Privacy Policy

Wque (“Wque,” “we,” “us,” “our”) is committed to protecting your privacy. This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and the rights and choices you have.

This policy applies to information collected through wque.chat, the Wque dashboard at app.wque.chat, our REST APIs at api.wque.chat, and any other product, page or communication that links to this policy (collectively, the “Services”).

By using the Services you confirm that you have read and understood this policy. If you do not agree, please do not use the Services.

Wque is an Indian Software-as-a-Service company operating a WhatsApp Business API, marketing automation and OTP delivery platform. Our Services route customer messages through WhatsApp’s Cloud API to deliver WhatsApp communications and OTPs.

For the purposes of the Digital Personal Data Protection Act, 2023 (India) (“DPDP Act”) and, where applicable, the EU/UK General Data Protection Regulation (“GDPR”):

• We act as a Data Fiduciary / Controller for information about our customers, prospects and website visitors (e.g. signup details, billing data, support correspondence).
• We act as a Data Processor / Processor for the message content and recipient data that customers send through our platform to their own end-users.

This policy describes our general practices. Specific products, integrations or regions may have additional notices that supplement this policy. Where you are an end-user receiving WhatsApp messages from a Wque customer, the customer (the sender you communicated with) is the controller of your personal data. Please contact that customer for questions about the messages you receive.

We collect information in three broad ways:

4.1 Information you give us

• Account & identity: account type (Individual or Company), full name or business name, contact name, company size, email address, WhatsApp phone number (verified by OTP), and a password / session token.
• KYC & verification: for Individual accounts — PAN and Aadhaar reference details; for Company accounts — Company PAN, TAN, and AOA / MOA. We use this to comply with WhatsApp / Meta onboarding requirements and applicable Indian regulations.
• Billing & payments: billing name, address, GSTIN (where applicable), invoice history and payment method metadata. Card / UPI / NetBanking credentials are processed directly by our payment partners and are never stored on our servers.
• Customer-provided content: message templates, campaigns, contact lists, media files, webhook URLs, API keys, and any data you submit through the dashboard or API.
• Support & communications: emails, chat transcripts, WhatsApp messages and call notes when you contact us.

4.2 Information we collect automatically

• Usage data: dashboard activity, API request metadata (timestamp, endpoint, status code, latency), feature usage, and audit logs of administrative actions.
• Message metadata: for every WhatsApp message routed through Wque we store sender / recipient phone numbers in E.164 format, template ID, message type (marketing, utility, OTP, custom), delivery status, Meta message ID, error codes and timestamps. Where required for debugging and compliance we may retain a copy of the rendered message body.
• Device & network: IP address, browser type and version, operating system, device identifiers, language, time zone and the referring URL.
• Cookies & local storage: see Section 13.

4.3 Information from third parties

• Meta / WhatsApp: message delivery receipts, template approval status, business verification status, phone number quality rating and policy enforcement notices.
• Payment providers: transaction status, reference IDs and limited masked payment metadata from UPI, NetBanking and card gateways we integrate with.
• Identity-verification partners: KYC outcomes (passed / failed) and limited verification metadata used to satisfy onboarding checks.
• Public sources: publicly available business registry data (for example, company name, registered address) used to enrich account profiles or fight fraud.

We use personal data for the following purposes:

• Provide the Services: create and manage accounts, authenticate users, deliver WhatsApp messages and OTPs, route webhooks, apply rate limits and serve the dashboard.
• Billing & credit accounting: meter usage against your wallet, deduct credits, generate invoices, process payments and detect billing fraud.
• Compliance: KYC, anti-money-laundering, WhatsApp Business Policy and Meta’s Commerce / Messaging Policy enforcement, responding to lawful government requests, and protecting against abuse, spamming or impersonation.
• Reliability & security: monitor uptime, diagnose incidents, investigate security events and maintain audit logs.
• Product analytics: understand which features customers use so we can improve them. We aggregate or pseudonymise this data wherever practical.
• Customer communications: service notices (uptime, security, billing), product updates and, where you have opted in, newsletters and marketing.
• Sales & support: respond to enquiries, schedule demos, set up your workspace and provide ongoing assistance.

Where the GDPR or comparable laws apply, we rely on the following legal bases to process personal data:

• Performance of a contract — to provide the Services you signed up for.
• Legitimate interests — to operate, secure and improve the Services, prevent fraud, and run our business. We balance these interests against your privacy rights.
• Consent — for optional processing such as marketing emails, non-essential cookies and certain integrations. You can withdraw consent at any time.
• Legal obligation — to comply with applicable laws, regulations, court orders and tax / accounting requirements.

Under the DPDP Act, we process your personal data under the lawful grounds of consent, performance of contract, compliance with law, and legitimate uses permitted by the Act.

We do not sell your personal data. We share it only as described below:

• With Meta / WhatsApp as necessary to send messages on your behalf via the WhatsApp Business Cloud API and to provision business / phone-number assets.
• With sub-processors that help us run the platform (hosting, payments, KYC, email, analytics — see Section 8). These providers are contractually bound to confidentiality and limited use.
• With your authorised users — team members you invite to your Wque workspace will see information you have shared with the workspace.
• With professional advisors such as auditors, lawyers and accountants under appropriate confidentiality obligations.
• For legal reasons when we believe in good faith that disclosure is necessary to comply with law, enforce our terms, protect against fraud, or protect the rights, property or safety of Wque, our users or the public.
• In a business transaction such as a merger, acquisition, financing or sale of assets — subject to standard confidentiality protections and continued application of this policy.

We engage carefully selected sub-processors to help operate the Services. Our current key sub-processors include:

We update this list as we add or replace providers. For an up-to-date list or to be notified of changes, email hello@wque.chat.

Wque is headquartered in India and primarily processes data on infrastructure located in India and Singapore. Some sub-processors (for example Meta, Cloudflare and our email providers) may process data in the United States, the European Union or other regions.

Where we transfer personal data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses, the data-importer’s adequacy certifications, or other recognised transfer mechanisms.

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer period is required by law:

• Account data — for the life of your account and up to 36 months after closure to satisfy tax, audit and dispute-resolution requirements.
• Message metadata (status, error codes, timestamps) — 12 months by default. You may request shorter retention via written agreement.
• Rendered message bodies — up to 90 days for debugging and abuse investigations, then purged unless a legal hold applies.
• Billing records & invoices — 8 years, as required by Indian tax and accounting regulations.
• Security & audit logs — 12 months.
• Backups — rolling 30-day encrypted backups; deleted personal data is purged from backups within this window.

We take security seriously and apply industry-standard administrative, technical and physical safeguards, including:

• TLS 1.3 in transit and AES-256 at rest.
• Role-based access control with principle-of-least-privilege; SSO, 2FA and optional SCIM provisioning on eligible plans.
• Secrets vaulted, API keys hashed at rest and rotatable from the dashboard; webhooks signed with HMAC-SHA256.
• Network isolation, firewalls, rate limits and abuse / fraud detection.
• Regular vulnerability scanning, third-party penetration tests and an industry-standard secure-development lifecycle.
• SOC 2 Type II programme; ISO/IEC 27001 alignment in progress; PCI-DSS scope kept minimal by relying on tokenising payment processors.

No system is impenetrable. If you believe your account has been compromised or you discover a vulnerability, please email security@wque.chat immediately.

Subject to applicable law (including the DPDP Act and the GDPR), you have the following rights with respect to your personal data:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct inaccurate or incomplete data.
• Erasure — request deletion of your personal data, subject to legal retention requirements.
• Restriction & objection — ask us to pause certain processing or object to processing based on legitimate interests.
• Portability — receive your data in a structured, commonly used and machine-readable format.
• Withdraw consent — where we rely on consent, you can withdraw it at any time. This does not affect the lawfulness of processing carried out before withdrawal.
• Nominate — under the DPDP Act, you may nominate another individual to exercise your rights in the event of your death or incapacity.
• Complain — lodge a complaint with the Data Protection Board of India or, where applicable, your local supervisory authority.

To exercise any of these rights, email privacy@wque.chat from the address associated with your account. We will respond within the timeframes prescribed by applicable law (typically within 30 days).

We use a small number of cookies and similar technologies to keep the Services working:

• Strictly necessary — session cookies for authentication, CSRF protection and load balancing.
• Preferences — local storage for remembering your dashboard settings (theme, table layouts, last-used filters).
• Analytics — aggregated, pseudonymised product analytics to understand feature usage. We avoid third-party advertising cookies on the marketing site.

You can control cookies via your browser settings. Disabling strictly-necessary cookies may break parts of the dashboard.

The Services are intended for use by businesses and adults aged 18 or older. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact privacy@wque.chat and we will take appropriate steps to delete it.

We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date at the top of this page and, where appropriate, notify you in-product or by email. Your continued use of the Services after the changes take effect constitutes your acceptance of the updated policy.

In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDP Act, 2023, the contact details of our Grievance Officer / Data Protection Officer are:

For any privacy-related question or request, contact us at:

• Email: privacy@wque.chat
• General: hello@wque.chat
• WhatsApp: +91-7028720372
• Address: Bengaluru, Karnataka, India