Privacy policy

OperGen Technologies Private Limited ("OperGen", "we", "us", "our") operates the WhatsAssist Android application and the website at opergen.com (collectively, the "Service"). Your privacy is fundamental to how we built this product. This Privacy Policy explains what we collect, why, how we use it, and what choices you have.

If you don't agree with this policy, please don't use the app or our services.

1. Plain-English overview

In one minute:

WhatsAssist reads only the notifications you allow on your Android phone.
We use those messages to draft replies you can review and send.
Your conversation memory is encrypted at rest and in transit.
We never train AI models on your conversations.
We never sell or share your data for advertising.
You can delete everything in one tap in Settings → Account.
You can write to support@opergen.com for any privacy question or request.

2. Who we are

Legal entity: OperGen Technologies Private Limited
Registered office: Bengaluru, Karnataka, India
Country of incorporation: India
All inquiries: support@opergen.com
Data controller: OperGen Technologies Private Limited
Privacy contact: Privacy Lead, OperGen — support@opergen.com

For postal correspondence (service of notices, regulatory filings), email support@opergen.com first and we will provide the registered office address appropriate to your matter.

3. What this policy covers

This policy applies to:

The WhatsAssist Android app
Our websites at opergen.com and its subdomains
Our APIs and backend services
Customer support interactions via support@opergen.com

It does not cover third-party services you connect to (WhatsApp, Instagram, Telegram, etc.). Those have their own privacy policies, which apply when you use them.

4. What we collect

4.1 Information you give us directly

Account information: email address, name (optional), country.
Payment information: processed by Google Play and RevenueCat. We see plan and country; we do not see your full card details.
Business knowledge uploads (Business plan): documents, CSVs, PDFs, and other files you upload to teach WhatsAssist about your business.
Support communications: what you write to us at support@opergen.com.

4.2 Information from your device (via Android Notification Access)

When you grant Notification Access we receive:

Message text shown in notifications from messaging apps you enable.
Sender names shown in those notifications.
Notification timestamps.

We do not receive:

Messages that are not delivered as notifications.
Media content (photos, voice notes, videos) — only placeholder text like "Photo".
Your full address book.
Anything from apps you have not enabled.
Anything from your screen, keyboard, microphone, camera, or location.

You can revoke Notification Access any time in Android Settings → Notifications → Notification access.

4.3 Information collected automatically

Device info: model, OS version, app version, language, country, screen resolution.
Usage info: features used, draft acceptance/rejection rates, errors and crashes.
Approximate location: inferred from IP at country/city level. No precise GPS.
Performance metrics: latency, error rates, anonymized request shapes.

4.4 Information from third parties

Sign in with Google: name, email, Google account ID.
Google Play: subscription status, country.
Analytics: aggregated event data only, with IPs truncated.

5. Why we collect it (legal bases)

Under GDPR (UK and EU residents):

Purpose	Legal basis
Provide the app and services	Performance of a contract (Art. 6(1)(b))
Generate AI drafts using your messages	Performance of a contract (Art. 6(1)(b))
Process payments and renewals	Performance of a contract (Art. 6(1)(b))
Improve reliability (crash data)	Legitimate interest (Art. 6(1)(f))
Service-related emails	Performance of a contract (Art. 6(1)(b))
Optional marketing emails	Consent (Art. 6(1)(a)) — opt out any time
Comply with legal obligations	Legal obligation (Art. 6(1)(c))
Defend against fraud / abuse	Legitimate interest (Art. 6(1)(f))

Under India's DPDP Act 2023, our lawful grounds are consent (for processing of personal data) and legitimate use for purposes defined in §7 of the Act.

6. How we use your information

Provide AI-drafted replies based on your messages and personal memory.
Maintain your conversation memory and knowledge graph.
Improve the quality of drafts for you (your memory does not improve any other user's drafts).
Operate, maintain, and improve our services.
Process subscriptions and payments.
Respond to support requests at support@opergen.com.
Detect and prevent fraud, abuse, and security incidents.
Comply with legal obligations.

7. What we do NOT do with your information

We do not train AI models on your messages or memory.
We do not sell your data to anyone, for any purpose.
We do not share your messages with advertisers or marketers.
We do not read your messages outside of generating drafts you requested.
We do not use your data to build cross-app advertising profiles.
We do not permit our AI sub-processors to use your data to train their general-purpose models, per the enterprise terms under which we invoke them.

8. Cookies and similar technologies

On opergen.com we use a minimal set of technologies:

Strictly necessary: CSRF tokens on any form submission, session cookies for logged-in admin areas (when applicable). Cannot be disabled.
Functional (localStorage only): remembers your billing cadence toggle (monthly/annual) on /pricing. Not transmitted to our servers.
Analytics: we use a privacy-respecting, cookieless analytics provider that does not set cookies, does not fingerprint, and reports only aggregated counts.
No advertising cookies. No third-party tracking pixels. No cross-site profiling.

Inside the Android app, only technical storage required for the app to function is used. There are no advertising SDKs, no attribution SDKs, and no third-party trackers.

We share personal information only with:

9.1 Service providers (data processors)

See Section 10 for the current sub-processor list.

9.2 Legal and safety

We may share information if required by law, court order, or to protect the rights, property, or safety of OperGen, our users, or the public. We narrowly scope any disclosure and challenge overbroad requests where lawful.

9.3 Business transfers

If OperGen is acquired, merged, or sells material assets, your information may be transferred. We will notify you and any acquirer is bound to this Privacy Policy unless you accept new terms.

10. Sub-processors

We engage the following sub-processors to deliver the Service. Each has a data-processing agreement that restricts use of your data to providing services to us, and prohibits onward training of general-purpose AI models on your content.

Sub-processor	Purpose	Region
Google Cloud Platform (GCP)	Cloud hosting, storage, encrypted databases	United States / EU multi-region
Google Gemini Enterprise	AI model inference for draft generation	United States
Google Play	App distribution and subscription billing	United States
Firebase (Crashlytics)	Crash and error reporting	United States
RevenueCat	Subscription state synchronisation	United States

We will update this list with at least 14 days' notice via this page before engaging a new sub-processor that processes user personal data. For DPA copies, email support@opergen.com.

11. International data transfers

WhatsAssist is operated from India. Our sub-processors are primarily in the United States and the European Union. When we transfer data across borders:

EU/UK users: we rely on Standard Contractual Clauses (EU 2021/914 and the UK Addendum) approved by the European Commission and the UK ICO, plus supplementary measures (encryption in transit and at rest, contractual prohibitions on government access except where legally compelled).
Indian users: transfers are made in accordance with the DPDP Act 2023 and any notifications issued under §16 of the Act.
Other regions: transfers are made under analogous safeguards required by the applicable jurisdiction.

For information about transfer impact assessments, email support@opergen.com.

12. How long we keep your data

Data type	Retention
Active account data	While your account is active
Conversation memory (Free)	7 days rolling window
Conversation memory (Pro / Business)	Indefinite, until you delete
Business uploads (catalogs, FAQs)	Until you remove them
Crash logs	90 days
Analytics events	13 months
Support tickets	24 months after resolution
Billing records	7 years (legal / tax requirement)
Deleted account data	Erased within 30 days, except where law requires retention
Backups containing deleted data	Overwritten within 90 days

13. Your rights

Depending on your jurisdiction, you have the right to:

Access the personal data we hold about you (Art. 15 GDPR; §11 DPDP)
Correct inaccurate data (Art. 16 GDPR; §12 DPDP)
Delete your data ("right to be forgotten") (Art. 17 GDPR; §12 DPDP)
Restrict or object to processing (Art. 18, 21 GDPR)
Portability — receive a machine-readable copy (Art. 20 GDPR)
Withdraw consent at any time (Art. 7 GDPR; §6 DPDP)
Nominate someone to exercise your rights on your behalf (DPDP §14)
Not be subject to solely-automated decisions with legal effect (Art. 22 GDPR)
Lodge a complaint with your data protection authority

14. How to exercise your rights (Data Subject Requests)

Email support@opergen.com from the email address linked to your WhatsAssist account, with the subject line DSR: [your request].
We acknowledge within 5 business days.
We may verify your identity if your request affects sensitive data; verification will use the minimum data necessary.
We respond substantively within 30 days of identity verification. Where law permits an extension (up to 60 additional days for complex requests), we will tell you why and when to expect a response.
If we cannot fulfil your request in part or whole (e.g., a legal retention obligation), we will tell you why and what your further options are.
Access, correction, deletion, and portability requests are free. Manifestly unfounded or excessive requests may incur a reasonable fee or be refused, with reasons.

You can also delete your account in-app: Settings → Account → Delete account.

EU users: complaints to your national Data Protection Authority. UK users: Information Commissioner's Office (ICO). Indian users: Data Protection Board of India. California users: see Section 18.

15. Security

We protect your data using:

TLS 1.3 for all data in transit
AES-256 encryption for data at rest
Per-user encryption keys for memory storage
Role-based access control with audit logging on infrastructure access
Mandatory two-factor authentication for all team accounts
Annual third-party security review and ongoing automated scanning
A documented incident response plan
Secure SDLC practices, code review, and dependency scanning

No system is 100% secure. If we discover a breach affecting you, we will notify you and the relevant authorities within the timelines required by law (72 hours under GDPR; without undue delay under DPDP §8(6)).

16. Children's privacy

WhatsAssist is not directed at children under 13 (or 16 / 18 depending on jurisdiction). We do not knowingly collect data from children below the applicable age threshold. If we learn we have collected such data, we will delete it promptly. If you believe a child has provided data to us, email support@opergen.com.

17. Third-party services

WhatsAssist integrates with messaging apps you have already installed (WhatsApp, Instagram, etc.) via Android Notification Access. We are not affiliated with, endorsed by, or controlled by Meta, Telegram, Google, or any messaging platform. Your use of those apps is governed by their own terms and privacy policies. WhatsAssist cannot guarantee that those apps' policies or technical changes won't affect your experience.

18. California residents (CCPA / CPRA)

If you're a California resident, you have the following rights:

Right to know what categories of personal information we collect (see Section 4).
Right to delete your personal information.
Right to correct inaccurate information.
Right to opt out of "sale" or "sharing" — we do not sell or share your personal data for cross-context advertising and have not in the prior 12 months.
Right to limit the use and disclosure of sensitive personal information.
Right to non-discrimination for exercising any of these rights.

To exercise these rights, email support@opergen.com with the subject CCPA Request.

19. India residents (DPDP Act 2023)

If you are an individual in India ("Data Principal"), the Digital Personal Data Protection Act, 2023 grants you rights similar to those described above, including the right to access, correction, erasure, grievance redressal, and nomination. Our Grievance Officer can be reached at support@opergen.com with the subject DPDP Grievance. We will respond within the timelines prescribed by the DPDP Act and any subordinate rules.

20. Changes to this policy

We will revise the "Last updated" date at the top.
For material changes, we will notify you via email or in-app notice at least 14 days before the change takes effect.
Your continued use after a change means you accept the updated policy.
Prior versions are archived and available on request via support@opergen.com.

21. Contact us

All privacy matters: support@opergen.com
Grievance Officer (India): support@opergen.com — subject: DPDP Grievance
CCPA requests: support@opergen.com — subject: CCPA Request
Registered office: OperGen Technologies Private Limited, Bengaluru, Karnataka, India

We typically respond within 5 business days, faster for urgent requests.

22. Google Play Data Safety summary

This mirrors the disclosures we make in our Google Play Data Safety section.

Data type	Collected	Shared	Optional	Purpose
Email address	Yes	No	No	Account management
Name	Yes	No	Yes	Personalization
User ID	Yes	No	No	Account, analytics
Messages in app	Yes	No	No	Core functionality (draft replies)
Messages history (cloud sync)	Yes	No	Yes	App functionality
App info and performance	Yes	No	No	Diagnostics, crash reporting
Device or other IDs	Yes	No	No	Analytics, security
Approximate location	Yes	No	No	Regional pricing, analytics
Photos / Videos	No	No	—	—
Audio files	No	No	—	—
Contacts	No	No	—	—
Precise location	No	No	—	—
Web browsing history	No	No	—	—
Financial info (cards)	No	No	—	—

Encrypted in transit: Yes · Deletion supported: Yes · Play Families Policy: No (not directed at children)

This Privacy Policy is published in English. If we make it available in other languages, the English version controls in case of conflict.