Legal

Data Protection & GDPR

Our commitments on data protection, GDPR and the DPDP Act.

Last updated: 23 June 2026

1. Introduction and Scope

This Data Protection & GDPR notice explains how Mankiwave handles personal data in the course of providing its cloud-hosted, multi-tenant software-as-a-service for WhatsApp marketing, CRM, AI chatbots, bulk messaging, bot building, and shared team inbox / live chat. It is intended to be read together with our Privacy Policy and Cookie Policy, and it also serves as a basic summary of how Mankiwave processes personal data on behalf of its customers.

This notice is written to be aware of, and consistent with, the EU General Data Protection Regulation (GDPR), the UK GDPR, India's Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 and rules made thereunder, and other applicable data protection laws. Where a specific contractual data protection commitment is required, a signed Data Processing Addendum (DPA) is available on request (see Section 11).

Mankiwave is operated by Mankiwave, India. Our service is available at https://mankiwave.in.

2. Controller and Processor Roles

Data protection law distinguishes between the party that decides why and how personal data is processed (the "controller") and the party that processes personal data on the controller's behalf and instructions (the "processor"). The roles below define our relationship with you ("User") and apply throughout this notice.

  • You are the controller of the personal data of your own contacts, recipients, leads, and message audiences that you upload to, generate within, or process through the Mankiwave platform ("User Content"). You determine the purposes of contacting those individuals and are responsible for the lawfulness of that processing.
  • Mankiwave is the processor of that User Content. We process it only to provide and support the service to you, on your documented instructions, and not for our own independent purposes.
  • Mankiwave is an independent controller for a limited set of data we collect directly to operate our business — for example, your account registration details, billing and subscription records, support correspondence, and platform usage and security logs. Our handling of that data is described in our Privacy Policy.

Mankiwave is an independent platform. We are not affiliated with, endorsed by, or sponsored by Meta Platforms, Inc., WhatsApp LLC, Google LLC, Apple Inc., or any other trademark holder. "WhatsApp", "Meta", and "Instagram" and related marks belong to their respective owners.

3. Processing Only on Documented Instructions

As your processor, Mankiwave will:

  • Process User Content only to deliver the contracted services and only on your documented instructions, which include the instructions inherent in your configuration and use of the platform (such as connecting your own WhatsApp numbers, building contact lists, scheduling campaigns, and running automations), unless we are required to act otherwise by applicable law.
  • Inform you if, in our reasonable opinion, an instruction infringes applicable data protection law (without obligation to provide legal advice).
  • Ensure that personnel authorised to process User Content are bound by appropriate confidentiality obligations.
  • Not sell User Content and not use it to build, train, or improve any product or model except as strictly necessary to provide the service to you or as you separately and lawfully instruct.

You, as controller, are solely responsible for obtaining valid consent or another lawful basis for contacting your recipients, and for complying with WhatsApp's Business Messaging Policy, Meta's commerce and business policies, the IT Act 2000 and rules, TRAI / DND regulations, and any anti-spam and data protection laws applicable to you, including GDPR, the DPDP Act, and CAN-SPAM. Your obligations as a User are further described in our Acceptable Use Policy and Terms & Conditions. Mankiwave does not itself send unsolicited messages.

4. Categories of Personal Data and Purposes

The categories of personal data processed through the platform depend on what you choose to upload and how you use the service. As a processor of User Content, Mankiwave typically processes the following on your behalf:

  • Contact and recipient identifiers — names, WhatsApp / mobile numbers, email addresses, and similar identifiers of the individuals you choose to message.
  • Communication content — the messages, templates, media, and chatbot or AI conversation data exchanged between you (or your automations) and your contacts through the shared inbox and campaigns.
  • Contact attributes and CRM data — tags, notes, custom fields, lead status, and other attributes you record about your contacts.
  • Engagement and delivery metadata — message status, timestamps, and interaction events used to operate campaigns and reporting.

The purpose of this processing is solely to provide, secure, maintain, and support the messaging, CRM, automation, and inbox functionality you have subscribed to. Mankiwave does not determine which individuals you contact or the content you send to them.

Separately, as an independent controller, Mankiwave processes your account, billing, and usage data for purposes such as account administration, taking payment, providing support, securing the platform, and meeting legal obligations. Payments are handled by third-party gateways (Razorpay, Stripe, PayPal, PhonePe, and PayU); see our Privacy Policy for details.

5. Data Subject Rights and How We Assist

Individuals whose personal data is processed ("data subjects") may have rights under applicable law, including the rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent, as well as rights under the DPDP Act such as the right to correction and erasure, the right to grievance redressal, and the right to nominate.

Because you are the controller of your contacts' data, requests from those individuals should in the first instance be directed to and handled by you. Where a data subject exercises a right in respect of data you process through Mankiwave, you remain responsible for responding within the timelines required by applicable law.

Mankiwave will, taking into account the nature of the processing, provide reasonable assistance to help you fulfil your obligations to respond to data subject requests. This assistance may include:

  • Tools within the platform to search, view, export, correct, and delete contact records and conversation data.
  • Reasonable support, on request to hello@mankiwave.in, where the platform's self-service tools are insufficient to action a valid request.
  • Promptly notifying you if we receive a request directly from one of your data subjects, and not responding to it ourselves except on your instruction or as required by law.

6. Sub-processors

To deliver the service, Mankiwave engages third-party sub-processors, such as cloud hosting and infrastructure providers, communication and messaging infrastructure, and the payment gateways named above. We engage sub-processors only where:

  • The engagement is necessary to provide the service or operate our business;
  • We impose on each sub-processor, by written contract, data protection obligations that are no less protective than those we owe to you (the duty to "flow down" obligations); and
  • We remain responsible to you for the performance of each sub-processor's obligations.

On request to hello@mankiwave.in, we will provide an up-to-date list of sub-processors and a mechanism to be notified of intended changes, so that you may object to a new sub-processor on reasonable, data-protection-related grounds.

7. International Data Transfers and Safeguards

Mankiwave is operated from India, and personal data processed through the platform may be stored or processed in India or in other countries where we or our sub-processors operate. Where personal data is transferred across borders, we take steps intended to ensure an appropriate level of protection, which may include:

  • Relying on transfer mechanisms recognised under applicable law, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where relevant);
  • Contractual data protection commitments flowed down to sub-processors; and
  • Technical and organisational safeguards as described in Section 8.

Under the DPDP Act, transfers of personal data outside India are permitted except to territories that may be restricted by the Government of India. As the controller, you are responsible for ensuring that your use of the platform, including any cross-border transfer of your contacts' data inherent in that use, is lawful for your organisation.

8. Security Measures

Mankiwave implements technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, appropriate to the nature of the data and the risks involved. These measures may include encryption in transit, access controls and authentication, network and application security controls, segregation of tenant data in our multi-tenant environment, logging and monitoring, and regular review of our security practices.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials, configuring access for your team and agents appropriately, and using the platform in a secure manner. See also our Disclaimer.

9. Personal Data Breach Notification

If Mankiwave becomes aware of a personal data breach affecting User Content that we process on your behalf, we will notify you without undue delay after becoming aware of it. Our notification will, to the extent then known and where reasonably possible, describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.

As the controller, you are responsible for assessing the breach and for making any notifications required to supervisory authorities (for example, within 72 hours under the GDPR), to the Data Protection Board of India and affected individuals under the DPDP Act, or to other regulators and individuals as required by laws applicable to you. Mankiwave will provide reasonable cooperation and assistance to support those obligations.

10. Data Retention and Deletion

Mankiwave retains User Content for as long as your account is active and you continue to use the relevant features, so that the service functions as intended. You can delete contacts, conversations, and other records using the tools within the platform at any time.

  • On account closure or termination, Mankiwave will, at your choice and within a reasonable period, delete or return the User Content we process on your behalf, except to the extent we are required to retain it by applicable law.
  • Residual copies remaining in routine backups will be deleted in accordance with our backup rotation and retention cycles, and remain protected by the safeguards in this notice until deleted.
  • Account, billing, and legal records for which Mankiwave is an independent controller may be retained for longer where required to meet legal, accounting, tax, or dispute-resolution obligations.

For more detail on retention of data we hold as a controller, see our Privacy Policy.

11. Data Processing Addendum (DPA)

This notice, together with our Terms & Conditions and Privacy Policy, describes the data protection terms applicable to your use of Mankiwave. If your organisation requires a separate, signed Data Processing Addendum incorporating the controller–processor commitments summarised here (including, where applicable, Standard Contractual Clauses for international transfers), you may request one by writing to hello@mankiwave.in. We will provide a DPA for execution on reasonable request.

12. Changes to This Notice

We may update this Data Protection & GDPR notice from time to time to reflect changes in our practices, our service, or applicable law. Material changes will be communicated through the platform or by other appropriate means. Your continued use of Mankiwave after an update takes effect constitutes acceptance of the revised notice.

13. Data Protection Point of Contact and Contact Us

For any questions, requests, or concerns relating to data protection, your role as controller, sub-processors, international transfers, breach notification, or to request a signed DPA, please contact our data protection point of contact:

You can also reach us through our Contact Us page. This notice is governed by the laws of India, and any disputes are subject to the jurisdiction of the courts of India. Please also review our Privacy Policy and Cookie Policy.