Ask VAI

Privacy Policy

Notice published under Section 5 of the Digital Personal Data Protection Act, 2023 and Rule 4 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Effective date: [DD Month YYYY]
Last updated: [DD Month YYYY]

Draft — not published. All highlighted placeholders must be replaced before publication. Set NEXT_PUBLIC_LEGAL_PUBLISHED=true only after all placeholders are filled and an Indian advocate has reviewed the documents. The build will fail if any placeholder still contains brackets when that flag is set.

1.1 Who we are

Versoaltima India Pvt. Ltd., a company incorporated under the laws of India having its registered office at Navi Mumbai, Maharashtra, India ("we", "us", "our") operates Ask VAI, an internal business-operations, ticketing, HR, requirements, meetings, project-performance, KPI, and AI-assistant platform (the "Service"). Ask VAI is an internal organizational tool provided for controlled, authenticated use by authorized members of the organization. It is not a commercial product sold to the public. For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), we are the Data Fiduciary for the personal data we process for internal operations. For the purposes of the Information Technology Act, 2000 read with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), we are a Body Corporate.

1.2 Our role as Data Fiduciary

We are the Data Fiduciary for the personal data of internal users and employees that we process to operate the Service. We determine the purposes and means of processing this internal user, employee, and operational data for internal operations such as ticketing, HR, requirements, meetings, and the AI assistant. We do not act as a Data Fiduciary on behalf of any external commercial customer, and we do not sell the Service to the public. We do not sell personal data, do not share personal data for advertising, and do not profile Data Principals beyond what is necessary to operate the Service. We do not use personal data to train any AI or machine-learning model without consent.

1.3 Personal data we collect

Account and identity data

  • name, work email address, phone number (if provided)
  • organization name, domain, job title or department, manager relationship
  • user role (User, Manager, CxO, Org Admin, Product Admin), account status

Authentication and security data (treated as Sensitive Personal Data under SPDI Rules)

  • login identifiers, password hashes (we do not collect or store plain-text passwords)
  • session records, device and browser information, IP address
  • access audit logs, security events, login outcome and timestamps

Operational product data (provided within the organization)

  • tickets, descriptions, comments, remarks, severity, blockers, status, owners, teams, due dates, revenue impact, third-party-system references, UAT details, go-live details
  • HR records, requirements, and meeting content processed within the organization
  • project, team, and resource-level performance metrics
  • Excel imports, dashboard filters, and saved views
  • Community Pulse content: ideas, anonymous concerns, help requests, and comments

Usage and technical data

  • browser type, device type, operating system
  • pages and features used, API request metadata, crash logs, performance logs
  • cookie and similar-technology identifiers (see Cookie Policy)

We do not solicit financial account, biometric, health, sexual orientation, religious, political, or other special-category data. Users must not upload such data to the Service.

1.4 Specified purposes for which personal data is processed

Per Section 5 of the DPDP Act, the specified purposes for which we process personal data are:

  • creating and managing internal user accounts; verifying email and access
  • enabling Product Admin approval of organizations and Org Admin provisioning
  • providing ticketing, HR, requirements, meetings, KPI, dashboard, analytics, workflow, AI-assistant, and Community Pulse features
  • importing and normalizing Excel tracker data
  • generating project, team, resource, and revenue-leakage dashboards
  • maintaining audit logs and security records
  • preventing unauthorized access, abuse, fraud, and misuse
  • improving reliability, usability, and performance of the Service (using aggregated/anonymized data only)
  • complying with legal obligations including the DPDP Act, the IT Act, the CERT-In Direction dated 28 April 2022, the Companies Act 2013, and tax laws
  • responding to legal process, court orders, and lawful requests of government authorities in India

Personal data is not used for any other purpose without obtaining fresh consent or another lawful ground. Aggregated/anonymized data that does not identify any individual may be used to improve the Service.

1.5 Lawful grounds for processing

We process personal data on the following lawful grounds under the DPDP Act:

  • Consent — for non-essential cookies and any optional features. Consent is specific, informed, freely given, capable of being withdrawn, and recorded.
  • Legitimate uses under Section 7 of the DPDP Act — including provision of the internal Service requested, employment-related processing, response to medical emergencies, and compliance with the judgment or decree of any Indian court.
  • Legal obligation — to comply with Indian law including the DPDP Act, IT Act, CERT-In Direction, Companies Act, and tax laws.

1.6 AI-assisted features

The Service includes an AI assistant and AI-assisted features such as risk summaries, revenue-leakage explanations, project-health insights, meeting recaps, and ticket classification suggestions. AI features may process content that users submit. AI outputs are assistive only and may be incomplete, inaccurate, or contextually wrong. Users must review AI-generated suggestions before relying on them and must not use AI output as the sole basis for any material decision. We do not use personal data to train, fine-tune, or improve any AI model without consent. Where third-party AI or large-language-model providers are used, they are contractually bound to: (a) not use our data to train any model; (b) retain inputs and outputs only for the strict request-handling window; (c) delete data after processing; and (d) maintain at least the security standard required under the SPDI Rules. We accept no liability for losses arising from a user's reliance on AI output without human review.

1.7 Cookies and similar technologies

We use strictly-necessary cookies for authentication and security on a legitimate-use basis without consent. All other cookies (preference, analytics, performance) are deployed only after the user provides explicit, granular, withdrawable consent through our cookie banner. See the Cookie Policy.

1.8 Disclosures of personal data

We may disclose personal data only to:

  • authorized users within the organization, based on role permissions and tenant isolation
  • sub-processors that support hosting, database, email, storage, security monitoring, and AI processing — each is bound by a written data-processing agreement compliant with Section 8(2) of the DPDP Act
  • Indian or foreign legal, regulatory, or government authorities where required by an order of a court, tribunal, or statutory authority of competent jurisdiction in India
  • professional advisors (auditors, lawyers, tax consultants) under confidentiality obligations
  • successors in connection with a merger, acquisition, or sale of business assets, subject to the receiver agreeing in writing to honour this Privacy Policy and applicable law

A current list of material sub-processors is available at our Sub-processor List, and updates are notified at least 30 days in advance through the Service.

1.9 Tenant isolation and role-based access

The Service is designed as a multi-tenant platform. Users access only data belonging to their organization, subject to their assigned role. Role-based access controls, audit logs, and tenant isolation are enforced at the application layer on every request. Cross-organization access is prevented by application-layer organizationId checks on every read and write.

1.10 Data retention

  • Active organizational data: retained while the account is active
  • Deleted/terminated account data: deleted or anonymized within 90 days of termination, except where retention is required by law
  • Backups: retained for up to 30 days, after which deleted data is purged from backups
  • Security logs and ICT system logs: retained for a minimum of 180 days as required by paragraph (iv) of the CERT-In Direction dated 28 April 2022
  • Audit logs (application-level): retained for 24 months
  • Support communications: retained for up to 24 months after resolution
  • Tax and accounting records: retained for at least 8 years per Indian tax laws

1.11 Data security and CERT-In compliance

We implement technical, organizational, and administrative safeguards reasonable under Section 8(5) of the DPDP Act, Rule 8 of the SPDI Rules, and the CERT-In Direction dated 28 April 2022. These include: TLS 1.2+ encryption in transit, encryption at rest for sensitive fields, bcrypt password hashing, role-based access control, tenant isolation, access logging and audit trails, vulnerability management, secure backups, principle-of-least-privilege access, NTP-synchronized system clocks, and 180-day log retention. No system is completely secure. Users are responsible for protecting credentials, enabling multi-factor authentication where available, and promptly reporting suspected misuse to grievance@askvai.in.

1.12 Personal data breach notification

In the event of a personal data breach, we will:

  • report the cyber incident to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of becoming aware, per the CERT-In Direction dated 28 April 2022
  • notify the Data Protection Board of India and each affected Data Principal as required under Section 8(6) of the DPDP Act, in the manner and timelines prescribed by the Board
  • notify affected users and the organization without undue delay where the breach affects organizational data
  • contain, remediate, and document the incident

1.13 Rights of Data Principals

Subject to the DPDP Act and applicable law, Data Principals have the following rights, exercisable by writing to the Grievance Officer named in section 1.18:

  • Right to information about personal data being processed (Section 11)
  • Right to correction, completion, updating, and erasure of personal data (Section 12)
  • Right of grievance redressal in respect of any act or omission regarding personal data (Section 13)
  • Right to nominate another individual to exercise rights in the event of death or incapacity (Section 14)
  • Right to withdraw consent at any time, with the same ease with which it was given (Section 6(4))

We will respond to and resolve grievances within the timelines prescribed by the DPDP Act and rules thereunder; pending such rules, within 30 days of receipt. If the Data Principal is not satisfied with our resolution, they may file a complaint with the Data Protection Board of India.

1.14 Children's data

The Service is intended for internal organizational use by individuals 18 years or older. We do not knowingly process personal data of any individual below 18 years of age (a "Child" under Section 9 of the DPDP Act) or any person with a disability (where a lawful guardian is appointed) without verifiable consent of the parent or lawful guardian. Organizations must not create accounts for Children. If we discover an account belongs to a Child without parental consent, we will close it and delete the data within a reasonable time.

1.15 Cross-border transfers

Personal data is processed and stored primarily in India. We may transfer personal data outside India only to countries or territories not specifically restricted by the Central Government under Section 16 of the DPDP Act. Where the AI/LLM providers used by the Service process a request outside India, we use contractual safeguards including data-processing agreements that bind the recipient to standards equivalent to Indian law. Transfers required by an order of an Indian court or authority are not restricted.

1.16 Significant Data Fiduciary status

We monitor whether we cross thresholds for designation as a Significant Data Fiduciary under Section 10 of the DPDP Act. If designated, we will appoint a Data Protection Officer based in India, conduct periodic Data Protection Impact Assessments and audits, and meet additional obligations as prescribed.

1.17 Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes that affect a Data Principal's rights or our processing purposes will be notified through the application, email, or website notice at least 30 days before the effective date. Where required by law, fresh consent will be obtained. Continued use after the effective date for non-material updates indicates acknowledgement; for material updates, fresh consent or written acceptance applies.

1.18 Grievance Officer (mandatory under DPDP Act and IT Rules)

For any grievance regarding personal data or the Service, users should first contact support@askvai.in. If there is no response within 15 days, users may escalate to the Grievance Officer at grievance@askvai.in.

Grievance Officer / Data Protection Officer email: grievance@askvai.in
India address: Navi Mumbai, Maharashtra, India
Business hours: Monday to Friday, 10:00–18:00 IST (excluding gazetted Indian public holidays)
Acknowledgement timeline: 24 hours from receipt of complaint
Resolution timeline: 15 days from acknowledgement (per IT Intermediary Rules 2021), or as required by the DPDP Act
Escalation: If unresolved, Data Principals may approach the Data Protection Board of India.

1.19 Jurisdiction and applicable law

This Privacy Policy is governed by the laws of India. Any dispute relating to this Privacy Policy is subject to the exclusive jurisdiction of the courts at Navi Mumbai, Maharashtra, India, subject to the jurisdiction of the Data Protection Board of India and other statutory authorities of competent jurisdiction.