Autopilot My Business is a business-to-business (B2B) workplace application made available only to employees and authorised users of organisations that subscribe to our service. It is not offered to the general public. When you use the App as part of your employer/organisation, that organisation is the data controller and decides what data is processed and why; we act as a data processor on their behalf.
Words with an initial capital letter have meanings defined under the following conditions, and these definitions apply whether they appear in singular or plural form.
A unique account created for you to access our Service or parts of our Service.
("We," "Us," or "Our") refers to Autopilotmybusiness, based in Nehru Place, New Delhi.
Small files placed on your device by a website, containing information about your browsing history and other uses.
India.
Any device capable of accessing our Service, such as a computer, smartphone, or tablet.
Any information relating to an identified or identifiable individual.
Refers to the website and any other services provided by the Company, specifically business process automation.
Any natural or legal person processing data on behalf of the Company.
Data automatically collected from the use of our Service or its infrastructure.
The Company's website, accessible from www.autopilotmybusiness.com.
The individual or legal entity accessing or using the Service.
This policy has been crafted to reflect the operations of Autopilotmybusiness, under the management of Arun P Sharma.
Name, email address, phone number, role/designation, employer (tenant) association, and authentication data needed to sign you in.
For organisations using the call-tracking / telecalling features, after you grant phone and call-log permissions we process, for calls you make or receive on the device: phone number dialled or received, call duration and type (outgoing / incoming / missed / rejected), and call timestamp. This is uploaded to your organisation’s CRM to create call/follow-up records. We do not read or upload the contents of unrelated calls, SMS messages, or your personal communications.
Where your organisation enables it and your device/dialer creates call recordings, the App may read the recording file for a tracked call from your device storage and upload it to your organisation’s CRM. Only recordings relevant to tracked business calls are accessed. No other documents or media are accessed.
For organisations using field-staff/attendance features, and only for users enrolled in tracking, we collect device location (including in the background where permitted) to record attendance and field activity for your employer.
Device model, OS version, app version, push notification token (for notifications), IP address, and diagnostic/usage logs.
Each sensitive permission is requested with an in-app explanation, and is only used for the feature described below.
| Permission | Why we request it |
|---|---|
READ_PHONE_STATE
|
Detect when a call starts/ends to log it. |
READ_CALL_LOG
|
Read accurate call duration and type for CRM call records. |
CALL_PHONE
|
Place calls to contacts/leads from within the App. |
RECORD_AUDIO / storage / media-audio
|
Access call recordings to sync to your CRM. |
ACCESS_FINE/COARSE/BACKGROUND_LOCATION
|
Field-staff attendance & activity tracking (enrolled users only). |
POST_NOTIFICATIONS
|
Show caller-ID and business notifications. |
Foreground service
|
Keep call/location tracking reliable while the App is in the background. |
RECEIVE_BOOT_COMPLETED
|
Resume tracking after the device restarts. |
To provide its powerful automation features, our Service requires extensive access to your Google account, specifically your Gmail data. This section transparently details what data we access, why we need it, and how we protect it, in full compliance with Google's requirements for sensitive and restricted scopes.
Our application is a business automation tool that operates based on rules and workflows you create. To execute these user-defined tasks, we require access to various functions within your Gmail account. We are committed to data minimization, but the comprehensive nature of automation requires broad permissions. Access is never used for purposes other than executing the workflows you configure.
Purpose: The core of our Service is automating your email communication. This allows you to create workflows that can, for example, automatically reply to customer inquiries, send follow-ups on invoices, process information from an email body, and then archive or delete the email to keep your inbox clean.
Data Accessed: Email body, headers, recipients, attachments. We can read, create, send, and even permanently delete emails on your behalf as directed by your automation rules.
Purpose: To help you automatically manage and organize your inbox. Your workflows can apply labels (e.g., "Paid," "Urgent," "Follow-Up") to incoming or outgoing emails, and move emails between folders (e.g., move all receipts to a "Receipts" folder).
Data Accessed: Email messages and their labels.
Purpose: For advanced workflows that require importing emails into your mailbox. For example, you could create an automation that logs an activity from a CRM and then inserts a corresponding email record into your Gmail account.
Data Accessed: We can insert emails into your mailbox.
Purpose: To allow you to create and manage highly sophisticated automation rules. This functionality is used to programmatically create or modify Gmail filters and forwarding addresses based on your business needs. For example, you could create a workflow to temporarily forward all emails from a specific client to a project manager.
Data Accessed: Your Gmail filters, forwarding settings, and other general email settings. This access is highly sensitive and is used only to execute automation rules you explicitly create.
Purpose: For simpler, faster workflows that do not require reading the entire email. For example, an automation could be triggered just by checking the sender's email address or the subject line. This minimizes data access wherever possible.
Data Accessed: Email headers (From, To, Subject, Date) and labels, without accessing the email body.
Purpose: To provide our Service's features directly within the Gmail interface for a seamless user experience. This access is contextual and only active when you are interacting with our add-on inside Gmail.
Data Accessed: Email content and compose windows, but only when the add-on is open and you are actively using it.
Your Google user data is used exclusively to provide and improve the automation services you have configured.
We do not share, transfer, or disclose your Google user data with any third parties. The only exceptions to this rule are:
https://mail.google.com/
https://www.googleapis.com/auth/gmail.modify
https://www.googleapis.com/auth/gmail.readonly
https://www.googleapis.com/auth/gmail.compose
https://www.googleapis.com/auth/gmail.send
https://www.googleapis.com/auth/gmail.insert
https://www.googleapis.com/auth/gmail.labels
https://www.googleapis.com/auth/gmail.metadata
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing
https://www.googleapis.com/auth/gmail.addons.current.message.readonly
https://www.googleapis.com/auth/gmail.addons.current.action.compose
https://www.googleapis.com/auth/gmail.addons.current.message.action
To provide meeting attendance insights and automation features, our Service requires access to certain data from your Zoom account. We adhere to the Zoom App Marketplace Developer Agreement and Privacy Policy.
Our application accesses data only when you explicitly connect your Zoom account to execute workflows or view insights.
Your Zoom user data is used exclusively to provide insight features within your dashboard.
We do not share, transfer, or disclose your Zoom user data with any third parties, except where required by law.
We do not sell your personal data and do not share it with advertisers.
We implement robust technical and organizational security measures to safeguard your Google and Zoom user data against unauthorized access, alteration, disclosure, or destruction.
All data is encrypted in transit using Transport Layer Security (TLS 1.2 or higher) and encrypted at rest using industry-standard AES-256 encryption.
We enforce strict internal access controls based on the Principle of Least Privilege, ensuring that only a minimal number of authorized personnel with a legitimate business need can access systems containing user data.
Our application is hosted on a secure cloud infrastructure (e.g., Google Cloud/AWS) that provides comprehensive security protections.
We continuously monitor our systems for vulnerabilities and potential security threats.
We retain your data only for as long as you maintain an active Account with our Service, or as needed to provide the Service to you. You have full control over your data and the right to delete it at any time.
You can delete your Account from the application's dashboard at any time. Upon receiving a deletion request, all associated data will be permanently erased from our live systems within 30 days.
You can revoke access at any time via your Google Account permissions or Zoom App Marketplace managed apps settings.
This is a feature-specific privacy addendum to the Autopilot My Business Platform Privacy Policy. It governs the collection, storage, processing, and deletion of data associated exclusively with the WhatsApp Web integration. This feature allows registered business tenants ("Tenants") to link their WhatsApp accounts, send and receive messages, manage contacts, run broadcast campaigns, and access a shared CRM inbox — all within the platform.
Important: The WhatsApp Web integration uses an unofficial WhatsApp Web client. It is not affiliated with, endorsed by, or officially supported by Meta Platforms, Inc. or WhatsApp LLC. Use of this feature is at the Tenant's own risk with respect to WhatsApp's Terms of Service.
Autopilot My Business is a multi-tenant B2B SaaS platform providing CRM, HR, Inventory, and Marketing automation. For data protection purposes, Autopilot My Business acts as the Data Processor on behalf of its Tenants. Each Tenant is the Data Controller for end-user data processed through the WhatsApp integration.
The following categories of data are collected specifically by the WhatsApp Web integration:
To maintain a persistent WhatsApp Web connection, the integration generates authentication credentials equivalent to those stored in a WhatsApp Web browser session. These include cryptographic keys, signal protocol state, and registration identifiers. Data is stored encrypted in our database, isolated per Tenant and per registered device. Deleting a device from the platform revokes and purges all associated session data.
All messages sent or received through a connected WhatsApp device are stored in our database. Each message record may contain:
| Field | Description | Example |
|---|---|---|
| jid | WhatsApp contact or group identifier | [email protected] |
| content | Text body of the message | "Hi, following up on your order" |
| messageType | Type: text, image, video, audio, document, location, contact, sticker, reaction | image |
| mediaUrl | URL of uploaded media (stored in cloud storage) | Google Drive link |
| senderName | WhatsApp Push Name of the sender | "John Doe" |
| isFromMe | Whether the message was sent by the connected device | true |
| status | Delivery status: PENDING, SENT, DELIVERED, READ, ERROR | DELIVERED |
| timestamp | UTC timestamp of the message | ISO-8601 datetime |
| source | Origin: app, phone, or automation | automation |
| connectedPhoneNumber | Phone number of the linked WhatsApp account | +91XXXXXXXXXX |
When contacts interact with a connected device, the system caches their identity data to resolve display names. This includes:
For WhatsApp group messaging, the platform stores group metadata including:
Every outgoing message action is logged for audit and deliverability tracking:
When a Tenant runs a broadcast campaign, the following is stored:
Messages awaiting delivery (due to rate limiting, offline devices, or scheduled sends) are stored in a durable message queue containing the full message payload, recipient identity, scheduled time, retry count, and processing status.
To protect connected WhatsApp numbers from being banned, the platform tracks per-device messaging statistics:
Connection lifecycle events (device connected, disconnected, QR scanned) are logged for operational monitoring. On a manual disconnection or ban, the platform sends an email alert to the Tenant's administrator. The email contains the device name and business display name — no message content is included.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Maintaining an active WhatsApp Web session for the Tenant | Session credentials | Contract (service provision) |
| Displaying the CRM inbox (received and sent messages) | Message content, JID, sender name, timestamps | Contract (service provision) |
| Sending messages on behalf of the Tenant | Recipient JID, message content, media, delivery status | Contract + Tenant's instruction |
| Resolving contact display names across the CRM | Contact identity cache (push name, JID, phone) | Legitimate interest (UX consistency) |
| Rate limiting / preventing WhatsApp account bans | Daily message counts, interaction ratio, account age | Legitimate interest (platform stability) |
| Running broadcast campaigns | Recipient list, message template, delivery outcomes | Contract + Tenant's instruction |
| Delivering notifications when a device disconnects | Device ID, admin email, business name | Legitimate interest (operational alert) |
| Audit logging for support and dispute resolution | Message logs (from/to numbers, status) | Legitimate interest (accountability) |
No advertising use: Data processed through the WhatsApp integration is never used for advertising, sold to third parties, or combined with external datasets for profiling end users.
| Data Category | Minimum Retention | Maximum Retention | Deletion Method |
|---|---|---|---|
| WhatsApp session credentials | Until device is removed | Until device is removed | Purged on device disconnection/logout |
| Message content (inbox) | 6 months | 12 months | Automated batch deletion nightly at 03:30 UTC |
| Contact identity cache | Duration of Tenant subscription | Subscription + 30 days | Purged on account termination |
| Group metadata & participant lists | Duration of Tenant subscription | Subscription + 30 days | Purged on account termination |
| Message delivery logs | 12 months | 12 months | Automated deletion |
| Campaign data | Duration of Tenant subscription | Subscription + 90 days | Purged on account termination |
| Message queue entries | Until processed or failed | 90 days (stuck entries) | Automated reaper job |
| Account health metrics (aggregated) | Derived from message data | Deleted with messages | Computed on demand; no separate store |
The default retention thresholds (6-month keep floor and 12-month delete ceiling) are configurable by platform administrators. These values can only be lowered (more aggressive deletion), never raised beyond the limits stated above.
By using this feature, messages are transmitted over WhatsApp's infrastructure. Meta Platforms, Inc. processes these messages in accordance with WhatsApp's own Privacy Policy. Autopilot My Business has no control over Meta's data practices. Tenants and their end-users are also subject to WhatsApp's Terms of Service.
The platform's servers, databases, and media storage are hosted on cloud infrastructure. Infrastructure providers operate under their own data processing agreements and do not have independent access to Tenant message data.
Media files received or sent via WhatsApp may be uploaded to Google Drive with the resulting link stored in the message record. Access to these files is controlled by the Tenant's Google Drive account permissions.
Autopilot My Business does not sell, rent, or share personal data processed through the WhatsApp integration with any advertising networks, data brokers, or marketing analytics providers.
Where sub-processors are engaged, appropriate Data Processing Agreements (DPAs) are in place. Tenants may request a list of current sub-processors by emailing [email protected].
As Data Controllers for their end-user data, Tenants who enable the WhatsApp Web integration accept the following obligations:
End-users whose personal data is processed through a Tenant's WhatsApp integration may exercise the following rights under applicable data protection law (GDPR, PDPB, or equivalent):
These requests should be directed to the Tenant (the business that messaged the end-user). If a Tenant fails to respond, end-users may contact Autopilot My Business at [email protected].
The WhatsApp Web integration and the Autopilot My Business platform are intended exclusively for B2B use. We do not knowingly collect or process data relating to individuals under the age of 13. Tenants must not use the integration to contact minors without appropriate legal basis and parental consent.
Data may be stored on servers located outside the Tenant's jurisdiction depending on the cloud infrastructure region selected. Where data is transferred across borders, appropriate safeguards are in place (Standard Contractual Clauses, adequacy decisions, or equivalent mechanisms). Tenants requiring data residency in a specific region should contact [email protected] before enabling the feature.
In the event of a personal data breach affecting the WhatsApp integration, Autopilot My Business will:
Tenants are responsible for notifying their own end-users and relevant supervisory authorities where required by applicable law.
The WhatsApp Web feature uses the following browser-side storage:
We may update this policy as we add new capabilities to the WhatsApp integration or in response to changes in applicable law. Material changes will be communicated to Tenant administrators via in-platform notification and/or email at least 14 days before they take effect. Continued use of the WhatsApp integration after the effective date constitutes acceptance of the revised policy.
For questions, data requests, or complaints related to this policy, contact us at [email protected]. If you are an end-user and believe your data has been processed unlawfully, you also have the right to lodge a complaint with your local data protection supervisory authority.
If you have any questions about this Privacy Policy, you can contact us: