Privacy Policy DPDP Act 2023

Last updated: April 2026  ·  Effective: April 1, 2026  ·  Governing law: India

1. Who we are

VKatOS Private Limited ("VKatOS", "we", "us") is incorporated in Chennai, Tamil Nadu, India. We operate an AI-native autonomous business operations platform. Data fiduciary contact: privacy@vkatos.com.

2. What data we collect

2.1 Company and operational data

• Business pipeline data: cases, clients, leads, status updates you enter into the platform
• Documents uploaded for OCR and processing (visa applications, contracts, certificates, etc.)
• Staff names, roles, and attendance records as entered by your administrators
• WhatsApp message logs sent through the platform's notification system
• Pipeline configuration and workflow rules specific to your business

2.2 Account and user data

• Name, email address, and phone number of platform administrators and staff
• Hashed passwords (bcrypt, never stored in plain text)
• Login timestamps and device session tokens
• Role assignments and permission levels

2.3 Usage and telemetry data

• API request logs (endpoint, timestamp, HTTP status code — no request bodies stored in logs)
• VAASI autonomous agent activity logs (actions taken, decisions made, anomalies detected)
• System health metrics (CPU, memory, uptime — no personal data)
• Anonymised cross-client patterns in the intelligence database (aggregated, never attributable to an individual)

2.4 Data we do NOT collect

• We do not place tracking cookies or advertising pixels on any page
• We do not collect biometric data
• We do not access data on your devices beyond what you upload to the platform
• We do not monitor personal communications of your staff outside the platform

3. How we store your data

VKatOS uses a per-client isolated database architecture. Each client organisation has its own SQLite database at /data/clients/{your-slug}/client.db, separate from all other clients.

• On-premise deployment: Data never leaves your own servers. Full data sovereignty.
• Managed cloud deployment: Data is stored on your dedicated Hetzner VPS (Germany or Finland — EU GDPR jurisdiction). Data is AES-256 encrypted at rest. Encrypted backups are stored on the same server; remote backups require your explicit opt-in and written consent.
• AI inference: By default, VAASI uses Ollama (llama3.2:3b) running locally. If you opt in to cloud AI (Claude API or Gemini), only the specific prompt is sent — no case IDs, client names, or identifying data are included in cloud AI calls without your explicit configuration.
• Backups: Automated local backups every 6 hours, retained 30 days. Backup files are encrypted with your organisation's backup key.

4. How we use your data

• To operate the VKatOS platform on your behalf (pipeline tracking, document processing, alerts)
• To generate the 7am VAASI briefing for your director
• To detect anomalies and predict failures in your business operations
• To send WhatsApp and email notifications you have configured
• To generate invoices and manage your subscription (billing data only)
• To improve the platform's anomaly detection using anonymised, aggregated patterns (never individual client data)

We do not use your data for advertising, profiling, resale, or training third-party AI models.

5. Your rights under the Digital Personal Data Protection Act 2023

As a data principal under the DPDP Act 2023, you (and your staff) have the following rights. Exercise them by writing to privacy@vkatos.com. We will respond within 72 hours and fulfil requests within 30 days.

6. Data retention and deletion

• Active accounts: Data retained for the duration of the subscription plus 30 days after termination
• Deleted items: Moved to recycle bin, retained 90 days, then permanently deleted
• Account deletion: Request at privacy@vkatos.com. All data deleted within 30 days. A deletion certificate is provided.
• Audit logs: Retained 7 years as required by Indian financial regulations (if applicable). Anonymised before retention.
• Backups: Retained 30 days; deleted on a rolling basis.

7. Data sharing and third parties

We share data with third parties only as follows:

• Razorpay: Payment processing only. Billing name, email, and invoice amount. No operational data shared.
• WAHA (WhatsApp): Self-hosted on your own infrastructure. No data passes through VKatOS servers for WhatsApp delivery.
• Hetzner Online GmbH: Infrastructure provider for managed deployments. Data processed under a signed DPA.
• Law enforcement: Only with a valid court order from an Indian court of competent jurisdiction. We will notify you unless prohibited by law.

We never sell, rent, or trade your data.

8. Security

• AES-256 encryption at rest for all documents
• TLS 1.3 for all data in transit
• bcrypt password hashing (14 rounds)
• JWT tokens in httpOnly cookies; expires 4 hours; silent refresh at 5 minutes remaining
• Maximum 3 active sessions per user; new device triggers WhatsApp OTP
• SHA-256 tamper-evident audit log chain
• Zero-downtime deploys via gunicorn graceful reload

9. Grievance Officer

In accordance with DPDP Act 2023 and Information Technology Act 2000:

Velan Thulasirajan
Data Protection Officer, VKatOS Private Limited
Email: privacy@vkatos.com
Phone: +91 80562 38628
Address: Chennai, Tamil Nadu — 600 001, India
Response time: 72 hours

10. Changes to this policy

We will notify all account administrators via email and in-platform notification at least 30 days before any material change to this Privacy Policy. The updated policy will be posted at vkatos.com/privacy with a new "Last updated" date. Continued use after the effective date constitutes acceptance.

11. Governing law

This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act 2023 and the Information Technology Act 2000. Disputes shall be subject to the exclusive jurisdiction of the courts of Chennai, Tamil Nadu, India.