Last updated May 26, 2026

Privacy Policy

This Privacy Policy explains how Sai Infotech, the operator of the eDoot WhatsApp campaign service, collects, uses, shares, secures, and retains information. Privacy questions and requests can be sent to [email protected].

Who This Covers

eDoot is a business tool for importing CSV or Excel contact files, preparing WhatsApp templates, reviewing quota usage, sending approved WhatsApp template messages, and tracking delivery evidence.

eDoot is operated by Sai Infotech, a firm based in India. For privacy questions, access requests, or deletion requests, contact [email protected], or raise the request through the workspace owner or operator who granted you access.

Information eDoot Stores

  • Workspace information: workspace name, industry, slug, default country, default currency, default timezone, onboarding state, and consent-attestation timestamp.
  • Account and access information: user email, derived user name, workspace membership, role, magic-link token hashes, session hashes, session expiry, and revocation state.
  • Imported contact data: uploaded filename, raw spreadsheet rows, mapped row data, first name, last name, company, phone number, country code, locale, timezone, due date, group membership, consent status, validation errors, duplicate keys, and opt-out records.
  • Template and campaign data: template names, categories, bodies, merge fields, provider template IDs, campaign names, scheduled times, recipient payloads, rendered message bodies, quota and usage metadata, statuses, and provider message IDs.
  • WhatsApp sender data: sender display name, phone number, phone-number ID, WhatsApp Business Account ID or managed provider app ID, business portfolio ID where returned, quality and health state, notes, and encrypted sender credentials.
  • Inbound and delivery data: delivery status, read or failure evidence received from WhatsApp providers, summarized inbound message content, inbound provider message IDs, and raw webhook payloads from WhatsApp providers, Razorpay, Dodo Payments, and Stripe webhook routes.
  • Billing data: billing email, billing contact name, billing phone, coupon code, Razorpay or Dodo Payments customer, subscription, product, plan, offer, checkout, invoice and payment IDs, payment method brand, last four digits, holder name, invoice line items, and usage ledger entries.
  • Operational data: queued job payloads, retry state, processing errors, audit logs, record timestamps, workspace IDs, entity IDs, and application log entries needed to run and troubleshoot the service.

Cookies And Browser Storage

  • eDoot sets an HTTP-only session cookie after magic-link sign-in. The cookie stores the session token in the browser; the database stores a SHA-256 hash of that token.
  • The authenticated sidebar stores a sidebar_state cookie for up to seven days so the workspace navigation can remember whether it was open.
  • The theme toggle stores edoot-theme in localStorage.
  • Import and billing forms store temporary drafts in sessionStorage so in-progress setup can survive page navigation in the same browser session.
  • No advertising, analytics, tracking-pixel, PostHog, Google Analytics, or Sentry integration is present in the current web application code.

How The Information Is Used

  • To authenticate users, manage workspace access, and send one-time sign-in links.
  • To parse imports, map spreadsheet columns, validate rows, create contact records, and build campaign recipient payloads.
  • To connect a workspace's WhatsApp sender through managed WhatsApp onboarding or direct-provider setup, submit or import templates, send template messages, sync sender health, and receive delivery or inbound-message webhooks.
  • To prepare subscription checkout with the configured billing provider, verify payment callbacks, reconcile billing events, and send billing notices.
  • To show campaign previews, status, delivery history, quota usage, activity logs, and setup state inside the workspace.
  • To send operator alerts, daily operational digests, and command replies when Telegram alerts or commands are configured.
  • To detect errors, retry background jobs, maintain auditability, prevent unauthorized access, and investigate provider or webhook failures.

Third-Party Services

eDoot shares data with third-party services only where the current product flow calls them.

  • WhatsApp, Meta, and configured WhatsApp Business Solution Providers such as Gupshup receive sender setup data, sender credentials, WhatsApp Business Account IDs or managed app IDs, phone-number IDs, template submissions, recipient phone numbers, message template names, message parameters, and live campaign messages. They send webhook payloads back for delivery, template, account, activation, and inbound-message events.
  • Razorpay or Dodo Payments receives billing contact details, subscription setup data, workspace IDs, workspace names, coupon codes, and checkout/payment identifiers when billing is configured and used.
  • Resend receives email addresses and transactional email content for magic links and billing notifications when email delivery is configured.
  • Telegram receives operator alert and command-reply text containing new account email, derived name, user ID, workspace name, sender display name, sender IDs, masked sender phone number, campaign failure summaries, aggregate status or digest counts, and timestamps when Telegram is configured.
  • A Supabase-compatible Postgres database stores the application records.

Third-party services apply their own terms and privacy policies, including the WhatsApp Business Terms, WhatsApp Business Messaging Policy, Razorpay Privacy Policy, Dodo Payments Privacy Policy, and Resend Privacy Policy, and Telegram Privacy Policy.

Where Data Is Processed

eDoot relies on third-party providers (Meta and WhatsApp, Razorpay or Dodo Payments, Resend, Telegram, and the configured Postgres host) that may store and process data outside India. By using eDoot you consent to that processing as needed to deliver the service. Sai Infotech remains responsible for the data it controls and shares it only as described in this policy.

Security

  • Sender provider credentials, including managed Gupshup app credentials and Meta-direct access tokens, are encrypted with AES-256-GCM using the configured SENDER_TOKEN_ENCRYPTION_KEY before storage.
  • Magic-link tokens and session tokens are stored as SHA-256 hashes in the database.
  • Session cookies are HTTP-only, SameSite=Lax, scoped to the site path, and marked secure in production.
  • Mutation routes check same-origin request headers, and provider webhook routes verify configured signatures or tokens before processing.
  • Provider requests to Meta, Razorpay, Dodo Payments, Resend, and Telegram use HTTPS endpoints.

Retention And Deletion

We retain workspace data, imports, contacts, templates, campaigns, message deliveries, webhook records, billing records, jobs, and audit logs for as long as the workspace is active and you use the service.

When you close your account or send a deletion request to [email protected], we delete the associated workspace and contact data within 30 days, except records we must keep for legal, tax, accounting, fraud-prevention, or dispute purposes. The workspace UI supports deleting unused contact groups directly; account-level deletion and erasure requests are handled by Sai Infotech within the same 30-day window.

Recipient Opt-Outs

If a WhatsApp recipient sends STOP, STOP ALL, UNSUBSCRIBE, CANCEL, END, QUIT, or NO, eDoot records the contact as opted out and stores an opt-out reason for that workspace.

Changes To This Policy

We may update this Privacy Policy as the service changes. Material changes are reflected by the “Last updated” date above. Continued use of eDoot after an update means you accept the revised policy to the extent permitted by applicable law.

Contact

eDoot is operated by Sai Infotech (India). For privacy questions, access requests, or deletion requests, contact [email protected].