fonetic.ai
Privacy Policy
Legal Entity
Godrongo 82 Labs LLP
LLPIN
ACS-4184
Registered Address
406 Building 10, Shanti Park Apartments, Jayanagar 9th Block, Bangalore 560041, India
Godrongo 82 Labs LLP (LLPIN: ACS-4184), with its registered office at 406 Building 10, Shanti Park Apartments, Jayanagar 9th Block, Bangalore 560041, India ("Fonetic", "we", "us", or "our") operates the Fonetic AI sales automation platform, including the website fonetic.ai, the application at app.fonetic.ai, and related services (collectively, the "Service").
This Privacy Policy explains how we collect, use, store, share, and protect personal information in connection with the Service, in alignment with:
- the Digital Personal Data Protection Act, 2023 (DPDP Act) of India,
- the Information Technology Act, 2000 and rules thereunder (including the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 and the IT (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021),
- the General Data Protection Regulation (EU 2016/679) where applicable, and
- the California Consumer Privacy Act (as amended by the CPRA) where applicable.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Scope and Definitions
This policy applies to two distinct categories of individuals whose information we may process:
- Customers — businesses and individuals who sign up for and use the Fonetic Service (e.g., as account owners, agents, or administrators).
- End Users — individuals who interact with our Customers via channels connected to Fonetic (for example, a person sending a direct message to a Customer's Instagram Business account or WhatsApp Business number).
For data processed about End Users on behalf of a Customer, Fonetic acts as a Data Processor, and the Customer acts as the Data Controller (or Data Fiduciary, under the DPDP Act). Customers are responsible for establishing the lawful basis for their communications with End Users, including obtaining any required consent.
2. Information We Collect
We collect information in four ways: directly from Customers when they sign up and use the Service, from End Users via channels that Customers connect (such as Instagram or WhatsApp), automatically when you visit our website, and from the third-party services and sub-processors described in Sections 6 and 7.
2.1 Information from Customers
When you sign up for, evaluate, or use the Service, we collect:
- Account information — name, business email address, phone number, company name, designation, and (where applicable) billing information.
- Authentication credentials — passwords (stored as salted hashes), and OAuth tokens for third-party services you connect.
- Usage data — actions you take in the dashboard, feature usage, configuration settings, API request logs, IP address, browser type, device type, and timestamps.
- Support and communications — content of your support tickets, email correspondence, and demo or sales conversations with us.
2.2 Information from End Users (via connected channels)
When a Customer connects a channel to Fonetic (Instagram, WhatsApp, or others), we receive and process the following on the Customer's behalf:
- Identifiers — Instagram username, account ID, and profile picture; WhatsApp phone number; sender's display name where available.
- Message content — text, images, videos, files, and other attachments exchanged on the connected channel.
- Message metadata — timestamps, delivery status, read receipts, message IDs, and interaction events (replies, reactions).
- Conversation context — labels, tags, notes, and routing decisions applied by Customer agents or by Fonetic's automation.
2.3 Information from Website Visitors
We collect basic technical data when you visit fonetic.ai — IP address, browser type, referring URL, pages visited, and timestamps — primarily through cookies and analytics tools. See Section 9 for cookie details.
2.4 Information We Do Not Collect
Fonetic does not knowingly collect financial account numbers, payment card details, government-issued ID numbers, biometric data, genetic data, or health information. If you provide such information through messages or conversations, please be aware that it will be stored as part of the conversation record; we recommend not transmitting sensitive identifiers through the Service.
3. How We Use Your Information
We use the information described above to:
- Operate, maintain, secure, and improve the Service;
- Authenticate users and enforce access controls;
- Route, label, and display conversations in the Fonetic unified inbox for Customer agents;
- Generate AI-assisted replies, draft suggestions, summarization, sentiment analysis, and other automation features that the Customer has enabled (see Section 6);
- Produce analytics and reports for the Customer about conversations on their connected channels;
- Provide customer support and respond to inquiries;
- Send service-related communications (security notices, product updates, account notices); marketing communications are sent only to Customers and can be opted out of at any time;
- Detect, prevent, and respond to fraud, abuse, and security incidents;
- Comply with applicable legal obligations and respond to lawful requests.
We do not sell personal information. We do not use personal information for cross-context behavioural advertising. We do not train AI or machine learning models on Customer or End User data (see Section 6).
4. Meta Platform Integration Disclosure (Instagram and WhatsApp)
The Service integrates with messaging platforms operated by Meta Platforms, Inc., including the Instagram Messaging APIs and the WhatsApp Business Platform (the latter accessed via our Business Solution Provider, Gupshup, where Fonetic is registered as a Tech Provider).
4.1 Data Processed from Meta Platforms
When a Customer connects their Instagram Business account or WhatsApp Business number to Fonetic, we may process the following platform data on the Customer's behalf:
- Instagram usernames, account IDs, profile pictures, and account metadata
- WhatsApp phone numbers and profile display names
- Message content, attachments, and reactions
- Message metadata — timestamps, delivery status, read receipts, message IDs
- Interaction events — replies, comments (where the Customer has enabled comment management on Instagram)
This data is used solely to provide the Service to the Customer — to display conversations in the Fonetic inbox, enable human and AI replies, route and label conversations, produce analytics for the Customer, and operate the automation features the Customer has configured.
4.2 Limited Use Commitment
Fonetic's use and transfer of information received from Meta APIs will adhere to Meta's Platform Terms and Policies.
Specifically, Fonetic:
- Does not use Meta data for serving advertisements or for cross-context behavioural advertising.
- Does not use Meta data to make eligibility determinations about people (such as for housing, employment, or credit decisions).
- Does not sell, license, or transfer Meta data to data brokers or for monetization.
- Does not use Meta data to train any AI or machine learning models, and does not authorize any sub-processor to do so.
- Uses Meta data only to provide and improve the Service to the connecting Customer, as instructed by the Customer.
- Deletes Meta platform data when it is no longer needed for the purpose for which it was obtained, when the Customer disconnects the relevant channel, or upon request from Meta or from the user to whom the data belongs.
4.3 Data Residence on Meta Infrastructure
You acknowledge that messages and metadata exchanged on Instagram and WhatsApp are first processed by Meta's infrastructure (including the Meta Cloud API for WhatsApp, routed through Gupshup) before being delivered to Fonetic. Data on Meta's infrastructure is governed by Meta's own terms and privacy policies. Once data is delivered to Fonetic, it is hosted and processed as described in Section 10.
4.4 Revocation
Customers can disconnect a connected Instagram or WhatsApp account at any time from Fonetic's settings, or by revoking Fonetic's access via the respective platform's app permissions page on Instagram or Meta Business Settings. Upon disconnection, access tokens are immediately invalidated, and associated message data is retained or deleted in accordance with Section 8.
5. Lawful Basis for Processing
Where the GDPR or analogous laws apply, we rely on one or more of the following lawful bases:
- Performance of a contract — to provide the Service to the Customer under our Terms of Service.
- Legitimate interests — to secure and improve the Service, prevent fraud and abuse, and operate our business.
- Consent — for direct marketing communications and certain optional features. Consent may be withdrawn at any time.
- Legal obligation — to comply with applicable law and respond to lawful requests.
Under the DPDP Act, processing of personal data of Indian data principals is carried out either (a) with consent for specified purposes, or (b) for legitimate uses recognised under the Act.
For End User data processed via connected channels, Fonetic acts as a Processor and processes such data only on documented instructions from the Customer, who is responsible for establishing and maintaining the lawful basis for the underlying communications.
6. AI and Machine Learning
Fonetic uses AI to power features such as conversational AI replies, draft suggestions, message summarization, sentiment analysis, and intent classification. To deliver these features, Customer and End User data is transmitted to AI sub-processors. This section explains how that works and what we commit to.
6.1 Our Commitments
- Fonetic does not train its own AI or machine learning models on Customer or End User data. We do not aggregate, anonymize, or otherwise repurpose your data to build or improve any general model used across our customer base.
- We do not authorize our AI sub-processors, or any model providers reached through them, to train their generalized models on Customer or End User data. Our sub-processors are configured on enterprise or API terms that exclude submitted content from being used to train their general models.
- We do not enable optional logging, data-sharing, or training-incentive features offered by our AI sub-processors (for example, OpenRouter's opt-in prompt-logging discount).
- Customer-specific fine-tuned models, where used, remain isolated to the originating Customer and are not exposed to or used for other Customers.
6.2 AI Sub-processors and Model Routing
Fonetic accesses large language models through two aggregator services. Both route inference requests to a set of downstream model providers; the specific provider that handles a given request depends on the model selected, availability, and routing configuration.
| Sub-processor | What it is | Downstream model providers |
|---|---|---|
| AWS Bedrock | Amazon Web Services' managed foundation-model service. Bedrock provides a single API for models from multiple providers, while architecturally isolating those providers from customer data. | Includes models from Anthropic, Meta, Mistral, Cohere, Amazon, AI21, and others (subject to AWS's published model availability). |
| OpenRouter | A model routing proxy that forwards inference requests to downstream providers. | Includes models from OpenAI, Anthropic, Google, Meta, Mistral, and others (subject to OpenRouter's published provider list). |
6.3 AWS Bedrock — Provider Isolation
When Fonetic uses AWS Bedrock, the underlying model providers (Anthropic, Meta, and others) do not have access to prompts or completions. AWS publishes that "Amazon Bedrock does not store customer input data or model output data," "the service does not use customer inputs or outputs to train AWS models or share them with third parties," and that model providers cannot access Bedrock logs, prompts, or completions because each model is deployed into AWS-controlled accounts to which the model provider has no access. For full details, see AWS Bedrock data protection documentation.
6.4 OpenRouter — Logging Disabled
OpenRouter operates as a proxy that routes requests to downstream model providers. We have configured our OpenRouter account so that prompt and completion logging is disabled by default. The current list of downstream providers OpenRouter may route to, along with each provider's data retention and training policy, is maintained by OpenRouter at openrouter.ai/docs/guides/privacy/provider-logging.
7. Sub-processors and Data Sharing
We share personal information only with the categories of recipients described below.
7.1 Infrastructure and Operational Sub-processors
| Provider | Purpose | Region |
|---|---|---|
| Railway (railway.com) | Application hosting, databases, and backups | Singapore (primary) |
| Gupshup | WhatsApp Business Solution Provider (Fonetic is a Tech Provider via Gupshup) | India / global |
| AWS Bedrock | AI inference (see Section 6) | Multiple AWS regions |
| OpenRouter | AI model routing (see Section 6) | Global |
| Mailgun | Outbound transactional and notification email | US / EU |
Each sub-processor is engaged under terms that require them to process data only on our documented instructions, maintain appropriate security, and assist us with our compliance obligations. We do not appoint additional sub-processors with access to Customer or End User content without updating this policy.
7.2 Legal Reasons
We may disclose information when required by law, regulation, legal process, or a lawful government request, or where we believe in good faith that disclosure is necessary to protect our rights, our Customers, our End Users, or the public.
7.3 Business Transfers
In the event of a merger, acquisition, financing, reorganisation, or sale of all or part of our business or assets, personal information may be transferred to the successor entity, subject to this Privacy Policy or a successor policy with equivalent protections.
7.4 No Sale of Personal Information
We do not sell personal information, and we do not share personal information for cross-context behavioural advertising.
8. Data Retention and Deletion
8.1 Retention Periods
- Account and account-level data is retained for as long as the Customer's account is active and for up to 180 days after account closure or service disconnection, after which it is deleted or anonymised, except where longer retention is required by law.
- Conversation and message data from connected channels is retained for the duration of the Customer's subscription. Customers can configure shorter retention periods within the Service.
- Backups are retained on a rolling basis and overwritten within 30 days.
- Logs and security event records are retained for up to 12 months for security and audit purposes.
8.2 Deletion Requests
Customers can delete their account through the in-product settings, which initiates the retention period described above.
To request immediate deletion of specific records, email team@fonetic.ai with the subject line "Data Deletion Request" and sufficient information to identify the relevant account or data (such as the registered email address, business name, or connected channel). We will respond within 7 to 30 days of receiving a verified request, except where retention is required by law or to resolve a dispute.
8.3 End User Deletion Requests
End Users who wish to request deletion of their data from the Fonetic platform can either:
(a) contact the Customer (the business they messaged) directly, who can delete the relevant records from their Fonetic account; or
(b) email team@fonetic.ai with the subject line "Data Deletion Request" and sufficient information to identify the relevant data (for example, the Instagram username or WhatsApp number used, and the business they were communicating with).
We will coordinate with the Customer to action such requests within 7 to 30 days.
8.4 Deletion Upon Channel Disconnection
When a Customer disconnects an Instagram or WhatsApp channel, the associated OAuth tokens are invalidated immediately. Message data associated with that channel is retained per the standard retention period above, unless the Customer requests earlier deletion.
9. Cookies and Tracking
The Fonetic website and product use cookies and similar technologies for authentication, security, preference storage, and basic analytics. You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service. We do not use third-party advertising cookies or cross-site tracking pixels.
10. Data Storage and International Transfers
Application data is hosted on Railway infrastructure, with primary servers located in Singapore. Some sub-processors (including AI providers and email services) may process data in the United States, the European Union, India, or other regions.
Where personal data of EU/UK data subjects is transferred outside their jurisdiction, we rely on Standard Contractual Clauses or other appropriate safeguards required by the GDPR. Where personal data of Indian data principals is processed outside India, we maintain reasonable safeguards consistent with the DPDP Act and the IT Rules, 2011.
By using the Service, you consent to the international transfers described in this section.
11. Security
We implement administrative, technical, and physical safeguards designed to protect personal information, including:
- Encryption in transit using TLS for all network traffic.
- Encryption at rest for databases and backups.
- Access controls — role-based access, principle of least privilege, multi-factor authentication for administrative access.
- Audit logging of administrative and security-relevant actions.
- Secret management — credentials and tokens are stored in dedicated secret stores, not in source code or plaintext configuration.
- Vendor due diligence — sub-processors are reviewed for security posture and bound by contractual obligations.
No method of transmission or storage is 100% secure. While we strive to protect personal information, we cannot guarantee absolute security. If you become aware of a security issue, please email team@fonetic.ai.
12. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights:
- Access — request details of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your personal data, subject to legal retention obligations.
- Restriction / Objection — limit or object to specific processing.
- Data Portability — request a copy of your data in a structured, commonly used, machine-readable format.
- Withdraw Consent — where processing is based on consent, withdraw it at any time.
- Lodge a Complaint — with a supervisory authority in your jurisdiction.
- Grievance (DPDP Act) — Indian users may file a grievance under Section 14 below.
To exercise any of these rights, email team@fonetic.ai from the address associated with your account (or with sufficient information for us to verify your identity). We will respond within 30 days of a verified request, or as required by applicable law.
13. Children's Privacy
The Service is intended for use by businesses and is not directed to children. Under the DPDP Act, processing personal data of an Indian data principal under the age of 18 requires verifiable parental consent; we do not knowingly process such data without it. Under the GDPR, we do not knowingly collect data from children under 16 (or the lower age threshold set by applicable EU member state law). If you believe a child has provided personal information to us, please contact team@fonetic.ai and we will promptly delete it.
14. Grievance Redressal (DPDP Act – India)
In accordance with the Digital Personal Data Protection Act, 2023, Godrongo 82 Labs LLP has designated the following Grievance Officer:
Siddharth Das
Designation: Grievance Officer
Address: 406 Building 10, Shanti Park Apartments, Jayanagar 9th Block, Bangalore 560041, Karnataka, India
Email: siddharth@fonetic.ai
Acknowledgment: within 72 hours
Response: within 15 business days
Data principals in India may submit grievances related to personal-data processing or violation of their rights under the DPDP Act to the Grievance Officer.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will post any updated version on this page with a revised "Last updated" date. Material changes will be communicated via email to active Customers or via an in-product notice. Your continued use of the Service after an update constitutes acceptance of the revised policy.
16. Contact Us
For any privacy questions, security issues, or to exercise your rights:
Godrongo 82 Labs LLP
406 Building 10, Shanti Park Apartments
Jayanagar 9th Block, Bangalore 560041, Karnataka, India
Email: team@fonetic.ai
DPDP grievances: siddharth@fonetic.ai
This Privacy Policy is published in accordance with the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023, and applicable rules thereunder.