Privacy Policy

1. Who we are

Leadzap is a WhatsApp and Instagram CRM and campaign manager built and operated by Al Mufaddal Computers, a sole proprietorship registered in Mumbai, Maharashtra, India. In this policy "Leadzap", "we", "us", and "our" refer to Al Mufaddal Computers.

This policy applies to data collected through:

• The Leadzap web application at app.leadzap.co.in
• The marketing website at leadzap.co.in (including the access request form)
• Any communications between you and our team

2. What data we collect

Information you give us directly

• Account info: name, email, business name, role
• Access request info: WhatsApp number, city, country, business description, expected message volume, how you heard about us
• Contact data you upload: the customer phone numbers, names, and labels you import into Leadzap to message your own customers
• Content you create: templates, campaigns, auto-reply rules, media files, and other configurations
• Channel connections you authorise: when you connect your Instagram Business or Creator account to Leadzap via Facebook Login, we receive an access token and the basic profile information of the connected Facebook Page and Instagram account.

Information collected automatically

• IP address (used for spam protection on the access request form)
• Browser user-agent string
• Login timestamps and OTP request logs
• Webhook delivery logs and API call logs

Information from WhatsApp

• Messages sent to and from your WhatsApp Business number through the Leadzap inbox
• Message status updates from Meta (sent, delivered, read, failed)
• Phone number identifiers and message IDs from the WhatsApp Business Cloud API

Information from Instagram

• Direct Messages (DMs) sent to and from your connected Instagram Business or Creator account through the Leadzap inbox
• The Instagram user ID, username, and display name of the customer who sent or received the DM
• Message attachments such as images, videos, voice notes, story replies, story mentions, shared posts, and reaction emojis
• Quick-reply postback events and message identifiers (mids) issued by Meta's Instagram Graph API
• Basic profile information of your connected Instagram account: username, name, account ID, and the linked Facebook Page

3. How we use your data

We use your data only to:

• Run the service: deliver WhatsApp messages and Instagram Direct Messages, sync templates, store contacts, generate analytics
• Authenticate you: send one-time codes (OTPs) by email for login
• Communicate with you: send transactional emails (OTPs, welcome, account updates) and respond to support requests
• Review access requests: evaluate whether your business is a fit for our invite-only platform
• Detect spam & abuse: using IP and user-agent for honeypot and rate-limit checks on public forms
• Improve the product: identify which features are used and where users get stuck

We do not use your data for advertising. We do not sell your data. We do not share it with marketing networks. We do not use the content of your messages, your contacts' messages, or any Instagram profile data to train machine learning or AI models.

4. WhatsApp message data

Leadzap is built on the official WhatsApp Business Cloud API operated by Meta. Your messages and your customers' messages flow through Meta's infrastructure to and from Leadzap.

• We store the contents of messages, template parameters, and media files in our database so you can view your conversation history.
• Tenants are fully isolated at the database level — your contacts, messages, and media are never visible to other Leadzap tenants.
• Meta's own privacy policy applies to data handled by WhatsApp itself; we recommend reviewing it at whatsapp.com/legal/privacy-policy.
• You are responsible for obtaining valid consent from your customers before messaging them through Leadzap, in accordance with WhatsApp Business Policy and applicable laws.

5. Instagram message data

Leadzap integrates with the Instagram Graph API operated by Meta. When you connect an Instagram Business or Creator account, Direct Messages between your account and your customers flow through Meta's infrastructure to and from Leadzap so you can manage conversations from a single inbox.

• What we store: the text content of DMs, the URLs and metadata of attachments (images, videos, voice notes, shared posts, story replies/mentions), reaction emojis, quick-reply postback titles and payloads, the Instagram-issued message IDs, and timestamps.
• Profile data: the basic public profile of the customer who sent or received the DM — Instagram user ID, username, and display name — so you can identify the conversation. We do not collect followers lists, follow status, post history, or any data outside of the DM thread itself.
• Access tokens: the long-lived Page access tokens issued by Meta during OAuth are stored encrypted at rest and used only to send and receive DMs on your behalf. We rotate these tokens automatically before they expire.
• Tenant isolation: your Instagram conversations, contacts, and tokens are fully isolated from other Leadzap tenants at the database level.
• Meta's 24-hour messaging window: Meta restricts business-initiated Instagram DMs to a 24-hour window following the customer's most recent inbound message. Leadzap enforces this restriction client-side and surfaces clear UI when the window is closed.
• Meta's own policies: Meta's privacy policy applies to data handled by Instagram itself; we recommend reviewing it at privacycenter.instagram.com/policy.
• Customer consent: you are responsible for obtaining valid consent from your customers before initiating messages through Leadzap, in accordance with Meta's Platform Terms, Instagram Community Guidelines, and applicable laws.
• Disconnection: you can disconnect your Instagram account from the Leadzap Settings → Channels screen at any time. Disconnection immediately revokes our ability to send or receive new DMs on that account, and the access token is marked inactive in our database.

Leadzap's use and transfer of information received from Meta APIs adheres to the Meta Platform Terms and the Meta Developer Policies.

6. Sharing & third parties

We share data only with the service providers necessary to operate Leadzap:

• Meta (WhatsApp Business Cloud API and Instagram Graph API) — for sending and receiving WhatsApp messages and Instagram Direct Messages
• Amazon Web Services (AWS Mumbai region) — for hosting our application servers and database
• Cloudflare R2 — for storing media files (images, videos, documents, voice notes)
• Amazon SES — for sending transactional emails (OTPs, notifications)
• Hostinger — for VPS infrastructure
• Anthropic — only if you choose to enable AI features that use Claude API

We do not share data with any party for advertising, marketing, or resale. We will only disclose data to government authorities when legally compelled by Indian law.

7. Storage, location & security

• Primary location: India — application servers and PostgreSQL database hosted on AWS Mumbai (ap-south-1) region.
• Media files: Cloudflare R2 with global CDN distribution.
• Encryption in transit: all traffic to and from Leadzap uses TLS 1.2 or higher (Let's Encrypt SSL certificates).
• Encryption at rest: database backups, media storage, and OAuth access tokens are encrypted by the cloud provider or at the application layer.
• Access control: only authorised Al Mufaddal Computers staff can access production systems, with each access logged.
• Authentication: all logins use passwordless email OTP — there are no passwords to be leaked.

8. Data retention

• Active accounts: we retain your data as long as your account is active.
• Closed accounts: within 90 days of account closure, we delete or anonymise your contacts, messages, media, OAuth tokens, and configurations. Aggregated, non-identifiable analytics may be kept indefinitely.
• Disconnected Instagram accounts: when you disconnect an Instagram account from Leadzap, the access token is invalidated immediately. Conversation history and contact records remain in your tenant so you can review past interactions, until you delete them or close your account.
• Access request records: retained for up to 24 months for legitimate-interest review and audit.
• Backups: backups are rotated and overwritten on a 30-day cycle; data may persist briefly in backups even after deletion from the live system.

9. Your rights under India's DPDP Act 2023

If you are an Indian resident, the Digital Personal Data Protection Act 2023 gives you the following rights regarding personal data we process:

• Right to access: request a copy of the personal data we hold about you
• Right to correction: request that we correct inaccurate data
• Right to erasure: request that we delete your personal data, subject to legal retention obligations
• Right to grievance redressal: raise a grievance if you believe your rights have been violated
• Right to nominate: nominate another individual to exercise your rights in case of death or incapacity

To exercise any of these rights, contact us using the details in section 13. We will respond within 30 days.

10. Data deletion requests

If you are a customer whose Instagram or WhatsApp conversations are stored in a Leadzap tenant (because a business that uses Leadzap has messaged you), or if you are a Leadzap account holder, you can request deletion of your data at any time.

Full instructions and the request form are available at leadzap.co.in/data-deletion.html. We will acknowledge your request within 7 days and complete deletion within 30 days, subject to legal retention obligations.

11. Cookies & local storage

Leadzap uses minimal browser storage:

• Authentication token: stored locally so you stay logged in (no third-party cookies).
• User preferences: small amount of data to remember your UI settings.
• We do not use tracking cookies, advertising cookies, or third-party analytics that profile users.

12. Changes to this policy

We may update this policy as Leadzap evolves. Material changes will be communicated by email to active users at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

13. Contact us