CABot ("we", "our", or "us") is a product of MageComp. We are committed to protecting the privacy of Chartered Accountant firms ("CA Firms") and their clients who interact with the CABot platform. This Privacy Policy describes how we collect, use, store, and safeguard information in connection with our WhatsApp automation service.
1. Information We Collect
We collect the following categories of information:
- CA Firm Account Data: Name, firm name, email address, WhatsApp/phone number, and billing information provided during registration or account management.
- Client Interaction Data: WhatsApp phone numbers, message content, document requests, and bot interaction logs originating from the CA firm's clients via the WhatsApp channel.
- Documents & Files: Financial documents (e.g., ITR acknowledgements, GST certificates) uploaded or retrieved via the platform for delivery to clients.
- Usage & Technical Data: IP addresses, browser/device information, page views, and feature usage analytics collected automatically.
- Payment Data: Transaction identifiers and plan subscription details processed via Razorpay. We do not store raw card or UPI credentials.
2. How We Use Information
Information collected is used exclusively for:
- Operating and delivering the CABot WhatsApp automation service to CA firms
- Routing client messages and delivering documents on behalf of the CA firm
- Processing subscription payments and managing billing records
- Sending service notifications, renewal reminders, and support communications
- Improving platform features, fixing bugs, and ensuring service reliability
- Complying with applicable legal and regulatory obligations
3. WhatsApp & Meta Platform Data
CABot operates via the Meta WhatsApp Business API. Message data passing through WhatsApp is subject to Meta's own privacy policies. CA firms are responsible for obtaining appropriate consent from their clients before onboarding them to any WhatsApp automation service.
We do not use client WhatsApp data for advertising, profiling, or any purpose unrelated to the CA firm's own service delivery.
4. Data Sharing & Disclosure
We do not sell or rent personal data. We may share data only in these limited circumstances:
- Service Providers: Trusted sub-processors (e.g., Railway for hosting, Razorpay for payments, Resend for transactional email) under strict data processing agreements.
- Meta / WhatsApp: Message routing via the WhatsApp Business API as required for service operation.
- Legal Obligations: When required by Indian law, court order, or a competent regulatory authority.
- Business Transfer: In the event of a merger or acquisition, data may transfer to the successor entity under equivalent privacy protections.
5. Data Security
We implement industry-standard security measures including:
- Fernet encryption for sensitive client data at rest
- HTTPS/TLS encryption for all data in transit
- JWT-based authentication with short-lived tokens for admin access
- Role-based access controls separating superadmin and CA-level permissions
- Regular dependency audits and security monitoring
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but commit to responding promptly to any identified breach.
6. Data Retention
We retain account and interaction data for the duration of the subscription and for a period of 90 days after account termination, after which data is permanently deleted. Billing records are retained as required by Indian GST and accounting laws (typically 7 years).
7. CA Firm Responsibilities
CA firms using CABot act as independent data controllers for their own clients' data. It is the responsibility of each CA firm to:
- Obtain client consent before sending automated WhatsApp messages
- Comply with applicable data protection laws when collecting and storing client information
- Ensure clients are aware of how their data is used in the context of the CA firm's services
8. Cookies & Analytics
Our web application may use session cookies for authentication and basic analytics cookies to understand usage patterns. These do not track users across third-party sites and can be controlled via browser settings.
9. Support Access to Your Account
MageComp support staff may access a CA firm's account only in the following circumstances:
- When the CA firm has raised a support request or given explicit permission
- When required to investigate a technical fault or security incident affecting the account
Every instance of support access is logged with a timestamp and IP address. The CA firm receives an immediate WhatsApp notification at their registered number whenever their account is accessed by MageComp support. This notification includes the date, time, and a contact number to raise concerns.
Support access is never used for commercial purposes, profiling, or sharing data with third parties.
10. Your Rights under the DPDP Act 2023
Under the Digital Personal Data Protection (DPDP) Act 2023, CA firm account holders have the following rights:
- Right to Access: Request a summary of personal data we hold about your account
- Right to Correction: Request correction of inaccurate or incomplete personal data
- Right to Erasure: Request deletion of your account and all associated data. We will process deletion requests within 30 days. Billing records may be retained as required by Indian GST law.
- Right to Grievance Redressal: Raise a complaint with us and receive a response within 30 days
- Right to Nominate: Nominate another individual to exercise your rights on your behalf in case of death or incapacity
- Data Portability: Request an export of your client data in a portable format
To exercise any of these rights, use the Data Privacy section in your CABot admin panel (Bot Config → Data Privacy) or contact us directly at the details below. Deletion requests submitted via the admin panel are processed within 30 days.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in harm to affected individuals, we will notify the relevant CA firms and, where required by the DPDP Act, the Data Protection Board of India within 72 hours of becoming aware of the breach.
12. Grievance Officer
In accordance with the DPDP Act 2023 and the Information Technology Act 2000, the details of our Grievance Officer are:
- Name: MageComp Support Team
- Email: support@magecomp.com
- Response time: Within 30 days of receipt of complaint
13. Changes to This Policy
We may update this Privacy Policy periodically. Significant changes will be communicated via email to registered CA firms at least 7 days before taking effect. Continued use of CABot after changes constitutes acceptance of the updated policy.
14. Contact Us
For privacy-related queries or data requests: