INTRODUCTION
O2V Private Limited, operating as elsai ("we," "us," "our," or "Company"), is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Agent Resource Management Software (ARMS) platform and related services (collectively, the "Platform" or "Services").
This Privacy Policy applies to information collected through:
The elsai website (https://www.elsai.ai)
The ARMS platform and associated applications
Email communications and customer support interactions
Third-party integrations and services you enable
Mobile applications and API integrations
By accessing or using our Services, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.
Important Notice for Indian Users: This Privacy Policy complies with India's Digital Personal Data Protection Act (DPDPA), 2023 and Rules 2025. Additional obligations specific to Indian users are outlined in Section 19.
1. INFORMATION WE COLLECT
1.1 Information You Provide to Us
Account Information
When you register for an account, we collect:
Full name and email address
Work email address and company name
Password (stored in encrypted form using industry-standard hashing algorithms)
Phone number (optional)
Company size and industry (optional)
Job title and role (optional)
Billing and payment information (processed by third-party payment processors)
Government-issued identification (for enterprise verification only, with consent)
Customer Data
You may upload, submit, or process various types of data through the Platform ("Customer Data"), including:
AI agent configurations, prompts, and instructions
Log data and telemetry from your AI deployments
Documents, files, and content processed by AI agents
API credentials and integration settings
Usage metrics and performance data
Custom models and training data
Business intelligence and analytics data
Data Ownership: You retain full ownership and control of your Customer Data. We process Customer Data solely to provide the Services as described in our Terms of Service. We act as a Data Processor (under GDPR) and Data Fiduciary (under DPDPA) with respect to Customer Data.
Communications
We collect information when you:
Contact our support team via email, chat, or phone
Participate in surveys, questionnaires, or feedback forms
Subscribe to newsletters or marketing communications
Engage with our content or social media
Attend webinars, training sessions, or events
Provide testimonials or case study information
1.2 Information Collected Automatically
Usage Information
We automatically collect information about your use of the Services, including:
Pages visited and features accessed
Time spent on the Platform and session duration
Click patterns and navigation paths
Search queries and filters used
Projects created and configurations modified
API calls and integration usage
Error messages and system logs
Performance metrics and response times
Feature adoption and usage patterns
Device and Technical Information
We collect:
IP address and geolocation data (country/city level)
Browser type, version, and language settings
Operating system and device type
Screen resolution and display settings
Referring URLs and exit pages
Time zone and access timestamps
Mobile device identifiers (for mobile applications)
Network information and connection type
Cookies and Tracking Technologies
We use cookies, web beacons, local storage, and similar tracking technologies to enhance your experience and gather information about usage patterns. Types of cookies we use include:
Essential Cookies: Required for the Platform to function properly (e.g., authentication, security, session management)
Performance Cookies: Help us understand how you use the Platform and improve performance
Functional Cookies: Remember your preferences and settings
Analytics Cookies: Provide usage statistics and insights (e.g., Google Analytics, Mixpanel)
Advertising Cookies: Used for targeted advertising and remarketing (only with your consent)
Cookie Management: You can control cookie preferences through your browser settings or our cookie preference center. However, disabling certain essential cookies may limit Platform functionality.
For detailed information about our cookie practices, please refer to our separate Cookie Policy.
1.3 Information from Third Parties
We may receive information about you from third-party sources, including:
Authentication providers (e.g., Google Workspace, Microsoft Azure AD, Okta, OAuth providers)
Cloud service providers (AWS, Azure, GCP, IBM Cloud)
Data platforms (Snowflake, Databricks, BigQuery)
LLM providers for service integration (OpenAI, Anthropic, Google, etc.)
Payment processors for billing information (Stripe, Razorpay)
Marketing and analytics partners (LinkedIn, Google Ads)
Public databases and data enrichment services
Business partners and resellers
Referral sources and affiliates
1.4 Sensitive Personal Data
We limit collection of sensitive personal data. Under certain circumstances, with your explicit consent or as required by law, we may process:
Financial information (credit card details, bank account information - processed by payment processors only)
Health information (only for healthcare-specific use cases with explicit consent and HIPAA compliance)
Biometric data (only for authentication purposes in enterprise deployments, with explicit consent)
Government-issued identification numbers (only for compliance and verification purposes)
Special Protections: Sensitive personal data receives enhanced security measures including encryption, access controls, and audit logging. We do not use sensitive data for profiling, automated decision-making, or marketing purposes without explicit consent.
2. LEGAL BASIS FOR PROCESSING
We process your personal data based on the following legal grounds:
2.1 Consent
We process personal data with your explicit, informed, and freely given consent for:
Marketing communications and newsletters
Optional features and integrations
Use of company logo in marketing materials
Participation in case studies and testimonials
Processing of sensitive personal data
Cookies and tracking technologies (where required by law)
Withdrawal of Consent: You may withdraw your consent at any time by contacting support@elsai.ai or through your account settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
2.2 Contractual Necessity
We process personal data when necessary to perform our contract with you, including:
Providing access to the Platform and Services
Processing transactions and billing
Customer support and technical assistance
Account management and authentication
Service delivery and performance
2.3 Legitimate Interests
We process personal data based on our legitimate interests (or those of third parties), including:
Platform improvement and product development
Security and fraud prevention
Network and information security
Internal business operations and analytics
Merger, acquisition, or business restructuring activities
Legal compliance and regulatory reporting
We balance our legitimate interests against your rights and freedoms, and you have the right to object to processing based on legitimate interests.
2.4 Legal Obligations
We process personal data to comply with legal and regulatory obligations, including:
Tax and accounting requirements
Regulatory reporting and audits
Court orders and legal processes
Anti-money laundering and know-your-customer requirements
Data breach notification obligations
Record-keeping requirements
2.5 Specified Legitimate Uses (DPDPA)
Under India's DPDPA, we may process personal data without consent for the following legitimate uses:
Voluntary disclosure by data principal for a specified purpose
Compliance with legal obligations and court orders
Employment and recruitment purposes
Medical emergencies, epidemics, and disaster response
Protection against fraudulent, malicious, or unlawful activities
Provision of government services and benefits
Processing publicly available personal data
3. HOW WE USE YOUR INFORMATION
We use the collected information for the following purposes:
3.1 Service Provision and Operations
Provide, operate, and maintain the Platform
Process and execute AI agent operations
Monitor system performance and ensure reliability
Provide customer support and respond to inquiries
Process billing and payments
Manage user accounts and authentication
Enable integrations with third-party services
Generate usage reports and analytics dashboards
Fulfill contractual obligations
3.2 Platform Improvement and Development
Analyze usage patterns to improve features and functionality
Develop new products, services, and features
Conduct research and analytics
Test and optimize platform performance
Debug issues and fix technical problems
Enhance user experience and interface design
Train and improve AI/ML models (only with aggregated, anonymized data)
3.3 Security and Compliance
Detect, prevent, and respond to security incidents
Monitor for fraudulent or unauthorized activity
Enforce our Terms of Service and policies
Comply with legal obligations and regulatory requirements
Maintain audit trails and compliance documentation
Protect the rights, property, and safety of users and the Company
Conduct security assessments and vulnerability testing
Implement access controls and authentication measures
3.4 Communications and Marketing
Send service-related announcements and updates
Provide customer support and technical assistance
Send newsletters and promotional materials (with consent)
Conduct surveys and gather feedback
Invite you to events, webinars, and training sessions
Display your company logo in customer showcases (with work email signup, opt-out available)
Send product updates and feature announcements
Provide onboarding and training resources
Company Logo Usage: When you register using your work email address, you grant us permission to display your company logo and name in our customer lists, marketing materials, and website. You may opt out of this at any time by emailing support@elsai.ai.
3.5 Aggregated and Anonymized Data
We may use aggregated, de-identified, or anonymized data that cannot reasonably identify you or your organization for:
Industry benchmarking and trend analysis
Product development and improvement
Academic research and publications
Public reporting and statistics
Marketing and promotional purposes
AI/ML model training and improvement
This aggregated data is not considered personal information and may be used and shared without restriction, subject to applicable anonymization standards.
3.6 Automated Decision-Making and Profiling
We use limited automated decision-making for:
Fraud detection and prevention
Security threat assessment
Usage-based recommendations
Platform performance optimization
Your Rights: You have the right to request human review of automated decisions that significantly affect you. Contact support@elsai.ai to exercise this right.
We do NOT use automated decision-making for:
Credit decisions or financial assessments
Employment decisions
Profiling for discriminatory purposes
Significant decisions affecting your legal rights without human oversight
4. HOW WE SHARE YOUR INFORMATION
We do not sell, rent, or trade your personal information. We may share your information in the following circumstances:
4.1 Service Providers and Partners
We may share information with trusted third-party service providers who assist us in operating the Platform, including:
Cloud infrastructure providers (AWS, Azure, GCP, IBM Cloud)
Data storage and database services
Payment processors and billing services (Stripe, Razorpay)
Email and communication platforms (SendGrid, Twilio)
Analytics and monitoring tools (Google Analytics, Mixpanel, DataDog)
Customer support software (Zendesk, Intercom)
Security and fraud prevention services
LLM and AI model providers (100+ integrations)
Content delivery networks (CDNs)
Authentication and identity management services
These service providers are contractually obligated to:
Use your information only as necessary to provide services to us
Maintain confidentiality and security of your data
Comply with applicable data protection laws
Not use data for their own purposes
Return or delete data upon termination of services
Data Processing Agreements (DPA): We maintain signed DPAs with all service providers processing personal data on our behalf.
4.2 Third-Party Integrations
When you enable third-party integrations (such as Snowflake, Databricks, or specific LLM providers), we may share relevant data with those services to facilitate the integration. Data sharing is:
Limited to what is necessary for the integration to function
Governed by the third party's privacy policy and terms
Subject to your explicit authorization
Configurable based on your integration settings
Documented in integration-specific consent flows
You are responsible for reviewing and accepting the privacy practices of third-party services you integrate with the Platform.
4.3 Business Transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, your information may be transferred as part of that transaction. We will:
Notify you via email at least 30 days before transfer
Post a prominent notice on the Platform
Provide information about the new entity's privacy practices
Give you the opportunity to delete your account before transfer
Ensure the receiving party agrees to honor this Privacy Policy
4.4 Legal Requirements and Protection
We may disclose your information if required to do so by law or in response to:
Valid legal process (e.g., subpoenas, court orders, warrants)
Government or regulatory requests
Law enforcement investigations
National security requirements
Protection of our rights, property, or safety
Protection of users' rights, property, or safety
Detection, prevention, or investigation of fraud or security issues
Enforcement of our Terms of Service or other agreements
Protection against legal liability
Legal Disclosure Principles: We will:
Verify the legal basis for disclosure requests
Notify affected users when legally permitted
Disclose only the minimum information necessary
Challenge overbroad or unlawful requests
Maintain a transparency report of disclosure requests (upon request for enterprise customers)
4.5 With Your Consent
We may share your information for purposes not described in this Privacy Policy with your explicit, informed consent. We will:
Clearly explain the purpose and recipients of sharing
Obtain separate consent for each new purpose
Allow you to withdraw consent at any time
4.6 Company Logo and Case Studies
As mentioned in our Terms of Service, when you register using your work email address, we may display your company logo and name in:
Customer lists and testimonials on our website
Marketing materials and presentations
Case studies and success stories (with additional consent)
Conference materials and promotional content
Press releases and media communications
To opt out of logo usage, email support@elsai.ai. For case studies involving detailed information about your use of the Platform, we will obtain explicit written consent and provide you with approval rights before publication.
4.7 Public Information
Information you choose to make public through the Platform (such as public profiles, community forums, or shared projects) may be accessible to other users and the public. Exercise caution when sharing information publicly.
5. DATA STORAGE AND SECURITY
5.1 Data Location
Primary Data Center: United States
Data storage locations vary by Service Plan:
Indie Developer, Startup, and Enterprise plans: Data stored in US-based cloud infrastructure (elsai managed)
Advanced Enterprise plan: Customers may choose:
- US-based cloud storage
- EU-based cloud storage (for GDPR compliance)
- India-based cloud storage (for DPDPA compliance)
- Asia-Pacific regional storage
- Hybrid deployment (SaaS portal + customer VPC)
- Self-hosted deployment (fully customer-managed infrastructure)
For Advanced Enterprise customers, data residency can be configured to meet specific regulatory and compliance requirements.
Data Localization: For Indian users, we maintain the ability to store data within India as required by DPDPA and other applicable regulations.
5.2 Data Retention
We retain information for as long as necessary to provide the Services and fulfill the purposes outlined in this Privacy Policy. Retention periods vary by data type and Service Plan:
Standard Retention Periods
Data Type | Retention Period | Legal Basis |
Account Information | Active + 3 years | Legal/Operational |
Customer Data | Plan-specific (7d-1y) + 30d | Contractual |
Usage Logs | 90 days to 1 year | Operational/Security |
Billing Records | 7 years | Tax/Accounting |
Security Logs | Up to 2 years | Security/Compliance |
Support Communications | 3 years after resolution | Customer Service |
Marketing Consent | Until withdrawal | Consent |
Backup Data | 90 days | Business Continuity |
Table 1: Data retention periods by category
Retention After Account Closure
Customer Data: Retained for 30 days for retrieval, then permanently deleted
Account Information: Retained for 90 days, then anonymized or deleted
Billing Records: Retained for 7 years for tax and legal compliance
Security Logs: Retained per security policy (up to 2 years)
Data Deletion
You may request immediate deletion of your data by contacting support@elsai.ai. We will:
Confirm your identity and authorization
Delete personal data within 30 days of verification
Permanently delete Customer Data from active systems within 30 days
Remove data from backup systems within 90 days
Retain only data required for legal, regulatory, or legitimate business purposes
Permanent Deletion: Deleted data is overwritten and cannot be recovered.
5.3 Security Measures
We implement comprehensive, industry-standard security measures to protect your information:
Technical Safeguards
Encryption:
Data encrypted in transit using TLS 1.3 (minimum TLS 1.2)
Data encrypted at rest using AES-256 encryption
End-to-end encryption for sensitive data transfers
Secure key management using hardware security modules (HSM)
Access Controls:
Role-based access control (RBAC) with least privilege principle
Multi-factor authentication (MFA) for all accounts
Single sign-on (SSO) support for enterprise customers
Regular access reviews and deprovisioning
IP whitelisting and geofencing (Advanced Enterprise)
Network Security:
Next-generation firewalls and intrusion detection/prevention systems (IDS/IPS)
DDoS protection and traffic filtering
Virtual private networks (VPN) for administrative access
Network segmentation and zero-trust architecture
Web application firewall (WAF) protection
Application Security:
Regular security testing and penetration testing (annual minimum)
Vulnerability assessments and remediation
Secure code reviews and static/dynamic analysis
Security-focused software development lifecycle (SDLC)
API security and rate limiting
Input validation and output encoding
Organizational Safeguards
Data Governance:
Logical separation of customer data in multi-tenant environments
Data classification and handling procedures
Privacy by design and by default
Data protection impact assessments (DPIA) for high-risk processing
Personnel Security:
Background checks for employees with data access
Regular security awareness training for all personnel
Confidentiality and non-disclosure agreements
Strict access provisioning and deprovisioning procedures
Monitoring and Response:
24/7 security monitoring and incident response
Security information and event management (SIEM)
Automated threat detection and alerting
Regular security audits and assessments
Compliance and Certification:
Third-party security assessments and compliance audits
SOC 2 Type II certification (in progress)
ISO 27001 information security management
HIPAA compliance (Advanced Enterprise)
Regular compliance monitoring and reporting
Physical Safeguards
Data centers with 24/7 physical security and monitoring
Biometric access controls and video surveillance
Environmental controls (fire suppression, climate control)
Redundant power and network connectivity
Disaster recovery and business continuity planning
5.4 Incident Response
In the event of a data breach or security incident that affects your personal information, we will:
Immediate Response (0-24 hours)
Contain and investigate the incident
Assess scope, impact, and affected data
Engage incident response team and security experts
Document all actions taken
Notification (24-72 hours)
Notify affected users within 72 hours of discovery (as required by GDPR, DPDPA)
Notify relevant regulatory authorities as required:
- Data Protection Board of India (DPDPA)
- EU supervisory authorities (GDPR)
- State attorneys general (US state laws)
Provide details about:
- Nature of the breach and affected data
- Likely consequences and risks
- Measures taken to address the breach
- Protective measures you can take
- Contact information for further assistance
Remediation and Prevention
Implement measures to prevent future incidents
Conduct post-incident review and root cause analysis
Update security controls and procedures
Provide affected users with identity protection services (if warranted)
Security Incident Reporting: You can report security concerns to security@elsai.ai. We maintain a bug bounty program for responsible disclosure.
5.5 Data Backup and Recovery
We maintain regular automated backups of Customer Data to ensure business continuity and disaster recovery. Backup policies vary by Service Plan:
Standard plans: Daily incremental backups, retained per plan specifications
Advanced Enterprise: Custom backup frequency and retention policies
Geographic redundancy: Backups stored in multiple geographic locations
Encryption: All backups are encrypted using AES-256
Testing: Regular disaster recovery testing (quarterly minimum)
Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO):
Standard plans: RTO 24-48 hours, RPO 24 hours
Advanced Enterprise: Custom RTO/RPO based on SLA agreements
6. YOUR RIGHTS AND CHOICES
We respect your rights regarding your personal data. You have the following rights:
6.1 Right to Access
You have the right to:
Confirm whether we process your personal data
Access your personal information we hold
Receive information about processing purposes and recipients
Request copies of your data in a readable format
How to Exercise: Log in to your account and access the "Data & Privacy" section, or contact support@elsai.ai.
Response Time: We will respond within 30 days (DPDPA, CCPA) or 1 month (GDPR).
6.2 Right to Correction/Rectification
You have the right to:
Correct inaccurate or incomplete information
Update your account and profile information
Request correction of erroneous data
How to Exercise: Update information through your account settings or contact support@elsai.ai.
6.3 Right to Deletion/Erasure
You have the right to request deletion of your personal data when:
Data is no longer necessary for the purposes for which it was collected
You withdraw consent (where processing is based on consent)
You object to processing and no overriding legitimate grounds exist
Data was unlawfully processed
Legal obligation requires deletion
Exceptions: We may retain data when required for:
Legal compliance or obligations
Establishment, exercise, or defense of legal claims
Legitimate business purposes (e.g., fraud prevention)
Contractual obligations
How to Exercise: Contact support@elsai.ai or use the account deletion option in settings.
Deletion Timeline: Data is deleted from active systems within 30 days and from backups within 90 days.
6.4 Right to Data Portability
You have the right to receive your Customer Data in a structured, commonly used, and machine-readable format. You can:
Export Customer Data in JSON, CSV, or XML format through the Platform interface
Use our API to programmatically retrieve your data
Request a complete data export by contacting support@elsai.ai
Transfer data directly to another service provider (where technically feasible)
Data Included: Account information, Customer Data, usage history, and configuration settings.
Format Options: JSON, CSV, XML, or other standard formats.
Delivery: We will provide the data export within 30 days of your request via secure download link or API access.
6.5 Right to Restrict Processing
You have the right to restrict processing of your personal data when:
You contest the accuracy of the data
Processing is unlawful but you oppose deletion
We no longer need the data but you require it for legal claims
You have objected to processing pending verification of legitimate grounds
How to Exercise: Contact support@elsai.ai with specific restrictions requested.
6.6 Right to Object
You have the right to object to processing of your personal data:
Based on legitimate interests (including profiling)
For direct marketing purposes (including profiling)
For scientific, historical research, or statistical purposes
How to Exercise: Contact support@elsai.ai or use opt-out mechanisms in marketing communications.
Effect: We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
6.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to:
Withdraw consent at any time
Withdraw consent as easily as it was given
Not face negative consequences for withdrawal
How to Exercise: Contact support@elsai.ai, use account settings, or click "unsubscribe" in emails.
Effect: Withdrawal does not affect lawfulness of processing before withdrawal.
6.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe we have processed your personal data unlawfully.
Relevant Authorities:
India: Data Protection Board of India (https://www.dataprotection.gov.in)
EU/EEA: Your local supervisory authority (https://edpb.europa.eu/about-edpb/board/members_en)
UK: Information Commissioner's Office (https://ico.org.uk)
US (California): California Attorney General (https://oag.ca.gov)
We encourage you to contact us first at support@elsai.ai so we can address your concerns directly.
6.9 Marketing Communications
You can control marketing communications by:
Clicking "unsubscribe" in any marketing email
Adjusting email preferences in your account settings
Contacting us at support@elsai.ai
Opting out through our preference center
Even if you opt out of marketing communications, we will still send you:
Service-related announcements (e.g., maintenance notifications)
Billing and account-related messages
Security alerts and important updates
Responses to your support inquiries
Legal notices and policy updates
6.10 Cookie Management
You can control cookies through:
Browser settings (most browsers allow you to refuse or delete cookies)
Cookie preference center on our website
Opt-out mechanisms for specific third-party cookies (e.g., Google Analytics opt-out browser add-on)
Mobile device settings for app-based tracking
Note: Disabling certain cookies may affect Platform functionality. Essential cookies required for security and authentication cannot be disabled.
For more information, see our Cookie Policy.
6.11 Do Not Track and Global Privacy Control
Do Not Track (DNT): Some browsers have "Do Not Track" features. At this time, there is no universally accepted standard for how to respond to DNT signals. We do not currently respond to DNT browser signals.
Global Privacy Control (GPC): We recognize and respond to Global Privacy Control signals for users in jurisdictions where legally required (e.g., California, Colorado). When we detect a GPC signal, we will treat it as an opt-out of sale/sharing of personal information.
6.12 Exercising Your Rights
Identity Verification: To protect your privacy and security, we will verify your identity before fulfilling rights requests. We may request:
Email confirmation
Account credentials
Government-issued identification (for sensitive requests)
Answers to security questions
No Fee: We do not charge a fee for exercising your rights unless requests are manifestly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable administrative fee or refuse the request.
Response Timeline:
GDPR: Within 1 month (extendable to 3 months for complex requests)
DPDPA: Within reasonable time (typically 30 days)
CCPA: Within 45 days (extendable to 90 days)
Contact Information: To exercise any of your rights, contact:
Email: support@elsai.ai
Subject Line: "Data Rights Request - [Your Right]"
Include: Your name, email address, and specific request
7. COMPLIANCE AND REGULATORY FRAMEWORKS
Our compliance capabilities vary by Service Plan. Advanced Enterprise customers can access comprehensive compliance frameworks and certifications.
7.1 GDPR Compliance (Advanced Enterprise)
For customers subject to the European General Data Protection Regulation (GDPR), Advanced Enterprise plans provide full compliance support.
Legal Basis for Processing
Contractual necessity: Processing required to provide the Services
Legitimate interests: Platform improvement, security, and fraud prevention
Consent: Marketing communications and optional features
Legal obligations: Compliance with applicable laws
GDPR Rights
EU data subjects have additional rights under GDPR (see Section 6 for detailed descriptions):
Right to access and obtain confirmation of data processing
Right to rectification of inaccurate or incomplete data
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to data portability
Right to object to processing
Right to withdraw consent
Right not to be subject to automated decision-making
Right to lodge a complaint with supervisory authorities
Data Protection Impact Assessment (DPIA)
We conduct DPIAs for high-risk processing activities, including:
Large-scale processing of sensitive data
Systematic monitoring of public areas
Automated decision-making with legal effects
Processing of special categories of data
Cross-border data transfers
Data Processing Addendum (DPA)
Available for Advanced Enterprise customers upon request. The DPA includes:
Processing instructions and limitations
Security measures and safeguards
Sub-processor authorization
Data subject rights assistance
Audit and inspection rights
Breach notification procedures
Data return and deletion obligations
EU Representative
For customers in the EU, please contact support@elsai.ai for information about our EU representative (if appointed under GDPR Article 27).
Contact: support@elsai.ai
7.2 CCPA and US State Privacy Laws Compliance
For residents of California and other US states with comprehensive privacy laws, we comply with applicable requirements.
CCPA (California Consumer Privacy Act)
Categories of Personal Information Collected:
Category | Examples | Collected |
Identifiers | Name, email, IP address | Yes |
Commercial information | Billing history, subscription | Yes |
Internet activity | Usage logs, browsing behavior | Yes |
Geolocation data | Country, city-level location | Yes |
Professional information | Job title, company name | Yes |
Inferences | Preferences, characteristics | Yes |
Sensitive personal info | Financial account credentials | Limited |
Table 2: Categories of personal information collected under CCPA
Your CCPA Rights
Right to Know: Request details about personal information collected, used, disclosed, or sold in the past 12 months, including:
- Categories and specific pieces of personal information
- Categories of sources
- Business or commercial purposes
- Categories of third parties with whom we share data
Right to Delete: Request deletion of personal information (subject to exceptions for legal compliance, fraud prevention, etc.)
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out: Opt out of "sale" or "sharing" of personal information
- Important: We do NOT sell personal information for monetary consideration
- We may "share" information with analytics and advertising partners (you can opt out)
Right to Limit Use of Sensitive Personal Information: Direct us to limit use of sensitive personal information to purposes necessary to provide services
Right to Non-Discrimination: Equal service and pricing regardless of exercising CCPA rights
Authorized Agent: You may designate an authorized agent to submit requests on your behalf
How to Submit CCPA Requests:
Email: support@elsai.ai
Online: Privacy request form at https://www.elsai.ai/privacy-request
Phone: Available on request for accessibility
Verification: We will verify your identity using email confirmation and account credentials. For sensitive requests, we may require additional verification.
Response Time: Within 45 days (extendable to 90 days for complex requests).
No Sale of Personal Information: We do not sell personal information for monetary consideration. We may share information with advertising and analytics partners; you can opt out of this sharing at https://www.elsaifoundry.ai/privacy/opt-out.
Other US State Privacy Laws
We comply with comprehensive privacy laws in the following states:
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CTDPA)
Utah Consumer Privacy Act (UCPA)
Virginia Consumer Data Protection Act (VCDPA)
Montana Consumer Data Privacy Act (MCDPA)
Oregon Consumer Privacy Act (OCPA)
Texas Data Privacy and Security Act (TDPSA)
Delaware Personal Data Privacy Act (DPDPA-DE)
Iowa Consumer Data Protection Act (ICDPA)
Indiana Consumer Data Protection Act (INCDPA)
Tennessee Information Protection Act (TIPA)
Kentucky Consumer Data Protection Act (KYCDPA)
Rhode Island Data Transparency and Privacy Act (RIDTPA)
Nebraska Data Privacy Act (NDPA)
Universal Opt-Out Mechanisms: We recognize and honor universal opt-out mechanisms, including Global Privacy Control (GPC) signals.
Consumer Health Data Privacy
For processing of consumer health data (as defined under applicable state laws), we implement additional protections:
Enhanced consent requirements
Heightened security measures
Restricted disclosure and sharing
No sale or sharing without explicit consent
Compliance with state-specific health data requirements
7.3 India DPDPA Compliance
For users in India, we comply with the Digital Personal Data Protection Act (DPDPA), 2023 and associated Rules, 2025.
Data Fiduciary Obligations
As a Data Fiduciary under DPDPA, we:
Process personal data lawfully, fairly, and transparently
Collect data only for lawful purposes with valid consent or legitimate use
Ensure data accuracy, completeness, and consistency
Implement appropriate security safeguards
Respond to Data Principal requests within a reasonable time
Notify Data Protection Board of India of breaches
Maintain records of data processing activities
Notice and Consent Requirements
Privacy Notice: This Privacy Policy serves as our privacy notice under DPDPA, containing:
Categories of personal data collected
Purpose for which data will be processed
Manner in which consent may be withdrawn
Grievance redressal mechanisms
Contact information for Data Protection Officer
Consent Characteristics: Consent obtained is:
Free, specific, informed, unconditional, and unambiguous
With clear affirmative action
For specified purposes only
Separate for each purpose
Easily withdrawable
Consent Management: We support consent management through:
Clear consent requests at point of collection
Granular consent options for different purposes
Easy withdrawal mechanisms in account settings
Consent records and audit trails
Support for registered Consent Managers (as available)
Data Principal Rights Under DPDPA
Right to Access: Obtain a summary of the personal data being processed and of the processing activities
Right to Correction: Correct, complete, or update inaccurate or misleading personal data
Right to Erasure: Request erasure of personal data (subject to legal retention requirements)
Right to Grievance Redressal: File grievances regarding data processing
Right to Nominate: Nominate another individual to exercise rights in case of death or incapacity
Exercising Rights: Contact support@elsaifoundry.ai or use our online request form. We will respond within a reasonable time (typically 30 days).
Data Breach Notification (DPDPA)
In the event of a personal data breach, we will:
Immediate Actions:
Investigate and assess the breach
Contain and remediate the incident
Notification to Data Principals (Without Delay):
Description of the breach (nature, extent, timing)
Likely consequences for Data Principals
Mitigation measures implemented
Recommended safety steps for Data Principals
Contact information for authorized person
Notification to Data Protection Board of India:
Initial intimation without delay
Detailed report within 72 hours containing:
- Comprehensive breach information
- Facts, circumstances, and reasons
- Impact assessment
- Remediation actions taken
Special Protections for Children
We do not knowingly process personal data of children under 18 without verifiable parental consent. If we discover we have inadvertently collected data from a child under 18 without proper consent, we will delete it promptly.
Prohibited for Children:
Behavioral monitoring and tracking
Targeted advertising
Profiling and automated decision-making
Parental Rights: Parents and legal guardians may:
Provide, withdraw, or manage consent on behalf of children
Request access to child's data
Request correction or deletion of child's data
Significant Data Fiduciary (SDF) Obligations
If classified as a Significant Data Fiduciary by the Data Protection Board of India, we will additionally:
Appoint a Data Protection Officer based in India
Appoint an independent Data Auditor
Conduct periodic data protection impact assessments
Conduct annual data audits
Implement enhanced security measures
Data Localization and Cross-Border Transfers
We maintain capability to store Indian users' data within India
Cross-border transfers comply with DPDPA requirements
Transfers only to countries approved by Central Government (when restrictions apply)
Appropriate safeguards for international data transfers
Grievance Redressal Mechanism
Internal Grievance Officer:
Name: Data Protection Officer
Email: support@elsaifoundry.ai
Address: 129B, East Coast Road, Thiruvanmiyur, Chennai - 600041, Tamil Nadu, India
Grievance Process:
Submit grievance via email or online form
Acknowledgment within 72 hours
Investigation and resolution within 30 days
Communicate outcome and actions taken
Data Protection Board of India: If unsatisfied with our resolution, you may file a complaint with the Data Protection Board of India at https://www.dataprotection.gov.in.
7.4 HIPAA Compliance (Advanced Enterprise Only)
For customers processing Protected Health Information (PHI), HIPAA compliance is available exclusively on Advanced Enterprise plans.
Requirements for HIPAA Compliance
Business Associate Agreement (BAA): Must be executed before processing PHI
Infrastructure: Deployment in HIPAA-compliant infrastructure
- Dedicated cloud environment
- Enhanced encryption and access controls
- Comprehensive audit logging
Safeguards: Implementation of required technical, physical, and administrative safeguards per 45 CFR Parts 160, 162, and 164
Breach Notification: Procedures compliant with HIPAA Breach Notification Rule
Employee Training: HIPAA privacy and security training for all personnel with PHI access
Risk Assessments: Annual HIPAA risk assessments and remediation
To Enable HIPAA Compliance: Contact support@elsaifoundry.ai to discuss your requirements and execute the necessary Business Associate Agreement.
PHI Processing: We will NOT process PHI without a signed BAA and HIPAA-compliant infrastructure configuration.
7.5 SOC 2 and ISO 27001 (Advanced Enterprise)
Advanced Enterprise customers benefit from our security and compliance certifications:
SOC 2 Type II: Independent audit of security, availability, processing integrity, confidentiality, and privacy controls based on AICPA Trust Services Criteria (in progress - expected completion Q2 2026)
ISO 27001: Information security management system certification demonstrating systematic approach to managing sensitive information (certification in progress)
Audit Reports: Available to Advanced Enterprise customers under NDA. Contact support@elsaifoundry.ai to request access.
7.6 Industry-Specific Compliance
We support industry-specific compliance requirements for Advanced Enterprise customers:
Financial Services: PCI DSS, SOX, GLBA, FCRA compliance support
Healthcare: HIPAA, HITECH, FDA 21 CFR Part 11 compliance
Government: FedRAMP, FISMA, ITAR compliance (roadmap)
Education: FERPA, COPPA compliance support
Legal: Attorney-client privilege and work product protections
7.7 AI and Algorithmic Transparency
In compliance with emerging AI regulations and ethical standards:
AI System Transparency: We disclose when AI systems are used for automated decision-making
Algorithmic Fairness: We conduct bias assessments and fairness testing on AI models used in the Platform
Human Oversight: Significant decisions involving personal data include a human review option
Explainability: We provide explanations of AI-driven decisions upon request (where technically feasible)
AI Training Data: Customer Data is NOT used to train third-party AI models without explicit consent
- You can opt out of using your data for our internal model improvement
- We maintain separate data processing for AI training purposes
7.8 Other Jurisdictions
We strive to comply with applicable privacy laws in all jurisdictions where we operate, including:
Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
Australia: Privacy Act 1988 and Australian Privacy Principles (APPs)
Brazil: Lei Geral de Proteção de Dados (LGPD)
Singapore: Personal Data Protection Act (PDPA)
Japan: Act on the Protection of Personal Information (APPI)
South Korea: Personal Information Protection Act (PIPA)
South Africa: Protection of Personal Information Act (POPIA)
If you are located outside the US, EU, or India and have specific privacy concerns or requirements, please contact support@elsaifoundry.ai.
8. INTERNATIONAL DATA TRANSFERS
The Platform is operated from India, with data primarily stored in the United States. If you access the Services from outside these regions, your information may be transferred to, stored in, and processed in countries that may have different data protection laws than your country of residence.
8.1 Data Transfer Mechanisms
For international data transfers, we rely on appropriate safeguards and legal mechanisms:
Standard Contractual Clauses (SCCs)
European Commission-approved Standard Contractual Clauses for EU data transfers
UK International Data Transfer Agreement (IDTA) for UK transfers
Supplementary measures to address data protection gaps
Adequacy Decisions
Transfers to countries deemed adequate by relevant authorities:
EU adequacy decisions (e.g., EEA countries, UK, Switzerland)
DPDPA approved countries (as designated by Indian Government)
Binding Corporate Rules (BCRs)
Internal data protection policies for intra-group transfers (planned for future implementation)
Explicit Consent
Your consent for specific transfers where applicable
Separate consent for sensitive data transfers
Contractual Necessity
Transfers necessary to fulfill our contract with you
Transfers necessary to implement pre-contractual measures
Customer-Controlled Infrastructure
Advanced Enterprise customers can deploy in their preferred region
Data residency options: US, EU, India, APAC, or self-hosted
Ensures compliance with local data localization requirements
8.2 Safeguards for International Transfers
Regardless of where data is processed, we maintain appropriate safeguards including:
Technical Safeguards:
Encryption of data in transit (TLS 1.3) and at rest (AES-256)
Pseudonymization and anonymization where appropriate
Access controls and authentication requirements
Secure data transfer protocols
Organizational Safeguards:
Contractual obligations with service providers
Data processing agreements with third parties
Regular security assessments and audits
Incident response and breach notification procedures
Legal Safeguards:
Compliance with applicable data protection laws
Transparency about government data requests
Legal challenges to overbroad data requests
Notification to affected users (where legally permitted)
8.3 Supplementary Measures
In light of the Schrems II decision and evolving data transfer landscape, we implement supplementary measures for EU data transfers:
Case-by-case assessment of destination country laws
Enhanced encryption and access controls
Technical measures to prevent government access
Legal measures including transparency and challenge mechanisms
Organizational measures including policies and training
8.4 Data Localization Options
For customers with specific data residency requirements, we offer:
Region | Availability |
United States | Standard plans |
European Union | Advanced Enterprise |
India | Advanced Enterprise |
Asia-Pacific | Advanced Enterprise |
Customer VPC | Advanced Enterprise |
Self-hosted | Advanced Enterprise |
Table 3: Data residency options by service plan
Contact support@elsaifoundry.ai to configure data residency settings.
9. CHILDREN'S PRIVACY
The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18 without verifiable parental consent.
9.1 Age Verification
We require users to confirm they are 18 years or older during registration
We implement age-gating mechanisms where appropriate
We may request additional verification for accounts showing indicators of underage use
9.2 Parental Consent (Under DPDPA)
For Indian users, if processing personal data of children under 18:
We obtain verifiable parental consent before collection
We provide clear notice to parents about data practices
Parents may review, correct, or delete their child's data
Parents may revoke consent at any time
Verification Methods:
Parental authorization forms
Payment card verification (small charge and refund)
Government-issued identification
Video conference verification
9.3 Prohibited Practices for Children
We do NOT engage in the following practices with respect to children under 18:
Behavioral monitoring and tracking
Targeted advertising based on personal data
Profiling for marketing purposes
Sale or sharing of children's personal data
Collection of more data than necessary
9.4 Inadvertent Collection
If you believe we have inadvertently collected information from a child under 18 without proper parental consent, please contact us immediately at support@elsaifoundry.ai. We will:
Verify the report and investigate
Cease processing the data
Delete the data within 30 days
Notify the parent or guardian
Parents and guardians who believe their child has provided personal information to us should contact us to request deletion.
10. THIRD-PARTY LINKS AND SERVICES
The Platform may contain links to third-party websites, applications, or services that are not operated by us. This Privacy Policy does not apply to third-party services.
10.1 Third-Party Privacy Practices
We are not responsible for the privacy practices of third parties. Third-party services have their own privacy policies and terms of service.
We encourage you to review the privacy policies of any third-party services before providing them with your information.
10.2 Third-Party Services We Integrate
Third-party services include:
Cloud Providers: AWS, Azure, GCP, IBM Cloud
Data Platforms: Snowflake, Databricks, BigQuery
LLM Providers: OpenAI, Anthropic, Google, Cohere, Mistral, and 100+ others
Payment Processors: Stripe, Razorpay, PayPal
Analytics Tools: Google Analytics, Mixpanel, Amplitude
Communication Services: SendGrid, Twilio, Zendesk
Authentication Providers: Google, Microsoft, Okta
10.3 Data Sharing with Third Parties
When you enable integrations with third-party services:
You authorize data sharing according to the integration configuration
Data sharing is governed by the third party's privacy policy
You can review and modify integration permissions in your account settings
You can revoke third-party access at any time
We provide transparency about data sharing through:
Integration authorization screens showing requested permissions
Data flow documentation for each integration
Activity logs showing third-party data access
10.4 Third-Party Cookies and Tracking
Third parties may use cookies and tracking technologies on our Platform:
Analytics: Google Analytics, Mixpanel
Advertising: Google Ads, LinkedIn Ads (with your consent)
Support: Intercom, Zendesk chat widgets
You can control third-party tracking through:
Browser cookie settings
Opt-out mechanisms (e.g., Google Analytics opt-out add-on)
Our cookie preference center
11. CALIFORNIA PRIVACY RIGHTS ("SHINE THE LIGHT")
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes.
Our Practice: We do not share personal information with third parties for their direct marketing purposes without your explicit consent.
If you are a California resident and would like to make such a request, please contact us at support@elsaifoundry.ai.
12. NEVADA PRIVACY RIGHTS
Nevada residents have the right to opt out of the sale of certain covered information collected about them. We do not sell covered information as defined under Nevada law.
If you are a Nevada resident and would like to make such a request, please contact us at support@elsaifoundry.ai.
13. ACCESSIBILITY
We are committed to making our Privacy Policy accessible to all users, including those with disabilities.
13.1 Accessibility Features
Screen reader compatibility
Keyboard navigation support
High contrast mode support
Plain language explanations
Clear document structure and headings
13.2 Alternative Formats
If you require this Privacy Policy in an alternative format (e.g., large print, audio, Braille), please contact support@elsaifoundry.ai. We will provide the requested format within 30 days at no charge.
13.3 Accessibility Assistance
For assistance with privacy-related matters due to disability, contact:
Email: support@elsaifoundry.ai
Phone: Available upon request
Video relay services: Supported
14. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
14.1 Notification of Changes
When we make material changes, we will:
Update the "Last Updated" date at the top of this Privacy Policy
Notify you via email to the address associated with your account
Display a prominent notice on the Platform
For material changes affecting your rights, provide at least 30 days' notice when commercially reasonable
Post the updated policy on our website with change summary
14.2 Material Changes
Material changes include:
Changes to types of personal data collected
New purposes for processing data
Changes to data sharing practices
Reductions in your rights or protections
Changes to international data transfers
Changes to retention periods
14.3 Acceptance of Changes
Your continued use of the Services after receiving notice of changes constitutes acceptance of the updated Privacy Policy.
If you do not agree to the changes:
You should discontinue use of the Services
You may close your account before changes take effect
You may request deletion of your data
We encourage you to periodically review this Privacy Policy to stay informed about how we protect your information.
14.4 Version History
Previous versions of this Privacy Policy are available upon request at support@elsaifoundry.ai.
15. CONTACT INFORMATION
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
O2V Private Limited (elsai Foundry)
Email Contacts:
General Inquiries: info@elsaifoundry.ai
Privacy and Data Protection: support@elsaifoundry.ai
Security Concerns: security@elsaifoundry.ai
Data Protection Officer: support@elsaifoundry.ai
Mailing Address:
129B, East Coast Road
Thiruvanmiyur
Chennai - 600041
Tamil Nadu, India
Website: https://www.elsaifoundry.ai
Privacy Request Portal: https://www.elsaifoundry.ai/privacy-request
Response Time:
General inquiries: Within 30 days of receipt
GDPR requests: Within 1 month (extendable to 3 months)
DPDPA requests: Within a reasonable time (typically 30 days)
CCPA requests: Within 45 days (extendable to 90 days)
Security incidents: Within 72 hours for critical matters
16. DATA PROTECTION OFFICER
For questions specifically related to data protection and privacy compliance, you may contact our Data Protection Officer (DPO):
Email: support@elsaifoundry.ai
Mailing Address:
Data Protection Officer
O2V Private Limited
129B, East Coast Road
Thiruvanmiyur
Chennai - 600041
Tamil Nadu, India
16.1 DPO Responsibilities
The DPO is responsible for:
Overseeing data protection strategy and compliance
Monitoring compliance with privacy laws and policies
Conducting privacy impact assessments
Serving as the point of contact for data subjects and supervisory authorities
Providing guidance on privacy matters to employees and management
Maintaining records of processing activities
Coordinating data breach response and notification
Conducting privacy training and awareness programs
16.2 Independent Authority
The DPO operates independently and reports directly to senior management. The DPO is not dismissed or penalized for performing their duties.
17. SUPERVISORY AUTHORITY
You have the right to lodge a complaint with a supervisory authority if you believe we have processed your personal data in a manner that violates applicable privacy laws.
17.1 Relevant Supervisory Authorities
India:
Data Protection Board of India
Website: https://www.dataprotection.gov.in
Email: As published by the Board
European Union/EEA:
Your local supervisory authority (based on your habitual residence, place of work, or place of alleged infringement)
List of EU supervisory authorities: https://edpb.europa.eu/about-edpb/board/members_en
United Kingdom:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113
United States (California):
California Privacy Protection Agency
Website: https://cppa.ca.gov
California Attorney General
Website: https://oag.ca.gov
Other US States:
Contact your state Attorney General's office
We encourage you to contact us first at support@elsaifoundry.ai so we can address your concerns directly and promptly.
18. POLICY SCOPE AND INTERPRETATION
18.1 Scope
This Privacy Policy applies to all users of the elsai Foundry Platform and Services, regardless of location or Service Plan, unless otherwise specified.
Where specific provisions apply only to:
Certain Service Plans (e.g., Advanced Enterprise): Clearly indicated in the relevant section
Specific jurisdictions (e.g., GDPR, CCPA, DPDPA): Clearly indicated in the relevant section
18.2 Language and Translation
This Privacy Policy is written in English. In the event of any conflict between the English version and translated versions, the English version shall prevail.
Translations are provided for convenience only and may not reflect the most current updates. Always refer to the English version for the authoritative text.
18.3 Relationship to Other Documents
This Privacy Policy should be read in conjunction with:
Terms of Service
Acceptable Use Policy
Data Processing Agreement (for enterprise customers)
Business Associate Agreement (for HIPAA customers)
Cookie Policy
Service-specific privacy notices or addenda
Service Level Agreements (SLAs)
18.4 Conflicts and Precedence
In the event of any conflict between this Privacy Policy and other agreements:
Privacy and data protection matters: This Privacy Policy prevails
Contractual and commercial matters: Terms of Service and other agreements prevail
Specific agreements: More specific agreements (e.g., DPA, BAA) prevail over general terms
18.5 Severability
If any provision of this Privacy Policy is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be replaced with a valid and enforceable provision that most closely reflects the original intent.
18.6 Waiver
Our failure to enforce any provision of this Privacy Policy shall not constitute a waiver of that provision or any other provision. No waiver shall be effective unless in writing and signed by an authorized representative.
19. ADDITIONAL OBLIGATIONS UNDER DPDPA (INDIA)
For users in India, the following additional obligations apply under the Digital Personal Data Protection Act (DPDPA), 2023:
19.1 Rights of Nomination
You have the right to nominate another individual (nominee) to exercise your rights under DPDPA in the event of your death or incapacity.
How to Nominate:
Submit nomination request to support@elsaifoundry.ai
Provide nominee's name and contact information
Nominee must provide consent to the nomination
Nomination takes effect upon our acknowledgment
Nominee Rights:
Access your personal data
Request correction or erasure
Withdraw consent on your behalf
Exercise any other rights under DPDPA
Changing or Revoking Nomination:
You may change or revoke nomination at any time
Contact support@elsaifoundry.ai with updated nomination details
19.2 Consent Manager Integration
We support integration with Consent Managers registered with the Data Protection Board of India under DPDPA Rules, 2025.
Consent Manager Benefits:
Centralized consent management across multiple Data Fiduciaries
Single platform to give, manage, review, and withdraw consent
Interoperable consent framework
Enhanced transparency and control
Using Consent Managers:
If you have a Consent Manager account, you may link it to your elsai Foundry account
Consent preferences from Consent Manager will be honored
Contact support@elsaifoundry.ai for integration assistance
19.3 Accountability and Transparency
As required under DPDPA, we maintain:
Records of Processing Activities:
Description of data processing operations
Purposes of processing
Categories of data subjects and personal data
Recipients of personal data
Data retention periods
Security measures implemented
Transparency Reports:
Available to users upon request
Includes information about data breach incidents
Government data requests (aggregate statistics)
Data Principal rights requests and responses
Contact support@elsaifoundry.ai to request records or reports.
19.4 Cross-Border Data Transfer Restrictions
Under DPDPA, the Central Government may restrict transfer of personal data to certain countries or territories.
Our Commitment:
We will comply with any transfer restrictions notified by the Government
We will provide Indian users with data localization options if required
We will implement appropriate safeguards for cross-border transfers
We will notify affected users of any changes to data transfer practices
19.5 Exclusions from DPDPA
The following processing activities are excluded from DPDPA requirements:
Personal data made publicly available by you or by any other person under legal obligation
Processing necessary for preventing, detecting, investigating, or prosecuting offenses
Processing for regulatory purposes, recovery of penalty, or tax collection
Issuance of registration certificates, licenses, or permits for specified purposes
Specified judicial, legislative, or other governmental or regulatory purposes
20. DATA MINIMIZATION AND PURPOSE LIMITATION
20.1 Data Minimization
We collect and process only the personal data that is adequate, relevant, and necessary for the specified purposes.
Our Practices:
Collection limited to what is required for service delivery
Regular reviews to identify and eliminate unnecessary data
Default settings minimize data collection
Optional data clearly marked as such
No collection of data for undefined future purposes
20.2 Purpose Limitation
We use personal data only for the purposes disclosed at the time of collection, plus compatible purposes.
Compatible Uses:
Purposes that are closely related to the original purpose
Purposes you would reasonably expect
Purposes that do not override your interests or rights
New Purposes:
Require separate consent or other lawful basis
Will be disclosed with opportunity to object
Subject to privacy impact assessment
20.3 Storage Limitation
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected (see Section 5.2 for detailed retention periods).
Retention Reviews:
Regular reviews of stored data
Automated deletion of expired data
Manual review for legal hold requirements
Documentation of retention decisions
21. PRIVACY BY DESIGN AND BY DEFAULT
We implement privacy by design and by default principles throughout the data lifecycle:
21.1 Privacy by Design
Proactive not reactive: Privacy measures built in from the start
Privacy as default: Maximum privacy settings by default
Privacy embedded: Privacy built into system design and business practices
Full functionality: Privacy without diminishing functionality
End-to-end security: Lifecycle protection from collection to deletion
Visibility and transparency: Open and transparent practices
User-centric: Designed with user privacy interests in mind
21.2 Privacy by Default
Minimal data collection enabled by default
Strictest privacy settings applied automatically
Users must explicitly opt-in for additional data collection
Regular privacy settings reminders
Easy-to-use privacy controls
21.3 Privacy Impact Assessments
We conduct Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) for:
New products or features involving personal data
Significant changes to data processing activities
High-risk processing operations
Processing of sensitive personal data at scale
New technologies with privacy implications
DPIA Process:
Description of processing operations
Assessment of necessity and proportionality
Identification of privacy risks
Mitigation measures
Stakeholder consultation
Documentation and review
22. EMPLOYEE AND CONTRACTOR ACCESS
22.1 Access Controls
Employee and contractor access to personal data is strictly controlled:
Need-to-know basis: Access granted only when necessary for job functions
Least privilege: Minimum access rights required
Regular reviews: Quarterly access rights reviews
Prompt deprovisioning: Immediate access removal upon termination
22.2 Confidentiality Obligations
All employees and contractors with access to personal data are bound by:
Confidentiality agreements
Non-disclosure agreements
Professional secrecy obligations
Code of conduct and ethics policies
Violations: Subject to disciplinary action, termination, and legal consequences.
22.3 Training and Awareness
We provide regular privacy and security training to all personnel:
Onboarding privacy training (mandatory)
Annual privacy refresher training
Role-specific privacy training (for personnel with data access)
Security awareness training
Incident response training
Updates on regulatory changes
Training Topics:
Privacy laws and regulations (GDPR, DPDPA, CCPA)
Data handling best practices
Security measures and protocols
Incident identification and reporting
User rights and response procedures
23. VENDOR MANAGEMENT
23.1 Third-Party Risk Assessment
We conduct thorough privacy and security assessments of vendors and service providers:
Pre-Engagement:
Privacy and security questionnaires
Review of vendor privacy policies and practices
Assessment of data handling capabilities
Evaluation of security controls
References and reputation checks
Ongoing Monitoring:
Annual reassessments
Security audit rights
Incident notification requirements
Performance monitoring
23.2 Contractual Requirements
All vendors processing personal data on our behalf must agree to:
Process data only per our instructions
Implement appropriate security measures
Maintain confidentiality
Assist with data subject rights requests
Notify us of data breaches
Delete or return data upon termination
Allow audits and inspections
Not engage sub-processors without authorization
23.3 Sub-Processor Management
Maintain list of approved sub-processors
Notification before engaging new sub-processors
Opportunity to object to new sub-processors
Same contractual obligations imposed on sub-processors
We remain liable for sub-processor actions
Sub-Processor List: Available at https://www.elsaifoundry.ai/sub-processors or upon request.
24. TRANSPARENCY AND REPORTING
24.1 Transparency Commitments
We are committed to transparency about our data practices:
Clear, plain language privacy communications
Detailed explanations of data processing activities
Transparency about data sharing and third parties
Open communication about privacy incidents
Regular privacy policy updates
24.2 Privacy Reports (Upon Request)
Available to users upon request:
Data Processing Report: Types of data processed, purposes, retention periods
Third-Party Sharing Report: List of third parties receiving your data
Data Subject Rights Report: Summary of rights requests and responses
Security Incident Report: Incidents affecting your data (if any)
Request: Contact support@elsaifoundry.ai to request reports.
24.3 Transparency Reports (Public)
We publish periodic transparency reports (annually) containing:
Number and types of government data requests
Number of users affected
Percentage of requests complied with
Types of data disclosed
Number of data breach incidents (aggregate)
Number of data subject rights requests (aggregate)
Access: Available at https://www.elsaifoundry.ai/transparency
25. DISPUTE RESOLUTION
25.1 Internal Dispute Resolution
For privacy-related disputes:
Contact Us: Email support@elsaifoundry.ai with a detailed description
Investigation: We will investigate and respond within 30 days
Escalation: Unresolved disputes may be escalated to the Data Protection Officer
Resolution: We will work in good faith to resolve disputes
25.2 Regulatory Complaints
You may file complaints with relevant supervisory authorities (see Section 17) at any time, even during internal dispute resolution.
25.3 Arbitration and Governing Law
Privacy disputes may be subject to arbitration or court proceedings as specified in the Terms of Service.
Governing Law:
Indian users: Laws of India
EU users: Laws of user's country and EU law
US users: Laws of Delaware and applicable federal law
26. EMERGENCY DATA REQUESTS
We recognize the importance of responding to legitimate emergency requests from law enforcement and government agencies.
26.1 Emergency Request Criteria
We may disclose personal data in response to emergency requests when we have a good faith belief that:
Immediate danger of death or serious physical injury exists
Disclosure is necessary to prevent the harm
Request comes from legitimate law enforcement or government agency
Request specifies the emergency nature and time sensitivity
26.2 Emergency Request Process
Requests should be submitted to security@elsaifoundry.ai with the subject line "EMERGENCY DATA REQUEST"
Include detailed description of emergency and data needed
Provide official agency contact information for verification
We will respond within 24 hours for verified emergencies
26.3 Post-Emergency Notification
After responding to emergency requests, we will:
Notify affected users when legally permitted
Document the emergency request and our response
Include emergency requests in transparency reports
27. ACKNOWLEDGMENT AND ACCEPTANCE
BY USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, YOU MUST NOT ACCESS OR USE OUR SERVICES.
For Indian Users: By using the Services, you acknowledge that you have read and understood this Privacy Policy, including your rights as a Data Principal under the Digital Personal Data Protection Act (DPDPA), 2023, and you consent to the processing of your personal data as described herein.
For EU Users: By using the Services, you acknowledge your rights under the General Data Protection Regulation (GDPR) and consent to processing where consent is the legal basis.
For California and US State Residents: You acknowledge your rights under applicable state privacy laws and have been provided with notice of data practices at or before the point of collection.
Last Updated: March 4, 2026
Version: 2.0
Effective Date: March 4, 2026
Review Schedule: This Privacy Policy is reviewed and updated at least annually, or more frequently as required by regulatory changes or business practices.
Contact for Policy Questions: support@elsaifoundry.ai
Copyright © 2026 O2V Private Limited. All rights reserved.
APPENDIX A: DEFINITIONS
Data Principal: An individual to whom the personal data relates (under DPDPA).
Data Fiduciary: An entity that determines the purpose and means of processing personal data (under DPDPA).
Data Processor: An entity that processes personal data on behalf of a Data Controller (under GDPR).
Personal Data: Any information relating to an identified or identifiable natural person.
Sensitive Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation data.
Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
Consent: Free, specific, informed, and unambiguous indication of the data subject's wishes by which they signify agreement to processing of personal data.
Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Pseudonymization: Processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without use of additional information.
Anonymization: Processing of personal data in such a manner that the data can no longer be attributed to a specific data subject, even with use of additional information.
APPENDIX B: COOKIE CATEGORIES
Essential Cookies:
Authentication tokens
Session management
Security features
Load balancing
Performance Cookies:
Google Analytics
Page load times
Error tracking
Usage metrics
Functional Cookies:
Language preferences
Theme settings
User preferences
Recent searches
Advertising Cookies:
Google Ads
LinkedIn Ads
Retargeting pixels
Conversion tracking
For detailed cookie information, see our Cookie Policy at https://www.elsaifoundry.ai/cookie-policy.
