Back to home

Privacy Policy

This Privacy Policy explains how Brandbabaa-AI ("Brandbabaa", "we", "us", "our") collects, uses, shares, and protects personal data when (a) you visit our website, (b) you create an account and use our CRM/automation platform, and (c) your organization uploads or otherwise provides personal data of leads, customers, or contacts to Brandbabaa (together, the "Services").

This Policy is intended to support compliance with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025, as notified, and the Information Technology Act, 2000 and applicable rules (including the SPDI Rules).

1. Key Roles and Scope

a) Website visitors and account users. For personal data collected directly from you (e.g., when you sign up, pay for a subscription, or contact support), Brandbabaa generally acts as a Data Fiduciary (controller).

b) Customer-Provided Data. If you are a business customer and you upload or connect lead/customer/contact data (including WhatsApp message content) to Brandbabaa, your organization typically determines the purpose and means of processing that data and is the Data Fiduciary. In that context, Brandbabaa generally acts as a Data Processor (processor) and processes such data only on documented instructions from the customer, as further described in our customer agreement / Data Processing Addendum (where applicable).

c) End customers / leads. If you are an end customer/lead whose data is processed by one of our business customers, please contact that business customer first to exercise rights, because they control the relationship and the purpose of processing. We will assist our customers in responding to such requests as required by law and contract.

2. What Personal Data We Collect

We collect personal data depending on how you use the Services. This can include:

  • Account and profile data: name, email, phone number, company details, role/permissions, authentication credentials (stored in hashed form), and support communications.
  • Billing data: billing address, GST information (if provided), invoices, and payment-related identifiers from payment processors (we do not store full card details).
  • Customer-Provided Data: lead/customer/contact records you create or import; notes; tags; custom fields; call logs and reminders; and any content (including attachments such as images, documents, or other media files) that you or your team store in Brandbabaa or share through our Services (e.g., via WhatsApp).
  • Messaging and conversation data: message content, timestamps, and related metadata where you use (i) our WhatsApp automation features (including via our Chrome Extension) or (ii) our WhatsApp Business API features, including delivery status events where available.
  • Voice call data: audio recordings and transcripts of calls conducted through the Services (when you use our AI voice calling feature).
  • Integrations data: data you sync or import from third-party systems you connect (e.g., Google Sheets, Meta Lead Ads, external CRM integrations) and configuration tokens/keys required to enable those integrations.
  • Technical and usage data: IP address, browser/device information, logs, diagnostic data, cookie identifiers, and analytics events.

We do not intentionally ask you to provide Sensitive Personal Data (as defined under applicable IT rules) through the Services; however, Customer-Provided Data may include such information if your leads share it during conversations. You are responsible for minimizing collection to what is necessary for your use case.

3. How We Use Personal Data

  • Providing the Services: account creation, authentication, lead management, pipelines/stages, reminders, and other CRM features.
  • Automation and messaging: sending scheduled follow-ups and reminders to engage leads (including via AI-powered voice calls) and enabling messaging features you activate.
  • AI features: generating suggested replies, qualification summaries, lead insights, and automation content based on conversation context and your configured prompts. By default, we do not use Customer-Provided Data to train public, general-purpose AI models.
  • Service improvement and analytics: understanding product usage, debugging, maintaining reliability, and improving features.
  • Security and abuse prevention: detecting fraud, spam, or misuse and maintaining platform integrity.
  • Communications: service notices, support responses, and administrative messages.
  • Legal compliance: complying with legal obligations, responding to lawful requests, and enforcing our agreements.

4. Legal Basis for Processing (DPDP Act)

Under the DPDP Act, we process personal data only for a lawful purpose and based on (a) consent, or (b) certain legitimate uses as permitted by law. Where we act as a Data Processor for Customer-Provided Data, our customer (the Data Fiduciary) is responsible for establishing a lawful basis and providing any required notices/consents to Data Principals.

5. Cookies and Similar Technologies

We use cookies and similar technologies for authentication, security, preferences, and analytics. You can manage cookies via your browser settings. Where required, we will provide cookie choices or banners.

6. Sharing and Disclosure

We may share personal data with:

  • Vendors and service providers (sub-processors) who help us operate the Services (e.g., cloud hosting, analytics, customer support tooling, email delivery, payment processing, and AI/LLM infrastructure).
  • Your configured integrations and recipients: If you connect third-party CRMs or other integrations, we will share data as needed to fulfill your instructions.
  • WhatsApp/Meta and other communication platforms: Where you choose to use WhatsApp messaging features, message delivery is subject to the platform's processing and policies.
  • AI voice calling provider: If you enable our AI voice calling feature, we will share call content (audio and transcripts) with our third-party voice service provider.
  • Legal and compliance: Law enforcement, regulators, courts, or other parties where required by law or to protect rights/safety.
  • Business transfers: In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards.

We do not sell Customer-Provided Data or personal data. We do not share Customer-Provided Data with third parties for their own marketing or advertising purposes.

7. Cross-Border Transfers

We may process and store personal data in India and other jurisdictions where we or our service providers operate. Transfers outside India will be carried out in accordance with the DPDP Act/Rules and any other applicable laws.

8. Data Retention and Deletion

We retain personal data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Retention can vary by data type:

  • Account and billing records: retained as required for legal, tax, and audit purposes.
  • Customer-Provided Data: retained for the duration of the customer account, unless the customer deletes it earlier. Backups may persist for a limited period before being overwritten.

Upon account termination, we will provide customers a reasonable opportunity to export Customer-Provided Data. After this export period, we will delete or anonymize Customer-Provided Data within a reasonable time, except where retention is required for legal, security, or dispute-resolution purposes.

9. Rights of Data Principals and How to Exercise Them

Subject to applicable law, Data Principals may have rights including: (i) access to information about processing, (ii) correction/completion/updating, (iii) erasure, (iv) grievance redressal, and (v) nomination. Where processing is based on consent, you may also withdraw consent.

If you are a business customer/account user, contact us at info@Brandbabaa-ai.com. If your data was provided to Brandbabaa by one of our business customers, please contact that customer first.

10. Security

We maintain reasonable administrative, technical, and organizational safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or loss. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. Personal Data Breach Notification

If we become aware of a personal data breach, we will take reasonable steps to contain and remediate it. We will notify the Data Protection Board of India and affected Data Principals when required under applicable law.

12. Children's Privacy

Our Services are intended for use by businesses and are not directed to children. We do not knowingly process personal data of children as a Data Fiduciary.

13. Changes to this Policy

We may update this Policy from time to time. The updated version will be posted with a revised "Last Updated" date. Material changes may be notified through the website or within the Services.

14. Contact and Grievance Redressal

Email: ggaganjohar@gmail.com

We will respond to grievances within the timelines prescribed by applicable law (currently up to 90 days under the DPDP Rules, as notified).