Privacy Policy
How MsgX (operated by Pistachio Tech LLP) collects, uses, shares, and protects your information.
Last updated: April 26, 2025
1. Who We Are
MsgX is a WhatsApp Business API platform developed and operated by Pistachio Tech LLP, a company registered in India. MsgX enables businesses to send and receive WhatsApp messages, manage contacts, create message templates, and integrate messaging into their own applications via our REST API.
By using MsgX, you agree to the practices described in this Privacy Policy. This policy applies to our website (MsgX.in), the MsgX dashboard, and the MsgX API.
2. Information We Collect
We collect information in the following ways:
- Account information: When you register, we collect your name, email address, phone number, and business name.
- WhatsApp Business credentials: To connect your WhatsApp Business Account, we collect and securely store your Meta access token, WABA ID, and Phone Number ID — encrypted at rest using AES-256.
- Message data: We store metadata about messages sent and received through our platform (message IDs, timestamps, delivery status, and message content) to power your inbox and analytics.
- Contact data: Phone numbers, names, email addresses, and tags for contacts you add to your account.
- API keys: We store hashed (SHA-256) versions of your API keys — we never store them in plaintext.
- Usage data: Log data including IP addresses, browser type, pages visited, and API request logs for security and debugging.
- Billing information: Subscription plan details processed via Razorpay. We do not store raw card numbers.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the MsgX platform and API
- Send and receive WhatsApp messages on your behalf through Meta's Cloud API
- Display conversation history, delivery status, and analytics in your dashboard
- Authenticate API requests and secure your account
- Deliver webhook events to your registered endpoints
- Send transactional emails (account creation, billing receipts)
- Comply with legal obligations and Meta's WhatsApp Business Platform policies
- Detect and prevent abuse, fraud, and policy violations
4. WhatsApp Message Data and Meta's Policies
MsgX operates as a Meta Business Solution Provider (BSP) and accesses Meta's WhatsApp Business Cloud API on your behalf. All messaging activity conducted through MsgX is subject to:
- Meta's WhatsApp Business Platform Terms of Service
- Meta's Privacy Policy (https://www.facebook.com/privacy/policy/)
- WhatsApp's Acceptable Use Policy
By using MsgX, you confirm that you have obtained all necessary consents from your end-users to send them WhatsApp messages, and that your use of MsgX complies with applicable laws and Meta's policies.
We do not use message content to train AI models, sell data to third parties, or use it for advertising purposes.
5. Data Sharing and Third Parties
We do not sell your personal data. We share data only in these circumstances:
- Meta Platforms, Inc.: Message data is transmitted through Meta's WhatsApp Cloud API to deliver messages. Meta processes this data under their own privacy policy.
- Razorpay: Payment processing for subscription plans. Subject to Razorpay's privacy policy.
- Infrastructure providers: We use cloud hosting (servers, databases, Redis) to operate the platform. These providers process data on our behalf under data processing agreements.
- Legal requirements: We may disclose data if required by law, court order, or to protect our legal rights.
- Your webhook endpoints: If you configure webhooks, we deliver event data to URLs you specify. You are responsible for how you handle this data.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide services:
- Message data: Retained for 90 days by default, then archived or deleted
- Contact data: Retained until you delete contacts or close your account
- Account information: Retained for up to 30 days after account closure for legal compliance, then permanently deleted
- API keys: Deleted immediately upon revocation
- Billing records: Retained for 7 years as required by Indian tax law
7. Data Security
We implement industry-standard security measures to protect your data:
- AES-256-CBC encryption for stored Meta access tokens
- SHA-256 hashing for API keys — never stored in plaintext
- JWT tokens with expiry for dashboard authentication
- HMAC-SHA256 signatures on all outbound webhook deliveries
- HTTPS/TLS for all data in transit
- Role-based access control (MAIN / AGENT) within tenant accounts
Despite these measures, no system is 100% secure. If you discover a security vulnerability, please report it to support@thepistachio.tech.
8. Your Rights
Depending on your location, you may have rights including:
- Access: Request a copy of personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and associated data (see our Data Deletion page)
- Portability: Request your data in a machine-readable format
- Restriction: Request we limit processing of your data
- Objection: Object to certain uses of your data
To exercise these rights, email legal@thepistachio.tech. We will respond within 30 days.
9. Cookies
Our dashboard uses the following cookies and local storage:
- Authentication token (localStorage): Stores your JWT session token to keep you signed in
- Preference cookies: Remember UI preferences (theme, tab state)
- No advertising or third-party tracking cookies are used
10. Children's Privacy
MsgX is not directed to children under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email and update the 'Last updated' date at the top of this page. Continued use of MsgX after changes constitutes acceptance of the updated policy.
12. Governing Law
This Privacy Policy is governed by the laws of India, including the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (as applicable).
Disputes will be subject to the exclusive jurisdiction of courts in India.
Questions about this policy?
Contact us at legal@thepistachio.tech or write to:
Pistachio Tech LLP
India
Email: legal@thepistachio.tech