Privacy Policy

Privacy Policy

Your Data.
Your Rights.
Our Responsibility.

Amezly is built for Indian businesses. We follow India's Digital Personal Data Protection Act (DPDPA) 2023, and we keep your data in India. Here is exactly what we collect, why, and what you can do about it.

📅 Effective: 1 June 2025 🗓️ Last Updated: 1 June 2025 🇮🇳 Governed by DPDPA 2023 & IT Act 2000 📍 Data stored in India
🇮🇳
Data Stays in India
All personal data is stored on servers located in India. We do not transfer personal data outside India except as described in this policy.
🔒
Minimum Necessary
We collect only what we need to provide the service. No data mining, no building user profiles for advertising, no selling your data.
👁️
Full Transparency
We tell you exactly what data we collect, who we share it with, how long we keep it, and why — in plain language, not lawyer-speak.
🧑‍⚖️
DPDPA Compliant
This policy is written to comply with India's Digital Personal Data Protection Act (DPDPA) 2023, including your rights as a Data Principal.
§ 01

Who We Are

Amezly Technologies Private Limited ("Amezly", "we", "us", "our") is a company incorporated under the Companies Act 2013, with its registered office in Bangalore, Karnataka, India.

Amezly operates an AI-powered business automation platform available at amezly.com and its subdomains. The platform includes AI chatbots, voice AI agents, WhatsApp automation, email campaigns, CRM, order management, and SEO tools.

For the purposes of the Digital Personal Data Protection Act (DPDPA) 2023, Amezly acts as:

  • Data Fiduciary in relation to personal data of our subscribers (business owners and their team members who use Amezly's dashboard)
  • Data Processor in relation to personal data of our subscribers' end-customers (the individuals who interact with chatbots, voice agents, or WhatsApp flows built using Amezly)
§ 02

Scope of This Policy

This Privacy Policy applies to:

  • Visitors to the amezly.com website and all subdomains
  • Individuals who sign up for a free trial or paid subscription
  • Team members added to an Amezly account by a subscriber
  • Individuals whose data is processed through Amezly's platform (e.g., customers who interact with chatbots or voice agents deployed by an Amezly subscriber)

This policy does not apply to third-party websites or services linked from amezly.com. We are not responsible for the privacy practices of those third parties.

ℹ️ If you are an end-customer of a business that uses Amezly's chatbot, voice agent, or WhatsApp automation: the business (Amezly's subscriber) is the Data Fiduciary for your data. Please contact that business directly for requests regarding your personal data. Amezly processes your data only on the business's instructions.
§ 03

Data We Collect

A. Data You Give Us Directly

  • Account registration: Name, business name, email address, phone number, password (stored as a bcrypt hash — never in plain text)
  • Billing information: Name, billing address, GSTIN (if provided), payment method (card details are handled by Razorpay and never stored on Amezly servers)
  • Business profile: Industry, city, business type, website URL, WhatsApp number, and other onboarding information you choose to provide
  • Support communications: Content of emails, chat messages, or support tickets you send us
  • AI product content: Chat transcripts, voice call recordings and transcripts, email templates, CRM notes, product catalogues, and other content you upload or create in the Amezly dashboard

B. Data Collected Automatically

  • Usage data: Pages visited, features used, time spent, clicks, dashboard navigation patterns — used to improve the product
  • Device and browser data: IP address, browser type, operating system, screen resolution, referring URL
  • Log data: Server logs including timestamps, API calls, error logs — retained for security and debugging purposes
  • Cookies and local storage: See §13 for full details

C. Data About Your End-Customers (Processed on Your Behalf)

When your end-customers interact with AI chatbots, voice agents, or WhatsApp flows you've built using Amezly, the following data may be processed:

  • Name, phone number, email address (if they provide it during the conversation)
  • Conversation transcripts (chat and voice)
  • Purchase intent, product preferences, appointment bookings
  • Any other information your end-customers voluntarily share with your AI agent
⚠️ As the business deploying Amezly's tools, you are responsible for obtaining the necessary consent from your end-customers before deploying chatbots, voice agents, or sending WhatsApp messages to them. Amezly processes this data only on your instructions as your data processor.
§ 04

How We Collect Data

  • Directly from you: When you sign up, complete your business profile, add payment details, contact support, or use features in the dashboard
  • Through our platform: When you or your team members use Amezly's dashboard, widget, or APIs
  • From third-party integrations: If you connect Amezly to Razorpay, Shiprocket, Google Calendar, or other services, we receive data from those services as part of the integration
  • Via cookies and analytics: When you visit amezly.com, our analytics tools collect behavioural data (see §13)
  • From your end-customers: Through the chatbot widget, WhatsApp flows, or voice agents you deploy — this data is collected on your behalf as your processor
§ 05

Why We Use Your Data

Purpose Data Used Legal Basis
Create and manage your account Name, email, phone, password hash Contract performance
Provide the Amezly platform and features All account and usage data Contract performance
Process payments and issue invoices Billing details, GSTIN, payment confirmation Contract + legal obligation (GST)
Send transactional emails (invoices, alerts, OTPs) Email address, account activity Contract performance
Provide customer support Account data, support history Contract performance
Improve the platform (analytics, bug fixes) Usage data, device data, error logs Legitimate interest
Send product updates and feature announcements Email address, plan type Legitimate interest (opt-out available)
Comply with legal obligations (tax, audit, law enforcement) Account, billing, and usage data Legal obligation
Detect and prevent fraud, abuse, or security threats IP address, login patterns, usage anomalies Legitimate interest / legal obligation
Marketing emails and promotional offers Email address, plan type, industry Consent (opt-in, unsubscribe available)

We do not use your personal data or your end-customers' data to train AI models. We do not sell your data to third parties. We do not use your data for targeted advertising.

§ 06

Legal Basis for Processing

Under the DPDPA 2023, Amezly processes personal data on the following lawful grounds:

  • Consent: Where you have given explicit consent — for example, marketing emails and optional product research surveys. You may withdraw consent at any time.
  • Contract: Where processing is necessary to fulfil our subscription agreement with you — providing the platform, billing, support.
  • Legal obligation: Where processing is required by Indian law — GST compliance, responding to lawful government or court orders.
  • Legitimate interest: Where processing serves our legitimate business interests and does not override your rights — security monitoring, product analytics, fraud prevention. You may object to processing under this basis.
§ 07

Who We Share Your Data With

We share your data only in the following circumstances:

  • Service providers and processors: Third-party vendors we use to operate Amezly (see §08 for full list). These vendors process data only on our instructions and are bound by data processing agreements.
  • Within Amezly: Employees and contractors who need access to provide services — subject to confidentiality obligations and role-based access controls.
  • Business transfers: If Amezly is acquired, merged, or sells assets, your data may be transferred as part of that transaction. We will notify you via email and provide a choice to delete your data before the transfer completes.
  • Legal requirements: We may disclose data to government authorities, courts, or law enforcement when required by Indian law, court order, or to protect the rights and safety of our users or the public.
  • With your consent: For any other purpose, only with your explicit consent.
We do not sell your data. We do not share your data with advertisers. We do not allow third parties to use your data for their own marketing purposes.
§ 08

Third-Party Data Processors

Amezly uses the following third-party services to deliver its platform. Each receives only the minimum data necessary for their function:

Vendor Purpose Data Shared Data Location
Razorpay Payment processing Name, email, billing address, payment details India
MSG91 WhatsApp & SMS messaging Recipient phone number, message content India
Vobiz Voice call infrastructure (DID telephony) Phone number, call duration, call recording India
OpenRouter LLM inference for AI features (email copy, RAG answers) Prompt text (may include end-customer conversation context) USA (processed in transit)
DataForSEO SEO keyword data and rank tracking Domain name, tracked keywords (no personal data) EU
Resend Transactional email delivery (fallback) Recipient email address, email content USA (processed in transit)
Stalwart Mail Primary email delivery (self-hosted, noreply@amezly.com) Recipient email, email content India (self-hosted)
Shiprocket Order shipping and logistics (if enabled) Customer name, address, phone, order details India
ClickHouse Analytics and event tracking (self-hosted) Usage events, anonymised visitor behaviour India (self-hosted)
PostgreSQL (self-hosted) Primary database for all platform data All account and platform data India (self-hosted)

All processors who handle personal data are bound by data processing agreements requiring them to maintain appropriate security, process data only on our instructions, and delete data when the processing relationship ends.

§ 09

Cross-Border Data Transfers

Amezly stores all personal data on servers located in India. However, certain processing activities involve data passing through servers outside India:

  • OpenRouter (USA): When AI features process conversation context, prompt text may pass through OpenRouter's US-based inference infrastructure. We minimise this by avoiding inclusion of identified personal data in prompts where possible, and by contractual protections.
  • Resend (USA): Transactional emails (when Stalwart fallback is triggered) pass through Resend's US servers. Email content and recipient addresses are shared for delivery purposes only.
  • DataForSEO (EU): SEO keyword and ranking data passes through DataForSEO's EU infrastructure. Only domain names and keyword strings are shared — no personal data.

For transfers to countries without adequate data protection, we rely on contractual safeguards (standard contractual clauses or equivalent) to protect your data. These transfers are limited to what is technically necessary to deliver the service features you use.

ℹ️ You may disable certain AI features (such as AI email copy generation) if you do not wish for any conversation context to pass outside India. Contact privacy@amezly.com to understand your options.
§ 10

Data Storage & Security

Amezly takes data security seriously. We implement the following measures to protect your personal data:

  • Encryption in transit: All data transmitted between your browser and Amezly's servers is encrypted using TLS 1.2 or higher (HTTPS)
  • Encryption at rest: Sensitive data fields (passwords, payment tokens, API keys) are encrypted at rest using AES-256
  • Passwords: User passwords are hashed using bcrypt — we never store or have access to your plain-text password
  • Access controls: Role-based access controls within Amezly ensure employees access only data necessary for their role. Access to production systems is restricted and audited
  • Infrastructure: Our primary database and application servers are hosted in India with physical security controls, regular security patching, and automated backups
  • Penetration testing: We conduct periodic security assessments and vulnerability scans
  • Two-factor authentication: Available on all Amezly accounts — we strongly recommend enabling it
⚠️ No system is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security. If you suspect your account has been compromised, contact security@amezly.com immediately.
§ 11

Data Retention

Data Type Retention Period Reason
Account data (name, email, phone) Duration of subscription + 90 days post-cancellation Service delivery; 90-day grace period for reactivation
Billing and invoice records 7 years from date of invoice Indian tax and GST law requires 7-year retention
Chat and voice call transcripts 12 months from creation (configurable to 3 months on request) Business operations; shorter retention available on request
Voice call recordings 90 days (auto-deleted; not configurable shorter) Call quality review and dispute resolution
CRM contact data (end-customers) Duration of subscription + 90 days Deleted with your account or on earlier request
Email campaign data 24 months or until manually deleted Campaign performance reporting
Usage and analytics logs 13 months (rolling) Year-on-year analytics comparison
Server security logs 6 months Security incident investigation
Support ticket history 3 years Customer support quality; pattern detection
Data deletion request records 3 years from the request date Legal compliance — demonstrating fulfilment of DPDPA rights

When retention periods expire, data is securely deleted or irreversibly anonymised. Anonymised, aggregated data (with no individual identifiable) may be retained indefinitely for statistical purposes.

§ 12

Your Rights Under DPDPA 2023

As a Data Principal under India's DPDPA 2023, you have the following rights with respect to your personal data:

📋 Right to Access
Request a summary of the personal data we hold about you and how it is being processed. We will respond within 30 days.
✏️ Right to Correction
Request that we correct inaccurate or incomplete personal data about you. Most corrections can be made directly in your account settings.
🗑️ Right to Erasure
Request deletion of your personal data. We will delete within 30 days, subject to data we must retain for legal obligations (e.g., invoices for 7 years under GST law).
🚫 Right to Withdraw Consent
Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
🤖 Right to Grievance Redressal
If you are unsatisfied with how we handle your data, you may raise a grievance with our Grievance Officer (§20) and escalate to the Data Protection Board of India.
👤 Nominee Rights
Under DPDPA 2023, you may nominate another person to exercise your data rights in case of your death or incapacity. Contact our Grievance Officer to set up a nominee.

To exercise any of these rights, email privacy@amezly.com from your registered email address with the subject line "DPDPA Rights Request — [Your Name]." We will acknowledge within 48 hours and fulfil the request within 30 days. We may need to verify your identity before processing the request.

Most account data can be accessed, corrected, or deleted directly from your Amezly dashboard under Settings → Privacy, without needing to contact us. For complete data export or account deletion, use the Data Deletion page.
§ 13

Cookies & Tracking Technologies

Amezly uses the following types of cookies and tracking technologies on amezly.com:

Type Purpose Can You Opt Out? Retention
Strictly Necessary Login session, CSRF protection, user preferences No — platform won't function Session / 30 days
Functional Remember language, dashboard layout, theme preferences Yes — via Settings → Privacy 1 year
Analytics Page views, feature usage (self-hosted ClickHouse — no third-party analytics) Yes — via Cookie Banner 13 months
Marketing Currently none — we do not run third-party ad retargeting N/A N/A

We use self-hosted ClickHouse for analytics — not Google Analytics or Meta Pixel. This means your browsing behaviour on amezly.com is not shared with Google, Meta, or any other advertising platform.

You can manage your cookie preferences through the cookie banner on first visit, or any time by going to amezly.com/cookie-settings. You may also configure your browser to reject cookies, though this may affect the functionality of the platform.

§ 14

WhatsApp & SMS Data

When you use Amezly's WhatsApp automation or SMS features (powered by MSG91):

  • Message content and recipient phone numbers are transmitted to MSG91 for delivery
  • WhatsApp messages are processed via Meta's Business API through MSG91's approved integration — Meta's privacy policy applies to message delivery infrastructure
  • Message delivery receipts and read status may be returned by Meta and stored in Amezly to populate your analytics dashboard
  • Amezly does not read or analyse your WhatsApp message content for purposes other than delivering them and populating your dashboard analytics

Your responsibilities as a subscriber:

  • You must obtain valid consent from recipients before sending WhatsApp marketing messages, as required by TRAI regulations and Meta's WhatsApp Business Policy
  • You must maintain an opt-out mechanism for recipients who do not wish to receive further messages
  • You are responsible for ensuring your message templates comply with Meta's template approval requirements
⚠️ Sending unsolicited WhatsApp or SMS messages without consent violates TRAI regulations and may result in your Amezly account being suspended. See our Terms of Service for details.
§ 15

Voice Call Data

When you use Amezly's Voice AI Agent (powered by Vobiz):

  • Call recordings: Calls may be recorded for quality assurance and transcript generation. Callers are notified at the start of the call ("This call may be recorded for quality purposes"). Recordings are retained for 90 days then auto-deleted.
  • Call transcripts: AI-generated transcripts of calls are stored in your Amezly dashboard for up to 12 months. Transcripts may contain personal data spoken by callers.
  • Phone numbers: Caller phone numbers (CLI) are stored in your CRM as part of the call record and contact management features
  • DND compliance: Amezly's outbound calling features are designed to comply with India's Do Not Disturb (DND) registry (TRAI regulations). You are responsible for scrubbing your outbound call lists against the DND registry

Your responsibilities: You must inform callers that calls are being recorded, as required by Indian law. Failing to do so may constitute a privacy violation. Amezly's default call greeting includes a recording disclosure — do not remove this disclosure if you enable call recording.

§ 16

AI & Automated Decision-Making

Amezly uses AI in the following ways:

  • Chatbot responses: AI generates responses to your end-customers' questions based on your configured knowledge base (RAG). These responses are recommendations — your chatbot widget displays them, but no binding decision is made by the AI alone.
  • Voice agent conversations: AI generates spoken responses to incoming or outbound calls. The AI can book appointments, answer FAQs, or collect information — but cannot execute financial transactions or make binding legal commitments.
  • Email copy generation: AI (OpenRouter Llama) generates suggested email subject lines and body copy based on your inputs. This is a drafting tool — you review and send.
  • Lead qualification: AI may score or classify leads based on conversation intent. This scoring is provided as a recommendation — your team makes the final decision.
ℹ️ No AI training on your data: Amezly does not use your data, your customers' data, or conversation transcripts to train AI models — ours or any third party's. Prompts sent to OpenRouter are used solely for inference and are governed by OpenRouter's zero data retention policy for API calls.

Amezly's AI features are explicitly restricted from making decisions in the following domains — these restrictions are built into the system prompts and platform configuration:

  • Medical diagnosis, clinical advice, or health treatment recommendations
  • Legal advice, contracts, or legal representations
  • Financial investment advice, loan approvals, or credit decisions
  • Emergency services (the AI is configured to refer callers to emergency services immediately)
§ 17

Children's Privacy

Amezly's platform is intended for use by businesses and business professionals. It is not directed at individuals under the age of 18.

  • We do not knowingly collect personal data from anyone under 18 years of age
  • Account registration requires the user to confirm they are at least 18 years old
  • If you believe we have inadvertently collected personal data from a minor, please contact privacy@amezly.com immediately and we will delete it promptly

Subscribers who deploy Amezly's chatbot or voice agent in contexts where minors may interact (e.g., an educational institution) must ensure appropriate parental consent mechanisms are in place before collecting any personal data from minors through the platform.

§ 18

Data Breach Notification

In the event of a personal data breach, Amezly will:

  1. Contain the breach as quickly as possible by isolating affected systems and revoking compromised credentials
  2. Assess the impact — what data was affected, how many individuals, and the likely consequences
  3. Notify the Data Protection Board of India (once operational) within 72 hours if the breach is likely to result in harm to Data Principals — as required by DPDPA 2023
  4. Notify affected subscribers via email within 72 hours of confirming a breach that affects their account or their end-customers' data
  5. Provide a full incident report within 14 days detailing the nature of the breach, data affected, steps taken, and recommendations

Notifications will be sent to the primary email address on your Amezly account. We strongly recommend keeping your registered email address current and enabling two-factor authentication to reduce breach risk.

To report a suspected security vulnerability or data breach, email security@amezly.com — we treat all security reports with urgency.

§ 19

Changes to This Privacy Policy

We may update this Privacy Policy from time to time as our platform evolves or regulations change. When we do:

  • The "Last Updated" date at the top of this page will be revised
  • For material changes that reduce your privacy protections or expand data use, we will email all active subscribers at least 14 days before the new policy takes effect
  • The notice will clearly describe what is changing and why
  • For changes required by new law or regulation, we may implement them sooner with as much notice as practicable
  • Continued use of Amezly after the effective date of the updated policy constitutes acceptance of the revised terms

We encourage you to review this policy annually or whenever you see a "Last Updated" date that is newer than your last visit. Previous versions of this policy are available on request by emailing privacy@amezly.com.

§ 20

Grievance Officer

As required by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 and the DPDPA 2023, Amezly has appointed a Grievance Officer:

🧑‍⚖️ Grievance Officer — Amezly Technologies Pvt. Ltd.

📧 Email: grievance@amezly.com
📮 Address: Grievance Officer, Amezly Technologies Pvt. Ltd., Bangalore, Karnataka, India
⏱️ Response time: Acknowledgement within 48 hours; resolution within 30 days
🕘 Available: Monday to Friday, 9 AM – 6 PM IST (excluding public holidays)

You may contact the Grievance Officer for:

  • Complaints about how your personal data is being processed
  • Requests to exercise DPDPA rights (access, correction, deletion, consent withdrawal)
  • Reports of potential data breaches or privacy violations
  • Appointing a nominee for your data rights
  • Any other privacy-related grievances

If you are not satisfied with the Grievance Officer's response, you may escalate your complaint to the Data Protection Board of India (once constituted under DPDPA 2023) or seek other legal remedies available under Indian law.

For general privacy questions that are not formal grievances, you can reach us faster at privacy@amezly.com or via in-app chat during business hours.
Questions?

Privacy questions or data requests?

Our privacy team typically responds within 48 hours. For data deletion, you can also use our self-service deletion page.

Scroll to Top