This Privacy Policy explains how BNM for Business ("BNM", "we", "us", or "our") collects, uses, shares, retains, and protects personal data in connection with our services. It applies to our web application available at studio.bnmapp.com and in.studio.bnmapp.com, our companion "BNM Admin" desktop and mobile applications, and any related websites, APIs, and features (together, the "Service").
BNM for Business is a multi-tenant software-as-a-service (SaaS) platform that enables businesses to run their operations over WhatsApp and Telegram. The Service includes a no-code automation and workflow builder, a shared messaging inbox, e-commerce and order management, appointments, clinical and healthcare records (for clinic businesses), delivery dispatch, subscriptions, a wallet and payments, company back-office tools, and an AI assistant.
This policy is governed by, and should be read together with, our Terms of Service and, where applicable, the data processing agreement that governs our handling of end-customer data on behalf of business customers. Please read it carefully so that you understand our practices regarding your personal data and how we treat it.
This policy addresses two distinct categories of people whose data we handle:
The distinction matters because it determines our legal role and responsibilities, which we explain in Section 2. Under India's Digital Personal Data Protection Act, 2023 (the "DPDP Act"), an identifiable individual is a "Data Principal"; under the EU/UK GDPR, a "data subject". We use the plain term "you" for both throughout this policy.
The entity responsible for the Service is:
[Legal entity name and registered address — to be completed]
Our role under data protection law depends on whose data is being processed and why. The same data protection laws can apply to us in two different capacities, so we set out both clearly below. The terms "controller" and "processor" are used as defined under the GDPR; under the DPDP Act, the equivalent roles are "Data Fiduciary" and "Data Processor" respectively.
For personal data relating to our account holders — for example, the business's account and contact details, the identifiers used by administrators to sign in, billing and transaction metadata, and the device, log, and usage data generated when a business administrator uses the Service — BNM is the data controller (Data Fiduciary). This means we determine the purposes and means of processing that data, and we are directly responsible to those individuals for how it is handled.
For personal data relating to end-customers — for example, an end-customer's name, phone number, delivery address, shared location, the WhatsApp/Telegram messages and media they exchange with the business, and their order, appointment, or clinical records — BNM acts as a data processor. In this capacity:
If you are an end-customer and you wish to exercise your rights over your data, or you have questions about how your data is used, you should in the first instance contact the business you interacted with, as it is the controller of that data. We will support that business in responding to your request, and you may also contact us using the details in Section 18.
We collect and process the categories of information described below. Not all categories apply to every person or every business; what we hold depends on which features of the Service are used.
When a business signs up for and configures the Service, we collect business account and contact details. This typically includes the business name, the names and contact details of the administrators who manage the account, business address and operating details, and configuration and preference settings.
When administrators sign in, we process authentication identifiers, including identifiers associated with Google sign-in and Apple sign-in. We use these to verify identity, create and secure sessions, and protect accounts. We do not receive or store the passwords held by those identity providers.
The Service handles WhatsApp and Telegram messages and media that pass through the shared inbox and automations. This can include text, images, documents, audio, and other media exchanged between a business and its end-customers, together with related metadata such as timestamps, sender and recipient identifiers, and delivery status.
We process end-customer contact data on behalf of the business, which may include the end-customer's name, phone number, delivery address, and any location they choose to share. This data is provided by the end-customer to the business through the messaging channels or other features of the Service.
Depending on the features a business uses, we process records relating to orders and e-commerce transactions, appointments and bookings, deliveries, subscriptions, and the business's back-office operations.
For clinic and healthcare businesses, the Service can store clinical and healthcare records. Such records may include health information about end-customers — for example, symptoms, diagnoses, prescriptions, visit notes, and voice recordings of consultations where the business uses that feature. Health data is treated as sensitive personal data and is given enhanced protection. Where BNM stores or processes such data, it does so as a processor acting on the instructions of the clinic, which remains the controller and is responsible for having a lawful basis to collect and use it, including any consent required by law.
We process payment and transaction metadata to support orders, the wallet, subscriptions, and billing — for example, transaction amounts, status, references, timestamps, and the identifier returned by the payment gateway. Full card numbers and other complete card details are handled directly by the payment gateway and are not stored by BNM. See Section 7 for more on payments.
When the Service is used, we automatically collect device, log, and usage data. This can include IP address, browser and device type, operating system, app version, identifiers for diagnostics and push notifications, pages and features accessed, actions taken, error and performance logs, and approximate location inferred from network information. We use this data to operate, secure, and improve the Service.
We use cookies and similar technologies, including browser local storage, to keep administrators signed in, maintain sessions, remember preferences, and support analytics. See Section 8 for details.
We use personal data for the purposes set out below. Where we act as a controller, we rely on the legal bases indicated. Where we act as a processor for end-customer data, the legal basis for the underlying processing is determined by the business customer (the controller); we process only on its instructions.
Under the DPDP Act, personal data is generally processed on the basis of consent or for certain legitimate uses permitted by that Act. Under the GDPR, we rely on the following bases:
We process personal data only for the purposes described in this policy and will seek a fresh basis or consent if we need to use it for a materially different purpose. For end-customer data processed on behalf of a business, the relevant lawful basis (such as consent or contract) must be established and maintained by that business as the controller.
The Service connects businesses to their end-customers through the WhatsApp Business Platform (Cloud API), operated by Meta Platforms, and through Telegram.
When an end-customer sends a message to a business, or a business sends a message to an end-customer, that message and any media pass through the relevant platform's infrastructure (Meta for WhatsApp, Telegram for Telegram) and are received and stored within the Service so the business can view, reply, automate, and manage the conversation. The content of these messages, and related metadata, is therefore processed by both the platform provider and by BNM as a processor for the business.
Use of WhatsApp and Telegram is also subject to those providers' own terms and privacy policies. Business customers are responsible for using the channels in compliance with:
This includes obtaining any required opt-in or consent from end-customers before messaging them, honouring opt-outs, and using approved message templates and categories where the platform requires them. BNM is not responsible for the data practices of Meta or Telegram, which act under their own terms.
The Service includes AI-powered features, such as the AI assistant, the clinical voice-to-record assistant, and automation capabilities. To provide these features, relevant content — which may include messages, records, and other inputs you submit — may be sent to and processed by third-party AI model providers, namely Anthropic (Claude), OpenAI, and Google (Gemini), in order to generate responses, suggestions, extractions, or automations.
We process this content only to power the features you use. We do not permit your content to be used to train third-party publicly available AI models without consent. Our use of AI providers is governed by our agreements with them, which restrict the use of submitted content to providing the service to us.
Automated processing. Some AI features process inputs automatically to draft replies, suggest prescriptions, extract information, or route workflows. These features are assistive only: they support, but do not replace, human decision-making. We do not use them to make decisions producing legal or similarly significant effects about you without human involvement. AI-generated output may be inaccurate or incomplete and should not be relied upon as a substitute for professional judgement, including in clinical or healthcare contexts. Businesses remain responsible for reviewing AI output before acting on it.
Payments made through the Service — including order payments, wallet top-ups, and subscriptions — are processed by our third-party payment gateway, Easebuzz (for India). When you make a payment, your card or payment details are collected and processed directly by the payment gateway under its own privacy policy and security standards.
BNM does not collect or store full card numbers or other complete card details. We retain only payment and transaction metadata — such as transaction amount, status, reference, timestamp, and the identifier returned by the gateway — which we use to reconcile orders, manage the wallet and subscriptions, support refunds, and maintain financial records.
We use cookies and similar technologies, including browser local storage, on our web application. These fall into the following broad categories:
You can control cookies through your browser settings, including by blocking or deleting them. Disabling certain cookies may affect the functionality of the Service. Where required by law, we obtain consent before setting non-essential cookies.
We do not sell personal data, and we do not share it for cross-context behavioural advertising. We share personal data only as needed to operate the Service, and in the circumstances described below.
We engage the following third parties to help us provide the Service. Each is listed with the purpose for which it processes data:
We may update this list as our service providers change. Where we add or replace a sub-processor that materially affects the processing of personal data, we will take reasonable steps to keep this policy current and, where required by a data processing agreement, give business customers prior notice and an opportunity to object.
We retain personal data for as long as it is needed for the purposes set out in this policy, and thereafter only where required to meet legal, accounting, tax, or regulatory obligations, resolve disputes, or enforce our agreements.
When personal data is no longer required, we delete it or anonymise it so that it can no longer be associated with an individual.
We implement technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, and loss. These measures include encryption in transit, access controls and authentication, tenant isolation in our multi-tenant architecture, least-privilege access to data, private storage for sensitive content such as clinical recordings, logging and monitoring, and restricting access to personal data to personnel and sub-processors who need it to provide the Service.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security. Business customers are responsible for maintaining the security of their own credentials and for configuring access within their accounts appropriately.
Breach notification. If a personal data breach occurs, we will act promptly to investigate and contain it. Where we act as a controller, we will notify the affected individuals and the relevant authorities — including the Data Protection Board of India under the DPDP Act, and supervisory authorities under the GDPR — within the timeframes and in the manner required by applicable law. Where we act as a processor, we will notify the relevant business customer without undue delay so that it can meet its own notification obligations.
We are based in India, and the Service is operated with an India-focused infrastructure. However, some of our sub-processors operate or store data outside India. As a result, personal data may be transferred to, stored in, or accessed from countries other than the one in which it was collected.
Where personal data is transferred internationally, we take steps to ensure that an appropriate level of protection applies, consistent with applicable law. For transfers subject to the EU/UK GDPR, we rely on lawful transfer mechanisms such as standard contractual clauses or transfers to jurisdictions recognised as providing adequate protection. For transfers from India, we transfer personal data only in a manner permitted under the DPDP Act and any restrictions issued by the Central Government under it.
Depending on your location and the applicable law, you have rights over your personal data. We honour the rights granted under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and, where it applies to individuals in the EU or UK, the EU/UK GDPR.
If we are the controller of your data, you can exercise your rights by contacting us using the details in Section 18. If your data is processed by us as a processor on behalf of a business (for example, you are an end-customer of a business), please contact that business as the controller; we will assist the business in responding to your request. We may need to verify your identity before acting on a request, and some rights are subject to legal conditions and exceptions. We will respond within the timeframes required by applicable law and, ordinarily, without undue delay.
If you are in India, you have the right to lodge a complaint with the Data Protection Board of India after first raising your grievance with us (or with the relevant business, where it is the controller). If you are in the EU/UK, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first so we can try to resolve your concern.
The Service is intended for use by businesses and is not directed at children. We do not knowingly offer the Service to, or knowingly collect personal data directly from, individuals under the age of 18 as account holders. If you believe that a child's personal data has been provided to us in a way that requires attention, please contact us so we can take appropriate action. Where a business processes data relating to children through the Service, that business is responsible, as controller, for obtaining any consents required by applicable law — including verifiable consent of a parent or lawful guardian where the DPDP Act requires it — and for not undertaking processing likely to cause a detrimental effect on a child or any tracking, behavioural monitoring, or targeted advertising directed at children.
When a business uses the Service to process the personal data of its own end-customers, that business is the data controller (Data Fiduciary) of that data, and BNM acts as its processor. Each business customer is responsible for:
Our processing of end-customer data on behalf of a business is governed by a data processing agreement (or equivalent terms) between us and that business. In the event of any conflict between this policy and that agreement in respect of end-customer data, the data processing agreement governs.
The Service may contain links to, or integrate with, third-party websites, applications, and services that are not operated by us, including the providers named in this policy. This Privacy Policy does not apply to those third parties, and we are not responsible for their content or privacy practices. We encourage you to review the privacy policies of any third-party services you use.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or service providers. When we make changes, we will update the "Last updated" date at the top of this policy and, where the changes are material, we will take reasonable steps to notify you, such as through the Service or by email. Your continued use of the Service after an updated policy takes effect constitutes acceptance of the changes, to the extent permitted by law.
If you have any questions, requests, or concerns about this Privacy Policy or our handling of personal data, you can contact us at:
Our legal entity and registered address are: [Legal entity name and registered address — to be completed]
In accordance with the DPDP Act, you may contact our Grievance Officer / Data Protection contact to raise any grievance regarding the processing of your personal data:
We will acknowledge and address grievances within the timeframes required by applicable law. If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India or, where the GDPR applies, to your local supervisory authority, as described in Section 13.
This Privacy Policy is governed by the laws of India, and the courts of India have jurisdiction over any dispute relating to it, without prejudice to any mandatory rights you may have under the data protection laws of your own jurisdiction.
Last updated: 13 June 2026