← Owentra home | Terms of Service

Privacy Policy

Effective date: January 1, 2026  ·  Last updated: May 2026  ·  Version 1.1

Owentra ("we", "us", "our") is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use and share it, how we protect it, and the rights you have over it when you use the Owentra platform, website, and associated services (collectively, the "Service").

Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Legal Basis for Processing (GDPR)
  4. How We Share Your Information
  5. Data Retention
  6. Cookies and Tracking Technologies
  7. Security
  8. International Data Transfers
  9. Children's Privacy
  10. Your Rights and Choices
  11. California Residents (CCPA)
  12. Data Processing Agreement
  13. Changes to This Policy
  14. Contact & Complaints

1. Information We Collect

We collect information in three ways: information you provide directly, information collected automatically, and information from third parties.

1.1 Information You Provide

  • Account registration: username, email address, and password when you sign up. If you register via Google OAuth, we receive your name and email from Google.
  • Profile information: company name, phone number, and billing address you add to your profile.
  • Payment information: billing address and payment method type. Full card or bank details are processed and stored by Razorpay; we never receive or store raw payment credentials on our servers.
  • Bot and widget configuration: bot names, goals, website URLs, widget appearance settings, webhook URLs, SMTP credentials, and system prompt content you enter into the Service.
  • Support communications: emails and messages you send to our support team.
  • Visitor conversation data: when your end-users interact with a chat widget you have deployed, their messages, captured email addresses, phone numbers, and names are stored on your behalf. You are the data controller for this data; we process it as your data processor.

1.2 Information Collected Automatically

  • Log data: IP address, browser type and version, operating system, referring URL, pages viewed, and timestamps of requests.
  • Device information: device type, screen resolution, and language settings.
  • Usage data: features used, clicks, navigation paths, and session duration.
  • Session cookies: a single server-side session cookie to keep you authenticated (see Section 6).
  • Widget visitor identifier: a browser-local UUID stored in localStorage on your visitors' devices to resume chat sessions across page loads. This is not a tracking cookie and does not leave the visitor's browser.

1.3 Information from Third Parties

  • Google OAuth: if you choose "Continue with Google", we receive your Google account name, email, and profile photo as permitted by Google's OAuth scopes.
  • Razorpay: payment success/failure events and subscription lifecycle events via signed webhook notifications. We verify each webhook signature before processing.

2. How We Use Your Information

We use the information we collect for the following purposes:

PurposeCategories of data used
Provide, operate, and maintain the ServiceAccount data, bot config, conversation data
Process payments and manage subscriptionsBilling data, Razorpay events
Send transactional emails (password reset, payment confirmation, trial notices)Email address
Deliver OTP verification emails on behalf of your botsVisitor email address (your data)
Detect, investigate, and prevent fraud or abuseLog data, IP address, usage data
Enforce our Terms of ServiceAccount data, usage data
Improve the platform (aggregate, anonymised analytics)Anonymised usage data
Respond to your support requestsAccount data, support communications
Comply with legal obligationsAll applicable categories

We do not sell your personal data. We do not use your data for behavioural advertising. We do not share your data with third-party advertisers.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

  • Contract performance: to create and manage your account, provide the Service, and process payments.
  • Legitimate interests: to improve our platform, ensure security, prevent fraud, and communicate service-related updates. We have carried out a balancing test and concluded our interests are not overridden by your data protection rights.
  • Legal obligation: where processing is required by applicable laws (e.g., tax record-keeping).
  • Consent: where you have given explicit consent (e.g., optional marketing communications). You may withdraw consent at any time.

4. How We Share Your Information

We share personal data only in the following circumstances:

4.1 Sub-Processors

We use the following third-party services to operate the platform. Each is bound by a data processing agreement:

Sub-ProcessorPurposeLocation
RazorpayPayment processing and subscription managementIndia
Google (OAuth2)Optional social sign-inUSA
Transactional email providerSystem email delivery (configured per deployment)Per deployment
Hosting / cloud infrastructure providerServer infrastructure and data storagePer deployment
Redis / message brokerReal-time WebSocket routingPer deployment

4.2 Legal Requirements

We may disclose your information where required to comply with a legal obligation, court order, or valid government request, or where necessary to protect the rights, property, or safety of Owentra, our users, or the public.

4.3 Business Transfers

If Owentra is acquired, merges with another company, or sells substantially all of its assets, your data may be transferred as part of that transaction. We will notify you via email or a prominent in-app notice before your data is subject to a different privacy policy.

4.4 With Your Consent

We may share data for any other purpose with your explicit prior consent.

5. Data Retention

  • Account and billing data: retained for as long as your account is active and for up to 7 years after closure for tax, legal, and audit purposes.
  • Conversation data (your visitors' messages and leads): retained according to your subscription plan's analytics window. You may request earlier deletion at any time.
  • Log data: retained for up to 90 days for security and debugging, then purged or anonymised.
  • Payment records: retained for the period required by applicable tax law (typically 7 years).
  • Support communications: retained for up to 3 years after the last interaction.
  • Deleted accounts: when you delete your account, we begin a 30-day grace period before permanent deletion, during which you may reactivate. After the grace period, personal data is purged within 60 days, except where retention is required by law.

6. Cookies and Tracking Technologies

We use a minimal set of technologies to make the Service work:

Name / TypePurposeDuration
sessionid (session cookie)Keeps you authenticated across requestsSession / browser close
csrftoken (security cookie)Protects forms against CSRF attacks (required)1 year
Widget localStorage keyResumes visitor chat sessions on your embedded widget. Not a cookie; never sent to our servers.Browser local storage

We do not use third-party advertising cookies, cross-site tracking pixels, or analytics tools that fingerprint individual users.

7. Security

We implement industry-standard technical and organisational measures to protect your data:

  • All data in transit is encrypted using HTTPS/TLS 1.2 or higher.
  • WebSocket connections are secured via WSS (encrypted WebSocket over TLS).
  • Passwords are stored as salted hashes using Django's PBKDF2-SHA256 algorithm (never in plaintext).
  • Payment webhook signatures are verified using HMAC-SHA256 before any data is processed.
  • Access to production infrastructure is restricted to authorised personnel and protected by multi-factor authentication.
  • We conduct regular security reviews and apply critical patches promptly.

Despite our efforts, no system is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and any applicable supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33.

8. International Data Transfers

Owentra is operated from India. If you access the Service from the EEA, UK, or other regions with data protection laws, your information may be transferred to and processed in India or the jurisdiction where our infrastructure providers operate.

Where we transfer personal data from the EEA or UK to countries not recognised as providing an adequate level of protection, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or we ensure that the recipient is certified under an equivalent framework.

You may request details of the specific safeguards we use by contacting us at teams.owentra@gmail.com.

9. Children's Privacy

The Service is not directed at children under the age of 13 (or under 16 in certain jurisdictions). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information without parental consent, please contact us immediately and we will delete that information.

10. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): request deletion of your account and associated personal data, subject to our legal retention obligations.
  • Restriction: request that we restrict processing of your data in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format and transfer it to another controller (Pro/Enterprise plan feature for conversation data).
  • Objection: object to processing based on legitimate interests or for direct marketing purposes.
  • Withdrawal of consent: where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Automated decision-making: request human review of any automated decisions that significantly affect you.

To exercise any of these rights, email teams.owentra@gmail.com. We will respond within 30 days. We may need to verify your identity before processing requests. Requests are free of charge unless manifestly unfounded or excessive.

If you are unhappy with how we handle your request, you have the right to lodge a complaint with your local data protection supervisory authority.

11. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you additional rights:

  • Right to Know: request disclosure of the categories and specific pieces of personal information we collect about you, the sources, our business or commercial purposes, and the categories of third parties with whom we share it.
  • Right to Delete: request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Correct: request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: we do not sell or share personal information for cross-context behavioural advertising. This right therefore does not apply to Owentra.
  • Right to Limit Use of Sensitive Personal Information: we do not use sensitive personal information for purposes beyond those permitted by the CPRA.
  • Right to Non-Discrimination: we will not discriminate against you for exercising any CCPA/CPRA rights.

To exercise California rights, email teams.owentra@gmail.com with the subject line "California Privacy Rights Request".

12. Data Processing Agreement

If you use Owentra to collect and process personal data from your end-users (e.g., via chat widgets), you are the data controller and Owentra is your data processor. By accepting these terms and using the Service, you also accept our Data Processing Agreement (DPA), which sets out the terms under which we process personal data on your behalf.

Enterprise customers may request a signed DPA by emailing teams.owentra@gmail.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, or applicable law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify you via email and/or a prominent in-app banner at least 14 days before changes take effect.

Your continued use of the Service after the effective date constitutes acceptance of the revised Policy. If you do not agree to the changes, you should stop using the Service and delete your account before the effective date.

14. Contact & Complaints

For privacy questions, rights requests, or complaints:

  • Email: teams.owentra@gmail.com
  • General support: Contact Us

If you are in the EEA or UK and believe we have not handled your data lawfully, you have the right to lodge a complaint with the data protection supervisory authority in your member state or country.