Who we are
InboxChange is operated by Clicks Bazaar Technologies Private Limited ("InboxChange", "we", "us"), registered at AIHP Horizon, 445, Udyog Vihar Phase V, Sector 19, Gurugram, Haryana 122016, India.
For privacy questions, our Data Protection Officer can be reached at dpo@inboxchange.com.
What we collect
Account data — name, work email, company, country, role you selected at signup, encrypted password hash. We collect this so we can give you an account.
Usage data — what features you use, which broadcasts you send, which leads you capture. We use aggregated, non-identifying versions of this to improve the product.
WhatsApp content — the messages your customers send to you and the messages you send to them. We store these on your behalf; we do not read them or use them for any purpose other than rendering them in your inbox.
Customer data you upload — CSV contact lists, audience filters, lead-capture form answers. You are the data controller for this; we are the data processor.
Technical data — IP address, browser type, device, session timestamps. Used for security (fraud / abuse detection) and operational metrics. Retained for 90 days.
Payment data — your billing address and tax information. Card numbers are handled by Razorpay and never touch our servers.
How we use it
We use your data to deliver the InboxChange service — running your campaigns, delivering your messages, generating your invoices.
We use anonymised, aggregated usage data to understand product performance and prioritise improvements.
We send you operational emails (welcome, password reset, invoices, payment receipts, team invitations). These are required for the service to function and can't be unsubscribed from.
We send you optional marketing emails (monthly product update, best-tactics digest) only if you opt in. Every marketing email has a one-click unsubscribe link.
We do not sell your data. We do not run ads in our product. We do not allow third-party advertisers to track you through our product.
Lawful basis (GDPR Article 6 / DPDP)
Contract — most data processing is necessary to deliver the service you bought from us. This includes account management, message delivery, billing.
Legitimate interest — security monitoring, fraud prevention, aggregated analytics, operational emails. Our legitimate interest is balanced against your rights and never overrides them.
Consent — marketing emails, optional analytics features. You can withdraw consent any time via account settings.
Legal obligation — tax records, audit trails. Retained for the period required by Indian / EU / US tax law (typically 7 years).
Who we share data with
Sub-processors — companies we use to deliver the service:
• Meta Platforms Ireland — WhatsApp message delivery (your messages flow through Meta's API).
• Resend (Resend Inc., USA) — transactional email delivery.
• Razorpay (Razorpay Software Private Limited, India) — payment processing.
• DigitalOcean / AWS — server hosting (India / Singapore region for India customers, EU-West for European customers).
• Google Gemini API — if you enable the LLM chatbot, the inbound message you choose to send is forwarded to Google's API. Only your knowledge-base entries and the specific inbound question are sent. No customer PII or chat history is sent.
Each sub-processor has a data-processing agreement with us. The full list with their respective DPAs is available at inboxchange.com/dpa.
We do not share your data with anyone else, except where legally compelled by valid court orders / government requests in the jurisdictions we operate in.
Where we store it & how long we keep it
Data is stored in encrypted databases. For India-headquartered customers, we host in AWS Mumbai (ap-south-1); for EU customers, in AWS Ireland (eu-west-1); for US customers, in AWS Virginia (us-east-1). You can request a different region for Enterprise contracts.
Account data — retained while your account is active. Deleted within 30 days of account closure, except as required by law (tax records: 7 years).
Messages and contacts — retained while your account is active. You can export and delete on demand via the admin UI. Hard-deleted within 30 days.
Logs (technical) — 90 days, then automatically purged.
Backups — 365 days, encrypted at rest, deleted on rotation.
Your rights
Under GDPR (if you're in the EU / EEA / UK) and the DPDP Act (if you're in India), you have the right to:
Access — request a copy of all data we hold about you.
Rectification — correct any data we have wrong.
Erasure ("right to be forgotten") — request we delete your data.
Portability — receive your data in a machine-readable format.
Objection — object to certain processing (e.g. marketing).
Withdraw consent — at any time, for any consent-based processing.
To exercise any right, email dpo@inboxchange.com. We will respond within 30 days. There is no charge for these requests (unless they are manifestly excessive — at which point we'll quote a reasonable fee or refuse, and explain why).
If you're not satisfied with our response, you can lodge a complaint with your local supervisory authority (in India: the Data Protection Board; in the EU: your national supervisory authority; in the UK: the ICO).
How we protect your data
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Passwords are hashed with bcrypt cost 12.
Access to production systems is restricted to a small number of engineers. Every access is logged. Two-factor authentication is required for engineering staff.
We run automated daily backups encrypted with a separate key, stored in a different region for disaster recovery.
We do annual security reviews. Material incidents are notified to affected customers within 72 hours per GDPR / DPDP requirements.
Cookies & similar technologies
We use only essential cookies — primarily a session cookie (`ipsess`) so we can keep you logged in. We don't use third-party advertising cookies or cross-site trackers.
See our Cookie Policy for full details.
Children
InboxChange is a B2B product. We don't market it to anyone under 18 and we don't knowingly collect data about minors. If you believe we have, email dpo@inboxchange.com and we'll delete it.
Changes to this policy
We'll notify customers by email (to the account owner address) at least 30 days before any material change to this policy. The current version is always at inboxchange.com/privacy; older versions are archived and available on request.
Questions? Email legal@inboxchange.com or use the contact form. For data-subject access requests (DPDP / GDPR), email dpo@inboxchange.com — we respond within 30 days.