Privacy Policy
Last updated: July 1, 2026
Who We Are
Datavtar AI Private Limited ("Datavtar," "we," "us") operates the Datavtar AI operating system for logistics at one.datavtar.com and the marketing website at datavtar.com. Datavtar acts as a data processor for the content your organization provides to or connects with the platform, and as a data controller for account information, usage data, and platform operations.
What Data We Collect
Platform (one.datavtar.com)
When you use the Datavtar platform, we collect:
- Account information: email address, name, organization name
- Documents and knowledge you upload to the platform
- Queries, conversations, and interactions with the AI
- Usage data: feature usage, session duration, actions taken
Google account & Drive
When you connect your Google account, you grant Datavtar access via OAuth to:
- Your basic Google profile (name, email) — to sign you in.
- Specific Google Drive files you choose — via the
drive.filepermission, which lets Datavtar access only the individual files you explicitly open with the app, or files the platform creates for you (for example, when an app you build saves its output to your Drive). Datavtar cannot see, read, or index any other file in your Drive.
Datavtar never receives or stores your Google password. OAuth tokens are stored encrypted at rest, and you can disconnect at any time — in your Datavtar settings or through your Google Account permissions — after which all associated tokens are permanently deleted from our systems.
Other connected systems
Beyond Google services, you may connect other business systems and data sources to the platform through connectors you choose to enable. Any data accessed through those connectors is processed as your organization's content — solely to provide the features you use, under the same isolation, encryption, and access controls described in this policy.
Website (datavtar.com)
When you visit our marketing website, we collect:
- Information you provide through the Get started and Book a demo forms: your name, work email, company, and job title. These details are submitted only when you choose to fill out and send the form, and are used solely to follow up about your interest in the Datavtar platform.
- With your consent, anonymous analytics and session-insight data describing how visitors interact with the website (see "Cookies, analytics and session insights" below).
Form submissions are stored in a separate Datavtar CRM database (a dedicated Firebase project) that is isolated from the platform and from any customer organization's data. Access is restricted to authorized Datavtar personnel. We do not share these details with third parties, and we do not use them for newsletters or marketing campaigns beyond responding to your specific request. You can ask us to delete the record at any time by emailing privacy@datavtar.com.
Blog
The blog content management system is accessible only to authorized administrators. We collect the administrator's email address for authentication purposes.
How We Use Google Data
Datavtar uses your Google data solely to provide the features you use. Your Google data is:
- Used only to provide the search and application features you use
- Never shared with other organizations or users outside your organization
- Never used for advertising, marketing, or profiling purposes
- Never sold to third parties or used for purposes other than providing the Service to you
When an app you build creates a file in your Drive, it is written directly to your Google Drive — not stored separately on Datavtar's servers.
We Never Train on Your Data
Your documents, conversations, business context, and any content you provide to the platform — including content accessed from connected sources — are never used to train, fine-tune, or improve any AI models, and we contractually require our AI providers not to use it for that purpose either. Your content is never shared with other organizations.
Data Isolation
Your document content and knowledge are stored in a dedicated, isolated store for your organization. Each organization gets its own separate knowledge store — your documents are never mixed with another organization's data. Account metadata and configuration are logically isolated per organization with strict access controls, ensuring no organization can access another's information.
Sub-Processors and Other Third Parties
Datavtar works with the following third parties to deliver and operate the Service. Most act as sub-processors, processing data on our behalf; where a party acts as an independent controller — such as our payment provider — that is indicated.
Infrastructure
- Microsoft Azure — cloud hosting and compute
- Cloudflare — network security, content delivery, and transactional email delivery
AI Providers
- Google — AI processing and knowledge-content storage
- Anthropic — AI processing
We use leading AI providers — currently Google and Anthropic — to power search, knowledge, and application-building features. They process your content solely to deliver the features you use, under data processing agreements, and do not use it to train their AI models.
Billing and business operations
- Paddle — billing and payment processing (merchant of record; independent controller for payment data)
- Google (Firebase) — storage of marketing contact-form submissions, isolated from the platform and from customer organization data
Marketing website analytics
The following sub-processors operate only on the marketing website (datavtar.com) and only after you grant consent. They have no access to the Datavtar platform or to any customer organization's data.
- Google LLC — Google Analytics 4 (anonymous web analytics)
- Microsoft Corporation — Microsoft Clarity (heatmaps and anonymized session insights)
A complete sub-processor list with entity names, processing locations, and purposes is available upon request at privacy@datavtar.com. We will notify customers of any changes to sub-processors at least 30 days before the change takes effect.
Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR) — to provide the Service you signed up for, including account management, document processing, search, and AI-generated responses
- Consent (Art. 6(1)(a) GDPR) — when you connect your Google account via OAuth and select which folders Datavtar may access. You can withdraw this consent at any time by disconnecting your Google account.
- Legitimate interest (Art. 6(1)(f) GDPR) — for platform security, fraud prevention, usage analytics to improve the Service, and audit logging. We do not use legitimate interest as a basis for marketing or profiling.
- Legal obligation (Art. 6(1)(c) GDPR) — where required by applicable law
International Data Transfers
Datavtar AI Private Limited is incorporated in India. The core platform — application, databases, and backups — is hosted within the European Union (Ireland). Your data may be transferred to and processed in the following jurisdictions:
- Ireland (EU) — core platform infrastructure: application, databases, and backups
- United States — AI processing by Google and Anthropic, including the storage and indexing of your uploaded knowledge content by Google to provide search; network, content-delivery and email services (Cloudflare); marketing contact-form storage (Google/Firebase); marketing-website analytics with consent (Google LLC, Microsoft Corporation)
- United Kingdom — billing and payment processing (Paddle)
- India — engineering and support operations by the Datavtar team
For transfers outside the EEA, we rely on the following legally recognized mechanisms:
- EU–US Data Privacy Framework (DPF) — primary safeguard for transfers to United States sub-processors that are DPF-certified, including Google LLC, Cloudflare, Inc., and Microsoft Corporation
- Standard Contractual Clauses (SCCs) — per European Commission Decision 2021/914, incorporated into our agreements for transfers outside the EEA. Where your organization (as controller) entrusts content to Datavtar (as processor) — including access by our engineering and support team in India — the Controller-to-Processor module applies, as completed in our Data Processing Agreement; onward transfers to our sub-processors, such as the US AI providers, are made under the Processor-to-Processor module
- UK transfers — the UK International Data Transfer Addendum applies to any onward transfer of UK-origin personal data outside the United Kingdom. Our billing provider (Paddle) acts as an independent controller for payment data and is responsible for its own transfer safeguards
- Adequacy decisions — where the European Commission has determined that a third country provides an adequate level of data protection
You can request a copy of the applicable transfer safeguards by contacting privacy@datavtar.com.
Cookies, analytics and session insights
Cookie and analytics behavior differs between the Datavtar platform and the marketing website. We describe each separately so that the distinction is precise.
Platform (one.datavtar.com)
The Datavtar platform uses only the cookies and session storage required for sign-in, security, and operation of the Service. The platform does not load any third-party analytics, session-recording, or advertising scripts, and no third-party cookies are set when you use the platform.
Marketing website (datavtar.com)
The marketing website uses three categories of cookies and similar technologies. Only the first category loads by default; the other two require your prior consent through the cookie banner shown on your first visit. You can change your decision at any time via the "Cookie preferences" link in the website footer.
Strictly necessary
Used for sign-in to the administrative content area, basic security, and to remember your consent choice itself. These cookies do not require consent under Article 5(3) of the ePrivacy Directive because they are strictly necessary to provide the service you requested. They are set by datavtar.com only.
Analytics (opt-in)
With your consent, we use Google Analytics 4, provided by Google LLC (United States), to measure aggregate usage of the marketing website — which pages are viewed, how long visitors stay, where traffic originates. We have enabled IP anonymization and disabled Google Signals. We do not use Google Analytics for advertising, remarketing, or profiling. Google may act as an independent data controller for some forms of measurement; their privacy practices are described at policies.google.com/privacy.
- Cookies set:
_ga,_ga_<container> - Maximum retention: 14 months from last visit
- Legal basis: consent (GDPR Art. 6(1)(a); ePrivacy Directive Art. 5(3))
- Transfer mechanism for processing in the United States: Google LLC is certified under the EU–US Data Privacy Framework. Standard Contractual Clauses apply as a secondary safeguard.
Session insights (opt-in)
With your consent, we use Microsoft Clarity, provided by Microsoft Corporation (United States), to capture aggregated heatmaps and anonymized session replays. This helps us identify friction points in navigation and content. Form fields, credentials, and any element marked sensitive are masked at capture time. The administrative content area is excluded entirely — Clarity is never loaded on it. Microsoft's privacy practices are described at privacy.microsoft.com/privacystatement.
- Cookies set:
_clck,_clsk, and related local-storage entries - Maximum retention: 13 months
- Legal basis: consent (GDPR Art. 6(1)(a); ePrivacy Directive Art. 5(3))
- Transfer mechanism for processing in the United States: Microsoft Corporation is certified under the EU–US Data Privacy Framework. Standard Contractual Clauses apply as a secondary safeguard.
Withdrawing or changing consent
You can withdraw or change your consent at any time, with the same one-click ease with which you granted it, via the "Cookie preferences" link in the website footer. For analytics, withdrawal stops further data collection immediately. For session insights, the active recording session ends immediately and the underlying script is not reloaded on subsequent page loads. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Historical data collected prior to withdrawal will be deleted in accordance with the retention periods above, or earlier on request to privacy@datavtar.com.
What we do not do
- We do not load advertising pixels or remarketing tags of any kind.
- We do not engage in cross-site tracking or device fingerprinting beyond the cookies described above.
- We do not sell or share personal information with third parties for advertising purposes (within the meaning of the California Consumer Privacy Act).
- We do not use Global Privacy Control as a substitute for explicit consent, but we honor it where applicable.
Data Retention and Deletion
- Account and organization data — retained while your account is active. Upon account deletion, your organization's content, conversations, knowledge, and account data enter a recovery window of up to 90 days — during which an export can be requested and the deletion reversed — after which the active data is permanently and irreversibly erased from our systems; residual copies in encrypted backups are purged on the standard backup rotation cycle and remain inaccessible for live use until then.
- Documents and knowledge — retained while your account is active. When you delete a specific item, it is permanently removed within 30 days, including from sub-processor systems.
- Queries, conversations, and AI interactions — retained while your account is active. Deleted upon account termination or individual deletion.
- Audit logs and usage data — retained for security, fraud-prevention, billing, and compliance purposes. Authentication and security logs are permanently erased when your organization is deleted.
- Google OAuth tokens — deleted immediately when you disconnect a Google account or remove a connected folder. Indexed content from that source is removed from your knowledge store.
- Backups — residual copies in encrypted backups are purged on the standard rotation cycle and are inaccessible for live processing in the interim.
If you wish to delete your entire account and all associated data, contact us at privacy@datavtar.com.
Your Rights
Depending on your location, you may have the following rights under applicable data protection laws, including the GDPR:
- Access (Art. 15) — request a copy of the personal data we hold about you
- Rectification (Art. 16) — request correction of inaccurate or incomplete data
- Erasure (Art. 17) — request deletion of your personal data ("right to be forgotten")
- Restriction (Art. 18) — request that we limit processing of your data in certain circumstances
- Data portability (Art. 20) — receive your data in a structured, machine-readable format or request transfer to another provider
- Objection (Art. 21) — object to processing based on legitimate interest
- Withdraw consent (Art. 7(3)) — withdraw consent at any time where processing is based on consent (e.g., Google Drive connection), without affecting the lawfulness of processing before withdrawal
- Supervisory authority — lodge a complaint with your local data protection authority if you believe your rights have been violated
To exercise any of these rights, contact us at privacy@datavtar.com. We will respond within one month of your request, as the GDPR requires — extendable by up to two further months for complex or numerous requests, in which case we will let you know.
Where Datavtar processes personal data on behalf of your organization — the content in your knowledge store and the sources you connect — your organization is the data controller. If you are an employee or end user of a Datavtar customer, please direct requests concerning that content to your organization; we will assist the controller in responding. For personal data where Datavtar is the controller, such as your account and billing information, you may exercise these rights with us directly.
Security
We protect your data through the following measures:
- Encryption — all data encrypted in transit (TLS 1.2+) and at rest. OAuth credentials stored in an isolated, encrypted credential vault.
- Access controls — role-based access with organization-level isolation. Access to customer data is restricted to authorized personnel required for platform operations, and all access is logged.
- Audit trails — administrative actions and changes to customer data are logged for accountability and compliance.
- Infrastructure — the platform is hosted on Microsoft Azure (EU/Ireland); AI processing is provided by Google and Anthropic. These providers maintain recognized independent security certifications such as SOC 2 Type II and ISO 27001. Datavtar is pursuing independent security certifications as the company scales.
Incident Response
In the event of a confirmed personal data breach affecting data for which Datavtar is the controller, such as account and billing information, we will notify the relevant supervisory authority without undue delay and within 72 hours of becoming aware, as required by GDPR Art. 33, and inform affected individuals where the breach is likely to result in a high risk to their rights. Where a breach affects personal data we process on behalf of your organization, we will notify your organization — the controller — without undue delay and within 72 hours of becoming aware of the breach, with the nature of the breach, its likely consequences, and the measures taken or proposed to address it, so that it can meet its own notification obligations.
Automated Decision-Making
Datavtar uses AI to process queries, generate responses, classify documents, and help you build and run applications. These features assist your team's work. Where you choose to deploy an application or schedule an automated task, it runs according to the rules and parameters you configure, under your control as the data controller. Datavtar does not use AI to make solely automated decisions that produce legal or similarly significant effects on individuals (GDPR Art. 22).
Sensitive Data
Datavtar does not intentionally collect special categories of personal data as defined by GDPR Art. 9, including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. If your uploaded documents or connected drive folders contain such data, it is processed solely to provide the Service and is subject to the same isolation, encryption, and access controls as all other data.
Applicability of Indian Data Protection Law
Datavtar AI Private Limited is incorporated in India. To the extent the Digital Personal Data Protection Act, 2023 (DPDPA) applies to our processing of your personal data, we comply with its requirements regarding consent, purpose limitation, data retention, and the rights of data principals. Your rights under the DPDPA — including the right to access, correction, erasure, and grievance redressal — may be exercised by contacting us at privacy@datavtar.com.
Children's Data
The Service is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will promptly delete that information.
Google API Services — Limited Use Disclosure
Datavtar's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data to provide or improve user-facing features that are prominent in the Datavtar platform's user interface
- We only transfer Google user data to others if necessary to provide or improve user-facing features, with the user's affirmative consent, for security purposes, or to comply with applicable laws
- We do not use or transfer Google user data for serving ads, including retargeting, personalized advertising, or interest-based advertising
- We do not allow humans to read Google user data unless the user has provided affirmative consent, it is necessary for security purposes, it is necessary to comply with applicable law, or the data (including derivations) is aggregated and anonymized and used for internal operations in accordance with applicable privacy requirements
Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to registered users at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.
EU Representative
Datavtar AI Private Limited is established outside the European Union. In accordance with Article 27 of the GDPR, we have designated a representative in the Union who may be contacted by data subjects and supervisory authorities on all issues relating to our processing of personal data:
HoSuMuKu Communications B.V. (trading as XPL-AI)
Schildgronden 24, 2134 ZW Hoofddorp, Netherlands
eugenius.otte@xpl-ai.tech
Contacting our EU representative does not affect your right to contact Datavtar directly, or to lodge a complaint with your local supervisory authority.
Contact
For privacy-related questions or requests, contact us at privacy@datavtar.com.
Datavtar AI Private Limited (CIN: U58200PN2025PTC244471)
SR. No. 2143, Flat No. D-408, Life Montage, Armament, Pune, Maharashtra 411021, India