GDPR Compliance

How Botify protects the rights of individuals in the EEA, UK, and Switzerland.

Last updated: April 2026

1. Our Commitment to GDPR

Botify is committed to protecting the personal data of individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland in accordance with the EU General Data Protection Regulation (GDPR) and UK GDPR. This page summarizes how Botify complies with GDPR. For a full description of our data practices, please refer to our Privacy Policy and Data Deletion Instructions.

2. Legal Basis for Processing

Under Article 6 of the GDPR, we only process personal data where we have a valid legal basis. The legal bases we rely on are:

• Contract performance — Processing necessary to deliver the Botify platform and fulfill our Terms of Service
• Legitimate interests — Product analytics, fraud prevention, security monitoring, and service improvement, where those interests are not overridden by your rights
• Consent — Marketing communications, optional cookies, and any processing you have explicitly opted into
• Legal obligation — Compliance with tax, accounting, anti-money-laundering, and other applicable laws

For any processing based on legitimate interests, you have the right to object at any time by contacting privacy@botify.in.

3. Data Subject Rights

If you are located in the EEA, UK, or Switzerland, you have the following rights under GDPR:

• Right of access (Article 15) — Obtain a copy of the personal data we hold about you
• Right to rectification (Article 16) — Correct inaccurate or incomplete personal data
• Right to erasure / right to be forgotten (Article 17) — Request deletion of your personal data
• Right to restrict processing (Article 18) — Request temporary suspension of processing
• Right to data portability (Article 20) — Receive your data in a structured, machine-readable format
• Right to object (Article 21) — Object to processing based on legitimate interests or direct marketing
• Right to withdraw consent (Article 7) — Withdraw consent for any processing based on consent
• Right not to be subject to automated decision-making (Article 22) — Including profiling, where applicable
• Right to lodge a complaint (Article 77) — With your local data protection supervisory authority

To exercise any of these rights, email privacy@botify.in. We will respond within 30 days. For deletion-specific requests, see the Data Deletion Instructions page.

4. Data Controller & Data Processor

Botify operates in two roles depending on the context:

Data Controller

• For data related to our direct customers (account holders, their team members, billing contacts), Botify is the data controller
• We determine the purposes and means of processing for account management, billing, platform analytics, and support

Data Processor

• When our customers use Botify to send WhatsApp, SMS, Email, RCS, or Voice communications to their own end-users, Botify acts as a data processor on behalf of the customer
• In this capacity, our customer is the data controller for those communications, and Botify processes the data only per the customer's instructions under a Data Processing Agreement (DPA)
• End-users of our customers who wish to exercise GDPR rights should first contact the Botify customer (the business they interacted with). Botify will also support the request directly at privacy@botify.in

5. Data Processing Agreement (DPA)

Botify provides a GDPR-compliant Data Processing Agreement to all customers processing personal data of EEA, UK, or Swiss residents. Our DPA includes:

• Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers
• A list of sub-processors (Infobip, Meta, Google, Razorpay, Hostinger, AWS) and the regions in which they operate
• Confidentiality, security, and breach notification obligations
• Audit rights and certification references
• Sub-processor change notification process

To request a signed DPA, email privacy@botify.in with your account details and the name of your legal entity.

6. International Data Transfers

Botify's primary data processing occurs in India. When personal data of EEA or UK residents is transferred outside their home region, we rely on the following safeguards:

• Standard Contractual Clauses (SCCs) — The European Commission's 2021 SCCs form the default basis for transfers to India and other third countries
• Transfer Impact Assessment (TIA) — We conduct TIAs where required, documenting supplementary measures such as encryption at rest and in transit, access controls, and pseudonymization
• Sub-processor due diligence — All sub-processors (Infobip for WhatsApp / SMS, Meta Cloud API, Google for RCS and Ads, Razorpay for billing) are bound by written agreements that include GDPR-compliant transfer mechanisms

If you would like more information about our transfer mechanisms, please contact privacy@botify.in.

7. Security Measures

We implement technical and organizational measures appropriate to the risk of processing, including:

• Encryption of data at rest (AES-256) and in transit (TLS 1.2+)
• Role-based access controls and principle of least privilege
• Multi-factor authentication on all administrative accounts
• Network segmentation, firewalls, and intrusion detection
• Regular security audits, penetration testing, and vulnerability scanning
• Incident response plan with 72-hour breach notification commitment
• Employee security training and confidentiality agreements
• ISO 27001 and SOC 2 Type II aligned controls

In the event of a personal data breach likely to result in a risk to rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in our Privacy Policy, or as required by law:

• Account data — Duration of your account + 30 days after deletion
• Communication logs — 90 days, then anonymized
• Billing records — 7 years (Indian Income Tax Act, GST regulations)
• Audit & security logs — 12 months
• Usage analytics — Anonymized after 24 months

See our Privacy Policy § 10 for the complete retention schedule, and Data Deletion Instructions for how to request earlier deletion.

9. Data Protection Officer (DPO)

Botify has designated a Data Protection Officer to oversee GDPR compliance and serve as a point of contact for data subjects and supervisory authorities.

• DPO Email: privacy@botify.in
• DPO Postal Address: Data Protection Officer, Botify, No 45, Kalaimagal Street, Swarnapuri, Salem - 636 004, Tamil Nadu, India

You may contact the DPO directly for any questions about how we process your personal data or to exercise your rights under GDPR.

10. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe your personal data has been processed in violation of GDPR.

• European Data Protection Board: https://edpb.europa.eu
• List of EU data protection authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en
• UK Information Commissioner's Office: https://ico.org.uk
• Swiss Federal Data Protection and Information Commissioner: https://www.edoeb.admin.ch

We encourage you to contact us first at privacy@botify.in so we can try to resolve your concern directly.

11. Contact Us

For GDPR-related inquiries, please contact:

• Data Protection Officer: privacy@botify.in
• General Support: support@botify.in
• Website: https://botify.in
• Address: Botify, No 45, Kalaimagal Street, Swarnapuri, Salem - 636 004, Tamil Nadu, India

We aim to respond to all GDPR inquiries within 30 days.

This page is a summary of our GDPR commitments. For the full Privacy Policy, see /privacy. For data deletion procedures, see /data-deletion.