VYARO

PRIVACY POLICY

Vyaro Technologies Private Limited ("Vyaro", "we", "our", "us", "Company") is committed to protecting your privacy and ensuring transparency in how we collect, process, store, and share personal and business data. This Privacy Policy describes our practices as a data fiduciary and data processor under applicable Indian law.

Vyaro provides an AI-powered order management platform that facilitates business-to-business (B2B) distribution through WhatsApp Business API and Progressive Web Application (PWA) interfaces, enabling distributors to manage orders, inventory, customer communications, and business operations.

By registering for, accessing, or using the Vyaro platform, you acknowledge that you have read, understood, and agree to the collection, use, storage, and disclosure of your information as described in this Privacy Policy.

1. LEGAL FRAMEWORK AND COMPLIANCE

This Privacy Policy is designed to comply with:

·       The Digital Personal Data Protection Act, 2023 (DPDP Act) and DPDP Rules, 2025

·       The Information Technology Act, 2000 and rules thereunder

·       The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

·       The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

·       The Indian Contract Act, 1872

·       Any other applicable Indian laws and regulations governing data protection and privacy

We operate as both a data fiduciary (when we determine purposes and means of processing) and a data processor (when we process data on behalf of our merchant customers). This policy covers both roles.

2. KEY DEFINITIONS

·       "Data Principal" means the individual to whom the personal data relates, including merchant users, end customers, and authorized personnel.

·       "Data Fiduciary" means any person who alone or in conjunction with others determines the purpose and means of processing of personal data. Vyaro acts as data fiduciary for merchant account data and as data processor for end customer data.

·       "Data Processor" means any person who processes personal data on behalf of a data fiduciary. Vyaro processes end customer data on behalf of merchant customers.

·       "Personal Data" means any data about an individual who is identifiable by or in relation to such data, in digital form.

·       "Processing" means any operation or set of operations performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.

·       "Sensitive Personal Data" includes financial information, health data, official identifiers, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation.

·       "Consent" means any freely given, specific, informed, and unambiguous indication of the data principal wishes by a clear affirmative action.

3. INFORMATION WE COLLECT

3.1. Merchant Business and Account Information

When a business registers to use Vyaro, we collect:

·       Business name, legal entity type, industry vertical, and business description

·       GST Identification Number (GSTIN), Permanent Account Number (PAN), and other tax identifiers

·       Registered business address, principal place of business, and operational locations

·       Primary contact details: name, email address, phone number, designation

·       Bank account details (for settlements and refunds)

·       Business registration documents, licenses, and permits (as applicable)

·       Subscription plan, pricing tier, and module preferences

·       Payment and billing history, invoice records, transaction references

3.2. User-Level Data (Merchant Team Members)

For each individual authorized to access the Vyaro platform:

·       Full name, email address, phone number, employee ID (if applicable)

·       Login credentials (passwords stored using industry-standard hashing)

·       Role and permission level (Admin, Order Manager, Sales Executive, etc.)

·       Profile information voluntarily provided by users

·       User activity logs: actions performed, timestamps, IP addresses, device information

·       Session data: login/logout times, active sessions, access patterns

3.3. End Customer Data (Processed on Behalf of Merchants)

We process the following data belonging to your customers on your behalf as a data processor:

·       Customer name, business name, contact person details

·       Phone number, email address, delivery address

·       Order history: products ordered, quantities, pricing, order values, timestamps

·       Payment information: payment method, transaction status, payment references (we do not store card numbers or CVV)

·       Delivery preferences, special instructions, and fulfillment status

·       Customer opt-in consent records and opt-out requests

·       Communication history: WhatsApp message metadata, timestamps, message types

·       Credit limits, outstanding amounts, payment terms

IMPORTANT: Merchants act as data fiduciaries for end customer data. Merchants are solely responsible for obtaining valid consent from end customers, maintaining compliance with DPDP Act and TRAI regulations, and responding to end customer data rights requests. Vyaro processes this data only as instructed by the merchant.

3.4. WhatsApp Business API and Communication Data

·       WhatsApp Business Account (WABA) details and display name

·       Message content (only if configured and authorized by merchant)

·       Message metadata: timestamps, message IDs, delivery status, read receipts, message templates used

·       Campaign data: Click-to-WhatsApp Ads (CTWA) parameters, campaign IDs, conversion tracking

·       Bot interaction logs: automated responses, workflow triggers, escalation events

·       Chat analytics: message volume, response times, user engagement metrics

·       Opt-in and opt-out records with timestamps

3.5. Technical and Usage Data

·       Device information: type, operating system, browser, screen resolution

·       IP address, location data (derived from IP), timezone

·       Cookies, session tokens, device identifiers

·       API call logs, request/response data, error logs, system diagnostics

·       Performance metrics: page load times, feature usage, platform interaction patterns

·       Integration logs: third-party API calls, webhook events, ERP/CRM sync data

·       Security logs: login attempts, authentication events, access control events

4. HOW WE USE YOUR DATA

Vyaro processes personal data for the following lawful purposes:

4.1. Service Delivery and Platform Operations

·       Account creation, authentication, and user access management

·       Providing order management, inventory tracking, and business analytics features

·       Enabling WhatsApp Business API integration and message routing

·       Processing orders, tracking deliveries, and managing fulfillment workflows

·       Facilitating payment processing, billing, and financial reconciliation

·       Providing customer support and responding to inquiries

·       Sending transactional communications (order confirmations, delivery updates, payment receipts)

4.2. Platform Improvement and Analytics

·       We reserve the right to retain and use collected data to improve, enhance, develop, support, and operate our products and services, including for analytics, research, service optimization, feature development, and AI/ML improvement, subject to applicable law, contractual obligations, and this Privacy Policy. Where feasible or legally required, we will use anonymized, aggregated, or de-identified data for such purposes.

4.3. Legal Compliance and Security

·       Complying with legal obligations under Indian law (taxation, audit, regulatory reporting)

·       Detecting, preventing, and responding to fraud, security threats, and illegal activities

·       Enforcing our Terms of Use and other legal agreements

·       Responding to lawful requests from government authorities, courts, or law enforcement

·       Protecting the rights, property, and safety of Vyaro, our users, and the public

·       Maintaining audit trails for compliance and accountability

4.4. Communication and Support

·       Sending important platform updates, security alerts, and service notifications

·       Providing technical support and responding to inquiries

·       Communicating billing information, payment confirmations, and subscription renewals

·       Notifying about changes to policies, terms, or features (where consent is obtained)

We do NOT use your data for:

• Selling or renting to third parties for commercial purposes
• Behavioral advertising or profiling unrelated to platform services
• Any purpose not disclosed in this Privacy Policy without obtaining your explicit consent

5. LEGAL BASIS FOR PROCESSING

Under the DPDP Act 2023, we process personal data based on the following legal grounds:

·       Consent: Where you have provided free, specific, informed, and unambiguous consent for processing.

·       Legitimate Use: Where you have voluntarily provided personal data for a specified purpose and have not indicated non-consent.

·       Compliance with Law: Where processing is necessary to comply with legal obligations under Indian law.

·       Protection of Life: Where processing is necessary to respond to medical emergencies or threats to life or safety.

·       Performance of Contract: Where processing is necessary to fulfill our contractual obligations to you under our Terms of Use.

·       Employment Purposes: For processing employee data (if Vyaro is your employer).

6. CONSENT MANAGEMENT

6.1. When and How We Obtain Consent:

·       Consent is obtained at the point of data collection through clear, affirmative action (checkbox, button click, form submission)

·       We provide clear information about what data is collected and for what purpose before obtaining consent

·       Consent requests are unbundled - we do not force you to consent to unnecessary processing to access basic services

·       For end customer data, merchants are responsible for obtaining and managing consent

6.2. Your Right to Withdraw Consent:

·       You may withdraw consent at any time by contacting us at support@vyaro.ai

·       Withdrawal is as easy as giving consent - we provide simple mechanisms for revocation

·       We will process withdrawal requests within 72 hours

·       Withdrawal of consent may affect your ability to use certain platform features

·       We will retain only the minimum data required for legal compliance after consent withdrawal

7. INTEGRATION WITH META WHATSAPP BUSINESS API

7.1. WhatsApp Business API Integration:

Vyaro integrates with Meta Platforms, Inc.'s WhatsApp Business API (WABA) to enable business messaging. This integration is governed by:

·       WhatsApp Business Terms of Service

·       WhatsApp Business Solution Terms

·       Meta's data processing and privacy policies

·       Our contractual agreements with our Business Solution Provider (BSP)

7.2. Data Shared with Meta:

·       Business profile information (business name, display name, category)

·       Message templates for approval

·       Message metadata (sender, receiver, timestamp, delivery status)

·       Campaign parameters for Click-to-WhatsApp Ads

·       Opt-in status and consent records as required by WhatsApp policies

7.3. Important Disclaimers:

·       Vyaro is a technology enabler and integration partner for WhatsApp Business API

·       We are NOT responsible for Meta's approval, rejection, or delays in WhatsApp Business Account verification or display name approval

·       The green checkmark (official business badge) is governed entirely by Meta's review process

·       WhatsApp Business API access is subject to Meta's policies and can be suspended or terminated by Meta without notice to Vyaro

·       Merchants remain solely responsible for compliance with WhatsApp Commerce Policy and messaging policies

8. DATA SHARING AND THIRD PARTIES

8.1. We Share Data With:

·       Meta Platforms, Inc.: For WhatsApp Business API messaging, Click-to-WhatsApp Ads, and related services as described in Section 7.

·       Payment Gateways: PCI-DSS compliant payment processors (Razorpay, PayU, or similar) for processing subscriptions, top-ups, and transaction payments. We share only transaction references, amounts, and order IDs - never full payment credentials.

·       Cloud Infrastructure Providers: Amazon Web Services (AWS) and Microsoft Azure for secure hosting, data storage, and computing resources.

·       Business Solution Provider (BSP): Our authorized WhatsApp BSP partner for WABA infrastructure and message routing.

·       Service Providers: Carefully vetted third parties who assist with platform operations (email services, SMS providers, analytics tools, customer support systems) under strict contractual obligations.

·       Merchant-Authorized Integrations: ERP, CRM, accounting, or other third-party systems that merchants explicitly connect to Vyaro. Data flows are controlled by merchant configuration.

8.2. We DO NOT Share Data With:

·       Marketing or advertising companies for third-party promotions

··       Any party for purposes unrelated to platform services

·       Government authorities except as required by law or valid legal process

8.3. Safeguards for Third-Party Sharing:

·       All third parties are contractually bound to maintain confidentiality and security

·       Data Processing Agreements (DPAs) are in place with all processors

·       Third parties must comply with DPDP Act and applicable data protection laws

·       Access is limited to minimum data necessary for specific purposes

·       We maintain a list of sub-processors available upon request

9. DATA SECURITY AND PROTECTION MEASURES

We implement comprehensive technical and organizational measures to protect your data:

9.1. Technical Security Measures

·       Encryption at rest using AES-256 or equivalent for all sensitive data stored in databases

·       Encryption in transit using TLS 1.2 or higher for all data transmissions

·       Secure password storage using industry-standard hashing algorithms (bcrypt, Argon2)

·       Multi-factor authentication (MFA) available for user accounts

·       Role-based access control (RBAC) limiting data access based on job functions

·       API authentication using secure tokens, OAuth 2.0, and rotating access keys

·       Regular security patching and vulnerability scanning

·       Intrusion detection and prevention systems (IDS/IPS)

·       Web application firewall (WAF) protection against common attacks

·       DDoS protection and traffic filtering

9.2. Organizational Security Measures

·       Strict access controls limiting employee access to personal data on need-to-know basis

·       Confidentiality agreements and data protection training for all employees

·       Background verification for employees with data access

·       Security incident response plan and procedures

·       Regular security audits and compliance assessments

·       Vendor due diligence and security reviews for all third parties

·       Data breach notification procedures compliant with DPDP Act

9.3. Data Backup and Business Continuity

·       Automated encrypted backups performed regularly

·       Geo-redundant backup storage in multiple secure locations

·       Disaster recovery procedures tested periodically

·       Business continuity plans to ensure service availability

9.4. Data Breach Notification:

In the event of a personal data breach, we will:

·       Notify the Data Protection Board of India within the timeframe prescribed by DPDP Rules

·       Notify affected data principals without undue delay if the breach is likely to harm their rights

·       Provide information about the nature of the breach, categories of data affected, and remedial measures taken

·       Maintain records of all personal data breaches for regulatory review

10. DATA RETENTION AND DELETION

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy and to comply with legal obligations:

10.1. Retention Periods

·       Merchant Account Data: Retained for the duration of the active subscription plus 7 years for financial and tax compliance (GST records, invoices, payment history).

·       User Access Logs: Retained for 12 months for security and audit purposes.

·       End Customer Transaction Data: Retained for 7 years to comply with Indian taxation and accounting laws.

·       WhatsApp Message Metadata: Retained for 12 months unless longer retention is required by merchant for business purposes or legal compliance.

·       Support Tickets and Communications: Retained for 3 years for quality assurance and dispute resolution.

·       Analytics and Aggregated Data: Anonymized data may be retained indefinitely for platform improvement and research.

10.2. Deletion Upon Request

Upon account termination or explicit deletion request:

·       Notwithstanding account termination or deletion requests, we may retain data as necessary for legal compliance, fraud prevention, dispute resolution, enforcement of our agreements, internal recordkeeping, and product and service improvement, provided such retention and use is permitted by applicable law and, where appropriate, carried out using anonymized, aggregated, or de-identified data.

11. YOUR RIGHTS AS A DATA PRINCIPAL

Under the DPDP Act 2023, you have the following rights:

11.1. Right to Information and Access

·       You have the right to obtain confirmation of whether we are processing your personal data

·       You may request a summary of personal data we hold about you and how it is being used

·       You may access your data through your Vyaro dashboard or by submitting a request to support@vyaro.ai

·       We will respond to access requests within 30 days

11.2. Right to Correction and Updation

·       You may update your profile information, business details, and user preferences directly through the platform

·       You may request correction of inaccurate or incomplete personal data

·       We will correct errors within 7 business days of verification

11.3. Right to Erasure and Data Portability

·       You may request deletion of your personal data subject to legal retention requirements

·       You may request a portable copy of your data in structured, machine-readable format (CSV, JSON)

·       Data portability requests will be fulfilled within 30 days

·       Deletion requests will be processed within 90 days subject to legal holds

11.4. Right to Withdraw Consent

·       You may withdraw consent at any time through your account settings or by contacting support@vyaro.ai

·       Withdrawal will not affect lawfulness of processing based on consent before withdrawal

·       Certain services may become unavailable after consent withdrawal

11.5. Right to Grievance Redressal

You may file complaints regarding data processing with:

·       Our Grievance Officer at grievance@vyaro.in

·       The Data Protection Board of India (once operational)

To exercise any of these rights, submit a written request to support@vyaro.ai with:

·       Your full name and contact information

·       Description of the right you wish to exercise

·       Specific data or categories of data involved

·       Proof of identity (for security purposes)

12. CHILDREN'S PRIVACY

Vyaro services are designed exclusively for business use and are not directed at children under 18 years of age. We do not knowingly collect personal data from individuals under 18.

If we become aware that we have inadvertently collected personal data from a child under 18 without verifiable parental consent, we will:

·       Delete the data immediately upon discovery

·       Notify the parent or legal guardian if contact information is available

·       Take steps to prevent future collection from individuals under 18

If you believe we have collected data from a child under 18, please contact us immediately at support@vyaro.ai.

13. CROSS-BORDER DATA TRANSFERS

Your data is primarily stored and processed in India. However, certain third-party services we use may involve data transfers outside India:

·       Cloud infrastructure providers (AWS, Azure) may process data in data centers outside India with data residency controls

·       Meta Platforms, Inc. for WhatsApp Business API may process message data in accordance with their global privacy policies

·       All cross-border transfers comply with DPDP Act requirements and are protected by:

Safeguards include:

·       Standard Contractual Clauses (SCCs) approved under Indian law

·       Adequacy decisions by the Indian government (if applicable)

·       Explicit consent where required by law

·       Contractual obligations on recipients to maintain equivalent data protection standards

14. DATA OWNERSHIP AND MERCHANT RESPONSIBILITIES

14.1. Merchant Data Ownership:

All data generated through merchant use of the platform - including orders, customers, products, communications, and business intelligence - remains the sole property of the merchant. Vyaro acts as a data processor and accesses this data only as necessary to provide platform services.

14.2. Merchant Responsibilities as Data Fiduciary:

·       Obtaining valid, documented consent from end customers before sharing their data with Vyaro

·       Ensuring compliance with DPDP Act, TRAI regulations, and consumer protection laws

·       Maintaining privacy notices and consent records for end customers

·       Responding to end customer data rights requests (access, correction, deletion)

·       Notifying end customers of data breaches in accordance with legal requirements

·       Ensuring lawful use of WhatsApp Business API in compliance with Meta policies

14.3. Use of Anonymized Data:

We may create anonymized, aggregated data from merchant and customer data for:

·       Platform performance optimization and feature development

·       Training machine learning and AI models

·       Generating industry benchmarks and insights (non-identifiable)

·       Research and development purposes

Such anonymized data does not contain any personally identifiable information and cannot be linked back to any individual or business.

15. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies to enhance platform functionality and user experience:

15.1. Types of Cookies We Use

·       Essential Cookies: Required for platform functionality (authentication, session management, security). These cannot be disabled.

·       Performance Cookies: Collect anonymous information about platform usage to improve performance.

·       Functional Cookies: Remember user preferences and settings to provide personalized experience.

·       Analytics Cookies: Help us understand how users interact with the platform (Google Analytics or similar).

15.2. Managing Cookies:

You can control cookies through your browser settings. Note that disabling essential cookies may affect platform functionality. Most browsers allow you to:

·       View what cookies are stored and delete them individually or all at once

·       Block third-party cookies

·       Block cookies from specific sites

·       Accept all cookies by default

16. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy periodically to reflect:

·       Changes in applicable laws and regulations (DPDP Rules updates, new legal requirements)

·       Introduction of new features, services, or business practices

·       Feedback from regulators or users

·       Evolving privacy and security standards

16.1. Notification of Material Changes:

·       Material changes will be communicated at least 30 days in advance

·       Notification will be sent via email to registered administrators

·       In-app notifications and banners will be displayed

·       Updated policy will be posted on our website with effective date clearly marked

16.2. Continued use of the platform after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree to changes, you must discontinue use and may request account deletion.

17. CONTACT US

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Data Protection Officer / Privacy Team
Vyaro Technologies Private Limited
Email: support@vyaro.ai
Grievance Email: grievance@vyaro.ai
Address: TB-LANE-B05, Ivy Villas, Gat No. 690–710, Vagholi, Haveli, Pune – 412207, Maharashtra
Phone: +91 99675 09877

We will respond to all inquiries within 30 days.

18. GRIEVANCE REDRESSAL MECHANISM

In accordance with the Information Technology Act 2000 and DPDP Act 2023, we have designated a Grievance Officer to address complaints:

Name: Vyaro Grievance Officer
Email: grievance@vyaro.ai
Address: TB-LANE-B05, Ivy Villas, Gat No. 690–710, Vagholi, Haveli, Pune – 412207, Maharashtra
Phone: +91 99675 09877

The Grievance Officer will:

·       Acknowledge receipt of complaints within 24 hours

·       Investigate and resolve complaints within 15 days

·       Provide written response with resolution or explanation

·       Escalate unresolved issues to senior management and legal team

19. GOVERNING LAW AND JURISDICTION

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of courts in Pune, India.

EFFECTIVE DATE: 01-04-2026
LAST UPDATED: 01-04-2026
VERSION: 1.0

BY USING THE VYARO PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY.