Privacy Policy
Last updated: July 4, 2026 · Effective immediately for all Meek Media products
Meek Media (LLP, India) — referred to here as "we", "us", or "our" — operates a portfolio of AI-powered automation and growth products. This Privacy Policy explains what data we collect, how we use it, who we share it with, and the rights you have over your data.
This policy applies to all of our products, including:
- meek.media — our agency website, blog, and free tools (AI calculators, generators, audits).
- waomate.com — our WhatsApp Business Cloud API platform for shared inbox, broadcasts, and templates.
- igmsg.com — our Instagram comment-to-DM automation product.
- Any future Meek Media product that links to this page as its privacy policy.
Where a specific section applies to only one product, we say so explicitly.
1. Introduction
By creating an account, using a free tool, connecting a Meta (Facebook / Instagram / WhatsApp) account, or otherwise interacting with our services, you consent to the practices described here. If you do not agree, please do not use our services.
If you are a customer of one of our business clients (e.g., a person who messages a business that uses Waomate or Igmsg), please refer to that business's own privacy policy. We process your data on their behalf as a data processor; they are the data controller for messages and contact data.
2. Information We Collect
2.1 Information you provide directly
- Account information: name, business name, email, phone number, password (stored only as a bcrypt hash with cost factor 12 — never plain text).
- Billing information: company name, GSTIN (where applicable), billing address, and payment-method tokens (we never store full card numbers — these stay with our payment processor Razorpay).
- Support & communications: emails, chat messages, screenshots, and call recordings you share with our support team.
- Tool inputs: data you enter into our free tools (URL audits, ROI inputs, competitor domains, etc.) — used to compute results and not retained beyond the session unless you log in and save.
2.2 WhatsApp Business Account data (Waomate users)
When you connect WhatsApp Business through Meta's Embedded Signup flow inside Waomate, we receive and store:
- WhatsApp Business Account (WABA) ID, phone number ID, business name, and display phone number.
- Long-lived OAuth access tokens — encrypted at rest using AES-256 with a per-environment master key.
- Phone-number health metadata from Meta: quality rating, messaging tier, account review status. Refreshed every ~10 minutes.
- Message templates you submit — name, category, language, body, footer, buttons, sample variable values.
- Customer contacts you import: name, phone number (E.164), tags, custom attributes.
- Inbound and outbound message content sent or received via your WhatsApp number, including text, media (images/video/audio/documents), and interactive components.
- Message delivery, read, reply, and template-status events received from Meta via webhooks.
2.3 Instagram account data (Igmsg users)
When you connect Instagram through Meta's Login flow inside Igmsg, we receive and store:
- Instagram Business or Creator account ID, username, profile picture, and the linked Facebook Page ID.
- Long-lived access tokens — encrypted at rest using AES-256.
- Posts and comments you choose to monitor for keyword automation — comment text, commenter username, post media URL.
- Direct messages we send on your behalf in response to a triggering comment, plus any subsequent inbound DMs from those users.
- Automation rules you configure: trigger keywords, response messages, follow-up sequences.
- Story replies and reaction data when you opt in to story-mention automation.
2.4 Customer contact and conversation data
This is data about your end customers (not about you). When end customers interact with your business through Waomate or Igmsg, we process their phone number / Instagram handle, message content, and any custom attributes you assign. We are a data processor for this data; you are the controller. We do not use it for our own marketing or analytics, and we do not share it with anyone outside the sub-processors listed in section 5.
2.5 Automatically collected information
- Log data: IP address, browser type, device type, operating system, timestamps, referring URL.
- Usage data: pages viewed, features used, clicks, errors encountered. Aggregated and anonymised for product analytics.
- Performance data: load times, API response times, error traces.
2.6 Cookies and tracking technologies
- Strictly necessary: session cookie, CSRF token. Cannot be disabled — required for login and form submission.
- Functional: theme preference, dismissed banners. Stored in localStorage.
- Analytics: aggregated, anonymised — no personal identifiers. We do not use third-party advertising cookies.
- We do not use Google Analytics, Facebook Pixel, or third-party retargeting cookies on our product surfaces (Waomate dashboard, Igmsg dashboard). Our marketing site (meek.media) may use minimal first-party analytics for SEO purposes.
3. How We Use Your Information
- Provide the service: deliver messages, store conversations, render dashboards, process automations.
- Authenticate & secure: log you in, prevent account takeover, detect abuse.
- Bill you accurately: meter usage, calculate overages, generate invoices.
- Improve the product: aggregated analytics tell us which features are used, where users get stuck, what to build next.
- Customer support: respond to tickets, investigate issues, share workarounds.
- Legal & compliance: tax records, anti-abuse, lawful requests from authorities.
- Communicate with you: transactional emails (receipts, password resets, security alerts), product updates, occasional surveys. You can opt out of marketing emails at any time.
We do not use your data, your customer messages, or your contacts to train any AI model — ours or a third-party's.
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area or UK, our legal bases are:
- Contract — processing necessary to deliver the service you signed up for.
- Legitimate interests — improving the product, preventing fraud and abuse, ensuring security.
- Legal obligation — tax records, court orders, regulator requests.
- Consent — for non-essential cookies, marketing emails, optional features. You can withdraw consent at any time.
5. Data Sharing and Disclosure
We do not sell, rent, or trade your data. We share it only with the parties below, and only as needed.
5.1 Sub-processors and service providers
- Hostarmada (India region) — application and database hosting.
- Cloudflare — DNS, CDN, DDoS protection.
- Google Firebase Realtime Database — real-time message-event delivery for the Waomate inbox.
- Razorpay — subscription payment processing (only when you upgrade to a paid plan).
- Email delivery: transactional emails sent via SMTP relay; provider rotated as needed.
Each sub-processor has signed a data-processing agreement that prohibits independent use of your data, requires equivalent security, and binds them to delete data on termination.
5.2 Meta Platforms
Our products operate on top of Meta's WhatsApp Business Cloud API (Waomate) and Instagram Graph API (Igmsg). To deliver your messages, fetch your Pages, or submit templates for review, we exchange data with Meta as required by their APIs. Meta's own privacy policy (facebook.com/privacy/policy) applies to data they hold. We do not use Meta APIs for any purpose other than what you instruct via our dashboards.
5.3 Legal requirements
We may disclose data when compelled by valid legal process (court order, lawful subpoena, government request) or when necessary to protect our rights, property, or safety, or that of our users.
5.4 Business transfers
If Meek Media is acquired, merged, or sells substantially all of its assets, your data may transfer to the successor entity. The successor will be bound by this policy or one with materially equivalent protections. We will notify you by email at least 30 days before any such transfer.
6. Data Security
- HTTPS-only transport (TLS 1.2 or higher) for all client-server communication.
- WhatsApp and Instagram OAuth access tokens encrypted at rest with AES-256-GCM.
- Per-tenant data isolation enforced at the application layer (every database query is scoped by tenant_id).
- Password hashes use bcrypt with a work factor of 12.
- Webhook signatures (Meta) are verified via HMAC-SHA256 before any database write.
- Audit logs of admin actions retained for 1 year.
- Daily encrypted off-site backups; rotated and overwritten within 30 days.
- Access to production systems restricted to a small named group with hardware-key 2FA.
- Annual third-party penetration tests planned for 2026.
No method of transmission or storage is 100% secure. If you discover a vulnerability, please email security@meek.media — we run a coordinated disclosure program.
7. Data Retention
- Active accounts: data retained for the life of the account.
- Cancelled accounts: data deleted from active databases within 90 days; backups overwritten within an additional 30 days.
- WhatsApp / Instagram message content: retained per the workspace setting (default 12 months; configurable in Waomate / Igmsg dashboards).
- Tax invoices and billing records: 7 years per Indian tax law (Income Tax Act).
- Audit logs: 1 year.
- Anonymised aggregated analytics: retained indefinitely; cannot be linked back to you.
8. Your Rights and Choices
Regardless of where you live, you can at any time:
- Access a copy of your data — export from your dashboard, or email privacy@meek.media.
- Correct inaccurate data via your account settings.
- Delete your data — see Data Deletion Instructions.
- Object to specific processing or restrict it.
- Port your data to another provider — exports are available as JSON/CSV.
- Withdraw consent for non-essential processing.
- File a complaint with a supervisory authority (e.g., the Data Protection Board of India under the DPDPA, or your local EU/UK DPA).
We respond to verified requests within 30 days.
9. California Privacy Rights (CCPA)
If you are a California resident, in addition to the rights in section 8, you have the right to:
- Know what personal information we have collected about you in the last 12 months.
- Request deletion of personal information.
- Opt out of the "sale" of personal information — we do not sell personal information, so there is nothing to opt out of.
- Not be discriminated against for exercising your CCPA rights.
To exercise these rights, email privacy@meek.media with "CCPA request" in the subject line.
10. Children's Privacy
Our services are not directed at anyone under 18 and we do not knowingly collect personal information from minors. If you believe a minor has provided us data, contact us and we will delete it.
11. International Data Transfers
Our infrastructure runs primarily in India (Hostarmada Mumbai region). Some sub-processors (Cloudflare, Google Firebase, Meta) may process data outside India for the purpose of providing CDN, real-time messaging, DNS, or messaging-API services. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
12. Third-Party Links
Our sites may link to external resources (Meta documentation, customer case studies, blog references). We are not responsible for the privacy practices of those sites; their own privacy policies govern your interactions with them.
13. Data Deletion Requests
You can delete your account and all associated data:
- Self-serve: log in to the relevant product and use the "Close account" option in workspace settings.
- By email: write to privacy@meek.media from the email address registered to your account, subject "Delete my data". We verify identity then delete within 30 days.
- From Meta: if you remove our app from your Meta Business Settings, Meta sends us a deletion notice. We treat that the same as a self-serve deletion.
Full step-by-step instructions are at /data-deletion.
14. Changes to This Privacy Policy
We may update this policy from time to time. Material changes will be posted here with a new "Last updated" date and announced by email to active account owners at least 30 days before they take effect.
15. Contact Us
For privacy questions, data-subject requests, or to report a security issue:
- Email: privacy@meek.media
- Security disclosures: security@meek.media
- Postal address: Meek Media LLP, Kolkata, West Bengal, India
- Data Protection Officer: Manish Sharma — reachable at the above email
This document is a clear summary of our practices and is not a substitute for legal advice. If you operate in a jurisdiction with specific requirements (GDPR, CCPA, India DPDPA, LGPD, PIPEDA, etc.), contact us for our data-processing addendum.