Privacy Policy
Last updated: 13 July 2026
On this page
- 1. Introduction & Scope
- 1.1 Electronic record
- 1.2 Who we are
- 1.3 Our two roles — Controller/Data Fiduciary and Processor/Data Processor
- 1.4 Scope
- 2. Definitions
- 2.1 Platform-specific terms (used identically across the InfiQ legal suite)
- 2.2 India — Digital Personal Data Protection Act, 2023
- 2.3 EU / UK — GDPR and UK GDPR
- 2.4 United States — CCPA/CPRA
- 3. Information We Collect
- 3.1 Account & registration data (InfiQ as Controller)
- 3.2 Billing & payment data (InfiQ as Controller)
- 3.3 Customer Data & End User data (InfiQ as Processor)
- 3.4 Usage, device, log & location data (InfiQ as Controller)
- 3.5 Cookies & analytics data (InfiQ as Controller)
- 3.6 Support communications (InfiQ as Controller)
- 3.7 Data from Meta/WhatsApp and third-party integrations (mixed roles)
- 3.8 Sensitive data
- 4. How We Collect It
- 5. Purposes & Legal Bases
- 6. WhatsApp / Meta Data Handling
- 7. How We Share & Disclose
- 8. International Data Transfers
- 9. Data Retention
- 10. Security
- 11. Your Rights
- 11.1 India — Digital Personal Data Protection Act, 2023
- 11.2 EU / UK — GDPR and UK GDPR
- 11.3 California — CCPA/CPRA
- 12. Children's Data
- 13. Cookies & Tracking
- 14. Automated Decision-Making & Profiling
- 15. Changes to this Policy
- 16. Contact Us
Provided by: AIO Infinity Private Limited, the parent company that owns and provides the InfiQ platform ("InfiQ", "we", "us", "our") Website / Platform: https://www.infiq.in Registered office: 54, Old Subhash Nagar, Bhopal – 462023, Madhya Pradesh, India CIN: U62013MP2025PTC074108 · GSTIN: 23ABBCA9125H1ZX
This Privacy Policy explains how AIO Infinity Private Limited, the parent company that owns and provides the InfiQ WhatsApp Business API (CPaaS) platform, collects, uses, discloses, transfers, retains, and protects personal information, and describes the rights and choices available to individuals under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000 of India, the EU General Data Protection Regulation ("GDPR") and the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data-protection laws.
Please read this Policy together with our Terms and Conditions, Cookie Policy, Data Processing Agreement, and Sub-processors list, which form part of the framework governing your use of the Service.
1. Introduction & Scope
1.1 Electronic record
This Privacy Policy is an electronic record within the meaning of the Information Technology Act, 2000 and the rules made thereunder, and the amended provisions pertaining to electronic records in various statutes as amended by the Information Technology Act, 2000. This electronic record is generated by a computer system and does not require any physical or digital signature. It is published in accordance with the provisions of Rule 3(1) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the applicable rules that require publishing of the privacy policy and terms for access or usage of the Platform.
1.2 Who we are
InfiQ is a Communications-Platform-as-a-Service (CPaaS) product owned and provided by its parent company, AIO Infinity Private Limited, a company incorporated under the laws of India, having its registered office at 54, Old Subhash Nagar, Bhopal – 462023, Madhya Pradesh, India. InfiQ provides businesses with access to the WhatsApp Business Platform (Cloud API) provided by Meta, together with a web dashboard, team inbox, broadcast and campaign tools, chatbot/automation builder, APIs, and related features made available at https://www.infiq.in (the "Platform", "Service", or "Services").
1.3 Our two roles — Controller/Data Fiduciary and Processor/Data Processor
Data-protection law distinguishes between the party that decides why and how personal data is processed and the party that processes it on another's behalf and instructions. InfiQ operates in two distinct capacities, and this Policy addresses both:
-
InfiQ as a Data Fiduciary / Controller. When we process personal data relating to our own business and account relationships — for example, the details of a Customer's Authorised Users, billing and payment contacts, prospects and marketing leads, website visitors, and support correspondents — we determine the purposes and means of processing and act as a Data Fiduciary (DPDP Act) / Controller (GDPR) / Business (CCPA/CPRA). Sections of this Policy that describe our own collection, purposes, legal bases, retention, and individual rights apply in this capacity.
-
InfiQ as a Data Processor. When we process Customer Data and End User data — including WhatsApp message content, recipients' phone numbers, contact lists, media, and message metadata — we do so only on behalf of, and on the documented instructions of, the Customer. In this context the Customer is the Controller / Data Fiduciary of its contacts, leads, and customers, and InfiQ is a Data Processor (GDPR) / Data Processor (DPDP Act) / Service Provider (CCPA/CPRA). The terms of that processing are set out in our Data Processing Agreement, which prevails over this Policy in respect of Customer Data.
In plain terms: if you are an End User (a person who receives WhatsApp messages from a business that uses InfiQ), the business that contacted you — not InfiQ — is the controller responsible for that messaging. You should consult that business's privacy notice and direct data-subject requests to it in the first instance. We will support the Customer in responding, as described in Section 11 and in the DPA.
1.4 Scope
This Policy applies to:
- Visitors to and users of https://www.infiq.in and any InfiQ subdomains, web application, and dashboard;
- Customers, Authorised Users, prospective customers, partners, and resellers;
- Individuals who contact us for support, sales, or other enquiries; and
- Personal data we process as a Processor on a Customer's behalf, to the extent described here and governed by the DPA.
This Policy does not apply to third-party websites, applications, or services (including Meta/WhatsApp and any Customer's own website or app) that we do not own or control, nor to a Customer's independent use of personal data outside the Service.
2. Definitions
We use the following defined terms. Terms specific to a legal regime are grouped for clarity; where a concept is common across regimes, the regime-specific label is treated as equivalent.
2.1 Platform-specific terms (used identically across the InfiQ legal suite)
- "Platform" / "Service" / "Services" — the InfiQ WhatsApp Business API software-as-a-service platform, including the web dashboard, team inbox, broadcast and campaign tools, chatbot/automation builder, APIs, and related features made available at https://www.infiq.in.
- "Customer", "you", "your" — the business or organisation that registers for, subscribes to, or uses the Service.
- "Authorised User" — an individual (employee, agent, contractor) the Customer permits to access its InfiQ account.
- "End User" / "Recipient" — an individual with whom the Customer communicates through the Service (i.e., the Customer's own contacts, leads, and customers who receive WhatsApp messages).
- "Customer Data" — all data, content, contact lists, and messages the Customer or its End Users submit to, or that is processed through, the Service.
- "WhatsApp Business API" / "Cloud API" — the WhatsApp Business Platform APIs provided by Meta.
- "Meta" — Meta Platforms, Inc. and its affiliates (including WhatsApp LLC).
- "WABA" — the Customer's WhatsApp Business Account.
- "Sub-processor" — a third party engaged by InfiQ to process Customer Data on our behalf (see /subprocessors).
2.2 India — Digital Personal Data Protection Act, 2023
- "Data Principal" — the individual to whom the personal data relates (and, for a child, the parent or lawful guardian; for a person with disability, the lawful guardian).
- "Data Fiduciary" — the person who, alone or with others, determines the purpose and means of processing personal data (equivalent to a "controller").
- "Data Processor" — a person who processes personal data on behalf of a Data Fiduciary.
- "Consent Manager" — a registered entity that acts as a single point of contact enabling a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. (Consent Managers are to be registered with the Data Protection Board of India. Where InfiQ integrates with a registered Consent Manager, we will identify it and describe its role.)
- "Personal Data" — any data about an individual who is identifiable by or in relation to such data.
- "Processing" — a wholly or partly automated operation or set of operations performed on personal data.
2.3 EU / UK — GDPR and UK GDPR
- "Controller" — the entity that determines the purposes and means of processing personal data.
- "Processor" — the entity that processes personal data on behalf of the controller.
- "Data Subject" — an identified or identifiable natural person.
- "Personal Data" — any information relating to an identified or identifiable natural person.
- "Special Category Data" — personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and genetic, biometric, health, or data concerning a person's sex life or sexual orientation.
- "Supervisory Authority" — an independent public authority responsible for monitoring the application of the GDPR (e.g., a national Data Protection Authority; in the UK, the Information Commissioner's Office).
- "Standard Contractual Clauses (SCCs)" — the clauses adopted by the European Commission (Implementing Decision (EU) 2021/914) for transfers of personal data to third countries.
2.4 United States — CCPA/CPRA
- "Business" — the entity that determines the purposes and means of processing consumers' personal information (analogous to a controller).
- "Consumer" — a natural person who is a California resident.
- "Personal Information" — information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
- "Sensitive Personal Information (SPI)" — a defined subset including government identifiers, financial account credentials, precise geolocation, contents of certain communications, and similar categories.
- "Sell" / "Share" — as defined by the CCPA/CPRA (disclosure for monetary or other valuable consideration; sharing for cross-context behavioural advertising).
- "Service Provider" / "Contractor" — an entity that processes personal information on behalf of a business pursuant to a written contract (analogous to a processor).
3. Information We Collect
The categories below describe personal data we may collect. Not every category applies to every individual; what we hold depends on how you interact with InfiQ.
3.1 Account & registration data (InfiQ as Controller)
When a Customer signs up or an Authorised User is provisioned, we collect: full name; business/organisation name; work email address; mobile/telephone number; job title or role; username and hashed authentication credentials; two-factor authentication (2FA) details; profile photo (if provided); account preferences and settings; the WABA identifier, Meta Business Manager ID, connected phone number(s), and display name associated with the WhatsApp Business Account; and the plan, entitlements, and role-based permissions assigned to each Authorised User.
3.2 Billing & payment data (InfiQ as Controller)
To process Subscription Fees, Prepaid Credits/Wallet top-ups, and applicable taxes, we collect: billing name and address; GSTIN/tax identifiers; invoicing contact details; the plan and transaction history; wallet balance and usage ledger; and partial payment-instrument metadata (such as card brand, last four digits, and expiry) returned to us by our payment gateway.
We do not store full card numbers, CVV/CVC codes, or complete bank credentials. Card and other sensitive payment-instrument data are collected and processed directly by our PCI-DSS-compliant payment processors, Zoho Payments and Razorpay (and, where applicable, their acquiring banks; additional processors may be added from time to time). InfiQ does not store card data and receives only a tokenised reference and limited transaction metadata. Please review the privacy notice of the relevant payment processor for details of its processing.
3.3 Customer Data & End User data (InfiQ as Processor)
When a Customer uses the Service to communicate with its End Users, InfiQ processes the following on the Customer's behalf and instruction:
- WhatsApp message content — the text, media (images, audio, video, documents, stickers), templates, interactive components (buttons, lists), location shares, and contacts that flow through the Cloud API in either direction;
- End User identifiers — recipients' WhatsApp phone numbers, WhatsApp profile names (as exposed by the API), and any customer-reference identifiers the Customer chooses to store;
- Contact lists and audience data — contact records, tags, custom attributes/fields, opt-in status and consent records, and segmentation data the Customer uploads or builds;
- Message metadata — timestamps; delivery, read, and failure statuses; message and conversation IDs; template names and categories; conversation-category and pricing metadata; agent-assignment and routing data; and quality/rating signals returned by Meta;
- Automation and workflow data — chatbot flows, triggers, canned responses, and any variables captured during a conversation.
The nature, categories of data subjects, and duration of this processing are specified in the Data Processing Agreement. The Customer determines what End User data is collected and uploaded, the lawful basis for contacting End Users, and the content of communications; InfiQ does not independently decide these matters.
3.4 Usage, device, log & location data (InfiQ as Controller)
When you access the Platform we automatically collect: IP address; browser type and version; operating system and device type; device and screen identifiers; language and locale; referring/exit URLs; pages and features viewed and the sequence and duration of interactions; clickstream and event data; API request logs, rate-limit counters, and error/diagnostic logs; and session identifiers. We may infer approximate location (such as city or country) from your IP address for security, fraud-prevention, routing, and analytics. We do not collect precise GPS geolocation from the dashboard unless you expressly enable a feature that requires it.
3.5 Cookies & analytics data (InfiQ as Controller)
We and our analytics providers use cookies, pixels, local storage, software development kits (SDKs), and web beacons to operate, secure, measure, and improve the Platform and our website. The categories, named cookies, durations, and your choices are described in our Cookie Policy.
3.6 Support communications (InfiQ as Controller)
When you contact us (via email, in-app chat, support tickets, phone, or community channels) or when we contact you, we collect the content of those communications, contact details, and any attachments, together with metadata such as timestamps and the channel used. We may keep records of support interactions to resolve issues, train staff, and improve service quality.
3.7 Data from Meta/WhatsApp and third-party integrations (mixed roles)
- Meta/WhatsApp. During onboarding and operation, we receive information via the Meta Business and WhatsApp APIs — including WABA and phone-number status, display-name and verification status, message-template approval status, quality ratings, messaging limits/tiers, and webhooks carrying message and status events. Some of this is account data about the Customer (Controller role); message payloads are Customer Data (Processor role).
- Third-party integrations. If you connect InfiQ to third-party services (for example, CRM, e-commerce, helpdesk, payment, spreadsheet, analytics, or automation tools), we receive and exchange data with those services as configured by you. The data exchanged depends on the integration and your settings.
- Social login / SSO. If you register or sign in using a third-party identity provider (for example, Google), we receive basic profile information permitted by that provider and your privacy settings there (typically name, email address, and a unique identifier). We do not receive your password for that provider.
3.8 Sensitive data
InfiQ does not seek to collect Special Category Data / Sensitive Personal Information about Authorised Users beyond what is necessary to operate accounts and comply with law. Customers are responsible for ensuring that any sensitive data they choose to process through the Service (within message content or contact attributes) is handled lawfully, with an appropriate lawful basis or consent, and in accordance with the Acceptable Use Policy and applicable Meta policies.
4. How We Collect It
We collect personal data through the following means:
- Directly from you. When you register, configure your account, subscribe, top up your Wallet, complete forms, contact support or sales, respond to surveys, or otherwise interact with us.
- Automatically. Through cookies and similar technologies, server and application logs, and telemetry generated as you use the Platform (see Sections 3.4–3.5 and the Cookie Policy).
- From Meta/WhatsApp. Through the Meta Business and WhatsApp Cloud APIs and associated webhooks, as described in Sections 3.7 and 6.
- From partners and resellers. Where you engage InfiQ through an authorised partner, reseller, or referral partner, we may receive your registration and contact details, and information necessary to provision and support your account.
- From your Authorised Users and, via the Customer, from End Users. Customer Data (including End User data) is submitted to the Service by the Customer and its Authorised Users, or generated by End Users' interactions with the Customer over WhatsApp.
- From third-party sources. Such as identity providers (social login/SSO), fraud-prevention and enrichment providers, and publicly available sources, to the extent permitted by law.
5. Purposes & Legal Bases
Where InfiQ acts as a Data Fiduciary / Controller, we rely on the legal bases set out below. Under the GDPR we rely on one or more of the Article 6 bases (consent; contract; legal obligation; legitimate interests; and, rarely, vital interests or public task). Under the DPDP Act we process personal data either on the basis of consent or for a permitted "legitimate use" (for example, a use for which the Data Principal has voluntarily provided data and not indicated objection, or as required to comply with law). Where InfiQ acts as a Processor, the Customer is responsible for establishing the lawful basis for processing End User data; we process it under the Customer's instructions and the DPA.
| # | Purpose of processing | GDPR / UK GDPR legal basis | DPDP Act ground |
|---|---|---|---|
| 1 | Provide, operate, and maintain the Service — create and administer accounts, authenticate Authorised Users, deliver core features, and make the Platform available | Performance of a contract (Art. 6(1)(b)); legitimate interests in running our business (Art. 6(1)(f)) | Consent; legitimate use (performance of service voluntarily requested) |
| 2 | Route and deliver messages via the Meta WhatsApp Cloud API (Processor role for message payloads) | Processing on behalf of the Customer under the DPA; Customer is Controller | Processing on the Customer's behalf as Data Processor; Customer is Data Fiduciary |
| 3 | Billing, invoicing, taxation, and Wallet/credit management — process Subscription Fees, Meta Conversation Charges, top-ups, refunds, and maintain financial records | Performance of a contract (Art. 6(1)(b)); legal obligation for tax/accounting (Art. 6(1)(c)) | Legitimate use; compliance with legal obligation |
| 4 | Customer support and service communications — respond to enquiries, troubleshoot, send service/transactional notices, and manage the relationship | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) | Consent; legitimate use |
| 5 | Security, fraud prevention, abuse detection, and platform integrity — monitor for unauthorised access, prevent spam/abuse, enforce rate limits, and protect users | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) | Legitimate use (including for security and prevention of fraud) |
| 6 | Product improvement, analytics, and research — understand usage, debug, develop features, and improve reliability and UX (using aggregated/de-identified data where feasible) | Legitimate interests (Art. 6(1)(f)); consent for non-essential analytics cookies | Consent (for optional analytics); legitimate use |
| 7 | Marketing and promotional communications — send newsletters, product updates, offers, and event invitations to Customers/prospects | Consent (Art. 6(1)(a)) where required; legitimate interests for B2B soft opt-in (Art. 6(1)(f)) | Consent (with a clear opt-out) |
| 8 | Legal compliance and enforcement — comply with law, respond to lawful requests, establish/exercise/defend legal claims, and enforce our terms | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) | Compliance with legal obligation; legitimate use |
| 9 | Corporate transactions — evaluate, negotiate, and complete mergers, acquisitions, financings, or asset sales | Legitimate interests (Art. 6(1)(f)) | Legitimate use |
Marketing is consent-based. We send marketing communications only where we have a lawful basis to do so, and we always provide a simple way to opt out (an unsubscribe link in every marketing email and/or an in-app preference control). Opting out of marketing does not stop essential service/transactional messages (for example, security alerts, billing notices, or material changes to terms).
Withdrawing consent. Where we rely on consent, you may withdraw it at any time; withdrawal does not affect the lawfulness of processing before withdrawal. See Section 11.
Reliance on legitimate interests. Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You may object to such processing (see Section 11), and you may request further information about our balancing assessments via privacy@infiq.in.
6. WhatsApp / Meta Data Handling
InfiQ enables Customers to communicate with their End Users through Meta's WhatsApp Business Platform (Cloud API). This section explains how message data is handled.
- Messages route through Meta. When a Customer sends or receives WhatsApp messages via InfiQ, those messages are transmitted through Meta's WhatsApp Cloud API. As a result, WhatsApp message data (including content, phone numbers, and metadata) is processed on Meta's WhatsApp Cloud API infrastructure, which for the InfiQ Service is currently localised to data centres in India only. Meta's handling of that data is governed by Meta's and WhatsApp's own terms and policies, including the WhatsApp Business Solution Terms, the WhatsApp Business Data Processing Terms, and the Meta Platform Terms.
- Meta is a sub-processor. For the purpose of transmitting and delivering WhatsApp messages, Meta acts as a sub-processor of InfiQ (and, through the Customer's direct relationship with Meta, as an independent processor/controller for its own platform purposes). Meta is listed on our Sub-processors page.
- Cloud API hosting. InfiQ uses the cloud-hosted version of the WhatsApp Business API, meaning message routing is handled on Meta-operated infrastructure rather than on servers InfiQ hosts on the Customer's behalf. InfiQ stores conversation history, contact data, and metadata within its own systems to provide inbox, analytics, and automation features, as described in this Policy and the DPA.
- No advertising use. InfiQ does not use Meta/WhatsApp data (including message content, phone numbers, or contact lists processed through the Service) for advertising or ad-targeting, and does not sell such data. We process it solely to provide the Service to the Customer.
- Adherence to Meta Terms. InfiQ adheres to the Meta Platform Terms and the applicable WhatsApp business terms and policies, and flows relevant obligations down to Customers through the Terms and Conditions and the WhatsApp Messaging & Anti-Spam Policy. Customers must comply with these Meta policies, including obtaining valid opt-in before messaging End Users.
- Meta policies referenced. The principal Meta/WhatsApp policies that apply include:
- WhatsApp Business Solution Terms — https://www.whatsapp.com/legal/business-solution-terms
- WhatsApp Business Terms of Service — https://www.whatsapp.com/legal/business-terms
- WhatsApp Business Messaging Policy — https://www.whatsapp.com/legal/messaging-policy
- WhatsApp Commerce Policy — https://www.whatsapp.com/legal/commerce-policy
- WhatsApp Business Data Processing Terms — https://www.whatsapp.com/legal/business-data-processing-terms
- Meta Platform Terms — https://developers.facebook.com/terms/
Because message data traverses Meta's platform, End Users' communications are also subject to WhatsApp's end-to-end encryption and Meta's own data practices, over which InfiQ has no control.
7. How We Share & Disclose
We share personal data only as described below. We do not sell personal data, and we do not "share" personal data for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA.
- Sub-processors. We engage vetted third-party sub-processors to provide infrastructure and functionality — for example, cloud hosting, the WhatsApp Cloud API (Meta), analytics, email/notification delivery, customer-support tooling, and error monitoring. Each sub-processor is bound by contractual obligations consistent with this Policy and the DPA, and processes personal data only for the purposes we specify. Our current sub-processors are listed at /subprocessors.
- Affiliates. We may share personal data with our group companies and affiliates for the purposes described in this Policy, subject to appropriate safeguards.
- Payment processors. Billing and payment-instrument data are shared with our PCI-DSS-compliant payment processors, Zoho Payments and Razorpay (additional processors may be added from time to time), to process transactions, as described in Section 3.2. InfiQ does not store card data.
- Professional advisers. We may disclose personal data to auditors, lawyers, accountants, insurers, and consultants where necessary for their professional services and subject to confidentiality obligations.
- Legal and regulatory disclosures. We may disclose personal data where we believe in good faith that it is necessary to comply with a law, regulation, legal process, or enforceable governmental or regulatory request (including from Indian authorities under the IT Act/DPDP Act and, where applicable, foreign authorities); to enforce our terms; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of InfiQ, our users, or the public.
- Business transfers. If InfiQ is involved in a merger, acquisition, reorganisation, financing, sale of assets, or insolvency, personal data may be transferred as part of that transaction, subject to the receiving party continuing to honour this Policy or providing notice of any material change. We will notify affected individuals where required by law.
- With your direction or consent. We share personal data with third parties (for example, integrations you enable) when you instruct us to or otherwise consent.
For Customer Data processed in our Processor role, disclosures are governed by the DPA and are made only on the Customer's instructions or as required by law (with notice to the Customer where legally permitted).
8. International Data Transfers
InfiQ is based in India and serves customers in India and abroad. InfiQ currently hosts and processes all personal data and Customer Data in India only.
- Processing location (India only). All personal data and Customer Data processed by InfiQ currently reside and are processed in India, in data centres located in India operated by our cloud infrastructure providers Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. The WhatsApp Business Platform (Meta Cloud API) used by the Service is likewise localised to India only. We do not currently host or process this data outside India. Our sub-processors are listed at /subprocessors.
- Transfers into India by customers. Because InfiQ currently hosts in India, a Customer that is established in, or that collects personal data from individuals in, the EEA, the UK, Switzerland, or another jurisdiction will be transferring that data into India when it uses the Service. Where such a transfer is to a country (India) not recognised as providing an adequate level of protection under the relevant law, we support one or more of the following safeguards for the import of that data into India:
- EU Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914), incorporated into our contracts, together with any required supplementary measures;
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs for data subject to the UK GDPR;
- reliance on an adequacy decision of the European Commission or the UK, where one applies; and
- the EU-US Data Privacy Framework and its UK Extension and Swiss-US counterpart, where a relevant onward-transfer recipient is certified.
- DPDP Act transfers. Any transfer of personal data outside India would be made in accordance with the DPDP Act and any restrictions the Central Government may notify regarding transfers to specified countries or territories.
- Your copy of the safeguards. You may request a copy of the relevant transfer mechanism (with commercially sensitive terms redacted) by contacting privacy@infiq.in.
9. Data Retention
InfiQ is designed for the long-term retention of records. InfiQ does not provide automated data deletion or purge, and does not routinely delete, purge, or anonymise personal data or Customer Data. Personal data and Customer Data are retained for the life of the account and, thereafter, for operational, record-keeping, business-continuity, and legal purposes, for as long as we consider appropriate or as required or permitted by applicable law. We do not operate a routine deletion or purge cycle, and we do not automatically delete or return Customer Data on termination.
Statutory erasure requests. Where you have a right of erasure or deletion under applicable law, we action such requests only to the extent strictly required by that law; in all other respects, and wherever the law does not compel deletion, data is retained in accordance with this Section and our record-keeping practices.
Retention considerations. Our retention is informed by: (a) the nature and sensitivity of the data; (b) the purposes for which we process it; (c) applicable statutory retention requirements (for example, tax, GST, and companies-law record-keeping); and (d) the need to establish, exercise, or defend legal claims. Records such as billing, invoicing, and tax records are, in particular, retained to meet mandatory statutory record-keeping obligations.
Customer Data (Processor role). Customer Data is retained for the life of the Customer's account and thereafter as described above and in the Data Processing Agreement. InfiQ does not automatically delete or return Customer Data on termination and does not operate a routine backup-purge cycle; such data is retained unless, and only to the extent that, deletion is strictly required by applicable law.
10. Security
We maintain administrative, technical, and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encrypted databases to industry standards — data stored at rest is held in encrypted databases encrypted to prevailing industry standards using AES-256 (or equivalent), with managed key rotation;
- Encryption in transit using TLS 1.2/1.3 for data moving between clients, the Platform, and our sub-processors;
- Two-factor authentication (2FA) required for account access (and enforced for privileged and administrative roles);
- Role-based access control (RBAC) and the principle of least privilege, so that Authorised Users and staff access only what their role requires;
- Access logging and monitoring, audit trails, and alerting on anomalous activity;
- Network security controls (firewalls, segmentation, secrets management) and secure software-development practices (code review, dependency scanning, vulnerability management);
- Regular backups, disaster-recovery planning, and periodic testing;
- Vendor risk management and contractual security obligations for sub-processors; and
- Personnel measures including confidentiality obligations and security awareness training.
Breach response. We maintain an incident-response process to detect, assess, contain, and remediate personal-data breaches. Where InfiQ acts as a Processor, we will notify the affected Customer without undue delay and, in any event, within seventy-two (72) hours of becoming aware of a personal-data breach affecting its Customer Data, as set out in the DPA, so the Customer (as Controller/Data Fiduciary) can meet its own notification obligations. Where InfiQ acts as a Controller/Data Fiduciary, we will notify the relevant supervisory authority, the Data Protection Board of India, and/or affected individuals where and as required by applicable law (including the GDPR's 72-hour authority-notification standard and the DPDP Act's breach-intimation requirements).
No method of transmission or storage is completely secure. While we work hard to protect your data, we cannot guarantee absolute security, and you also have a role to play — keep your credentials confidential, enable 2FA, and notify us promptly of any suspected compromise at privacy@infiq.in.
11. Your Rights
The rights available to you depend on where you are located and the applicable law. If you are an End User whose data InfiQ processes as a Processor, please direct your request to the Customer (the business that contacted you), which is the Controller/Data Fiduciary; we will assist that Customer in responding as required by the DPA. If you are a Customer, Authorised User, prospect, or website visitor whose data we hold as a Controller/Data Fiduciary, you may exercise the rights below directly with us.
How to exercise your rights. Submit a request to privacy@infiq.in (with a copy to support@infiq.in if you wish; see Section 16, Contact Us). We may need to verify your identity before acting, and may ask for additional information for that purpose. We will not discriminate against you for exercising your rights.
11.1 India — Digital Personal Data Protection Act, 2023
As a Data Principal, you have the right to:
- Access — obtain a summary of the personal data we process about you and the processing activities, and the identities of Data Fiduciaries/Processors with whom it has been shared;
- Correction and completion — have inaccurate or misleading personal data corrected, incomplete data completed, and out-of-date data updated;
- Erasure — request erasure of your personal data; such requests are honoured only to the extent strictly required by applicable law and remain subject to InfiQ's retention and record-keeping practices described in Section 9, and InfiQ does not otherwise delete or purge data;
- Grievance redressal — have a readily available means of registering a grievance with us (by writing to privacy@infiq.in; see Section 16, Contact Us) before approaching the Data Protection Board of India;
- Nominate — nominate another individual to exercise your rights in the event of your death or incapacity; and
- Withdraw consent — withdraw consent as easily as it was given, where our processing relies on consent.
Response timeline (India). We acknowledge grievances within 48 hours and endeavour to resolve requests and grievances within the timelines prescribed under the DPDP Act and the IT Act rules. If you are dissatisfied with our response, you may lodge a complaint with the Data Protection Board of India.
11.2 EU / UK — GDPR and UK GDPR
As a Data Subject, you have the right to:
- Access — obtain confirmation of whether we process your personal data and a copy of it, along with prescribed information;
- Rectification — have inaccurate personal data corrected and incomplete data completed;
- Erasure ("right to be forgotten") — request deletion of personal data in certain circumstances; we action such requests only to the extent strictly required by applicable law and subject to InfiQ's retention and record-keeping practices (see Section 9), and we do not otherwise delete or purge data;
- Restriction — obtain restriction of processing in certain circumstances;
- Data portability — receive personal data you provided to us in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible;
- Object — object to processing based on legitimate interests, and object at any time to processing for direct marketing;
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing; and
- Lodge a complaint — with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, or (in the UK) with the Information Commissioner's Office (ICO). We would appreciate the chance to address your concerns first via privacy@infiq.in.
You also have the right not to be subject to solely automated decisions producing legal or similarly significant effects (see Section 14).
Response timeline (EU/UK). We respond to rights requests without undue delay and within one (1) month of receipt, extendable by up to two further months for complex or numerous requests (we will inform you of any extension and the reasons).
11.3 California — CCPA/CPRA
As a consumer, you have the right to:
- Know / access — request the categories and specific pieces of personal information we have collected, the sources, the business/commercial purposes, and the categories of third parties to whom it is disclosed;
- Delete — request deletion of personal information we collected from you; we honour such requests only to the extent strictly required by applicable law and subject to our retention and record-keeping practices (see Section 9), and we do not otherwise delete or purge data;
- Correct — request correction of inaccurate personal information;
- Opt out of sale/sharing — direct us not to sell or share your personal information. InfiQ does not sell or share personal information as those terms are defined under the CCPA/CPRA; if this changes, we will provide a "Do Not Sell or Share My Personal Information" mechanism;
- Limit use of Sensitive Personal Information — direct us to limit use of SPI to permitted purposes (we use SPI only as necessary to provide the Service and for permitted purposes, and not to infer characteristics);
- Non-discrimination — not receive discriminatory treatment for exercising your rights; and
- Use an authorised agent — designate an authorised agent to submit requests on your behalf (we may require proof of authorisation and verification of your identity).
Response timeline (California). We confirm receipt within 10 business days and respond substantively within 45 calendar days, extendable by a further 45 days where reasonably necessary (with notice). Verifiable requests to know may cover the preceding 12-month period (or longer where required).
12. Children's Data
The Service is intended for use by businesses and their Authorised Users and is not directed to children, and we do not knowingly collect personal data from children as account holders.
- India (DPDP Act). For processing the personal data of a child (under 18 years) or a person with disability who has a lawful guardian, we require verifiable consent of the parent or lawful guardian, and we do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.
- EU/UK (GDPR). Where information-society services are offered directly to a child, consent is valid only for children aged 16 or over (Member States may set a lower age, not below 13); below that age, parental/guardian authorisation is required.
- United States (COPPA). We do not knowingly collect personal information from children under 13 in a manner regulated by the Children's Online Privacy Protection Act.
If you believe a child has provided us personal data without appropriate consent, please contact privacy@infiq.in and we will take appropriate steps to delete it. Customers are responsible for ensuring that they do not use the Service to process children's data unlawfully.
13. Cookies & Tracking
We and our providers use cookies, pixels, local storage, SDKs, and web beacons to operate, secure, measure, and improve our website and the Platform, and (where you consent) for analytics and marketing. You can manage your preferences through our consent banner and your browser settings. For full details — including the categories of cookies, a representative cookie table, third-party cookies, and opt-out links — please see our Cookie Policy.
14. Automated Decision-Making & Profiling
InfiQ does not make decisions that produce legal or similarly significant effects concerning individuals based solely on automated processing, without human involvement. We do use automated processing for limited operational purposes such as spam/abuse detection, fraud and security scoring, rate-limiting, message routing, and product analytics; these do not by themselves determine outcomes with legal or similarly significant effects on Authorised Users.
Any chatbot, automation, or workflow that a Customer builds and operates through the Service is configured and controlled by that Customer; InfiQ does not determine the logic or outcomes of a Customer's automations, and the Customer is responsible for ensuring that any automated decision-making affecting its End Users complies with applicable law (including providing required notice, meaningful information about the logic, and, where applicable, the ability to obtain human review). Where the GDPR applies and solely automated decisions with legal or similarly significant effects are made, affected individuals have the right to obtain human intervention, express their point of view, and contest the decision.
15. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or the Service. When we make material changes, we will update the "Effective / Last Updated" date at the top and, where appropriate, provide additional notice (for example, by email or an in-Platform notification). Your continued use of the Service after an update takes effect constitutes acknowledgement of the revised Policy, to the extent permitted by law. We encourage you to review this Policy periodically. Prior versions are available on request from privacy@infiq.in.
16. Contact Us
If you have questions, requests, or concerns about this Privacy Policy or our data practices, please contact us. All privacy queries and complaints may be directed to privacy@infiq.in and support@infiq.in.
AIO Infinity Private Limited (InfiQ) 54, Old Subhash Nagar, Bhopal – 462023, Madhya Pradesh, India Website: https://www.infiq.in Phone: 022-69621762 (Monday–Friday, 10:00 AM–5:00 PM IST)
| Purpose | Contact |
|---|---|
| General & support | support@infiq.in |
| Privacy & data requests | privacy@infiq.in |
| Phone | 022-69621762 (Monday–Friday, 10:00 AM–5:00 PM IST) |
Related documents: Terms and Conditions · Cookie Policy · Data Processing Agreement · Sub-processors
This Privacy Policy describes the practices of AIO Infinity Private Limited in relation to the InfiQ platform. Where InfiQ processes Customer Data on a Customer's behalf, the Data Processing Agreement governs and, in the event of a conflict with this Policy in respect of such Customer Data, that Agreement prevails.