Home / Privacy Policy

Privacy Policy

Effective Date: 16 June 2026

Last Updated: 16 June 2026

WhatsRCS ("WhatsRCS," "we," "us," or "our") operates the website whatsrcs.com and provides RCS (Rich Communication Services) based messaging, campaign management, and customer engagement services (the "Services"). This Privacy Policy is published in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023, along with its associated Rules (collectively, "Indian Data Protection Law").

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you visit our website, register for an account, or use our Services, and describes the rights available to you in respect of your personal data.

This Privacy Policy applies to two categories of individuals:

  • Visitors to whatsrcs.com and businesses that register with us to use our Services ("Customer," "you")
  • The end customers, contacts, or recipients ("End Users") whose personal data Customer uploads to the Platform in order to send RCS messages

Under Indian Data Protection Law, WhatsRCS acts as the "Data Fiduciary" in respect of the personal data of Customers (the businesses that use our Services). For personal data of End Users contained in contact lists uploaded by Customer, WhatsRCS acts as a "Data Processor" on Customer's instructions, and Customer is the Data Fiduciary responsible for that personal data, as further explained in Section 7.

1. Personal Data We Collect

1.1 Personal Data You Provide to Us

  • Contact and account information, such as name, business name, email address, phone number, billing address, and any details submitted through our contact form, sign up process, or RCS Agent registration
  • Billing and payment information necessary to process payments, which is handled through third party payment processors; we do not store full card or bank account details
  • Communications, including messages, queries, or support requests sent to us

1.2 Customer Data (End User Personal Data)

When Customer uses the Services to run RCS messaging campaigns, Customer may upload contact lists containing End User personal data such as names, phone numbers, and any other data Customer chooses to include. We process this personal data solely to deliver the Services requested by Customer, such as sending messages and generating performance reports.

1.3 Information Collected Automatically

  • Usage data, such as pages visited, features used, timestamps, and delivery or click through data for messages sent
  • Device and technical data, such as IP address, browser type, operating system, and device identifiers
  • Cookies and similar tracking technologies, as described in Section 8

2. How We Use Personal Data

We process personal data for the following specified purposes:

  • To provide, operate, and maintain the Services, including RCS Agent registration, campaign creation, message delivery, and reporting
  • To create and manage Customer accounts and respond to inquiries
  • To process payments and manage billing
  • To communicate with Customer about the Services, including updates, security alerts, and support messages
  • To monitor, analyze, and improve the Platform, including troubleshooting and detecting fraud or misuse
  • To comply with our obligations under applicable law and under the policies of Google, Jibe Mobile Inc., and mobile network operators

3. Consent and Legitimate Uses

  • 3.1 Wherever required under the Digital Personal Data Protection Act, 2023, we collect and process personal data only on the basis of consent that is free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. The notice accompanying our request for consent specifies the personal data being collected and the purpose of such processing.
  • 3.2 You may withdraw your consent at any time, with the withdrawal being as easy as giving consent. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal, but may affect our ability to continue providing certain Services.
  • 3.3 In limited circumstances recognized as "legitimate uses" under applicable law, such as where Customer has voluntarily provided personal data to us for a specified purpose and has not indicated that it does not consent to its use, or where processing is necessary to comply with a legal obligation or judgment, or to respond to a medical emergency, we may process personal data without separate consent, to the extent permitted by law.

4. How We Share Personal Data

We do not sell personal data. We may share personal data in the following circumstances:

  • With Google LLC and its affiliates, including Jibe Mobile Inc., and with mobile network operators ("Carriers"), to the extent necessary to register RCS Agents and deliver RCS messages
  • With other Data Processors who support our operations, such as hosting providers, analytics providers, payment processors, and customer support tools, under contractual obligations that require them to process personal data only as instructed by us and to maintain appropriate security safeguards
  • To comply with our obligations under Indian Data Protection Law, or in response to lawful requests from courts, the Data Protection Board of India, regulators, or law enforcement authorities
  • In connection with a merger, acquisition, financing, or sale of business assets, subject to confidentiality protections
  • With Customer's consent, or at Customer's direction

5. Data Retention

We retain personal data only for as long as is necessary to fulfil the specified purpose for which it was collected, or as required to comply with any applicable legal or regulatory requirement. End User personal data uploaded by Customer is retained for the duration of the relevant campaign and for a reasonable period thereafter for reporting purposes, unless Customer requests earlier erasure or applicable law requires a different retention period. Where personal data is no longer necessary for the specified purpose and Customer's account has been inactive for the period prescribed under applicable law, we will erase such personal data in accordance with that law.

6. Data Security

In accordance with the reasonable security practices prescribed under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Digital Personal Data Protection Act, 2023, we implement reasonable technical and organizational security safeguards designed to protect personal data from unauthorized access, disclosure, alteration, loss, or destruction, including encryption of data in transit, access controls, and periodic security reviews. In the event of a personal data breach, we will take steps to notify the Data Protection Board of India and affected Data Principals as required by applicable law.

7. Role as Data Processor for End User Personal Data

For personal data contained in customer contact lists uploaded by Customer, WhatsRCS acts solely as a Data Processor acting on Customer's instructions. Customer, as the Data Fiduciary for that personal data, is responsible for:

  • Ensuring it has obtained valid consent, in the manner required under the Digital Personal Data Protection Act, 2023, to collect, share with WhatsRCS, and use End User personal data for RCS messaging
  • Providing End Users with appropriate notice regarding the collection and use of their personal data
  • Honoring End User requests to access, correct, update, or erase their personal data, and to withdraw consent or opt out of further messages

WhatsRCS will provide reasonable assistance to Customer in fulfilling such requests where required by applicable law.

8. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to operate the Platform, remember preferences, and understand how visitors use our website. You can control cookies through your browser settings, although disabling cookies may affect the functionality of the website.

9. Transfer of Personal Data Outside India

Because the Services rely on infrastructure operated by Google and other global service providers, personal data may be transferred to, stored, and processed in countries outside India. The Digital Personal Data Protection Act, 2023 permits such transfers, except to countries or territories that the Government of India may restrict by notification from time to time. We do not knowingly transfer personal data to any country or territory so restricted.

10. Rights of Data Principals

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the right to:

  • Obtain a summary of the personal data we hold about you and the processing activities carried out with respect to such data
  • Seek correction, completion, and updating of your personal data
  • Seek erasure of your personal data that is no longer necessary for the purpose for which it was processed, subject to any legal retention requirements
  • Withdraw consent at any time, where processing is based on consent
  • Nominate another individual to exercise these rights on your behalf in the event of death or incapacity
  • Have readily available means to register a grievance with us, and, if not satisfied with our response, to approach the Data Protection Board of India

To exercise these rights, please contact us using the details in Section 14. We may need to verify your identity before fulfilling a request, and we will respond within the timelines prescribed under applicable law.

11. Marketing Communications and Opt-Out

End Users who receive RCS messages from a Customer through our Platform may opt out at any time by replying "STOP" or using the opt-out method indicated in the message. Customer is responsible for promptly honoring such requests and maintaining auditable consent records, and WhatsRCS will provide tools to support this process where applicable.

12. Personal Data of Children

In accordance with the Digital Personal Data Protection Act, 2023, "child" means an individual who has not completed the age of eighteen years. Our Services are intended for use by businesses and individuals above the age of eighteen, and we do not knowingly collect personal data directly from children. Where processing of a child's personal data is unavoidable, we will process such data only with the verifiable consent of the child's parent or lawful guardian, obtained in the manner prescribed under applicable law.

13. Third Party Links and Services

Our website may contain links to third party websites or services, including those of Google and our payment processors. This Privacy Policy does not apply to those third party sites, and we encourage you to review their respective privacy policies.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The updated version will be posted on whatsrcs.com with a revised "Last Updated" date. We encourage you to review this Privacy Policy periodically.