Last updated: 12 July 2026 · Effective: 12 July 2026
This policy explains what data UpGreat World Pvt Ltd. (“Convoup”, “we”, “us”) processes when you use our website and platform, why we process it, and the choices you have. It applies to convoup.com, app.convoup.com, and all related services operated by UpGreat World Pvt Ltd.
Data we collect and process
We collect and process the following categories of data:
- Account data — name, work email, mobile number, organisation name, industry, login credentials (hashed password), Google OAuth ID (if you sign in with Google), and profile avatar.
- Customer and conversation data — contacts (phone numbers, names, email addresses, company names, custom fields), messages, media files, message templates, campaign data, and automation flows that you bring into the platform to communicate with your own customers.
- Usage and device data — log data, IP addresses (stored encrypted), browser type and version, device information, operating system, pages visited, features used, API call logs, and platform performance metrics.
- Session and authentication data — refresh tokens (hashed), user-agent strings, device identifiers, login timestamps, last-seen timestamps, failed login counts, and account lockout status.
- Billing and payment data — subscription plan, billing cycle, payment history, and payment identifiers processed through our payment provider. We do not store credit card numbers on our servers.
- Webhook and integration data — webhook subscriber URLs, webhook delivery logs, and OAuth tokens for third-party integrations stored encrypted.
- Meta and WhatsApp data — WhatsApp Business Account (WABA) IDs, phone number IDs, Meta user IDs, access tokens (stored encrypted), message delivery statuses, conversation categories, quality scores, and messaging limits.
- Communication data — support emails, contact form submissions, and customer satisfaction (CSAT) responses.
- Compliance and audit data — audit logs of account actions, opt-out/suppression records, and data deletion request history.
Cookies and similar technologies
We use the following cookies and local storage:
- Authentication cookies — httpOnly cookies to maintain your login session and store JWT access tokens. These are essential for the service to function and expire after 15 minutes (access token) or 7 days (refresh token).
- CSRF tokens — cookies used to protect against cross-site request forgery attacks. These are essential for security.
- Bot detection — used on our website contact form to prevent spam. Our bot-detection provider may set cookies as part of its process. See the provider’s privacy policy for details.
- Local storage — used to store UI preferences (theme, sidebar state) and session context (selected workspace, onboarding status) on your browser. No passwords or authentication tokens are stored in local storage.
We do not use advertising cookies or third-party tracking pixels on our website.
WhatsApp and Meta data
Convoup is built on the official Meta WhatsApp Cloud API. When you use the platform, we send and receive WhatsApp messages and related metadata through Meta’s systems on your behalf. For this data we act as a processor (service provider) on behalf of your business, which is the controller of the customer conversations you run through Convoup.
We process WhatsApp and Meta Platform data only to provide the service to you and strictly in accordance with Meta’s applicable terms, including the WhatsApp Business Messaging Policy, the Meta Platform Terms and the Developer Policies. We do not use this data for our own advertising, we do not sell it, and we do not share it except as needed to operate the service or as required by law.
How we use data
- To provide and operate the service described in our terms
- To authenticate users and prevent unauthorised access
- To secure the platform, detect fraud, and prevent abuse (including brute-force protection and rate limiting)
- To process billing and manage subscriptions
- To communicate with you about updates, support, and security notices
- To comply with legal obligations
Legal bases (GDPR)
Where GDPR or similar laws apply, we rely on the following legal bases:
- Contract performance — processing necessary to provide the service you signed up for.
- Legitimate interest — securing the platform, preventing fraud, and improving the service.
- Consent — where required (e.g., marketing communications).
- Legal obligation — retaining financial records for tax and accounting compliance.
Sharing and sub-processors
We share data with the sub-processors listed on our sub-processors page. We do not sell personal data. Data is shared only as follows:
- Meta Platforms, Inc. — to route WhatsApp messages through your WABA (see Meta’s Privacy Policy).
- Razorpay Software Pvt Ltd. — subscription billing and payment processing.
- Google LLC — OAuth authentication (if you sign in with Google).
- Cloud infrastructure and hosting providers — to operate and secure the platform.
- Transactional email providers — for account-related notifications (verification, password reset, security alerts).
Data retention
We retain your data for as long as your account is active or as needed to provide the service. Specifically:
- Account data — retained until you delete your account, then purged within 30 days.
- Customer and conversation data — retained while your WABA is connected, then deleted within 30 days of disconnection or account deletion.
- Billing records — retained for 7 years as required by Indian tax law.
- Audit logs — retained for 2 years for security and compliance purposes.
- Suppression records — retained indefinitely to prevent re-sending to opted-out numbers (required for WhatsApp compliance).
Security
We implement industry-standard security measures including encryption at rest for sensitive data, hashed password storage, HMAC-signed webhooks, role-based access control, CSRF protection, rate limiting, and TLS encryption in transit. See our security page for details.
Your rights
Depending on your jurisdiction you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate data.
- Deletion — request deletion of your personal data. See data deletion instructions.
- Portability — request your data in a structured, machine-readable format. Contact us at hello@convoup.com to request a data export.
- Objection — object to processing based on legitimate interest.
To exercise any of these rights, email hello@convoup.com. We will respond within 30 days.
International transfers
Your data may be processed in India, the United States, or the European Union depending on which sub-processor is used. Where data is transferred outside your jurisdiction, we rely on appropriate safeguards including standard contractual clauses where required by GDPR.
Children’s privacy
Our service is not directed to individuals under 18. We do not knowingly collect personal data from children.
Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect.
Contact
Questions about this privacy policy? Email hello@convoup.com or write to:
UpGreat World Pvt Ltd.
Welldone Tech Park, Sector 48
Gurugram – 122018, Haryana
India