Privacy Policy
Last updated: December 25, 2025
1. Introduction
ChartBox ("we", "our", or "us") is committed to protecting your privacy and complying with India's Digital Personal Data Protection Act, 2023 (DPDP Act). This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Service.
2. Data Controller and Processor
You are the Data Fiduciary (Controller): When you use ChartBox, you remain the data fiduciary for your end customers' personal data.
ChartBox is the Data Processor: We process personal data on your behalf according to your instructions and in compliance with the DPDP Act.
3. What Data We Collect
3.1 Account Information
- Your email address (used for account creation and login)
- Organization name
- WhatsApp platform provider (Wati or Interakt)
- Webhook configuration details
3.2 Conversation Data (from Webhooks)
- Customer phone numbers (encrypted at rest using AES-256)
- Message content (text, media metadata; automatically deleted after the retention period)
- Message timestamps
- Agent identifiers (names, IDs from your platform)
- Conversation status and metadata
3.3 Usage Data
- Login activity
- Feature usage patterns
- System performance metrics
4. How We Use Your Data
We use collected data to:
- Provide the ChartBox Service (analytics, reports, visualizations)
- Detect conversation leakage patterns
- Generate Ghost Reports and funnel analytics
- Calculate revenue estimates and agent performance metrics
- Maintain and improve the Service
- Comply with legal obligations
5. Data Security Measures
We implement multiple layers of security:
- Encryption at Rest: All customer phone numbers are encrypted using AES-256-GCM before storage
- Row-Level Security (RLS): Strict database isolation ensures your data cannot be accessed by other organizations
- Webhook Authentication: HMAC signature verification (Interakt) and secret-based validation (Wati)
- Secure Transmission: All data transmitted over HTTPS/TLS
- Access Controls: Limited access to production systems with audit logging
6. Data Retention and Deletion
6.1 Message Content
Message content is automatically hard-deleted based on your configured retention period (default: 30 days, configurable 1-365 days). This deletion is permanent; deleted content cannot be recovered.
6.2 Conversation Metadata
Conversation metadata (timestamps, status, agent assignments) is retained for reporting and analytics purposes. Customer identifiers remain encrypted.
6.3 Account Termination
Upon account termination, all message content is immediately deleted. Conversation metadata is retained for 30 days for compliance purposes, then permanently deleted.
7. Data Sharing and Third Parties
We do not sell your data. We only share data in limited circumstances:
- Supabase (Infrastructure Provider): Database hosting with encryption and RLS enforcement
- Vercel (Hosting Provider): Application hosting with no access to encrypted data
- Legal Requirements: If required by Indian law or valid legal process
We do not share data with analytics providers or advertising platforms.
8. Your Rights Under the DPDP Act
You have the following rights regarding your data:
- Right to Access: Request a copy of your data
- Right to Correction: Correct inaccurate data
- Right to Erasure: Request deletion of your data (subject to legal retention requirements)
- Right to Data Portability: Export your data via the CSV export feature
- Right to Grievance Redressal: File complaints about data handling
To exercise these rights, contact us at contact@chartbox.in.
9. Children's Privacy
ChartBox is a B2B service not intended for children under 18. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately.
10. International Data Transfers
Your data is stored in India on Supabase infrastructure. We do not transfer data outside of India without your explicit consent and appropriate safeguards.
11. Data Breach Notification
In the event of a data breach that compromises your personal data, we will notify you within 72 hours as required by the DPDP Act. We will also notify the Data Protection Board of India if required.
12. Cookies and Tracking
ChartBox uses minimal cookies for authentication and session management. We do not use third-party tracking cookies or advertising networks. You can manage cookies through your browser settings.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or through the Service. Continued use after changes constitutes acceptance.
14. Contact and Grievance Officer
Data Protection Officer:
ChartBox Data Protection Team
Email: contact@chartbox.in
Grievance Redressal:
For complaints about data handling, contact our Grievance Officer at contact@chartbox.in. We will respond within 15 days as required by the DPDP Act.
15. DPDP Act Compliance Statement
ChartBox is designed to comply with the Digital Personal Data Protection Act, 2023. We implement:
- Purpose limitation (data used only for agreed analytics)
- Data minimization (only necessary data collected)
- Storage limitation (configurable auto-delete)
- Reasonable security safeguards (encryption, RLS, access controls)
- Transparency in data processing
- Accountability mechanisms