displayed on our website. Continued use of the platform after changes become effective constitutes acceptance of the updated Privacy Policy.

Vyaro may implement updates immediately without advance notice in emergency scenarios including mandatory compliance with government orders, critical security breaches, data protection emergencies under DPDP Act 2023, or imminent harm to customers or Platform users.

19. CONTACT US AND GRIEVANCE REDRESSAL

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Data Protection Officer / Privacy Team
VYARO TECHNOLOGIES PRIVATE LIMITED
Email: support@vyaro.ai
Grievance Email: grievance@vyaro.ai
Address: TB-LANE-B05, IVY VILLAS, GAT NO. 690-710, Vagholi, Haveli, Pune – 412207, Maharashtra, India
Phone: +91 99675 09877

We will respond to all inquiries within 30 days.

GRIEVANCE OFFICER:
In accordance with the Information Technology Act 2000 and DPDP Act 2023:
Name: Vyaro Grievance Officer
Email: grievance@vyaro.ai
Phone: +91 99675 09877
The Grievance Officer will: Acknowledge receipt of complaints within 24 hours; Investigate and resolve complaints within 15 days; Provide written response with resolution or explanation.

20. GOVERNING LAW AND JURISDICTION

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of courts in Pune, India. Dispute Resolution: Any disputes regarding data processing or this Privacy Policy shall follow the dispute resolution procedures outlined in the Software Services Agreement v1.2 and Merchant Terms of Use v2.7, including: Good faith negotiation (30 days); Mediation (optional); Arbitration under the Arbitration and Conciliation Act, 1996. Courts of Pune, Maharashtra shall have exclusive jurisdiction.

EFFECTIVE DATE: 01-06-2026 | LAST UPDATED: 01-06-2026 | VERSION: 1.3

BY USING THE VYARO PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY AND THE INTEGRATED LEGAL FRAMEWORK INCLUDING THE MERCHANT TERMS OF USE v2.7 (WITH ANNEXURE A) AND SOFTWARE SERVICES AGREEMENT v1.2.