Privacy Policy

Welcome to Dvaarik AI ("Dvaarik," "we," "us," or "our"). Dvaarik AI is an AI-powered receptionist platform operated from Hyderabad, Telangana, India. We are committed to protecting the privacy and security of all individuals and businesses that interact with our services.

This Privacy Policy explains how we collect, use, disclose, store, and protect your information when you visit our website at www.dvaarik.com, use our AI receptionist platform, or interact with our services in any way. This policy applies to business owners who subscribe to Dvaarik AI ("Business Users") as well as their customers who interact with our AI through WhatsApp or other channels ("End Customers").

By using our services, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use our services.

We collect the following categories of information:

We use your information for the following purposes:

1. Service Delivery: To provide and operate the Dvaarik AI receptionist, including processing bookings, handling customer conversations, collecting payments, and generating daily reports for your business.
2. Account Management: To create and maintain your account, process subscription payments, send invoices, and manage your business profile.
3. AI Training & Improvement: To train and improve the accuracy of our AI models for better language understanding, response quality, and booking accuracy. All training data is anonymized and aggregated.
4. Communication: To send you service-related notifications, daily business reports, appointment reminders, payment confirmations, and important updates about your account.
5. Analytics & Insights: To generate business analytics, track platform usage, identify trends, and provide you with insights about your business performance.
6. Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including tax and financial reporting requirements.

We process your personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) of India. Our legal bases for processing include:

• Consent: You provide explicit consent when you create an account, subscribe to our services, or submit information through our website or WhatsApp channel.
• Contractual Necessity: Processing is necessary to perform our obligations under our Terms of Service, including providing the AI receptionist service, processing bookings, and collecting payments.
• Legitimate Interests: We process data for legitimate business interests such as improving our services, preventing fraud, and ensuring platform security, provided these interests do not override your fundamental rights.
• Legal Obligation: We process data when required by applicable Indian laws, including tax regulations, financial reporting requirements, and law enforcement requests.

We take the security of your data seriously and implement industry-standard measures to protect it:

• Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
• Database Security: We use PostgreSQL databases with multi-tenant architecture. Every database query is scoped to the specific business using business_id filtering, ensuring complete data isolation between businesses.
• Access Controls: Access to production systems and customer data is restricted to authorized personnel with role-based access controls.
• Infrastructure: Our application is hosted on secure cloud infrastructure with regular security patches, automated backups, and monitoring.
• Payment Security: All payment processing is handled by Razorpay, a PCI-DSS Level 1 compliant payment gateway. We never store full credit card or debit card numbers on our servers.

We retain your data according to the following schedule:

• Active Accounts: All business data, customer records, conversation history, and booking data is retained for the duration of your active subscription.
• Cancelled Accounts: After cancellation, your data is retained for 90 days to allow for reactivation. After 90 days, all business data and customer records are permanently deleted.
• Payment Records: Transaction records and invoices are retained for 7 years as required by Indian tax and financial regulations.
• Anonymized Analytics: Aggregated and anonymized usage data may be retained indefinitely for service improvement and research purposes.
• Legal Holds: Data may be retained beyond the standard period if required by law, legal proceedings, or regulatory requirements.

We use the following third-party services to deliver and improve our platform. Each service processes data in accordance with their own privacy policies:

We require all third-party service providers to maintain appropriate security measures and to process data only in accordance with our instructions.

Dvaarik AI integrates with Meta's WhatsApp Business Cloud API to enable business owners to receive and respond to customer messages on WhatsApp through our AI receptionist. When an end customer messages a business that uses our WhatsApp AI Channel, we receive and process the following data via Meta:

• Customer phone number in international format (e.g., +91XXXXXXXXXX)
• WhatsApp display name as set by the customer in their WhatsApp profile
• Message content: text, images, audio, video, and document files sent by the customer to the business
• Message metadata: timestamps, message IDs, delivery status, and read receipts

We use this WhatsApp data exclusively to:

1. Generate AI-powered responses on behalf of the business owner using our AI engine
2. Create and manage customer bookings, orders, payments, and service requests
3. Send transactional notifications such as booking confirmations, reminders, and payment links via approved WhatsApp templates
4. Maintain a conversation history accessible only to the business owner through their authenticated dashboard

WhatsApp Data Sharing: We do not share WhatsApp customer data with any third party except (a) Meta itself, as strictly required to deliver and receive messages through the WhatsApp Business Cloud API, and (b) the specific business owner who is the intended recipient of those customer messages. We do not use WhatsApp data for advertising, marketing by Dvaarik, or training AI models for other customers.

Customer Rights: End customers may request access, correction, or deletion of their data at any time by emailing [email protected] with their phone number. We will respond within 30 days as required by the DPDPA 2023.

Compliance: Our use of the WhatsApp Business Platform is governed by Meta's WhatsApp Business Policy and Business Terms of Service.

Our website uses the following types of cookies and tracking technologies:

• Essential Cookies: Required for basic site functionality, session management, and security. These cannot be disabled.
• Analytics: We use Vercel Analytics to understand how visitors use our website. This data is aggregated and does not personally identify individual users.

We do not use advertising cookies, third-party tracking pixels, or sell any data to advertisers. You can manage cookie preferences through your browser settings.

Under the Digital Personal Data Protection Act, 2023, you have the following rights regarding your personal data:

• Right to Access: You may request a summary of the personal data we hold about you and how it is being processed.
• Right to Correction: You may request correction of any inaccurate or incomplete personal data we hold about you.
• Right to Erasure: You may request deletion of your personal data, subject to legal and regulatory retention requirements.
• Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format. You can export your customer database, booking history, and conversations from the dashboard.
• Right to Withdraw Consent: You may withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
• Right to Grievance Redressal: You have the right to file a complaint with our Grievance Officer or with the Data Protection Board of India if you believe your rights have been violated.

To exercise any of these rights, contact us at [email protected]. We will respond to all requests within 30 days.

Dvaarik AI is designed for use by businesses and is not intended for individuals under the age of 18. We do not knowingly collect personal data from children under 18 years of age.

If we become aware that we have collected personal data from a child under 18, we will take immediate steps to delete such data. If you believe a child has provided us with personal data, please contact us at [email protected].

Your data is primarily stored and processed in India. However, some of our third-party service providers (such as Vercel, Google Gemini, Cloudflare, and Sentry) may process data in servers located outside India.

When data is transferred outside India, we ensure that appropriate safeguards are in place, including contractual obligations requiring the receiving party to provide a level of data protection equivalent to that required under Indian law. We comply with all cross-border data transfer requirements under the DPDPA 2023.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required by the DPDPA 2023.
• Notify affected Business Users and, where applicable, End Customers without undue delay via email and/or WhatsApp notification.
• Provide details of the breach including the nature of the data affected, approximate number of individuals impacted, likely consequences, and measures taken or proposed to mitigate the breach.
• Take all reasonable steps to contain the breach and prevent further unauthorized access.

We have designated a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and ensuring compliance with the DPDPA 2023.

For any questions or concerns about how we handle your data, you may contact our Data Protection Officer:

If you have any complaints, concerns, or grievances regarding our data processing practices, please contact our Grievance Officer:

We will acknowledge your grievance within 48 hours and provide a resolution within 30 days of receipt. If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India.

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable laws. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Notify registered Business Users via email or WhatsApp at least 15 days before the changes take effect.
• Post a prominent notice on our website for significant changes.

Your continued use of our services after the effective date of a revised Privacy Policy constitutes acceptance of the updated terms.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: