Privacy Policy

1. INTRODUCTION

H2loop AI Pvt Ltd, having its registered office at COWRKS, 5th floor, D-block, Centennial EPIP Zone, Brookfield, Bengaluru, Karnataka 560048, India, is hereinafter referred to as “We”, “Us”, “Our', “Company” or “H2loop”. We have created this Privacy Notice [hereinafter also referred to as “Policy” or “Notice” or “Privacy Statement”] in order to demonstrate our privacy commitment to our users. We hereby request individuals who qualify as data subjects under the Indian Digital Personal Data Protection Act (DPDPA) and the EU General Data Protection Regulation (GDPR) to read this statement, together with any privacy statement we may provide on specific occasions when we are collecting or processing personal data about them, so that they are aware about the processing of their personal data throughout its lifecycle.

2. APPLICABILITY

This Policy applies to the personal data all vendors, visitors, existing and prospective customers, existing and prospective employees and other individuals who provide their personal data to the Company and all such individuals are hereinafter referred to as “Data Subject”.

3. OBJECTIVE OF THIS POLICY

This Privacy Policy, as mentioned above, is intended to inform you on how we gather, define, and use Personal Data that you provide to us when using our websites, software (the “Application”) and social media platforms or when relying on our services.

This Privacy Policy will primarily help you understand:

The nature of personal data we collect from you
The sources from where your personal data is collected (In cases where personal data is not directly collected from you)
The manner in which your personal data is collected
The purpose of collecting your personal data
The manner in which your personal data is stored, used and processed
The data subject rights that can be exercised by you
The process to contact the Company for any issues regarding the collection or use of your personal data or to exercise the above-mentioned rights of the data subject.

4. CATEGORY OF PERSONAL DATA COLLECTED AND USED

Personal Data collected by H2loop primarily consists of:

Personal Data
The below personal data elements may be collected from you:
1. Name
2. Email id
3. Location
4. IP Address
5. Cookie Data
6. Social media handles
7. User tokens provided by different applications
8. Details pertaining to user connection and disconnection.
Sensitive Personal Data
We do not collect sensitive personal data via website. In case, sensitive personal data is required to provide services, we will obtain consent or provide notification to data subject before collection.
Cookies
We may obtain information about your usage of our site by using a cookie file which is stored on your browser or on the hard drive of your computer. Cookies contain information that is transferred to your computer's hard drive. They help us to improve our site and to deliver a better and more personalised service. Some of the cookies we use are essential for the site to operate. If you continue to use our site, you agree to our use of cookies.
When visitors come to our site, third parties may place cookies on visitors' browsers for targeted advertising purposes. You may avoid that by utilizing ad blocker on your browser.
The types of data collected will include IP addresses, cookie identifiers, website activity and in the cases where customer fills out a form, it will include all field information filled out by the customer.
For more details, please contact us- admin@h2loop.ai

5. HOW WE COLLECT YOUR DATA

We collect your data through various methods to provide and improve our services. These methods include:

Data provided by visitors on website via web forms, email, chat box, etc.: When visitors interact with our website, they may choose to provide information through web forms, email inquiries, or chat boxes. This data may include contact details, inquiries, feedback, or any other information voluntarily shared by the visitor.
Data provided by users when signing up, connecting, or using the application: Users are required to provide certain information when signing up for or using our application. This information may include personal details such as name, email address, username, password, and any additional information required to create and manage their account or use our services.
Cookies: We use cookies and similar technologies to collect information about users' interactions with our website and application. Cookies are small text files stored on users' devices that track user activity, preferences, and session information. Users may adjust their browser settings to refuse cookies or to be notified when cookies are being sent, although this may affect the functionality of our website or application.

6. PURPOSE OF PROCESSING PERSONAL DATA

We use your data to conduct our business and to provide you with the best possible services. Most commonly, we will use your personal data in the following circumstances:

Where we need to perform the service contracts we have entered with you;
Where we need to comply with a legal obligation;
Where it is necessary for our legitimate interests (such as processing personal data to prevent fraud, for internal administrative purposes relating to employees and clients, to ensure network and information security, and to report possible criminal acts or threats to public security to a competent authority), and your interests and data subject rights and interests do not override those legitimate business interests;
To enable use of the services available.
To send statements, invoices and payment reminders and to collect payments;
To send non-marketing commercial communications;
To send email notifications that you have specifically requested for;
To send marketing communications relating to our business or the businesses of carefully-selected third parties where you have specifically agreed to this, by email or similar technology. However, you may inform us at any time if you no longer require such marketing communications;
To provide third parties with statistical information about our users in anonymized or de-identified format wherein those third parties will not be able to identify any individual user from that information;
To deal with enquiries and complaints made;
To keep our website and other systems secure and to prevent fraud;
Where you have given us the explicit consent to do so.

7. CHANGE OF PURPOSE

We will only use your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis, which allows H2loop to do so.

Please note that we may process your personal data without knowledge or consent, in compliance with the above rules, where it is required or permitted by law.

Please note that if you wish to opt-out of any such processing activities for purposes other than the original purpose, you can reach out to us by writing to us at: admin@h2loop.ai

8. USE OF SERVICES BY MINORS (CHILDREN DATA)

We are committed to protecting the privacy of children online. Our services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under this age. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately so that we can take appropriate action.

In instances where we may collect personal information from children under 13 with parental consent, we adhere to the following guidelines:

Parental Consent: We obtain verifiable parental consent before collecting, using, or disclosing personal information from children under the age of 13. This consent may be obtained through various means, such as a consent form signed by the parent or guardian.
Notice to Parents: We provide parents or legal guardians with clear notice of our information practices regarding children's personal information, including the types of information collected, how it is used, and any disclosures to third parties.
Limited Information Collection: We collect only the minimum amount of personal information necessary to participate in the activity, service, or contest for which the information is being collected. We do not condition a child's participation in an activity on the disclosure of more personal information than is reasonably necessary to participate.
Parental Rights: Parents or legal guardians have the right to review the personal information collected from their children, request its deletion, and refuse further collection or use of the information. They can exercise these rights by contacting us using the contact information provided below.
Data Security: We maintain reasonable security measures to protect the confidentiality, security, and integrity of the personal information collected from children, including encryption, restricted access, and regular security assessments.
Retaining Parental Consent Records: We retain records of verifiable parental consent for a reasonable period of time to ensure compliance with applicable privacy regulations.

9. WHERE DO WE STORE DATA

Your data is securely stored within the infrastructure provided by Microsoft Azure, specifically Azure Blob Storage and Azure Cosmos DB. These services offer robust security features and compliance certifications to ensure the confidentiality, integrity, and availability of your information.

Azure Blob Storage: Your data files, documents, and other stored content are housed within Azure Blob Storage, a highly scalable and durable object storage service. Azure Blob Storage utilizes multiple layers of security controls, encryption methods, and access management features to safeguard your data against unauthorized access, data loss, and other security threats.

Azure Cosmos DB: Your structured data and database records are stored in Azure Cosmos DB, a fully managed NoSQL database service. Cosmos DB provides high availability, automatic scaling, and built-in security features to protect your data at rest and in transit. Additionally, Cosmos DB offers encryption options and access controls to ensure the confidentiality and integrity of your stored information.

Security Measures

Both Azure Blob Storage and Azure Cosmos DB adhere to industry-leading security best practices and compliance standards, including but not limited to:

Encryption: Data stored in Blob Storage and Cosmos DB can be encrypted using encryption keys managed by Azure Key Vault for enhanced security.
Access Controls: Access to your data within Blob Storage and Cosmos DB is controlled through Azure Active Directory (AAD), allowing us to manage permissions and restrict access based on roles and policies.
Compliance: Azure undergoes regular security audits and certifications, including SOC 1, SOC 2, ISO 27001, HIPAA, and GDPR, to demonstrate adherence to industry standards and regulatory requirements.

10. INFORMATION SHARING AND DISCLOSURE

We may disclose your personal data to our employees, officers, insurers, professional advisers, agents, partners, suppliers, vendors or subcontractors insofar as reasonably necessary for the purposes set out in this policy and for the purpose of providing services to you. We may share user data with third-party vendors to enhance and support our services. These vendors include Meilisearch and OpenAI. Additionally, we will be sharing user keys with Truto for specific purposes. These third-party vendors are carefully selected based on their capabilities and commitment to data security and privacy.

Purpose of Data Sharing: User data may be shared with these third-party vendors for various purposes, including but not limited to:

Enhancing the functionality and features of our services.
Providing personalized experiences and recommendations.
Conducting data analysis and research to improve our products and services.
Facilitating specific integrations or partnerships to deliver additional value to users.

Data Protection Measures: We take appropriate measures to ensure the confidentiality, integrity, and security of user data when sharing it with third-party vendors. These measures include:

Implementing data processing agreements with vendors to outline data protection obligations.
Restricting access to user data to only those individuals or systems necessary for the intended purposes.
Regularly monitoring and auditing third-party vendors' compliance with data protection standards.
Encrypting sensitive data and employing secure transfer methods to prevent unauthorized access or interception.

User Consent and Control: We obtain user consent where required by law or regulation before sharing any personally identifiable information with third-party vendors. Users may have the option to opt out of certain data sharing activities or revoke consent at any time by adjusting their privacy settings or contacting us directly.

Except as provided in this policy, we will not provide your personal data to any other third party.

11. CROSS-BORDER DATA TRANSFERS

We may transfer your data across borders to fulfill the purposes outlined in this privacy notice. Specifically, your data is primarily stored in data centers located in the Mumbai region, India while at rest. However, it may be necessary to share your data with third-party vendors located internationally, such as OpenAI (which is based in the US), to provide certain services or functionalities.

Purpose of Cross-Border Data Transfer: The cross-border transfer of your data is conducted to enable collaboration with trusted third-party vendors for purposes such as data analysis, machine learning, and enhancing the functionality of our services. These vendors have been carefully selected based on their expertise, reliability, and commitment to data protection standards.

Data Protection Measures: We take appropriate measures to ensure the security and confidentiality of your data during cross-border transfers, including:

Implementing data processing agreements or similar legal mechanisms with third-party vendors to ensure they provide an adequate level of protection for your data, in line with regulations like GDPR and DPDPA.
Utilizing encryption and secure transfer protocols to safeguard data during transit.
Conducting due diligence on third-party vendors to assess their data protection practices and compliance with relevant regulations.

Consent to Cross-Border Data Transfer: By using our services and consenting to this privacy notice, you acknowledge and agree to the transfer of your data internationally as described above. You also consent to the processing of your data by third-party vendors in accordance with their respective privacy policies and terms of service.

12. AUTOMATED DECISION-MAKING

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.

We do not envisage that any decisions will be taken about you using automated means. However, we will notify you in writing if there is any adoption of such techniques in our business processes.

13. DATA SECURITY

We take data security seriously and employ industry best practices to safeguard your information. Our commitment to protecting your data includes adhering to the principles of security and privacy established by relevant regulations. All information you provide to us will be secured using strict procedures and security features to try to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed by us.

Best Practices and Principle of Least Privilege: We implement and follow the Principle of Least Privilege, which ensures that access to your data is restricted to only those individuals or systems that require it to perform their designated tasks. This practice minimizes the risk of unauthorized access, data breaches, and misuse of information.

Encryption Standards: Your data is encrypted using the Advanced Encryption Standard (AES) with a key length of 256 bits (AES-256). AES-256 is a widely recognized and trusted encryption algorithm that provides a high level of security by converting your data into an unreadable format that can only be decrypted with the appropriate encryption key. This encryption ensures the confidentiality and integrity of your data both at rest and in transit.

Additional Security Measures: In addition to encryption and the principle of Least Privilege, we implement a range of security measures (technical and organisational measures) to protect your data, including but not limited to:

Access control policy and procedures in place: We have established and documented guidelines for controlling access to data and systems, including role-based access control and segregation of access control roles. We employ access controls and authentication mechanisms to verify the identity of users and restrict access to authorized personnel only.
Asset management: We maintain an inventory and tracking system for all digital and physical assets to ensure their security and integrity.
Change management: We follow structured procedures for implementing changes to our systems, applications, and infrastructure to minimize risks and maintain stability.
Business continuity: We have plans and protocols in place to ensure the continuation of critical operations in the event of disruptions or disasters.
Password Management: We enforce secure password practices, including complexity requirements and regular password updates, to protect against unauthorized access.
Two-factor authentication: We utilize additional authentication methods beyond passwords, such as biometric verification or one-time codes, to enhance account security.
Logging and monitoring: We maintain comprehensive logs of system activities and employ monitoring tools to detect and respond to security incidents in real-time.
Network and communication security: We implement measures to secure our network infrastructure and communication channels, including firewalls, encryption, and intrusion detection systems.
Backup and Restoration: We regularly back up data and systems to secure locations and have procedures in place for swift restoration in the event of data loss or system failure.
Physical and Environmental Security: We have measures in place to protect physical assets and facilities, including access controls, surveillance, and environmental controls to mitigate risks such as theft, vandalism, or environmental hazards.
Regular Security Audits: We conduct regular security audits and assessments to identify and address potential vulnerabilities, weaknesses, and threats to our systems and infrastructure.
Employee Training: Our employees undergo training on data security best practices and are bound by confidentiality agreements to ensure the protection of your information.

We strive to maintain compliance with all applicable data protection laws and regulations. Furthermore, we continuously evaluate and improve our data security practices to adapt to evolving threats and technology advancements.

By using our services, you acknowledge and consent to the security measures described above. If you have any questions or concerns regarding the security of your data, please contact us at admin@h2loop.ai

14. DATA RETENTION

We will only retain your data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Your data will be stored in our secure servers. We will destroy the personal data in a secure manner post retention period as per our internal data retention and destruction policy.

In addition, we retain certain types of data for specified periods to fulfill our business and legal obligations. The retention periods for different categories of data are as follows:

Analytics Data: We retain analytics data, which includes aggregated and anonymized information about user interactions with our services, indefinitely for historical analysis, reporting, and improvement purposes. This data does not contain personally identifiable information and is used to understand usage trends and optimize our services.

User Credentials Data: User credentials data, such as usernames, email addresses, and encrypted passwords, is retained for as long as the user maintains an active account with us. If a user chooses to deactivate or delete their account, their credentials data will be deleted accordingly. However, if the user requests deletion of their account, we will securely delete their credentials data upon verification of the request.

Search Query Data: Search queries entered by users are retained for 01 year unless the user requests deletion of their data. We understand the sensitivity of search queries and will honor user requests to delete this data promptly.

You have the right to request access to, rectification of, or deletion of your personal information retained by us. If you would like to exercise your rights or have any questions about our data retention practices, please contact us at admin@h2loop.ai

15. DATA SUBJECT RIGHTS

RIGHTS UNDER THE DPDPA (INDIA)

Under the Data Protection and Privacy Act (DPDPA), you have certain rights regarding the processing of your personal data. These rights include:

Right to Access Information about Personal Data: You have the right to obtain confirmation from us as to whether or not your personal data is being processed and, if so, to access the personal data and information about how it is being processed.

Right to Correction: You have the right to request the correction of inaccurate or incomplete personal data concerning you.

Right to Erasure: You have the right to request the erasure of your personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected or when you withdraw your consent.

Right to Nominate: You have the right to nominate individuals to exercise their rights in case of death or incapacity.

Right to Grievance Redressal: If you believe that we have violated your data protection rights under the Indian DPDPA, you have the right to accessible grievance redressal mechanisms through us, ensuring prompt responses within prescribed timeframes. Before seeking higher authorities, you must exhaust this redressal opportunity, promoting effective dispute resolution.

RIGHTS UNDER THE GDPR (EUROPEAN UNION)

Under the General Data Protection Regulation (GDPR), you have certain rights regarding the processing of your personal data. These rights include:

Right to Access: You have the right to obtain confirmation as to whether or not your personal data is being processed, and, if so, to access the personal data and information about how it is being processed.

Right to Rectification: You have the right to request the rectification of inaccurate or incomplete personal data concerning you.

Right to Restriction of Processing: You have the right to request the restriction of processing of your personal data under certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful.

Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.

Right to Object: You have the right to object to the processing of your personal data under certain circumstances, such as when the processing is based on legitimate interests or for direct marketing purposes.

Rights in Relation to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Withdrawal of Consent: If we are processing your Personal Information based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, it may limit your ability to use some/ all of our Services or Platform and you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Information, if such use or disclosure is necessary to enable you to utilize some or all of our Services and Platform.

Right to File Complaint: You have the right to lodge a complaint about our practices with respect to your Personal Information with the supervisory authority of your country or EU Member State. Please go to https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.html to locate your Data Protection Authority in the EU.

16. HOW TO EXERCISE YOUR DATA SUBJECT RIGHTS

If you wish to exercise any of the rights listed above, with respect to this Privacy Policy, our Terms or Use, and/or Personal Data, please contact us at admin@h2loop.ai. We will respond to your request without undue delay and in any event within one month of receipt of the request. We may extend this period by two further months where necessary, taking into account the complexity and number of requests.

No Fee Usually Required: There is no fee required to exercise your rights under the GDPR. However, if your requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request. Rights of Data Subjects.

For your protection, we may only implement requests with respect to the personal data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. The Company will act on all data subject requests received without undue delay and respond within one month (30 days) of receipt, post completion of necessary verification checks.

Please note that we may need to retain certain personal data for record-keeping purposes and/or to complete any undertaking that you began prior to requesting a change or deletion. There may also be residual information which may be subject to a legal hold or subject to certain sectoral or regulatory retention requirements that will remain within our databases and other records, which will not be removed.

Please note that (i) if we delete your Personal Information as requested, we will no longer be able to provide our services to you and (ii) we may need to keep such Personal Information for a while during the shutting down and billing process.

Please note that if you opt-out of receiving direct marketing from us, we may still send you important administrative messages via email, such as invoicing and payment details, current status of dispatch or delivery of purchased products, etc. from which you cannot opt out (unless an applicable retention schedule or right to erasure request requires deletion of such email address).

Withdraw consent: If you withdraw your consent for the use or disclosure of your personal data for purposes set out in this Privacy Notice, you may not have access to all our Services and we might not be able to provide you all of the Services and customer support offered to our users and authorized under this Privacy Notice. We will continue to send updates to you about any existing orders or enquiries for purchase of products or services that you have made from us in the past.

17. DATA PROTECTION OFFICER

We have appointed a Data Protection Officer (DPO) to oversee our compliance with data protection laws and regulations. The DPO's role includes monitoring our data processing activities, providing advice and guidance on privacy matters, and serving as a point of contact for data subjects and regulatory authorities.

If you have any questions, concerns, or requests related to the processing of your personal information or our privacy practices, you may contact our Data Protection Officer using the following contact information: admin@h2loop.ai

We are committed to complying with all applicable data protection laws and regulations, and we will make reasonable efforts to ensure that your personal information is processed in accordance with these regulations.

If you have any questions or concerns about this Data Protection Officer clause or our privacy practices, please contact our Data Protection Officer at the provided contact information.

18. GRIEVANCE REDRESSAL

If you have any questions, grievances, or requests regarding the processing of your personal information or our privacy practices, please contact us using the following contact information:

Email ID: admin@h2loop.ai

Procedure for Grievance Redressal:

Submission of Grievance: You can submit your grievance or complaint to us via email, mail, or through our designated grievance redressal portal, if available. Please provide as much detail as possible to help us understand the nature of your concern.
Investigation: Upon receipt of your grievance, we will promptly initiate an investigation to assess the validity of your concerns and determine the appropriate course of action. We may request additional information from you to assist in our investigation.
Response: We will provide you with a written response to your grievance within a reasonable timeframe, typically within [insert timeframe as per internal policies or regulatory requirements]. Our response will include the outcome of our investigation and any remedial actions taken or proposed.
Appeal Process: If you are not satisfied with our response or believe that your grievance has not been adequately addressed, you may have the right to escalate your complaint to relevant regulatory authorities or seek legal remedies as provided by applicable laws.

We will not retaliate against you for filing a grievance or complaint regarding the processing of your personal information. Your privacy rights are important to us, and we are committed to addressing your concerns in a fair and transparent manner.

We are committed to complying with all applicable privacy regulations and will make reasonable efforts to ensure that your personal information is processed in accordance with these regulations.

19. CHANGES TO THIS PRIVACY POLICY

(a) The policy is subject to modification from time to time. If we decide to change our policy, we will post those changes here with date of change and version history so that you will always know what personal data we gather, how we might use that personal data and whether we will disclose it to anyone.
(b) We may also notify you in other ways such as email from time to time and notification in the application about changes or modifications to our privacy policy.

Privacy policy