
Privacy policy

Last updated: 28 May 2026 | Effective: 28 May 2026 | Jurisdiction: India

This privacy policy explains how Retainx, operated by Retainx Private Limited ("Retainx", "we", "us"), collects, uses, stores, and protects personal data. It is written to comply with the Digital Personal Data Protection Act, 2023 (the "DPDP Act") and applicable law. By using Retainx you agree to the practices described here.

Who we are

  • Data fiduciary: Retainx Private Limited
  • Grievance officer: grievance@retainx.in
  • Contact: privacy@retainx.in, +91 80 4718 2200 (10am to 7pm IST, Mon to Sat)

The two kinds of people whose data we handle

Retainx is a business-to-business service. There are two distinct roles, and the DPDP Act treats them differently.

1. Merchants (our customers)

Restaurant owners, salon owners, and other SMB operators who sign up for Retainx. For merchant data, Retainx is the data fiduciary.

2. End customers (the merchant's customers)

The people who pay a merchant and get enrolled in a loyalty program. For this data, the merchant is the data fiduciary and Retainx acts as a data processor on the merchant's documented instructions. Merchants are responsible for having a lawful basis and for obtaining any consent required before enrolling a customer.

What we collect

From merchants

  • Identity and contact: name, business name, email, phone number.
  • Business and tax: GSTIN, PAN, registered address, business category.
  • Billing: subscription plan, payment status, and invoices. Card and bank details are handled by Razorpay, not stored by us.
  • Usage: pages visited, features used, device and browser metadata, IP address.

From end customers (on behalf of the merchant)

  • Phone number (the primary identifier for WhatsApp loyalty).
  • Name, and optionally email, date of birth, and anniversary, where the merchant collects them.
  • Transaction records: amount, date, outlet, payment method, and UPI VPA where shared by the payment rail.
  • Loyalty state: points, tier, rewards, visit history.
  • Message delivery events: sent, delivered, read, and clicked status of WhatsApp and SMS messages.

How we use data

  • To run loyalty programs: enroll customers, award points, issue and redeem rewards.
  • To send loyalty messages over WhatsApp, SMS, and email on the merchant's behalf.
  • To generate AI-personalized win-back messages and business insights for the merchant.
  • To process merchant subscription billing and issue GST invoices.
  • To prevent fraud and abuse, and to secure the service.
  • To comply with legal and tax obligations.

Subprocessors

We share data with the following processors strictly to provide the service:

  • Razorpay: Payment processing, subscriptions, UPI Smart Collect. Stores payment instrument data.
  • Gupshup, AiSensy: WhatsApp Business API message delivery.
  • MSG91: OTP and SMS fallback delivery.
  • Anthropic: AI message and insight generation. Customer phone numbers are not sent; only first names and order context.
  • Resend: Transactional email delivery.
  • Hostinger: Cloud hosting and object storage, located in data centres serving the India region.

We sign data processing terms with each subprocessor. We do not sell personal data to anyone, and we never will.

Retention

  • Merchant account data: kept while the account is active and for up to 90 days after closure, then deleted or anonymised, except records we must retain for tax (up to 8 years).
  • End customer data: kept while the merchant's account is active. On account closure the merchant gets a 30 day export window, after which the data is deleted.
  • Message delivery logs: 24 months.
  • Audit logs: 24 months.

Your rights under the DPDP Act

  • The right to access a summary of your personal data and how it is processed.
  • The right to correction and erasure of your personal data.
  • The right to nominate another person to exercise your rights in case of death or incapacity.
  • The right to grievance redressal (see our grievance redressal page).

End customers should contact the merchant first, since the merchant is the data fiduciary for their data. If a merchant does not respond, write to privacy@retainx.in and we will help route the request.

Security

Data is encrypted in transit (TLS 1.2 and above) and at rest. Sensitive tokens are encrypted with authenticated encryption (AES-256-GCM). Access is role based and audit logged. We run automated vulnerability scans on our container images and commission periodic external penetration testing.

Children

Retainx is not intended for anyone under 18. Merchants must not enrol the personal data of a child without verifiable parental consent as required by the DPDP Act.

Changes

We may update this policy. Material changes will be notified by email and in the dashboard. The date at the top reflects the latest version.

Questions about this policy? Contact us or write to legal@retainx.in.