Privacy Policy

1. Who We Are & Data Fiduciary Designation

Patherle is a B2B SaaS platform that enables Indian micro, small and medium enterprises (MSMEs) to deploy AI-powered chatbots on WhatsApp, Telegram, and their own websites. Businesses use Patherle to automate customer enquiries, manage leads, sync product catalogues, and communicate with customers in 23 Indian languages.

As a Data Fiduciary under the Digital Personal Data Protection Act 2023 (DPDP Act), we determine the purpose and means of processing your personal data. Where we engage third-party service providers to process data on our behalf, they act as Data Processors under our written instructions.

2. Definitions

These terms have the meanings assigned under the DPDP Act 2023 unless the context requires otherwise:

3. Data We Collect

We apply strict data minimisation: every field in the table below is necessary for the stated purpose. We do not collect data speculatively or for future purposes we have not yet defined.

3.1 Account & Identity Data

3.2 Channel Credentials (Sensitive Personal Data)

3.3 Operational & Customer Data (Your Business Data)

This is data you upload or generate while operating Patherle. You own this data. We process it only to deliver the service.

3.4 Technical & Usage Data

3.5 Billing Data

4. How We Use Your Data

We use personal data strictly for the following purposes. We do not use your data to train general AI models, nor do we share it with advertisers.

• Service delivery - operating, maintaining, and improving the Patherle platform
• Bot operation - generating AI responses to your customers' WhatsApp and Telegram messages
• HITL workflow - presenting unresolved queries to you (the business owner) for manual review and approval
• ERP sync - reading your product catalogue from connected ERP systems and pushing it to the bot knowledge base
• Analytics - providing you with usage dashboards about your bot's performance (this is your data, processed to surface insights to you)
• Security & fraud prevention - detecting unusual login activity, rate-limit enforcement, abuse detection
• Legal compliance - meeting obligations under the IT Act 2000, DPDP Act 2023, and GST laws
• Customer communications - sending transactional emails (plan alerts, password resets, material policy changes)
• Product improvement - analysing aggregated, anonymised usage patterns to decide which features to build next

5. Legal Basis for Processing

Under the DPDP Act 2023, every act of processing must have a lawful basis. Here is ours:

Consent withdrawal: You may withdraw your consent at any time by deleting your account via Settings → Account & Data. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal, or processing required under legal obligation.

6. Third Parties & Sub-Processors

We engage the following Data Processors under data processing agreements. Each receives only the data strictly necessary to perform their function.

We do not permit any of the above processors to use your data for their own commercial purposes (advertising, model training, etc.) beyond what is necessary to provide their respective services to us.

6.1 Google API Services User Data Policy — Limited Use

When you connect Google Sheets to Patherle, our application accesses Google user data through the Google Sheets API and Google Drive API (using the drive.file scope — we can only read or write files our application created or files you explicitly opened with our app).

Patherle's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, data accessed via Google APIs (including Google Sheets and Google Drive) is:

• Used only to provide or improve user-facing features that are visible and prominent in the Patherle interface (writing your synthesised business data to a Google Spreadsheet you own).
• Not used to develop, improve, or train generalised AI or machine-learning models. Google user data never enters our embedding pipeline, our RAG knowledge base, or any third-party model training set.
• Not transferred to others, except as necessary to provide or improve the user-facing feature, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with continued user notification.
• Not used or transferred for serving advertisements, including retargeting, personalised, or interest-based advertising.
• Accessible to humans only when (a) we have your explicit consent, (b) it is necessary for security purposes (such as investigating abuse), (c) we are required by applicable law to do so, or (d) the data has been aggregated and anonymised so that it can no longer be associated with an individual user.

You can revoke Patherle's access to your Google account at any time from your Google Account Permissions page, or by clicking Disconnect on the Patherle Integrations page in your dashboard. Upon disconnection, our stored OAuth tokens for your account are deleted within 24 hours.

7. Cross-Border Data Transfers

Several of our service providers are based outside India (primarily the United States). Where personal data is transferred across borders, we rely on the following safeguards:

• Data Processing Agreements (DPAs) - we have or require DPAs with each sub-processor that impose contractual obligations on data protection equivalent to Indian law standards.
• Encryption in transit - all data is encrypted using TLS 1.2 or higher before it leaves India's borders.
• Data minimisation at transfer - only the minimum data necessary for the processor's function is transmitted internationally.
• India-hosted processors where available - Sarvam AI (language processing) and Razorpay (payments) are India-based, keeping the most sensitive processing within Indian jurisdiction.

8. Data Retention Schedule

We keep your data only for as long as necessary. The schedule below is binding and implemented in our database systems.

When you delete your account via Settings, all data in the rows marked "until account closed" is deleted immediately (within seconds) using a cascade-delete mechanism. Billing records are retained for the statutory 7-year period even after account deletion.

9. Your Rights Under the DPDP Act 2023

As a Data Principal, the DPDP Act 2023 grants you the following rights. You can exercise most of them directly from your Settings page, or by contacting privacy@patherle.com. We will respond within 30 days of a verified request.

10. Sensitive Personal Data - IT Act 2000 & SPDI Rules 2011

The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, issued under Section 43A of the IT Act 2000, impose additional obligations on us when we handle Sensitive Personal Data or Information (SPDI).

The following data we process qualifies as SPDI under Rule 3:

• Passwords - your account password (stored only as a bcrypt hash with cost factor 12)
• Financial information - billing records, transaction metadata (processed via Razorpay; we do not hold card numbers)
• API credentials and access tokens - functionally equivalent to financial account credentials as they grant access to WhatsApp Business Accounts and ERP systems

For SPDI, Rule 6 requires your explicit written consent before we collect it. This consent is obtained via the sign-up consent checkbox and, for channel integrations, via the in-app Settings page where you actively paste your own credentials. Rule 6(1) also requires that you be given an option to not provide SPDI - for channel credentials specifically, you may opt not to integrate WhatsApp or Telegram at any time without losing access to other Patherle features.

Grievance mechanism for SPDI: Under Rule 5(9), if you have a grievance regarding our handling of your SPDI, please contact our Grievance Officer (Section 16).

11. Security Measures

Under Rule 8 of the IT (SPDI) Rules 2011 and Section 11 of the DPDP Act 2023, we are required to implement reasonable security practices. Here is what we have implemented:

11.1 In Transit

• TLS 1.2 minimum enforced on all API and web endpoints (TLS 1.3 preferred)
• HTTP Strict Transport Security (HSTS) headers enabled
• All webhook endpoints verified with HMAC signatures

11.2 At Rest

• Supabase database encryption at rest (AES-256 via AWS RDS)
• API credentials, ERP OAuth tokens, and channel tokens stored in encrypted JSONB fields
• Row-level security (RLS) in Supabase - every database query is scoped to the authenticated tenant; no tenant can access another's data
• Passwords stored as bcrypt hashes (cost factor 12) - plaintext passwords are never stored

11.3 Access Controls

• Backend API requires a valid JWT on every authenticated endpoint
• Production database is accessible only from the Railway backend - no direct public database access
• CORS policy restricts API access to approved origins only
• IP-based rate limiting prevents brute-force attacks

11.4 Operational Security

• Automated conversation text purge runs nightly (DPDP data minimisation)
• Security dependency audits run on every deployment
• Production environment variables managed via Railway secrets vault - not in source code

12. Data Breach Response

Under Section 8(6) of the DPDP Act 2023 and Rule 12 of the IT (SPDI) Rules 2011, we have a documented breach response procedure:

1. Detection & containment - Upon identifying a suspected breach, the incident is immediately contained (compromised credentials rotated, access revoked).
2. Assessment - We determine the scope, nature of data affected, and risk of harm to Data Principals.
3. Notification to Data Protection Board - We report to CERT-In (Computer Emergency Response Team, India) and, once constituted, the Data Protection Board of India, as required by law.
4. Notification to you - If your personal data is affected and there is a risk of harm, we will email you at your registered address within 72 hours of becoming aware of the breach. The notice will describe: what data was affected; what we believe happened; what we have done to contain it; and what steps, if any, you should take.
5. Post-incident review - We conduct a root-cause analysis and implement corrective measures.

13. Cookies & Tracking Technologies

We use a minimal set of cookies and tracking technologies:

We do not use:

• Marketing or advertising cookies (Google Ads, Meta Pixel, etc.)
• Cross-site tracking cookies
• Third-party retargeting pixels
• Browser fingerprinting for tracking purposes

To opt out of PostHog analytics, email privacy@patherle.com with "Opt out of analytics" in the subject. We will exclude your session from analytics collection within 48 hours.

14. Children's Privacy

Patherle is a B2B platform designed exclusively for registered businesses and their adult representatives. We do not knowingly collect personal data from any individual under the age of 18. Our sign-up consent explicitly requires confirmation that you are 18 or older.

Under Section 9 of the DPDP Act 2023, processing of personal data of children requires verifiable parental consent. If we become aware that we have inadvertently collected data from a minor, we will delete that account and all associated data within 24 hours. Please notify us immediately at privacy@patherle.com if you believe a minor has registered.

15. Changes to This Policy

We may update this Privacy Policy when our data practices change or when required by law. For material changes (changes that expand what data we collect, change how we use it, or affect your rights), we will:

• Email you at your registered email address
• Display a prominent notice within the Patherle app
• Provide at least 30 days' notice before the change takes effect
• For changes that require fresh consent under the DPDP Act, present a new consent request in the app

For non-material changes (typographical corrections, clarifications that do not alter your rights), we will update the "Last revised" date at the top of this page without additional notice. The current version of this policy is always available at www.patherle.com/privacy.

16. Grievance Officer

Under Rule 3(11) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, every intermediary shall designate a Grievance Officer and publish their contact information. In compliance:

Your grievance must include: your registered email address; a description of the grievance; and, where relevant, the specific data or processing activity you are complaining about. For complex matters involving SPDI, please attach relevant supporting evidence.

If your grievance is not resolved to your satisfaction within 30 days, you have the right to escalate to the Data Protection Board of India (Section 25, DPDP Act 2023) once it is constituted by the Central Government. For IT Act complaints, you may approach the Adjudicating Officer (Section 46, IT Act 2000) at the Ministry of Electronics and Information Technology.

For full grievance procedures, see our dedicated Grievance Redressal page.

17. Contact

For all privacy matters that are not grievances, contact:

This Privacy Policy is governed by the laws of the Republic of India. Any dispute arising in connection with this Policy, or with our collection, use, or handling of your personal data, shall be subject to the exclusive jurisdiction of the competent courts in Mumbai, Maharashtra, India, without prejudice to your right to approach the Data Protection Board of India or CERT-In under applicable statutory provisions.

Related documents: Terms of Service  ·  Grievance Redressal