Delete your Trinetra account & data
First published (2026-05-24) · Version 2026-05-24-v1 · Draft — pending lawyer review
The official Trinetra page for requesting deletion of your account, your contacts, your WhatsApp connection, or any personal data we hold. DPDP §6(6) + §12 compliant; also the public URL listed in our Meta App Review configuration.
01. Our Deletion Promise
We would rather you leave cleanly than stay annoyed. The terms below are the minimum we commit to in writing — in practice we move faster, ask fewer questions, and confirm in writing. Deleting your account is one email; helping you export first is a reply away.
02. What This Page Covers
This is the official Trinetra CRM page for requesting deletion of your account, your contacts, your WhatsApp connection, or any personal data we hold. It applies to two kinds of request: (a) you, the account holder, asking us to delete your Trinetra account and the data tied to it; and (b) your end-customer asking you (the business owner) to delete their data from your inbox, with Trinetra assisting on the technical execution. This URL is also listed in our Meta App configuration under App Settings → Basic.
03. Your Rights Under DPDP & GDPR / CCPA
Under the Digital Personal Data Protection Act, 2023 (DPDP), Section 12 gives every Data Principal the right to request erasure of personal data when it is no longer necessary for the purpose it was collected. Section 6(6) gives you the right to withdraw consent at any time, with the same ease with which it was given. If you are in the EEA, UK or California, the corresponding right exists under GDPR Article 17 and CCPA §1798.105.
GDPR Article 17(3) and CCPA §1798.105(d) carve out exceptions for legal-obligation retention (which is what drives the tax-record retention listed below) and defence of legal claims. EEA users may lodge a complaint with their local Data Protection Authority; California users may complain to the California Privacy Protection Agency; Indian users may escalate to the Data Protection Board of India under DPDP §27 once the Board has begun accepting filings.
You do not need to give us a reason. Asking is enough.
04. How To Request Deletion (Today)
Email privacy@trinetracrm.com with the subject "Data Deletion — [your business name]" from the email address on file with us. If the privacy@ mailbox is unreachable, fall back to grievance@trinetracrm.com with the same subject — requests sent to either address are acknowledged within the same SLA.
- We acknowledge receipt within 24 hours (an automated reply confirms intake; a human follows up the next working day).
- We confirm identity with one round-trip — usually a code sent to the email on file.
- We complete the deletion within 30 days of acknowledgement. This matches the timeline proposed under the draft DPDP Rules 2025 (Rule 8) and the 30-day Rule 4(1)(b) under IT (Intermediary Guidelines) Rules 2021 for grievance resolution. We target 7 working days; we will not claim a faster average until we have a track record of completed requests to back it up.
In-app deletion is also live — Settings → Privacy → Start account deletion opens a 30-day cancellable grace window after you re-confirm your password. The email route remains valid and is the canonical fallback for users who can no longer sign in (lost credentials, account compromise).
05. What Gets Deleted
On confirmed account deletion, the following is removed from primary storage:
- Your user profile (name, email, phone, hashed password, sessions, login history).
- Your business profile (business name, address, business hours, away-message templates, branding settings).
- Your contacts (customer names, phone numbers, lead status, notes, tags).
- Your conversations (inbound + outbound WhatsApp messages, attachments, status events).
- Your templates (broadcast templates, automation flows once shipped).
- Your team-member records (invitations, role assignments, last-seen).
- Your WhatsApp credentials — the AES-256-GCM encrypted access token is overwritten before the database row is deleted (crypto-shred).
Primary storage is in India (Neon, Mumbai region). Neon's point-in-time backup window is vendor-managed (currently up to 30 days on our plan); after that window the deleted rows are no longer recoverable from backup. We will publish a verified backup-rollover SLA once we have measured one full cycle in production.
06. What Is Retained, And Why
A small set of records is retained even after account deletion, and only for the period strictly required by Indian law:
- Billing & tax records — invoices, payment receipts — for the longer of 72 months under CGST Act §36 read with §35, and 6 years from the end of the relevant assessment year under IT Act §44AA read with Rule 6F. GST credit notes will be retained on the same schedule once Trinetra is GST-registered (Trinetra is currently MSME-registered only). Where Trinetra operates as an incorporated entity, books of account are additionally retained for 8 years per Companies Act 2013 §128(5). These records contain business name, GSTIN if provided, and amount paid — they do not contain customer message content.
- Audit logs of security-sensitive events (login, password change, plan change, refund, deletion request, breach response) — retained for up to 1 year, in excess of the 180-day CERT-In directive of 28 April 2022. Automated purge is on the roadmap; today the logs are reviewed and trimmed manually on a rolling basis.
No retained record is used for marketing, profiling, advertising, model training, or any purpose beyond the specific legal obligation it serves.
07. Cross-Border & Payment-Data Residency
Primary personal data is stored in India (Neon, Mumbai region). Some sub-processors operate globally — Resend for transactional email, Vercel for the marketing-site CDN, Plausible for cookie-less analytics. The full list with jurisdictions is at /privacy/sub-processors. Payment instrument data is stored only in India by Razorpay per the RBI Storage of Payment System Data circular (6 April 2018) — Trinetra holds only the payment reference, not card/UPI credentials. Once the Central Government publishes the DPDP §16 list of permitted cross-border jurisdictions, we will move any non-permitted processing within India with at least 30 days' email notice.
08. When Your End-Customer Asks To Be Deleted
If one of your end-customers (a contact in your inbox) asks for their data to be deleted, you are the Data Fiduciary under DPDP and the deletion decision is yours to make. Trinetra is the Data Processor and we will execute the deletion you request — surgically, without affecting other contacts.
- Per-contact deletion from the dashboard is on the DPDP roadmap. Until it ships, email privacy@trinetracrm.com with the contact's phone number(s) and we will execute the deletion under your written instruction — typically within 7 working days.
- For bulk deletion (e.g. a category of leads aged out of retention policy), email us the same way and we will run the deletion under your written instruction.
- Your end-customer can also escalate to us directly at privacy@trinetracrm.com. We will route the request to you within 2 working days and notify your end-customer that we have done so — we will not act on their data without your authorisation, because it is your data under DPDP.
09. Disconnecting WhatsApp Without Deleting The Account
Account deletion is the most thorough option. If you only want to stop Trinetra from accessing your WhatsApp Business Account, go to Settings → WhatsApp Business → Disconnect. Disconnecting revokes the access token at Meta, crypto-shreds the encrypted token in our database, and stops new WhatsApp messages from reaching Trinetra. Your contacts and existing message history stay in your Trinetra inbox — useful if you want to keep the CRM and switch the WhatsApp connection separately.
10. Sub-Processor Propagation
When we delete your data from our primary database, we also issue deletion requests to the sub-processors that hold a copy (e.g. Razorpay for billing records — which retains only the tax-mandated subset above, and Resend for transactional email logs — which auto-purge within 30 days). The full sub-processor list is at /privacy/sub-processors with each one's deletion-propagation timeline.
11. Confirmation You Will Receive
When deletion is complete, you receive a confirmation email — sent to the address on file before deletion, since the inbox you used to make the request is itself being deleted. The confirmation lists what was deleted and what was retained under the categories above. Keep this email — it is the receipt you can show under DPDP §5 (notice to Data Principals) and §11 (right to access information about personal data).
12. Grievance Officer & Escalation
If we do not respond within the timelines on this page, or if you are not satisfied with the resolution, our Grievance Officer per DPDP §8(9) and IT Rules 2021 Rule 4(1) is Raj Kumar Upadhyay, Founder & Grievance Officer, reachable at grievance@trinetracrm.com (subject line "Data Deletion — Grievance") and at +91 83839 00820 — voice or WhatsApp — during Mon–Sat, 10:00–19:00 IST. Postal escalation: 517, 1st Floor, Shalimar Bagh Residence, Block Bh, Shalimar Bagh, New Delhi, Delhi, 110088, India. You may also escalate to the Data Protection Board of India under DPDP §27 once the Board has begun accepting filings. Trinetra has not been notified as a Significant Data Fiduciary under DPDP §10; if so notified in future, a Data Protection Officer will be appointed and named on this page.
13. Meta App Review & WhatsApp-Specific Notes
Trinetra integrates with the WhatsApp Business Cloud API via Meta's Embedded Signup. The access token Meta issues us is encrypted at rest (AES-256-GCM with a per-business derived key). When you click Disconnect or delete your account, we revoke the token at Meta's Graph API and overwrite the encrypted blob in our database before the row is removed. This page is the public data-deletion URL listed in our Meta App configuration.
14. Updates To This Page
Material changes to the deletion process are notified by email to the address on file at least 30 days before they take effect. Each version of this page is timestamped; older versions are retained on request for users with active legal queries.