Privacy Policy

Last updated: 19 April 2026

TwaBot ("we", "us", or "our") operates the website twabot.com and the TwaBot platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information We Collect

1.1 Account Information

When you register, we collect your name, email address, business name, industry, and password (stored in hashed form). We never store your password in plain text.

1.2 WhatsApp Business Data

When you connect your WhatsApp Business number, we process incoming and outgoing messages through the WhatsApp Business API to provide AI-powered responses. Message content is stored in our database to maintain conversation history and improve your bot's performance.

1.3 Payment Information

Payment processing is handled by Razorpay, a PCI DSS compliant payment gateway. We do not store your credit card, debit card, or UPI details on our servers. We only store transaction IDs and payment status for record-keeping.

1.4 API Keys

If you provide your own OpenAI or Google Gemini API key, it is encrypted using AES-256 encryption before storage. We never access, share, or use your API key for any purpose other than processing your AI requests.

1.5 Usage Data

We automatically collect information about your usage of the platform including message counts, AI call counts, broadcast statistics, login times, and browser/device information for analytics and service improvement.

1.6 Reconfiguration Audit Data

When you change ("reconfigure") the WhatsApp Business number attached to your account, we create an audit record containing:

  • The timestamp of the change and the user account that initiated it
  • The IP address and browser user-agent of the device that submitted the request
  • A before/after snapshot of the previous and new phone number, phone-number-id, WABA id, and display name
  • The reason you selected (e.g., "number restricted", "lost number", "business change") and any optional note you provided
  • The outcome of the reconfigure attempt (pending, in-progress, completed, or failed with error code)

This data is required to comply with Meta's Tech Provider obligations, to resolve disputes about unauthorized number changes, and to enforce our abuse-prevention cooldown. It is retained for 3 years from the date of the reconfigure and may be disclosed to Meta or to law-enforcement authorities if a specific and lawful request is made. You consent to this collection and retention each time you initiate a reconfigure.

1.7 Google Account Data (Google Calendar Integration)

TwaBot offers an optional Google Calendar integration so that appointments booked through your WhatsApp chat flows are automatically created on your own Google Calendar, with your customers added as attendees. This section describes exactly what Google account data we access, how we use it, and what we do not do with it.

OAuth scopes requested:

  • https://www.googleapis.com/auth/calendar.events — to create, update, and delete calendar events that TwaBot creates on your behalf when your customers book, reschedule, or cancel an appointment.
  • https://www.googleapis.com/auth/userinfo.email — to display the connected Google account email in your TwaBot dashboard so you can confirm which account is linked and disconnect it at any time.
  • openid — standard OpenID Connect sign-in identifier, required by Google's OAuth flow.

What we do with this data:

  • Create calendar events (optionally with Google Meet links) when a customer completes an appointment-booking flow on WhatsApp.
  • Add the customer's email address as an attendee on the event so they receive a Google Calendar invitation.
  • Update or delete an event if the customer later reschedules or cancels via WhatsApp.
  • Store the returned event ID and calendar ID in our database so we can update or delete that specific event later. We do not store the full event body.
  • Store your refresh token and a short-lived access token, encrypted at rest using AES-256-CBC, so we can keep creating events on your behalf without asking you to sign in repeatedly.

What we do not do with this data — Limited Use disclosure:

TwaBot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We do not read, download, export, or analyze any events on your calendar that TwaBot did not create.
  • We do not use Google user data to train, fine-tune, or improve any AI or machine-learning model — generalized or otherwise.
  • We do not sell, rent, transfer, or share Google user data with any third party for advertising, marketing, or any other purpose.
  • We do not use Google user data to build user profiles for advertising or to serve advertisements.
  • Humans on the TwaBot team do not read your Google user data, except (a) with your explicit consent for support troubleshooting, (b) to comply with applicable law, or (c) to investigate abuse of our service.

How to revoke access:

You can disconnect TwaBot from your Google account at any time, which will immediately revoke our access and delete your tokens from our servers. Use either method:

  • Inside TwaBot: Go to Dashboard → Settings → Calendar & Meet → Disconnect.
  • From Google directly: Visit myaccount.google.com/permissions, find "TwaBot" in the list of third-party apps, and click Remove Access.

Disconnecting does not delete events that were already created on your calendar. You can delete those from Google Calendar directly if needed.

2. How We Use Your Information

  • To provide, maintain, and improve the TwaBot platform
  • To process AI-powered responses to your WhatsApp customers
  • To send broadcast messages on your behalf
  • To process your subscription payments
  • To send you service-related notifications (subscription expiry warnings, receipts)
  • To provide customer support
  • To detect, prevent, and address technical issues or abuse

3. Data Security

We take data security seriously and implement the following measures:

  • Encryption: AES-256 encryption for sensitive data (API keys, tokens)
  • Authentication: Session-based authentication with HTTP-only secure cookies
  • Password Security: Bcrypt hashing with salt rounds
  • Input Protection: Input sanitisation, XSS prevention, and SQL injection protection
  • Rate Limiting: API rate limiting to prevent abuse
  • Isolation: Each business has a completely isolated data environment

4. Data Sharing

We do not sell, rent, or share your personal data or your customers' WhatsApp conversation data with any third party for marketing purposes. We share data only with:

  • Meta (WhatsApp): Message delivery through the WhatsApp Business API
  • OpenAI / Google Gemini: Message content sent to AI providers for generating responses (as per your chosen AI provider)
  • Google Calendar API: Event details (title, description, date/time, your own Google account email, customer email as attendee) sent to Google only to create/update/delete calendar events on your behalf, with your OAuth consent — see Section 1.7
  • Razorpay: Payment processing only
  • Law Enforcement: If required by law or to protect our legal rights

5. Data Retention

We retain your account data and conversation history for as long as your account is active. Broadcast recipient details older than 90 days may be automatically cleaned up. Reconfiguration audit records (Section 1.6) are retained for 3 years independent of account deletion, as they constitute compliance evidence required by Meta. When you delete your account, we will delete your personal data within 30 days, except where retention is required by law.

6. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and data
  • Export your conversation data
  • Withdraw consent for data processing

To exercise any of these rights, contact us at support@twabot.com.

7. Cookies

We use essential cookies only — specifically an HTTP-only authentication cookie for maintaining your login session. We do not use advertising or tracking cookies.

8. Children's Privacy

TwaBot is designed for business use and is not intended for anyone under the age of 18. We do not knowingly collect data from minors.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on our platform. Continued use of the service after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy, please contact us:

Email: support@twabot.com
Website: twabot.com