Privacy Policy

Last updated: 1 January 2026 · Effective date: 1 January 2026

This Privacy Policy explains how SpycAI Pvt Ltd collects, uses, stores, and protects your personal data when you use our platform and services. Please read it carefully.

1. Who We Are

SpycAI Pvt Ltd ("SpycAI", "we", "us", or "our") is a company incorporated in India (CIN: U72900MH2026PTC000000) with its registered office in Mumbai, Maharashtra. We operate the SpycAI platform — a suite of AI-powered WhatsApp, SDR outreach, and voice agents for small and medium businesses. For privacy-related queries, contact our Data Protection Officer at: privacy@SpycAI.com

2. Information We Collect

Account & Identity Data: Name, email address, phone number, company name, GST number (if provided), and billing address when you register or subscribe.

Usage & Interaction Data: Conversation logs between your customers and our AI agents (WhatsApp messages, voice call transcripts, SDR outreach records), dashboard activity, feature usage, and session metadata.

Payment Data: Billing details processed via Razorpay (India) or Stripe (international). We do not store full card numbers — payment processors handle PCI-DSS compliance.

Technical Data: IP address, browser type, device identifiers, cookies, and log data collected automatically when you use our platform.

Customer Data (Tenant Data): Data your end-customers share with your AI agents (names, phone numbers, queries). You are the data controller for this data; we process it on your behalf as a data processor.

3. How We Use Your Information

We use your data to:

• Provide, operate, and improve the SpycAI platform and AI agents
• Process payments and send invoices
• Send transactional emails (account alerts, usage warnings, billing receipts)
• Send product updates and marketing communications (opt out anytime)
• Detect fraud, abuse, and security threats
• Comply with legal obligations under Indian law (IT Act 2000, DPDP Act 2023)
• Conduct analytics to improve AI model accuracy and platform performance

We do not sell your personal data to third parties.

4. Data Storage & Residency

All data belonging to Indian customers is stored on DigitalOcean servers located in the Bangalore (BLR1) region. We use PostgreSQL with Row-Level Security (RLS) to ensure strict tenant isolation — your data is never accessible to other tenants. Voice call transcripts are stored encrypted at rest using AES-256. PII within transcripts is automatically redacted before long-term storage. Backups are retained for 30 days in the same geographic region.

5. Data Sharing & Third-Party Sub-Processors

We share data only with trusted sub-processors required to deliver our service:

• Meta (WhatsApp Cloud API) — message delivery
• Deepgram / Sarvam AI — speech-to-text for voice calls
• ElevenLabs — text-to-speech synthesis
• Twilio / Exotel — telephony infrastructure
• Razorpay / Stripe — payment processing
• AWS Lambda / DigitalOcean — cloud infrastructure
• Qdrant — vector database for knowledge retrieval
• Zoho / HubSpot / Pipedrive — CRM sync (only if you enable the integration)

All sub-processors are contractually bound to process data only as instructed and to maintain appropriate security standards. We do not share data with advertising networks.

6. Cookies & Tracking

We use essential cookies for authentication and session management, and first-party analytics cookies to understand platform usage. We do not use third-party advertising cookies. See our Cookie Policy for full details.

7. Your Rights Under DPDP Act 2023

Under the Digital Personal Data Protection Act, 2023 and applicable Indian law, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Request erasure of your data (subject to legal retention requirements)
• Withdraw consent for processing where consent is the legal basis
• Nominate a representative to exercise rights on your behalf
• File a complaint with the Data Protection Board of India

To exercise any of these rights, email privacy@SpycAI.com. We will respond within 30 days.

8. Data Retention

We retain your account data for the duration of your subscription plus 90 days after cancellation (to allow data export). Conversation logs are retained for 12 months by default; you can configure shorter retention in your dashboard settings. Payment records are retained for 7 years as required by Indian tax law.

9. Security Measures

We implement industry-standard security measures including:

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for data at rest
• Multi-factor authentication for all admin access
• Regular penetration testing and vulnerability assessments
• SOC 2-aligned access controls and audit logging
• Automatic PII redaction on voice transcripts

In the event of a data breach affecting your personal data, we will notify you within 72 hours as required by applicable law.

10. Children's Privacy

Our platform is intended for business use only and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact privacy@SpycAI.com immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email and by posting a notice on our platform at least 14 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

12. Contact Us

SpycAI Pvt Ltd — Data Protection Officer
Email: privacy@SpycAI.com
Address: Registered Office, Mumbai, Maharashtra – 400001, India