← Noti5 · Privacy

Privacy policy.

How Noti5 collects, uses, retains, and protects personal data on behalf of the brands that use our notification infrastructure.

Last updated: May 2026 | Effective: May 2026

Quick summary. Noti5 is delivery infrastructure. We act as a data processor on behalf of the businesses (data fiduciaries) that use our service to send transactional messages. We don't run mailing lists, market to your inbox, or sell your data. Personal data we handle is retained for 90 days then scrubbed; metadata for 2 years then deleted.

1. Who we are

Noti5 is a notification infrastructure product operated as a partnership entity in Chennai, India, in collaboration with The Bumblebee Branding Company Pvt Ltd. Contact: hello@noti5.app. Abuse reports: abuse@noti5.app.

2. What data we handle

When a business uses Noti5 to send you an email, WhatsApp message, or OTP, we process:

Your contact identifier — email address or phone number (the address the brand sends to)
Message content — subject, body, and any variables the brand merged into the template
Delivery metadata — timestamps, status (delivered / bounced / read), the IP address that triggered the send
For form acknowledgements — the form fields you submitted (typically name, email, phone, message)
For OTPs — a hashed copy of the code (never the plaintext); attempt counts; expiry timestamps

3. Why we have it (our role)

We are a data processor. The brand that contacted you is the data fiduciary. They decide what to send and to whom; we deliver it. Our processing of your data is limited to:

Routing the message to the right provider (MailerSend for email, Meta WhatsApp Business for WhatsApp)
Recording delivery + bounce status so the brand can see whether their message arrived
Suppression-list management — once an address has bounced or unsubscribed, we won't deliver to it again
Verifying OTPs you've been issued
Aggregate, non-identifying analytics for operational health (queue depth, error rates, etc.)

We do not sell personal data, use it for our own marketing, or share it with third parties beyond the providers required for delivery.

4. Retention

Message body content (subject, rendered body, merged variables): 90 days, then automatically scrubbed by a nightly job. Recovery is impossible after scrub.
Delivery metadata (timestamps, status, hashed recipient identifier): 2 years, then deleted.
OTPs: expire by their TTL (typically 10 minutes); record retained as part of the message log under the same policies.
Suppression entries: kept indefinitely while the brand uses Noti5, to honour your prior unsubscribe.
Audit logs: 2 years.

5. Security

Encryption in transit — TLS only; HTTP redirects to HTTPS.
Encryption at rest — sensitive columns (message body, merged variables, recipient address) are encrypted with Laravel's encrypted casts in our MySQL database.
API authentication — every API call requires a site-scoped bearer token. Tokens are stored as SHA-256 hashes; raw values are never persisted.
Webhook signing — provider webhooks (MailerSend, Meta) and our outbound webhooks to brands are HMAC-SHA256 signed.

6. Your rights (DPDP 2023)

Under India's Digital Personal Data Protection Act 2023 you have the right to:

Access — get a copy of personal data we hold about you, scoped to a specific business that sent to you.
Correction & erasure — ask us to delete personal data we hold (the body of messages sent to you; we retain hashed identifiers for suppression).
Withdrawal of consent — for any data processing that requires your consent.
Grievance redressal — complain to our Grievance Officer (below) if you believe your rights have been violated.

Because we are the processor, requests are usually best made to the brand that contacted you — they hold the relationship with you. We will honour a direct request to privacy@noti5.app and coordinate with the brand. Response within 30 days.

7. International transfers

Email is delivered via MailerSend (EU-based infrastructure). WhatsApp delivery uses Meta's WhatsApp Business Cloud API (global). Our application data lives in India. We use providers that maintain industry-standard data protection.

8. Cookies on noti5.app

The marketing page sets only essential cookies (CSRF protection on the invite-request form). The customer dashboard at app.noti5.app sets a session cookie after sign-in. No third-party analytics or tracking cookies.

9. Children

Noti5 is infrastructure for businesses; we do not knowingly process personal data of individuals under 18 except when a brand has obtained verifiable parental consent (e.g., school admissions enquiries).

10. Changes

We may update this policy. Material changes will be announced via a banner on this page for at least 30 days. The "Last updated" date at the top always reflects the current version.

11. Grievance Officer

For DPDP-related concerns, contact our Grievance Officer:

Name: Sastharam Ravendran
Email: grievance@noti5.app (also routed to hello@noti5.app)
Postal: Noti5, c/o The Bumblebee Branding Company, Chennai, India