SAMVAAD

by RecursX

Legal

Privacy Policy

How RecursX collects, uses, protects, and never sells the data you and your customers trust us with.

Last updated: 2 June 2026 Effective: 2 June 2026

This Privacy Policy explains how RecursX Innovations Private Limited ("RecursX", "we", "us", or "our") handles personal data in connection with SAMVAAD, our AI-powered WhatsApp sales assistant, and the associated website, dashboard, APIs, and onboarding services (together, the "Service").

Your privacy is not an afterthought for us — it is a design principle. We do not sell your data. We do not rent it. We do not share it for anyone else's advertising. We collect only what we need to run the Service, we store it securely in India, and we give you meaningful control over it. This policy describes exactly what that means in practice.

By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with it, please do not use the Service.

We never sell your data

Your data and your customers' data are never sold, rented, or traded — to anyone, ever, for any purpose.

Stored in India

Personal data is hosted on infrastructure located in India (AWS Mumbai region) for data residency.

Encrypted end-to-end at rest & in transit

All data is encrypted in transit (TLS) and at rest, with strict access controls and audit logging.

Compliance-first

Built to align with India's DPDP Act 2023, the IT Act 2000 & SPDI Rules, and Meta's WhatsApp policies.

1. Scope & Who This Applies To

This policy applies to two groups of people: (a) our customers — the businesses, merchants, and their authorised users who sign up for and operate SAMVAAD; and (b) end-customers — the individuals who message a business on WhatsApp where SAMVAAD is enabled.

For data belonging to our business customers' end-customers (for example, the contents of WhatsApp conversations), the business is the Data Fiduciary / Data Controller and RecursX acts as a Data Processor that processes such data only on the business's documented instructions and solely to provide the Service. See "Our Role: Processor vs. Fiduciary" below.

This policy does not apply to third-party websites, products, or services we do not own or control, even if they link to or from the Service.

2. Key Definitions

  • Personal Data / Personal Information — any data about an identified or identifiable individual.
  • Data Principal / Data Subject — the individual to whom personal data relates.
  • Data Fiduciary / Controller — the entity that determines the purpose and means of processing personal data.
  • Data Processor — an entity that processes personal data on behalf of a Data Fiduciary.
  • Sub-processor — a third party engaged by us to process personal data to help deliver the Service.
  • Processing — any operation performed on personal data (collection, storage, use, disclosure, erasure, etc.).
  • DPDP Act — the Digital Personal Data Protection Act, 2023 of India and any rules issued under it.

3. Our Role: Processor vs. Fiduciary

When you sign up and give us your own information (your name, business details, billing data, login credentials), RecursX is the Data Fiduciary for that information.

When SAMVAAD handles the messages, names, phone numbers, and order details of your end-customers flowing through your WhatsApp Business number, you are the Data Fiduciary and we are your Data Processor. We process that data only to: deliver replies, search your catalog, capture orders, generate payment links, and show you analytics — strictly on your behalf. We do not use your end-customers' data for our own independent purposes.

4. Information We Collect

a) Account & business information

  • Your name, business / brand name, and role.
  • Contact details — phone number (in E.164 format) and email address.
  • Authentication data — a securely hashed password and one-time passcodes (OTPs) used for login verification.
  • Business profile, industry / category, and onboarding preferences.

b) Catalog & operational content

  • Product and service catalog data you upload (names, descriptions, prices, variants, images, availability).
  • FAQs, business rules, and configuration that shape how the AI responds.
  • WhatsApp Business number connection details and the access tokens needed to send and receive messages via Meta.

c) End-customer conversation data (processed on your behalf)

  • Inbound and outbound WhatsApp messages, including text and, where applicable, transcribed voice notes.
  • End-customer WhatsApp display name and phone number.
  • Conversation history (we typically load a limited recent window to provide context to the AI) and order / appointment details captured in chat.

d) Payment & billing information

  • Subscription plan, billing history, and GST / tax identifiers where provided.
  • Payments for end-customer orders are processed by our payment partner (e.g., Razorpay) and flow directly to the merchant. We do not store full card numbers, CVV, UPI PINs, or bank credentials — that sensitive data is handled by PCI-DSS-compliant payment processors.

e) Technical & usage data

  • Device and browser information, IP address, and approximate location derived from it.
  • Log data, request identifiers, timestamps, error reports, and feature-usage analytics.
  • Cookies and similar technologies used to keep you logged in and to understand product usage (see "Cookies").

5. How We Collect It

  • Directly from you — when you register, onboard, upload a catalog, configure the AI, or contact support.
  • Automatically — through cookies, server logs, and usage analytics as you use the Service.
  • From integrations you connect — such as Meta / WhatsApp Cloud API (to receive and send messages) and our payment partner (to confirm payment status). We only receive what is necessary to operate the features you enable.

6. How We Use Information

We use personal data only for legitimate, clearly-defined purposes:

  • To provide, operate, secure, and maintain the Service.
  • To generate AI replies that are constrained to your own catalog and FAQs.
  • To capture orders, schedule appointments, and generate payment links inside chat.
  • To authenticate logins, send OTPs, and protect your account.
  • To process subscriptions, billing, invoicing, and applicable taxes.
  • To provide customer support and respond to your requests.
  • To produce analytics and dashboards for your business.
  • To detect, prevent, and investigate fraud, abuse, and security incidents.
  • To comply with legal obligations and enforce our Terms.

We do not use your data, or your end-customers' data, for third-party advertising, profiling for unrelated purposes, or sale.

7. AI Processing & Model Training

SAMVAAD uses large language models (currently including Google's Gemini) and a vector search index (Qdrant) to understand messages and generate catalog-aware replies. The AI is constrained to your catalog and configured content — it is designed not to invent prices or products, and to escalate to a human when unsure.

We do not sell your conversations to AI vendors, and we do not use your end-customers' personal data to train our own general-purpose models without an appropriate legal basis or your instruction. Where third-party AI providers are used, data is sent only to generate a response for your business and is governed by that provider's enterprise / API terms, which restrict use of submitted content for their own model training.

9. How We Share Information — and Our No-Sale Promise

We do not sell, rent, or trade personal data. We do not share it with third parties for their own marketing. We share data only in the limited circumstances below, and only to the extent necessary:

a) Sub-processors who help us run the Service

We rely on a small set of trusted, contractually-bound providers, including:

  • Meta Platforms (WhatsApp Cloud API) — to receive and send WhatsApp messages.
  • Google (Gemini AI) — to generate AI replies.
  • Amazon Web Services (AWS, Mumbai region) — cloud hosting, storage (S3), and notifications (SNS for OTP).
  • Qdrant — vector search over your catalog to find relevant products.
  • Razorpay (or a similar PCI-DSS payment processor) — to generate payment links and confirm payments.

Each sub-processor is permitted to use the data only to provide its service to us, under confidentiality and data-protection obligations.

b) Legal & safety disclosures

  • When required by law, court order, or a valid government request.
  • To protect the rights, property, or safety of RecursX, our users, or the public, and to prevent fraud or abuse.

c) Business transfers

If RecursX is involved in a merger, acquisition, or asset sale, personal data may be transferred subject to this policy; we will notify you of any change in ownership or use of your personal data.

10. Data Storage, Location & Residency

Personal data is stored and processed on cloud infrastructure located in India (AWS Mumbai region). We design for data residency in India wherever feasible. Where a feature requires sending limited data outside India (for example, to an AI provider's API), we do so under contractual safeguards and only to the extent necessary to provide the feature you have enabled.

11. How We Protect Your Data

We apply administrative, technical, and physical safeguards proportionate to the risk, including:

  • Encryption in transit (HTTPS / TLS) for all data moving between you, us, and our sub-processors.
  • Encryption at rest for stored data.
  • Password protection — passwords are stored only as salted, hashed values; we cannot read your password.
  • Webhook integrity — inbound WhatsApp webhooks are verified using HMAC signature checks before processing.
  • Access controls — least-privilege access, authentication, and internal authorisation on sensitive systems.
  • Monitoring & logging — request tracing, audit logs, and error monitoring to detect anomalies.
  • Tenant isolation — each business's data is logically separated and access-scoped to that account.

No method of transmission or storage is 100% secure, but we work continuously to protect your data and to improve our safeguards. If we ever become aware of a personal data breach affecting you, we will notify you and the relevant authorities as required by law.

12. Data Retention

We keep personal data only for as long as necessary for the purposes described in this policy, or as required by law:

  • Account & catalog data — for the life of your account, and deleted after account closure subject to the timelines in our Account Deletion Policy.
  • Conversation data — retained to provide history and analytics while your account is active; you can request deletion.
  • Billing & tax records — retained for the period required by Indian tax and accounting law (typically up to 8 years).
  • Backups — purged on a rolling cycle (typically within 90 days) after deletion from active systems.

When we no longer need personal data, we securely delete or irreversibly anonymise it.

13. Your Rights & Choices

Subject to applicable law (including the DPDP Act, 2023), you have the right to:

  • Access the personal data we hold about you and obtain a summary of how it is processed.
  • Correct or update inaccurate or incomplete personal data.
  • Erase your personal data (see our Account Deletion Policy).
  • Withdraw consent at any time, where processing is based on consent.
  • Data portability — receive a copy of certain data, and we will help you export your data on request.
  • Grievance redressal — raise a complaint with our Grievance Officer and, if unsatisfied, with the Data Protection Board of India.
  • Nominate another individual to exercise your rights in the event of death or incapacity, as provided under the DPDP Act.

To exercise any right, contact us at hello@recursx.in. We will verify your identity and respond within the timelines required by law. End-customers should usually contact the business they messaged; we will assist that business in fulfilling such requests.

14. Children's Privacy

The Service is intended for businesses and is not directed at children. We do not knowingly collect personal data of children (as defined under the DPDP Act) without verifiable parental / guardian consent. If you believe a child's data has been collected without appropriate consent, contact us and we will delete it.

15. Cookies & Similar Technologies

We use strictly-necessary cookies and local storage (for example, to keep you securely logged in) and a limited set of analytics technologies to understand and improve product usage. We do not use cookies to build advertising profiles or to share your activity with ad networks. You can control cookies through your browser settings, though disabling essential cookies may affect functionality.

16. Third-Party Services & Links

The Service integrates with and may link to third-party services (such as WhatsApp / Meta and payment providers). Your use of those services is governed by their own terms and privacy policies. We encourage you to review them. We are not responsible for the privacy practices of services we do not control.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you through the Service or by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

18. Grievance Officer & Contact

If you have questions, concerns, or complaints about this policy or how we handle your data, please contact our Grievance Officer:

  • Entity: RecursX Innovations Private Limited
  • Attention: Grievance Officer / Data Protection Officer
  • Email: hello@recursx.in
  • Address: Indore, Madhya Pradesh, India

We take every grievance seriously and will acknowledge and address it within the timelines prescribed by applicable law.

Related policies

Terms & ConditionsAccount Deletion