PRIVACY POLICY

ZöTok Technologies Private Limited (“ZöTok”, “we”, “our”, “us”) is committed to protecting your data and ensuring full transparency in the handling of your information. As India's first network CRM for conversational commerce using GenAI on WhatsApp, ZöTok supports end-to-end order-to-cash automation, marketing communication, and supply chain coordination between sellers, buyers, and sales teams.

This Privacy Policy outlines how ZöTok collects, processes, stores, and shares information through our SaaS platform, mobile apps, and WhatsApp integrations. By using ZöTok, you consent to the practices described below.

1. Information We Collect

ZöTok collects various types of data to enable seamless operations, automation, and secure access to our services across web, mobile, and WhatsApp interfaces. This data is categorized as follows:

a. Business and Account Information

When a company or organization registers to use ZöTok, we collect critical information to verify and provision the account:

  • Business Name, Industry, GSTIN, PAN:
    These identifiers are used to establish the business identity for billing, tax documentation, compliance, and service eligibility under Indian regulatory requirements.
  • Primary Contact Details (Name, Email, Phone):
    Used to establish the account administrator, send onboarding instructions, communicate system updates, provide support, and enable secure account recovery processes.
  • Subscription Preferences and Chosen Modules:
    These include selected pricing tiers, enabled features (e.g., campaign manager, supply chain module), and platform usage configuration which dictate the scope of services delivered.
  • Assigned Roles and Permission Structures:
    When businesses onboard their teams, ZöTok allows defining role-based privileges such as “Seller Admin,” “Sales Executive,” “Support Agent,” or “Buyer.” These roles determine what sections of the platform each user can access or modify.

b. User-Level Data

Each individual who accesses the ZöTok platform as part of an organization has associated metadata:

  • Login Credentials (Hashed Passwords):
    We store passwords using industry-standard hashing algorithms to protect against unauthorized access. Credentials are not stored in plaintext under any circumstances.
  • Profile Data (Name, Contact, Role):
    User identification helps personalize the interface, manage activity logs, and track internal team performance (e.g., sales conversion, customer handling).
  • User Activity Logs and Permissions Set by the Company Admin:
    Logs capture what actions were performed, when, and by whom, which is essential for audit trails, compliance, and operational visibility.

c. Transactional and Operational Data

This is core data generated through the platform's commercial workflows and automation features:

  • Orders Placed by Customers (via WhatsApp, Web, or Mobile):
    Every order created through ZöTok—regardless of the interface—is recorded with timestamp, customer details, product SKUs, pricing, payment mode, and delivery preferences.
  • Invoices, Payments, Delivery Statuses, and ERP Sync Data:
    End-to-end transaction records including invoice generation, payment collection (partial or full), dispatch updates, and any automated sync events with ERP or accounting systems.
  • Inventory, Pricing, and Offer Data Configured by the Business:
    Businesses can upload catalogs, set pricing rules, discounts, or promotional offers. This data fuels product availability, order processing logic, and customer-facing conversations.

d. Communication and Messaging Data

ZöTok integrates tightly with Meta's APIs to enable conversational commerce. Data collected includes:

  • WhatsApp Message Logs (Text, Media, Templates):
    ZöTok facilitates sending and receiving messages through WABA (WhatsApp Business API). We store metadata (timestamp, message ID, direction, template ID), and store the message content only if configured by the business.
  • Campaign Responses through Click-to-WhatsApp Ads (CTWA):
    When a user clicks a WhatsApp ad and starts a conversation, ZöTok captures the interaction, campaign ID, ad parameters, and user response flow to attribute success and personalize conversations.
  • Bot Replies, Automated Workflows, and Chat Analytics:
    Includes triggers, fallback scenarios, user journey paths, auto-responses, escalation history, and aggregated metrics such as message count, response time, and user satisfaction signals.

e. Payment and Billing Data

To support secure transactions and transparent billing:

  • Payment Gateway Transaction References (UPI, Cards, Netbanking):
    ZöTok integrates with trusted gateways (e.g., Razorpay, PayU) to process payments. We store gateway-generated transaction IDs, payment statuses, and timestamps—but not sensitive card or UPI credentials.
  • Invoice History, Subscription Tier, Credit Usage:
    Every transaction on the platform (monthly fees, messaging charges, per-order costs) is reflected in an itemized billing log, visible to the admin with GST-compliant invoices.
  • Discounts, Coupons, and Promotional Codes Applied:
    ZöTok tracks usage of discounts for accounting and performance monitoring. This ensures accurate credit calculations and eligibility checks for future campaigns.

f. Technical Data and Metadata

For operational stability, diagnostics, and security:

  • Device Type, IP Address, OS, Browser, Timestamps:
    This data is captured at login and session start for threat detection, geo-tracking, device analytics, and security audits (e.g., to identify suspicious activity or brute-force attempts).
  • API Call Logs, SDK Integration Traces, System Diagnostics:
    Logs from integrations and embedded components (e.g., mobile SDK, APIs) help track request success/failure, measure latency, debug errors, and ensure seamless third-party connectivity.

2. Roles, Bot Access, and Integrations

ZöTok implements a comprehensive Role-Based Access Control (RBAC) system that enables organizations to securely manage user access and operational workflows. Each user is assigned a predefined role—such as Admin, Member, Order Manager, CRM User, Finance Manager, Catalogue Manager, or Order Operator—which governs their level of access to platform features, data, and actions. These roles control visibility and permissions across all interfaces, including web, mobile apps, and WhatsApp. The Seller Admin is responsible for assigning and managing roles to ensure proper segregation of duties and secure access to sensitive functions.

In addition to user access, ZöTok allows role-based configuration of bot functionalities. The bot can be enabled to perform specific automated tasks such as responding to customer queries, placing orders, updating payment or delivery status, or triggering follow-ups—based on permissions defined by the organization. Access to bot workflows can be restricted or extended according to team roles to prevent unauthorized automation.

ZöTok also provides secure integration capabilities with third-party systems such as ERPs, CRMs, accounting tools, and Meta's WhatsApp Business API. These integrations are governed by access tokens, API keys, and webhook permissions, and are restricted to users with appropriate roles and privileges. Only authorized users can initiate or modify integrations, ensuring data flows are managed securely and aligned with business policies. All role-based activities, bot actions, and integration events are logged and monitored for compliance, traceability, and audit readiness.

3. How We Use Your Data

ZöTok collects and processes data strictly to provide, operate, and enhance the services delivered through our SaaS platform. The data you provide—whether related to your business, users, customers, or system interactions—is used in the following ways:

  • Service Delivery and Account Management:
    We use your data to create and manage your organization's account on the ZöTok platform, facilitate secure login, configure features based on your subscription tier, and maintain ongoing access to the modules and services you've activated.
  • Automation of Business Processes:
    Your data powers automated workflows such as order-to-cash processing, lead management, payment follow-ups, delivery updates, and customer engagement campaigns. This includes enabling WhatsApp bots to execute predefined tasks and ensuring timely transactional communication across channels.
  • Role-Based Interfaces and Alerts:
    Based on the roles assigned to your users (e.g., Admin, Order Manager), ZöTok personalizes the platform experience by displaying relevant dashboards, performance metrics, and access-specific modules. System-generated alerts and notifications are sent to authorized users for important events like new orders, payment reminders, or integration failures.
  • Campaign and Communication Execution:
    Data is used to initiate and manage Click-to-WhatsApp Ads (CTWA), broadcast campaigns, and message flows using approved WhatsApp Business templates. This includes audience targeting, message sequencing, and campaign performance tracking.
  • Meta and Platform Integrations:
    We process your data to securely connect with Meta services like WhatsApp Business API (WABA), Ads Manager, and other third-party applications such as ERPs and CRMs. These integrations are necessary for syncing messages, product data, customer interactions, financials, and other operational information across your business systems.
  • Compliance and Legal Obligations:
    We retain and use data to generate invoices, track subscription usage, record messaging volume for Meta billing, and meet legal, tax, and regulatory requirements applicable to your business jurisdiction.

Important Note:
We do not use your data for any form of behavioral advertising, third-party marketing, or profiling unrelated to your use of the ZöTok platform. Your data is never sold, rented, or used outside the scope of providing and improving ZöTok services.

4. Integration with Meta & WhatsApp

ZöTok integrates with official services offered by Meta Platforms, Inc. to enable secure and scalable conversational commerce over WhatsApp. These integrations are essential to delivering seamless, real-time customer interactions, campaign automation, and messaging workflows.

  • WhatsApp Business API (WABA):
    ZöTok connects with Meta's WABA infrastructure to enable businesses to send and receive structured message types, including service messages (e.g., order confirmations), utility messages (e.g., delivery updates, payment links), and marketing messages (e.g., promotional broadcasts). This allows for a standardized, policy-compliant communication experience within the WhatsApp environment.
  • Click-to-WhatsApp Ads (CTWA):
    Businesses using ZöTok can launch and manage CTWA campaigns that redirect users from Facebook and Instagram ads into WhatsApp conversations. These conversations are initiated based on user consent and are typically routed through ZöTok's bot workflows or live agent interfaces for lead generation, order placement, or support.
  • Meta Ads Manager Integration:
    ZöTok supports integration with Meta Ads Manager to help businesses monitor ad performance, track campaign attribution, measure engagement, and optimize future messaging strategies. This connection ensures campaign data is mapped back to the ZöTok CRM and conversation logs for complete visibility.

All communication via Meta integrations is conducted in a secure, encrypted manner using TLS protocols. While message content is transmitted through the WhatsApp Business API, ZöTok does not retain raw chat transcripts by default. Only essential message metadata—such as template IDs, timestamps, delivery statuses, and user engagement—is stored to support campaign reporting and audit trails.

Raw message content or full conversation history is stored only when explicitly configured and approved by the organization, such as for compliance, quality monitoring, or CRM enrichment purposes.

Messaging-related charges incurred through Meta (for session messages, template initiations, or campaign traffic) are billed on actual usage, and reflected transparently in the ZöTok usage dashboard. Businesses can view their Meta billing consumption, associated campaigns, and channel-level metrics in real time.

Disclaimer:

ZöTok acts solely as a technology enabler and integration partner for Meta's WhatsApp Business API (WABA) and related services. We are not responsible for the approval, rejection, or delay in verification of your WhatsApp Business Account's display name or the issuance of the green checkmark (official business badge). These are entirely governed by Meta's internal review process, and approval is subject to Meta's eligibility criteria, brand verification policies, and business integrity checks. While ZöTok can guide you through the setup and submission process, the final decision and timeline rest with Meta.

5. Payment Gateways & Billing

ZöTok supports secure and transparent financial operations by integrating with trusted, PCI-DSS-compliant payment gateways. These gateways enable businesses to manage their subscriptions, add credit balances, and process service payments in a seamless and compliant manner.

All payments related to the ZöTok platform—including monthly fees, usage-based charges, and additional service costs—are handled through industry-standard, encrypted payment workflows. Users may complete transactions using various payment methods such as UPI, credit/debit cards, or net banking, including payments initiated through WhatsApp-based payment links provided as part of ZöTok's conversational commerce features.

ZöTok does not store or process any sensitive payment information (such as card numbers or CVV codes) on its own servers. Instead, all financial data is routed directly through certified third-party payment service providers that comply with the Payment Card Industry Data Security Standard (PCI-DSS).

Billing Model

ZöTok operates on a prepaid credit model, which provides flexibility and clarity for businesses of all sizes. Under this model:

  • Users must maintain a credit balance in their ZöTok account to access platform features and messaging services.
  • Charges are debited transparently from the prepaid balance based on actual usage.
  • Detailed usage reports and billing statements are accessible from the ZöTok dashboard in real time.

Charges Covered Under the Credit Model Include:

  • Monthly Platform Fees:
    Recurring subscription charges based on the selected plan and feature access.
  • Messaging Usage Charges:
    Pay-as-you-go costs for WhatsApp Business messaging (e.g., service, utility, and marketing templates), charged as per Meta's pricing structure.
  • Per-Order Processing:
    Additional charges incurred if the number of orders exceeds the predefined limit in the base plan.
  • Add-On Services:
    Costs associated with optional modules such as ERP/CRM integrations, advanced analytics, chatbot customizations, or third-party connectors.

All invoices, payment confirmations, and account statements are automatically generated and made available within the billing section of the ZöTok platform for transparency and audit readiness. Businesses can also configure email or WhatsApp alerts for low credit balances and invoice generation.

6. Data Security and Hosting

At ZöTok, protecting your data is a top priority. We implement enterprise-grade security practices and infrastructure standards to ensure that all business and customer information remains secure, confidential, and available when needed. The ZöTok platform is hosted on reliable, high-availability cloud infrastructure providers such as Amazon Web Services (AWS) and Microsoft Azure.

Key Security Measures Include:

  • Encryption at Rest and in Transit:
    All sensitive data is encrypted using modern cryptographic protocols. Information is protected both while being stored (at rest) and while being transmitted between systems (in transit) using TLS 1.2 or higher. This helps prevent unauthorized access during data exchanges and at storage endpoints.
  • Secure Authentication and Access Control:
    We utilize secure API keys, rotating access tokens, and OAuth 2.0 mechanisms to ensure that only authorized systems and users can access protected endpoints and integrations. Platform access is role-based and session-controlled to further limit unauthorized exposure.
  • Firewall Protection and Threat Detection:
    ZöTok employs cloud-level and application-level firewalls to block malicious traffic and protect against brute force attacks, denial-of-service attempts, and other cyber threats. Intrusion detection systems (IDS) are in place to monitor abnormal activity and trigger automated responses.
  • Automated Backups and Disaster Recovery:
    Encrypted backups of platform data are created on a regular basis, with copies stored in geo-redundant locations to ensure business continuity. In the event of a failure or outage, our disaster recovery procedures are designed to restore services quickly with minimal data loss.
  • Audit Logging and Traceability:
    Every user action on the ZöTok platform is logged with associated metadata including timestamps, IP addresses, and performed operations. These logs are crucial for auditing, accountability, security investigations, and compliance reporting.

ZöTok continuously evaluates and updates its security practices to stay aligned with the latest industry standards and evolving threat landscapes. By hosting on secure cloud environments and implementing multi-layered protections, we help ensure that your organization's operational and customer data remain safe, private, and compliant.

7. Data Ownership and Usage Rights

ZöTok respects and upholds your data sovereignty. All data processed on the ZöTok platform—whether operational, transactional, or conversational—remains the sole property of your organization. We act as a data processor on your behalf and access or use data only as required to deliver the services you have subscribed to.

Ownership and Control

  • All data generated by your organization—including orders, product catalogs, customer conversations, campaign workflows, pricing configurations, integrations, and team activity—is fully and irrevocably owned by you.
  • You retain complete control over your data, including access, modification, export, and deletion rights, subject to reasonable technical constraints.

Processor Commitments under Applicable Law

In compliance with GDPR (Art. 28) and the DPDP Act, India, ZöTok, as a data processor:

  • Processes your data only on documented instructions from you (the data fiduciary/controller)
  • Implements appropriate technical and organizational security measures
  • Assists you in responding to lawful access requests, audits, or user data requests
  • Ensures that any subprocessors (e.g., hosting or analytics providers) are contractually bound to the same data protection obligations

Restrictions on Use

  • ZöTok does not use your data—whether customer-related, transactional, or internal—for any purpose beyond the delivery and improvement of the ZöTok platform.
  • Your data is not shared, sold, or commercially exploited under any circumstances.

Use of Aggregated and Anonymized Data

We may internally process anonymized and aggregated data to:

  • Train machine learning (ML) or GenAI models
  • Improve platform scalability, performance, and recommendations
  • Generate non-identifiable analytics used for benchmarking and reliability enhancements

Such processing does not contain any personally identifiable information (PII) or confidential business data that can be linked back to you or your customers.

Use of Logos and Testimonials

ZöTok may use your organization's logo, name, or testimonials in case studies, presentations, or promotional material only with your prior written consent. You reserve the right to revoke this permission at any time via a written notice.

8. Data Sharing and Third Parties

ZöTok maintains a strong commitment to data confidentiality and does not sell, rent, or trade your business or customer data under any circumstance. We only share data with carefully vetted third parties when it is strictly necessary for service delivery, and always in accordance with applicable data protection regulations, including the GDPR, DPDP Act (India), and contractual data processing agreements.

Permissible Data Sharing Scenarios

Data may be shared with the following categories of third parties under tightly controlled and auditable conditions:

  • Meta Platforms, Inc. (WABA & CTWA):
    Data shared with Meta is limited to what is required for sending and receiving WhatsApp Business messages via the WhatsApp Business API (WABA) and executing Click-to-WhatsApp Ads (CTWA) campaigns. This includes message templates, campaign metadata, and approved sender profiles. All communication is secured and governed by Meta's platform policies and consent-based message flows.
  • Payment Gateways:
    We may transmit minimal transaction data—such as reference IDs, amounts, and order metadata—to PCI-DSS-compliant payment service providers to enable processing of subscription fees, top-ups, and service payments. ZöTok never accesses or stores your full payment credentials (e.g., card numbers, CVV, UPI pins).
  • ERP or CRM Integrations:
    Where explicitly enabled by your organization, ZöTok may exchange operational data with your internal ERP, CRM, or other third-party systems. This may include order data, inventory status, customer details, or payment updates. All integration flows are authenticated, logged, and controlled via secure APIs or webhooks.
  • Authorized Sub-processors:
    ZöTok may engage a limited number of cloud infrastructure providers, analytics tools, or backend processors to deliver core services. All such sub-processors operate under strict contractual obligations, including:
    1. Non-disclosure agreements (NDAs)
    2. Data Processing Agreements (DPAs)
    3. Compliance with ISO 27001, SOC 2, and applicable data privacy regulations

Safeguards and Compliance

Every third-party service ZöTok integrates with undergoes a security and compliance review. We ensure:

  • Data is transmitted securely using encryption protocols
  • Access is limited to the minimum data required for functionality
  • Sub-processors are located in jurisdictions with adequate data protection laws, or protected by standard contractual clauses (SCCs)

ZöTok maintains a list of current sub-processors and integration partners, which can be made available to clients upon request. Any material changes to our data-sharing practices are communicated in advance as part of our commitment to transparency and regulatory compliance.

9. Data Retention & Portability

ZöTok adheres to clearly defined data retention policies that align with legal, regulatory, and operational best practices. Data is retained only as long as necessary to fulfill the purposes outlined in this policy and to meet statutory requirements, after which it is securely deleted or anonymized.

Retention Periods by Data Category

  • Transactional and Billing Data:
    All order-related, invoicing, payment, and credit usage records are retained for a minimum of 7 years, in compliance with applicable tax laws, financial reporting standards, and audit obligations. This includes Meta messaging charge logs, invoice history, and subscription records.
  • Chat Metadata:
    Metadata associated with WhatsApp conversations—such as timestamps, sender/receiver info, message IDs, and bot interactions—is stored for up to 12 months by default. Retention settings may be extended or reduced based on your organization's compliance policies or regulatory requirements.
  • Account-Level Data and User Records:
    Upon formal contract termination and written request, ZöTok will deactivate and delete your account-level data, including user profiles, access logs, configurations, and custom workflows. This deletion process is completed within 90 calendar days unless a legal hold or active investigation prevents immediate removal.

Data Portability

In accordance with the Digital Personal Data Protection (DPDP) Act, India, GDPR, and other global data protection frameworks, you are entitled to request a portable copy of your data. This may include:

  • Orders and transactions
  • Customer conversation logs
  • Product and catalog data
  • Analytics and performance records

Such data will be made available in a structured, machine-readable format (e.g., CSV, JSON, or equivalent), and can be accessed via your organization's ZöTok dashboard or by submitting a formal request to our support team at privacy@zotok.ai.

ZöTok ensures that all retention and deletion actions are performed securely and verifiably, with appropriate safeguards to prevent data leaks or unauthorized access during archival or purging operations.

10. User Rights

ZöTok is committed to upholding your rights as a data subject or authorized business user in accordance with applicable data protection laws, including the Digital Personal Data Protection (DPDP) Act, India, the General Data Protection Regulation (GDPR, EU), and other global privacy frameworks.

As a registered organization or user of the ZöTok platform, you are entitled to the following rights:

  • Right to Access:
    You may access your account data, platform usage history, message logs, billing statements, and integration records at any time via the ZöTok Admin Dashboard. This includes visibility into team-level actions and configuration changes made by authorized users.
  • Right to Rectification:
    You have the ability to update or correct your user profile details, organization information, and team member access permissions directly through the platform. For changes requiring administrative overrides or support, our team will assist upon verification.
  • Right to Data Portability and Export:
    You may request a structured, machine-readable export of your organization's data, including but not limited to customer interactions, orders, campaigns, and configuration settings. This data will be securely transmitted in formats such as CSV, JSON, or XML.
  • Right to Erasure (Right to be Forgotten):
    You may request deletion of your account-level data and associated records upon contract termination or based on legal grounds. Subject to regulatory retention requirements and pending obligations, ZöTok will securely delete the requested data within a defined time frame (e.g., 90 days).
  • Right to Withdraw Consent:
    You may withdraw previously granted consent for receiving system alerts, marketing communications, product updates, or platform access at any time. Consent revocation may impact the availability of certain services, which will be communicated during the process.
  • Right to Restrict Processing (Where Applicable):
    In accordance with certain jurisdictions, you may request a temporary halt on data processing where there is a dispute about accuracy, lawfulness, or processing scope.

To exercise any of these rights, submit a request through your ZöTok Admin Panel or contact our Data Protection Office at:

📧 support@zotok.ai

Subject to verification and applicable legal constraints, we will respond to all valid requests within the statutory time limits defined by relevant regulations.

11. Children's Privacy

ZöTok services are designed for business use only. We do not knowingly collect data from individuals under 18 years of age.

13. Service-Specific Privacy Considerations

ZöTok supports advanced platform extensibility through APIs, integrations, and analytics connectors. If your organization chooses to activate certain extended services or third-party tools, additional data exchange flows may occur. These are governed under ZöTok's Integration and Data Flow Policy, which ensures all transfers are secure, logged, and compliant.

Specific scenarios include:

  • Custom Integrations via API Keys or Webhooks:
    When your organization uses custom API integrations or webhooks, data such as customer details, orders, event triggers, or status updates may flow to or from external systems. These interactions are authenticated, rate-limited, and encrypted, with access controlled by your organization.
  • Third-party CRM/ERP Synchronization:
    If ZöTok is integrated with third-party enterprise systems such as Salesforce, SAP, Zoho, Tally, or other ERP/CRM platforms, transactional or customer data may be shared bidirectionally to ensure operational consistency. These connections are secured by encrypted API credentials and can be monitored or revoked by the Admin.
  • Campaign Attribution via External Tools:
    For organizations using tools such as Meta Ads Manager, Google Analytics, or mobile attribution platforms, ZöTok may exchange campaign metadata (e.g., ad ID, UTM parameters, click source) to enable end-to-end attribution tracking. No personal customer data is shared unless explicitly configured.

In all such cases, ZöTok ensures that data processing is aligned with your organization's configuration, consent policies, and regional data protection requirements. We maintain full traceability and audit logs for all data movements related to integrations and external systems.

14. Changes to This Privacy Policy

ZöTok reserves the right to amend or update this Privacy Policy periodically to reflect evolving legal, regulatory, technological, or service-related changes.

  • Material changes—such as updates to data usage practices, integration scopes, or rights mechanisms—will be communicated in advance through official ZöTok channels including in-app banners, email notifications, or WhatsApp alerts to registered administrators.
  • The most current and authoritative version of this Privacy Policy is always available on our official website at:
    🔗 https://www.zotok.ai/privacy

Continued use of the ZöTok platform after such changes constitutes your acceptance of the updated terms.

15. Contact Us

If you have questions about this Privacy Policy, or would like to submit a data request, report a concern, or exercise your rights under applicable data protection laws, please contact our Data Protection & Compliance Team:

ZöTok Technologies Pvt. Ltd.
📧 support@zotok.ai
🌐 https://www.zotok.ai
📍 Survey 37, Kapil Kavuri Hub, Level 4, no.144, Financial District, Nanakramguda, Hyderabad, Telangana 500032

We are committed to addressing all privacy-related inquiries in a timely, secure, and transparent manner.
