Privacy & Cookie Policy
Effective: June 17, 2026 · Last updated: June 17, 2026
This Privacy and Cookie Policy explains how Connectoo collects, uses, stores, and protects information when you use our platform, website, or mobile app. We have written this in plain language. If you have questions, email [email protected] — we are happy to help.
Our Privacy Commitments
- We never sell your personal data or your customers' data to anyone.
- We do not use your WhatsApp messages, call recordings, SMS, or CRM content to train AI or machine learning models.
- We collect only what we need and use it only for the purposes described here.
- We give you meaningful control over your data, including the ability to export or delete it.
1. Who We Are & Scope of This Policy
Connectoo operates the communication platform available at connectoo.ai and through our mobile application. In this Policy, "we," "us," and "our" refer to Connectoo. "You" refers to anyone who visits our website or uses our Service, whether as an account holder, a team member using a Connectoo account, or simply a visitor browsing our site.
This Policy covers personal information we collect about you in your capacity as a Connectoo user or prospective customer. It does not cover what Connectoo customers do with their own end-customers' data using our platform — that is addressed in our Terms of Service and any applicable Data Processing Agreement we sign with business customers.
This Policy does not extend to third-party websites or services that our platform links to. We recommend reading the privacy policies of any third-party service you connect or navigate to.
2. Key Terms
| Term | What it means in this Policy |
|---|---|
| "Personal data" | Any information that identifies or could identify a living person, either on its own or when combined with other data we hold. |
| "Processing" | Anything we do with personal data — collecting, storing, using, sharing, deleting, and so on. |
| "Controller" | The party that decides why and how personal data is processed. For data about you as our customer, we are the Controller. |
| "Processor" | A party that processes data on behalf of a Controller. When you use Connectoo to manage your customers' data, we act as your Processor for that data. |
| "GDPR" | The EU General Data Protection Regulation (2016/679) and its UK equivalent, which set out rights and obligations for personal data processing in Europe. |
| "Service" | The Connectoo platform, including the website, mobile app, and all features. |
| "Your Data" | Content, contacts, messages, and other information you input into the Service, as distinguished from information about you as a user. |
3. What We Collect
Information you give us directly
When you sign up, subscribe, or contact us, you share information like your name, work email address, phone number, company name, and billing details. We also collect any information you choose to include when you contact our support team or respond to our surveys.
Information generated by your use of the platform
When you use Connectoo, we collect data about how you interact with the platform — which features you use, when you log in, device type, browser, operating system, and your IP address. We use this to operate and improve the Service, and to detect issues.
WhatsApp and messaging data
When you connect a WhatsApp Business account, we receive and store WhatsApp messages, contact details, media files, and conversation metadata through Meta's official WhatsApp Business API. This is the data that powers your shared inbox.
VoIP call data
When you place or receive business calls through Connectoo — in your web browser or our mobile app — we generate and store call metadata: the phone numbers involved, call direction, duration, timestamp, and outcome. Calls are made over the internet (VoIP), so this metadata comes from calls handled inside the platform. We do not read, sync, or upload your phone’s native SIM call log. Placing and receiving calls requires microphone access in the browser or app.
SMS data
SMS is sent and received through your Connectoo VoIP numbers inside the platform and mobile app. We store those SMS threads so they appear on the customer’s timeline alongside calls and WhatsApp. We do not read, sync, or track SMS from your personal phone.
Device contacts (mobile app)
If you grant the mobile app permission to access your device contacts, we use it only so you can start a call or message a contact from within the app. We do not continuously sync or upload your entire address book.
Push notifications
With your permission, the mobile app sends push notifications — for example, for an incoming call or a new message. You can turn notifications off in your device settings at any time.
Information from third-party sign-in
If you register using Google or another identity provider, we receive basic profile data — typically your name, email address, and profile picture — from that provider, consistent with the permissions you grant at sign-in.
Verification documents
In some circumstances (for example, to verify your WhatsApp Business account, activate a regulated phone number, or comply with a regulatory requirement), we may request supporting documents. We handle these with strict access controls and use them only for the stated purpose.
4. How We Use Your Information
We use the information we collect for the following purposes:
- To provide the Service: operating your account, delivering the features you subscribe to, handling your VoIP calls and SMS, syncing your WhatsApp conversations, running your configured automation workflows, and processing your payments.
- To communicate with you: sending account notifications, security alerts, billing receipts, and responses to support enquiries. If you have opted in (or where permitted by law), we may also send product updates and marketing communications — you can opt out any time.
- To improve the platform: analyzing how features are used helps us prioritize improvements and fix problems. This analysis is done at an aggregate level and does not involve reading the content of your conversations.
- To keep the platform secure: detecting and preventing fraud, abuse, unauthorized access, and other harmful activity.
- To meet legal obligations: responding to lawful requests from regulatory authorities and meeting our compliance responsibilities under applicable law.
We do not use the content of your WhatsApp messages, call recordings, SMS, or CRM data to train machine learning models or for any purpose unrelated to operating your account.
5. Legal Basis for Processing (EEA & UK Users)
If you are based in the European Economic Area or the United Kingdom, data protection law requires us to have a valid legal basis for processing your personal data. Here is how that applies to our main processing activities:
- Contract performance: most of our processing — running your account, delivering the Service, processing payments — is necessary to fulfill our contract with you.
- Legitimate interests: some processing (such as security monitoring, product analytics, and business development) is based on our legitimate interest in operating and improving a safe and functional product, balanced against your rights.
- Consent: where we rely on consent — for example, for call recording, connecting your email inbox, or sending you marketing emails — we will ask for it explicitly. You can withdraw consent at any time, and it will not affect any processing we carried out before withdrawal.
- Legal obligation: we may need to process or disclose data to comply with a legal requirement, such as a court order or regulatory request.
If you want to understand the specific legal basis for any particular processing activity, contact us at [email protected].
6. WhatsApp Data
How we access it
We connect to WhatsApp exclusively through the official WhatsApp Business API provided by Meta Platforms, Inc. We do not use unofficial or third-party WhatsApp access methods.
What we store
We store WhatsApp messages, media files, contact information, and conversation metadata on our servers to power your shared inbox and CRM features. This data is accessible only to team members you have authorized within your Connectoo account.
How long we keep it
We keep WhatsApp data for as long as your account is active. When your account closes, it is deleted within 30 days unless you have configured a longer retention period under your plan (where available) or unless we are legally required to keep it for longer.
Deletion requests
You can request deletion of your WhatsApp data at any time by emailing [email protected]. We will process the request within 30 days.
Meta's terms
Your use of WhatsApp through Connectoo also means Meta's WhatsApp Business Terms and Privacy Policy apply to that data. We comply with Meta's data handling requirements for Business API partners.
7. Call Data & Recordings
Call metadata
When you make or receive calls through Connectoo, we store metadata about each call — the numbers involved, direction, duration, timestamp, and outcome — to populate your CRM and communication timeline. Because Connectoo handles calls over VoIP, this metadata comes from calls placed through the platform, not from reading your device’s SIM call log.
Call recording — opt-in only
Call recording is turned off by default. It is available on paid plans and must be enabled by an account administrator. Once enabled, Connectoo records the VoIP call audio and stores it on our servers in encrypted form.
Your legal responsibility for recording
Laws on call recording differ by country and, in many places, by state or province. Some require only one party to the call to consent; others require all parties. It is entirely your responsibility to understand and follow the recording laws that apply wherever you and your call participants are located. Connectoo provides pre-call announcement tools to help — but these are tools, not legal guarantees.
Security of recordings
Recordings are encrypted in transit and at rest. Only account users you designate can access them. We provide configurable auto-deletion policies so recordings are not kept longer than your organization needs.
No AI training
We do not use recording content to train machine learning systems or for any purpose beyond those described here.
9. International Data Transfers
Our infrastructure is hosted in India and the United States. Some of the third-party service providers we work with are located in other countries. If you are in the European Economic Area (EEA) or United Kingdom, this means your personal data may be transferred outside of those regions.
Whenever we transfer EEA or UK personal data internationally, we ensure a lawful transfer mechanism is in place — typically the Standard Contractual Clauses approved by the European Commission, or another mechanism recognized under applicable law. The Appendix at the end of this Policy describes the technical details of our data transfer arrangements in more detail.
10. How Long We Keep Your Data
We keep your personal data for as long as your account is open or as long as we need it to provide the Service. When we no longer need it, we delete or anonymize it. Specific retention periods that apply in different scenarios:
- Active accounts: account, usage, and communication data is retained while your subscription is active.
- After account closure: we retain your data for 30 days to allow you to export it, then delete it from active systems. Some records (such as billing history) may be retained longer where required by financial regulations.
- Call recordings: retained for the duration you set in your account settings. Accounts without a custom retention setting default to platform-level limits.
- Legal holds: if we are involved in litigation or a regulatory investigation that requires us to preserve data, we will retain relevant information until the matter is resolved.
11. How We Protect Your Data
We use a layered approach to security that includes:
- Encryption of all data in transit using TLS (version 1.2 or higher);
- Encryption of stored data, including call recordings, using AES-256;
- Role-based access controls so that only authorized personnel can access data;
- Detailed audit logs of access and changes to sensitive data;
- Periodic internal security reviews and third-party penetration testing;
- Automated backup procedures and tested disaster recovery plans.
No security system is infallible. While we do everything reasonable to protect your data, we cannot promise that an unauthorized third party will never circumvent our measures. If you notice something suspicious related to your account, please tell us immediately.
If a confirmed data breach occurs that is likely to affect your rights or freedoms, we will notify you in line with our obligations under applicable law — without unnecessary delay.
12. Your Rights Over Your Data
Depending on where you are located, you may have some or all of the following rights. To exercise any of them, email us at [email protected]. We will respond within 30 days (or the timeframe required by your local law).
Access
Ask us what personal data we hold about you and get a copy of it.
Correction
Ask us to fix any personal data we hold that is inaccurate or incomplete.
Deletion
Ask us to erase your personal data. We will do so unless we have a legal obligation to keep some or all of it.
Portability
Ask for your data in a portable, machine-readable format so you can move it to another provider.
Objection
Object to us processing your data for direct marketing or where our legal basis is legitimate interests.
Restriction
Ask us to pause processing of your data in certain circumstances, for example while we investigate a dispute.
Withdraw consent
Where processing is based on consent, you can withdraw it at any time. This does not undo processing that already happened.
Lodge a complaint
If you are unsatisfied with how we handle your data, you have the right to file a complaint with your local data protection authority.
When you exercise these rights, we may need to verify your identity. We will never charge a fee for a straightforward access request, but we may charge a reasonable fee for requests that are manifestly unfounded or excessive.
13. Children
Connectoo is a business communication tool designed for adults. We do not knowingly collect personal data from anyone under 18. If you believe a child has created a Connectoo account or submitted personal data through our platform, please contact us at [email protected] and we will delete it promptly.
16. End Users & Third-Party Data
If you are a person whose information appears in a Connectoo customer's account (for example, a contact in someone else's CRM), the Connectoo customer — not us — is the controller of your personal data in that context. Your privacy rights should be directed to that customer.
Connectoo acts as a processor of that data, following the instructions of our customer. We do not have an independent relationship with end users of our customers’ systems and are not responsible for how those customers collect or use personal data.
17. Policy Updates
We may update this Policy from time to time as our product evolves, our business changes, or the law requires. When we make a material change, we will post the updated Policy on this page, update the "Last updated" date at the top, and send you an email notification at least 10 days before the changes take effect.
If you continue using the Service after a change takes effect, that means you accept the updated Policy. If you do not agree, you may stop using the Service and request account deletion.
18. Contact & Complaints
If you have a question about this Policy, want to exercise a data right, or have a concern about how we handle your data, please reach out:
We aim to respond to all enquiries within 5 business days and to complete data rights requests within 30 days.
If you are in the EEA or UK and feel we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.
Appendix — International Data Transfer Details (GDPR)
This section describes the data transfer arrangement for EEA and UK customers, forming part of the Standard Contractual Clauses referenced in Section 9. For these purposes, Connectoo is the data importer and the customer is the data exporter.
Who is affected
Connectoo customers (account holders and their team members) and, where relevant, the end-users of those customers' Connectoo accounts.
Why the data is transferred
To deliver the Connectoo communication and CRM platform services that the customer has subscribed to, including hosting, processing, and displaying communication data.
What categories of data are transferred
Subscription & account data — names, contact details, billing information, and identity verification records for authorized account users.
Usage & communication data — information generated through the use of the platform, including telephone numbers, message metadata, call metadata (date, time, duration, direction), and logs used to operate the Service and prevent abuse. This category does not include the content of WhatsApp messages or call recordings for the purpose of this appendix; that content is governed by the service agreement and Data Processing Agreement signed with each business customer.
Who receives the data
Connectoo employees and contractors with a legitimate operational need; sub-processors engaged by Connectoo to provide infrastructure, telephony, payment, or support services (all bound by appropriate data processing agreements); and regulators or law enforcement where legally required.
Sensitive categories
We do not intentionally process special categories of sensitive personal data (such as health, biometric, or financial data) as part of standard Service delivery.
Data protection contact
For data protection matters: [email protected]
