Privacy Policy for WebOrigin Platforms
**Effective Date: May 22, 2026**
**Last Dynamic Audit Revision: May 2026**
WebOrigin ("we," "our," "us," or "the Platform") operates a decentralized, multi-tenant Software-as-a-Service (SaaS) AI Chatbot integration suite and automation framework. We specialize in engineering real-time, ultra-low-latency (0.8-second execution boundaries) communication systems that interface proprietary business data layers directly with the Meta WhatsApp Cloud API and Google AI Studio architecture.
This Privacy Policy forms a legally binding operational protocol between WebOrigin and your commercial organization, enterprise, or individual sole proprietorship ("Tenant," "Client," "User"). This document outlines the precise technical mechanisms, collection protocols, encryption vectors, and regulatory compliance standards regarding the parsing, ingestion, retention, and isolation of personal and transactional business data passing through our system pipelines.
By deploying an operational webhook instance or initializing the WebOrigin AI Trainer Panel dashboard, you explicitly acknowledge and authorize the data configuration protocols detailed herein.
---
1. High-Fidelity Data Architecture & Scope of Collection
To maintain sub-second multi-tenant chat processing loops, our systems capture, process, and map data into three separate operational vectors:
#### A. Tenant Operator Configurations
During dashboard onboarding, account provisioning, or Meta Embedded Signup verification cycles, we collect:
* **Identity Indicators:** Full legal personal or corporate operator names, associated individual or corporate tax registration parameters (including Personal or Business Permanent Account Numbers - PAN), physical service deployment locations, and postal verification signatures.
* **Network Handshake Credentials:** Securely isolated Meta Cloud API Access Tokens, WhatsApp Business Phone Number IDs, WhatsApp Business Account (WABA) identifiers, and Supabase client-side reference variables.
* **Organizational Context:** Business category, industry vertical (Coaching, Medical, Real Estate, Freelancer), subscription tier, and tenant classification (business or individual operator).
#### B. The Multimodal AI Ingestion Pipeline (AI Trainer Data)
When training an instance brain via the client dashboard, our file processing layer ingests files (.txt, .md, .csv, .pdf, .docx, .png, .jpg) and converts them into normalized text or visual multidimensional vector arrays. This includes:
* Raw alphanumeric text extractions from training manuals, course syllabi, inventory catalogs, and localized trade matrices.
* Base64 structural pixel maps of uploaded promotional leaflets, flyers, or handwritten schedules passed directly through our multimodal ingestion layer.
* Document metadata including file names, upload timestamps, file sizes, and source labels for knowledge base organization.
#### C. Live Webhook Transactional Records
When an end-user customer transmits a communication stream to a tenant's integrated phone terminal, our active Next.js API endpoints intercept:
* Inbound text strings, structural voice note files (.ogg), interactive visual screenshots (.png, .jpg), and digital system logs.
* Core transaction routing parameters, including sender WhatsApp identifiers (phone metadata strings), message direction (inbound/outbound), and server execution time codes.
* Extracted lead data (names, email addresses, company information, phone numbers, and inquiry details) when lead capture is enabled.
---
2. Deep Technical Processing, Transformation, and Model Mechanics
WebOrigin does not employ generic, open-ended conversational caches. Our processing mechanics are strictly defined as follows:
#### A. Vectorization & Vector Grounding
* Injected knowledge assets are passed through our isolated system chunking loops (sliced safely into arrays containing a maximum of 90 items per sub-operation) and processed using the `gemini-embedding-2` embedding model.
* Resulting 768-dimensional vector coordinates are committed directly into your dedicated Supabase PostgreSQL vector tables using pgvector extensions.
* Embeddings enable semantic similarity search for context retrieval without storing raw document text in search indices.
#### B. Upstream Processing (Google AI Studio Ecosystem)
* Dynamic prompt loops use Google's `gemini-2.5-flash` or `gemini-1.5-flash` API via direct server-to-server endpoints (never exposed to the client browser).
* Per Google AI Studio developer documentation guidelines, your proprietary data is handled safely through secure endpoints for context queries.
* System prompts are dynamically constructed based on tenant industry type, custom instructions, and retrieved knowledge base context.
* Estimated token counting algorithms calculate API costs per message for billing accuracy.
#### C. Outbound Media Delivery Interception
* When a client request matches a stored asset parameter, our server actions parse the exact path using strict regex handlers.
* Static files are fetched directly from Supabase Storage public buckets and converted into native Meta WhatsApp Media Message Objects.
* Media is routed to the recipient phone within the 0.8-second execution boundary via the Meta Graph API.
---
3. Hardline Multi-Tenant Isolation & Advanced Data Security
WebOrigin is engineered on a rigid zero-trust privacy infrastructure:
#### A. Row-Level Security (RLS)
* All data blocks, training matrices, token caches, and transaction logs are governed by strict multi-tenant Row-Level Security (RLS) policies within our Supabase database architecture.
* Every single database query is strictly filtered by a validated `tenant_id` parameter token.
* No tenant can ever cross-query or view another organization's files, logs, chat messages, leads, or customer data arrays.
* Admin operations use separate elevated service role credentials with audit logging.
#### B. Encryption Standards
* **In Transit:** Data is strictly encrypted using TLS 1.3 protocols across all edge network connections (Vercel deployment routes, Meta Cloud API, Google AI endpoints).
* **At Rest:** Data inside primary storage instances is locked down using industry-standard AES-256 cryptographic keys managed by Supabase.
* **Database-Level:** Sensitive credential fields (Meta Access Tokens, API keys) are hashed or encrypted at the database schema level.
#### C. Token Hardening & Access Control
* Sensitive administration credentials (`SUPABASE_SERVICE_ROLE_KEY`, Meta Access Tokens, Gemini API keys) are injected purely as server-side environment variables on protected production runtime engines.
* They are never exposed to client-side network inspectors, browser local storage, or client-side code bundles.
* Platform admin access is restricted to verified administrator user IDs via the `WEBORIGIN_ADMIN_USER_ID` environment variable.
#### D. Privacy Control Options
* **Deep Privacy Mode:** When enabled, message content is not stored in chat logs; only transaction metadata is retained.
* **Message Retention Settings:** Automatic purge of chat messages after a configurable retention period (default: 90 days).
* **Contact Whitelist:** Tenants can restrict AI responses to specific phone numbers only.
* **Keyword-Triggered AI:** AI responses only activate when specific keywords appear in incoming messages.
* **Lead Capture Toggle:** Disable automated lead extraction if privacy concerns prohibit data collection.
---
4. Data Retention, Purging, and Lifecycle Protocols
#### A. Ephemeral Caching
* Inbound customer voice note files (.ogg) and multimodal snapshot pixels are processed through memory runtime arrays during the 0.8-second response window.
* Raw files are parsed into structured data streams and immediately flushed from terminal processing buffers.
* Temporary embedding calculations are discarded after similarity search completion.
#### B. Tenant-Controlled Purging
* Tenants retain absolute ownership of their indexed data matrices.
* Clicking "Delete Knowledge Base" or "Flush All Data" inside the AI Trainer Panel fires an immediate cascading drop rule across your database schemas.
* All associated text chunks, vector embeddings, and metadata are permanently scrubbed within 24 hours.
* Account deletion triggers complete tenant workspace purge including all chat logs, leads, and training files.
#### C. Regulatory Retention Minimization
* We maintain transaction logs purely to preserve active customer chat state threads inside the dashboard layout.
* Logs are not repurposed for cross-tenant indexing, model retraining, or analytics aggregation.
* Historical data is segregated and automatically purged based on tenant-configured retention policies.
---
5. Compliance with Global and Indian Data Regulations
WebOrigin operates in strict compliance with the framework guidelines of the **Digital Personal Data Protection (DPDP) Act, 2023** of India and respects international privacy standards:
#### A. DPDP Act 2023 Compliance
* **The Right to Erasure:** Customers and Tenants can invoke data wiping parameters at any time via dashboard or email request.
* **Storage Limitations:** Data is retained only for the duration necessary to provide our services.
* **Purpose Limitation:** Data collected for webhook processing is not repurposed for marketing, profiling, or cross-tenant analysis.
* **Consent Management:** Explicit consent is obtained during account creation and can be withdrawn at any time.
#### B. International Standards
* **GDPR-Adjacent Principles:** While not GDPR-subject, we implement equivalent data minimization and transparency principles.
* **No Unauthorized Third-Party Sharing:** We do not sell, rent, or lease business or customer conversation logs to data brokers.
* **Transparent Data Processing:** All data flows are documented in this policy and our technical system diagrams.
---
6. Third-Party Service Integrations & Data Transfers
Our platform integrates with the following external services. Your data is transferred to these services only as necessary to provide functionality:
#### A. Meta Platforms Inc. (WhatsApp Cloud API)
* Inbound and outbound messages are transmitted to Meta's secure servers per their platform policies.
* Meta Access Tokens are stored securely within our Supabase database and never exposed publicly.
* We comply with Meta's Business Policies regarding message content, frequency, and user experience standards.
#### B. Google Cloud (Gemini AI & Embeddings)
* Text content is transmitted to Google's servers for embedding generation and language model processing.
* Google's data processing terms apply per their official terms of service.
* Embeddings are generated server-side and stored in your isolated Supabase vector database; original data is not retained by Google.
#### C. Supabase (Database & Vector Storage)
* Your entire data layer is hosted on Supabase's PostgreSQL servers with encryption at rest.
* Row-level security policies are enforced at the database level.
* Supabase complies with international data protection standards.
---
7. User Rights & Data Subject Requests
#### A. Access & Portability
* You can request a complete export of your tenant data at any time by contacting business.sunder@gmail.com.
* Data exports are provided in machine-readable formats (JSON, CSV) within 15 business days.
#### B. Rectification & Erasure
* You can update incorrect information via the Settings dashboard.
* You can request permanent deletion of your account and all associated data.
* Deletion requests are processed within 7 business days; data is purged from all systems including backups within 30 days.
#### C. Restriction & Objection
* You can restrict AI processing by disabling specific features or enabling Deep Privacy Mode.
* You can object to specific data processing activities via a documented request to business.sunder@gmail.com.
---
8. Security Incident Response & Data Breach Protocol
In the event of unauthorized access to personal data:
- We conduct a forensic investigation within 24 hours of discovery.
- Affected tenants are notified within 72 hours with details on scope and remediation.
- We implement enhanced security controls and provide credit monitoring services if applicable.
- Data breaches are reported to relevant regulatory authorities as required by law.
---
9. Children's Privacy & Age Restrictions
WebOrigin is not designed for use by individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware of personal information collected from a minor, we will delete it immediately.
---
10. Policy Amendments & Change Notification
WebOrigin reserves the right to dynamically adjust this privacy framework to match evolving security parameters, regulatory requirements, and technical architecture improvements. All revisions are:
- Dynamically rendered across our centralized distribution nodes at `https://weborigin.tech/privacy`.
- Timestamped with effective date and change summary.
- Communicated to active tenants via email notification for material changes.
- Archived in version history for regulatory audit trails.
---
11. International Data Transfers
If your organization is located outside India, data transfers to our India-based infrastructure comply with:
- for GDPR-subject data.
- executed upon request.
- for approved jurisdictions.
---
12. Contact & Governance
For privacy inquiries, data requests, or compliance concerns:
- business.sunder@gmail.com
- https://weborigin.tech
- +91 8542 999 607
- WebOrigin Headquarters, India
For urgent security matters, escalate to: contact.weborigin@gmail.com
---
13. Data Protection Officer & Grievance Redressal
While WebOrigin does not employ a formal DPO as mandated by GDPR (not applicable), we maintain:
- Available for consultation on privacy matters.
- Submit privacy complaints via business.sunder@gmail.com.
- 30 days for formal grievance investigation and response.
---
This Privacy Policy is legally binding and forms the entire agreement regarding data handling practices. By using WebOrigin, you acknowledge full understanding and acceptance of these terms.
Last Updated: May 22, 2026