CurlCast is a single-operator dispatch workspace. It holds no recipient PII, no API keys, and no campaign content on any persistent store.
Recipient phone numbers, names, and template content are processed entirely in your browser. Our dispatch service forwards your payload to your WhatsApp BSP and returns its response. Payload contents are not stored anywhere on the server side.
Our dispatch service logs only: timestamp, run identifier, recipient sequence number, IP address, and HTTP status code. It does not log payload contents, phone numbers, or API keys.
Your WhatsApp BSP API key lives in your browser memory during the session. It is forwarded once per dispatch over TLS to the BSP and is never written to any log or persistent store on our side.
Settings → Clear all data removes every CurlCast entry from your browser's local storage. We hold no other copy to delete.
Under India's Digital Personal Data Protection Act 2023, you (the operator dispatching messages) are the Data Fiduciary for the recipient data you process. CurlCast acts as a Data Processor under your control.
Browser-to-dispatch traffic is served from the nearest edge region available to your network. Onward routing to your BSP follows the BSP's own residency policy.
An anonymous UX analytics script is loaded for session-level usability insight. No tracking pixels and no third-party advertising scripts.
For India-routed marketing-category sends, CurlCast enforces a soft warning outside the 09:00–21:00 IST window per TRAI's commercial communications guidance. Override requires a logged reason.