Legal

Privacy Policy

Last updated: June 20, 2026  ·  Effective under Indian Law & DPDP Act 2023

MotherBot ("we", "our", "us", or "Platform") is committed to protecting your personal information and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect information about you when you use the MotherBot platform, in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and all other applicable Indian laws.

By using MotherBot, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree, please discontinue use of the platform.

1. Who We Are

MotherBot is a technology platform providing WhatsApp Business API-based CRM, campaign management, chatbot, and analytics tools to businesses. We act as a Data Fiduciary (as defined under the DPDP Act 2023) with respect to the personal data of our registered users. With respect to the personal data of end customers (message recipients) belonging to our users, we act as a Data Processor on behalf of our users, who are themselves the Data Fiduciaries for that data.

Platform Disclaimer on End-User Data

MotherBot does not control the personal data of message recipients (your customers). Our registered users (businesses) are solely responsible for ensuring they have obtained valid consent from their customers to send WhatsApp communications, as required under the DPDP Act 2023 and TRAI TCCCP Regulations. MotherBot processes such data only on the express instructions of the registered user.

2. Information We Collect

2.1 Account and Registration Data

  • Name, email address, phone number, and organization name provided during registration
  • Password stored in encrypted (hashed) form — we never store plaintext passwords
  • Profile information and preferences you configure within the platform

2.2 WhatsApp Business Data

  • WhatsApp Business phone numbers and display names you connect to the platform
  • Message templates submitted to and approved by Meta
  • Contact lists, tags, and custom fields you import or create
  • Inbound and outbound message content processed through the WhatsApp Cloud API
  • Chatbot flows, campaign configurations, and automation rules

2.3 Usage and Analytics Data

  • Features you use, pages visited, and actions taken within the platform
  • Campaign delivery statistics, read rates, and response metrics
  • Error logs and diagnostic data used for platform improvement

2.4 Billing and Payment Data

  • Subscription plan details and billing history
  • Payment instrument details processed through PCI-DSS compliant payment processors (we do not store card numbers or CVVs)
  • GST and tax information as required under Indian tax laws

2.5 Technical and Device Data

  • IP address, browser type, device type, and operating system
  • Session data and authentication tokens
  • Cookie data as described in our Cookie Policy

3. Legal Basis for Processing

Under the Digital Personal Data Protection Act, 2023, we process your personal data on the following lawful grounds:

  • Consent: Where you have provided explicit, informed consent (e.g., marketing communications from us)
  • Contractual necessity: Processing required to fulfil our obligations under the Terms of Service (account management, service delivery)
  • Legal obligation: Where we are required to process data to comply with applicable Indian laws
  • Legitimate interests: For security monitoring, fraud prevention, and platform improvement, balanced against your fundamental rights

4. How We Use Your Information

  • To create and manage your account and provide access to the MotherBot platform
  • To process WhatsApp messages, campaigns, and chatbot interactions on your behalf via the WhatsApp Cloud API
  • To send transactional communications (account alerts, billing receipts, security notifications, password resets)
  • To provide customer support and respond to queries or grievances
  • To generate analytics and reporting on campaign performance and platform usage
  • To detect, investigate, and prevent fraud, abuse, spam, and security threats
  • To comply with legal and regulatory obligations under Indian law
  • To improve platform features, performance, and user experience

We do not sell your personal data to any third party. We do not use WhatsApp message content for advertising or profiling purposes.

5. WhatsApp Message Data

Message content transmitted through the WhatsApp Cloud API is also processed by Meta Platforms per Meta's own Privacy Policy. MotherBot stores message logs to provide conversation history and analytics to registered users. The registered user (business) is the Data Fiduciary for personal data of their message recipients and must independently ensure:

  • Valid opt-in consent has been obtained from each recipient before sending marketing messages
  • Recipients can opt out at any time upon request
  • Compliance with TRAI's TCCCP Regulations and the NDNC Registry
  • No personal data of minors (under 18) is processed without verifiable parental consent

6. Data Sharing and Disclosure

We share your information only in the following circumstances:

  • Meta Platforms (WhatsApp, Facebook, Instagram): Message content and contact data are transmitted to Meta to deliver messages via the WhatsApp Cloud API, and to Facebook and Instagram for social media integration features, subject to Meta's Privacy Policy
  • Cloud infrastructure providers: Reputable hosting providers under strict data processing agreements that prohibit any secondary use of your data
  • Payment processors: Billing data shared with PCI-DSS compliant payment gateways (Razorpay, PayU) solely for transaction processing
  • Legal and regulatory authorities: When required by Indian law, court order, or government directive under the IT Act 2000, DPDP Act 2023, or other applicable laws
  • Law enforcement: We cooperate with Indian law enforcement in accordance with lawful legal process
  • Business transfers: In a merger, acquisition, or sale of assets, data may be transferred to the successor entity with prior notice to you

We do not share data with advertisers, data brokers, or any third party for commercial purposes without your explicit consent.

6A. Third-Party Integration Data Flows

Third-Party Data Processing Notice

When you connect MotherBot to a Third-Party Service, data you choose to sync or transmit is processed by that Third-Party Service under its own Privacy Policy. MotherBot does not control how Third-Party Services store, use, or share your data. You are responsible for reviewing the privacy practices of each Third-Party Service you connect.

MotherBot acts as a conduit for data you choose to exchange with the following optional Third-Party Integrations. By enabling any integration, you acknowledge and accept that relevant data will be transmitted to and processed by the respective third party:

  • Zoho CRM: Contact records, lead data, and CRM fields you map are transmitted to your Zoho account. Governed by Zoho's Privacy Policy (zoho.in/privacy).
  • Salesforce CRM: Contact and lead records, case data, and mapped fields are transmitted to your Salesforce organization. Governed by Salesforce's Privacy Policy (salesforce.com/privacy).
  • Google (Gmail, Sheets, Drive, Contacts): Email content, spreadsheet data, file uploads, and contact information may be transmitted to Google's servers. Governed by Google's Privacy Policy (policies.google.com/privacy).
  • X / Twitter: Post content and media you configure for publishing via chatbot automations are transmitted to X Corp. Governed by X's Privacy Policy (x.com/privacy).
  • AI Providers (OpenAI, Anthropic, Google Gemini, Meta Llama): Conversation content and prompts you configure in AI Reply chatbot nodes are transmitted to the selected AI provider for processing. Each provider has its own data retention and usage policies.
  • Payment Gateways (Razorpay, PayU): Transaction amounts, references, and metadata are shared with the selected payment gateway. MotherBot does not store card or bank account details.

MotherBot is not responsible for data breaches, policy changes, API discontinuation, or any other event affecting Third-Party Services. If a Third-Party Service changes how it processes your data or discontinues its services, MotherBot has no control over such changes and cannot be held liable for resulting data issues or service disruptions.

7. Data Retention

  • Account data: Retained for the duration of your account and 3 years after closure for legal compliance
  • Message logs: Retained for 90 days by default; configurable per your platform settings
  • Billing records: Retained for 7 years as required under Indian accounting and GST laws
  • Security and audit logs: Retained for 180 days as required under IT Rules 2021

After the applicable retention period, data is securely deleted or anonymised to prevent re-identification.

8. Your Data Subject Rights

You have specific rights over your personal data. This section explains each right, who it applies to, and exactly how to exercise it. We honour requests from all users regardless of jurisdiction, and apply the highest applicable standard.

8.1 Rights under the Digital Personal Data Protection Act, 2023 (India)

As a Data Principal under the DPDP Act 2023, Indian users have the following rights:

  • Right to Access: Request a summary of the personal data we hold about you, the purposes for which it is being processed, and the identities of Data Processors and third parties with whom it has been shared.
  • Right to Correction: Request correction of inaccurate, incomplete, or misleading personal data. We will correct or supplement the data and notify third parties to whom it was disclosed, where feasible.
  • Right to Erasure: Request erasure of personal data where the purpose for which it was collected has been fulfilled, or where consent has been withdrawn, subject to overriding legal or regulatory retention obligations.
  • Right to Data Portability: Request a machine-readable copy of the personal data you have provided to us, so you may transfer it to another service provider.
  • Right to Withdraw Consent: Withdraw consent for consent-based processing at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Certain services may become unavailable upon withdrawal.
  • Right to Grievance Redressal: Raise a complaint with our Grievance Officer. If unresolved within 30 days, you may escalate to the Data Protection Board of India once constituted.
  • Right to Nomination: Nominate a trusted individual to exercise your data rights on your behalf in the event of your death or incapacity.

8.2 Additional Rights for EU / EEA Users (GDPR)

If you are located in the European Union or European Economic Area, you have the following additional rights under the General Data Protection Regulation (GDPR):

  • Right to Restriction of Processing: Request that we restrict processing of your personal data where you contest its accuracy, the processing is unlawful, we no longer need it but you require it for a legal claim, or you have objected to processing.
  • Right to Object: Object at any time to processing based on our legitimate interests or for direct marketing. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right Not to Be Subject to Automated Decision-Making: Request human review of any decision made about you solely by automated means (including profiling) that produces significant legal or similarly significant effects.
  • Right to Lodge a Complaint with a Supervisory Authority: File a complaint with the data protection authority in your EU/EEA member state if you believe your rights have been violated.

Our legal basis for processing EU personal data includes: performance of a contract (service delivery), legal obligation (compliance), legitimate interests (security, fraud prevention), and consent (marketing).

8.3 Additional Rights for California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions (e.g., completing transactions, legal obligations, security).
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: MotherBot does not sell personal information and does not share it for cross-context behavioural advertising. This right is automatically satisfied.
  • Right to Limit Use of Sensitive Personal Information: Request that we limit use of sensitive personal information to purposes permitted by the CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights — no denial of service, different prices, or degraded quality.

California requests will be acknowledged within 10 business days and fulfilled within 45 days (extendable by a further 45 days where reasonably necessary).

8.4 How to Exercise Your Rights

To submit any data subject rights request, use one of the channels below. Include your name, registered email address, and a description of the right you wish to exercise. We may need to verify your identity before processing the request.

  • Email: hello@motherbot.io
  • Subject line: "Data Subject Rights Request – [right type, e.g. Access / Erasure / Portability]"
  • Response times: Acknowledgement within 24 hours; full response within 30 days (DPDP / GDPR) or 45 days (CCPA)
  • Identity verification: We may ask you to confirm your registered email or provide additional verification to prevent unauthorised disclosure
  • No fee: Rights requests are free of charge unless manifestly unfounded or excessive

If we are unable to fulfil your request due to a legal obligation or overriding legitimate interest, we will explain the reason in writing and inform you of your right to escalate to the applicable supervisory authority.

9. Data Localisation and Cross-Border Transfers

We store your data on servers located in India wherever practicable. Where data is transferred outside India (e.g., to Meta's global servers for WhatsApp message delivery), such transfers are made in compliance with the DPDP Act 2023 and applicable cross-border data transfer rules notified by the Central Government. We ensure appropriate contractual and technical safeguards are in place for any international data transfer.

10. Security

We implement reasonable security practices as required under the IT (SPDI) Rules, 2011 and DPDP Act 2023, including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of sensitive data at rest
  • Role-based access controls and audit logging
  • Regular security assessments and vulnerability testing
  • Incident response procedures and data breach notification protocols

In the event of a personal data breach that may cause harm to you, we will notify you and the Data Protection Board of India as required under the DPDP Act 2023. To report a security vulnerability, contact hello@motherbot.io.

11. Cookies

  • Essential cookies: Required for authentication, session management, and security — cannot be disabled
  • Analytics cookies: Used to understand usage patterns and improve our services — can be disabled in your browser

See our Cookie Policy for full details.

12. Children's Privacy

MotherBot is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. The DPDP Act 2023 mandates verifiable parental consent before processing a child's personal data. If you believe a child has provided us their data without proper consent, contact our Grievance Officer immediately and we will delete such data upon verification.

13. Grievance Officer

As required under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Digital Personal Data Protection Act, 2023:

  • Name: Grievance Officer, MotherBot
  • Privacy queries: hello@motherbot.io
  • General grievances: hello@motherbot.io
  • Acknowledgement: Within 24 hours of receipt
  • Resolution timeline: Within 15 days (IT Rules 2021); within 30 days (DPDP Act requests)

Unresolved grievances may be escalated to the Data Protection Board of India once constituted under the DPDP Act 2023.

14. Compliance Framework

This Privacy Policy is formulated in compliance with:

  • Digital Personal Data Protection Act, 2023 — primary Indian data protection legislation
  • Information Technology Act, 2000 — governing electronic records and cybersecurity
  • IT (SPDI) Rules, 2011 — governing sensitive personal data protection
  • IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — governing intermediary obligations
  • Consumer Protection (E-Commerce) Rules, 2020 — governing e-commerce privacy obligations
  • TRAI TCCCP Regulations — governing consent for commercial communications

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be notified via email or in-app notification at least 14 days before they take effect. Continued use of the platform after the effective date constitutes acceptance of the updated Policy.

16. Contact Us

  • Privacy queries: hello@motherbot.io
  • Grievances: hello@motherbot.io
  • Legal: hello@motherbot.io