Legal · reflyst.com

Privacy Policy

Effective date: 5 July 2026 Last updated: 5 July 2026

01Scope and the two kinds of people this policy covers

RefLyst provides a SaaS platform that helps educational institutes (“Institutes,” “Customers”) re-engage their prospective students (“Leads”) over WhatsApp, email, and AI voice calls. Because of that, this policy covers two different relationships:

  • Institutes — the businesses that sign up for and use RefLyst. For this data, RefLyst is the data controller (or “data fiduciary” under the DPDP Act).
  • Leads — the Institute's own prospective students, whose contact details and enquiry information the Institute uploads to RefLyst so our AI can follow up with them. For this data, the Institute is the data controller/fiduciary and RefLyst acts as a data processor, handling Lead data only on the Institute's instructions and for the purpose of providing the outreach service.

If you are a Lead and have questions about why you were contacted, please contact the Institute directly; RefLyst can help route your request (see Section 13).

02Information we collect

2.1 From Institutes (account holders)

  • Name, business/institute name, email address, phone number.
  • Billing details processed through Razorpay (RefLyst does not store your card or bank account numbers).
  • Login credentials, session data, and platform usage logs.
  • Support requests and correspondence with us.

2.2 From Leads (uploaded or captured by an Institute)

  • Name, phone number, email address, course or program of interest.
  • Enquiry source (e.g. website form, ad click, walk-in) and enquiry date.
  • The content of conversations across WhatsApp, email, and AI voice calls, including call recordings and transcripts.
  • Signals derived by our AI from that content — for example, detected objections, sentiment, urgency/purchase-probability scores, and preferred language.
  • If an Institute enables lead enrichment, publicly available professional information such as job title, company, or LinkedIn profile URL, sourced via a third-party enrichment provider.
  • Engagement data such as link clicks, webinar registrations/attendance, and cart-abandonment events on Institute landing pages.

2.3 Automatically collected

  • Standard web log data (IP address, browser type, pages visited) for the reflyst.com dashboard.
  • Cookies or similar technology strictly necessary to keep you logged in and to remember basic preferences. We do not use third-party advertising cookies.

03How we use this information

We use the information above to:

  • Operate the outreach service an Institute has configured — sending WhatsApp messages, emails, and placing AI voice calls to that Institute's own Leads, in the language and cadence the Institute selected.
  • Power the AI conversation engine: our systems send relevant conversation content to our large-language-model provider (Groq) to generate replies, detect objections, and score leads, and to our translation provider (Sarvam AI) to communicate in Indian languages.
  • Process wallet top-ups and billing through Razorpay.
  • Provide the dashboard, analytics, and reporting features Institutes use to manage their leads.
  • Maintain and improve the security, reliability, and performance of the platform.
  • Respond to support requests and legal obligations.

We do not sell personal data, and we do not use Lead data to build advertising profiles or to market to Leads on behalf of anyone other than the Institute that uploaded them.

04AI-generated communications and call recording

Messages and calls a Lead receives are generated or assisted by artificial intelligence on behalf of the Institute. AI voice calls placed through our platform may be recorded and transcribed for service delivery, quality review, and to improve the accuracy of future conversations. Where applicable law requires notifying a call participant that the call may be recorded and/or that they are speaking with an AI system, the Institute is responsible for ensuring that disclosure is made, and RefLyst will support the technical means to do so (for example, an opening disclosure line in the call script).

05Third-party service providers (sub-processors)

We rely on the following categories of service providers to operate RefLyst. Each processes data only as needed to perform its function for us:

ProviderPurpose
Meta (WhatsApp Business Platform)Sending and receiving WhatsApp messages
Bolna AIPlacing and transcribing AI voice calls
GroqLarge-language-model processing for conversation and scoring
Sarvam AITranslation into Indian languages
Sender.netTransactional and outreach email delivery
RazorpayPayment processing and wallet top-ups
Google CloudHosting of backend infrastructure (Cloud Run, asia-south1); Google Calendar access is handled separately — see Section 6
HostingerWeb hosting for the RefLyst application
People Data Labs — if/when enabled Optional lead enrichment

We enter into appropriate data-processing terms with these providers and only share the minimum data necessary for them to perform their function.

06Google Calendar data (Google user data)

If an Institute connects a Google Calendar account to enable AI-booked counsellor appointments, we access what Google classifies as Google user data for that specific purpose. This section discloses that handling separately, in addition to the general practices described elsewhere in this policy.

6.1 What we access

  • Free/busy information for the connected calendar, to determine open appointment slots.
  • The ability to create calendar events (with a generated Google Meet link) on the connected calendar when a Lead books a slot.
  • The basic profile information (email address) of the connected Google account, to display which account is connected.

6.2 How we use it

We use this access solely to power the appointment-booking feature: checking availability, creating the calendar event for a booked session, and generating a joining link. We do not read, use, or store the content of any other event on the connected calendar beyond what is necessary to compute free/busy availability.

6.3 Sharing

We do not share, sell, transfer, or disclose Google user data to any third party, and we do not use it for advertising, to train AI/ML models, to determine creditworthiness, or for any purpose other than providing and improving this specific appointment-booking feature.

6.4 Protection and retention

The refresh token used to access a connected Google account is stored encrypted. An Institute may disconnect Google Calendar at any time from its dashboard settings; on disconnection we stop using the associated token for new requests and delete or invalidate the stored token within 30 days.

07Data sharing and disclosure

We disclose personal data only:

  • To the sub-processors listed above, to operate the service.
  • To an Institute, regarding its own Leads (an Institute cannot see another Institute's data).
  • If required by law, regulation, legal process, or governmental request.
  • To protect the rights, property, or safety of RefLyst, our users, or others.
  • In connection with a merger, acquisition, or sale of assets, subject to confidentiality safeguards.

We do not sell personal data to third parties.

08Data retention

We retain Institute account data for as long as the account is active, and for a reasonable period after closure to comply with legal, accounting, or dispute-resolution needs. We retain Lead data for as long as the Institute's account is active and the Institute has not requested deletion, subject to the Institute's own retention instructions. Call recordings and transcripts are retained for 12 months unless the Institute requests earlier deletion or law requires longer retention.

09Data security

We use industry-standard safeguards — including encrypted connections, access controls, and encrypted storage of sensitive credentials (such as third-party API tokens) — to protect personal data. No system is completely secure, and we cannot guarantee absolute security.

10Your rights

If you are an Institute, you can access, correct, export, or request deletion of your account data at any time by contacting us (Section 13) or through your dashboard settings where available.

If you are a Lead, under the DPDP Act and similar laws you may have the right to:

  • Obtain confirmation of whether your personal data is being processed, and access it.
  • Request correction or erasure of your data.
  • Withdraw consent to being contacted (see Section 11).
  • Lodge a complaint with the relevant data protection authority.

Because the Institute is the controller/fiduciary for Lead data, please direct these requests to the Institute first where possible. If you're unsure which Institute contacted you, or the Institute is unresponsive, you may contact us at the address in Section 13 and we will assist in routing your request.

11Opting out / Do Not Contact

Leads can stop receiving messages at any time by replying “STOP” on WhatsApp, using the unsubscribe link in emails, or telling our AI voice agent they wish to stop being contacted. We flag such requests so the Lead is not contacted again through that channel. Institutes are responsible for ensuring they have a lawful basis (including compliance with India's Telecom Commercial Communications Customer Preference Regulations / DND framework, where applicable) to contact their Leads in the first place.

12Children's privacy

RefLyst is intended for use by businesses and their adult prospective customers. We do not knowingly collect personal data from individuals under 18 through our own marketing, and the platform is not directed at children. Institutes are responsible for ensuring that any Lead data they upload complies with applicable law where the Lead is a minor.

13Grievance Officer / Contact us

For privacy questions, requests, or complaints:

Abhishrk Singh
Email: support@reflyst.com
Address: Reflyst Private Limited, A307, BDA Konadasapura Phase 2, Bidare Agraha, Bengaluru - 560049

We aim to acknowledge requests within 30 business days, in line with applicable law.

14International data transfers

Some of our service providers (Section 5) may process data outside India, including in the United States. Where this occurs, we require providers to maintain appropriate safeguards for the data they process on our behalf.

15Changes to this policy

We may update this policy from time to time. We will post the revised version here with an updated “Last updated” date, and, for material changes, notify Institutes by email.