1. Introduction
This Privacy Policy explains how Varox AI ("VaroxAI", "we", "us", or "our") handles personal data in connection with the VaroxAI platform, available at varoxai.com and app.varoxai.com (together, the "Service"). VaroxAI is an AI-powered CRM and customer-engagement platform built on the official WhatsApp Business API, offering a shared team inbox, AI-powered auto-replies via customer-configured webhooks, contacts, sales pipelines, broadcasts, message templates, and no-code automations.
This policy covers our entire Service — the marketing website, the web application, and all related features — not just visitors to our website.
Our dual role. For personal data about our own account holders, VaroxAI acts as a data controller. For the end-customer WhatsApp data that our customers process using the Service, VaroxAI acts as a data processor on the customer's instructions (see Section 12).
If you have any questions about this policy, contact us at +91 82002 92304. Effective date: 2 July 2026.
2. Data we collect
We collect the following categories of personal data:
(a) Account holders
Data you provide when you create and use a VaroxAI workspace: your name, email address, phone number, company name, billing and payment information, and login credentials (passwords are stored only as salted hashes). This also includes workspace settings, teammate roles, and invitations you send.
(b) End-customer WhatsApp data (processed on our customers' behalf)
When our customers connect their WhatsApp Business account, we process data about the people they message: phone numbers, WhatsApp profile names, message content, and media (images, documents, voice notes), along with CRM data our customers add such as tags, notes, custom fields, and pipeline/deal data. We process this data solely to provide the Service to our customer (see Section 12).
(c) Technical data
Collected automatically when you use the Service: IP address, device and browser information, cookies and similar identifiers, and usage logs (such as pages viewed, features used, and timestamps). See Section 10 for cookies.
3. How and why we use data
We use personal data for the purposes below, each supported by a legal basis under applicable law (including the GDPR):
- To provide and operate the Service — creating your account, delivering the inbox, CRM, automations, and broadcasts. Legal basis: performance of a contract.
- To process payments and manage billing. Legal basis: performance of a contract; legal obligation.
- To secure the Service — fraud prevention, abuse detection, and troubleshooting. Legal basis: legitimate interest.
- To improve and develop features using aggregated or de-identified usage data. Legal basis: legitimate interest.
- To send service and marketing communications. Legal basis: legitimate interest for service messages; consent for marketing, which you can withdraw anytime.
- To build or augment contact profiles. We obtain valid consent before building or augmenting user profiles where required. Legal basis: consent.
We never sell your personal data — not account-holder data, and not the end-customer data we process on our customers' behalf.
4. AI webhook flow
A core feature of VaroxAI is automatic AI replies. If a customer enables this, they configure a webhook URL pointing to a third-party AI endpoint of their choice (for example, an endpoint they build on OpenAI, Anthropic Claude, Google Gemini, or a custom model).
When AI replies are enabled, inbound WhatsApp message content — and related context such as the sender's phone number and profile name — is forwarded from our system to that customer-configured AI endpoint so it can generate a reply. This means message content leaves VaroxAI's systems and is transmitted to the third-party endpoint.
The customer chooses and controls their AI provider. The customer is solely responsible for that provider's data handling, security, and compliance, including any terms and privacy practices of the chosen AI service. VaroxAI does not control how a third-party AI endpoint stores or uses the data it receives.
6. International data transfers
VaroxAI is based in India and serves customers globally. As a result, personal data may be transferred to, stored in, or processed in countries other than the one in which you are located, including India and countries where our sub-processors operate.
Where we transfer personal data from the European Economic Area, the United Kingdom, or other regions with data-transfer restrictions, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) or equivalent mechanisms.
7. Data retention & deletion
We retain personal data only for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.
When a user deletes their account, we delete that user's data from our active systems, subject to limited retention where required by law (for example, financial records) or where data is held briefly in backups that are cycled out on a routine schedule. Customers can also delete individual contacts and conversations within the Service.
8. Data security
We use industry-standard measures to protect personal data, including encryption in transit (TLS) and at rest, role-based access controls (Owner, Admin, Agent, and Viewer roles with granular permissions), and restricted internal access on a need-to-know basis. No method of transmission or storage is completely secure, but we work continuously to protect your data and to promptly address any vulnerabilities.
9. Your rights
Depending on where you live, you may have the right to access, correct, delete, port, or object to the processing of your personal data, and to withdraw consent at any time. These rights are provided under laws including the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and India's Digital Personal Data Protection Act, 2023 (DPDP Act).
- GDPR (EU/UK): rights of access, rectification, erasure, restriction, portability, and objection; the right to lodge a complaint with a supervisory authority.
- CCPA/CPRA (California): the right to know, delete, and correct personal information, and to opt out of "sale" or "sharing" — note that we do not sell personal data.
- DPDP Act (India): rights to access, correction, and erasure, the right to grievance redressal, and the right to nominate.
To exercise any of these rights, call or message us at +91 82002 92304. If your request relates to end-customer WhatsApp data, we may direct you to the relevant customer (the controller of that data) and assist them in responding. We will respond within the timeframes required by applicable law.
11. Children's data
The Service is intended for businesses and is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us at +91 82002 92304 and we will take appropriate steps to delete it.
12. Controller vs processor
For personal data about our own account holders, VaroxAI is the data controller and determines how and why that data is processed.
For the end-customer WhatsApp data that our customers manage using the Service (phone numbers, profile names, message content, media, tags, notes, and deal data), our customer is the data controller and VaroxAI is the data processor. We process that data only on the customer's documented instructions and as needed to provide the Service, under a data processing agreement where applicable.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify you through the Service. Your continued use of the Service after an update means you accept the revised policy.
14. Contact us
If you have questions, requests, or complaints about this policy or your personal data, contact: