1. Who We Are

Vakoza is an AI receptionist service for Indian small businesses. When you use Vakoza, your business gets a 24/7 AI assistant that answers customer enquiries and books appointments across WhatsApp, a website chat widget, and a self-service booking page (and voice calls where available).

This policy applies to vakoza.com and the Vakoza app. For questions, contact us at hello@vakoza.com.

2. What Data We Collect

Business owner data (you):

• Name, email address, phone number
• Business name, type, and operating hours
• Services and pricing information you provide
• Google Calendar connection (if you choose to connect)

Your customers' data (collected by your AI agent):

• Name and phone number (required to book appointments)
• Appointment date, time, and reason for visit
• Conversation transcripts from WhatsApp, website chat, and (where enabled) voice calls

Technical data:

• IP addresses (for rate limiting and security)
• Browser and device type
• Usage logs (for debugging and service improvement)

3. Why We Collect It

• To provide the service — your AI agent needs your business info to answer customer queries correctly
• To book appointments — customer name and phone are required to create calendar entries
• To send notifications — we alert you when a new appointment is booked
• To handle billing — subscription and payment records
• To improve the service — anonymised usage patterns help us make Vakoza better

4. Who We Share Data With

We never sell or rent your data, and we never use it for advertising. We share data only with the service providers ("sub-processors") needed to run Vakoza — each acting under our instructions and bound by their own data-protection terms:

• Supabase — database and login/authentication
• Railway — application hosting
• Google (Gemini) — the AI that powers website-chat replies; messages a visitor sends in the chat are processed by Google to generate a response
• Google Calendar — appointment syncing (only if you connect your calendar)
• ElevenLabs — AI voice/conversation engine (processes audio and transcripts; used for voice and, where enabled, WhatsApp)
• Meta Platforms (WhatsApp Business Platform) — when you connect your WhatsApp Business number, customer messages flow through Meta's WhatsApp Business Platform so your AI can reply (see below)
• Resend — transactional email (signup alerts, trial reminders, weekly summaries)
• Cashfree Payments / UPI — payments and subscription billing (Indian payment rails); we never see or store your card or bank credentials
• Twilio — telephony for voice/SMS where used (legacy)

WhatsApp & Meta Platform data. If you connect your WhatsApp Business number, Vakoza receives the messages your customers send to that number, together with the contact's name and phone number, solely to operate your AI receptionist — to reply, book appointments, and send reminders. We use this data only to provide the service to you; never for advertising, resale, or building profiles. We handle it in line with Meta's WhatsApp Business and Platform terms, and you can disconnect WhatsApp or request deletion at any time (see Section 6).

Cross-border processing. Some sub-processors (notably our AI and email providers) process data on servers outside India. Where that happens, we rely on the cross-border-transfer provisions of the DPDP Act 2023 and on each provider's contractual data-protection commitments. We do not transfer data to any country restricted by the Government of India.

5. Data Retention

• Appointment records — retained for 2 years, then deleted
• Conversation transcripts — retained for 90 days, then purged
• Account data — retained while your account is active; deleted within 30 days of account closure
• Billing records — retained for 7 years as required by Indian tax law

6. Your Rights Under the DPDP Act 2023

Under India's Digital Personal Data Protection Act 2023, you have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — ask us to correct inaccurate data
• Erasure — request deletion of your personal data (we will comply within 30 days, except where retention is legally required)
• Grievance redressal — raise a complaint with us; we will respond within 7 business days

To exercise any of these rights, email hello@vakoza.com with the subject line "Data Request".

7. Your Customers' Rights

As a Vakoza user, you are a Data Fiduciary under the DPDP Act for your customers' data. You are responsible for:

• Informing your customers that an AI agent handles their initial enquiries
• Honouring any data deletion requests from your customers

If your customer contacts us directly for data deletion, we will delete their data from Vakoza's systems and notify you.

8. Security

We take security seriously:

• All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Database access is protected by Row Level Security (RLS) — each client can only see their own data
• Webhook endpoints use HMAC secret validation to prevent unauthorised access
• We do not store raw payment card details — all payments are handled by Cashfree

9. Cookies

We use only functional cookies — specifically, Supabase Auth uses a session cookie to keep you logged in. We do not use advertising cookies or third-party tracking.

10. Children's Privacy

Vakoza is a B2B service intended for business owners. We do not knowingly collect data from anyone under the age of 18.

11. Changes to This Policy

If we make material changes to this policy, we will notify you by email at least 14 days before the changes take effect. Continued use of Vakoza after that date constitutes acceptance.

12. Contact

For any privacy-related questions or requests:

• Email: hello@vakoza.com
• Subject line: "Privacy" or "Data Request"
• We respond within 7 business days