Privacy Policy

1. Who we are

The data controller for account and website data is Senithu Software Solutions, No. 295/A/1, Nedagamuwa, Kotugoda, Sri Lanka. For privacy questions or requests, contact chatmunshi@senithu.lk.

2. Two roles: controller and processor

Because ChatMunshi is a business tool, we handle data in two distinct roles:

  • As a controller — for the personal data of our customers (the businesses who sign up), such as your account details, billing information, and how you use the Service. This policy governs that data.
  • As a processor — for the personal data of your end customers (the people who message your WhatsApp), which we process only on your behalf and instructions. That processing is governed by our Data Processing Addendum. As the business, you are the controller of your customers’ data and are responsible for a lawful basis to message them.

3. Data we collect

Data you provide

  • Account & business profile: name, email address, password, business name, business details you configure (services, hours, prices, location), and your logo or uploaded documents (e.g. price lists, catalogues).
  • WhatsApp connection: the WhatsApp Business account and phone number you connect, and the access tokens needed to send and receive messages on your behalf (stored under access-restricted rules and, where enabled, encrypted).
  • Payment: subscription and billing information. Payments are processed by PayPal; we do not receive or store your full card details. We receive limited confirmation and billing metadata from PayPal.
  • Communications: messages you send us, support requests, and newsletter sign-ups.

Data processed on your behalf (your customers)

  • Message content: the text, voice notes, images, and documents your customers send and that the Service sends in reply, including AI-generated transcriptions of voice notes.
  • Contact identifiers: your customers’ WhatsApp phone numbers and profile names, and metadata such as timestamps.

Data collected automatically

  • Usage & device data: log data, IP address, browser type, pages viewed, and actions in the dashboard, used to operate and secure the Service.
  • Cookies: essential cookies for login and preferences. See our Cookie Policy.

4. How we use data

  • To provide, operate, and maintain the Service and your account.
  • To power AI features — understanding customer messages and voice notes, and generating replies, transcriptions, and voice responses.
  • To process payments and manage subscriptions via PayPal.
  • To provide support, send service and transactional emails, and respond to requests.
  • To secure the Service, prevent abuse and fraud, and enforce our terms.
  • To improve and develop the Service (using aggregated or de-identified data where possible).
  • To send you product updates or our newsletter where you have opted in (you can unsubscribe anytime).
  • To comply with legal obligations.

5. Legal bases (where GDPR or similar law applies)

  • Contract — to provide the Service you signed up for and process payments.
  • Legitimate interests — to secure, support, and improve the Service, and for direct communications about it.
  • Consent — for marketing emails and any non-essential cookies, where required. You can withdraw consent at any time.
  • Legal obligation — to comply with applicable laws.

6. WhatsApp, Meta, and AI processing

To deliver messages, the Service uses the WhatsApp Business Platform provided by Meta. Message data passes through Meta’s systems subject to Meta’s and WhatsApp’s own privacy terms. To understand and generate replies and to transcribe voice notes, message content is processed by AI providers (including Google Cloud services). We instruct these providers to process data only to provide their functionality to us and not to train their general models on your data where such controls are offered. We are not affiliated with Meta.

7. Sharing and sub-processors

We do not sell your personal data. We share data only with service providers who help us run the Service (“sub-processors”), under contracts that require appropriate safeguards — for example, Meta/WhatsApp (messaging), PayPal (payments), Google Cloud and Firebase (hosting, database, storage, AI), Vercel (hosting), and Zoho (email delivery). The current list is maintained in our Data Processing Addendum. We may also disclose data if required by law or to protect rights, safety, and the integrity of the Service.

8. International transfers

We and our sub-processors may process data in countries other than yours, including outside your region. Where required, we rely on appropriate safeguards (such as standard contractual clauses) for such transfers.

9. Data retention

We keep account data for as long as your account is active and as needed to provide the Service. Conversation and message data is retained to provide history and features, and is deleted or de-identified within a reasonable period after you delete it, close your account, or on your instruction. We may retain limited data as required for legal, tax, security, or dispute-resolution purposes.

10. Security

We use technical and organisational measures to protect data, including access controls, encryption in transit, restricted database rules, and (where enabled) encryption of stored WhatsApp access tokens. No method of transmission or storage is completely secure, but we work to protect your data and to notify you of material incidents as required by law.

11. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, or object to processing of your personal data, to data portability, and to withdraw consent. To exercise these rights, contact chatmunshi@senithu.lk. We will respond within the time required by applicable law. You also have the right to complain to a data protection authority.

Deletion for businesses and end users: both our customers and their end customers can request deletion of personal data. See our Data Deletion & Requests page for how to do this. If you are an end customer who messaged a business using ChatMunshi, the business is the controller of your data; we will assist them in fulfilling your request.

12. Children

The Service is for businesses and is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date and, for material changes, provide additional notice where appropriate.

14. Contact

For any privacy question or request, contact chatmunshi@senithu.lk or write to Senithu Software Solutions, No. 295/A/1, Nedagamuwa, Kotugoda, Sri Lanka.