Privacy Policy
Effective Date: May 31, 2026 | Last Updated: May 31, 2026
1. Introduction
AIGO Private Limited (“AIGO,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share, and protect information when you access or use our websites, platforms, and services (collectively, the “Services”), including AIGO-X, AIGO-P, AIGO-S, AIGO-T, AIGO-N, and associated applications.
This Privacy Policy applies to all deployment models: SaaS (cloud-hosted), Private Cloud (Bring Your Own Cloud), and On-Premises installations. It also applies if you access our Services through an authorized partner, reseller, or system integrator.
Please read this Privacy Policy carefully. By using our Services, you acknowledge that you have read and understood this policy and consent to the practices described herein. If you do not agree, please discontinue use of our Services immediately.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, including name, email address, phone number, IP address, and identification numbers.
- "Sensitive Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious beliefs, biometric data, health data, or financial account details.
- "Customer Data" means all data, documents, records, and materials that you or your organization submit to the Services, which may include Personal Data of your employees, vendors, or other data subjects.
- "Data Subject" means the individual to whom Personal Data relates.
- "Data Controller" means the entity that determines the purposes and means of processing Personal Data.
- "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller.
- "You" or "User" means the individual or organization using our Services.
- "Partner" means authorized resellers, system integrators, or managed service providers who distribute or implement our Services.
3. Information We Collect
We collect different categories of information depending on how you interact with our Services:
3.1 Information You Provide Directly
- Account Information: Name, email address, phone number, job title, company name, billing address, and payment details.
- Profile Information: Profile photo, preferences, timezone, and language settings.
- Customer Data: Audit records, risk assessments, compliance documentation, vendor information, employee records, and other materials you upload or create within the platform. This may include Personal Data of your employees, contractors, and third parties.
- Communications: Records of your interactions with our support, sales, and legal teams.
- Feedback and Surveys: Information you provide when participating in surveys, beta programs, or feedback requests.
3.2 Information Collected Automatically
- Usage Data: Log files, pages viewed, features used, clicks, searches, timestamps, and session duration.
- Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
- Location Data: General geographic location derived from your IP address (not precise GPS location).
- Cookies and Tracking Technologies: See Section 7 for details.
3.3 Information from Third Parties
- Identity Providers: If you log in via SSO (e.g., Azure AD, Okta, Google Workspace), we receive your name, email, and organizational role from your identity provider.
- Partners: If you access our Services through a Partner, we may receive your contact information and account details from that Partner.
- Public Sources: Publicly available professional information (e.g., LinkedIn profile data) for sales and marketing purposes, where permitted by law.
4. How We Collect Information
| Method | Description |
|---|---|
| Direct Collection | When you register, complete forms, upload documents, or communicate with us. |
| Automated Technologies | Through cookies, web beacons, server logs, and analytics tools. |
| Third-Party Integrations | When you connect third-party services (cloud providers, identity systems, communication tools). |
| Partners | When a Partner provisions your account or manages your deployment. |
5. Purpose and Legal Basis for Processing
We process Personal Data for the following purposes and legal bases:
| Purpose | Legal Basis | Description |
|---|---|---|
| Service Provision | Contractual Necessity | To create and manage your account, provide platform functionality, process transactions, and deliver customer support. |
| Platform Improvement | Legitimate Interest | To analyze usage patterns, debug errors, develop new features, and improve user experience. |
| Security and Fraud Prevention | Legitimate Interest / Legal Obligation | To detect unauthorized access, prevent fraud, ensure data integrity, and comply with security standards. |
| Compliance and Legal Obligations | Legal Obligation | To respond to legal requests, enforce our Terms, comply with regulatory audits, and meet tax/accounting requirements. |
| Marketing and Communications | Consent / Legitimate Interest | To send product updates, newsletters, and promotional materials (you may opt out at any time). |
| Partnership Management | Legitimate Interest | To manage relationships with Partners who refer or support your account. |
5.1 GRC and Compliance Context
Given the nature of our Services, you acknowledge that:
- The platform generates immutable audit trails, timestamps, and compliance records that may contain Personal Data.
- You are responsible for ensuring that your collection and upload of Personal Data to the Services complies with applicable data protection laws.
- We may be legally required to retain certain records (including Personal Data) for regulatory, audit, or litigation purposes, even if you request deletion.
5.2 Legitimate Uses
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), we may process Personal Data without consent where such processing is necessary for certain legitimate uses, including: (a) performance of any function under any law; (b) compliance with any judgment or order of any Court or Tribunal; (c) response to a medical emergency involving a threat to life; or (d) employment-related purposes. Where we rely on legitimate use, we will document the basis and notify you where required by law.
6. Data Processing Roles
6.1 AIGO as Data Controller
AIGO acts as a Data Controller for Personal Data that we collect directly from you, such as account information, billing details, and usage data.
6.2 AIGO as Data Processor
For Customer Data that you upload to the Services — including Personal Data of your employees, vendors, or other individuals — AIGO generally acts as a Data Processor and you act as the Data Controller. Our processing of such data is governed by:
- These Terms and our Terms of Service;
- Your instructions as provided through the platform;
- Any executed Data Processing Addendum (DPA) or Standard Contractual Clauses (SCCs).
6.3 Deployment Model Implications
| Deployment Model | Controller/Processor Relationship | Data Location |
|---|---|---|
| SaaS | AIGO is Processor; Customer is Controller | AIGO's cloud environment (AWS India or as specified) |
| Private Cloud (BYOC) | AIGO is Processor; Customer is Controller | Customer's cloud account; AIGO may access metadata for support |
| On-Premises | AIGO is Processor (for support purposes only); Customer is Controller | Customer's premises; AIGO does not host or store Customer Data |
6.4 Partner-Managed Deployments
If a Partner hosts or manages your deployment, the Partner may also act as a Data Processor or sub-processor. AIGO remains responsible for our own processing activities, but you should review the Partner's privacy practices for their handling of your data.
7. Cookies and Similar Technologies
7.1 What We Use
| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, session management, security | Session / 1 year |
| Functional | Language preferences, display settings | 1 year |
| Analytics | Usage analytics, feature adoption, error tracking | 2 years |
| Marketing | Ad personalization, campaign tracking | 90 days |
7.2 Your Choices
- You can manage cookie preferences through your browser settings.
- You may opt out of non-essential cookies via our cookie consent banner.
- Disabling essential cookies may impair platform functionality.
7.3 Third-Party Analytics
We use Google Analytics, Mixpanel, or similar tools. These services may set their own cookies and collect data according to their privacy policies.
8. How We Share Information
We do not sell your Personal Data. We share information only in the following circumstances:
8.1 Service Providers and Sub-Processors
| Provider Category | Examples | Purpose |
|---|---|---|
| Cloud Infrastructure | Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform | Hosting, storage, compute |
| Email and Communications | SendGrid, Amazon SES | Transactional and marketing emails |
| Analytics | Google Analytics, Mixpanel | Usage analytics and reporting |
| Payment Processors | Razorpay, Stripe | Billing and payment processing |
| Identity Management | Azure AD, Okta, Auth0 | Single sign-on and authentication |
All sub-processors are bound by data protection obligations consistent with this Privacy Policy and applicable law. A current list of sub-processors is available upon request.
8.2 Partners and Resellers
If you were referred to us by or manage your account through a Partner, we may share:
- Account status and subscription details (for commission/billing);
- Support ticket summaries (for tier-1 support delegation);
- Aggregated usage metrics (for partnership reporting).
We do not share Customer Data with Partners unless you have expressly authorized such sharing or the Partner acts as your authorized sub-processor.
8.3 Legal and Regulatory Disclosures
We may disclose Personal Data if required to do so by law or in response to valid requests by public authorities, including:
- Court orders, subpoenas, or search warrants;
- Regulatory investigations or audits;
- Enforcement of our Terms of Service;
- Protection of our rights, property, or safety, or that of our users or the public.
8.4 Business Transfers
If AIGO is involved in a merger, acquisition, financing, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership or uses of your Personal Data.
8.5 With Your Consent
We may share your information for any other purpose with your explicit consent.
9. International Data Transfers and Data Residency
9.1 Customer-Selected Data Location
You control where your Customer Data is stored. During onboarding or as specified in your Order Form, you may select your preferred hosting region. For SaaS deployments, AIGO will host your Customer Data exclusively in the AWS region you select (e.g., ap-south-1, eu-west-1, us-east-1).
| Deployment Model | Data Residency Control |
|---|---|
| SaaS | You select the AWS region at the time of account provisioning. Customer Data remains within that region unless you explicitly request a cross-region replication or backup. |
| Private Cloud (BYOC) | Customer Data resides entirely within your own cloud account and region. AIGO does not transfer your data outside your chosen infrastructure. |
| On-Premises | Customer Data resides on your premises. AIGO does not host or transfer your data. |
9.2 No Automatic Cross-Border Transfers
For SaaS and IaaS deployments, your Customer Data will not be transferred across international borders unless: (a) You have explicitly requested and consented to a multi-region deployment, disaster recovery configuration, or cross-region backup; (b) Such transfer is strictly necessary for the provision of the Services you have subscribed to; or (c) We are legally compelled to disclose data to a competent authority under applicable law, and such disclosure requires cross-border transfer.
9.3 Sub-Processor Location
Our sub-processors may process limited metadata (such as system logs, support tickets, or billing records) in regions other than your selected data location. We ensure that such metadata processing is subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable.
Customer Data itself — including audit trails, compliance records, and uploaded documents — is not processed by sub-processors outside your selected region without your explicit consent.
9.4 Transfers from the EEA, UK, and Switzerland
If you are located in the EEA, UK, or Switzerland and select a hosting region within your jurisdiction, your Customer Data will remain within that jurisdiction. If you request data to be hosted outside the EEA/UK/Switzerland, you explicitly consent to such transfer, and we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- UK International Data Transfer Agreements (IDTAs) where applicable;
- Transfers to countries with adequacy decisions under GDPR.
9.5 Compliance with Indian Law
We comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000. Cross-border transfers of Personal Data from India will only occur:
- With your explicit consent; or
- Where permitted under the DPDP Act and applicable notifications from the Government of India.
10. Data Security
We implement a comprehensive security program designed to protect your data, including:
10.1 Technical Safeguards
- Encryption: AES-256 encryption at rest; TLS 1.2+ encryption in transit.
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and principle of least privilege.
- Network Security: Firewalls, intrusion detection/prevention systems, DDoS mitigation, and VPC isolation.
- Vulnerability Management: Regular security assessments, penetration testing, and patch management.
10.2 Organizational Safeguards
- Employee background checks and confidentiality agreements.
- Security awareness training programs.
- Incident response and business continuity plans.
- Annual third-party security audits and compliance certifications (e.g., ISO 27001, SOC 2).
10.3 Security Incident Notification
In the event of a confirmed personal data breach affecting your Personal Data, we will:
- Notify you without undue delay and no later than 72 hours after becoming aware, where required by law;
- Notify the Data Protection Board of India and other relevant regulatory authorities where required by the DPDP Act 2023;
- Provide details of the breach, affected data categories, likely consequences, and remediation steps;
- Coordinate with you to meet regulatory notification obligations to affected data subjects where required.
10.4 Your Security Responsibilities
You are responsible for:
- Maintaining the confidentiality of your login credentials;
- Configuring appropriate access controls for your users within the platform;
- Ensuring your devices and networks are secure;
- Promptly reporting any suspected unauthorized access or security incidents.
11. Data Retention and Deletion
11.1 Retention Responsibility by Deployment Model
| Deployment Model | Who Controls Retention | What AIGO Retains |
|---|---|---|
| SaaS | AIGO hosts; you configure retention policies within platform settings | Customer Data per your configured policy; account metadata for billing/legal compliance |
| Private Cloud (BYOC) | You control retention on your own infrastructure | Only support logs, billing records, and deployment metadata; no Customer Data |
| On-Premises | You retain full control | Only license usage records and support tickets; no Customer Data |
11.2 Configurable Retention Policies (SaaS)
| Data Category | Default Retention | Configurable by Customer | Minimum Legal Retention |
|---|---|---|---|
| Customer Data | Duration of active subscription + 90 days | Yes | 90 days post-termination, or longer if under litigation hold |
| Audit trails and immutable logs | 7 years | No — locked for compliance integrity | As required by applicable regulations (typically 3–7 years) |
| User activity logs | 2 years | Yes — between 1–7 years | 1 year |
| Support and communication records | 3 years | No | 3 years |
| Billing and payment records | 7 years | No | 7 years (tax/accounting compliance) |
| Deleted items (trash/recycle bin) | 30 days | Yes — between 7–90 days | 7 days |
Note: If you configure a retention period shorter than the legal minimum for your industry or jurisdiction, you assume full responsibility for any compliance violation.
11.3 Post-Termination Handling
| Deployment Model | Data Handling After Termination |
|---|---|
| SaaS | You may export Customer Data within thirty (30) days of termination. After the export window, AIGO will securely delete or anonymize your Customer Data within ninety (90) days. Backup copies may persist in encrypted, immutable storage for up to one (1) additional year before automatic purging. |
| Private Cloud (BYOC) | Customer Data remains in your cloud account. AIGO will revoke access credentials and delete deployment metadata (excluding billing and support records) within thirty (30) days. You are responsible for deleting or retaining data in your own infrastructure. |
| On-Premises | Customer Data remains on your premises. AIGO will deactivate license keys and delete support-related metadata (excluding license audit records) within thirty (30) days. You retain full control over local data deletion or retention. |
11.4 Litigation Hold and Legal Obligations
Notwithstanding any configured retention period or deletion request, AIGO may retain Personal Data or Customer Data where:
- Required by applicable law, regulation, or regulatory audit;
- Subject to an active litigation hold, subpoena, or investigation;
- Necessary to resolve disputes or enforce our agreements.
Once the legal obligation expires, such data will be deleted in accordance with the applicable retention schedule.
11.5 Audit Trail Immutability
Certain compliance records, audit trails, and system-generated logs are designed to be tamper-evident or immutable by platform architecture. While you may archive or export these records, platform-level deletion may be technically restricted to preserve regulatory integrity. You acknowledge this limitation when using the Services for compliance and audit purposes.
11.6 Deletion Procedures
- Active Accounts: Administrators may delete users, records, and uploaded documents through the platform interface. Deleted items enter a configurable trash/recycle bin before permanent purging.
- Hard Delete Requests: For SaaS deployments, you may request certified hard deletion (cryptographic erasure) of specific datasets by contacting contact@aigo.ai. Such requests are subject to legal and audit trail retention exceptions.
- Anonymization: Where deletion is not technically feasible or legally permitted, we may anonymize data so that it can no longer identify you or any data subject.
12. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your Personal Data:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of the Personal Data we hold about you. | contact@aigo.ai |
| Correction | Request correction of inaccurate or incomplete Personal Data. | contact@aigo.ai |
| Deletion | Request deletion of your Personal Data, subject to legal retention obligations. | contact@aigo.ai |
| Restriction | Request restriction of processing in certain circumstances. | contact@aigo.ai |
| Data Portability | Request transfer of your Personal Data in a structured, machine-readable format. | contact@aigo.ai |
| Objection | Object to processing based on legitimate interests or direct marketing. | contact@aigo.ai |
| Withdraw Consent | Withdraw consent where processing is based on consent, without affecting prior lawful processing. | contact@aigo.ai |
| Nomination | Nominate another individual to exercise your data subject rights in case of death or incapacity. | contact@aigo.ai |
| Complaint | Lodge a complaint with a data protection authority. | contact@aigo.ai |
12.1 Response Time
We will respond to all requests within thirty (30) days. Complex requests may require additional time, in which case we will notify you.
12.2 Verification
To protect your privacy, we will verify your identity before processing your request. We may refuse requests that are manifestly unfounded, excessive, or repetitive.
12.3 Authorized Agents
You may designate an authorized agent to exercise your rights on your behalf. The agent must provide written proof of authorization.
12.4 Consent Withdrawal Impact
Withdrawing consent may result in termination of your account and loss of access to Services where processing is essential to service delivery. We will notify you of such consequences before processing your withdrawal request.
13. Children's Privacy
Our Services are not intended for individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect Personal Data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at contact@aigo.ai, and we will take steps to delete such information.
14. Grievance Officer and Data Protection Contact
In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, we have appointed the following officers to address your concerns regarding data privacy and protection:
Response Time: We will acknowledge receipt of your complaint within 48 hours and endeavor to resolve the matter within 30 days.
You also have the right to lodge a complaint directly with the Data Protection Board of India or your local data protection authority if you are not satisfied with our response.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or Service offerings.
- Material Changes: We will notify you via email and/or prominent notice on our website at least thirty (30) days before material changes take effect.
- Non-Material Changes: We may post updates with a revised “Last Updated” date.
- Continued Use: Your continued use of the Services after the effective date of changes constitutes acceptance of the revised Privacy Policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
| Department | Email | Purpose |
|---|---|---|
| Privacy Team | contact@aigo.ai | General privacy inquiries, data subject requests |