TAILWIND_BRAND_V2_READY

Privacy Policy

Last updated: 22 June 2026

Korekko helps solo businesses and small teams manage enquiries, follow-ups, bookings, payments, and reputation. This Privacy Policy explains what data we collect, how we use it, and the choices available to our users.

1. Who we are

Korekko is a software product that helps businesses handle customer conversations, bookings, payments, reminders, and related workflows. For privacy questions, contact team@korekko.com.

2. Information we collect

We may collect the following categories of information:

  • Account details such as name, email address, business name, and login details.
  • Business profile details such as category, location, services, hours, phone number, and branding information.
  • Customer workflow data such as enquiries, bookings, follow-ups, notes, payments, receipts, reviews, and related activity history.
  • Customer conversation data from connected channels, including message content, the customer's WhatsApp number and profile/display name, and message delivery and read status.
  • Connected service data where you choose to connect third-party accounts, such as Google, Meta, WhatsApp, calendar providers, or payment tools.
  • Technical and usage information such as device, browser, IP address, pages viewed, and product interaction events.
  • Files and documents you upload, including receipt samples, profile assets, or verification documents.

3. How we use information

  • To provide, maintain, and improve Korekko.
  • To authenticate users and protect account security.
  • To operate bookings, payments, reminders, receipts, and customer communication workflows.
  • To support connected features using services such as Google sign-in, Google Calendar, Meta, WhatsApp, or payment integrations when you enable them.
  • To monitor product reliability, prevent abuse, detect fraud, and keep the service secure.
  • To communicate service updates, support responses, and important notices.
  • To comply with legal obligations and enforce our Terms of Service.

Where required by applicable law, we obtain your explicit consent before activating specific features such as channel integrations. You may withdraw consent at any time by disconnecting the relevant integration from Settings or by contacting team@korekko.com.

AI Provider

We use a single third-party AI provider (Anthropic) to classify the intent of incoming messages and to draft suggested replies in your business's voice. To do this, only the text content of the message is sent to Anthropic's API endpoint for inference. No WhatsApp ID, phone number, or metadata is included. When drafting a reply, the customer's display name and up to 10 prior messages are additionally sent, with phone numbers, email addresses, and links automatically redacted beforehand. The AI provider does not use this data to train its models and retains it for no more than 30 days for safety and security purposes. All AI-drafted free-text replies require explicit human approval in the Korekko inbox before sending to WhatsApp. Automatic sending, where you enable it, applies only to specific pre-approved message types and never to AI-drafted free-text replies.

4. Google, Meta, and other connected services

If you choose to sign in with Google or connect Google services, we access only the minimum scopes required to provide the feature you enable, such as Google Business Profile (reviews and Q&A), business discovery, and calendar availability for your bookings.

Gmail: Korekko does not request access to Gmail and does not read, scan, store, or process Gmail message content. We do not use Google OAuth scopes for Gmail in the product.

Korekko's use of data obtained through Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. See: https://developers.google.com/terms/api-services-user-data-policy

WhatsApp: If you connect your WhatsApp Business account, Korekko receives customer messages sent to your WhatsApp Business number, the sender's WhatsApp profile name and phone number, and message delivery and read status. Korekko uses this data to handle enquiries, prepare and send replies, and follow up on leads for you according to the settings you configure, and to create and manage your message templates against your own WhatsApp Business Account. We do not use this data for advertising, do not sell it, and do not share one business's customer data with any other business. You can change these settings or disconnect your WhatsApp account at any time, and disconnecting triggers automatic deletion of that channel's message data (see Section 7).

We do not sell Google, Meta, or other connected account data. We use connected data only to operate Korekko features requested by the user.

5. Sharing of information

We do not sell your data or your customers' data, do not share it for advertising, and do not use it — nor permit our providers to use it — to train AI models. We share information only in these limited cases:

  • With service providers who process data on our behalf, under our instructions, solely to operate Korekko:
    • Supabase — database hosting and storage (Singapore and United States).
    • Vercel — application hosting (United States).
    • Anthropic PBC — AI intent classification and reply drafting (United States). Receives message text and, for reply drafting, the customer's display name and recent conversation, with phone numbers and emails redacted. Does not train on this data and retains it for at most 30 days. No customer name or identifier is sent for intent classification.
    • Razorpay — payment processing (India). Receives the customer's name and phone number for the transaction. Razorpay processes payments as an independent Data Controller for payment compliance. Korekko does not access card numbers or UPI PINs.
    • Google LLC — Google Business Profile (reviews and Q&A), Places (business discovery), and Calendar (booking availability) (United States). Calendar events include the customer's name and phone.

    Each provider may use the data solely to provide its service to us, under data-processing terms.

  • With third-party services you choose to connect and authorize.
  • When required by law, regulation, legal process, or to protect rights, safety, and security.
  • As part of a corporate transaction such as a merger, financing, or acquisition, subject to appropriate confidentiality protections.

6. International data transfers

Some of our service providers are located outside India (in Singapore and the United States), so operating the service involves transferring personal data across borders. Where this happens, the transfer is carried out under each provider's data-processing terms and is permitted under India's Digital Personal Data Protection Act, 2023, which allows transfers to all countries other than those specifically restricted by the Central Government; Singapore and the United States are not restricted.

By connecting a channel and using these features, you consent to this cross-border processing. You can withdraw consent at any time by disconnecting the relevant integration or by contacting team@korekko.com.

We maintain data-processing terms with each provider: a signed Data Processing Addendum with Supabase; Vercel's standard Data Processing Addendum under our paid plan; Anthropic's Data Processing Addendum, which incorporates Standard Contractual Clauses and is included in the commercial API terms we have accepted; data-processing terms with Razorpay under our merchant agreement; and Google's data-processing terms. Where transfers leave India, the relevant agreements include Standard Contractual Clauses.

7. Data retention

We retain different categories of data for defined periods:

Message content from connected channels (WhatsApp, Instagram, Google Business): retained only while the channel is connected and needed to operate your inbox. Stale inbound message records are automatically purged after 30 days, and all of a channel's message data is deleted promptly and automatically when you disconnect that channel or on request.

AI-provider processing: any message text or context sent to our AI provider is retained by the provider for at most 30 days and is never used to train AI models.

Backups: encrypted, automated daily backups managed by our database provider are retained for 7 days and then permanently deleted. When data is deleted from the live database, any residual copy in a backup is purged when that backup ages out of the 7-day window.

Lead identity, outcomes, and business activity records derived from conversations: 12 months from the date of last activity.

Account and profile data: duration of your active account, plus 30 days after deletion, except where longer retention is required by law.

Payment and transaction records: 7 years as required under applicable Indian financial regulations.

You may request early deletion at any time by contacting team@korekko.com.

8. Security

We use reasonable administrative, technical, and organizational safeguards to protect information. These include encryption of data at rest (AES-256) and in transit (TLS 1.2+), per-business data isolation enforced by row-level security, application-layer encryption of connected-channel access tokens, and signature verification of inbound webhooks. No method of storage or transmission is completely secure, but we work to protect data against unauthorized access, disclosure, alteration, and misuse.

9. Your choices and rights

You may request access, correction, or deletion of your data by contacting us at team@korekko.com.

If you connected Google, Meta, or other third-party services, you may also revoke access through the relevant provider account settings.

10. Data deletion requests

To request deletion of your Korekko account data, email team@korekko.com from your account email address with the subject line Data Deletion Request.

If you disconnect a connected channel such as WhatsApp, that channel's message data is deleted automatically within 24 hours, with no further action needed from you.

Please include your business name, account email, and any connected provider details needed to identify your account. We may retain limited information where required for legal, security, fraud-prevention, billing, or recordkeeping purposes.

11. Children’s privacy

Korekko is not directed to children, and we do not knowingly collect personal information from children.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date on this page and may provide additional notice where appropriate.

13. Contact

For privacy or data questions, contact team@korekko.com.

14. Your Rights Under the Digital Personal Data Protection Act, 2023 (India)

If you are located in India, you have the following rights as a Data Principal under the Digital Personal Data Protection Act, 2023:

  • Right to access: Request a summary of personal data we hold and how it is processed.
  • Right to correction: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Right to grievance redressal: Raise a grievance with our Grievance Officer. We will acknowledge within 72 hours and resolve within 30 days.
  • Right to nominate: Nominate another person to exercise your rights on your behalf in the event of your death or incapacity.

Grievance Officer:

  • Name: Niharika Jain
  • Designation: Chief Business Officer, Korekko
  • Email: team@korekko.com

15. Data Controller and Data Processor

When you use Korekko to manage your customers' enquiries, messages, and interactions, you act as the Data Controller for your customers' personal data. Korekko acts as a Data Processor, processing that data only on your instructions and only to provide the Korekko service.

By connecting third-party channels such as WhatsApp, Instagram, or Google Business to Korekko, you confirm that you have a lawful basis to process your customers' data through Korekko for the purpose of managing business communications, as required under the Digital Personal Data Protection Act, 2023.