NE Wind Labs Logo OmniFlow CPaaS

Privacy Policy

Last Updated: June 14, 2026 Company: NE Wind Labs Service: OmniFlow Communications Platform as a Service (CPaaS)

NE Wind Labs ("we," "us," or "our") respects your privacy and is committed to protecting personal data. This Privacy Policy outlines our data processing practices and is designed to ensure strict compliance with global data protection frameworks, including the Digital Personal Data Protection Act, 2023 (DPDPA) of India, and the General Data Protection Regulation (GDPR).

1. Roles and Responsibilities under DPDPA & GDPR

To ensure legal clarity under applicable data protection laws, the roles concerning personal data are defined as follows:

  • Data Fiduciary (Data Controller): You, the Partner or Organization utilizing OmniFlow's API to send messages. The Data Fiduciary determines the purpose and means of processing personal data. You are legally responsible for providing statutory Notice and obtaining verifiable Consent from the end-user (Data Principal) before transmitting their data to OmniFlow.
  • Data Processor: OmniFlow acts exclusively as a Data Processor. We process personal data solely on behalf of, and under the strict instructions of, the Data Fiduciary for the execution of communication tasks.
  • Data Principal (Data Subject): The end-user or individual to whom the personal data relates (e.g., the recipient of the WhatsApp message or SMS).

2. Information We Process

As a Data Processor, we temporarily process the following to deliver services:

  1. End-User Communications Data: Phone numbers, email addresses, and message payloads (text, templates, media links) provided dynamically via your API requests.
  2. API Traffic & Metadata: IP addresses, API key usage, timestamps, and routing metadata for platform security, rate limiting, and billing reconciliation.
  3. Partner Account Information: Business names, contact emails, and billing details collected directly from Partners (where we act as the Data Fiduciary for the Partner's B2B data).

3. Purpose Limitation & Data Minimization

We process end-user personal data strictly for the purpose of:

  • Routing messages to downstream telecommunication carriers (e.g., WhatsApp, SMS aggregators, SMTP providers).
  • Fraud prevention, security auditing, and preventing violations of our Acceptable Use Policy. We do not use end-user personal data for marketing, profiling, or any secondary purposes.

4. Strict Data Retention Policy

In compliance with the DPDPA principle of data minimization and storage limitation, OmniFlow enforces a strict 90-Day Data Retention Policy:

  • Message Payloads & Delivery Logs: All raw message payloads, recipient phone numbers/emails, and detailed delivery logs are permanently and irretrievably scrubbed from our active databases 90 days after the message is processed. This 90-day window exists solely to accommodate billing disputes, audit trails, and compliance with Telecom Regulatory Authority of India (TRAI) guidelines.
  • Aggregated Analytics: Anonymized, aggregated metadata (e.g., total message volume per day) may be retained indefinitely for platform analytics.

5. Information Sharing and Sub-Processors

We do not sell personal data. Data is securely transmitted only to trusted sub-processors required to deliver the Service:

  • Telecommunication Carriers: Downstream providers (e.g., Meta, Twilio, MSG91) exclusively to terminate the message delivery.
  • Cloud Infrastructure: Secure cloud hosting providers hosting our processing queues.
  • Legal Mandates: We may disclose data if legally mandated by a valid court order or regulatory authority (e.g., CERT-In).

6. Security Measures and Breach Notification

We implement robust technical and organizational measures (e.g., TLS 1.2+ encryption, API Key authentication, strict internal access controls) to safeguard data. In the event of a suspected personal data breach, OmniFlow is legally bound to notify the affected Data Fiduciary without undue delay, enabling the Fiduciary to fulfill their statutory reporting obligations to the Data Protection Board of India and affected Data Principals.

7. Rights of the Data Principal

Under the DPDPA, Data Principals possess the Right to Information, Right to Correction and Erasure, and Right to Grievance Redressal. Because OmniFlow operates as a Data Processor, all Data Principal requests must be directed to the respective Data Fiduciary (the Partner/Organization that initiated the message). We will reasonably assist the Data Fiduciary in fulfilling these requests.

8. Grievance Redressal / Data Protection Officer (DPO)

If you have questions regarding this policy or our DPDP compliance, or wish to escalate a grievance, please contact our designated Grievance Officer: Email: grievance@NE Wind Labs

9. Changes to this Policy

We may update this Privacy Policy to reflect changes in legal or regulatory requirements. We will notify Partners of any significant changes.

© 2026 NE Wind Labs - All Rights Reserved.