Privacy Policy
This Privacy Policy describes how ioappio collects, uses, stores, and protects information in connection with the ioappio WhatsApp automation platform. It applies to our Clients (businesses and organisations subscribed to ioappio) and to End Users (customers, patients, and contacts who interact with businesses via the Service).
Last updated: May 2026 · Applicable law: IT Act 2000, DPDP Act 2023, India
1. Who We Are
ioappio is a Software-as-a-Service platform that enables businesses to automate and manage customer communication via WhatsApp, built on Meta’s officially approved WhatsApp Business API.
For the purposes of Indian data protection law (including the Digital Personal Data Protection Act, 2023), ioappio acts as:
- Data Fiduciary in respect of data collected directly from Clients and website visitors (account registration data, billing details, support communications).
- Data Processor in respect of End User data (your customers’ or patients’ personal information) uploaded or processed on behalf of our Clients. In this role, ioappio processes data only under the instructions of the Client, who acts as the Data Fiduciary for their End Users.
Registered Address: Infopark Phase II, Kochi, Kerala, India – 682030
Email: support@ioappio.com
2. What Data We Collect
2.1 Data collected from Clients
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, business name, email address, phone number, role | Account creation, authentication, support |
| Billing & Payment | Invoice details, GST number, payment confirmation records | Subscription billing, financial records |
| Configuration Data | Schedules, workflows, business hours, message templates, staff details | Delivering the Service as configured |
| Usage & Analytics | Dashboard actions, feature usage frequency, session duration, error logs | Product improvement, support, abuse prevention |
| Support Communications | Email threads, WhatsApp messages to support, issue descriptions | Issue resolution, service improvement |
| Technical Data | IP address, browser type, OS, device type, timestamps | Security monitoring, fraud prevention |
2.2 Data processed on behalf of Clients (End User data)
As a data processor acting on Client instructions, ioappio may process the following categories of End User data:
- Name and contact information (phone number, email) of your customers or patients
- Appointment details, booking preferences, and scheduling history
- Message content exchanged via WhatsApp conversations managed through the platform
- Tags, notes, and CRM-style labels applied by Client staff
- Opt-in and opt-out consent records for messaging
ioappio does not collect or store diagnostic information, medical records, clinical notes, or sensitive health data as part of the standard platform unless explicitly contracted and architecturally designed for that purpose.
2.3 Data we do NOT collect
- Payment card numbers or bank account details (processed directly by payment gateway providers)
- Government-issued ID numbers (Aadhaar, PAN) unless expressly required and contracted
- Biometric data
- Precise real-time geolocation data
3. Legal Basis for Processing
ioappio processes personal data under the following legal bases as recognised under the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:
- Contractual necessity: Processing required to fulfil our obligations under the Terms of Service agreement with our Clients (e.g., account management, service delivery, billing).
- Legitimate interests: Processing necessary for our legitimate business interests where these are not overridden by the data subject’s interests (e.g., security monitoring, fraud detection, product analytics, improving Service reliability).
- Consent: Where required by law — for example, in respect of non-essential cookies, marketing communications to prospective clients, or processing sensitive personal data categories.
- Legal obligation: Where processing is necessary to comply with Indian law, including regulatory requirements, court orders, or law enforcement requests.
For End User data processed on behalf of Clients: the Client is responsible for establishing and maintaining an appropriate legal basis (typically consent or legitimate interest in a business context) for processing their End Users’ personal data through the platform.
4. How We Use Your Data
Service delivery
- Creating and managing your account and subscription
- Running automation workflows, appointment reminders, and notifications as configured
- Routing and managing WhatsApp conversations through the platform
- Processing billing, generating invoices, and managing subscription lifecycle
Support & operations
- Responding to support requests, bug reports, and implementation queries
- Diagnosing technical issues and reviewing error logs
- Onboarding new Clients and configuring the platform
Safety, security & compliance
- Detecting and preventing fraud, abuse, spam, and unauthorised access
- Monitoring for violations of our Acceptable Use Policy and WhatsApp Business Policy
- Maintaining audit trails and security logs
- Complying with applicable Indian law and regulatory requirements
Product improvement
- Analysing aggregated, anonymised usage patterns to improve platform features and reliability
- Conducting internal research and testing to enhance the Service
Communications
- Sending transactional notifications (billing, maintenance windows, security alerts)
- Sending product updates and feature announcements to active Clients (can be opted out)
⚠ ioappio will never use End User data (your customers’ or patients’ data) for ioappio’s own marketing, analytics, or any purpose other than delivering the Service to the Client whose account holds that data.
5. Data Sharing & Third-Party Processors
ioappio does not sell, rent, or trade personal data to third parties for commercial purposes. We may share data only in the following circumstances:
Sub-processors and service providers
ioappio engages trusted third-party service providers who process data on our behalf to support service delivery. These include:
| Processor Category | Purpose |
|---|---|
| Meta Platforms (WhatsApp Business API) | Transmission and delivery of WhatsApp messages |
| Cloud infrastructure providers | Hosting, storage, and computing infrastructure for the platform |
| Payment gateway providers | Processing subscription billing transactions |
| Email & communication tools | Transactional email delivery (billing, support notifications) |
| Analytics platforms | Aggregated, anonymised product analytics for platform improvement |
All sub-processors are bound by data processing agreements and are required to maintain appropriate security standards. ioappio remains accountable for their handling of personal data processed on our behalf.
Legal disclosures
We may disclose personal data if required to do so by:
- Valid court orders, legal process, or orders from Indian regulatory authorities
- Law enforcement requests where disclosure is required by applicable Indian law
- Situations where disclosure is necessary to protect the safety, rights, or property of ioappio, our Clients, or the public
Business transfers
In the event of a merger, acquisition, or sale of all or part of ioappio’s business assets, personal data may be transferred as part of that transaction. Affected Clients will be notified in advance of any such transfer that changes the identity of the Data Fiduciary or significantly changes how data is processed.
6. Data Retention
ioappio retains personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law:
| Data Category | Retention Period |
|---|---|
| Active Client account & configuration data | Duration of active subscription |
| End User data processed for Clients | Duration of active subscription + 30 days post-termination for export |
| Billing records & invoices | 7 years (Indian GST and accounting compliance) |
| Security & access logs | 12 months |
| Support communications | 3 years from resolution |
| Anonymised aggregated analytics | Indefinitely (no personal data retained) |
Upon account termination, Client data in active systems will be deleted within 30 days following the post-termination export window. Backups may take an additional 30 days to fully purge. Billing records are retained as required by Indian tax law regardless of account status.
7. Security Measures
ioappio implements technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. Our security practices include:
Technical measures
- Encryption in transit: All data transmitted between your browser/device and ioappio’s systems uses TLS 1.2 or higher
- Encryption at rest: Sensitive data stored on our infrastructure is encrypted at rest using industry-standard algorithms
- Access controls: Role-based access control (RBAC) limits data access to authorised personnel on a need-to-know basis
- Authentication: Multi-factor authentication is required for ioappio infrastructure and recommended for Client accounts
- Security monitoring: Continuous monitoring of systems for anomalous access patterns, intrusion attempts, and abuse
- Vulnerability management: Regular security patching, dependency updates, and vulnerability assessments
Organisational measures
- Background screening for personnel with access to production systems
- Confidentiality agreements with all team members and contractors
- Security awareness training for staff
- Incident response procedures for potential data breaches
⚠ No system connected to the internet can be guaranteed completely secure. Despite our safeguards, ioappio cannot warrant that data will never be subject to unauthorised access. In the event of a data breach affecting personal data, ioappio will notify affected Clients and relevant authorities as required by applicable Indian law and the DPDP Act, 2023.
8. Healthcare & Sensitive Personal Data
ioappio serves healthcare businesses including clinics, diagnostic centres, and healthcare providers. We recognise the heightened sensitivity of health-related data and apply additional care accordingly.
What we process in healthcare contexts
For healthcare Clients, the data processed through the platform typically includes appointment scheduling information, appointment reminders, and administrative communications between the clinic and patients. This is administrative data, not clinical or medical records.
ioappio does not, by default, process:
- Clinical notes, diagnoses, prescriptions, or treatment records
- Lab reports, imaging data, or test results
- Patient medical history or health conditions
If a Client chooses to include such information in message templates or conversation flows, this is the Client’s decision and responsibility, and the Client must ensure this complies with applicable healthcare data regulations.
Sensitive personal data
Under the DPDP Act, 2023 and the IT (SPDI) Rules, 2011, certain categories of data are classified as “sensitive personal data or information” including health data, financial information, and biometrics. ioappio handles any such data that appears within the platform with:
- Strict access controls limited to personnel with a legitimate need
- Encryption at rest and in transit
- Enhanced audit logging for access to sensitive data fields
- Minimisation principles — we collect and retain only what is necessary
Healthcare Client obligations
Healthcare Clients using ioappio are responsible for ensuring their use of the platform complies with the Clinical Establishments Act, applicable State Medical Council guidelines, the DPDP Act 2023, and any applicable National Health Authority guidelines including ABDM (Ayushman Bharat Digital Mission) requirements relevant to their operations.
9. Your Rights
Under the Digital Personal Data Protection Act, 2023 and applicable Indian law, individuals whose personal data we process have the following rights:
| Right | What it means |
|---|---|
| Right of Access | Request a summary of the personal data ioappio holds about you and how it is being used |
| Right to Correction | Request correction of inaccurate or incomplete personal data |
| Right to Erasure | Request deletion of your personal data where it is no longer necessary, or where you withdraw consent (subject to legal retention obligations) |
| Right to Nominate | Nominate another individual to exercise your data rights on your behalf in the event of death or incapacity |
| Right to Grievance Redress | Raise a complaint with ioappio’s Grievance Officer and, if not resolved, with the Data Protection Board of India |
For End Users (patients / customers of our Clients)
If you are an End User (for example, a patient of a clinic that uses ioappio) and wish to exercise your rights over personal data held by that business, you should contact the business (the Client) directly. The Client is the Data Fiduciary for your data. ioappio can assist the Client in fulfilling such requests but is not the primary point of contact for End User rights requests.
How to exercise your rights
Submit your request to our Grievance Officer at support@ioappio.com. We will acknowledge your request within 48 hours and aim to resolve it within 30 days. In complex cases we may request additional verification of identity before processing your request.
10. Cookies & Tracking
Website (ioappio.com)
The ioappio marketing website uses minimal cookies:
- Strictly necessary: Session management, theme preference storage (localStorage, not a cookie), and CSRF protection
- Analytics: Where we use any analytics tool, it is configured with IP anonymisation and data minimisation. We do not use cross-site tracking or fingerprinting
We do not serve third-party advertising cookies. We do not build advertising profiles using your browsing behaviour.
Platform (admin dashboard)
The ioappio dashboard uses session cookies essential for authentication and security. These are strictly necessary and cannot be opted out of while using the platform.
Managing cookies
You can control cookies through your browser settings. Disabling non-essential cookies will not affect your ability to use the core Service.
11. Children’s Data
The ioappio platform and marketing website are intended for use by businesses and are not directed at individuals under the age of 18. ioappio does not knowingly collect personal data from minors directly.
In healthcare contexts, Clients may process appointment data for minor patients (children). This is the Client’s responsibility as Data Fiduciary, and Clients must ensure appropriate parental or guardian consent is obtained as required by applicable law, including the DPDP Act, 2023, which requires verifiable parental consent before processing data of children.
If ioappio becomes aware that personal data of a minor has been inadvertently collected without appropriate consent, we will take steps to delete that data promptly. Please contact support@ioappio.com to report such concerns.
12. International Data Transfers
ioappio primarily processes and stores data on infrastructure located in India or in regions with adequacy determinations as notified by the Indian Government under the DPDP Act, 2023.
Some sub-processors (including Meta Platforms for WhatsApp message delivery, and cloud infrastructure providers) may process or route data through servers located outside India. Where such transfers occur, ioappio ensures that:
- The transfer is to a jurisdiction notified by the Central Government as providing adequate data protection, or
- Appropriate contractual safeguards (standard contractual clauses or equivalent data processing agreements) are in place with the sub-processor
Clients who have jurisdiction-specific data residency requirements should contact us before onboarding to confirm whether our infrastructure configuration meets those requirements.
13. No Sale of Personal Data
ioappio does not sell, rent, trade, or otherwise commercially exploit personal data of Clients or End Users.
Personal data processed through the platform is used exclusively to deliver, support, and improve the Service. We derive our revenue from subscription fees paid by our Clients, not from monetising user data.
End User data (your customers’ or patients’ information) belongs to the Client and will never be shared with other ioappio clients, used for ioappio’s own marketing, or disclosed to third parties for advertising purposes.
14. Updates to This Policy
ioappio may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or the Service. When we make material changes:
- We will update the “Last updated” date at the top of this page
- Active Clients will be notified by email or in-platform notification at least 14 days before material changes take effect
- For minor, non-material updates (such as clarifications or formatting), we may update the policy without individual notification
Continued use of the Service following notification of a policy update constitutes acceptance of the revised Privacy Policy. If you object to any change, you may terminate your subscription before the change takes effect.
The current version of this Privacy Policy is always available at ioappio.com/privacy.
15. Contact & Grievance Officer
For any questions, concerns, or requests related to this Privacy Policy, your data rights, or a data breach report, please contact our Grievance Officer at support@ioappio.com.
We will acknowledge your query within 48 hours and aim to resolve it within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India once established under the DPDP Act, 2023.