Effective date: 10 June 2026 Version: 1.0
This Privacy Policy explains how 9dots Ventures Pte Ltd (UEN 202506246K, registered at 160 ROBINSON ROAD, #14-04, SINGAPORE BUSINESS FEDERATION CENTER, SINGAPORE 068914, Singapore) ("9dots", "we", "us") collects and uses personal data when you use our platform, our website, or any service we provide (together, the "Services").
We're a software company. We provide a SaaS solutions that help businesses and licensed professionals operate on the WhatsApp Business Platform. We are not WhatsApp, and we are not Meta. When you sign up to use the Services, you also accept Meta's own terms with Meta directly — those are a separate relationship, governed by Meta's own policies.
This policy is structured in two parts because we handle two different kinds of data in two different roles:
If you only want a short answer to a specific question, jump to the section heading below.
This part applies if you are: - a person who signs up for a 9dots account (whether as a sole proprietor, a licensed professional, or a representative of a company); - a person whose company has signed up for a 9dots account and who uses the platform on the company's behalf; - a visitor to our website.
When you sign up and use your account, we collect: - your legal name, email address, and WhatsApp phone number; - if you are signing for a company: the company's registered name, registration number, and your stated relationship to the company (in your own words); - if you are a regulated professional (for example, a Singapore real estate agent), the registration details you choose to provide; - the terms-acceptance record — your IP address, user-agent string, session identifier, geographic location derived from your IP, the timestamp of acceptance, the documents you accepted, and the affirmation you provided. This record is created when you click to accept our Terms and is preserved as a permanent legal record; - account configuration data — the phone numbers you connect, the WhatsApp Business Account ("WABA") identifiers Meta returns to us, message templates you create, dashboard preferences, and your team members' details if you invite them; - billing data — billing email and your invoice history (we use a payment processor; we do not store full payment-card details); - support data — anything you tell us when you contact our support team, plus a record of the conversation.
When you visit our website, we collect: - standard server logs — IP address, user-agent, pages visited, referrer, timestamps. We use these for security and to understand how the site is being used; - cookie data — we'll describe this in section 9.
| What we do with it | Why | Legal basis (where GDPR applies) |
|---|---|---|
| Create and operate your account | To provide the Services you've asked for | Performance of contract |
| Authenticate you and protect the platform | Security, fraud prevention, account integrity | Legitimate interest |
| Send service emails (billing, security alerts, important changes) | To run the Services properly | Performance of contract |
| Send product updates and onboarding tips | To help you get value from the Services | Legitimate interest; you can opt out |
| Send marketing emails | To tell you about new features and offerings | Consent; you can withdraw it any time |
| Record your acceptance of our Terms | To prove the contract was formed and the terms agreed | Legal obligation and legitimate interest |
| Comply with audit, regulatory, and tax obligations | Because we have to | Legal obligation |
| Investigate complaints, abuse, or AUP violations | To enforce our terms and protect our users | Legitimate interest |
If you're outside the GDPR's territorial scope, the corresponding legal basis under your local law applies — under Singapore's PDPA, we rely primarily on consent and on the legitimate-interests/business-operations exceptions.
We only share your data where we need to, and only with parties bound by appropriate obligations.
We do not sell your personal data. We do not share it for advertising purposes.
We will update this list when it changes. A current sub-processor list is maintained at [URL].
Our infrastructure is hosted on Supabase in [region — confirm primary region, e.g. Singapore (ap-southeast-1)], with backups in [secondary region]. When you connect a WhatsApp number, message traffic also reaches Meta's infrastructure in the regions Meta operates.
If you are in the European Economic Area, the United Kingdom, or Switzerland, transfers of your personal data outside that region take place under the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum, as applicable), supplemented by appropriate technical and organisational measures.
If you are in Singapore, transfers outside Singapore take place under contractual clauses that impose protection comparable to the PDPA, in line with section 26 of the PDPA.
If you are in another jurisdiction with cross-border restrictions (for example India under the DPDP Act, or Vietnam under the PDPL), we use the transfer mechanism applicable under your local law and update our DPA limbs as those regimes mature.
| Data category | Retention |
|---|---|
| Account data (name, email, phone, company details) | Duration of your account, plus 7 years after termination |
| Terms-acceptance records | Duration of your account, plus 7 years after termination (we treat these as legal records of contract formation) |
| Billing data | 7 years from issue, to meet tax and accounting law |
| Support tickets | 3 years from closure |
| Server logs and security logs | 12 months |
| Marketing-consent records | While consent is active, plus 3 years after withdrawal |
| Website analytics | Up to 26 months |
We may retain data longer where required to comply with a legal obligation, resolve disputes, or enforce our agreements.
Depending on where you are, you have some or all of the following rights:
For users in Singapore, you have the equivalent rights under the PDPA, including the right to withdraw consent and to request access and correction.
To exercise any of these, email privacy@9dots.co. We'll respond within 30 days, or sooner where the law requires.
If you're not happy with our response, you can complain to: - the Personal Data Protection Commission of Singapore (pdpc.gov.sg); - your local supervisory authority in the EU/UK (e.g. the Irish DPC, the UK ICO, the CNIL); - the relevant authority in your jurisdiction.
We protect your data with measures appropriate to its sensitivity, including: - TLS 1.2+ encryption for data in transit, AES-256 for data at rest; - role-based access control with multi-factor authentication for our staff; - audit logging retained for at least 12 months; - regular vulnerability management and code-review practices; - segregation of duties between engineering, support, and compliance; - background checks on personnel with access to customer data.
We work towards SOC 2 Type II and ISO 27001 attestation and will share reports under NDA on request once obtained.
We don't claim our security is perfect — nobody honestly can — but we take it seriously. If you spot a vulnerability, email security@9dots.co.
Our website uses: - Strictly necessary cookies — for authentication and security. These can't be turned off without breaking the site; - Analytics cookies — to understand how the site is used. We anonymise or aggregate this data; - Preference cookies — to remember your settings.
We don't use advertising cookies and we don't sell cookie data to third parties.
You can manage cookies through your browser. EU/UK visitors will see a consent banner on first visit.
The Services are for businesses and licensed professionals. We don't knowingly collect personal data from anyone under 18 (or the local age of digital consent, whichever is higher). If you believe a child has provided data to us, contact us and we'll delete it.
We'll update this policy from time to time. If we make material changes, we'll give at least 30 days' notice by email or in-app notice before they take effect. The effective date at the top of the policy always tells you the version in force.
| Controller | 9dots Ventures Pte Ltd, 160 ROBINSON ROAD, #14-04, SINGAPORE BUSINESS FEDERATION CENTER, SINGAPORE 068914, Singapore |
| Privacy contact | hello@9dots.co |
| Security contact | hello@9dots.co |
When your customers contact you on WhatsApp, message content and metadata pass through our infrastructure on the way between WhatsApp and your account.
You are the controller of that data. We process it on your instructions.
This part of the policy is a short summary for transparency. The contractual detail lives in the Data Processing Addendum that forms part of your contract with us.
We process this data only for the purposes you've engaged us for: delivering, storing, organising, displaying, and analysing messages in your account; supporting you; and complying with our obligations under the law and our agreement with Meta.
You're responsible for: - having a lawful basis to send the messages you send and to use the contact data you upload; - obtaining and recording consent from your contacts under applicable anti-spam and data-protection law; - providing your contacts with a privacy notice that accurately describes your messaging practices and identifies 9dots as your service provider where appropriate; - responding to your contacts' data-subject requests (access, deletion, opt-out, etc.). We'll help you do this — see the DPA for the assistance we provide.
Message data is retained for as long as you keep your account active, subject to any in-platform retention rules you configure. When your account is terminated, we return or delete the message data within 90 days (with the detailed process set out in the DPA), unless retention is required by law.
The Data Processing Addendum at [URL] is the authoritative document for our processing of message data. Where this Part B summarises it, the DPA governs in case of conflict.
When you sign up to use the Services, you accept two important documents directly with Meta:
These create a direct contractual relationship between you and Meta. Meta's privacy practices for the WhatsApp Business Platform are governed by Meta's own privacy policy, not this one. We don't have the authority to describe what Meta does with your data — you should read Meta's policy directly.
Where this policy mentions Meta or WhatsApp, we're describing what we do, not what Meta does.