Privacy Policy

1. Introduction

StudAI Technologies Pvt. Ltd. (“StudAI,” “we,” “us,” or “our”) operates the StudAI BOS (Business Operating System) platform, an AI-native SaaS solution designed for enterprise workflow automation, strategic command, and organizational intelligence.

This Privacy Policy describes how we collect, use, store, share, and protect information obtained through our platform at app.studai.in, our website, APIs, integrations, and any related services (collectively, the “Service”). By using the Service, you agree to the practices described herein.

This policy applies to all users of the Service—including organization administrators, team members, and any individual whose data is processed through the platform on behalf of a subscribing organization.

2. Information We Collect

We collect the following categories of information:

2.1 Account Data

When you register for the Service, we collect your name, email address, organization name, job title, phone number (optional), and authentication credentials. Organization administrators may provide additional details such as billing address and GST identification numbers.

2.2 Organization Data

Data uploaded, created, or generated within your organization’s workspace—including documents, workflows, tasks, strategic objectives, department structures, team configurations, and any business records processed through the Service.

2.3 Usage Data

We automatically collect information about how you interact with the Service, including pages visited, features used, actions taken, timestamps, device type, browser type, IP address, and referring URLs.

2.4 AI Interaction Logs

When you interact with AI-powered features (including the command center, strategic insights, and workflow suggestions), we log prompts, responses, feedback signals, and interaction metadata to improve service quality and ensure auditability.

3. How We Use Information

We use collected information for the following purposes:

• Service Delivery: To provide, maintain, and improve the Service, including user authentication, workspace management, and feature functionality.
• AI Processing: To power AI-driven features such as intelligent workflows, strategic analysis, and organizational insights. AI processing is performed within our secured infrastructure and organization data is never used to train models for other customers.
• Analytics: To understand usage patterns, diagnose technical issues, and optimize platform performance. All analytics are aggregated and anonymized where possible.
• Communication: To send transactional emails (account verification, password resets, billing receipts) and, with consent, product updates and feature announcements.
• Compliance: To comply with legal obligations, enforce our terms of service, and protect the rights and safety of our users and the public.
• Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.

4. Data Storage & Security

All customer data is stored exclusively in Microsoft Azure India regions (Central India and South India). We do not transfer data outside of India unless explicitly requested by the customer and authorized through a separate data transfer agreement.

Our security measures include:

• Encryption at Rest: All data is encrypted using AES-256 encryption.
• Encryption in Transit: All communications are protected with TLS 1.3.
• Network Security: Virtual network isolation, web application firewalls, and intrusion detection systems.
• Access Controls: Role-based and attribute-based access control with mandatory multi-factor authentication for administrative access.
• Audit Logging: Comprehensive audit trails for all data access and administrative actions.

For full details, please refer to our Security Policy.

5. Data Sharing

We do not sell, rent, or trade your personal data or organization data to any third party.

We may share data with the following categories of recipients:

• Sub-processors: We engage a limited number of sub-processors to deliver the Service, including Microsoft Azure (cloud infrastructure and compute) and SendGrid (transactional email delivery). A current list of sub-processors is maintained in our Data Processing Addendum.
• Legal Requirements: We may disclose data if required to do so by law, regulation, legal process, or enforceable governmental request, including orders from Indian courts or regulatory bodies.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, customer data may be transferred as part of the transaction, subject to the same privacy protections described herein.
• With Consent: We may share data with third parties when you have provided explicit consent to do so.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Data retention periods are configurable based on your subscription plan:

• Growth Plan: AI interaction logs retained for 30 days; audit logs retained for 90 days.
• Scale Plan: AI interaction logs retained for 90 days; audit logs retained for 365 days.
• Enterprise Plan: Fully configurable retention periods as defined in your enterprise agreement.

Upon account termination, we provide a 30-day data export window. After this period, all data is permanently deleted from our systems within 30 additional days, except where retention is required by law.

7. Your Rights

Under the Digital Personal Data Protection Act, 2023 and applicable law, you have the following rights as a Data Principal:

• Right to Access: You may request a summary of the personal data we hold about you and how it is being processed.
• Right to Correction: You may request correction of inaccurate or incomplete personal data.
• Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements.
• Right to Data Portability: You may request an export of your data in a structured, commonly used, machine-readable format.
• Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity.
• Right to Grievance Redressal: You may raise a grievance with our Grievance Officer (details below).

To exercise any of these rights, please contact us at privacy@studai.in. We will respond to your request within 30 days or as required by applicable law.

8. Cookies

The Service uses only essential cookies that are strictly necessary for the operation of the platform. These include session cookies for authentication, CSRF protection tokens, and user preference cookies (such as language and theme settings).

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. We do not participate in cross-site tracking or behavioral advertising networks.

9. Children’s Privacy

The Service is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take prompt steps to delete such data and terminate the associated account.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email at the address associated with your account and by posting a prominent notice on the Service at least 30 days before the changes take effect.

Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes. We encourage you to review this policy periodically.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: