Privacy Policy
Last Updated: March 15, 2026
Data Controller: ODIVEND OPC PRIVATE LIMITED, Odisha, India | [email protected]
ODIVEND OPC PRIVATE LIMITED ("ODIVEND", "we", "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you visit engage.odivend.com ("Website") or use the ODIV Engage platform at chat.odivend.com ("Platform").
1. Who We Are
ODIVEND OPC PRIVATE LIMITED is incorporated under the Companies Act, 2013 with its registered office in Odisha, India. We operate ODIV Engage — a WhatsApp Business API SaaS platform sold under the brand "ODIV Engage" at engage.odivend.com.
For EU-based data subjects, ODIVEND acts as a Data Controller under GDPR with respect to data collected directly from you. For data you process through the Platform about your own customers, ODIVEND acts as a Data Processor.
2. Legal Framework
We comply with:
- Digital Personal Data Protection Act, 2023 (DPDP Act) — primary law governing processing of personal data of Indian residents
- General Data Protection Regulation (GDPR) — applies to personal data of individuals in the EU/EEA
- Information Technology Act, 2000 and the IT (Reasonable Security Practices) Rules, 2011
3. Data We Collect
3.1 Data You Provide Directly:
- Account registration: full name, email address, mobile number, business name, country
- Subscription & billing: plan selection, billing period (payment details are processed by Razorpay — we do not store card numbers or bank credentials)
- Support communications: any information shared in emails or support requests to [email protected]
3.2 Data Collected Automatically:
- Website usage: pages visited, features interacted with, session duration — only if you consent to analytics cookies (PostHog)
- Technical data: browser type, operating system, screen resolution, language preference
- Country-level location: determined from Netlify's CDN geo headers attached to your request — your IP address is not sent to any third-party geolocation service
3.3 Data Processed as Your Data Processor:
When you use ODIV Engage to communicate with your customers via WhatsApp, we process your customers' personal data (phone numbers, message content, contact records) on your behalf. In this capacity, you are the Data Fiduciary/Controller and ODIVEND is the Data Processor. You remain responsible for ensuring you have a lawful basis to process your customers' data.
4. Purpose & Legal Basis for Processing
| Purpose | Legal Basis (DPDP Act) | Legal Basis (GDPR) |
|---|---|---|
| Account creation & authentication | Consent | Contract (Art. 6(1)(b)) |
| Service delivery & billing | Contract | Contract (Art. 6(1)(b)) |
| Payment processing | Contract | Contract (Art. 6(1)(b)) |
| Transactional emails | Contract | Contract (Art. 6(1)(b)) |
| Product analytics & improvement | Consent | Consent (Art. 6(1)(a)) |
| Legal compliance & fraud prevention | Legal obligation | Legal obligation (Art. 6(1)(c)) |
| Customer support | Legitimate interest | Legitimate interest (Art. 6(1)(f)) |
5. Data Sharing & Sub-Processors
We do not sell your personal data. We share data only with the following sub-processors, all subject to appropriate data processing agreements:
Supabase Inc. — Cloud Database & Authentication
Data: Customer accounts, subscription records, platform configuration | Location: Frankfurt, Germany (EU)
supabase.com/privacyNetlify Inc. — Web Hosting & Serverless Functions
Data: Web request logs, function execution logs | Location: US-based CDN with EU edge nodes
netlify.com/privacyRazorpay Software Pvt. Ltd. — Payment Processing
Data: Billing information, transaction records | Location: India
razorpay.com/privacyResend Inc. — Transactional Email Delivery
Data: Email address, email content | Location: United States
resend.com/privacyMeta Platforms Inc. / WhatsApp LLC — WhatsApp Business API
Data: WhatsApp messages, phone numbers, message templates | Location: United States
whatsapp.com/legal/privacy-policyPostHog Inc. — Product Analytics (only if you consent to analytics cookies)
Data: Page views, feature interactions, session metadata (no PII by default) | Location: EU (eu.posthog.com, Frankfurt)
posthog.com/privacy6. International Data Transfers
ODIVEND is based in India. Some sub-processors (Netlify, Resend, Meta/WhatsApp) are based in the United States.
For EU users: Transfers to the US are made under EU Standard Contractual Clauses (SCCs) or applicable adequacy frameworks as provided by each sub-processor.
For Indian users: Cross-border transfers are subject to the contractual protections required under the DPDP Act, 2023.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Active customer account data (ODIV systems) | Duration of subscription. If deactivated: 15 days grace + 30 days warning, then permanently deleted or anonymized |
| WhatsApp platform data — contacts, conversations, bots, automations, channel wallets (BSP infrastructure) | Permanently deleted on the 1st of each month if subscription has been inactive for more than 15 days. This is enforced by the BSP and cannot be reversed. |
| Billing records | 7 years (Indian tax law requirement) |
| Support communications | 3 years |
| PostHog analytics data | 12 months (EU PostHog servers) |
| Website preference storage (localStorage) | 12 months (user's device) |
| Session tokens | Duration of browser session |
After retention periods expire, data is securely deleted or anonymized.
Automatic Deletion for Inactive Accounts: If your account is deactivated (due to payment failure, cancellation, or any other reason) and remains inactive for more than 15 days, we will notify you via email and WhatsApp that your data is scheduled for deletion. You will have 30 days to reactivate. If you do not reactivate, your personal data on ODIV systems (name, email, phone, company details) will be permanently deleted or anonymized. Separately, your WhatsApp platform data (contacts, conversations, bots, automations, billing logs) hosted on our BSP partner infrastructure is permanently deleted on the 1st of every month for accounts inactive more than 15 days — this may occur before your 30-day ODIV warning period expires. We cannot recover BSP-deleted data. Deleted users are treated as new users upon re-subscription.
Billing and subscription records are retained for 7 years as required by Indian tax law, even after account deletion.
8. Your Rights
8.1 Rights Under DPDP Act 2023 (Indian Residents):
- Right of Access — request a summary of your personal data we process
- Right of Correction & Erasure — request corrections to inaccurate data or deletion of your data
- Right to Grievance Redressal — raise a complaint with us; we commit to acknowledge within 72 hours and resolve within 30 days
- Right to Nominate — nominate a person to exercise your data rights on your behalf
8.2 Additional Rights for EU Residents Under GDPR:
- Right to Data Portability — receive your data in a structured, machine-readable format
- Right to Restrict Processing — limit how we use your data in certain circumstances
- Right to Object — object to processing based on legitimate interests
- Right to Withdraw Consent — withdraw analytics consent at any time via the cookie preferences panel
- Right to Lodge a Complaint — with your EU/EEA supervisory authority
To exercise any of these rights, email [email protected] with subject line "Data Rights Request". We will respond within 30 days.
9. Cookies & Local Storage
We use browser localStorage (not HTTP cookies) to store your language preference, currency selection, and cookie consent record. Analytics storage (PostHog) is only activated after you explicitly consent. See our Cookie Policy for full details of every item stored.
10. WhatsApp Message Processing
When you use the ODIV Engage Platform to send or receive WhatsApp messages, your customers' message data is processed by ODIVEND's infrastructure on your behalf. We act solely as a Data Processor for this data — we do not read, analyse, or use your customers' message content for our own purposes, and we do not share it with third parties beyond what is technically necessary to deliver the WhatsApp API service.
11. Children's Privacy
ODIV Engage is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it promptly.
12. Security
We implement industry-standard security measures including:
- TLS 1.2+ encryption for all data in transit
- Row-level security (RLS) in our Supabase database
- JWT-based authentication with refresh token rotation
- Access controls restricting staff access to customer data on a need-to-know basis
No system is 100% secure. We cannot guarantee absolute security of data transmitted over the internet.
13. Grievance Officer
In accordance with the Information Technology Act, 2000 and DPDP Act, 2023, grievances relating to personal data may be directed to us. We commit to acknowledging complaints within 72 hours and resolving them within 30 days.
14. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or in-platform notice at least 15 days before taking effect. The "Last Updated" date at the top reflects the most recent revision.