DPDP Act, 2023

DPDP Compliance

Our compliance posture under the Digital Personal Data Protection Act, 2023 (the “DPDP Act”), including Data Principal rights, consent, breach notification and the role of WENSLink Private Limited as a Data Fiduciary.

CIN: U80900AS2019PTC019435 · Last updated: May 2026

The Digital Personal Data Protection Act, 2023 (the “DPDP Act”) is the primary statute governing the processing of digital personal data of individuals (“Data Principals”) in India. This page summarises how WENSLink Private Limited, the operator of the GlobVoice platform, complies with the DPDP Act and the rules made under it.

This DPDP Compliance Notice supplements (and does not replace) our Privacy Policy and Terms of Service. Defined terms not otherwise defined here have the meanings given in the DPDP Act.

1. Our commitment to the DPDP Act

WENSLink Private Limited is committed to processing personal data in accordance with the lawful, fair and transparent principles set out in Sections 4 and 5 of the DPDP Act. We apply the following commitments across our operations:

  • Purpose limitation: we collect personal data only for specified, lawful purposes that are notified at the point of collection.
  • Data minimisation: we collect only the data required for the notified purpose.
  • Accuracy: we make reasonable efforts to ensure the personal data we hold is accurate, complete and current.
  • Storage limitation: we retain personal data only for as long as necessary for the notified purpose, subject to legal-retention requirements.
  • Reasonable safeguards: we apply organisational and technical safeguards to protect personal data, as set out in our Security Statement.
  • Accountability: we maintain records of processing activities and assist Data Principals in exercising their rights.

2. Data Principal rights

If you are a Data Principal whose personal data we process, the DPDP Act grants you the following rights:

  • Right to access (Section 11) - confirmation of processing, a summary of the personal data we hold about you and the categories of recipients with whom we have shared it.
  • Right to correction, completion, updating and erasure (Section 12) - have inaccurate or incomplete data corrected, completed or updated, and have data that is no longer necessary erased, subject to overriding legal-retention obligations.
  • Right of grievance redressal (Section 13) - raise a grievance with our Grievance Officer in the first instance, with escalation to the Data Protection Board of India if unsatisfied.
  • Right to nominate (Section 14) - nominate another individual to exercise rights on your behalf in the event of death or incapacity.
  • Right to withdraw consent (Section 6(4)) - where we rely on consent, withdraw it at any time without affecting the lawfulness of prior processing.

4. Data Fiduciary obligations

WENSLink Private Limited acts as a Data Fiduciary in respect of personal data of our Customers' account holders (employees, admins and end-users of GlobVoice). Our obligations under Section 8 of the DPDP Act include, without limitation:

  • complying with this DPDP Compliance Notice and the DPDP Act;
  • providing accurate, clear and meaningful notice at the time of collection;
  • maintaining the accuracy and completeness of personal data used for decisions affecting the Data Principal;
  • implementing reasonable security safeguards (see Section 8(5) and our Security Statement);
  • notifying the Data Protection Board and affected Data Principals in the event of a personal data breach;
  • erasing personal data when its purpose has been served, unless law requires otherwise;
  • publishing the contact information of a Grievance Officer.

With respect to the WhatsApp Recipient data uploaded by our Customers, WENSLink acts as a Data Processor on documented instructions of the Customer (who is the Data Fiduciary). Customers remain primarily responsible for compliance with the DPDP Act for that data.

5. Significant Data Fiduciary compliance

The Central Government of India may, by notification under Section 10 of the DPDP Act, classify certain entities as “Significant Data Fiduciaries” (“SDFs”) based on volume and sensitivity of data processed, risk to electoral democracy, security of state and public order.

WENSLink Private Limited has not, as of the date of this Notice, been classified as an SDF. If we are so classified, we will, in accordance with Section 10(2):

  • appoint a Data Protection Officer based in India;
  • appoint an independent data auditor;
  • undertake periodic Data Protection Impact Assessments and audits;
  • comply with any additional measures notified by the Central Government or the Data Protection Board.

We will update this Notice and inform Customers of any change to our SDF status.

6. Cross-border data transfers

Section 16 of the DPDP Act permits cross-border transfers of personal data to any country, subject to restrictions notified by the Central Government. As of the date of this Notice, no restriction has been notified that affects the countries to which we transfer data in the course of providing GlobVoice.

Our cross-border transfers are described in Section 11 of the Privacy Policy. In summary:

  • European Union (Germany): Hetzner Online GmbH for hosting.
  • United States: Meta Platforms, Inc. (WhatsApp Business Cloud API), Groq, Inc., Google LLC and OpenRouter, Inc. (AI inference and authentication).

Each transfer is governed by a written agreement with the recipient that requires the recipient to maintain confidentiality, apply reasonable security safeguards and process the data only on our instructions, in addition to any safeguards (such as Standard Contractual Clauses) required under applicable foreign law.

7. Breach notification procedures

We have implemented an incident-response procedure that includes detection, containment, forensic investigation, remediation and notification.

  • Detection: security telemetry, anomaly detection, error monitoring and Customer reports.
  • Containment: rotate credentials, revoke sessions, isolate affected systems, apply hot-fixes.
  • Assessment: determine the categories of personal data affected, the number of Data Principals concerned and the likely consequences.
  • Notification: notify the Data Protection Board and affected Data Principals in the form and within the timelines prescribed by Section 8(6) of the DPDP Act and the rules made thereunder.
  • Post-incident review: root-cause analysis and corrective action to prevent recurrence.

8. Children's data protection

Section 9 of the DPDP Act prohibits the processing of personal data of a child (an individual below 18 years of age) or of a person with a disability who has a lawful guardian, without verifiable consent of the parent or lawful guardian, and prohibits tracking, behavioural monitoring or targeted advertising directed at children.

GlobVoice is a business tool and is not intended for use by children. We do not knowingly create accounts for children, do not direct marketing to children and do not perform behavioural tracking of children. Customers using GlobVoice to communicate with end-users who may include minors are responsible for obtaining verifiable parental consent in accordance with Section 9 before uploading those end-users' data.

9. How to exercise your rights

  1. Email support@globvoice.com from the email address associated with your account (or another address we can reasonably verify is yours).
  2. State clearly which right you wish to exercise (access, correction, erasure, withdrawal of consent, nomination or grievance redressal) and what data the request relates to.
  3. We will acknowledge your request within 7 (seven) days and respond substantively within 30 (thirty) days as required by the DPDP Rules.
  4. If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India through the channels notified by the Central Government.

10. Grievance officer / Data Protection contact

In line with Section 8(9) of the DPDP Act and Rule 5 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the contact details of our Grievance Officer are published below. The Grievance Officer is the same person designated as the Data Protection contact for DPDP Act enquiries until and unless we are required to appoint a separate Data Protection Officer under Section 10(2).

  • Name: Mr. Ataur Rahman
  • Designation: Founder & Director, WENSLink Private Limited
  • Email: support@globvoice.com
  • Operations Office: L24 A South Ex, Delhi - 110049, India.
  • Registered Office: Maa Commercial Complex, NH-15, Bechimari, Darrang, Assam - 784514, India.

Entity: WENSLink Private Limited
Brand: GlobVoice
CIN: U80900AS2019PTC019435
Founder: Ataur Rahman
Operations: L24 A South Ex, Delhi - 110049
Registered: Maa Commercial Complex, NH-15, Bechimari, Darrang, Assam, PIN - 784514
Jurisdiction: Mangaldoi District Court, Darrang District, Assam