DRAFT

These documents are starter templates pending review by legal counsel and are NOT yet in force. Last updated 2026-05-30.

LEGAL

Privacy Policy

KairosAI Technologies Private Limited · Last updated 2026-05-30 · Effective date: [______]

This Privacy Policy explains how KairosAI Technologies Private Limited (“KairosAI”, “we”, “us”) collects, uses, shares, and protects personal data. It is framed around India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”) and applies to our website, dashboard, and the KairosAI customer-service agent platform (the “Service”).

For personal data we process about a business customer’s own end-users (for example, the people who call or message an AI agent), our customer is the Data Fiduciary and KairosAI acts as a Data Processor on the customer’s documented instructions. That relationship is governed by our Data Processing Addendum. This Policy primarily describes the data for which KairosAI is itself the Data Fiduciary (such as account and billing data).

1. Data we collect

  • Account data — name, work email, phone number, organisation details, GSTIN and billing address, and authentication data.
  • Usage & billing data — wallet balance and transactions, metered usage (voice minutes, messages, sessions), logs, device/browser information, and diagnostic data.
  • Conversation content — the content of interactions handled by the Service, which may include voice recordings, call transcripts, chat and email message contents, and any personal data contained within them. This is generally processed on behalf of our customer (see the DPA).
  • Support & communications — messages you send us and records of support interactions.

2. Purposes & lawful basis

We process personal data to provide, operate, secure, and improve the Service; to authenticate users; to bill and issue GST invoices; to provide support; to comply with legal obligations; and to communicate service and account information. Under the DPDP Act, our lawful basis is principally your consent and, where applicable, “certain legitimate uses” recognised by the Act (such as for a purpose for which you voluntarily provided data, or to comply with law). Where we rely on consent, you may withdraw it as described below.

3. How we use the data

We use data only for the purposes above and do not sell personal data. We may use aggregated or de-identified data (that does not identify any individual) for analytics and to improve the Service. We do not use customer conversation content to train third-party foundation models, and we instruct our LLM providers not to retain or train on data sent through the Service except as needed to deliver the response, subject to their published terms.

4. Sharing with sub-processors

We share personal data with vetted service providers (Data Processors / sub-processors) strictly to deliver the Service, including:

  • Telephony / PSTN providers — to place and receive voice calls;
  • LLM providers — to generate agent responses and transcriptions;
  • Messaging / WhatsApp Business Solution Providers — to send and receive messages;
  • Cloud hosting and infrastructure providers — to host and run the Service; and
  • Payment processors — to process wallet top-ups.

A current list of sub-processors and their roles is maintained at [link / on request]. We impose appropriate confidentiality and data-protection obligations on each sub-processor. We may also disclose data where required by law or to protect our legal rights.

5. Data retention

We retain personal data only for as long as necessary for the purposes described, to comply with legal, tax, and accounting obligations, and to resolve disputes. Conversation content processed on behalf of a customer is retained per the customer’s configured retention settings and the DPA. Indicative retention periods are [______]; thereafter data is deleted or de-identified.

6. Security

We maintain reasonable technical and organisational security measures appropriate to the risk, including encryption in transit and at rest, access controls, network protections, and logging. No method of transmission or storage is fully secure; in the event of a personal data breach we will act in accordance with the DPDP Act and notify affected parties and the Data Protection Board of India as required.

7. Your rights as a Data Principal

Subject to the DPDP Act, you (as a Data Principal) have the right to:

  • Access a summary of the personal data we process about you and the processing activities;
  • Correction and updating of inaccurate or incomplete personal data;
  • Erasure of personal data that is no longer necessary for the purpose for which it was collected (subject to legal-retention requirements);
  • Grievance redressal — to readily raise grievances with us (see below); and
  • Nominate another individual to exercise your rights in the event of death or incapacity.

You may also withdraw consent at any time, with effect for future processing. To exercise any right, contact our Grievance Officer below. Where KairosAI processes data on behalf of a customer (Data Fiduciary), we will direct or assist with such requests through that customer.

8. Grievance Officer

In accordance with the DPDP Act, our Grievance Officer is:
[Grievance Officer name: __________]
Email: [grievance@__________]
Address: KairosAI Technologies Private Limited, [Registered office: __________, India]

We aim to acknowledge grievances promptly and respond within the timelines prescribed under the DPDP Act and its rules. If unsatisfied, you may approach the Data Protection Board of India.

9. Cross-border transfer

Some sub-processors (such as certain LLM or cloud providers) may process data outside India. Where we transfer personal data outside India, we do so in accordance with the DPDP Act and applicable restrictions, and under appropriate contractual safeguards with the recipient.

10. Children’s data

The Service is intended for business use and is not directed at children. Where processing of a child’s personal data is implicated (for example, in the higher-education context), the relevant customer is responsible for obtaining verifiable consent of a parent or lawful guardian as required by the DPDP Act, and we do not knowingly undertake tracking, behavioural monitoring, or targeted advertising directed at children.

11. Cookies

Our website and dashboard use strictly necessary cookies (for authentication and security) and may use limited analytics cookies. You can control cookies through your browser settings; disabling necessary cookies may affect functionality. Details are available at [cookie notice link].

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified through the dashboard or by email, and the “Last updated” date above will change accordingly.

13. Contact

For privacy questions, contact [privacy@__________] or write to KairosAI Technologies Private Limited, [Registered office: __________, India].