Privacy Policy
Last updated: 15 April 2026
TwaBot ("we", "us", or "our") operates the website twabot.com and the TwaBot platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
1. Information We Collect
1.1 Account Information
When you register, we collect your name, email address, business name, industry, and password (stored in hashed form). We never store your password in plain text.
1.2 WhatsApp Business Data
When you connect your WhatsApp Business number, we process incoming and outgoing messages through the WhatsApp Business API to provide AI-powered responses. Message content is stored in our database to maintain conversation history and improve your bot's performance.
1.3 Payment Information
Payment processing is handled by Razorpay, a PCI DSS-compliant payment gateway. We do not store your credit card, debit card, or UPI details on our servers. We only store transaction IDs and payment status for record-keeping.
1.4 API Keys
If you provide your own OpenAI or Google Gemini API key, it is encrypted with AES-256 before storage. We never access, share, or use your API key for any purpose other than processing your AI requests.
1.5 Usage Data
We automatically collect information about your usage of the platform, including message counts, AI call counts, broadcast statistics, login times, and browser/device information, for analytics and service improvement.
1.6 Reconfiguration Audit Data
When you change ("reconfigure") the WhatsApp Business number attached to your account, we create an audit record containing:
- The timestamp of the change and the user account that initiated it
- The IP address and browser user-agent of the device that submitted the request
- A before/after snapshot of the previous and new phone number, phone-number-id, WABA id, and display name
- The reason you selected (e.g., "number restricted", "lost number", "business change") and any optional note you provided
- The outcome of the reconfigure attempt (pending, in-progress, completed, or failed with error code)
This data is required to comply with Meta's Tech Provider obligations, to resolve disputes about unauthorized number changes, and to enforce our abuse-prevention cooldown. It is retained for 3 years from the date of the reconfigure and may be disclosed to Meta or to law-enforcement authorities if a specific and lawful request is made. You consent to this collection and retention each time you initiate a reconfigure.
2. How We Use Your Information
- To provide, maintain, and improve the TwaBot platform
- To process AI-powered responses to your WhatsApp customers
- To send broadcast messages on your behalf
- To process your subscription payments
- To send you service-related notifications (subscription expiry warnings, receipts)
- To provide customer support
- To detect, prevent, and address technical issues or abuse
3. Data Security
We take data security seriously and implement the following measures:
- Encryption: AES-256 encryption for sensitive data (API keys, tokens)
- Authentication: Session-based authentication with HTTP-only secure cookies
- Password Security: Bcrypt hashing with salt rounds
- Input Protection: Input sanitisation, XSS prevention, and SQL injection protection
- Rate Limiting: API rate limiting to prevent abuse
- Isolation: Each business has a completely isolated data environment
4. Data Sharing
We do not sell, rent, or share your personal data or your customers' WhatsApp conversation data with any third party for marketing purposes. We share data only with:
- Meta (WhatsApp): Message delivery through the WhatsApp Business API
- OpenAI / Google: Message content sent to AI providers for generating responses (as per your chosen AI provider)
- Razorpay: Payment processing only
- Law Enforcement: If required by law or to protect our legal rights
5. Data Retention
We retain your account data and conversation history for as long as your account is active. Broadcast recipient details older than 90 days may be automatically cleaned up. Reconfiguration audit records (section 1.6) are retained for 3 years independent of account deletion, as they constitute compliance evidence required by Meta. When you delete your account, we will delete your personal data within 30 days, except where retention is required by law.
6. Your Rights
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and data
- Export your conversation data
- Withdraw consent for data processing
To exercise any of these rights, contact us at support@twabot.com.
7. Cookies
We use essential cookies only — specifically an HTTP-only authentication cookie for maintaining your login session. We do not use advertising or tracking cookies.
8. Children's Privacy
TwaBot is designed for business use and is not intended for anyone under the age of 18. We do not knowingly collect data from minors.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on our platform. Continued use of the service after changes constitutes acceptance of the updated policy.
10. Contact Us
If you have questions about this Privacy Policy, please contact us:
Email: support@twabot.com
Website: twabot.com