PRIVACY POLICY

How ByteFalcon Technologies collects, uses, and protects your data on the Xenora platform.

Last Updated: April 15, 2026
Effective: April 14, 2026

ByteFalcon Technologies Private Limited ("ByteFalcon," "we," "us," or "our") operates the Xenora platform ("Service"). We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Xenora platform. Please read this policy carefully to understand our practices regarding your personal data.

1. Information We Collect

1.1 Account Information

When you register for an account, we collect:

  • Full name and email address
  • Organisation name and tenant details
  • Role and team membership information

1.2 User-Generated Content

Through your use of the Service, we process and store:

  • Knowledge base content you upload or create
  • Queries submitted to the platform
  • Chat history and conversation logs
  • Case-related data and associated metadata

1.3 Device and Usage Data

When you access our Service, we automatically collect:

  • Device information (IP address, browser type, operating system)
  • Usage data (pages viewed, time spent, features used)
  • Cookies and similar tracking technologies (subject to your consent — see Section 7)
  • Log data (access times, error logs)

1.4 OAuth and Third-Party Identity Information

When you sign in using OAuth providers (Google, Microsoft, or other OIDC-compliant providers), we receive basic profile information — such as your name, email address, and profile picture — as permitted by those services. We do not store your OAuth credentials or access tokens beyond what is necessary for session management.

2. How We Use Your Information

We use the collected information only for the purposes listed below, each with its corresponding lawful basis under the DPDPA 2023 and GDPR:

  • Service Delivery: To provide, maintain, and operate the platform (Lawful Basis: Contract)
  • Account Management: To create and manage your account and tenant (Lawful Basis: Contract)
  • AI Processing: To process queries and provide AI-powered responses within your session (Lawful Basis: Contract)
  • Communication: To send service updates, security alerts, and support messages (Lawful Basis: Contract)
  • Analytics: To analyse usage patterns and improve the Service (Lawful Basis: Consent)
  • Personalisation: To customise your experience and provide relevant features (Lawful Basis: Consent)
  • Security: To detect, prevent, and address fraud, abuse, and security incidents (Lawful Basis: Legitimate Interest)
  • Legal Compliance: To comply with applicable legal obligations and regulatory requirements (Lawful Basis: Legal Obligation)

Our AI Commitment: Your data is NEVER used to train any AI models — internal or external. All AI processing is performed solely for the purpose of responding to your queries within your active session context. We maintain strict data boundaries between tenants and ensure your proprietary information remains exclusively yours. Third-party AI providers process data under their commercial API terms, which prohibit use of API data for model training.

3. Data Storage and Security

We implement security measures to protect your data:

  • Encryption in Transit: All data is transmitted using TLS 1.2+ / TLS 1.3 protocols with HSTS enforcement
  • Encryption at Rest: All stored files are encrypted using AES-256 encryption (NIST FIPS 197)
  • Tenant-Level Isolation: Each tenant is assigned a dedicated encryption key — compromise of one tenant's key does not affect others
  • Schema Isolation: Each tenant's data is logically segregated in a dedicated database schema
  • Passwordless Authentication: Secure access via Magic Link + OTP or OIDC-based single sign-on — no passwords are stored
  • OWASP Compliance: Adherence to OWASP Top 10 and ASVS Level 2 security standards
  • Access Controls: Role-based access controls with the principle of least privilege
  • CVE Remediation: Critical vulnerabilities patched within 24 hours of disclosure

While we implement industry-leading security measures, no method of transmission over the Internet or electronic storage is 100% secure. We continuously monitor and improve our security posture.

4. Data Sharing and Disclosure

We do not sell your personal information to any third party.

4.1 Service Providers and Sub-Processors

We share data with trusted third-party service providers who assist us with cloud hosting, payment processing, analytics, and AI processing. All sub-processors are contractually bound by data protection obligations consistent with this Policy. See Section 12 for our sub-processor list.

4.2 Legal Requirements

We may disclose your information if required by law or in response to:

  • Valid legal processes (court orders, summons, government directions under the IT Act 2000)
  • CERT-In directions under the Information Technology Act, 2000
  • Protection of our rights, property, or safety, or that of our users
  • Investigation of fraud, abuse, or security incidents

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same data protection obligations set out in this Policy. Tenants will be notified of any such transfer with adequate prior notice.

5. Your Data Rights

We respect your rights under applicable data protection legislation including the Digital Personal Data Protection Act, 2023 (DPDPA) and the General Data Protection Regulation (GDPR). To exercise any right — access, correction, erasure, data portability, or withdrawal of consent — contact our Data Protection Officer at [email protected], who handles all such requests. We may ask you to verify your identity before acting on a request, and we fulfil access, correction, portability, and consent-withdrawal requests free of charge. We will respond within 30 calendar days.

5.1 Rights Under DPDPA 2023

  • Right to Access (s.11): Request confirmation and a summary of your personal data being processed
  • Right to Correction (s.12): Request correction of inaccurate or incomplete personal data
  • Right to Erasure (s.12): Request deletion of your personal data, subject to legal retention requirements
  • Right to Grievance Redressal (s.13): Submit a complaint to our Grievance Officer or the Data Protection Board of India
  • Right to Nominate (s.14): Nominate an individual to exercise your data rights on your behalf
  • Withdraw Consent: Withdraw previously given consent at any time without affecting prior processing

5.2 Rights Under GDPR (EU/EEA Data Subjects)

  • Right to Access (Art. 15): Request a copy of your personal data we hold
  • Right to Rectification (Art. 16): Update or correct inaccurate personal information
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
  • Right to Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21): Object to processing of your data based on legitimate interests
  • Right to Restrict (Art. 18): Request restriction of processing in specified circumstances

5.3 Data Collected Through a Provider (Processor Relationship)

Where a business uses Xenora/DocFlow to collect your documents on your behalf — for example, your chartered accountant, auditor, HR team, or loan processor (your "Provider") — that Provider is the Data Fiduciary / Controller of your data, and ByteFalcon acts solely as a Data Processor on their documented instructions.

To exercise access or deletion rights over such data:

  • Contact your Provider first. They hold the direct relationship with you and are responsible for responding to your request under the DPDPA 2023 (and GDPR / UAE PDPL where applicable).
  • If they do not respond, write to [email protected] with proof of your request to the Provider. We will notify them and, unless they raise a lawful objection, assist in deleting your data.

6. Document Collection via WhatsApp

For convenience, Xenora/DocFlow offers WhatsApp as a channel for collecting documents. Where this channel is used, your documents pass through the infrastructure of Meta Platforms, Inc. (WhatsApp Business API), which acts as a named Sub-Processor for message and media delivery (see Section 12). Documents are retrieved promptly and stored within our own secured infrastructure.

If your organisation prefers not to route documents through Meta, the WhatsApp channel can be disabled at any time under Settings → Notifications → WhatsApp Notifications. Once disabled, no documents will be collected via WhatsApp; collection will instead occur only through our secure web and desktop upload links.

7. Cookies and Tracking Technologies

Essential Cookies (No Consent Required)

These cookies are strictly necessary for the platform to function. They cannot be disabled:

  • Session management and authentication tokens
  • Security and fraud prevention
  • Load balancing and platform stability

Non-Essential Cookies (Consent Required)

The following cookies are only placed with your prior, explicit consent via the cookie banner displayed on first visit:

  • Analytics Cookies: To analyse usage patterns and improve our Service (e.g., page views, feature adoption)
  • Personalisation Cookies: To remember your preferences and customise your experience

Your Cookie Choices: You may accept all cookies, essential cookies only, or withdraw your analytics/personalisation consent at any time by clicking the cookie preference link in the footer. Withdrawing consent does not affect essential cookies required for the platform to function. You may also control cookies through your browser settings; however, disabling essential cookies may prevent you from using the Service.

8. Data Retention

Our retention practices are designed to give tenants full control over their data lifecycle:

  • Active Subscriptions: Data is retained for the duration of your active subscription
  • Tenant-Controlled Deletion: Organisation administrators may initiate deletion at the organisation level or case level at any time — no approval required
  • Permanent Deletion: All deletions are permanent and irreversible. Once deleted, data cannot be recovered under any circumstances. No backup, archive, or secondary copy is retained
  • Trial Accounts: Data from trial accounts is automatically and permanently deleted 30 calendar days after trial expiration
  • Deactivated / Overdue Accounts: Upon deactivation or subscription lapse, your data enters a 6-month read-only retention period with advance notification, after which it is permanently deleted

Data may be retained beyond these periods only where required by applicable law or regulatory obligation (e.g., CERT-In directions, court orders).

9. Consent Mechanism

In accordance with Section 6 of the Digital Personal Data Protection Act, 2023, ByteFalcon Technologies obtains your free, specific, informed, and unambiguous consent before processing your personal data for non-essential purposes.

How We Obtain Consent

  • At Registration: You are presented with a clear consent notice at account creation, describing the categories of data collected and their purposes, prior to submitting your details
  • For Analytics & Personalisation Cookies: A cookie consent banner is displayed on your first visit, offering a clear choice between essential-only and full consent
  • For Material Processing Changes: If we introduce a new processing purpose, we will request fresh consent before such processing begins

Withdrawing Consent

You may withdraw consent for non-essential processing at any time by contacting our Data Protection Officer at [email protected] or using the cookie preference link in the footer. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal, nor does it affect processing based on a different lawful basis (contract, legal obligation).

10. Children's Privacy

Important — DPDPA 2023 Age Threshold: Under the Digital Personal Data Protection Act, 2023 (India), a "child" means a person below the age of 18 years. Our Service is not directed at children under 18.

The Xenora platform is a business-to-business (B2B) professional service and is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18. If you believe we have inadvertently collected information from a person under 18, please contact us immediately at [email protected] and we will take prompt steps to delete such information.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our third-party AI and cloud infrastructure providers operate. We ensure appropriate safeguards are in place:

  • DPDPA 2023: Cross-border transfers are made only to countries or territories notified by the Government of India as providing adequate data protection. ByteFalcon Technologies is actively monitoring the Government of India's adequacy notifications under the DPDPA 2023, which are pending as of the effective date of this Policy, and will update its transfer mechanisms accordingly upon notification. In the interim, transfers to third-party providers occur under the data protection terms published by the respective sub-processor.
  • GDPR Chapter V (EU/EEA Data Subjects): For transfers involving EU/EEA data subjects, we rely on the Standard Contractual Clauses (SCCs) published and adopted by our sub-processors, or adequacy decisions as approved by the European Commission, as applicable.
  • Contractual Safeguards: All sub-processors are bound by data processing agreements that include appropriate data protection, security, and breach notification obligations consistent with this Policy.

12. Sub-Processor List

The following key third-party sub-processors may process personal data on our behalf. All are subject to data processing agreements consistent with applicable law:

  • Anthropic, PBC — AI Model API (United States). Commercial API Terms — no training use; 7-day deletion
  • OpenAI, L.L.C. — AI Model API (United States). API Data Usage Policy — no training on API inputs
  • Cloud Provider (GCP) — Infrastructure & Database Hosting. Cloud DPA with GDPR SCCs
  • Razorpay — Payment Processing (India). PCI-DSS compliant; RBI regulated
  • Meta (WhatsApp Business API) — Communication Channel (United States). WhatsApp Business API Data Processing Terms

This list is reviewed and updated periodically. Material additions are notified to Tenants with at least 14 days' prior notice.

13. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will provide at least 14 days' prior notice of any material changes by:

  • Posting the updated policy on our website with a revised "Last Updated" date
  • Sending an email notification to all registered Tenant administrators
  • Displaying an in-app notification on next login

Your continued use of the Service after the notice period constitutes acceptance of the updated policy. Where a material change affects consent-based processing, we will request fresh consent before the change takes effect.

15. Contact Us & Grievance Officer

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer. Under the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we designate the following Grievance Officer:

Data Protection Officer / Grievance Officer

Organisation: ByteFalcon Technologies Private Limited

Platform: Xenora (xenora.ai)

Email: [email protected]

Address: Olympia Cyberspace, Arulayiammanpet, SIDCO Industrial Estate, Guindy, Chennai, Tamil Nadu 600032, India

Response SLA: Within 30 calendar days of receipt of a verifiable request

If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India (upon its establishment under DPDPA 2023), or the relevant supervisory authority in your jurisdiction.