Privacy Policy

Your Data, Our Responsibility

A transparent account of how Epicwave Technologies collects, uses, and protects your personal information — including via WhatsApp Business.

GDPRCCPA/CPRAIndia DPDP Act 2023WhatsApp Business APIPDPALGPDPIPEDA
01

About This Privacy Policy

This Privacy Policy governs how Epicwave Technologies (“we,” “us,” or “our”) collects, uses, stores, shares, and protects personal data when you interact with our website, mobile applications, and messaging services — including communications conducted through the WhatsApp Business Platform powered by Meta.

By using our services, you acknowledge you have read and understood this policy. If you do not agree, please discontinue use of our services.

02

Data Controller & Contact Information

The data controller responsible for your personal information is:

Epicwave Technologies
privacy@epicwave.tech
dpo@epicwave.tech
September 20, 2025
03

WhatsApp Business API — Specific Disclosures

We use the WhatsApp Business API (provided by Meta Platforms, Inc.) to communicate with users. The following disclosures are required under Meta's WhatsApp Business Policy and applicable law.

WhatsApp Opt-In & Opt-Out

We only message users who have given explicit, documented opt-in consent. You may withdraw consent at any time by:

  • Replying STOP to any WhatsApp message from us
  • Emailing privacy@epicwave.tech with subject “WhatsApp Opt-Out”
  • Using the opt-out link in any message we send

We will cease WhatsApp communications within 24 hours of your request.

Data Shared with Meta via WhatsApp

When you communicate with us via WhatsApp, Meta Platforms, Inc. processes certain data as a sub-processor, including:

  • Your WhatsApp phone number and profile information
  • Message content (end-to-end encrypted in transit; we receive and store content you send us)
  • Message metadata: timestamps, delivery receipts, read receipts
  • Device information associated with your WhatsApp account

Meta's use of this data is governed by Meta's Privacy Policy. We recommend reviewing it independently.

Message Templates

All outbound WhatsApp messages we initiate use pre-approved Message Templates reviewed and approved by Meta. We do not use WhatsApp to send unsolicited commercial communications.

04

Personal Data We Collect

Data You Provide Directly

  • Full name and contact details (phone number, email address, postal address)
  • Account credentials (username, hashed password — we never store plaintext passwords)
  • Payment information (processed via PCI-DSS Level 1 compliant processors; raw card data is never stored by us)
  • Communications sent via WhatsApp, email, or contact forms
  • Feedback, survey responses, and support requests

Data Collected Automatically

  • IP address, browser type, operating system, and device identifiers
  • Pages visited, links clicked, time spent, referral URLs
  • Cookie data and similar tracking technologies (see Section 10)
  • Approximate geolocation derived from IP address

Data from Third Parties

  • Social login providers (Google, Apple, Meta) — only with your consent
  • Analytics and advertising partners
  • Fraud prevention and identity verification services
06

How We Use Your Personal Data

  • To provide, operate, and improve our products and services
  • To process transactions and send related notices (receipts, invoices)
  • To send service updates, security alerts, and support messages via WhatsApp or email
  • To send marketing and promotional content (only with your explicit opt-in consent)
  • To analyse usage patterns and improve user experience
  • To detect, investigate, and prevent fraudulent or illegal activities
  • To comply with legal obligations and respond to lawful requests from authorities
  • To enforce our Terms of Service and other agreements
07

Data Sharing & Third-Party Disclosure

We do not sell your personal data. We may share data in the following limited circumstances:

Service Providers (Sub-processors)

💬
Meta Platforms, Inc.WhatsApp Business API provider — sub-processor under a Data Processing Agreement
☁️
Cloud InfrastructureAWS / Google Cloud — hosting, storage, and compute services
💳
Payment ProcessorsPCI-DSS Level 1 certified gateways — raw card data never reaches our servers
📊
Analytics ServicesGoogle Analytics (IP anonymisation enabled) and equivalent tools

All sub-processors are bound by Data Processing Agreements (DPAs) and must implement equivalent data protection measures.

Legal Disclosures

We may disclose data when required by law, court order, or governmental authority, or to protect the safety and rights of our users and company.

Business Transfers

In the event of a merger, acquisition, or asset sale, personal data may be transferred. You will be notified at least 30 days in advance via email or prominent website notice.

08

International Data Transfers

Your data may be processed outside your home country (including the US and EEA). Where such transfers occur, we use appropriate safeguards:

  • EU Standard Contractual Clauses (SCCs) — for transfers from the EEA
  • UK International Data Transfer Agreements (IDTAs) — for UK transfers
  • Adequacy decisions where applicable
  • Binding Corporate Rules or equivalent frameworks

For transfers from India under the DPDPA 2023, we comply with all Government of India-approved frameworks and do not transfer data to jurisdictions restricted by notification.

09

Data Retention

We retain personal data only as long as necessary for the stated purposes or as required by law:

Data CategoryRetention PeriodBasis
Account & profile dataDuration of account + 2 yearsContract / Legal
WhatsApp message logs12 months from last interactionLegitimate interest
Financial / transaction records7 yearsTax & legal obligation
Marketing consent recordsUntil withdrawal + 5 yearsGDPR Art. 7(1)
Security / access logs90 daysLegitimate interest
Cookies (analytics)Up to 13 monthsCookie consent

After retention periods expire, data is securely deleted or anonymised in accordance with NIST SP 800-88 or equivalent standards.

10

Cookies & Tracking Technologies

We use cookies and similar technologies. You may control preferences via our Cookie Consent Manager shown on your first visit.

  • Strictly Necessary — Required for site functionality; cannot be disabled
  • Performance / Analytics — Help us understand usage patterns
  • Functional — Remember your preferences and settings
  • Marketing / Targeting — Deliver relevant advertising (only with consent)

For users in the EU, UK, and India, non-essential cookies are set only after explicit opt-in consent in accordance with the ePrivacy Directive, UK PECR, and DPDPA.

11

Your Privacy Rights

GDPR Rights — EU/EEA Residents

  • Right to Access — request a copy of your personal data
  • Right to Rectification — correct inaccurate or incomplete data
  • Right to Erasure (“Right to be Forgotten”)
  • Right to Restriction of processing
  • Right to Data Portability in a machine-readable format
  • Right to Object to processing based on legitimate interests
  • Right to withdraw consent at any time without affecting prior lawful processing
  • Right to lodge a complaint with your supervisory authority (e.g., ICO, CNIL, BfDI)

CCPA / CPRA Rights — California Residents

  • Right to Know what personal information we collect, use, disclose, or share
  • Right to Delete your personal information
  • Right to Opt-Out of Sale or Sharing of personal information
  • Right to Correct inaccurate personal information
  • Right to Limit Use of Sensitive Personal Information
  • Right to Non-Discrimination for exercising privacy rights

California residents may submit requests via privacy@epicwave.tech. We will respond within 45 days.

India DPDP Act 2023 Rights — Indian Residents

  • Right to access a summary of personal data processed and identities of data fiduciaries
  • Right to correction, completion, updating, and erasure of personal data
  • Right to grievance redressal within a reasonable time period
  • Right to nominate another individual to exercise rights on your behalf

Other Jurisdictions

Residents of Brazil (LGPD), Canada (PIPEDA), Thailand (PDPA), and other jurisdictions have analogous rights under their applicable laws. We honour all such requests. Contact us at privacy@epicwave.tech.

To exercise any right, email us at privacy@epicwave.tech. We will verify your identity and respond within 30 days (or as required by applicable law).

12

Data Security

We implement industry-standard technical and organisational measures to protect your personal data:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • Role-based access controls (RBAC) and principle of least privilege
  • Regular penetration testing and vulnerability assessments
  • Multi-factor authentication (MFA) for all staff accessing personal data
  • SOC 2 Type II aligned security controls
  • Documented incident response plan with defined notification procedures

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the appropriate supervisory authority within 72 hours (GDPR) and affected individuals without undue delay.

13

Children's Privacy

Our services are not directed to individuals under 18 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately at privacy@epicwave.tech and we will promptly delete it.

14

Automated Decision-Making & Profiling

We may use automated processing for fraud detection, service personalisation, and risk assessment. Where such processing produces significant legal or similarly significant effects, you have the right under GDPR Article 22 to:

  • Request human review of automated decisions
  • Contest the decision and obtain an explanation of the logic involved

We do not use fully automated decision-making for WhatsApp message routing. All message templates are human-initiated and Meta-approved.

15

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by:

  • Email notification to your registered address (at least 14 days before changes take effect)
  • Prominent banner notice on our website
  • WhatsApp message to opted-in users, where appropriate

Continued use of our services after the effective date constitutes acceptance of the revised policy. Where required by law, we will seek fresh consent.

16

Complaints & Supervisory Authorities

You have the right to lodge a complaint with your local data protection authority:

  • EU/EEA: Your national DPA — edpb.europa.eu
  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • India: Data Protection Board of India (established under DPDPA 2023)
  • USA (California): California Privacy Protection Agency — cppa.ca.gov
  • Brazil: ANPD — gov.br/anpd

We encourage you to contact us first at privacy@epicwave.tech so we can address your concern directly and promptly.

17

Contact Us

For any privacy-related questions, data subject requests, or concerns, please contact our Data Protection Officer:

Epicwave Technologies
privacy@epicwave.tech
dpo@epicwave.tech
Reply STOP or email us

This Privacy Policy was last updated and is effective as of September 20, 2025. © 2026 Epicwave Technologies. All rights reserved.