Last updated: 14 July 2026 · Effective: 14 July 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between UpGreat World Pvt Ltd., operating as Convoup (“Processor”, “we”, “us”), and the customer entity that has registered an account on the Service (“Controller”, “you”). It applies whenever we process personal data on your behalf as part of providing the Service, including WhatsApp Business messaging, contact management, campaigns, and the team inbox. Where our Terms of Service or Privacy Policy conflict with this DPA on matters of data processing, this DPA controls.
You act as the Controller (or Processor, where you act on behalf of your own customers) for personal data you submit to or collect through the Service — including your contacts’ names, phone numbers, and message content. Convoup acts as a Processor (or Sub-processor, where applicable) and processes that data solely on your documented instructions, as given through your use of the Service’s features and configuration.
Subject matter: provision of a WhatsApp Business operations platform (API, inbox, CRM, campaigns, automations) built on the Meta WhatsApp Cloud API. Duration: for as long as you maintain an active account, plus the retention period described in Section 8. Purpose: to send, receive, store, and route WhatsApp messages and associated contact/conversation data on your behalf, and to provide analytics, automation, and support features you configure.
Data subjects: your end customers/contacts you message via WhatsApp, and your own team members with accounts on the Service.
Categories of personal data: contact name and WhatsApp phone number; message content and media (text, images, documents, voice notes); conversation metadata (timestamps, delivery/read status, assigned agent, labels); contact attributes you configure (e.g. order ID, custom fields); account and billing data for your team members. We do not intentionally process special categories of data (e.g. health, biometric) unless you choose to transmit it through message content, which you control.
Convoup shall:
You authorise Convoup to engage the sub-processors listed on our sub-processors page, which we keep current. Each is bound by data-protection obligations consistent with this DPA, and we remain responsible for their performance. We will provide notice via email or in-app notification before adding or replacing a sub-processor that materially changes how your personal data is processed, and you may object by contacting support within 14 days.
Personal data is primarily stored and processed in data centres serving the Indian market. Where data is transferred outside the country in which it was collected (including to the sub-processors listed on our sub-processors page), we rely on the sub-processor’s own compliance mechanisms (such as Standard Contractual Clauses, where applicable) and require contractual data protection commitments consistent with this DPA.
We maintain the technical and organisational measures described on our Security page, including encryption of data in transit (TLS) and at rest for sensitive fields (AES-256-GCM for stored access tokens), bcrypt-hashed passwords, HMAC-signed webhook verification, role-based access control with audit logging, and network-level access restrictions to production systems.
We retain personal data for as long as your account is active. Upon account closure, we delete personal data within 30 days, except where retention is required for legal, tax, or regulatory compliance, or to resolve disputes, as described in our Data Deletion Policy. You may request deletion of specific contact data at any time through the Service or by contacting support.
If we become aware of a breach affecting personal data we process on your behalf, we will notify you without undue delay and no later than 72 hours after becoming aware, with information reasonably available to us at the time regarding the nature of the breach, likely consequences, and measures taken or proposed to address it.
On reasonable written request, and no more than once per 12-month period (unless required following a security incident), we will provide you with information reasonably necessary to demonstrate compliance with this DPA, including relevant security documentation. On-site audits may be arranged by mutual agreement and at your cost.
Liability under this DPA is subject to the limitations of liability set out in our Terms of Service. This DPA remains in effect for as long as we process personal data on your behalf under the Terms of Service and terminates automatically upon completion of the deletion obligations in Section 8.
Questions about this DPA or to exercise data subject rights on behalf of your organisation, contact us via our contact page, call +91 98912 96555, or write to:
UpGreat World Pvt Ltd.