Introduction
Batala Automation ("Batala Automation", "we", "us", or "our") is committed to protecting the privacy and personal data of our clients, their customers, and all individuals who interact with our services. This Privacy Policy explains what personal data we collect, how we use it, how we share it, and what rights you have under applicable law, including the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL") and its implementing regulations.
By using our website at batalaautomation.com, onboarding as a client, or interacting with any WhatsApp automation we operate on behalf of a client business, you acknowledge that you have read and understood this Privacy Policy.
If you do not agree with this policy, please do not use our services. If you have any questions, contact us at privacy@batalaautomation.com before proceeding.
Who We Are: Data Controller
Batala Automation is a technology services company headquartered in Abu Dhabi, United Arab Emirates. We provide WhatsApp Business API automation solutions to UAE-based service businesses, operating as a data controller for data collected through our website and as a data processor for customer data handled on behalf of our clients.
For the purposes of data collected through our website and marketing activities, Batala Automation is the data controller. For personal data processed through automations deployed for client businesses (e.g. their end customers' WhatsApp messages), Batala Automation acts as a data processor under the instruction of the client (who is the data controller).
Data enquiries: privacy@batalaautomation.com
WhatsApp: +447435670008
Personal Data We Collect
We collect personal data in the following categories:
3.1 Business & Client Data
- Business name, trade licence number, and commercial address
- Business owner / authorised contact name
- Email address and UAE mobile number (+971 format)
- WhatsApp Business account details and API credentials (stored encrypted)
- Billing and subscription information (payment data is processed by Stripe and not stored by us)
- Service preferences, package selection, and onboarding questionnaire responses
3.2 End Customer Data (Processed on Behalf of Clients)
When we operate WhatsApp automations on behalf of a client business, we may process the following data belonging to that business's end customers:
- WhatsApp phone number and display name
- Message content (text, timestamps) within automated conversation threads
- Appointment or booking information supplied via WhatsApp
- Opt-in and consent records for WhatsApp messaging
- Review request responses and sentiment indicators
This data is processed strictly under the instruction of our client business. End customers should refer to that business's own privacy policy for full details of how their data is handled.
3.3 Website & Technical Data
- IP address and approximate geographic location (country/emirate level)
- Browser type, device type, and operating system
- Pages visited, time on page, and referral source
- Cookies and similar tracking technologies (see Section 8)
3.4 Communications Data
- Messages sent to us via WhatsApp, email, or our website contact form
- Support tickets and related correspondence
- Records of any consent given to receive marketing communications
How We Use Your Personal Data
We use the personal data we collect for the following lawful purposes under the UAE PDPL:
We do not sell, rent, or trade your personal data to any third party for commercial purposes.
WhatsApp & Meta Data Processing
Our core service relies on the WhatsApp Business API, operated by Meta Platforms Ireland Limited ("Meta"). By using our service, you acknowledge that:
- WhatsApp message data is transmitted through Meta's infrastructure and is subject to Meta's own Business Data Processing Terms and Privacy Policy.
- We apply on your behalf for WhatsApp Business API access and Meta approval. In doing so, we submit your business name, website, and contact details to Meta as required by their onboarding process.
- Meta may process conversation metadata (delivery receipts, read receipts, timestamps) for platform integrity and abuse prevention purposes independent of our service.
- WhatsApp message templates are pre-approved by Meta. Template content is visible to Meta as part of the approval process.
- We configure automations using official Meta-approved channels only. We do not use unofficial WhatsApp clients, bulk-messaging tools, or any method that violates Meta's Business Policy.
Third-Party Service Providers
We share personal data with the following categories of trusted third-party providers, solely to deliver our services:
All third-party providers are contractually required to maintain appropriate security standards and to process data only as instructed. We do not permit third parties to use your data for their own marketing purposes.
Cookies & Tracking Technologies
Our website uses cookies and similar technologies. We use the following categories:
- Strictly necessary cookies: Required for the website to function (e.g. session management). These cannot be disabled.
- Analytics cookies: Help us understand how visitors use our site (page views, scroll depth, referrals). Data is aggregated and anonymised. We use privacy-respecting analytics tools that do not fingerprint individual users.
- Preference cookies: Remember your language and theme settings across visits.
We do not use advertising cookies, retargeting cookies, or cross-site tracking. You may disable non-essential cookies through your browser settings. Note that disabling cookies may affect website functionality.
Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
- Client account data: Retained for the duration of the active subscription plus 3 years following termination, to comply with UAE commercial record-keeping requirements.
- WhatsApp conversation logs: Retained for 12 months from the date of each message, unless a shorter period is requested by the client or required by law.
- Payment records: Retained for 7 years in accordance with UAE Federal Law No. 2 of 2015 (Commercial Companies Law) and tax record obligations.
- Website analytics data: Aggregated data retained for up to 24 months. IP addresses anonymised within 30 days.
- Marketing communications records: Consent records retained until withdrawal of consent plus 3 years.
Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised.
Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- API credentials and sensitive keys stored in encrypted secret management systems, never in application code or version control
- Row-Level Security (RLS) policies enforced at the database level, ensuring strict tenant data isolation
- Access controls based on the principle of least privilege; staff access is role-based and logged
- Regular security reviews and dependency updates
- Incident response procedures with breach notification timelines compliant with UAE PDPL requirements
In the event of a personal data breach that poses a risk to individuals, we will notify the UAE Data Office and affected individuals as required by the UAE PDPL, within 72 hours of becoming aware of the breach where feasible.
Your Rights Under UAE Law
Under the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, you have the following rights regarding your personal data:
- Right of Access: You may request confirmation of whether we hold personal data about you and obtain a copy of that data.
- Right to Rectification: You may request correction of inaccurate or incomplete personal data.
- Right to Erasure: You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, subject to our legal retention obligations.
- Right to Restrict Processing: You may request that we limit how we use your data in certain circumstances.
- Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format.
- Right to Object: You may object to processing based on legitimate interest, including direct marketing.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, submit a written request to privacy@batalaautomation.com. We will respond within 30 days. We may request proof of identity before processing your request. There is no charge for exercising your rights, except where requests are manifestly unfounded or excessive, in which case a reasonable administrative fee may apply.
If you believe your rights have been infringed, you may lodge a complaint with the UAE Data Office (the competent supervisory authority) at uaedataoffice.gov.ae.
International Data Transfers
Some of our third-party service providers (including Meta, Stripe, Supabase, Railway, and Vercel) operate outside the UAE and the GCC. Where personal data is transferred internationally, we ensure that appropriate safeguards are in place, including:
- Transfers to countries deemed to provide adequate data protection levels
- Contractual data processing agreements incorporating standard contractual clauses equivalent to international best practice
- Transfers that are necessary for the performance of your service contract (e.g. WhatsApp API routing)
By using our services, you acknowledge that your data may be processed in jurisdictions outside the UAE, including the United States and European Union member states, where data protection laws may differ from those in the UAE.
Children's Privacy
Our services are intended exclusively for business owners, managers, and authorised representatives of UAE-registered businesses. We do not knowingly collect personal data from individuals under the age of 18. If you become aware that a minor has provided us with personal data, please contact us immediately at privacy@batalaautomation.com and we will take steps to delete it.
Third-Party Links
Our website may contain links to third-party websites, including Meta's WhatsApp platform, Google Business Profile, and social media platforms. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policy of any third-party site you visit.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or business practices. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify active clients via WhatsApp or email at least 14 days before the changes take effect
- Where required by law, obtain fresh consent for new processing activities
Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you should discontinue use and contact us to discuss your options.
Contact Us
For all privacy-related enquiries, data access requests, or to report a concern, please contact our designated data officer:
Abu Dhabi, United Arab Emirates
Email: privacy@batalaautomation.com
WhatsApp: +447435670008
Website: batalaautomation.com
We aim to respond to all privacy-related enquiries within 5 working days.