← Back to home

Privacy Policy

Last updated: April 4, 2026

Who We Are

Datavtar AI Private Limited ("Datavtar," "we," "us") operates the Datavtar Enterprise AI Operating System at one.datavtar.com and the marketing website at datavtar.com. Datavtar acts as a data processor for the content your organization provides to or connects with the platform, and as a data controller for account information, usage data, and platform operations.

What Data We Collect

Platform (one.datavtar.com)

When you use the Datavtar platform, we collect:

  • Account information: email address, name, organization name
  • Documents and knowledge you upload to the platform
  • Queries, conversations, and interactions with the AI
  • Usage data: feature usage, session duration, actions taken

Google Drive, Sheets, and Docs (Connected Drives)

When you connect your Google account to Datavtar, you grant the platform access to specific Google services via OAuth. We request the following permissions:

  • Google Drive — to read files from the folders you select and to create files within those folders when AI-generated applications produce output
  • Google Sheets — to create, read, and update spreadsheets when applications you build require spreadsheet functionality
  • Google Docs — to create documents and read document content from your connected folders for knowledge indexing

Datavtar only accesses folders and shared drives that you explicitly select through the folder picker. No files outside your selected folders are read, indexed, or accessed in any way. You choose the scope of access, and you can disconnect your Google account or remove individual folders at any time — access is revoked immediately.

OAuth tokens are stored encrypted at rest. Datavtar never receives or stores your Google password. You may revoke Datavtar's access to your Google account at any time through your Datavtar settings or through your Google Account permissions. When you disconnect your Google account, all associated OAuth tokens and folder connections are permanently deleted from our systems.

Website (datavtar.com)

When you visit our marketing website, we collect:

  • Email address if you sign up for early access
  • Standard web analytics (page views, referral source)

Blog

The blog content management system is accessible only to authorized administrators. We collect the administrator's email address for authentication purposes.

How We Use Google Data

Files from your connected Google Drive folders are indexed into your organization's knowledge store so they become searchable through the Datavtar platform. Your Google data is:

  • Used solely to provide Datavtar's search and application features to you
  • Never shared with other organizations or users outside your organization
  • Never used for advertising, marketing, or profiling purposes
  • Never sold to third parties or used for purposes other than providing the Service to you

When AI-generated applications write files (such as Sheets or Docs) to your connected folders, those files are created directly in your Google Drive — the content is not stored separately on Datavtar's servers.

We Never Train on Your Data

Your documents, conversations, business context, and any content you provide to the platform — including content accessed from your connected Google Drive — are never used to train, fine-tune, or improve our AI models. They are never shared with other organizations. This is an unconditional commitment.

Data Isolation

Your document content and knowledge are stored in a dedicated, isolated store for your organization. Each organization gets its own separate knowledge store — your documents are never mixed with another organization's data. Account metadata and configuration are stored separately with strict access controls, ensuring no organization can access another's information.

Sub-Processors

Datavtar uses the following categories of third-party sub-processors to deliver the Service:

Infrastructure

  • Microsoft Azure — cloud hosting and compute
  • Google Cloud — cloud hosting and compute
  • Cloudflare — network security and content delivery

AI Providers

  • Google — AI processing
  • Anthropic — AI processing
  • OpenAI — AI processing

All AI providers are accessed via enterprise-grade, zero-data-retention API tiers. Your queries and content are not stored, logged, or used for model training by any AI provider. We contractually require this commitment from all providers we integrate with.

A complete sub-processor list with entity names, processing locations, and purposes is available upon request at privacy@datavtar.com. We will notify customers of any changes to sub-processors at least 30 days before the change takes effect.

Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR) — to provide the Service you signed up for, including account management, document processing, search, and AI-generated responses
  • Consent (Art. 6(1)(a) GDPR) — when you connect your Google account via OAuth and select which folders Datavtar may access. You can withdraw this consent at any time by disconnecting your Google account.
  • Legitimate interest (Art. 6(1)(f) GDPR) — for platform security, fraud prevention, usage analytics to improve the Service, and audit logging. We do not use legitimate interest as a basis for marketing or profiling.
  • Legal obligation (Art. 6(1)(c) GDPR) — where required by applicable law

International Data Transfers

Datavtar AI Private Limited is incorporated in India. The platform infrastructure is hosted on Microsoft Azure in the North Europe (Ireland) region. Your data may be transferred to and processed in the following jurisdictions:

  • Ireland (EU) — primary platform infrastructure (Azure North Europe)
  • United States — AI provider processing (Google, Anthropic, OpenAI APIs)
  • India — engineering and support operations by the Datavtar team

For transfers outside the EEA, we rely on the following legally recognized mechanisms:

  • Standard Contractual Clauses (SCCs) — Module 2 (Controller-to-Processor) per European Commission Decision 2021/914, executed with all sub-processors processing personal data outside the EEA
  • UK International Data Transfer Addendum — as applicable for transfers from the United Kingdom
  • Adequacy decisions — where the European Commission has determined that a third country provides an adequate level of data protection

You can request a copy of the applicable transfer safeguards by contacting privacy@datavtar.com.

Cookies and Sessions

We use minimal cookies and session storage required for authentication and basic functionality. We do not use tracking cookies, advertising pixels, or cross-site tracking of any kind.

Data Retention and Deletion

  • Account and organization data — retained while your account is active. Upon account termination, retained for 30 days to allow export, then permanently deleted.
  • Documents and knowledge — retained while your account is active. When you delete a specific item, it is permanently removed within 30 days, including from sub-processor systems.
  • Queries, conversations, and AI interactions — retained while your account is active. Deleted upon account termination or individual deletion.
  • Audit logs and usage data — retained for up to 12 months for security, billing, and compliance purposes.
  • Google OAuth tokens — deleted immediately when you disconnect a Google account or remove a connected folder. Indexed content from that source is removed from your knowledge store.
  • Backups — may persist in encrypted backups for up to 90 days after deletion, after which they are permanently purged.

If you wish to delete your entire account and all associated data, contact us at privacy@datavtar.com.

Your Rights

Depending on your location, you may have the following rights under applicable data protection laws, including the GDPR:

  • Access (Art. 15) — request a copy of the personal data we hold about you
  • Rectification (Art. 16) — request correction of inaccurate or incomplete data
  • Erasure (Art. 17) — request deletion of your personal data ("right to be forgotten")
  • Restriction (Art. 18) — request that we limit processing of your data in certain circumstances
  • Data portability (Art. 20) — receive your data in a structured, machine-readable format or request transfer to another provider
  • Objection (Art. 21) — object to processing based on legitimate interest
  • Withdraw consent (Art. 7(3)) — withdraw consent at any time where processing is based on consent (e.g., Google Drive connection), without affecting the lawfulness of processing before withdrawal
  • Supervisory authority — lodge a complaint with your local data protection authority if you believe your rights have been violated

To exercise any of these rights, contact us at privacy@datavtar.com. We will respond within 30 days as required by the GDPR.

Security

We protect your data through the following measures:

  • Encryption — all data encrypted in transit (TLS 1.2+) and at rest. OAuth credentials stored in an isolated, encrypted credential vault.
  • Access controls — role-based access with organization-level isolation. Access to customer data is restricted to authorized personnel required for platform operations, and all access is logged.
  • Audit trails — complete logging of all data access and mutations for accountability and compliance.
  • Infrastructure — hosted on Microsoft Azure and Google Cloud, both of which maintain SOC 2 Type II and ISO 27001 certifications for their data center operations. Datavtar is pursuing independent security certifications as the company scales.

Incident Response

In the event of a confirmed personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33. Affected customers will be notified without undue delay, with details of the nature of the breach, likely consequences, and measures taken or proposed to address it.

Automated Decision-Making

Datavtar uses AI to process queries, generate responses, classify documents, and build applications. These features assist your team's work but do not make automated decisions that produce legal or similarly significant effects on individuals (GDPR Art. 22). All AI-generated outputs are presented for human review before action.

Sensitive Data

Datavtar does not intentionally collect special categories of personal data as defined by GDPR Art. 9, including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. If your uploaded documents or connected drive folders contain such data, it is processed solely to provide the Service and is subject to the same isolation, encryption, and access controls as all other data.

Applicability of Indian Data Protection Law

Datavtar AI Private Limited is incorporated in India. To the extent the Digital Personal Data Protection Act, 2023 (DPDPA) applies to our processing of your personal data, we comply with its requirements regarding consent, purpose limitation, data retention, and the rights of data principals. Your rights under the DPDPA — including the right to access, correction, erasure, and grievance redressal — may be exercised by contacting us at privacy@datavtar.com.

Children's Data

The Service is designed for enterprise use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will promptly delete that information.

Google API Services — Limited Use Disclosure

Datavtar's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google user data to provide or improve user-facing features that are prominent in the Datavtar platform's user interface
  • We only transfer Google user data to others if necessary to provide or improve user-facing features, with the user's affirmative consent, for security purposes, or to comply with applicable laws
  • We do not use or transfer Google user data for serving ads, including retargeting, personalized advertising, or interest-based advertising
  • We do not allow humans to read Google user data unless the user has provided affirmative consent, it is necessary for security purposes, it is necessary to comply with applicable law, or the data (including derivations) is aggregated and anonymized and used for internal operations in accordance with applicable privacy requirements

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.

Contact

For privacy-related questions or requests, contact us at privacy@datavtar.com.

Datavtar AI Private Limited