Automate your WhatsApp conversations with Xilot AI — No code, no hassle.Get started free →
Privacy Policy

Your Data, Handled With Care

How Xilot collects, uses, and protects information across WhatsApp, Instagram, Messenger, Facebook Lead Ads, and every other channel you connect — including our Meta Platform Data commitments.

Effective Date: 1 January 2026  · Last Updated: 18 June 2026

Xilot, operated by Credible Arena, helps businesses talk to their customers across WhatsApp, Instagram, Messenger, Facebook Lead Ads, SMS, RCS, Email, Telegram, and the web — with CRM, automation, and AI built in. This Policy describes the data involved and your rights. Our use of information received from Meta technologies follows the Meta Platform Terms and Developer Policies, detailed in section 5.

1. Who We Are & Scope

Xilot is an omnichannel customer-communication, CRM, and automation platform operated by Credible Arena ("Xilot," "we," "our," or "us"). The platform lets businesses connect their own messaging channels — WhatsApp Business, Instagram, Facebook Messenger, Facebook Lead Ads, SMS, RCS, Email, Telegram, and a web widget — and manage conversations, leads, automations, and analytics from one dashboard.

This Privacy Policy explains what information we handle, why, and the choices and rights you have. It applies to our website (xilot.app), the Xilot web and mobile applications, and all related services (together, the "Services"). By using the Services you agree to this Policy. If you do not agree, please discontinue use.

2. Our Role: Controller vs. Processor

Xilot interacts with two broad categories of data, and our role differs for each:

  • Customer Account Data — information about the businesses and users who sign up for Xilot. For this we act as a data controller.
  • End-User / Contact Data — the messages, profiles, comments, leads, and contact records that flow through a customer's connected channels (e.g. a person who messages a business on WhatsApp or comments on its Instagram post). For this data the Xilot business customer is the controller and Xilot acts as a data processor, handling the data only on that customer's instructions to provide the Services.

Each Xilot business customer is responsible for having a lawful basis and the necessary consent to contact and process the data of its own end users, and for its own privacy notices to those users.

3. Information We Collect

a. Information you provide

  • Name, business name, email address, phone number, and role
  • Account credentials, team members, and communication preferences
  • Billing details and transaction records (processed by our payment partners)
  • Support requests, feedback, and survey responses

b. Connected-channel credentials & assets

When you connect a channel, we store the access tokens and identifiers needed to operate it on your behalf. These are encrypted at rest (AES-256) and used only to send and receive on your channels:

  • WhatsApp Business Account IDs, phone-number IDs, and message templates
  • Facebook Page IDs and Page access tokens; linked Instagram Business account IDs and usernames
  • System-user / OAuth tokens granted through Facebook Login for Business
  • SMS/RCS sender IDs, email sending domains, and Telegram bot tokens

c. Messaging & channel content (processed for you)

  • WhatsApp / Messenger / Instagram direct messages, message status, and media you exchange with your customers
  • Instagram comments on your posts and reels (when you enable comment automations)
  • Facebook / Instagram Lead Ad form submissions (e.g. name, phone, email a person submits)
  • The sender's display name, platform-scoped user ID (PSID / IGSID), and profile handle
  • Contacts, leads, pipelines, tasks, appointments, orders, and notes you create or import

d. Automatically collected information

  • Log data: IP address, browser/device type, timestamps, and pages or features used
  • Diagnostic, performance, and error data to keep the Services reliable and secure
  • Cookies and similar technologies (see "Cookies & Tracking")

e. AI processing

When you use AI features (AI replies, copilot, summarisation, sentiment, classification, or natural-language reporting), the relevant text is sent to our AI sub-processors to generate the output. This content is processed only to deliver the feature and is not used by Xilot to train foundation models.

4. How We Use Information

  • Operate the channels you connect — send, receive, route, and store conversations
  • Run the automations, flows, broadcasts, and AI features you configure
  • Capture and organise leads and contacts into your CRM
  • Authenticate accounts, secure access, and prevent fraud and abuse
  • Provide dashboards, analytics, delivery reports, and engagement insights
  • Process payments, wallet top-ups, and subscription billing
  • Provide customer support and send essential service notifications
  • Comply with legal obligations and platform requirements

5. Meta Platform Data — Limited Use & Permissions

Xilot integrates with Meta technologies — the WhatsApp Business Platform, Instagram, Messenger, Facebook Pages, Facebook Lead Ads, and Facebook Login for Business. Our access to and use of data obtained through these integrations ("Platform Data") complies with the Meta Platform Terms and Developer Policies.

Our commitments

  • We use Platform Data only to provide the specific feature you connected an account to enable.
  • We do not sell, rent, or license Platform Data.
  • We do not use Platform Data for advertising or to build advertising profiles.
  • We retain Platform Data only as long as needed to provide the Services, and delete it on request or when you disconnect (see Retention & Deletion).
  • Access tokens are stored encrypted and are never exposed to other customers.

Permissions we request and why

  • whatsapp_business_messaging — send and receive WhatsApp messages on your WhatsApp Business number.
  • whatsapp_business_management — manage your WhatsApp Business Account, phone numbers, and message templates.
  • instagram_basic — identify the Instagram Business account you connect.
  • instagram_manage_messages — send and receive Instagram Direct messages in your shared inbox.
  • instagram_manage_comments — read comments on your Instagram posts and reels so your automations can respond to them (for example, reply to a comment or capture the commenter as a lead in your CRM).
  • pages_messaging — send and receive Facebook Page (Messenger) messages.
  • pages_show_list — list the Pages you manage so you can choose which to connect.
  • pages_read_engagement — read basic Page and conversation details to display who you are talking to.
  • pages_manage_metadata — subscribe your Page to webhooks so messages and leads reach Xilot in real time.
  • leads_retrieval — retrieve Lead Ad form submissions and file them into your CRM.
  • business_management — connect the business assets you explicitly authorise via Facebook Login for Business.

You can review and revoke these permissions at any time from your Facebook/Meta Business settings, or by disconnecting the channel inside Xilot. Revoking access stops further processing and lets you request deletion of the associated data.

6. Legal Bases for Processing

Where data-protection laws such as the GDPR apply, we rely on the following bases:

  • Contract — to provide the Services you sign up for.
  • Legitimate interests — to secure, maintain, and improve the platform and prevent abuse.
  • Consent — for optional cookies and marketing communications, which you may withdraw at any time.
  • Legal obligation — to meet tax, accounting, and other regulatory duties.

For end-user/contact data we process as a processor, the lawful basis is established by the Xilot business customer who controls that data.

7. How We Share Information & Sub-Processors

We do not sell or rent your data. We share it only with the service providers necessary to run the platform, each bound by confidentiality and data-protection obligations and permitted to use the data only to perform services for us:

  • Meta Platforms — to deliver and receive messages, comments, and leads on WhatsApp, Instagram, Messenger, and Facebook.
  • Cloud hosting & infrastructure — to host the application, databases, and caches.
  • AI providers — to power AI replies, copilot, summarisation, sentiment, and reporting on the content you submit to those features.
  • Communication providers — SMS, RCS, and email delivery partners for the corresponding channels.
  • Payment processors — Razorpay and other payment partners, to handle subscriptions and wallet top-ups (card and banking details are processed by the payment provider under PCI-DSS standards; we do not store full card numbers).
  • Legal & safety — where required by law, court order, or to protect rights, safety, and prevent fraud.
  • Business transfers — as part of a merger, acquisition, or asset sale, subject to this Policy.

A current list of sub-processors is available on request at info@crediblearena.com.

8. Data Retention

We keep information only as long as needed for the purposes described here:

  • Account data — for the life of your account and up to 90 days after closure, unless a longer period is legally required.
  • Conversations, contacts & leads — for the duration of your subscription, after which you can export or request deletion.
  • Channel access tokens — until you disconnect the channel or revoke access on Meta; then promptly invalidated and removed.
  • Billing records — as required by tax and accounting law.
  • Logs & diagnostics — on a rolling, time-limited basis for security and reliability.

9. Data Deletion & Your Controls

You can delete data directly in the app (delete contacts, conversations, flows, or your whole account) or ask us to do it for you. Disconnecting a Meta channel stops further processing; you may then request deletion of the data collected through it.

How to request deletion

Email info@crediblearena.com with the subject "Data Deletion Request", or use our dedicated page: xilot.app/data-deletion.

We acknowledge requests within 3 business days and complete verified deletions within 30 days, then confirm in writing. Some records may be retained where the law requires (e.g. tax, fraud prevention) or for active legal disputes.

10. Data Security

We protect data with encryption in transit (TLS) and at rest (AES-256), encrypted storage of channel access tokens, role-based access controls, tenant isolation, signed-webhook verification, audit logging, and continuous monitoring. No online service is completely risk-free, so we encourage strong, unique passwords and good account hygiene. If a breach affects your data, we will notify you and the relevant authorities as required by law.

11. International Data Transfers

Xilot operates globally and may process data in India and other jurisdictions where we or our sub-processors operate. Where required, we use appropriate safeguards such as Standard Contractual Clauses and data-processing agreements so your data remains protected wherever it is processed.

12. Your Privacy Rights

Subject to your location and applicable law (including the GDPR, UK GDPR, CCPA/CPRA, and India's DPDP Act), you may have the right to:

  • Access a copy of the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data ("right to be forgotten")
  • Restrict or object to certain processing, including direct marketing
  • Withdraw consent where consent is the legal basis
  • Receive your data in a portable, machine-readable format
  • Lodge a complaint with your local data-protection authority

To exercise any right, email info@crediblearena.com. We respond within the timeframe required by law (typically 30 days). If you are an end user contacting a business that uses Xilot, please direct your request to that business; we will support them as their processor.

13. Cookies & Tracking

We use essential cookies required for the platform to function (e.g. authentication and security) and, with your consent where required, optional analytics and preference cookies to understand usage and improve the product. You can manage non-essential cookies through your browser or our consent controls. We do not use cookies to track you across unrelated third-party websites. See our Cookie Policy for details.

14. Children's Privacy

Xilot is a business tool intended for users aged 18 and over. We do not knowingly collect personal information from children. If you believe a child has provided us data, contact info@crediblearena.com and we will delete it promptly.

15. Third-Party Services

The Services may link to or integrate with third-party platforms (e.g. Meta, payment providers, or tools you choose to connect). Their use of your data is governed by their own privacy policies, not this one. We encourage you to review the privacy terms of any third party you connect.

16. Changes to This Policy

We may update this Policy to reflect changes in our practices, technology, or the law. The "Last Updated" date below will change accordingly, and we will notify you of material changes by email or in-app notice before they take effect. Continued use of the Services after the effective date means you accept the updated Policy.

17. Contact Us

For any question, request, or complaint about this Policy or our data practices, contact our privacy team:

Operated by: Credible Arena (registered in India)

Registered office: India — full address available on request

Email: info@crediblearena.com

Web: xilot.app/contact

Data deletion: xilot.app/data-deletion