Privacy Policy

Last Updated: May 8th 2025

I. Introduction and Scope of this Policy

A. About Us: IndoAI Technologies Pvt Ltd

IndoAI Technologies Pvt Ltd (hereinafter referred to as “the Company,” “it,” or “its”) is committed to protecting the privacy of individuals who interact with its services. This document outlines the Company’s practices concerning Personal Data.

B. Purpose of this Privacy Policy

This Privacy Policy (“Policy”) explains how the Company collects, uses, processes, shares, and protects the Personal Data of individuals in India. This Policy is designed to be in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) of India.1 It aims to provide transparency regarding the Company’s data handling practices and the rights available to Data Principals.

C. Applicability

This Policy applies to all individuals (“Data Principals”) whose Personal Data is processed by the Company in India. The DPDP Act and this Policy primarily cover Personal Data collected in digital form.3 Should the Company collect Personal Data in a non-digital format which is subsequently digitized, such data will fall under the scope of this Policy from the point of its digitization. It is important for Data Principals to understand this distinction, as the DPDP Act’s specific obligations are tied to digital personal data. Consequently, the Company has established internal data governance protocols to identify the precise moment of digitization, ensuring that from that point forward, the data is managed strictly in accordance with the DPDP Act and this Policy.

The DPDP Act possesses an extraterritorial reach. Therefore, this Policy also applies if the Company processes the personal data of Data Principals in India, even if the processing occurs outside India, or if it offers goods or services to Data Principals within India.1

D. Definitions

For the purposes of this Policy, the following terms shall have the meanings ascribed to them below, consistent with the DPDP Act:

  • “Personal Data”: Means any data about an individual who is identifiable by or in relation to such data.1 This includes, but is not limited to, information such as name, email address, phone number, IP address, device information, usage data, and financial information if collected by the Company.1
  • “Data Principal”: The individual to whom the Personal Data relates.3
  • “Data Fiduciary”: The Company (indo.ai), as it alone or in conjunction with others determines the purpose and means of processing Personal Data.3
  • “Data Processor”: Any person who processes Personal Data on behalf of the Company.3
  • “Processing”: In relation to Personal Data, means an automated operation or set of operations performed on digital Personal Data. This may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
  • “Consent”: Any freely given, specific, informed, unconditional, and unambiguous indication of the Data Principal’s wishes by which they, through a clear affirmative action, signify agreement to the processing of their Personal Data for the specified purpose.2
  • “Data Protection Board of India” (“Board”): The authority established under the DPDP Act to enforce its provisions and adjudicate on matters related thereto.1
  • “Child”: An individual who has not completed eighteen years of age. This definition is critical for understanding the special obligations related to processing children’s data, as detailed later in this Policy.8

II. Personal Data We Collect and How We Collect It

A. Types of Personal Data Collected

The Company collects various categories of Personal Data to provide and improve its services. The specific types of Personal Data collected depend on the nature of the interaction with the Data Principal. These may include:

  • Identity & Contact Data: Such as full name, email address, postal address, phone number, date of birth, and gender.1
  • Technical Data: Including Internet Protocol (IP) address, browser type and version, time zone setting and location data (such as GPS coordinates, if collected with explicit consent), operating system and platform, device identifiers, online browsing history, and search queries conducted on the Company’s platforms.1
  • Usage Data: Information pertaining to how Data Principals use the Company’s website, products, and services. This may also include data from social media posts and messages if Data Principals interact with the Company’s official social media channels.1
  • Financial Data: Such as bank account numbers and credit card details, if payments are processed directly by the Company for its services.1
  • User-Generated Content: Any data provided by Data Principals when they use interactive features of the Company’s services, such as comments, feedback, or other submissions.

The enumeration of these data types is based on a thorough data mapping exercise conducted by the Company, as recommended for compliance with data protection regulations.2

B. Purposes for Which Personal Data is Processed

Personal Data is collected and processed only for “specified, explicit, and legitimate purposes”.1 The Company ensures that Data Principals are informed of these purposes at or before the time of data collection. These purposes include, but are not limited to:

  • Providing and managing Data Principal accounts and access to services.
  • Delivering the services requested by Data Principals.
  • Processing transactions and fulfilling orders.
  • Personalizing the user experience on the Company’s platforms.
  • Providing customer support and responding to inquiries.
  • Communicating important service updates, security alerts, and administrative messages.
  • Sending marketing communications, subject to obtaining specific consent from Data Principals.
  • Conducting data analytics to understand service usage and for service improvement.
  • Ensuring the security and integrity of the Company’s platforms and services.
  • Complying with applicable legal and regulatory obligations.

The Company adheres strictly to the Purpose Limitation Principle, meaning Personal Data will not be further processed in a manner that is incompatible with these declared and legitimate purposes.1

C. Lawful Basis for Processing

The Company processes Personal Data based on one or more lawful bases as prescribed under the DPDP Act:

  • Consent: The primary basis for most processing activities is the explicit Consent obtained from the Data Principal, as detailed in Section III of this Policy.2
  • Legitimate Uses: In certain limited circumstances, the Company may process Personal Data without explicit consent if such processing falls under “Legitimate Uses” as recognized by the DPDP Act.3 These situations are narrowly defined and may include:
    • Processing for a purpose for which the Data Principal has voluntarily provided their Personal Data to the Company, and it is reasonably expected that they would provide such data for that purpose.
    • Compliance with any law in force in India, or any judgment, decree, or order issued under such law.
    • Responding to medical emergencies involving a threat to the life or immediate threat to the health of the Data Principal or any other individual.
    • Taking measures to ensure safety during a disaster or a breakdown of public order.
    • For purposes related to employment, including the prevention of corporate espionage, maintenance of confidentiality, and protection of intellectual property, provided such processing is necessary.
    • Other uses as may be permitted from time to time by the DPDP Act or rules made thereunder.

The Company will clearly identify and document its rationale whenever it relies on a “Legitimate Use” for processing Personal Data. This approach, while reducing “consent fatigue” for Data Principals in certain necessary processing scenarios, places a significant onus on the Company to ensure that its interpretation and application of “Legitimate Uses” strictly align with the DPDP Act’s provisions. Transparency regarding these uses is paramount, and the Company commits to informing Data Principals about the categories of legitimate uses it might invoke, even when explicit consent is not the legal basis for processing. This requires careful legal assessment of what constitutes a “legitimate use” beyond the explicit statutory examples.

D. How We Collect Personal Data

The Company collects Personal Data through various methods:

  • Directly from Data Principals: When Data Principals register for an account, use the Company’s services, fill out forms, subscribe to newsletters, participate in surveys, or communicate directly with the Company.
  • Automatically: Through the use of cookies, server logs, and other similar technologies when Data Principals interact with the Company’s website or online services. The use of such technologies, particularly cookies, will be subject to a clear consent mechanism.
  • From Third-Party Sources: In some instances, and if applicable to its services, the Company may receive Personal Data from third-party sources. This could include publicly available databases, social media platforms (if Data Principals interact with the Company’s official pages on such platforms), or third-party service providers. Any collection from third-party sources will be conducted with appropriate safeguards and transparency, ensuring compliance with the DPDP Act.

III. Consent

A. Obtaining Consent

The Company will obtain “free, specific, informed, unconditional, and unambiguous” Consent from Data Principals, through a “clear affirmative action,” before processing their Personal Data, except where Legitimate Uses (as described in Section II.C) apply.2

The Company ensures that:

  • Consent mechanisms do not involve pre-ticked boxes; consent must be an explicit opt-in action by the Data Principal.2
  • Consent sought will be limited to the collection and processing of Personal Data that is necessary for the specified purpose(s) communicated to the Data Principal.8
  • Consent for one processing activity will not be bundled with consent for other unrelated processing activities, nor will it be made a precondition for accessing services if the specific data processing is not essential for providing that service.2 This “unconditional” nature of consent is a cornerstone of the DPDP Act. It has significant implications for how the Company designs its services and user interfaces for obtaining consent. Access to a core service cannot be made contingent on a Data Principal consenting to non-essential data processing (e.g., for third-party marketing) if that processing is not integral to the provision of the core service. This necessitates the adoption of granular consent mechanisms, allowing Data Principals to make distinct choices for different data uses, especially for secondary purposes. Such an approach requires careful UI/UX design to present these options clearly and manageably.

B. Notice at the Time of Consent

Before or at the time of requesting Consent, the Company will provide Data Principals with a clear, concise, and easily understandable notice. This notice will contain the following information 3:

  • The specific categories of Personal Data that will be collected and/or processed.
  • The explicit purpose(s) for which the Personal Data will be processed.
  • Information on how Data Principals can exercise their rights under the DPDP Act (with a reference to Section VII of this Policy).
  • Details on how to make a complaint to the Data Protection Board of India.
  • The contact details of the Company’s Grievance Officer or Data Protection Officer.

This notice will be made available in English and, where appropriate and feasible, in other official Indian languages to ensure accessibility and understanding.2

C. Withdrawal of Consent

Data Principals have the right to withdraw their Consent at any time, and the process for doing so will be as easy as the process for giving Consent.2 Clear instructions on how to withdraw Consent (e.g., through account settings, by contacting the Grievance Officer via a specified email) will be provided.

Upon receipt of a withdrawal request, the Company will cease processing the Data Principal’s Personal Data for the purpose(s) for which Consent was withdrawn, within a reasonable timeframe. However, such withdrawal will not affect the lawfulness of processing based on Consent before its withdrawal. Furthermore, the Company may continue to process Personal Data if such processing is required or permitted under applicable law (e.g., for fulfilling ongoing legal obligations, or if another legitimate basis for processing exists).

Data Principals will be informed of any potential consequences of withdrawing their Consent, such as the inability to access certain services or features that rely on the processing of that specific Personal Data.

D. Processing of Children’s Personal Data

The Company will not knowingly collect or process Personal Data from Children (individuals who have not completed eighteen years of age) without first obtaining “verifiable consent” from their parent or lawful guardian.5 The DPDP Act places the onus on the Data Fiduciary (the Company) to verify the identity of the individual claiming to be the parent or lawful guardian and their authority to provide consent.5

Operationalizing “verifiable” parental or guardian consent presents distinct challenges. It implies that the Company must implement robust mechanisms that go beyond a simple declaration or checkbox. These mechanisms must provide reasonable assurance that consent is genuinely obtained from a person with legal parental authority. This could involve requesting documentary proof (such as a birth certificate extract or court order, along with the parent’s government-issued ID), utilizing recognized third-party age and identity verification services, or employing other reliable methods as technology and regulations evolve. The implementation of such verification systems can be operationally complex and may itself involve the collection of sensitive data (e.g., identification documents of parents). The Company is committed to designing these processes carefully to be effective yet minimally intrusive, and to securely handle any additional Personal Data collected solely for the purpose of this verification.

Furthermore, the Company will not undertake any processing of Children’s Personal Data that is likely to cause harm to a Child.7 The Company will also refrain from undertaking tracking or behavioral monitoring of Children or directing targeted advertising at Children.7

E. Consent Managers

The DPDP Act introduces the concept of Consent Managers, which are entities registered with the Data Protection Board of India. These Consent Managers are intended to act as a single point of contact to enable a Data Principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.3 The Company will monitor the development and adoption of Consent Manager frameworks and will indicate in this Policy or through other appropriate notices if and when it integrates with any such registered Consent Managers.

IV. How We Use Your Personal Data

A. Adherence to Purpose

The Company reiterates its commitment to using Personal Data strictly for the purposes that were disclosed to the Data Principal at the time of collection, or for other purposes that are directly compatible with the original ones and for which valid consent has been obtained or a legitimate use applies.

B. Data Minimization

The Company is committed to the principle of data minimization. In accordance with the DPDP Act, it will only collect and process Personal Data that is “adequate, relevant, and limited to what is necessary” in relation to the specified purposes for which it is processed.1 The Company will not collect Personal Data speculatively or on the chance that it might become useful at a later date.

The principle of “data minimization” is not merely a one-time check at the point of data collection. It imposes an ongoing obligation on the Company to continuously assess whether the Personal Data it holds remains necessary for the original, specified purpose. Data that ceases to be necessary must be appropriately managed, typically through secure erasure or anonymization, as detailed in the Data Retention section of this Policy (Section IX). This continuous assessment ensures that the Company does not retain excessive or outdated data, thereby reducing privacy risks and the associated compliance burden. This practice is intrinsically linked to the “Storage Limitation” principle, which dictates that data should not be kept longer than necessary.

C. Specific Uses

Subject to obtaining necessary consents or relying on applicable legitimate uses, the Company may use Personal Data for the following (examples, to be tailored to indo.ai’s actual practices):

  • Service Provision: To create and manage Data Principal accounts, deliver the features and functionalities of its services, and process payments or other transactions initiated by Data Principals.
  • Communication: To send service-related notifications (e.g., updates, security alerts, support messages), respond to inquiries and feedback from Data Principals, and, with specific consent, send marketing communications about products, services, or promotions that may be of interest.
  • Personalization: To tailor content, recommendations, and the overall user experience on its platforms. Such personalization, especially if it involves profiling beyond what is core to service delivery, will be subject to specific consent.
  • Analytics & Improvement: To analyze usage patterns, trends, and preferences to improve the Company’s existing services, develop new features and products, and enhance overall service quality. Wherever feasible, such analytics will be performed using aggregated or de-identified data.
  • Security & Fraud Prevention: To protect the Company’s platform, systems, and users from security threats, unauthorized access, and fraudulent activities.
  • Legal Compliance: To fulfill the Company’s legal and regulatory obligations under Indian law or as required by competent authorities.

V. How We Share and Disclose Your Personal Data

A. With Data Processors

The Company may engage third-party vendors, service providers, or agents (“Data Processors”) to process Personal Data on its behalf and under its instructions for the purposes outlined in this Policy. Examples of such Data Processors include cloud hosting providers, payment processing companies, customer support service providers, and data analytics firms.

The Company will enter into written contracts with all Data Processors. These contracts will obligate the Data Processors to implement appropriate security safeguards to protect Personal Data and to process Personal Data only in accordance with the Company’s explicit instructions, for the specified purposes, and in a manner compliant with the DPDP Act.5

It is critical to understand that under the DPDP Act, the primary responsibility for compliance rests with the Data Fiduciary (the Company), even when data processing activities are outsourced to a Data Processor.6 The Act does not impose directly applicable statutory obligations on Data Processors in the same way it does on Data Fiduciaries. Instead, Data Fiduciaries are mandated to ensure compliance through contractual means. This means the Company cannot contractually shift its ultimate accountability for data protection failures that may occur due to the actions or omissions of its Data Processors. Consequently, the Company implements rigorous due diligence procedures when selecting Data Processors, insists on strong contractual clauses that impose DPDP Act-equivalent data protection obligations, and reserves the right to audit or otherwise monitor its Data Processors’ compliance. While indemnity clauses in contracts with Data Processors are an important risk management tool, they will not absolve the Company from potential regulatory penalties if a Data Processor causes a breach due to the Company’s failure to ensure appropriate safeguards were contractually mandated and overseen.

B. With Other Third Parties (Non-Processors)

The Company will only share Personal Data with other third parties (who are not Data Processors acting on its behalf) under the following limited circumstances:

  • With Explicit Consent: If the Data Principal has provided explicit consent for their Personal Data to be shared with a specific third party for a clearly defined purpose.
  • For Legitimate Uses: As described in Section II.C of this Policy, if the sharing is necessary for a recognized legitimate use under the DPDP Act.
  • Aggregated or De-identified Data: The Company may share aggregated or de-identified data, which cannot reasonably be used to identify an individual Data Principal, with third parties for purposes such as research, statistical analysis, industry reporting, or service improvement.

C. For Legal Reasons and Protection

The Company may disclose Personal Data if it believes in good faith that such disclosure is necessary to:

  • Comply with applicable law, regulation, legal process (such as a court order or subpoena), or a binding governmental request from a competent authority in India.
  • Protect the rights, property, or safety of the Company, its users, or the public, as required or permitted by law. This includes the processing of Personal Data for law enforcement or national security purposes if mandated under Indian law and through due legal procedure.1 The DPDP Act includes exemptions for processing by designated state entities for purposes such as the sovereignty and integrity of India, security of the State, friendly relations with foreign states, or maintenance of public order.12 This section addresses the Company’s potential obligation to disclose Personal Data to such entities if legally compelled.
  • Detect, prevent, or otherwise address fraud, security, or technical issues.

D. Business Transfers

In the event that the Company is involved in a merger, acquisition, corporate reorganization, financing, bankruptcy, sale of all or a portion of its assets, or other similar business transaction, Personal Data may be transferred as part of that transaction. In such cases, the Company will ensure that the acquiring entity is bound by data protection commitments that are at least as protective as those in this Policy, or Data Principals will be notified of any material changes to how their Personal Data will be handled.

VI. Cross-Border Transfer of Personal Data

A. General Principle

In connection with the purposes outlined in this Policy, the Company may transfer Personal Data of Data Principals to countries outside of India for processing or storage. This may occur, for example, if the Company utilizes cloud services with servers located internationally or engages Data Processors based in other countries.

B. Compliance with Indian Law

Any such cross-border transfer of Personal Data will be conducted in strict compliance with the provisions of the DPDP Act and any relevant rules, regulations, or notifications issued by the Central Government of India. The DPDP Act empowers the Central Government to restrict the transfer of Personal Data to certain specified countries or territories by notifying a list of such jurisdictions (often referred to as a “negative list”).2 The Company will not transfer Personal Data to any country or territory that is included in such a notified restricted list.

For transfers of Personal Data to countries that are not on the restricted list, the Company will ensure that such transfers are subject to appropriate safeguards designed to provide a level of data protection that is comparable to that afforded under the DPDP Act. This may involve contractual clauses or other mechanisms as permitted or prescribed by the Indian government.10

The framework for cross-border data transfers under the DPDP Act relies significantly on future notifications and guidelines from the Central Government, particularly concerning the “negative list” of countries and potentially other conditions for transfer.4 This introduces an element of regulatory dynamism and potential uncertainty, as this list and associated guidelines can be updated. The Company must, therefore, maintain agile internal processes to continuously monitor regulatory updates from the Ministry of Electronics and Information Technology (MeitY) and adapt its data transfer practices accordingly. Unlike some other international data protection regimes where a Data Fiduciary might make its own assessment of a recipient country’s “adequacy,” the DPDP Act requires adherence to the Indian government’s explicit directives. This approach allows the Indian government to maintain sovereign control over its citizens’ data flows based on its own assessment of other countries’ laws, data protection standards, and geopolitical considerations. If the Company relies on transferring data to a country that subsequently gets added to the restricted list, it will need to promptly implement alternative solutions, such as data localization within India, transferring the data to another permitted country, or ceasing the specific processing activity that necessitates the transfer.

C. User Notification

Where Personal Data is transferred outside India, the Company will endeavor to inform Data Principals about such transfers. This information will typically be provided through this Privacy Policy, which will be updated as necessary to reflect the Company’s data transfer practices.

VII. Your Rights as a Data Principal

Under the DPDP Act, Data Principals are endowed with several rights concerning their Personal Data. The Company is committed to upholding these rights and facilitating their exercise.

A. Right to Access Information

Data Principals have the right to obtain from the Company the following information 1:

  • A summary of their Personal Data that is being processed or has been processed by the Company.
  • Information about the processing activities undertaken by the Company with respect to their Personal Data (e.g., the purposes of processing).
  • The identities of all Data Fiduciaries (if any, with whom the Company is a co-fiduciary) and Data Processors with whom their Personal Data has been shared by the Company, along with the categories of Personal Data so shared.
  • Any other information as may be prescribed under the rules of the DPDP Act.

This right to access is generally applicable when Personal Data is processed based on the Data Principal’s consent or for legitimate uses that result in the provision of a service or benefit to the Data Principal.

B. Right to Correction and Erasure

Data Principals have the following rights related to the accuracy and retention of their Personal Data 1:

  • Correction: The right to request the correction of Personal Data held by the Company that is inaccurate, incomplete, or misleading.
  • Completion: The right to request the completion of incomplete Personal Data.
  • Updating: The right to request the updating of Personal Data that is no longer current.
  • Erasure: The right to request the erasure (deletion) of their Personal Data when it is no longer necessary for the purpose for which it was collected, or if the Data Principal has withdrawn their consent for its processing (and no other overriding legal ground for continued processing or retention exists).1 This right is subject to any legal or regulatory obligations that may require the Company to retain the Personal Data for a specified period.

C. Right to Grievance Redressal

Data Principals have the right to an easily accessible means of registering grievances with the Company’s designated Grievance Officer or Data Protection Officer (as applicable) regarding any aspect of the Company’s processing of their Personal Data or concerning the exercise of their rights under the DPDP Act.5

Furthermore, if a Data Principal’s grievances are not resolved satisfactorily by the Company, or if they believe their rights under the DPDP Act have been infringed, they have the right to lodge a complaint with the Data Protection Board of India.

D. Right to Nominate

Data Principals have the right to nominate another individual who can exercise their rights under the DPDP Act on their behalf in the event of their death or incapacity.5 Incapacity, in this context, refers to a condition where the Data Principal is unable to exercise their rights due to unsoundness of mind or infirmity of body.

The “Right to Nominate” is a distinctive feature of the DPDP Act, extending data management considerations beyond a Data Principal’s lifetime or active capacity. To operationalize this right, the Company will need to establish a clear, secure, and verifiable process. This process will involve:

  1. A secure mechanism for the Data Principal to submit the details of their nominee.
  2. Verification of the Data Principal’s identity at the time of making the nomination to prevent fraudulent nominations.
  3. Secure storage of the nominee’s information.
  4. A defined procedure for the nominated individual to invoke this right. This procedure will require verification of the nominee’s identity and satisfactory proof of the Data Principal’s death (e.g., a legally recognized death certificate) or incapacity (which may require appropriate legal documentation or adherence to an internal assessment process defined by the Company in line with legal requirements).

This right acknowledges the enduring nature and importance of personal data and seeks to provide a mechanism for its continued management according to the Data Principal’s wishes, even posthumously or during periods of incapacity. The implementation of this right adds a layer of complexity to the Company’s data management and user support functions and involves careful legal consideration to prevent fraud or unauthorized access by individuals falsely claiming to be nominees.

E. How to Exercise Rights

Data Principals can submit requests to exercise their rights by contacting the Company through the channels specified in Section X (Grievance Redressal) or Section XIII (Contact Us) of this Policy. To protect Personal Data, the Company may require Data Principals to provide sufficient information to verify their identity before processing any request. This verification is essential to prevent unauthorized access to or alteration of Personal Data. The Company will respond to all valid requests from Data Principals within the timeframe prescribed under the DPDP Act or its associated rules.

F. Table: Data Principal Rights and How to Exercise Them

The following table summarizes the key rights of Data Principals and provides general guidance on how to exercise them with the Company:

| Right | Description under DPDP Act | How to Exercise with indo.ai |
| --- | --- | --- |
| Right to Access | Obtain a summary of processed Personal Data, details of processing activities, and identities of entities with whom data has been shared. | Submit an access request to the contact details provided in Section X or XIII (e.g., [email protected] with subject “Access Request”). |
| Right to Correction | Request correction of inaccurate or misleading Personal Data; request completion of incomplete data; request updates to outdated data. | Submit a correction request to the contact details provided in Section X or XIII (e.g., [email protected] with subject “Correction Request”). |
| Right to Erasure | Request deletion of Personal Data when it is no longer necessary for the collected purpose, or if consent is withdrawn (subject to legal retention obligations). | Submit an erasure request to the contact details provided in Section X or XIII (e.g., [email protected] with subject “Erasure Request”). |
| Right to Grievance Redressal | Lodge complaints or grievances regarding the processing of Personal Data or the exercise of rights, initially with the Company and subsequently with the Data Protection Board if unsatisfied. | Contact the Grievance Officer / Data Protection Officer using the details provided in Section X. |
| Right to Nominate | Nominate another individual to exercise rights under the DPDP Act in the event of the Data Principal’s death or incapacity. | Follow the specific process communicated by the Company for nominations, which can be requested from the contact details in Section X or XIII (e.g., [email protected] with subject “Nomination Process Request”). |

This table serves as a quick reference. The Company is committed to ensuring these rights are easily exercisable and that Data Principals are empowered to manage their Personal Data effectively.

VIII. Duties of Data Principals

While the DPDP Act primarily focuses on the rights of Data Principals and the obligations of Data Fiduciaries, it also outlines certain duties for Data Principals. When interacting with the Company and exercising their rights under the DPDP Act, Data Principals are expected to adhere to the following duties 7:

  • Compliance with Laws: Data Principals must exercise their rights in accordance with all applicable laws and regulations. The exercise of rights should not infringe upon other laws or the rights of other individuals.
  • No Impersonation: Data Principals must not impersonate another person when providing Personal Data or when interacting with the Company or the Data Protection Board.
  • No Suppression of Material Information: Data Principals must not suppress any material information while providing their Personal Data to the Company for any specific purpose where such information is relevant.
  • Authenticity of Information: Data Principals are responsible for ensuring that any Personal Data they provide to the Company is authentic, accurate, complete, and up-to-date to the best of their knowledge.
  • No False or Frivolous Grievances: Data Principals should refrain from registering false or frivolous grievances or complaints with the Company or with the Data Protection Board of India.
  • Verifiable Information for Correction/Erasure: When exercising their right to correction or erasure of Personal Data, Data Principals must furnish only verifiably authentic information to support their request.

Including these duties in the Policy is important for establishing a balanced understanding of the data protection framework. It sets clear expectations for the conduct of Data Principals and can assist the Company in managing interactions, particularly in deterring the misuse of data rights or the submission of deliberately false or misleading information. While the DPDP Act is fundamentally designed to protect Data Principals, these duties contribute to the overall integrity and efficiency of the data protection regime by ensuring that the rights are exercised responsibly. This helps in managing expectations and ensures that the resources dedicated to upholding data rights are utilized effectively for genuine concerns.

IX. Data Security and Retention

A. Our Commitment to Data Security

The Company is deeply committed to protecting the Personal Data of Data Principals from unauthorized access, use, disclosure, alteration, loss, or destruction. It recognizes the importance of maintaining the confidentiality and integrity of Personal Data.

B. Security Safeguards

The Company will implement “appropriate technical and organizational measures” to ensure a level of security that is appropriate to the risk associated with the processing of Personal Data.1 The determination of “appropriate” measures is a dynamic and ongoing process, rather than a fixed checklist. It requires the Company to continuously assess the risks to Personal Data, considering factors such as the volume and sensitivity of the data, the nature of the processing activities, the potential harm that could result from a breach, and the evolving technological landscape and threat environment.

These security measures are designed to prevent personal data breaches and may include, but are not limited to, the following 10:

  • Data Encryption: Implementing encryption for Personal Data both at rest (when stored) and in transit (when transmitted over networks).
  • Access Controls: Employing robust access control mechanisms, including role-based access and strong authentication methods (e.g., multi-factor authentication), to limit access to Personal Data to authorized personnel only.
  • Data Masking or Obfuscation: Using techniques such as data masking or pseudonymization where appropriate to reduce the identifiability of Personal Data.
  • Regular Cybersecurity Audits and Vulnerability Assessments: Conducting periodic security audits, penetration testing, and vulnerability assessments to identify and remediate potential weaknesses in systems and processes.
  • Secure Software Development Practices: Integrating security considerations into the software development lifecycle (DevSecOps).
  • Employee Training and Awareness: Providing regular training to employees on data protection principles, security policies, and procedures.
  • Physical Security Measures: Implementing appropriate physical security measures to protect data centers and other locations where Personal Data may be stored or processed.
  • Incident Response Plan: Maintaining a data breach incident response plan to effectively manage and mitigate the impact of any security incidents.

Contracts with Data Processors will include legally binding provisions requiring them to implement and maintain security safeguards that are consistent with the Company’s standards and the requirements of the DPDP Act.10 The significant penalties stipulated under the DPDP Act for security breaches (which can extend up to INR 250 crore 11) underscore the critical importance and financial imperative for the Company to establish and maintain robust security measures. This necessitates a proactive approach to risk management, potentially including adherence to recognized information security standards (e.g., ISO 27001) to demonstrate due diligence.

C. Data Breach Notification

In the unfortunate event of a Personal Data breach that is likely to cause harm to Data Principals, the Company will notify the Data Protection Board of India and the affected Data Principals as required by and in accordance with the provisions of the DPDP Act and its associated rules.5 Such notification will typically describe the nature of the Personal Data breach, the categories and approximate number of Data Principals concerned, the likely consequences of the breach, and the measures taken or proposed to be taken by the Company to address the breach and mitigate its possible adverse effects.

D. Data Retention Policy

The Company will retain Personal Data only for as long as it is necessary to fulfill the specific purposes for which it was collected, as outlined in this Policy and as communicated to the Data Principal at the time of collection.1 This aligns with the principle of “storage limitation.”

Personal Data will be securely erased or anonymized when:

  • The purpose(s) for which it was collected have been fulfilled and the data is no longer needed.
  • The Data Principal withdraws their consent for its processing, and there is no other legal basis or legitimate purpose for its continued retention.
  • It is no longer necessary to retain the Personal Data for compliance with any law for the time being in force in India.5

The “storage limitation” principle, which mandates the erasure of data when no longer needed, must be carefully balanced with potential legal or regulatory obligations that may require the Company to retain certain categories of data for longer, specified periods (e.g., financial transaction records, data relevant to ongoing litigation, or other statutory record-keeping requirements). The Company maintains a data retention schedule that maps different types of Personal Data to their original purposes, the DPDP Act’s erasure requirements, and any overriding legal retention obligations. This schedule is periodically reviewed and updated. Data Principals should be aware that their Personal Data might be retained beyond the fulfillment of the primary processing purpose if such retention is mandated by applicable Indian law.

The draft rules under the DPDP Act may also set specific retention periods for certain types of Data Fiduciaries or data categories.10 The Company will comply with any such mandated retention periods if and when they become applicable to its operations. Anonymized or aggregated data, which does not identify individual Data Principals, may be retained for longer periods for purposes such as research, statistical analysis, or service improvement.

X. Grievance Redressal

A. Grievance Officer / Data Protection Officer

The Company has appointed a designated official to address queries and grievances from Data Principals relating to this Privacy Policy and the processing of their Personal Data.

The status of the Company as a “Significant Data Fiduciary” (SDF) under the DPDP Act is a critical internal assessment. SDFs are entities designated by the Central Government based on factors such as the volume and sensitivity of personal data processed, risk to the rights of Data Principals, potential impact on the sovereignty and integrity of India, security of the State, public order, or risk to electoral democracy.14 This designation triggers additional, more stringent obligations. These include the mandatory appointment of a Data Protection Officer (DPO) based in India who is responsible to the board of directors or a similar governing body, the conduct of periodic data protection impact assessments (DPIAs), and regular data audits by an independent data auditor.3 Penalties for non-compliance with SDF-specific obligations can be substantial, potentially extending up to INR 150 crore.11

  • If the Company is (or is likely to be classified as) a Significant Data Fiduciary (SDF): The Company [is/may be classified as] a Significant Data Fiduciary under the DPDP Act. Accordingly, it has appointed a Data Protection Officer (DPO) based in India. The DPO is the designated point of contact for Data Principals and is responsible for overseeing compliance with the DPDP Act within the Company.
  • If the Company is NOT an SDF: The Company has appointed a Grievance Officer [or other designated contact person] to address Data Principal inquiries and grievances related to data privacy.2

(The Company indo.ai must internally assess its status and select the appropriate statement above. The contact details below should reflect the correct designation.)

B. Contact Details

The contact details for the [Data Protection Officer / Grievance Officer] are as follows:

C. Process for Lodging a Complaint/Grievance

Data Principals who wish to submit a grievance or have concerns regarding the processing of their Personal Data can do so by contacting the [Data Protection Officer / Grievance Officer] using the contact details provided above. It is recommended to submit grievances in writing, providing specific details of the issue.

The Company will acknowledge receipt of the grievance promptly and will endeavor to investigate and resolve it within the timeframe prescribed by the Central Government under the rules of the DPDP Act (if any such timeframe is specified).7

D. Escalation to Data Protection Board

If a Data Principal is not satisfied with the resolution provided by the Company, or if their grievance is not addressed by the Company within the prescribed timeframe (if any), they have the right to file a complaint with the Data Protection Board of India.7 The Board is the statutory body responsible for adjudicating on such matters.

XI. Updates to this Privacy Policy

The Company reserves the right to update or modify this Privacy Policy at any time to reflect changes in its data processing practices, service offerings, or applicable legal and regulatory requirements.

The Company will notify Data Principals of any material changes to this Policy. The method of notification will be appropriate to the significance of the changes and may include posting a prominent notice on its website, sending an email to registered users, or using other communication channels to ensure Data Principals are adequately informed. While it is standard practice for policies to state that continued use implies acceptance of changes, the DPDP Act’s strong emphasis on “informed” consent and transparency 1 suggests a more proactive approach for material changes. If the Company makes changes that significantly alter how it collects, uses, or shares Personal Data (e.g., introducing new data uses, new categories of data sharing, or changes affecting Data Principal rights), it will endeavor to provide clear, advance notice. This helps ensure that Data Principals are genuinely informed and can make considered decisions regarding their continued use of the services or the exercise of their rights, such as withdrawing consent for a new use.

The “Last Updated” date at the beginning of this Policy will indicate when it was last revised. Continued use of the Company’s services after any such changes have been notified and have taken effect will constitute acceptance of the revised Policy, subject to the Data Principal’s rights to withdraw consent or exercise other rights available under the DPDP Act. For significant changes that fundamentally alter the basis of processing Personal Data, the Company may seek renewed consent where required by law.

XII. Governing Law and Dispute Resolution

A. Governing Law

This Privacy Policy and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of India.

B. Dispute Resolution – Arbitration

  • Agreement to Arbitrate: In the event of any dispute, controversy, or claim arising out of or relating to this Privacy Policy, its interpretation, validity, performance, breach, or termination hereof (hereinafter referred to as a “Dispute”), the parties (the Data Principal and the Company) shall endeavor to resolve such Dispute amicably through negotiation. If an amicable resolution is not reached within thirty (30) days from the date one party notifies the other of the Dispute, such Dispute shall be referred to and finally resolved by arbitration in accordance with the Arbitration and Conciliation Act, 1996, and any amendments thereto.15
  • Arbitrator(s): The arbitration shall be conducted by a sole arbitrator. The parties shall attempt to mutually appoint the sole arbitrator. If the parties are unable to agree on a sole arbitrator within thirty (30) days from the date of one party invoking arbitration, the arbitrator shall be appointed in accordance with the provisions of the Arbitration and Conciliation Act, 1996.
  • Seat and Venue of Arbitration: The seat of the arbitration shall be Pune, India. The venue of the arbitration shall also be Pune, India. Specifying Pune as the “seat” of arbitration is legally crucial as it grants the courts in Pune supervisory jurisdiction over the arbitration process. This includes matters such as applications for interim relief under Section 9 of the Arbitration and Conciliation Act, 1996, challenges to the arbitral award under Section 34, or applications for the appointment of arbitrators if the parties fail to agree.15 Merely stating “Pune court” or “Pune venue” without specifying the seat can lead to ambiguity.
  • Jurisdiction of Courts: Subject to the arbitration agreement herein, the courts in Pune, India, shall have exclusive jurisdiction to grant interim reliefs, entertain any application for the enforcement of the arbitral award, or address any other matter incidental to or arising out of the arbitration proceedings that is permissible for court intervention under the Arbitration and Conciliation Act, 1996.
  • Language: The language of the arbitration proceedings shall be English.
  • Confidentiality: The parties shall maintain the confidentiality of the arbitration proceedings and the arbitral award, except as may be necessary to enforce the award or as required by applicable law.15
  • Survival: This arbitration clause shall survive the termination or expiration of this Privacy Policy. The principle of separability, recognized under Indian arbitration law 15, means that this arbitration agreement is treated as separate from the other terms of this Privacy Policy. Therefore, even if the validity or applicability of the Privacy Policy itself is challenged, this arbitration clause can remain valid and enforceable to resolve that challenge.

C. Interaction with Data Protection Board

It is hereby clarified that this arbitration clause is intended to cover disputes arising from or in connection with the contractual relationship established by this Privacy Policy between the Data Principal and the Company. This clause does not limit, oust, or supersede the statutory jurisdiction of the Data Protection Board of India to adjudicate upon any complaints, grievances, or matters falling within its powers as conferred by the DPDP Act. Data Principals retain their full right to approach the Data Protection Board of India for redressal of grievances related to any alleged violations of the provisions of the DPDP Act by the Company. The arbitration mechanism is for contractual disputes, while the Board is the statutory authority for DPDP Act violations.

XIII. Contact Us

If Data Principals have any questions, concerns, or grievances regarding this Privacy Policy, the processing of their Personal Data by the Company, or if they wish to exercise their rights, they may contact the Company through the following channels:

  • Designated Email Address for Privacy Inquiries: [email protected]
  • Postal Address for Formal Notices:
    IndoAi Technologies Pvt Ltd
    B-15 & 16, City Vista DownTown Kharadi
    Pune – 411014, Maharashtra, India
  • Website Contact Form
  • Phone no: 9096536286
  • Data Principals are also encouraged to refer to Section X of this Policy for the specific contact details of the Company’s [Data Protection Officer / Grievance Officer].