Your Data.
Your Rights.
Our Responsibility.
Amezly is built for Indian businesses. We follow India's Digital Personal Data Protection Act (DPDPA) 2023, and we keep your data in India. Here is exactly what we collect, why, and what you can do about it.
- §01 Who We Are
- §02 Scope
- §03 Data We Collect
- §04 How We Collect
- §05 Why We Use Your Data
- §06 Legal Basis
- §07 Data Sharing
- §08 Third-Party Processors
- §09 Cross-Border Transfers
- §10 Data Storage & Security
- §11 Data Retention
- §12 Your Rights (DPDPA)
- §13 Cookies & Tracking
- §14 WhatsApp & SMS Data
- §15 Voice Call Data
- §16 AI & Automated Decisions
- §17 Children's Privacy
- §18 Data Breaches
- §19 Changes to This Policy
- §20 Grievance Officer
This policy complies with India's Digital Personal Data Protection Act 2023 and the IT (Amendment) Act 2008.
Who We Are
Amezly Technologies Private Limited ("Amezly", "we", "us", "our") is a company incorporated under the Companies Act 2013, with its registered office in Bangalore, Karnataka, India.
Amezly operates an AI-powered business automation platform available at amezly.com and its subdomains. The platform includes AI chatbots, voice AI agents, WhatsApp automation, email campaigns, CRM, order management, and SEO tools.
For the purposes of the Digital Personal Data Protection Act (DPDPA) 2023, Amezly acts as:
- Data Fiduciary in relation to personal data of our subscribers (business owners and their team members who use Amezly's dashboard)
- Data Processor in relation to personal data of our subscribers' end-customers (the individuals who interact with chatbots, voice agents, or WhatsApp flows built using Amezly)
Scope of This Policy
This Privacy Policy applies to:
- Visitors to the amezly.com website and all subdomains
- Individuals who sign up for a free trial or paid subscription
- Team members added to an Amezly account by a subscriber
- Individuals whose data is processed through Amezly's platform (e.g., customers who interact with chatbots or voice agents deployed by an Amezly subscriber)
This policy does not apply to third-party websites or services linked from amezly.com. We are not responsible for the privacy practices of those third parties.
Data We Collect
A. Data You Give Us Directly
- Account registration: Name, business name, email address, phone number, password (stored as a bcrypt hash — never in plain text)
- Billing information: Name, billing address, GSTIN (if provided), payment method (card details are handled by Razorpay and never stored on Amezly servers)
- Business profile: Industry, city, business type, website URL, WhatsApp number, and other onboarding information you choose to provide
- Support communications: Content of emails, chat messages, or support tickets you send us
- AI product content: Chat transcripts, voice call recordings and transcripts, email templates, CRM notes, product catalogues, and other content you upload or create in the Amezly dashboard
B. Data Collected Automatically
- Usage data: Pages visited, features used, time spent, clicks, dashboard navigation patterns — used to improve the product
- Device and browser data: IP address, browser type, operating system, screen resolution, referring URL
- Log data: Server logs including timestamps, API calls, error logs — retained for security and debugging purposes
- Cookies and local storage: See §13 for full details
C. Data About Your End-Customers (Processed on Your Behalf)
When your end-customers interact with AI chatbots, voice agents, or WhatsApp flows you've built using Amezly, the following data may be processed:
- Name, phone number, email address (if they provide it during the conversation)
- Conversation transcripts (chat and voice)
- Purchase intent, product preferences, appointment bookings
- Any other information your end-customers voluntarily share with your AI agent
How We Collect Data
- Directly from you: When you sign up, complete your business profile, add payment details, contact support, or use features in the dashboard
- Through our platform: When you or your team members use Amezly's dashboard, widget, or APIs
- From third-party integrations: If you connect Amezly to Razorpay, Shiprocket, Google Calendar, or other services, we receive data from those services as part of the integration
- Via cookies and analytics: When you visit amezly.com, our analytics tools collect behavioural data (see §13)
- From your end-customers: Through the chatbot widget, WhatsApp flows, or voice agents you deploy — this data is collected on your behalf as your processor
Why We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Create and manage your account | Name, email, phone, password hash | Contract performance |
| Provide the Amezly platform and features | All account and usage data | Contract performance |
| Process payments and issue invoices | Billing details, GSTIN, payment confirmation | Contract + legal obligation (GST) |
| Send transactional emails (invoices, alerts, OTPs) | Email address, account activity | Contract performance |
| Provide customer support | Account data, support history | Contract performance |
| Improve the platform (analytics, bug fixes) | Usage data, device data, error logs | Legitimate interest |
| Send product updates and feature announcements | Email address, plan type | Legitimate interest (opt-out available) |
| Comply with legal obligations (tax, audit, law enforcement) | Account, billing, and usage data | Legal obligation |
| Detect and prevent fraud, abuse, or security threats | IP address, login patterns, usage anomalies | Legitimate interest / legal obligation |
| Marketing emails and promotional offers | Email address, plan type, industry | Consent (opt-in, unsubscribe available) |
We do not use your personal data or your end-customers' data to train AI models. We do not sell your data to third parties. We do not use your data for targeted advertising.
Legal Basis for Processing
Under the DPDPA 2023, Amezly processes personal data on the following lawful grounds:
- Consent: Where you have given explicit consent — for example, marketing emails and optional product research surveys. You may withdraw consent at any time.
- Contract: Where processing is necessary to fulfil our subscription agreement with you — providing the platform, billing, support.
- Legal obligation: Where processing is required by Indian law — GST compliance, responding to lawful government or court orders.
- Legitimate interest: Where processing serves our legitimate business interests and does not override your rights — security monitoring, product analytics, fraud prevention. You may object to processing under this basis.
Who We Share Your Data With
We share your data only in the following circumstances:
- Service providers and processors: Third-party vendors we use to operate Amezly (see §08 for full list). These vendors process data only on our instructions and are bound by data processing agreements.
- Within Amezly: Employees and contractors who need access to provide services — subject to confidentiality obligations and role-based access controls.
- Business transfers: If Amezly is acquired, merged, or sells assets, your data may be transferred as part of that transaction. We will notify you via email and provide a choice to delete your data before the transfer completes.
- Legal requirements: We may disclose data to government authorities, courts, or law enforcement when required by Indian law, court order, or to protect the rights and safety of our users or the public.
- With your consent: For any other purpose, only with your explicit consent.
Third-Party Data Processors
Amezly uses the following third-party services to deliver its platform. Each receives only the minimum data necessary for their function:
| Vendor | Purpose | Data Shared | Data Location |
|---|---|---|---|
| Razorpay | Payment processing | Name, email, billing address, payment details | India |
| MSG91 | WhatsApp & SMS messaging | Recipient phone number, message content | India |
| Vobiz | Voice call infrastructure (DID telephony) | Phone number, call duration, call recording | India |
| OpenRouter | LLM inference for AI features (email copy, RAG answers) | Prompt text (may include end-customer conversation context) | USA (processed in transit) |
| DataForSEO | SEO keyword data and rank tracking | Domain name, tracked keywords (no personal data) | EU |
| Resend | Transactional email delivery (fallback) | Recipient email address, email content | USA (processed in transit) |
| Stalwart Mail | Primary email delivery (self-hosted, noreply@amezly.com) | Recipient email, email content | India (self-hosted) |
| Shiprocket | Order shipping and logistics (if enabled) | Customer name, address, phone, order details | India |
| ClickHouse | Analytics and event tracking (self-hosted) | Usage events, anonymised visitor behaviour | India (self-hosted) |
| PostgreSQL (self-hosted) | Primary database for all platform data | All account and platform data | India (self-hosted) |
All processors who handle personal data are bound by data processing agreements requiring them to maintain appropriate security, process data only on our instructions, and delete data when the processing relationship ends.
Cross-Border Data Transfers
Amezly stores all personal data on servers located in India. However, certain processing activities involve data passing through servers outside India:
- OpenRouter (USA): When AI features process conversation context, prompt text may pass through OpenRouter's US-based inference infrastructure. We minimise this by avoiding inclusion of identified personal data in prompts where possible, and by contractual protections.
- Resend (USA): Transactional emails (when Stalwart fallback is triggered) pass through Resend's US servers. Email content and recipient addresses are shared for delivery purposes only.
- DataForSEO (EU): SEO keyword and ranking data passes through DataForSEO's EU infrastructure. Only domain names and keyword strings are shared — no personal data.
For transfers to countries without adequate data protection, we rely on contractual safeguards (standard contractual clauses or equivalent) to protect your data. These transfers are limited to what is technically necessary to deliver the service features you use.
Data Storage & Security
Amezly takes data security seriously. We implement the following measures to protect your personal data:
- Encryption in transit: All data transmitted between your browser and Amezly's servers is encrypted using TLS 1.2 or higher (HTTPS)
- Encryption at rest: Sensitive data fields (passwords, payment tokens, API keys) are encrypted at rest using AES-256
- Passwords: User passwords are hashed using bcrypt — we never store or have access to your plain-text password
- Access controls: Role-based access controls within Amezly ensure employees access only data necessary for their role. Access to production systems is restricted and audited
- Infrastructure: Our primary database and application servers are hosted in India with physical security controls, regular security patching, and automated backups
- Penetration testing: We conduct periodic security assessments and vulnerability scans
- Two-factor authentication: Available on all Amezly accounts — we strongly recommend enabling it
Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data (name, email, phone) | Duration of subscription + 90 days post-cancellation | Service delivery; 90-day grace period for reactivation |
| Billing and invoice records | 7 years from date of invoice | Indian tax and GST law requires 7-year retention |
| Chat and voice call transcripts | 12 months from creation (configurable to 3 months on request) | Business operations; shorter retention available on request |
| Voice call recordings | 90 days (auto-deleted; not configurable shorter) | Call quality review and dispute resolution |
| CRM contact data (end-customers) | Duration of subscription + 90 days | Deleted with your account or on earlier request |
| Email campaign data | 24 months or until manually deleted | Campaign performance reporting |
| Usage and analytics logs | 13 months (rolling) | Year-on-year analytics comparison |
| Server security logs | 6 months | Security incident investigation |
| Support ticket history | 3 years | Customer support quality; pattern detection |
| Data deletion request records | 3 years from the request date | Legal compliance — demonstrating fulfilment of DPDPA rights |
When retention periods expire, data is securely deleted or irreversibly anonymised. Anonymised, aggregated data (with no individual identifiable) may be retained indefinitely for statistical purposes.
Your Rights Under DPDPA 2023
As a Data Principal under India's DPDPA 2023, you have the following rights with respect to your personal data:
To exercise any of these rights, email privacy@amezly.com from your registered email address with the subject line "DPDPA Rights Request — [Your Name]." We will acknowledge within 48 hours and fulfil the request within 30 days. We may need to verify your identity before processing the request.
Cookies & Tracking Technologies
Amezly uses the following types of cookies and tracking technologies on amezly.com:
| Type | Purpose | Can You Opt Out? | Retention |
|---|---|---|---|
| Strictly Necessary | Login session, CSRF protection, user preferences | No — platform won't function | Session / 30 days |
| Functional | Remember language, dashboard layout, theme preferences | Yes — via Settings → Privacy | 1 year |
| Analytics | Page views, feature usage (self-hosted ClickHouse — no third-party analytics) | Yes — via Cookie Banner | 13 months |
| Marketing | Currently none — we do not run third-party ad retargeting | N/A | N/A |
We use self-hosted ClickHouse for analytics — not Google Analytics or Meta Pixel. This means your browsing behaviour on amezly.com is not shared with Google, Meta, or any other advertising platform.
You can manage your cookie preferences through the cookie banner on first visit, or any time by going to amezly.com/cookie-settings. You may also configure your browser to reject cookies, though this may affect the functionality of the platform.
WhatsApp & SMS Data
When you use Amezly's WhatsApp automation or SMS features (powered by MSG91):
- Message content and recipient phone numbers are transmitted to MSG91 for delivery
- WhatsApp messages are processed via Meta's Business API through MSG91's approved integration — Meta's privacy policy applies to message delivery infrastructure
- Message delivery receipts and read status may be returned by Meta and stored in Amezly to populate your analytics dashboard
- Amezly does not read or analyse your WhatsApp message content for purposes other than delivering them and populating your dashboard analytics
Your responsibilities as a subscriber:
- You must obtain valid consent from recipients before sending WhatsApp marketing messages, as required by TRAI regulations and Meta's WhatsApp Business Policy
- You must maintain an opt-out mechanism for recipients who do not wish to receive further messages
- You are responsible for ensuring your message templates comply with Meta's template approval requirements
Voice Call Data
When you use Amezly's Voice AI Agent (powered by Vobiz):
- Call recordings: Calls may be recorded for quality assurance and transcript generation. Callers are notified at the start of the call ("This call may be recorded for quality purposes"). Recordings are retained for 90 days then auto-deleted.
- Call transcripts: AI-generated transcripts of calls are stored in your Amezly dashboard for up to 12 months. Transcripts may contain personal data spoken by callers.
- Phone numbers: Caller phone numbers (CLI) are stored in your CRM as part of the call record and contact management features
- DND compliance: Amezly's outbound calling features are designed to comply with India's Do Not Disturb (DND) registry (TRAI regulations). You are responsible for scrubbing your outbound call lists against the DND registry
Your responsibilities: You must inform callers that calls are being recorded, as required by Indian law. Failing to do so may constitute a privacy violation. Amezly's default call greeting includes a recording disclosure — do not remove this disclosure if you enable call recording.
AI & Automated Decision-Making
Amezly uses AI in the following ways:
- Chatbot responses: AI generates responses to your end-customers' questions based on your configured knowledge base (RAG). These responses are recommendations — your chatbot widget displays them, but no binding decision is made by the AI alone.
- Voice agent conversations: AI generates spoken responses to incoming or outbound calls. The AI can book appointments, answer FAQs, or collect information — but cannot execute financial transactions or make binding legal commitments.
- Email copy generation: AI (OpenRouter Llama) generates suggested email subject lines and body copy based on your inputs. This is a drafting tool — you review and send.
- Lead qualification: AI may score or classify leads based on conversation intent. This scoring is provided as a recommendation — your team makes the final decision.
Amezly's AI features are explicitly restricted from making decisions in the following domains — these restrictions are built into the system prompts and platform configuration:
- Medical diagnosis, clinical advice, or health treatment recommendations
- Legal advice, contracts, or legal representations
- Financial investment advice, loan approvals, or credit decisions
- Emergency services (the AI is configured to refer callers to emergency services immediately)
Children's Privacy
Amezly's platform is intended for use by businesses and business professionals. It is not directed at individuals under the age of 18.
- We do not knowingly collect personal data from anyone under 18 years of age
- Account registration requires the user to confirm they are at least 18 years old
- If you believe we have inadvertently collected personal data from a minor, please contact privacy@amezly.com immediately and we will delete it promptly
Subscribers who deploy Amezly's chatbot or voice agent in contexts where minors may interact (e.g., an educational institution) must ensure appropriate parental consent mechanisms are in place before collecting any personal data from minors through the platform.
Data Breach Notification
In the event of a personal data breach, Amezly will:
- Contain the breach as quickly as possible by isolating affected systems and revoking compromised credentials
- Assess the impact — what data was affected, how many individuals, and the likely consequences
- Notify the Data Protection Board of India (once operational) within 72 hours if the breach is likely to result in harm to Data Principals — as required by DPDPA 2023
- Notify affected subscribers via email within 72 hours of confirming a breach that affects their account or their end-customers' data
- Provide a full incident report within 14 days detailing the nature of the breach, data affected, steps taken, and recommendations
Notifications will be sent to the primary email address on your Amezly account. We strongly recommend keeping your registered email address current and enabling two-factor authentication to reduce breach risk.
To report a suspected security vulnerability or data breach, email security@amezly.com — we treat all security reports with urgency.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time as our platform evolves or regulations change. When we do:
- The "Last Updated" date at the top of this page will be revised
- For material changes that reduce your privacy protections or expand data use, we will email all active subscribers at least 14 days before the new policy takes effect
- The notice will clearly describe what is changing and why
- For changes required by new law or regulation, we may implement them sooner with as much notice as practicable
- Continued use of Amezly after the effective date of the updated policy constitutes acceptance of the revised terms
We encourage you to review this policy annually or whenever you see a "Last Updated" date that is newer than your last visit. Previous versions of this policy are available on request by emailing privacy@amezly.com.
Grievance Officer
As required by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 and the DPDPA 2023, Amezly has appointed a Grievance Officer:
📧 Email: grievance@amezly.com
📮 Address: Grievance Officer, Amezly Technologies Pvt. Ltd., Bangalore, Karnataka, India
⏱️ Response time: Acknowledgement within 48 hours; resolution within 30 days
🕘 Available: Monday to Friday, 9 AM – 6 PM IST (excluding public holidays)
You may contact the Grievance Officer for:
- Complaints about how your personal data is being processed
- Requests to exercise DPDPA rights (access, correction, deletion, consent withdrawal)
- Reports of potential data breaches or privacy violations
- Appointing a nominee for your data rights
- Any other privacy-related grievances
If you are not satisfied with the Grievance Officer's response, you may escalate your complaint to the Data Protection Board of India (once constituted under DPDPA 2023) or seek other legal remedies available under Indian law.
Privacy questions or data requests?
Our privacy team typically responds within 48 hours. For data deletion, you can also use our self-service deletion page.