Privacy Policy

1. Introduction

Kraver AI Pvt. Ltd. ("Kraver.ai," "we," "us," or "our"), incorporated in India and headquartered at Green Park, Delhi, India, is committed to protecting the privacy and personal data of all individuals who interact with our platform, website (kraver.ai), and services.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA), the DPDP Rules, 2025, and other applicable Indian laws. By using our services, you acknowledge that you have read and understood this policy.

For the purposes of the DPDPA, Kraver AI Pvt. Ltd. acts as the Data Fiduciary — the entity that determines the purpose and means of processing your personal data.

2. Key Definitions (As Per DPDPA)

• Personal Data: Any data about an individual who is identifiable by or in relation to such data, in digital form.
• Data Principal: The individual to whom the personal data relates — i.e., you, the user.
• Data Fiduciary: The entity (Kraver AI Pvt. Ltd.) that determines the purpose and means of processing personal data.
• Data Processor: Any entity that processes personal data on behalf of the Data Fiduciary.
• Consent: Free, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes, signifying agreement to the processing of their personal data.
• Data Protection Board of India (DPBI): The statutory enforcement body established under the DPDPA to adjudicate complaints and impose penalties.

3. Personal Data We Collect

We collect the following categories of personal data, limited to what is necessary for the stated purposes:

3.1 Data You Provide Directly

• Identity Data: Full name, job title, company name.
• Contact Data: Email address, phone number, business address.
• Communication Data: Content of messages you send us via the contact page, email, or scheduling tools (e.g., Calendly).
• Account Data: Login credentials if you create an account on our platform.

3.2 Data Collected Automatically

• Usage Data: Pages visited, time spent, click patterns, referral source.
• Device Data: Browser type, operating system, screen resolution, IP address.
• Cookie Data: Functional and analytics cookies as described in our Cookie Consent banner. You may manage cookie preferences at any time via the cookie settings on our website.

3.3 Data Collected from Third-Party Sources

We may receive your personal data from third-party platforms and services in the following circumstances:

• LinkedIn Events & Webinars: When you register for a Kraver.ai-hosted event on LinkedIn, LinkedIn shares your registration data (name, email, job title, company) with us as the event organiser. This data is processed solely for the purpose of event communication, follow-up, and providing you with relevant compliance resources.
• Social Media Interactions: If you interact with our content on LinkedIn, Twitter, or other social platforms, we may receive limited profile information (name, profile URL) as part of platform analytics.
• Partner Referrals: If you are referred to us by a partner organisation, they may share your contact details (name, email, company) with your knowledge. We will contact you only to introduce our services and will obtain your direct consent before any further processing.
• Calendly & Scheduling Tools: When you book a meeting via Calendly, your name, email, and any information you provide in the booking form is shared with us by Calendly as a data processor.

For all data received from third parties, we will: (a) inform you of the source of your data upon first contact or within 30 days, (b) provide you with this Privacy Policy, (c) obtain your consent for any processing beyond the original purpose, and (d) honour all Data Principal rights including access, correction, and erasure.

3.4 Data We Do Not Collect

We do not collect Aadhaar numbers, biometric data, financial account details, health records, caste, religious beliefs, political opinions, or any special category data unless explicitly required for a specific compliance service and with your separate, informed consent.

4. Purpose of Processing & Lawful Basis

Under Section 4 of the DPDPA, we process your personal data only for lawful purposes. The table below sets out each purpose and its lawful basis:

We will never process your personal data for a purpose incompatible with the original purpose for which it was collected, unless we obtain your fresh consent.

5. Consent Management

In accordance with Section 6 of the DPDPA, we obtain your consent before collecting personal data. Our consent mechanism is:

• Free: Not tied to or bundled with unrelated services.
• Specific: Clearly stating the purpose for which data is collected.
• Informed: Accompanied by a clear privacy notice describing what data is collected and why.
• Unconditional: Not conditioned on accepting unrelated terms.
• Unambiguous: Requiring an affirmative action (no pre-ticked boxes).

Withdrawal of Consent

You may withdraw your consent at any time by contacting us at [email protected]. Withdrawal of consent is as easy as giving it. Upon withdrawal, we will cease processing your personal data for the consented purpose and delete it within 30 days, unless retention is required by law.

6. Data Retention & Deletion

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law. Specific retention periods:

• Contact enquiries: 12 months from last interaction, then deleted.
• Customer account data: Duration of the service relationship + 3 years for legal compliance.
• Analytics data: Anonymised after 26 months (Google Analytics default).
• Legal/tax records: As required by Indian law (typically 7-8 years).

When data is no longer needed, it is securely deleted or anonymised so that it can no longer be associated with you. We do not retain personal data "just in case."

7. Your Rights as a Data Principal

Under the DPDPA, you have the following rights. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

• Right to Access (Section 11): You can request a summary of the personal data we hold about you and the processing activities performed on it.
• Right to Correction (Section 12): You can request correction of inaccurate or incomplete personal data.
• Right to Erasure (Section 12): You can request deletion of your personal data when the purpose of processing has been fulfilled or consent is withdrawn.
• Right to Grievance Redressal (Section 13): You have the right to file a grievance with us regarding any aspect of our data processing. Our Grievance Officer will acknowledge your complaint within 48 hours and resolve it within 30 days.
• Right to Nominate (Section 14): You may nominate another individual to exercise your data rights in the event of your death or incapacity.
• Right to Withdraw Consent: As described in Section 5 above.

If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India (DPBI).

8. Data Sharing & Third Parties

We do not sell your personal data. We share personal data only in the following limited circumstances:

• Service Providers (Data Processors): Trusted third parties who process data on our behalf — such as cloud hosting (Indian data centres), email delivery, analytics, and scheduling tools. All processors are bound by data processing agreements requiring DPDPA-compliant security safeguards.
• Legal Obligations: Where required by Indian law, court order, or direction from the Data Protection Board of India.
• Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred to the successor entity, who will be bound by this Privacy Policy.

We maintain a register of all Data Processors and conduct periodic audits to ensure compliance.

9. Cross-Border Data Transfers

Under Section 16 of the DPDPA, personal data may be transferred outside India unless the Central Government restricts transfer to specific jurisdictions. As of April 2026, no restricted country list has been published.

Where we use service providers located outside India (e.g., Google Analytics, Calendly), we ensure that:

• Contractual safeguards are in place requiring the provider to protect your data to standards equivalent to the DPDPA.
• Data transfers are limited to what is strictly necessary.
• We will comply immediately with any future government restrictions on cross-border transfers.

10. Data Security Safeguards

In accordance with Section 8 of the DPDPA, we implement reasonable security safeguards to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:

• Encryption: All personal data is encrypted in transit (TLS 1.3) and at rest (AES-256).
• Access Controls: Role-based access with multi-factor authentication for all team members.
• Infrastructure: Hosted on cloud infrastructure with SOC 2 and ISO 27001 certified providers.
• Monitoring: Continuous security monitoring and vulnerability scanning.
• Incident Response: Documented breach response plan with notification to the DPBI and affected Data Principals within the prescribed timelines.

11. Children's Data

Our services are designed for businesses and professionals. We do not knowingly collect personal data from children under the age of 18. In accordance with Section 9 of the DPDPA, if we become aware that we have collected personal data from a child without verifiable parental consent, we will delete it immediately.

If you believe we have inadvertently collected a child's data, please contact us at [email protected].

12. Cookies & Tracking Technologies

Our website uses cookies to enhance your experience and analyse usage patterns. When you first visit our site, a cookie consent banner allows you to choose which categories of cookies to accept:

• Strictly Necessary: Required for the website to function. These cannot be disabled.
• Analytics: Help us understand how visitors interact with our website (e.g., Google Analytics). Enabled only with your consent.
• Marketing: Used for targeted advertising. Enabled only with your consent.
• Preferences: Remember your settings for a personalised experience. Enabled only with your consent.

You can change your cookie preferences at any time via the cookie settings on our website. You can also clear cookies through your browser settings.

13. Data Breach Notification

In the event of a personal data breach, we will:

• Notify the Data Protection Board of India (DPBI) within the prescribed timeline under the DPDP Rules.
• Notify CERT-In within 6 hours as required under the Information Technology Act.
• Notify affected Data Principals without undue delay, providing details of the breach, data affected, and remedial actions taken.

14. Grievance Officer

In accordance with Section 13 of the DPDPA, we have appointed a Grievance Officer to address your concerns regarding data processing:

If your grievance is not resolved satisfactorily, you may file a complaint with the Data Protection Board of India.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the DPDPA/DPDP Rules. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Notify registered users via email for significant changes.
• Obtain fresh consent where required by the DPDPA.

We encourage you to review this page periodically.

16. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: