Privacy Policy.

01Who we are

Wizthinkers Private Limited (operating as "Depra", "we", "us") is a private limited company incorporated under the Companies Act, 2013.

CIN: U74999UP2022PTC174011. Registered office: Sami Manzil, Pahasu House, Aligarh, Uttar Pradesh, India, 202001. Website: https://depra.ai. Contact: team@depra.ai.

We act in two capacities: as a Data Fiduciary / Controller for our own customers (the brands that subscribe to Depra) and as a Data Processor on their behalf when we handle messages with their end-shoppers. When we act as a Processor, the customer brand remains the Data Fiduciary and we follow their documented instructions and our DPA.

02Laws this policy follows

Digital Personal Data Protection Act, 2023 (India). EU/UK General Data Protection Regulation. California Consumer Privacy Act / CPRA. Other applicable data protection laws where Depra services reach users.

03What we collect

Identity & contact: name, email, phone, company name, job title - provided by you, or by our customers about their end-shoppers.

Account & billing: hashed credentials, plan tier, invoices, GST number for business customers.

Communication content: WhatsApp messages, voice call audio and transcripts, email content, attachments.

Order & commerce data fetched from your connected store: order IDs, SKUs, cart contents, addresses, COD/prepaid status, return reasons, AWB tracking.

Payment metadata only: transaction ID, status, timestamps. We do not store card numbers, CVV, UPI PINs, or net-banking credentials.

Telephony metadata: caller number, call duration, timestamps, call disposition.

Device & technical: IP address, browser, OS, device type, language, time zone, cookies.

Usage telemetry: feature usage, conversation counts, latency, errors.

Inferred attributes: sentiment scores, intent, language detection, repeat-buyer signal.

04How we use it

Provide the Depra platform to customers and process end-shopper conversations on their behalf - under their instructions and our DPA. Lawful basis: performance of contract.

Run revenue plays the customer has configured: cart recovery, COD-to-prepaid, NDR recovery, refund-to-exchange, replenishment.

Bill customers and maintain accounting records - DPDP Sec 7(c) and equivalent legal-obligation grounds under GDPR.

Detect fraud, abuse, and unauthorised access - legitimate interests basis.

Improve features and AI models only on aggregated, de-identified data, or on data the customer has explicitly authorised in writing.

Send service-critical notices (security alerts, breach notifications, policy changes). Marketing email goes only to opted-in business prospects.

Comply with legal obligations, court orders, and regulatory requests.

05How AI fits in

We use enterprise-tier large language models, speech-to-text (Deepgram), and text-to-speech (ElevenLabs) to power conversations across WhatsApp, voice, and email.

We do not make solely automated decisions that produce legal effects on you. End-shoppers can request a human at any time by saying "agent" or "human" in any supported language.

Customer conversations are not used to train our AI providers' foundation models. Our AI sub-processors operate on no-training enterprise tiers with zero or short-window (≤30 days) abuse-detection log retention.

Voice transcripts are auto-redacted for PAN, Aadhaar, payment-card numbers, OTPs, and email addresses before storage.

06Cookies

We use strictly-necessary cookies (session, CSRF, your consent choice) and - only with your consent - analytics cookies (Google Analytics, Mixpanel) and product cookies for the dashboard.

We do not use cross-site tracking or behavioural advertising cookies.

We honour Global Privacy Control (GPC) and Do Not Track (DNT) signals as opt-out requests. You can change your choice any time via the Cookie settings link in the footer.

07Sharing

Customer brands (when we act as Processor) - we return conversation transcripts and analytics to the brand so they can serve their shoppers.

Sub-processors - listed at https://depra.ai/subprocessors. We give 14 days' notice before adding a new one and you can object on reasonable data-protection grounds.

Government and regulators - only when required by lawful order. We do not sell personal data and we do not share it for cross-context behavioural advertising.

Successor entities - on a merger, acquisition, or asset sale, with continuity of the privacy commitments in this policy.

08Where we store data

Primary storage is in India (AWS Mumbai, ap-south-1). Voice recordings, transcripts, and CDRs stay in India.

Some sub-processors (LLM providers, STT/TTS, observability tooling) are in the US or EU. Those transfers are governed by EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and Section 16 of the DPDP Act with documented Transfer Impact Assessments.

09How long we keep it

Active customer account, billing, and usage data: contract term + 90 days.

Conversation transcripts: 13 months by default; configurable per customer.

Voice recordings: 90 days by default; configurable up to 24 months.

Billing and tax records: 8 years (Indian Income Tax Act / GST Act).

Marketing contact data: 24 months from last engagement; suppression list retained indefinitely after unsubscribe.

Web server logs: 90 days.

Backups: rolling 35-day retention, then auto-purged.

On expiry, we securely delete or anonymise the data so it can no longer identify you.

10Your rights

You can ask us to access, correct, or erase your data. You can withdraw any consent you previously gave, object to processing based on legitimate interests, ask for data portability, and lodge a complaint with the Data Protection Board of India, your local EU/UK supervisory authority, or the California Attorney General.

Under DPDP Act Section 14 you can nominate someone to exercise these rights for you in the event of death or incapacity.

California residents have all CCPA/CPRA rights including the right to know, delete, correct, and limit use of sensitive personal information. We do not sell or share for cross-context behavioural advertising.

How to exercise: email team@depra.ai with the request. We acknowledge within 72 hours and resolve within 30 days under DPDP, within 1 month under GDPR (extendable for complex requests), or 45 days under CCPA. We may ask for verification before fulfilling the request.

11Children

Depra is for businesses and adults. We do not knowingly collect personal data from anyone under 18. Customer brands using Depra are responsible for any verifiable parental consent required when they communicate with shoppers who may be minors. If you believe we hold a child's data, email team@depra.ai and we will delete it.

12Security

TLS 1.2+ in transit, AES-256 at rest. HSTS enabled and on the preload submission path.

Auto-redaction of PAN, Aadhaar, card numbers, OTPs, and email addresses in stored voice transcripts.

SSO + mandatory MFA for all employee access to production. Quarterly access reviews. Tenant isolation and least-privilege RBAC.

Annual third-party penetration testing. Continuous vulnerability scanning. SOC 2 Type 1 in progress with Vanta. Targeting Type 2 once we have a qualifying observation window.

Personal Data Breach notification: we notify affected customers within 48 hours of confirmed discovery and report to the Data Protection Board of India / supervisory authority within 72 hours per applicable law.

13Grievance Officer (DPDP Act, Section 13)

Email: team@depra.ai. Address: Wizthinkers Private Limited, Sami Manzil, Pahasu House, Aligarh, Uttar Pradesh, India, 202001. We acknowledge complaints within 72 hours and resolve them within 30 days of receipt.

14Changes to this policy

We may update this Policy from time to time. For material changes, we post the updated Policy with a new "Last updated" date and email registered account administrators at least 14 days before the effective date. Continued use after the effective date constitutes acceptance.