Privacy Policy
Last updated: 19 May 2026
1. Who we are
BanquetDesk and GrowMyShop are SaaS products operated by GrowMyShop ("we", "us"). Contact us at support@growmyshop.in.
2. Two roles
We act in two distinct roles depending on the data:
- Data Controller for the data of our Customers (venue / business owners who sign up for the Service): name, email, phone, password hash, billing information.
- Data Processor for the leads, customers and WhatsApp conversations that flow through your tenant. You are the controller of that data; we process it on your behalf.
3. What we collect (as controller)
- Account data: venue name, your name, email, WhatsApp number, city, password hash, IP address at signup, and the timestamp + version of the Terms you accepted.
- Billing data: amounts charged, Razorpay payment / invoice IDs, last-4 of card or UPI handle (held by Razorpay, not by us).
- Operational logs: HTTP request logs, function invocation metrics, webhook delivery logs.
4. What flows through your tenant (as processor)
- Lead form submissions: name, phone, email, message, event date, party size — collected by your public site.
- WhatsApp conversations: inbound and outbound messages, media files, message status, recipient phone numbers.
- Instagram conversations and comments — see section 7 below for the full disclosure of Instagram data we process on your behalf.
- Booking and pipeline data you record in admin.
- Media you upload: photos, menus, brochures, favicon.
5. How we use the data
We use the data to:
- Provide and operate the Service.
- Bill you and process payments through Razorpay under their PCI-DSS compliant infrastructure.
- Send transactional emails (welcome, billing receipts, dunning, password reset).
- Send WhatsApp messages on your behalf, where you have configured templates and recipients.
- Detect abuse, fraud, and policy violations.
- Improve the Service through aggregated, non-identifying analytics.
6. Sub-processors
We rely on the following sub-processors:
- Vercel Inc. — application hosting (USA / global edge).
- Neon Inc. — Postgres database (region: configured per deployment).
- Cloudflare, Inc. — object storage (R2) for uploaded media.
- Razorpay Software Pvt. Ltd. — payment processing (India).
- Meta Platforms, Inc. — WhatsApp Business Cloud API for messaging, and Instagram Graph API / Instagram API with Instagram Login for direct messages and comment automation.
- An SMTP provider — transactional email delivery.
Each sub-processor is bound by its own contractual data protection terms. We do not sell or rent your data, or your customers' data, to any third party.
7. Instagram integration
If you (the tenant) connect an Instagram Business or Creator account to the Service via Facebook Login for Business or Instagram Login for Business, we process the following data on your behalf as a Data Processor, strictly for the purposes you configure inside the admin panel (automated comment replies, DM auto-responders, follow-up sequences, lead qualification, and conversation inbox).
7.1 Data we receive from Meta
- Your Instagram Business Account ID, username, profile picture URL, follower / following counts, and (for the legacy Facebook Login flow) the linked Facebook Page ID and Page name.
- A long-lived access token (~60 days) used solely to call the Instagram Graph API on your behalf. Tokens are encrypted at rest with AES-256-GCM using a key held only in our deployment environment, and are never exposed in the admin UI, logs, or to other tenants.
- Inbound direct messages sent to your Instagram account by end users — message text, attachment metadata, sender Instagram-scoped user ID (IGSID), and timestamps.
- Inbound comments on your Instagram media — comment text, commenter username, commenter IGSID, parent media ID, and timestamps.
- Webhook event metadata: messaging postbacks, message reactions, message reads, message deletions, mentions, and live comments. When Meta notifies us that a user deleted a message, we delete the corresponding row from our database.
7.2 What we send back to Meta
- Outbound direct messages — the text you (or your automation rules) compose, sent only to IGSIDs that have messaged your account within Meta's 24-hour standard messaging window, or within 7 days when a human operator is replying via the HUMAN_AGENT tag.
- Public comment replies and private replies to comments, posted from your Instagram account.
7.3 Purposes & legal basis
Data is processed solely to deliver the automation and inbox features you have configured in your tenant admin. Legal basis: performance of contract with you (the tenant), and your end-users' implicit consent established by initiating a direct message or public comment with your Instagram account.
7.4 What we do NOT do
- We do not sell, rent, or share Instagram data with third parties beyond the sub-processors listed in section 6.
- We do not use Instagram data to train machine-learning models or to enrich any advertising profile.
- We do not contact end users outside the messaging windows permitted by Meta's Messaging Policies, and we honour STOP / UNSUBSCRIBE / opt-out keywords automatically.
- We do not log message bodies or access tokens to our operational logging system — only opaque identifiers (account ID, IGSID, message ID) appear in logs.
7.5 Instagram-specific retention
- Direct-message conversations that are not linked to a CRM lead are deleted 180 days after the most recent inbound or outbound activity. Conversations linked to a CRM lead follow the CRM record lifecycle.
- Raw Instagram webhook event payloads are deleted after 90 days. Compliance audit entries (deauthorize and data deletion notifications) are retained for 400 days.
- Tokens are deleted immediately when you disconnect an account from the admin panel, when Meta sends a deauthorize callback, or when a Meta data-deletion request is received.
7.6 End-user data deletion
Instagram end users can request deletion of data tied to their IGSID at any time:
- Send the keyword STOP (or UNSUBSCRIBE / OPT OUT) in a direct message to the connected Instagram account. This immediately opts the IGSID out of all further automated messaging.
- Use Meta's in-app "Remove App" control in your Facebook or Instagram settings. Meta will notify our deauthorize callback, and we will purge the associated conversation history.
- Email support@growmyshop.in with the IGSID or the username of the affected Instagram account, and we will respond within 30 days.
- Track the status of a Meta-initiated deletion request at https://app.growmyshop.in/api/instagram/data-deletion/status?code=<confirmation_code>.
7.7 Tenant disconnection
You may disconnect your Instagram account at any time from the admin panel. Disconnection deletes the stored access token, unsubscribes our webhook, and stops all future automation. Historical conversation data is retained for the periods stated in section 7.5 unless you also request its deletion.
8. Data retention (other modules)
- Active tenant data is retained while the tenant remains active and for 90 days after cancellation, after which it is permanently deleted unless legally required to be kept longer (e.g. tax records of paid invoices: 8 years per Indian Companies Act).
- Webhook and operational logs are retained for 90 days.
- Billing event audit logs are retained for 7 years.
- Instagram-specific retention is described in section 7.5.
9. Your rights
You have the right to access, correct, export and delete your data. Contact support@growmyshop.in from your registered owner email and we will respond within 30 days. Account deletion requests result in suspension first, followed by full deletion after the 90-day retention window (giving you a chance to export your data first).
10. Security
- Passwords are hashed with bcrypt; we never store plaintext.
- All traffic is served over HTTPS / TLS 1.2+.
- Database connections are encrypted in transit.
- Razorpay and Meta webhook payloads are verified against their HMAC-SHA256 signatures, using constant-time comparison, before processing.
- Instagram access tokens and other third-party secrets are encrypted at rest with AES-256-GCM (random IV + auth tag per record); the encryption key lives only in deployment environment variables and is never written to the database.
- Tenant isolation: every API endpoint validates the authenticated session's tenantId; cross-tenant queries are not possible from the application layer.
11. Cookies
We use a single first-party HTTP-only session cookie set by NextAuth for admin authentication. We do not use third-party advertising or tracking cookies on the marketing or tenant sites by default.
12. International transfers
Data may be transferred to and processed in jurisdictions outside India where our sub-processors operate (primarily the USA and the EU). Sub-processors maintain contractual safeguards consistent with applicable cross-border transfer requirements.
13. Changes
We may update this policy. Material changes will be notified by email to your registered owner email at least 14 days in advance.
14. Contact
Document version 2026-05-07. Contact support@growmyshop.in for queries.