Bbrok

Privacy Policy

Last updated: 13 May 2026

This Privacy Policy explains how Velswift (trading as "Bbrok", "we", "us") collects, uses, and protects personal data when patients interact with clinics that use our WhatsApp appointment-booking service. This policy is published in compliance with India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and Meta's WhatsApp Business Platform requirements.

1. Who we are

Data Fiduciary: Velswift (sole proprietorship registered under GST in India). Trade name: Bbrok.

Service: A WhatsApp-based appointment booking assistant offered to clinics in India. When you message a participating clinic on WhatsApp, your messages are routed through our software to help schedule, reschedule, or cancel appointments.

Contact: hello@bbrok.in

2. What data we collect

When you send a WhatsApp message to a participating clinic, we collect:

  • Your WhatsApp phone number (provided to us by Meta when you initiate contact)
  • Your WhatsApp profile name (if you have set one)
  • The text of your messages exchanged with the clinic's bot
  • Appointment details you provide: chosen slot and status
  • Consent records: the date, time, and language of your consent under the DPDP Act

We do not collect financial information, government identifiers, location data, or contents of media files unless you voluntarily send them.

3. Why we collect it (purpose)

  • To schedule, modify, and cancel your appointment with the clinic you contacted
  • To send you booking confirmations, reminders, and status updates via WhatsApp
  • To allow the clinic to view your booking and contact you about your appointment
  • To maintain a record required for regulatory compliance and dispute resolution

We do not use your data for advertising, profiling, or selling to third parties.

4. Legal basis (DPDP Act § 6)

We process your personal data only after you have given specific, informed, and unambiguous consent by tapping "I agree" in response to the consent prompt sent by the clinic's bot at first contact. You can withdraw consent at any time by sending STOP to the clinic's WhatsApp number.

5. Who we share data with

  • The clinic you booked with: full access to your phone number, name, and appointment details via their secured dashboard. Each clinic acts as an independent Data Fiduciary for their own use of your data.
  • Meta Platforms Ireland Ltd.: WhatsApp message delivery is operated by Meta. Meta processes message metadata under their own privacy policy.
  • MongoDB Inc. (Atlas): our database host. Data is encrypted at rest and in transit. Hosted in India region.
  • Government authorities: only when compelled by valid Indian law.

We do not transfer your data outside India except as necessary for the above processors and as permitted under DPDP § 16.

6. How long we keep it (retention)

  • Conversation messages: 90 days from the date of the message, then automatically deleted.
  • Appointment records: retained for as long as the clinic continues to use Bbrok, plus 3 years thereafter, for legal/financial records.
  • Consent records: retained for the same duration as appointment records, as proof of lawful processing.
  • If you withdraw consent (send STOP), we stop sending messages immediately and delete all your personal data within 30 days, except records we are legally required to retain.

7. Your rights (DPDP Act § 11–14)

You have the right to:

  • Access a copy of the personal data we hold about you
  • Correct inaccurate data
  • Erase your data (subject to legal retention)
  • Withdraw consent at any time (send STOP to the clinic's WhatsApp number)
  • Nominate another individual to exercise your rights in the event of death or incapacity
  • Lodge a grievance with our Grievance Officer (below)
  • Escalate to the Data Protection Board of India if unresolved

To exercise any right, email hello@bbrok.in with the subject "Data Request". We respond within 30 days.

8. Security

We protect your data using:

  • TLS 1.2+ encryption for all data in transit (including via WhatsApp and our dashboard)
  • Encryption at rest on the database
  • Role-based access: only the clinic you booked with, and authorised Velswift personnel, can see your data
  • Webhook signature verification (HMAC-SHA256) to ensure messages originate from Meta
  • Bcrypt-hashed passwords for all clinic dashboard logins

9. Children

The service is intended for adults booking on their own behalf. Where a child's appointment is booked, the booking adult is responsible for providing consent under DPDP § 9 and ensuring lawful processing on the child's behalf.

10. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated via the clinic's WhatsApp channel where reasonable.

11. Grievance Officer

As required by the DPDP Act:

  • Name: Vel Moorthi Nagarajan (Proprietor, Velswift)
  • Email: hello@bbrok.in
  • Response time: within 30 days of receipt