Privacy Policy

1. Introduction

This Privacy Policy explains how White Lions Group Pty Ltd, a company registered in Australia and trading as Kaanha AI ("Kaanha AI", "we", "us", or "our"), collects, uses, stores, shares, and protects personal data when you use the Kaanha AI platform, including the web application at kaanha.ai, the Kaanha AI mobile application (iOS), our APIs, and any related services (collectively, the "Service").

Kaanha AI is a multi-tenant software-as-a-service (SaaS) platform for WhatsApp Business CRM, omni-channel messaging, voice agents, and AI-powered customer engagement. Our customers ("you", "Customer", or "Organization") use the Service to communicate with their own end users ("Contacts").

This policy applies to:

• Customers — businesses and individuals who sign up for a Kaanha AI account.
• End users (Contacts) — individuals who interact with our Customers through Kaanha AI-powered channels (WhatsApp, SMS, voice, Slack, Notion, email).
• Visitors to our public marketing pages and documentation.

For data we process on behalf of our Customers (such as Contact phone numbers and message content), the Customer is the "controller" and Kaanha AI is the "processor" under GDPR. Our role is governed by our Data Processing Agreement (DPA).

2. Information We Collect

We collect the following categories of information:

2.1 Account Information

• Full name, email address, password (stored as a bcrypt cost-12 hash — we never see the plaintext), business name, and country.
• Multi-factor authentication enrollment data (TOTP secret, backup codes — encrypted at rest).
• Organization name, slug, billing tier, and team membership roles.
• OAuth identifiers when you sign in with Google.

2.2 WhatsApp Business Account (WABA) Data

• WhatsApp Business API credentials (Phone Number ID, WABA ID, system-user access token) — encrypted at rest with AES-256-GCM.
• Verified business display name, profile photo, and About text.
• Approved message templates and template performance metrics.

2.3 Contact Data (processed on behalf of our Customers)

• Contact phone numbers (E.164 format), display name, profile photo URL, tags, custom fields, lifecycle stage.
• Opt-in / opt-out status for WhatsApp and SMS.
• Conversation assignment, owner, and notes.

2.4 Message Data (processed on behalf of our Customers)

• Inbound and outbound message content (text, captions, button payloads, interactive replies) across WhatsApp, SMS, Slack, Notion, and email.
• Media metadata (mime type, size, sender, timestamp). Media binaries are fetched on demand from Meta's CDN or stored temporarily in object storage.
• Delivery receipts, read receipts, reactions, and replies.
• Message threading metadata (conversation ID, thread ID, parent message ID).

2.5 SMS Consent Data

• Opt-in status, opt-in timestamp, opt-in source, opt-out timestamp, and consent text — required for TCPA compliance.

2.6 Voice Call Audio (rolling out)

• When you enable voice agents, inbound and outbound call audio is streamed in real time to our voice processing pipeline (Sarvam AI for STT/TTS or Deepgram for STT/TTS, Google Gemini 1.5 Flash for response generation, ElevenLabs for welcome-message pre-synthesis only).
• Call recordings (if recording is enabled in your settings), transcripts, turn timings, and provider response metadata.
• Caller phone number, called phone number, call duration, disposition.

2.7 Mobile Device Identifiers (Kaanha AI mobile app)

• Expo push token, device platform (iOS), app version, OS version, device model.
• Biometric enrollment flag (the biometric template itself is stored on your device by Apple Secure Enclave — Kaanha AI never receives or stores biometric data).
• Offline-mode queue contents (local to device until network is restored).

2.8 Usage and Diagnostic Data

• Feature usage events, API call counts, message volumes, AI credit consumption, error logs, and audit logs (login attempts, role changes, configuration updates).
• IP addresses (for rate limiting, abuse prevention, and audit logging).
• Browser user-agent strings and approximate geolocation derived from IP.

2.9 Payment Data

• Billing address, last 4 digits of card, card brand, expiry month/year, and Stripe customer / subscription identifiers. We never see, transmit, or store full card numbers, CVV codes, or bank credentials — these are handled directly by Stripe (PCI-DSS Level 1).
• Subscription tier (Free, Starter, Pro, Premium, Enterprise), billing cycle, invoice history, and AI credit balance.

3. How We Use Your Information

• Provide the Service: create and authenticate your account, render the dashboard, synchronize data across devices, and power your CRM workflows.
• Deliver messages: send and receive WhatsApp, SMS, Slack, Notion, and email messages on your behalf via the official Meta Cloud API and our other integration partners.
• AI processing: generate AI chatbot responses (when AI is enabled) using Google Gemini 1.5 Flash or GPT-4o-mini, with optional opt-in routing to OpenAI or Anthropic for advanced workflows.
• Voice processing: route, transcribe, generate, and synthesize voice agent calls via Twilio Voice + Sarvam AI / Deepgram / Google Gemini / ElevenLabs (rolling out).
• Billing and metering: meter AI credit usage (1 credit = 1,000 tokens), enforce subscription limits, process Stripe payments, generate invoices, and send billing notifications.
• Security and abuse prevention: rate limiting, fraud detection, intrusion detection, audit logging, and compliance with WhatsApp Business Policy and TCPA.
• Customer support: respond to your support requests and send service-related notifications (incident notices, security alerts, policy updates).
• Product improvement: analyze aggregate, de-identified usage patterns to improve performance, reliability, and feature design. We do not use the content of your messages or your Contacts' data to train AI models.

4. Legal Bases for Processing (GDPR Article 6)

Where the EU/UK General Data Protection Regulation applies, our legal bases for processing personal data are:

• Contractual necessity (Art. 6(1)(b)): processing required to provide the Service under our Terms of Service — account creation, message delivery, billing, voice processing.
• Legitimate interest (Art. 6(1)(f)): security, abuse prevention, audit logging, fraud detection, and service analytics. We balance these interests against your rights and freedoms and document this assessment.
• Consent (Art. 6(1)(a)): AI processing of your Contacts' messages, optional integrations (Slack, Notion, Google), marketing communications. Consent can be withdrawn at any time without affecting prior processing.
• Legal obligation (Art. 6(1)(c)): tax record-keeping, response to lawful regulatory or law-enforcement requests, and TCPA / opt-out compliance.

5. Data Storage and Security

We apply controls mapped to the SOC 2 Trust Service Criteria (Security, Availability, Confidentiality, and Processing Integrity). Kaanha AI is not currently SOC 2 certified; certification is on our compliance roadmap.

5.1 Encryption

• Encryption in transit: TLS 1.2 or higher on all public endpoints, HTTP Strict Transport Security (HSTS) with max-age=31536000 on all production hostnames.
• Encryption at rest: AES-256-GCM on more than 15 credential fields including WhatsApp tokens, Twilio auth tokens, voice provider API keys, OAuth refresh tokens, MFA secrets, and OTP backup codes.
• Password hashing: bcrypt with cost factor 12.
• API token hashing: SHA-256 with per-org pepper. Plain tokens are shown once at creation and never stored in recoverable form.

5.2 Multi-Tenant Isolation

Every tenant-scoped database query is filtered by organizationId at the application layer, with row-level security policies enforced at the PostgreSQL layer. Cross-tenant access is fail-closed by default and audit-logged.

5.3 Authentication and Access Controls

• Session management: NextAuth.js v4 with httpOnly, Secure, SameSite=Lax JWT cookies; 24-hour maximum session lifetime.
• MFA: TOTP-based multi-factor authentication compatible with Google Authenticator, Authy, 1Password, and any RFC 6238 client.
• Brute-force protection: 5 failed login attempts trigger a 30-minute account lockout.
• Password policy: minimum 8 characters, mixed case + at least one digit, last 5 passwords cannot be reused.
• Role-based access: Owner / Admin / Member / Read-only roles enforce per-feature permissions inside each Organization.

5.4 Webhook and Integration Security

• Twilio request-signature verification on every voice and SMS webhook.
• HMAC verification on voice tool-call and engine callback webhooks.
• Meta App Secret signature verification on every WhatsApp Cloud API webhook.
• Stripe signing-secret verification on all billing webhooks.
• SSRF protections, rate limiting, input validation, and idempotency keys across the API surface.

5.5 Personnel and Operational Controls

• Production access is restricted to authorized engineers, gated behind MFA, logged, and reviewed.
• Background checks and confidentiality agreements are required for all personnel with production access.
• Vulnerability scanning, dependency upgrades (npm audit, Dependabot), and penetration tests are performed periodically.

6. Data Retention

We retain personal data only for as long as required to provide the Service or meet a legal obligation. Default retention windows are:

Automated retention jobs run on a regular schedule and permanently delete expired records across all Organizations. Upon account deletion, all tenant-scoped data is permanently removed from primary databases within 30 days; encrypted backups are purged within the following backup-rotation cycle.

7. Third-Party Sub-Processors

We engage the following sub-processors to deliver the Service. Each is bound by a written agreement that requires data-protection terms equivalent to or stronger than those in this policy. A live, version-controlled list is published at /sub-processors.

We will provide at least 30 days' prior notice (via email and the dashboard sub-processors page) before adding or replacing a sub-processor that materially changes how your data is handled. You may object on reasonable data-protection grounds, in which case we will work in good faith to provide an alternative.

8. International Data Transfers

Kaanha AI's primary infrastructure is hosted in the United States (Railway). Voice STT/TTS may also be processed in India (Sarvam AI). Other sub-processors process data in the locations listed in Section 7.

Where personal data of residents in the European Economic Area (EEA), the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision from the European Commission, we rely on the European Commission Standard Contractual Clauses (SCCs) (Module 2: Controller-to-Processor or Module 3: Processor-to-Processor as applicable), supplemented by additional technical and organizational measures (encryption in transit and at rest, strict access controls, audit logging).

For transfers from Australia, we rely on the Australian Privacy Principle 8 (APP 8) cross-border disclosure framework. A copy of the SCCs and a transfer-impact assessment summary is available on request to privacy@kaanha.ai.

9. Your Rights (GDPR)

If you are a resident of the EEA, the United Kingdom, or Switzerland, you have the following rights with respect to your personal data:

• Right of access (Art. 15): request a copy of the personal data we hold about you, including processing purposes, recipients, and retention periods.
• Right to rectification (Art. 16): correct inaccurate or incomplete personal data.
• Right to erasure (Art. 17 — "right to be forgotten"): request deletion of your personal data, subject to legal retention obligations.
• Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format (JSON export available in Account → Data Export).
• Right to restriction (Art. 18): ask us to limit processing in defined circumstances.
• Right to object (Art. 21): object to processing based on legitimate interest, including profiling.
• Right to withdraw consent (Art. 7(3)): withdraw any consent you previously gave (e.g., AI processing, marketing emails) without affecting the lawfulness of prior processing.
• Right not to be subject to solely automated decision-making (Art. 22): see Section 11.
• Right to lodge a complaint: with your local supervisory authority. A list is available at edpb.europa.eu.

To exercise any of these rights, email privacy@kaanha.ai or use the in-product controls under Account → Privacy. We respond within 30 days; we may extend this by up to 60 days for complex requests and will tell you why.

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to know: the categories of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to delete: request deletion of personal information we collected from you, subject to statutory exceptions.
• Right to correct: request correction of inaccurate personal information.
• Right to opt-out of sale or sharing: Kaanha AI does not sell or share personal information for cross-context behavioral advertising.
• Right to limit use of sensitive personal information: where applicable.
• Right to non-discrimination: we will not deny services, charge different prices, or provide a different level of service because you exercised any CCPA right.

To exercise these rights, email privacy@kaanha.ai. We respond within 45 days and may extend by 45 days when reasonably necessary, with notice. We will verify your identity using information already on file before fulfilling the request.

11. AI and Automated Processing

• AI is opt-in. Free and Starter plans ship with AI disabled. Pro and Premium plans include token-based AI credits (1 credit = 1,000 tokens — Pro: 10,000 credits/month, Premium: 50,000 credits/month). AI providers are locked to Google Gemini 1.5 Flash and OpenAI GPT-4o-mini on these plans (no Bring-Your-Own-Key on Free/Starter/Pro/Premium).
• Mandatory AI disclosure (Meta Jan 2026 policy): before the first AI-generated reply in any conversation, your Contact automatically receives the disclosure: “You are chatting with an AI assistant. Reply HUMAN at any time to speak with a person.”
• Human escalation guarantee: Contacts can type HUMAN, AGENT, or PERSON at any time to instantly hand off to a human agent. This guarantee cannot be disabled.
• Task-specific AI: in line with Meta's January 2026 business-policy update, AI is configured for specific business tasks (customer support, FAQ, order tracking, qualification) — not as a standalone general-purpose chatbot. AI processing is incidental to a Customer's business operations.
• Content safety: all AI responses are filtered through a category checker (medical advice, financial recommendations, legal advice, violence, adult content, prompt-injection patterns) before being delivered to a Contact.
• No model training on your content. Kaanha AI does not use your messages, your Contacts' messages, or your business data to train any AI model. Our AI sub-processors (OpenAI, Anthropic, Google) are contractually bound by their respective enterprise / API terms, which prohibit training on submitted content.
• For the full AI system card, model versions, evaluations, and risk disclosures, see /ai-disclosure.

12. WhatsApp Opt-Out and STOP Processing

Kaanha AI uses the official Meta WhatsApp Business Cloud API exclusively. Opt-in is enforced at the API layer for all outbound messages — outbound traffic to a Contact who has not opted in is rejected at the gateway.

Opt-out keywords: a Contact can stop receiving WhatsApp messages at any time by sending any of: STOP · UNSUBSCRIBE · CANCEL · QUIT · END · BLOCK.

Re-subscribe: Contacts can re-subscribe by sending START.

Opt-out is processed automatically and immediately at the platform layer, a confirmation message is sent in the same conversation, and the Contact is excluded from all future broadcasts and proactive messaging. The 24-hour conversation window rule and Meta's template-message requirements are enforced for all outbound traffic. These controls cannot be overridden by Customers or operators.

13. SMS / TCPA Opt-Out

SMS messaging through Kaanha AI is delivered via Twilio and is subject to the U.S. Telephone Consumer Protection Act (TCPA), CTIA Messaging Principles and Best Practices, and equivalent regulations in other jurisdictions.

Opt-out keywords: STOP · STOPALL · UNSUBSCRIBE · CANCEL · END · QUIT.

Re-subscribe: START · YES · UNSTOP.

Help: HELP · INFO.

These keywords are processed automatically at the carrier level and again by our platform — neither Customers nor operators can override them. TCPA prior express written consent is required before any marketing SMS is sent. Consent records (opt-in source, timestamp, consent text) are stored for the lifetime of the contact for audit purposes.

14. Voice Calls (Rolling Out)

Kaanha AI Voice Agents handle inbound and outbound phone calls using AI. The feature is currently rolling out and is gated to specific plans and accounts. When you enable a voice agent:

• Telephony: Twilio Voice handles the SIP/PSTN connection.
• Speech-to-text (STT): Sarvam AI (Indic and English languages, processed in India) or Deepgram (English, processed in the United States), depending on agent configuration.
• Language model (LLM): Google Gemini 1.5 Flash (processed in the United States).
• Text-to-speech (TTS): Sarvam AI (Indic) or Deepgram Aura (English). ElevenLabs is used only for pre-synthesizing the welcome message in some configurations.
• What is processed: caller phone number, the audio of each turn, the transcript of each turn, AI-generated response text and audio, and call metadata (duration, disposition, tool calls).
• Where it is stored: transcripts and metadata are stored in our primary US-based PostgreSQL. Audio recordings, if recording is enabled, are stored in object storage with the same retention configuration as message media (90 days default).
• Webhook security: Twilio request-signature verification and HMAC verification on all engine-to-platform callbacks (fail-closed).
• Caller opt-out: callers can request a human agent during any voice call by saying “agent”, “human”, or “representative”, or by pressing 0. Where applicable law requires call-recording disclosure, the agent provides it before recording begins.

Voice agents follow the same retention defaults as message data and can be configured per Organization. Voice features are disabled on the Free and Starter plans.

15. Mobile App

The Kaanha AI mobile app (iOS, version 2.1.0, available on the Apple App Store) is a React Native operator inbox that consumes the same APIs as the web application and supports switching between Organizations.

• Device identifiers: we collect Expo push tokens, OS version, app version, and device model for diagnostic and push-delivery purposes. We do not collect IDFA, contact lists, photos, microphone input, or precise location.
• Biometric login (optional): Face ID or Touch ID can be enabled to unlock the app. The biometric template is generated and stored in the device's Secure Enclave by Apple — Kaanha AI never receives or stores biometric data.
• Offline mode: a local cache lets you read recent conversations without network. A banner indicates offline state. Drafts are queued locally and sent when the device is back online.
• Push notifications: delivered via Expo Push Service, which fans out to Apple APNs (iOS) or Google FCM (when Android ships). You can disable push at any time from your device settings.
• Data minimization: only the data required for the operator inbox tabs (Chats, Contacts, Quick Replies, Profile) is fetched. Dashboard, Pipeline, Settings, and Billing are web-only.

16. Cookies and Local Storage

We use a single session cookie and browser local storage. We do not use tracking, advertising, or analytics cookies, and we do not embed third-party tracking pixels.

For the full cookie inventory and your choices, see /cookie-policy.

17. Children's Privacy

Kaanha AI is a business tool. The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If we become aware that personal data of a child has been collected without verifiable parental consent (where required), we will delete that data and terminate any associated account. If you believe a child's data has been provided to us, contact privacy@kaanha.ai.

18. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes (changes that expand the categories of personal data collected, the purposes of processing, or the sub-processors used), we will provide at least 30 days' prior notice via email to the account owner and a banner on your dashboard before the change takes effect. Non-material changes (clarifying edits, formatting, contact-detail updates) take effect on publication. The “Last updated” date at the top of this page always reflects the latest revision.

19. Contact Us

For privacy questions, data-subject requests, or to exercise any right under this policy, contact us at:

• Privacy: privacy@kaanha.ai
• Legal: legal@kaanha.ai
• Security incidents and responsible disclosure: security@kaanha.ai

Mailing address:
White Lions Group Pty Ltd
(Trading as Kaanha AI)
Australia

20. Companion Documents

This Privacy Policy should be read together with the following documents, which form part of our overall agreement and disclosures:

• Terms of Service
• Data Processing Agreement (DPA)
• Acceptable Use Policy (AUP)
• Refund Policy
• Sub-Processors
• AI Disclosure / System Card
• Cookie Policy
• DMCA Notice and Takedown