Privacy Policy

This Privacy Policy describes how BttrLabs Private Limited (“Watari,” “we,” “us”) collects, uses, shares, and protects personal information. It is presented as a standalone notice and is not bundled with our Terms of Service.

Watari is a B2B SaaS that converts customer support tickets into structured bug reports, draft pull requests, and customer-facing root-cause analyses, using AI. If you are an end-user of one of our customers' support flows, see §6 Customer Content for the controller/processor split.

1. Information we collect

1.1 Information you provide

• Account information: name, email address, organization name, role.
• Billing information: billing contact, country, GSTIN (for Indian customers), invoice address. Card and bank details are handled directly by our payments processor (Razorpay) and never stored on Watari servers.
• Integration credentials: OAuth access and refresh tokens you authorize when you connect third-party services (Zendesk, Intercom, Slack, Linear, Jira, GitHub). Stored encrypted at rest with AES-256-GCM.
• Configuration: repository selections, auto-trigger tags, channel selections, project mappings.

1.2 Information we receive from connected services

• Customer support tickets: ticket body, subject, status, tags, attachments, conversation thread (public and internal), assignee and submitter identifiers, requester name and email.
• Source code: we retain function-level structure (file paths, line ranges, symbol names) and 1,536-dimensional vector embeddings generated for code-location mapping. We do not store your raw source at rest— it is processed in memory and re-fetched from GitHub at the indexed commit on demand, then discarded.
• Integration metadata: workspace identifiers, team and project IDs, channel IDs, webhook signing secrets.

1.3 Information collected automatically

• Usage and device data: IP address, browser user-agent, pages viewed, actions taken, timestamps.
• Logs and error telemetry: stack traces, request IDs, error contexts. Personally identifying data is scrubbed before transmission to our error monitor.
• Bot-protection signals (Cloudflare Turnstile): when you submit our signup, login, password-reset, or contact forms, Cloudflare Turnstile silently analyses browser environment signals (configured in “Invisible” mode — no challenge UI) to issue a one-time verification token that Watari sends to its backend at submit. Watari does not receive the underlying fingerprint signals; Cloudflare's own handling of those signals is described in the Cloudflare Turnstile Privacy Addendum.
• Cookies: see our Cookie Policy.

2. How we use information

We use personal information to:

• Provide the Service, including extracting bug reports from support tickets, mapping them to code, drafting pull requests, and posting customer-facing root-cause analyses on your behalf.
• Authenticate you, secure your account, and enforce access controls.
• Process billing, calculate metered usage, and issue invoices.
• Send transactional communications (e.g., bug-extracted notifications, trial-expiring notices, billing receipts).
• Detect, prevent, and respond to abuse, fraud, and security incidents.
• Comply with legal obligations.

2.1 Legal bases (EU/UK)

For visitors in the EU, EEA, or UK, we rely on the following legal bases under GDPR Article 6:

• Contract (Art. 6(1)(b)): performance of the Service for our customers and prospective customers.
• Legitimate interests (Art. 6(1)(f)): securing the Service, improving the product, and preventing abuse. You may object at any time (see §9).
• Consent (Art. 6(1)(a)): non-essential cookies, product analytics, and marketing communications. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): tax, accounting, and regulatory record-keeping.

3. AI processing

Watari uses large language models (LLMs) to extract bug reports from support ticket text, to map bugs to code locations, to draft pull requests, and to draft customer-facing root-cause analyses.

3.1 LLM subprocessors

We send Customer Content to the following AI subprocessors:

• Anthropic, PBC (Claude API): receives ticket bodies, conversation threads, source-code excerpts, and code- location candidates for bug extraction, code mapping (reranking), pull-request drafting, and root-cause analysis generation.
• OpenAI, L.L.C. (text-embedding-3-small): receives source-code chunks and short bug-signature summaries (derived from extracted bug fields) for vector embedding only. Embedding endpoint; no chat or completion data is sent, and raw ticket conversation threads are not transmitted to OpenAI.

3.2 No training on Customer Content

Watari does not use Customer Content to train any AI model. Anthropic and OpenAI are contractually prohibited from using our API traffic to train their foundation models, consistent with Anthropic's Commercial Terms and OpenAI's API Data Usage Policy.

3.3 Retention by AI subprocessors

Content sent to Anthropic Claude is not retained at rest beyond what is necessary to return the API response, except for safety- classifier results retained for abuse monitoring. Content sent to OpenAI for embedding generation is retained by OpenAI for up to 30 days for abuse monitoring and then deleted. Neither provider retains Customer Content for training purposes.

3.4 Human-in-the-loop

Watari is a human-in-the-loop system. Pull requests generated by Watari are drafts and are never auto-merged into your repositories. Root-cause analyses are drafts and are never auto-published to your end users without your explicit approval.

3.5 Hallucination disclaimer

LLMs may produce inaccurate, incomplete, or misleading outputs. You must independently verify all Watari outputs before relying on them, merging code, or communicating findings to your end users. Watari makes no warranty as to accuracy, completeness, fitness for purpose, or non-infringement of AI outputs.

3.6 Automated decision-making

Watari uses automated AI confidence scores to classify whether a support ticket qualifies as a “Mapped Bug” for metered billing purposes (confidence ≥ 0.7 for both extraction and at least one code location). This is the only automated processing producing a billing effect. It does not produce legal effects on you or significantly affect you under GDPR Article 22. You may contest a Mapped Bug classification within 7 days; see our Terms of Service for the credit window.

3.7 EU AI Act

Watari is a deployer of general-purpose AI systems within the meaning of Regulation (EU) 2024/1689 (“EU AI Act”). Outputs visible to your end users (such as published root-cause analyses) are clearly labelled as AI-generated. Watari does not classify as a “high-risk” AI system under Annex III. We comply with Article 50 transparency obligations effective from 2 August 2026.

4. Sharing of information

We share personal information only as described below.

4.1 Subprocessors

We engage third-party subprocessors to operate the Service. A current list of subprocessors with purposes, data categories, and processing locations is maintained at watari.ai/legal/subprocessors. We provide at least 30 days' advance notice of new subprocessors via email (subscribe at subprocessors@watari.ai) and the customer has a right to object.

4.2 Connected services you authorize

When you connect a third-party service (Zendesk, Intercom, Slack, Linear, Jira, GitHub), Watari reads from and writes to that service only within the scopes you authorize on the consent screen. Each provider's privacy policy governs how it handles data you have shared with it directly.

4.3 Legal, safety, and corporate transactions

We may disclose personal information to comply with applicable law, to respond to lawful requests from public authorities, to enforce our agreements, and to protect the rights, safety, and security of Watari, our users, or the public. In the event of a merger, acquisition, or sale of assets, customer accounts will be among the assets transferred, subject to the protections of this Policy.

We do not sell personal information.

5. International transfers

Watari is headquartered in India. Our primary customer database is hosted on Supabase in the United States (AWS us-east-1), and most of our subprocessors are also located in the United States. All Customer Content — including data submitted by customers in India, the EEA, and the UK — is stored and processed in the United States. When we transfer personal information out of the EEA, UK, or India to a country without an adequacy decision, we rely on:

• EU Standard Contractual Clauses (Module 2/3) for transfers from the EEA.
• UK International Data Transfer Agreement (IDTA) or International Data Transfer Addendum for transfers from the UK.
• Standard contractual clauses applicable under the DPDP Act 2023 for transfers from India once the relevant standard form is notified.

Copies of the relevant clauses are incorporated by reference into our Data Processing Agreement and are available on request.

6. Customer Content and roles

For data submitted to the Service by Watari customers, the customer is the “controller” (or “Data Fiduciary” under India's DPDP Act 2023) and Watari is the “processor” (or “Data Processor”). Watari processes such data only on documented instructions from the customer, as set out in our Data Processing Agreement.

If you are an end-user whose support ticket has been processed by Watari on behalf of one of our customers, please contact that customer first. Watari will assist the customer in responding to your request.

For account, billing, and marketing data we collect directly from Watari customers and visitors, Watari acts as a controller.

7. Data retention

We retain personal information only for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

• Account data: retained for the duration of the subscription. After termination, retained until you request deletion at privacy@watari.ai; we will action the request within 30 days.
• Customer Content (tickets, bugs, RCAs): retained for the duration of the subscription. Deletable on demand from within the application via Settings → Organization → Delete (organization owner only) — this is an immediate cascade delete. After automatic termination for non-payment, Customer Content is retained until you request deletion as above; we will action the request within 30 days.
• Billing and tax records: retained for 7 years to satisfy Indian tax-record-keeping obligations.
• Operational logs: 30 days.
• Error telemetry: 90 days.
• Backups: rolling 30-day retention; backups containing deleted records are overwritten in cadence.

8. Security

We use technical and organisational measures designed to protect personal information from loss, misuse, and unauthorised access. These include:

• Encryption in transit: TLS 1.3 for all inbound and outbound traffic.
• Encryption at rest: AES-256-GCM for OAuth tokens and other sensitive secrets stored in the database.
• Tenant isolation: all customer data is scoped by organization_id and enforced by Postgres row- level security policies at the database layer.
• Access control: least-privilege role-based access for Watari personnel, with audit logging.
• Incident response: defined plan with breach- notification SLAs to controllers within 72 hours of awareness.

A more detailed description of our security posture is published at watari.ai/security.

9. Your rights

Subject to applicable law, you may have rights to access, correct, delete, restrict, port, or object to our processing of your personal information, and to withdraw consent at any time without affecting prior processing. Specific rights are described in the regional supplements below.

To exercise your rights, email privacy@watari.ai. We will respond within the time limits required by applicable law and, where required, verify your identity before fulfilling the request.

10. Regional supplements

10.1 India (DPDP Act 2023)

Watari is a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) for Data Principals in India.

Your rights as a Data Principal: access to a summary of your personal data (§11), correction and erasure (§12), grievance redressal (§13), and to nominate another person to exercise your rights on your behalf in case of death or incapacity (§14).

Withdrawing consent: you may withdraw consent previously given for any specific purpose by emailing privacy@watari.ai. Withdrawal will not affect processing carried out before withdrawal.

Grievance Officer: for complaints about our processing of your personal data, contact our Grievance Officer at grievances@watari.ai. We will acknowledge your complaint within 24 hours and resolve it within 15 days as required by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

Data Protection Board of India: if your grievance is not resolved, you may file a complaint with the Data Protection Board of India under §13 of the DPDP Act.

This Privacy Policy is available in English. A copy in any of the 22 languages in the Eighth Schedule to the Constitution of India can be requested at privacy@watari.ai.

10.2 European Economic Area, United Kingdom, and Switzerland

For visitors and Data Subjects in the EEA, UK, and Switzerland, the controller of your personal information is BttrLabs Private Limited. To exercise any of the rights described below, or to ask a question about how Watari handles personal information, email privacy@watari.ai.

Your rights under GDPR / UK GDPR (Arts. 15-22): access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, objection, and the right not to be subject to a decision based solely on automated processing. To exercise these rights, email privacy@watari.ai.

Supervisory authority:you have the right to lodge a complaint with your local supervisory authority. For UK residents, the supervisory authority is the Information Commissioner's Office (ICO).

10.3 California, USA

California residents have rights under the California Consumer Privacy Act, as amended (“CCPA”), and the California Privacy Rights Act (“CPRA”).

Categories of personal information collected in the preceding 12 months: identifiers (name, email, IP address), commercial information (subscription tier, billing history), internet activity (usage logs, error telemetry), professional information (job title, organisation), and inferences (account-segmentation labels).

Sources: directly from you, from your authorisations of third-party services, and automatically from your device.

Business purpose: see §2 above.

Do Not Sell or Share My Personal Information: Watari does not sell or share personal information for cross-context behavioural advertising. We honour Global Privacy Control (GPC) signals.

Sensitive personal information: we do not knowingly collect sensitive personal information (as defined under CPRA) beyond what is necessary to operate the Service. We do not use sensitive personal information for inferring characteristics about consumers.

Your rights: to know, delete, correct, opt out of sale/share (not applicable), limit use of sensitive PI, and non-discrimination. To exercise, email privacy@watari.ai.

10.4 Other US state privacy laws

Residents of Colorado, Connecticut, Virginia, Texas, Delaware, Oregon, Montana, Iowa, Tennessee, Indiana, Florida, New Jersey, New Hampshire, Kentucky, Minnesota, Maryland, and Rhode Island have rights similar to those described in §10.3, subject to each state's specific framework. The same email at privacy@watari.ai processes requests from residents of any of these states.

11. Children

The Service is intended for use by businesses and is not directed to individuals under the age of 18. We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected such information, contact privacy@watari.ai.

12. Changes to this Policy

We may update this Privacy Policy from time to time. The “Effective date” at the top of this page indicates the last revision. Material changes will be communicated by email to the registered owner of an Organisation at least 30 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance.

13. Contact

For privacy-related questions or to exercise any of your rights, contact:

• Privacy: privacy@watari.ai
• India Grievance Officer: grievances@watari.ai
• Security: security@watari.ai
• General: support@watari.ai

Postal address: BttrLabs Private Limited, B-38, Alay Park, Nana Mava Road, Rajkot - 360005, Gujarat, India. See the Imprint page for CIN, GSTIN, and statutory contacts.