CustomerGrip ("we", "our", "us") operates a CRM, WhatsApp automation, loyalty, and membership platform for local Indian businesses. This Privacy Policy explains how we collect, use, store, and protect your data in compliance with applicable Indian and international data protection laws.
1. Data We Collect
1.1 Business Owner Data
- Business name, owner name, email, phone, address, GSTIN, logo
- Subscription plan, payment history, credit balance
- WhatsApp Business Account credentials (WABA ID, phone number ID, access token — encrypted at rest)
- Login credentials (bcrypt-hashed passwords — we never store plain text)
- Activity logs (login time, IP address, browser, device for security)
1.2 Customer Data (per business)
- Name, mobile number, email, birthday, anniversary, gender, address
- Visit history, purchase amounts (Purchased Method), loyalty points
- Tags, labels, notes, health score
- Membership card details (Member ID, tier, expiry, family members)
- QR check-in events (timestamp, optional purchase amount)
- WhatsApp message logs (recipient, message content, delivery status)
1.3 Staff Data
- Name, email, phone, role (Owner/Staff), login credentials (bcrypt-hashed)
- Activity logs for accountability
1.4 Platform Data
- Payment transactions (processed via Razorpay — we don't store card numbers)
- Credit transaction ledger (append-only audit trail)
- Support tickets and replies
- System logs (API calls, errors, webhook receipts)
2. How We Use Your Data
- CRM: To store and manage customer records per business
- WhatsApp Messaging: To send campaigns, birthday wishes, and automated messages via the official Meta WhatsApp Cloud API
- Loyalty: To track points, tiers, and redemption history
- Membership: To issue, track, and manage membership cards
- Analytics: To generate insights on customer growth, campaign performance, and engagement
- Payments: To process subscription and credit pack purchases via Razorpay
- Security: To detect fraud, prevent abuse, and maintain audit trails
- Support: To respond to support tickets and provide assistance
3. Data Storage & Security
- Database: Supabase (PostgreSQL) hosted in AWS (Asia-Pacific region)
- Multi-tenancy: Each business's data is isolated via Row-Level Security (RLS) — no tenant can access another's data
- Encryption in transit: All connections use TLS 1.2+ (HTTPS)
- Encryption at rest: Database and storage are encrypted by Supabase
- Password hashing: bcrypt with salt rounds ≥ 10
- Session management: JWT tokens in httpOnly, Secure, SameSite=Lax cookies (7-day expiry)
- WhatsApp credentials: Encrypted at rest, never exposed to client-side code
- Payment data: Processed by Razorpay — we never see or store card/UPI details
4. WhatsApp Data & Meta Compliance
CustomerGrip uses the official Meta WhatsApp Cloud API (direct integration, not via a BSP). All WhatsApp messaging complies with:
- Meta's WhatsApp Business Platform Terms of Service
- Meta's Commerce & Business Policies
- WhatsApp opt-in requirements — businesses must obtain consent before sending marketing messages
- 24-hour customer service window — business-initiated messages outside this window use approved templates only
- Message templates must be approved by Meta before use
- Delivery status (sent/delivered/read/failed) is received via Meta webhooks
- Incoming customer messages are logged for the business's reference
Each business connects their own WhatsApp Business Account via Embedded Signup. CustomerGrip does not own or control the business's WhatsApp number — it only sends on their behalf.
5. Data Sharing
We do not sell, rent, or trade your data. We share data only with:
- Meta (Facebook): For WhatsApp message delivery (message content, recipient phone number)
- Razorpay: For payment processing (amount, business email — no customer data)
- Supabase: For database hosting (all data — covered by their DPA)
- Vercel: For application hosting (no persistent data stored on edge servers)
- Legal authorities: If required by law, court order, or government request
6. Data Retention
- Active subscriptions: Data is retained for the duration of the subscription
- Cancelled subscriptions: Data is retained for 30 days, then deleted upon request
- Credit transactions: Retained for 7 years (financial audit requirement)
- Activity/Audit logs: Retained for 1 year
- System logs: Retained for 90 days
- WhatsApp message logs: Retained for 6 months
7. Your Rights
- Access: Request a copy of all your data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and all associated data
- Export: Export all customer data as CSV/PDF
- Opt-out: Customers can opt out of WhatsApp messaging by replying "STOP"
- Data portability: Request data export in a machine-readable format
To exercise any of these rights, email support@customergrip.com
8. Multi-Tenant Isolation
CustomerGrip is a multi-tenant SaaS platform. Each business (tenant) has strict data isolation:
- PostgreSQL Row-Level Security (RLS) enforces tenant isolation at the database layer
- Business owners cannot access other businesses' data — not through the UI, not through the API
- The Super Admin (platform owner) can view cross-tenant data for support and oversight, with full audit logging
- Staff accounts are scoped to their business only
9. Cookies & Tracking
CustomerGrip uses a single httpOnly cookie (cg_session) for authentication. This cookie:
- Contains a JWT token (no personal data — just user ID and role)
- Is HttpOnly (not accessible via JavaScript)
- Is Secure (only sent over HTTPS)
- Is SameSite=Lax (prevents CSRF)
- Expires after 7 days
We do not use third-party cookies, advertising trackers, or analytics tools that profile users.
10. Children's Privacy
CustomerGrip is designed for businesses, not individuals under 18. We do not knowingly collect data from minors. If you believe a minor's data has been collected, contact us immediately for deletion.
11. Data Breach Response
In the event of a data breach, we will:
- Notify affected businesses within 72 hours of discovery
- Notify the relevant data protection authorities if required by law
- Conduct a full investigation and implement corrective measures
- Provide a detailed incident report upon request
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify all active businesses via email and in-app notification at least 14 days before any material change takes effect.
13. Contact