Legal

Privacy Policy

This describes what Rasilo collects, why, how it's protected, and how to reach us about it — for workspace owners running Rasilo, the people they message on WhatsApp, and visitors to this site.

Effective: July 10, 2026 Contact: [email protected]

1. Who we are

Rasilo (operated by Novu Systems LLP, "Rasilo", "we", "us") is a multi-tenant WhatsApp control plane: businesses ("workspace owners") connect a WhatsApp Business number and use Rasilo's shared inbox, automation, campaigns, and AI agent features to talk to their own customers. This policy covers the Rasilo website, dashboard, and API.

We're pre-GA and building this in the open — see our "Where we are — honestly" section on the homepage for what's shipped today. This policy is drafted in good faith to match that same standard of candor; if you have questions or need something clarified for your own compliance obligations, write to us — a person answers.

2. Two roles: workspace owner and end customer

Rasilo sits between a business and its customers on WhatsApp. Two different people may have data in the system, with different relationships to us:

RoleRelationship to RasiloExample
Workspace ownerOur direct customer — creates a Rasilo account, connects a WhatsApp number, invites team members.An agency or business running Rasilo for its own WhatsApp line.
End customerMessages a workspace owner's WhatsApp number. We process their messages on the workspace owner's behalf (as a data processor / service provider), not as our own customer.A workspace owner's customer messaging their business number.

If you're an end customer with a privacy question about a specific conversation, the workspace owner (the business you messaged) is best placed to help first, since they control that data. If you can't reach them, contact us and we'll assist.

3. Data we process

Workspace owner & team data

  • Account info: name, email, hashed password, workspace name.
  • Team/role data: who's invited to a workspace and their permission level.
  • Billing contact details, once billing exists (Rasilo is pre-GA; no billing today).
  • Connected-channel metadata: WhatsApp Business Account ID, phone number, and the encrypted access credentials needed to send/receive on your behalf.
  • Optional third-party API keys you provide (AI providers, email senders, Google Sheets) — see §6.

End customer data (processed on the workspace owner's behalf)

  • WhatsApp contact identity: phone number, WhatsApp display name.
  • Message content and media sent or received through the connected number.
  • Conversation metadata: timestamps, delivery/read status, which team member or AI agent handled a reply.
  • Any custom fields, tags, or notes the workspace owner adds (e.g., lifecycle stage, order reference).

Website visitor data

  • Standard web server logs (IP address, user agent, page requested) from our hosting provider.
  • Anything you send us directly, e.g. via the contact email link.

4. How we use data

  • To operate the service: route messages, run automations/flows, power the shared inbox, generate campaign sends, and — when a workspace owner configures it — generate AI-drafted or AI-sent replies.
  • To improve reliability: debugging, monitoring, and abuse prevention (e.g., detecting credential misuse).
  • To communicate with workspace owners about their account, incidents, or material changes to the service.

We do not sell personal data, and we do not use end-customer WhatsApp message content to train any model we operate.

5. WhatsApp / Meta Platform data

Rasilo is built on the WhatsApp Business Platform (Meta Cloud API) and, for some workspaces, Twilio's WhatsApp API. When a workspace owner connects a number:

  • Message send/receive, delivery, and read-status events pass through Meta's (or Twilio's) infrastructure as the underlying carrier — this is inherent to how WhatsApp works, not a choice Rasilo makes on top of it.
  • We receive and store message content and metadata via webhook so the shared inbox and automations function; we do not access WhatsApp data outside what a connected number legitimately sends us.
  • Data made available to Rasilo through the WhatsApp Business Platform is used solely to provide the features the workspace owner has configured (inbox, automation, campaigns, AI), consistent with Meta's WhatsApp Business Data Processing Terms. We do not use it for advertising, and we do not share it with data brokers.

6. AI providers you connect

Rasilo's AI agent feature is bring-your-own-model: a workspace can configure Anthropic (Claude), OpenAI, OpenRouter, Google, or a self-hosted Ollama instance. If enabled:

  • Relevant conversation context (and, for RAG features, matched knowledge-base excerpts) is sent to the provider the workspace owner selected, to generate a reply or draft.
  • That provider's own privacy policy and data-handling terms govern their processing of that request. We don't control what a third-party model provider does with a request once sent, beyond what your account settings with them specify.
  • API keys you enter for these providers are encrypted at rest (see §7) and are never displayed back in full once saved.
  • AI features are entirely optional and off by default per agent — a workspace that never configures an AI agent never sends conversation data to a third-party model.

7. Who we share data with

RecipientWhy
Meta (WhatsApp Business Platform) / TwilioRequired carriers to send and receive WhatsApp messages.
Your chosen AI provider (if configured)To generate AI drafts/replies, per §6 — only if you turn this on.
Amazon SES (if configured)To send email campaigns, for workspaces using the email module.
Google (if configured)Sheets/Drive integration you explicitly connect.
Infrastructure providersHosting, database, and content-delivery vendors that keep Rasilo running — bound by standard confidentiality/processing terms.
Law enforcement / legal processOnly when legally compelled, and we'll notify the affected workspace owner unless prohibited by law.

We do not sell data or share it for third-party advertising.

8. Security & workspace isolation

  • Every workspace's data is scoped and isolated at the application's query layer — one workspace cannot read another's contacts, messages, or credentials.
  • Connected-channel credentials, AI provider keys, and other sensitive secrets are encrypted at rest (AES-256-GCM) before they touch disk.
  • Passwords are hashed (scrypt), never stored in plain text.
  • Access to production systems is restricted to those who need it to operate the service.

No system is perfectly secure. If you believe you've found a vulnerability, please email [email protected] — we take reports seriously and will respond.

9. Retention & deletion

  • Workspace data is retained for as long as the workspace is active, plus a reasonable buffer to support account recovery.
  • A workspace owner can delete individual contacts, conversations, or their entire workspace; deletion removes the corresponding data from active systems (backups age out on our standard retention cycle).
  • When a workspace owner disconnects a WhatsApp/email channel, we stop processing new messages through it immediately; historical conversation data remains under the workspace's control until the owner deletes it.

10. Your rights

Depending on where you're located, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing.

  • Workspace owners can exercise most of these directly in the dashboard (edit/delete contacts, export data, remove a channel) or by emailing us.
  • End customers should first contact the business they messaged (the workspace owner), since they control that conversation data; if that's not possible, contact us and we'll coordinate.

Email [email protected] for any request — we'll respond as promptly as we can.

11. International transfers

Rasilo's infrastructure and the third-party providers we rely on (Meta, Twilio, cloud hosting, and any AI provider you configure) may process data in countries other than your own. Where required, we rely on the transfer mechanisms those providers themselves offer (e.g., Standard Contractual Clauses) to keep transfers lawful.

12. Children's privacy

Rasilo is a business tool and is not directed at children. WhatsApp Business Platform requires that businesses not use it to knowingly communicate with children in violation of applicable law and WhatsApp's own terms. If you believe a child's data has reached us inappropriately, contact us and we'll address it.

13. This website: cookies & analytics

The rasilo.app marketing site does not set tracking or advertising cookies today, and does not run third-party analytics. It uses a small amount of local, on-device state (e.g., your language toggle preference) that never leaves your browser. If that changes — for example, if we add product analytics — we'll update this section first.

14. Changes to this policy

We'll update the effective date above when this policy changes, and for material changes we'll notify workspace owners directly (email or an in-app notice) rather than relying on a silent date bump.

15. Contact

Questions, requests, or a vulnerability report: [email protected] — a person answers, not a sequence.

This policy is a good-faith, plain-language description of how Rasilo actually works today, written to match our pre-GA "tell you exactly where we are" approach. It isn't a substitute for your own legal advice — if you operate under specific regimes (GDPR, CCPA, etc.) and need a Data Processing Addendum or region-specific terms, write to us and we'll work through it with you.