Definitions
Controller — you. The entity that decides what personal data is processed and why.
Processor — InboxChange. We process data on your instructions.
Sub-processor — third parties we engage to deliver the Service (Meta, Resend, AWS, etc.).
Personal data — any information relating to an identifiable person — typically your customers' phone numbers, names, emails, message history.
Scope & purpose
We process personal data only for the purpose of providing the Service to you, as instructed by you through the product interface, the API, or written agreement.
We do not use your personal data to train AI models, sell it to data brokers, or use it for any purpose unrelated to delivering the Service.
Our obligations as processor
We process personal data only on documented instructions from you (including transfers to third countries, where applicable).
We ensure staff with access to personal data are bound by confidentiality obligations.
We maintain appropriate technical and organisational security measures (encryption in transit and at rest, access controls, audit logging, breach response plans).
We provide reasonable assistance to you in fulfilling your obligations to respond to data-subject requests, regulatory enquiries, and breach notifications.
We notify you without undue delay (and in any case within 48 hours) of any confirmed personal-data breach affecting your data.
At your request, we delete or return all personal data after the end of the Service (default: deletion within 30 days of termination, unless legally required to retain).
Sub-processors
Current list:
• Meta Platforms Ireland Limited (WhatsApp message routing) — DPA at facebook.com/legal/terms/dataprocessingagreement.
• Resend Inc. (transactional email delivery) — DPA at resend.com/legal/dpa.
• Razorpay Software Private Limited (payment processing).
• Amazon Web Services / DigitalOcean (hosting infrastructure) — region depends on your account location.
• Google LLC — Google Gemini API, only if you enable LLM chatbot features and only for question→answer inference, never for training.
We will notify you at least 30 days before adding a new sub-processor that processes personal data. You may object in writing; if we can't address your objection, you may terminate the affected services with a pro-rata refund.
International data transfers
Where personal data is transferred outside the EEA or other jurisdictions with adequacy decisions, we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures as appropriate (encryption, access controls).
For India-headquartered customers, we offer ap-south-1 (Mumbai) hosting so no cross-border transfer occurs in normal operation. EU customers default to eu-west-1 (Ireland). US customers default to us-east-1 (Virginia).
Audit rights
On reasonable notice (at least 30 days), you may audit our compliance with this DPA. We will respond to security questionnaires and provide third-party audit reports where they exist.
Audits may not be more frequent than once per year and must be conducted in a way that doesn't disrupt other customers. We bear reasonable costs of audits we conduct on your behalf; you bear costs of audits you conduct directly.
Liability
Liability under this DPA is subject to the limitations in our Terms of Service.
Term
This DPA is effective from the date you accept our Terms of Service and continues until our processing of your personal data ceases. After termination, the deletion / return obligations and any obligations under applicable law survive.
Questions? Email legal@inboxchange.com or use the contact form. For data-subject access requests (DPDP / GDPR), email dpo@inboxchange.com — we respond within 30 days.