Privacy Policy
This Privacy Policy describes how daWorld Technologies (“daWorld.net”, “we”, “us”, or “our”) collects, uses, discloses, and protects your personal information when you use our platform, services, and applications (collectively, the “Service”).
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Name, email address, username, password, profile picture, and biography when you create an account.
- Organization Details: Business name, registration details, logos, branding assets, and team member information when creating or joining an organization.
- Payment Information: Billing address and payment method details (processed securely by our payment processors — see Section 4).
- Content: Designs, documents, spreadsheets, workflow automations, templates, and any other content you create on the platform.
- Communications: Messages, support tickets, feedback, and any correspondence with us or other users.
- Identity Verification: Government-issued identification documents when required for Real-ID verification or financial compliance.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, interactions with the platform, time spent, clicks, and navigation paths.
- Device Information: Device type, operating system, browser type and version, screen resolution, and unique device identifiers.
- Log Data: IP address, access times, referring URLs, error logs, and server response codes.
- Cookies & Similar Technologies: Session cookies, persistent cookies, local storage, and tracking pixels (see Section 6).
- Location Data: Approximate geographic location derived from IP address.
1.3 Information from Third-Party Sources
- OAuth Providers: When you connect social media accounts (Instagram, Facebook, LinkedIn, Threads, Pinterest), we receive your public profile information, page/account identifiers, and authorized permissions.
- Payment Processors: Transaction confirmations, payment status updates, and fraud detection signals from Stripe and Razorpay.
- Single Sign-On: Authentication data from Google, GitHub, or other SSO providers you choose to use.
2. How We Use Your Information
- Service Delivery: To provide, maintain, and improve the daWorld.net platform, including design editing, app building, automation workflows, and collaboration features.
- Account Management: To create and manage your account, authenticate your identity, and process account-related requests.
- Social Media Automation: To execute authorized automation workflows such as comment-triggered DM funnels, scheduled posts, and engagement monitoring on connected social media platforms.
- Payment Processing: To process payments, manage subscriptions, issue invoices, handle refunds, and prevent fraudulent transactions.
- Communication: To send transactional emails, service notifications, security alerts, and — with your consent — marketing communications.
- Analytics & Improvement: To analyze usage patterns, diagnose technical issues, and improve user experience.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
- Security: To detect, prevent, and address fraud, abuse, security vulnerabilities, and technical problems.
3. Social Media Platform Integrations
daWorld.net enables organizations to connect their social media accounts for automation workflows. We take the responsible handling of this data extremely seriously.
3.1 Meta Platforms (Instagram & Facebook)
- We access Instagram and Facebook data only through the official Meta Graph API and in accordance with the Meta Platform Terms.
- Data Accessed: Public profile information, Page identifiers, Page metadata, comment data on monitored posts, and messaging capabilities as authorized by the page administrator.
- Permissions Requested: instagram_basic, instagram_manage_messages, pages_messaging, pages_show_list, pages_manage_metadata.
- Automated Messaging: Direct messages are sent only in response to user-initiated interactions (e.g., comments on designated posts). We never send unsolicited messages.
- 24-Hour Window: We comply with Meta's 24-hour messaging window policy — automated responses are only sent within 24 hours of the last user interaction.
- Data Storage: OAuth access tokens are encrypted at rest using Supabase Vault. They are never exposed to client-side code.
- Revocation: Users can disconnect their Meta accounts at any time from the Organization HQ > Integrations page. Upon disconnection, stored access tokens are permanently deleted.
3.2 LinkedIn
- We access LinkedIn data through the official LinkedIn API in compliance with the LinkedIn API Terms of Use.
- Data Accessed: Organization page information and authorized posting capabilities.
- Data Usage: Solely for the purpose of executing authorized automation workflows configured by the organization administrator.
3.3 Threads
- We access Threads data through the official Threads API.
- Rate Limits: We enforce Threads API rate limits (reply quota ceiling) to prevent abuse and ensure fair usage.
3.4 Pinterest
- We access Pinterest data through the official Pinterest API for board reading and pin management.
- Data Accessed: Board information, pin metadata, and authorized publishing capabilities.
3.5 General Social Media Data Principles
- We never sell social media data to third parties.
- We never use social media data for advertising, profiling, or surveillance.
- We never share social media credentials or tokens with third parties.
- Social media data is only used for the specific automation purposes authorized by the connecting organization.
- All social media integrations can be revoked at any time, and associated data is deleted upon disconnection.
4. Payment Processing
We use trusted third-party payment processors to handle all financial transactions. We do not store credit card numbers, CVVs, or raw banking credentials on our servers.
4.1 Stripe
- Stripe, Inc. processes international payments in compliance with PCI DSS Level 1 standards.
- We receive transaction confirmations, payment intents, and subscription status updates via secure webhooks.
- Stripe's privacy policy: https://stripe.com/privacy
4.2 Razorpay
- Razorpay Software Private Limited processes payments for Indian users in compliance with RBI regulations and PCI DSS standards.
- We receive payment confirmations and settlement details via secure server-to-server callbacks.
- Razorpay's privacy policy: https://razorpay.com/privacy/
4.3 UGB (Unified GB) Wallet
- Our internal utility credit system (UGB) tracks usage-based consumption. UGB balance is a prepaid, non-refundable utility credit.
- All UGB ledger mutations use double-entry accounting (zero-sum invariant) for auditability.
- UGB transactions are logged and auditable by the organization administrator.
5. Data Sharing & Third Parties
We do not sell your personal information. We share data only in the following circumstances:
- Service Providers: Hosting (Vercel, Supabase), email delivery (Resend), payment processing (Stripe, Razorpay), and analytics services that process data on our behalf under strict contractual obligations.
- Organization Members: Content created within an organization is accessible to authorized members of that organization.
- Legal Requirements: When required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of daWorld.net, our users, or the public.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate notice to affected users.
- Consent: When you have given explicit consent to share specific data.
6. Cookies & Tracking Technologies
6.1 Types of Cookies We Use
| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, session management, CSRF protection | Session / 7 days |
| Functional | User preferences, language settings, theme | 1 year |
| Analytics | Usage patterns, feature adoption, error tracking | 90 days |
| OAuth State | CSRF nonce for social media OAuth handshakes | 10 minutes |
6.2 Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service. We do not use third-party advertising cookies.
7. Data Retention
- Account Data: Retained for as long as your account is active. Upon account deletion, personal data is purged within 30 days, except where retention is required by law.
- Content Data: Designs, documents, and other content are retained until you or your organization administrator deletes them.
- Social Media Tokens: Deleted immediately when you disconnect a social media account. Expired tokens are purged within 24 hours.
- Payment Records: Transaction records are retained for 7 years to comply with tax and accounting regulations (as required by Indian tax law and international financial reporting standards).
- Server Logs: Retained for 90 days for security and debugging purposes, then automatically purged.
- Backup Data: Encrypted database backups are retained for 30 days and then automatically deleted.
8. Data Security
We employ industry-standard security measures to protect your data:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
- Encryption at Rest: All database data is encrypted at rest using AES-256. OAuth tokens are additionally encrypted using Supabase Vault.
- Access Control: Row-Level Security (RLS) policies enforce multi-tenant data isolation at the database level. No organization can access another organization's data.
- Authentication: Secure session management using HTTP-only, SameSite cookies. No tokens stored in localStorage.
- API Security: Rate limiting (Upstash) on all sensitive endpoints. CSRF protection on all state-changing operations.
- Infrastructure: Hosted on Vercel (Edge Network) and Supabase (AWS infrastructure) with SOC 2 compliance.
- Vulnerability Management: Regular dependency audits, automated security scanning, and responsible disclosure program.
9. Your Rights & Choices
Depending on your location, you may have the following rights regarding your personal data:
9.1 Under GDPR (European Economic Area)
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate personal data.
- Right to Erasure: Request deletion of your personal data (subject to legal retention requirements).
- Right to Restrict Processing: Request limitation of processing in certain circumstances.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests or direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
9.2 Under CCPA (California)
- Right to Know: Request disclosure of categories and specific personal information collected.
- Right to Delete: Request deletion of personal information collected.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- We do not sell personal information as defined by the CCPA.
9.3 Under DPDP Act (India)
- Right to Access: Obtain a summary of your personal data and processing activities.
- Right to Correction & Erasure: Request correction of inaccurate data or erasure of data no longer required.
- Right to Grievance Redressal: Lodge complaints regarding data processing with our Data Protection Officer.
- Right to Nominate: Nominate an individual to exercise your rights in case of death or incapacity.
To exercise any of these rights, contact us at dpo@daworld.net. We will respond within 30 days (or sooner as required by applicable law).
10. International Data Transfers
- Our primary infrastructure is hosted in the Asia Pacific (Mumbai) region (AWS ap-south-1) via Supabase.
- Content delivery is accelerated via Vercel's global Edge Network.
- If your data is transferred outside your country of residence, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms.
- Payment data processed by Stripe may be stored in the United States. Stripe is certified under the EU-US Data Privacy Framework.
11. Children's Privacy
The Service is not intended for individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@daworld.net.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last Updated” date at the top of this policy.
- Notify you via email or an in-app notification at least 14 days before the changes take effect.
- For significant changes, we may require you to re-acknowledge the updated policy.
13. Contact Us
- General Inquiries: support@daworld.net
- Privacy & Data Protection: privacy@daworld.net
- Data Protection Officer: dpo@daworld.net
- Registered Entity: daWorld Technologies
14. Compliance & Certifications
We are committed to meeting the highest standards of data protection and privacy compliance:
- GDPR: General Data Protection Regulation (EU)
- CCPA/CPRA: California Consumer Privacy Act
- DPDP Act: Digital Personal Data Protection Act (India)
- PCI DSS: Payment Card Industry Data Security Standard (via Stripe & Razorpay)
- SOC 2: Infrastructure compliance (via Supabase & Vercel)
- Meta Platform Terms: Facebook & Instagram developer policies
15. Data Deletion
You may request deletion of your data at any time. The following actions are available:
- Disconnect Social Accounts: Navigate to HQ > Integrations and click “Disconnect” on any connected platform. OAuth tokens are immediately and permanently deleted.
- Delete Account: Contact support@daworld.net to request full account deletion. All personal data will be purged within 30 days.
- Delete Organization: Organization administrators can delete their organization from HQ > Settings. All associated data (designs, members, channels, tokens) will be permanently deleted.
- Export Data: You can export your designs, documents, and data in standard formats (PDF, CSV, XLSX) before deletion.
Meta Data Deletion Callback: In compliance with Meta Platform requirements, we support automated data deletion callbacks. When a user removes our app from their Facebook/Instagram settings, we automatically delete all stored tokens and associated data within 24 hours.