Privacy

Privacy Policy

This policy explains how OtomateFlow handles information across our website, managed AI messaging platform, and integrations with Meta, Instagram, Messenger, WhatsApp, advertising, booking, and related business systems.

Last updated: 19 July 2026

1. Who we are and when this policy applies

OtomateFlow (“OtomateFlow”, “we”, “us”, or “our”) provides managed AI messaging, workflow automation, business inbox, lead qualification, booking, customer-support, and performance-marketing services to organisations in India.

This policy applies to visitors to https://otomateflow.com, representatives and staff of our business clients, and people who communicate with a client through a channel connected to OtomateFlow, including Facebook Messenger, Instagram, and WhatsApp.

For information a person sends to one of our business clients, that client ordinarily decides why the information is used and acts as the Data Fiduciary or controller. OtomateFlow ordinarily processes that information on the client's instructions as a Data Processor or service provider. The client's own privacy notice may also apply.

2. Information we process

Website and enquiry information

  • Name, work email, phone number, organisation, industry, and enquiry details.
  • Basic technical and usage information such as browser, device, IP address, referring page, timestamps, and security logs.

Business-client and account information

  • Organisation, authorised-user, role, department, billing, subscription, support, and audit information.
  • Connected business-account details, Page or professional-account identifiers, permission scopes, connection status, and encrypted access credentials.

Messaging and Meta Platform Data

  • Page-scoped, Instagram-scoped, or channel-scoped user identifiers; profile or display name; username; and profile information made available by the connected platform.
  • Message text, replies, attachments or media references, timestamps, delivery state, language, conversation status, and staff or AI responses.
  • Facebook Page, Instagram professional-account, WhatsApp Business, and related business asset metadata authorised by the client.
  • Booking, reservation, lead, consent, opt-out, handoff, campaign, and customer-service information supplied during a conversation.

AI, advertising, and operational information

  • Prompt context, retrieved business knowledge, generated responses, language detection, usage counts, error records, and safety or quality-review information.
  • Where a client enables Growth services: campaign, attribution, conversion, ad-account, spend, creative, and performance information authorised by that client.

We do not intentionally request passwords for a person's Facebook or Instagram account. Authentication occurs on Meta's services. Access tokens received after authorisation are encrypted at rest and are not displayed through our client APIs.

3. Where information comes from

  • Directly from website visitors, clients, authorised users, and message senders.
  • From Meta Platforms and connected channels when a client authorises our application.
  • From client-provided knowledge bases, contact imports, calendars, forms, CRM, HMS, PMS, payment, advertising, or other approved integrations.
  • Automatically from our website, platform, webhooks, APIs, logs, and security systems.

4. Why and how we use information

  • Provide the connected inbox, AI assistant, staff handoff, booking, reminders, notifications, attribution, reporting, and other contracted workflows.
  • Route incoming messages to the correct client and originating channel, maintain conversation history, and deliver permitted replies.
  • Authenticate authorised users, administer accounts, provide support, invoice clients, and keep required audit records.
  • Detect abuse, honour opt-outs, enforce channel messaging windows and permissions, protect tenant isolation, investigate failures, and maintain security.
  • Measure service usage and reliability and improve configured workflows, subject to our client agreements and applicable law.
  • Comply with legal obligations, valid government requests, Meta Platform Terms, and other platform rules.

We process information only for disclosed, authorised, and reasonably necessary purposes. We do not sell Meta Platform Data or message content. We do not use a client's message data to advertise unrelated third-party products.

5. AI-assisted processing

A client may enable AI-assisted responses using its approved business information and conversation context. Depending on the workflow, message content may be sent to a contracted model or infrastructure provider solely to generate or support the requested service. Clients can pause AI for a conversation and use human takeover.

AI responses can be incomplete or inaccurate. Clients remain responsible for configuring workflows, reviewing high-impact outcomes, and ensuring that staff—not an automated response—make medical, legal, financial, employment, credit, or other consequential decisions. OtomateFlow is not an emergency or medical-diagnosis service.

6. When information is shared

We may share information only as necessary with:

  • The relevant business client and its authorised staff.
  • Meta Platforms, Instagram, Messenger, WhatsApp, and Gupshup where required to receive or deliver messages and manage authorised business assets.
  • Cloud hosting, database, security, communications, email, AI-model, analytics, payment, and support providers acting under appropriate contractual or confidentiality terms.
  • A successor in a merger, acquisition, restructuring, or sale, subject to continued protection of the information.
  • Courts, regulators, law-enforcement agencies, or other parties where disclosure is legally required or necessary to protect rights, safety, and service integrity.

Our service is hosted in India by default. Some connected platforms and specialist providers may process information in other countries. Where applicable, we use contractual, technical, and organisational safeguards for such processing.

7. Retention

We retain information only for as long as needed to provide the contracted service, maintain security and auditability, resolve disputes, and meet legal or platform obligations. Retention may vary by client configuration and data category.

When a connection is removed, a contract ends, or a valid deletion request is completed, we delete or de-identify covered information unless a longer period is required by law, fraud prevention, security, dispute resolution, or an agreed client retention schedule. Residual encrypted backups are removed through our normal backup lifecycle and are not restored for ordinary business use.

8. Security

We use safeguards designed for the sensitivity of the information, including tenant-scoped access controls, role permissions, encryption of connected-account tokens, webhook-signature verification, audit logging, restricted production access, backups, and monitoring. No internet service is completely secure, and we cannot guarantee that a security incident will never occur.

9. Your choices and rights

Subject to applicable law and our role in the processing, you may request access, correction, deletion, withdrawal of consent, or grievance resolution. You may also stop promotional WhatsApp messages using recognised opt-out instructions and may remove OtomateFlow from Meta's Apps and Websites settings.

If your request concerns a conversation with one of our business clients, contacting that business directly is usually the fastest route. You may also follow our Data Deletion Instructions or email privacy@otomateflow.com. We may need to verify your identity and identify the relevant business and channel before acting.

10. Children

Our platform is offered to businesses and their authorised staff. We do not knowingly invite children to create OtomateFlow business accounts. A client serving minors must establish an appropriate legal basis, provide required notices, and obtain guardian consent where applicable.

11. Third-party services

Meta, Instagram, Messenger, WhatsApp, Gupshup, payment providers, and client-selected integrations operate under their own terms and privacy policies. This policy does not control their independent processing. A client's use of those services is also subject to the applicable provider terms.

12. Changes to this policy

We may update this policy to reflect service, legal, or platform changes. The revised version will be posted at this URL with an updated date. Material changes may also be communicated to affected clients through an appropriate channel.

13. Contact and grievance requests

Privacy, deletion, or grievance requests may be sent to privacy@otomateflow.com.

OtomateFlow
Guwahati, Assam-781022, India

Book a scoping call