Legal · v1.0.0
Privacy Policy
Last updated 2026-05-06.
This Privacy Policy explains how The Deep Intelligence (operating as Deepint AI; “we”, “us”, “our”) collects, stores, uses and shares (together, “processes”) information when you use our services (the “Services”) – for example when you visit https://deepintshield.com or any other website of ours that links to this Policy, sign in to the DeepintShield dashboards, call our APIs, install our SDKs, or interact with us through sales, marketing or events.
Reading this notice will help you understand your rights and choices. If you do not agree with our practices, please do not use the Services. For questions, write to legal@deepintshield.com.
Summary of key points
This summary captures the headline points; full detail follows the table of contents below.
- What we process. When you use the Services, we may process personal information depending on how you interact with us, the choices you make and the features you use. See Section 1.
- Sensitive categories. We do not routinely process sensitive personal data or information as defined under the SPDI Rules, 2011 or the DPDP Act, 2023.
- Third-party data. We do not buy personal information about you from third parties.
- How we use it. To provide, operate, secure, support and improve the Services, to comply with law, and (with your consent) for product communications.
- Sharing. Only with sub-processors and categories of recipients described in Section 4, under appropriate confidentiality and data-protection obligations.
- Security. We use organisational and technical safeguards described in Section 9.
- Your rights. Under the DPDP Act, 2023 you have rights of access, correction, erasure, withdrawal of consent, nomination and grievance redressal. See Section 11.
- How to exercise them. Write to legal@deepintshield.com from the email associated with your account.
Table of contents
- What information do we collect?
- How do we process your information?
- What legal bases do we rely on to process your personal information?
- When and with whom do we share your personal information?
- Do we use cookies and other tracking technologies?
- How do we handle your social logins?
- Is your information transferred internationally?
- How long do we keep your information?
- How do we keep your information safe?
- Do we collect information from minors?
- What are your privacy rights?
- Controls for Do-Not-Track features
- Do Indian residents have specific privacy rights?
- Do we make updates to this notice?
- How can you contact us about this notice?
- How can you review, update or delete the data we collect from you?
1. What information do we collect?
Personal information you provide. We collect personal information that you voluntarily provide when you register for the Services, request information about us, take part in features, or otherwise contact us. The information we collect depends on how you interact with the Services and may include your name, email address, organisation, role, password (stored as a one-way hash), and any other information you choose to share with us.
Sensitive information. We do not request and do not knowingly process sensitive personal data or information (as defined under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 – the “SPDI Rules”) for our own purposes. You should not submit sensitive personal data through the Services unless your use case strictly requires it; if you do, you remain the controller of that data and must have the lawful basis to do so.
Payment data. If you make a purchase, we may collect data needed to process the payment, such as a payment-instrument identifier and tokens issued by our payment processor. We do not store full card numbers, CVVs or full bank-account details – these are handled by the processor under their own privacy notice. Indian customers may be asked for GSTIN and PAN to enable tax invoicing under the Central Goods and Services Tax Act, 2017 and the Income-tax Act, 1961.
Social login data. Where you choose to sign in via Google, Microsoft Entra or another single sign-on (SSO) provider, we receive identity-provider data as described in Section 6.
All personal information you provide to us must be true, complete and accurate. Please notify us of any changes.
Information we collect automatically. Some information is collected automatically when you visit or use the Services. It does not, by itself, identify you, but may include device and usage information, such as your Internet Protocol (IP) address, user agent, operating system, language preference, referring URLs, locale, approximate region, and information about how and when you use the Services. We collect this primarily to operate and secure the Services and for internal analytics. Categories include:
- Log and usage data. Service-related diagnostic, usage and performance information that our servers automatically collect when you access or use the Services and that we record in log files. Depending on how you interact with us, this may include your IP address, browser type and settings, the date and time of your activity, the pages or features used, error reports, and hardware settings.
- Device data. Information about the computer, phone, tablet or other device used to access the Services, which may include device identifiers, browser type, hardware model, internet-service or mobile-network operator, operating system and configuration.
- Approximate location. An approximate region derived from your IP address. We do not collect precise GPS location.
2. How do we process your information?
We process personal information for a variety of reasons, depending on how you interact with the Services, including:
- Account creation and authentication. So you can create and log in to your account and manage user provisioning.
- Service delivery. To deliver the Services you have requested, including routing, governance, virtual-key management and audit logging.
- Support. To respond to your enquiries and resolve issues you raise.
- Service messages. To send security alerts, billing notices, password resets, changes to legal terms and other operational communications you cannot opt out of for as long as you have an account.
- Order management. To process payments, manage subscriptions, raise tax invoices and respond to refund or chargeback claims.
- Feedback. To request feedback from you and to contact you about your experience with the Services.
- Marketing communications. To send product updates and event invitations where you have separately opted in. You can opt out at any time using the link in any marketing email.
- Security and abuse prevention. To detect, investigate and respond to fraud, abuse and security incidents.
- Product improvement. To compute aggregated, de-identified analytics that help us improve the Services. We do not use Customer Data to train our models or any third party’s models.
- Marketing effectiveness. To understand which campaigns are useful and to improve their relevance.
- Vital interests. Where necessary to save or protect a person’s vital interests, such as preventing imminent harm.
- Legal obligations. To comply with our obligations under Indian law, including the Information Technology Act, 2000, the DPDP Act, 2023, GST law and applicable record-retention rules.
3. What legal bases do we rely on to process your personal information?
We process personal information only when we have a valid lawful basis under applicable data-protection law. As a Data Fiduciary under the DPDP Act, 2023, we rely on the following grounds:
- Consent. Where you have given us specific, informed, free and unambiguous consent for a defined purpose – for example, to create an account, to opt in to marketing emails, or to enable a non-essential feature. You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Legitimate uses. The DPDP Act, 2023 (§7) recognises specified “legitimate uses” including providing services or benefits explicitly requested, complying with law, performing functions under law and responding to medical or other emergencies. We rely on these where applicable.
- Contractual necessity. Where processing is required to deliver the features described in our Terms and Conditions.
- Compliance with legal obligations. Where we are required to process information to comply with Indian law (for example, tax-invoicing under §31 of the CGST Act, 2017, lawful interception under §69 of the Information Technology Act, 2000, or court orders).
- Vital interests. Where processing is necessary to protect the vital interests of you or another natural person.
If you are accessing the Services from the European Economic Area or the United Kingdom, we additionally rely on the lawful bases set out in the General Data Protection Regulation and the UK GDPR (consent, performance of a contract, legitimate interests, legal obligation and vital interests). Customers in Canada, Singapore or other regions may rely on equivalent local concepts including express and implied consent. Where we rely on legitimate interests, we have considered whether those interests are overridden by your fundamental rights and freedoms and can describe that assessment on request.
4. When and with whom do we share your personal information?
We share personal information only as needed to operate the Services and only with parties bound by appropriate confidentiality and data-protection obligations:
- Cloud hosting and database providers who host the gateway, audit logs, billing systems and back-office tools.
- Identity providers (Google, Microsoft Entra and other SSO sources you choose to use).
- Model and tool providers you select to route traffic to. Your prompts and tool inputs flow to that provider; we are not responsible for their independent processing under their own privacy notices.
- Payment and tax processors for billing, refunds and statutory compliance.
- Email-delivery and customer-support tools we use to send transactional emails and respond to your tickets.
- Observability and security tools used to monitor uptime, errors and abuse – typically receiving metadata only.
- Professional advisors (auditors, legal counsel, tax advisors) under confidentiality obligations.
- Acquirers and successors in the event of a merger, acquisition, reorganisation or sale of substantially all of our assets, with notice to you.
- Public authorities and courts where compelled by lawful order under Indian law (including §69 and §69A of the Information Technology Act, 2000, the Code of Criminal Procedure, 1973 and successor statutes) or by comparable foreign law.
- With your consent for any disclosure outside the cases described above.
A current list of sub-processors is available on request from legal@deepintshield.com. We do not sell personal information.
5. Do we use cookies and other tracking technologies?
We use cookies and similar technologies (such as web-storage entries and pixels) only as needed to operate the Services. The categories we set are:
- Strictly necessary cookies for session management, CSRF protection and load-balancer affinity. These cannot be disabled if you want to remain signed in.
- Preferences entries for theme, sidebar state and dismissal of UI prompts.
- First-party analytics for product usage at the page-view level. We do not run third-party advertising trackers, retargeting pixels or device-fingerprinting.
Most browsers allow you to refuse or clear cookies through their settings; doing so for strictly-necessary cookies will break login. We respect global privacy controls where applicable law requires it.
6. How do we handle your social logins?
The Services may let you sign in or register using a social or enterprise identity provider, such as Google, Microsoft Entra or another SSO source. When you do, we receive certain profile information from that provider – typically your name, email address, profile picture (if available) and provider-issued user identifier.
We use the information we receive only to enable sign-in, to display your account profile and (where you have granted us specific permissions) to populate your workspace. We do not control the privacy practices of the identity provider; please review the provider’s own privacy notice to understand how they collect, use and share information.
7. Is your information transferred internationally?
Our infrastructure is operated primarily from India. Some of our sub-processors (for example, certain email-delivery, payment-processor or model-provider sub-processors) may operate from outside India. Where personal information is transferred outside India, we rely on contractual safeguards consistent with the DPDP Act, 2023 and any restrictions notified by the Central Government regarding cross-border transfer. We will update this Policy if those rules change.
If you are in the European Economic Area or the United Kingdom, transfers of your personal information outside that region are made under safeguards that meet the requirements of the GDPR and the UK GDPR.
8. How long do we keep your information?
We retain personal information only as long as necessary for the purpose for which it was collected, plus any additional period required by law. Indicative retention periods:
- Account records: for the life of the account and up to ninety (90) days after closure, unless statutory retention applies.
- Authentication and security logs: typically twelve (12) months, longer where investigation or legal hold is required.
- Billing records and tax invoices: at least eight (8) years, in line with §36 of the Central Goods and Services Tax Act, 2017.
- Records of consent to legal terms: for the life of the account plus the limitation period under the Limitation Act, 1963.
- Customer Data: under your control and retained per your account configuration; deleted on your verified request, subject to legal exceptions.
When we no longer need personal information, we will delete or anonymise it; if that is not feasible (for example, where data is held in backup) we will isolate it from further processing until deletion is possible.
9. How do we keep your information safe?
We use technical and organisational measures appropriate to the risk and consistent with industry practice to protect personal information, including encryption in transit, encryption at rest for primary data stores, hashed credential storage, role-based access control, audit logging, the principle of least privilege, network segmentation, vulnerability management and incident-response procedures.
However, no electronic transmission over the internet or storage technology can be guaranteed to be secure; we cannot promise that unauthorised third parties will not be able to defeat our security and improperly collect, access, steal or modify your information. Where a personal-data breach is likely to result in risk to the rights of users, we will notify affected users and the Data Protection Board of India, and report to CERT-In, in line with applicable law and the timelines set by the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 and the Digital Personal Data Protection Rules.
10. Do we collect information from minors?
The Services are not directed to children under eighteen (18). We do not knowingly solicit personal information from children, and we do not knowingly market to them. If we learn that personal information of a child under 18 has been collected without verifiable parental consent as required by §9 of the DPDP Act, 2023, we will take reasonable steps to delete that information. If you believe a child has provided us with personal information, please contact legal@deepintshield.com.
11. What are your privacy rights?
Under the DPDP Act, 2023 and other applicable law, you have the following rights:
- Access. A summary of personal information we process about you and the categories of recipients with whom we have shared it.
- Correction. Correction of personal information that is inaccurate, incomplete or misleading.
- Updating and completion. Updating or completing personal information held about you.
- Erasure. Erasure of personal information that is no longer needed for the purpose for which it was collected, subject to legal retention obligations.
- Withdrawal of consent. Withdrawal of consent at any time, with effect from the time of withdrawal.
- Nomination. Nomination of another individual to exercise your rights in the event of your death or incapacity, in line with §14 of the DPDP Act, 2023.
- Grievance redressal. A right to lodge a grievance with our Grievance Officer (Section 12 of the website’s contact details below) and, if not satisfied, to escalate to the Data Protection Board of India.
If you are in the European Economic Area or the United Kingdom and believe we are unlawfully processing your personal information, you also have the right to lodge a complaint with your local data-protection authority. To exercise any right, write to legal@deepintshield.com from the email associated with your account or by another verified channel we may reasonably request. We will consider and act on your request within the timelines set by applicable law.
Withdrawing consent. Where we rely on consent, you may withdraw it at any time. You can also opt out of marketing emails through the unsubscribe link in any marketing email. Operational messages cannot be opted out of for as long as your account is active.
12. Controls for Do-Not-Track features
Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) signal you can activate to express your preference not to have data about your online activities monitored and collected. There is currently no agreed technical standard for recognising and acting on DNT signals, and we do not currently respond to them. If a final standard is adopted in future, we will update this Policy to describe how we honour the relevant signal.
13. Do Indian residents have specific privacy rights?
If you are a resident of India, you have specific privacy rights under the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000 and the SPDI Rules, 2011, summarised below.
- Notice. A right to receive a clear notice of the personal data being processed and the purpose for which it is processed (§5 of the DPDP Act, 2023).
- Consent. A right to give and to withdraw free, informed, specific, unconditional and unambiguous consent (§6).
- Access, correction and erasure. Rights of access (§11), correction and erasure (§12) of your personal data.
- Grievance redressal. A right to grievance redressal (§13) and to escalate to the Data Protection Board of India.
- Nomination. A right to nominate another person to exercise your rights in the event of your death or incapacity (§14).
- Duties. The DPDP Act, 2023 also imposes duties on Data Principals (§15), including not registering false or frivolous grievances and providing authentic information when exercising rights of correction or erasure.
We have published the contact details of our Grievance Officer in Section 15 below. If you are not satisfied with how a grievance is handled, you may approach the Data Protection Board of India once it is constituted.
Other regions. Customers located in the European Economic Area, the United Kingdom, California or other jurisdictions may have additional rights under their local law. Please contact us using the details below to exercise those rights.
14. Do we make updates to this notice?
We may update this Privacy Policy from time to time to reflect changes in our practices, in technology or in applicable law. The date at the top of this page tells you when it was last updated. Where the changes are material, we will notify you by email or through the Services and, where required, request fresh acceptance the next time you sign in. We encourage you to review this Policy from time to time to stay informed about how we protect your information.
15. How can you contact us about this notice?
In line with rule 3(2) of the SPDI Rules, 2011, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and §10 of the DPDP Act, 2023, the Grievance Officer is reachable at:
Office of the Grievance Officer
The Deep Intelligence
Alpine Fiesta, Hoodi Main Road
Saketha Nagar Layout, Hoodi
Bengaluru 560048, Karnataka, India
Email: legal@deepintshield.com
We will acknowledge a grievance within seventy-two (72) hours of receipt, redress it within fifteen (15) days for issues falling under the IT Rules 2021, and within thirty (30) days for other matters – or sooner where the law requires it. For general questions about this notice, write to legal@deepintshield.com; for operational support, write to support@deepintshield.com.
16. How can you review, update or delete the data we collect from you?
Based on applicable law, you have the right to request access to the personal information we hold about you, details of how we have processed it, correction of any inaccuracies, withdrawal of consent or erasure of your personal information, subject to legal retention obligations. To make any such request, please write to legal@deepintshield.com from the email associated with your account, or use the in-product controls where available. We may need to verify your identity before responding.