Privacy Policy

Edilitics is managed and operated byDecision Sciences & Analytics Private Limited, a company incorporated under the Companies Act, 2013, having its registered office at WeWork NESCO IT Park, Building 4, Western Express Highway, Goregaon (East), Mumbai, Maharashtra 400063 (“Edilitics”, “we”, “us”, or “our”). CIN: U72200MH2021PTC360344; Date of Incorporation: 13 May 2021. + The company acts as the data fiduciary or controller, as applicable, for the processing + of account, billing, support, and platform telemetry data, and as a data processor for + customer-supplied workspace data under written agreements.Edilitics operates from Mumbai, India, and provides data analytics and AI-powered workflow products to customers worldwide. Our Services are priced in both INR and USD, depending on your billing region. This Privacy Policy explains how we collect, use, and protect your information across all Edilitics modules, including AskEdi, Integrate, Vizualize, Transform, and Replicate. This document is an electronic record under the Information Technology Act, 2000 and applicable rules, generated by a computer system and not requiring physical or digital signatures.

We comply with globally recognised privacy principles and frameworks, including the Digital Personal Data Protection Act (DPDP 2023 – India) and the EU/UK General Data Protection Regulation (GDPR). Our infrastructure and controls are aligned with SOC standards for security, availability, and confidentiality.

This Policy applies to all visitors, registered users, and customers who access or use the Edilitics Platform, our websites, or any connected integrations. By continuing to use our Services, you agree to this Policy. If you do not agree, please discontinue use and contact support@edilitics.com for assistance.

We may update this Privacy Policy periodically to reflect new features, regulations, or subprocessors. Material updates will be notified via email or in-app message.

User testimonials or content you voluntarily share on our website or marketing channels may include your name, role, or organisation details only with your explicit consent.

“Platform” refers to the Edilitics SaaS environment accessible via web or API, including its modules – AskEdi, Integrate, Vizualize, Transform, and Replicate.

“Services” means all analytics, AI, integration, or data-processing features made available through the Platform.

“Personal Information” (PI) means any data relating to an identified or identifiable individual, including but not limited to name, email address, account credentials, payment information, and online identifiers.

“Sensitive Personal Information” (SPI) includes data such as financial information, government IDs, or biometric identifiers that require enhanced protection under applicable laws.

“Cookies” are small data files used by browsers to remember user preferences and sessions. Edilitics itself does not deploy proprietary cookies but may rely on third-party analytics cookies, as described later.

“Controller” and “Processor” are used as defined in global data-protection frameworks. In most cases, Edilitics acts as the Processor for data uploaded or generated by customers, and as the Controller for account and billing data.

Signal: When you sign up, we process your email domain (and, where applicable, public DNS metadata) to determine whether it’s a personal mailbox (e.g., gmail.com) or an organisational domain. This helps us assign the correct account type.

Purpose: Ensuring service integrity, anti-abuse detection, and access to team-specific features. We do not access or read email content for this purpose.

Legal basis / lawful purpose: For EU/UK users, processing is based on performance of contract (account creation) and legitimate interest (fraud prevention). For India, it is processed with notice for a reasonable purpose under DPDP 2023.

We collect only the information necessary to operate and improve our Services. This includes account data, payment information, usage metrics, and limited technical telemetry. We never sell personal data.

Children & Age Limits: Our Services are intended for adults (18+) and are not directed toward children. If we become aware of a minor’s registration without proper consent, we will delete their data unless retention is required by law.

Identity & Access Data: Name, email address, password (encrypted), and workspace association. We may also receive OAuth identifiers from Google or GitHub solely for authentication.

Usage & Telemetry: Metadata on workspace activity, module usage, and system performance. Used to improve reliability and deliver support.

Uploads & Integrations: Files, images, and configuration data uploaded by you are stored securely in Google Cloud Storage (India – Asia South region) and encrypted at rest. Integrations like Slack notifications, Razorpay payments, and Google/GitHub OAuth involve limited data exchange strictly for functionality.

Cookies & Local Storage: Edilitics itself does not place marketing cookies. We use Google Analytics and Tag Manager for aggregate site metrics. Session tokens may persist in Redux store or, temporarily, in local storage for sign-in continuity.

Real-time event metadata (WebSockets/SSE): To deliver in-app notifications, quota usage/updates, and live dashboard refreshes, we process minimal transport metadata such as connection/session IDs, routing keys, event types, timestamps, and workspace/resource identifiers. Payloads are limited to what is necessary for the event and scoped to authorised viewers in the relevant workspace. This metadata is not used for profiling or marketing.

Sensitive Personal Information (SPI) refers to data that merits additional protection, including financial details, health-related information, and credentials such as passwords or government IDs.

We collect SPI only where strictly necessary – for example, billing information processed through our payment provider (Razorpay) to complete transactions. We do not store full card numbers on our servers.

Any SPI you voluntarily submit – for example in uploaded data – is treated as confidential and processed only under your workspace’s access policies.

Equivalent protections apply in all regions. Terms like “special category data” (GDPR) or “sensitive personal data” (US/UK/India) are covered under this single definition.

We use Personal Information and workspace data to operate, secure, and improve the Services; provide support; and deliver account and billing functions. We do not sell Personal Information.

Product operations: account provisioning, role-based access control, feature enablement, telemetry, and reliability.

Communications: service updates, security notices, invoices, and support responses. You can opt out of non-essential marketing communications at any time.

Governance & security: audit logging, fraud/abuse prevention, vulnerability management, and incident response.

AI-powered features across modules: Certain modules - including Integrate, AskEdi, and Visualise - provide AI-assisted functionality such as prompt-based querying, summarisation, or transformation. Each session begins with user-controlled settings that define what contextual data may be shared with approved model providers. Users can include or exclude specific columns, even where datasets contain Personal or Sensitive Personal Information (PII/SPI). Only the data explicitly permitted by the user for that session is transmitted for inference. Model providers are used strictly for inference; no training on customer data is permitted by default for enterprise/API usage. Future modules with AI capabilities will follow the same principle of user-defined sharing and inference-only processing.

Module scope and processing boundaries: All modules run primarily within Edilitics’ secure Google Cloud tenancy (Asia-South, India). Certain AI-enabled capabilities may leverage approved external inference providers as described above, but no module transmits data beyond those explicitly authorised providers. Non-AI features, data transformations, and storage functions are executed entirely within Edilitics’ controlled infrastructure.
Replicate & Transform flows: Data used in these modules is processed within ephemeral, short-lived compute environments (Cloud Run jobs) that are instantiated per execution and destroyed immediately upon completion. No user data is written to persistent storage within these environments. This design minimises the blast radius of any potential incident and enhances isolation between workspaces.

Real-time services: We use secure real-time transports (e.g., WebSockets, Server-Sent Events, or equivalent) to push quota deductions/additions, in-app notifications, and live dashboard updates to authenticated users. Events are access-controlled, tenant-scoped, and rate-limited. Message payloads contain only the fields necessary for the intended action. Where available, users may mute or configure certain notification types.

We disclose Personal Information to subprocessors strictly as needed to provide the Services (e.g., hosting, payments, email delivery, analytics). Each subprocessor is bound by confidentiality and security obligations under written agreements.

Legal, safety & integrity: We may disclose information (including audit logs) where required by law, to respond to lawful requests, or where reasonably necessary to protect the rights, security, or integrity of users and the Service (e.g., fraud/abuse prevention, incident response).

Business transfers: In a merger, acquisition, or asset sale, your information may be transferred subject to equivalent protections. Where processing materially changes, you will have an opportunity to object or discontinue use as applicable.

Third-party integrations (opt-in): When you connect applications like Slack, only the data necessary to perform the integration (e.g., channel ID and notification content) is transmitted. Disconnecting the integration stops further transmission.

Cross-border processing: Primary processing and storage occur in the Asia-South (India) region. Where international transfers are necessary (e.g., for support or global infrastructure), we implement appropriate safeguards to ensure substantially equivalent protection.

Real-time broadcasts: We do not broadcast customer content to third parties. Real-time events are delivered only to authenticated recipients within your workspace according to access controls.

Overview: We work with carefully selected subprocessors to host and operate the Services. They are engaged under written agreements requiring confidentiality, security, and compliance with applicable data-protection laws.

Core infrastructure: The Platform is hosted on Google Cloud Platform (GCP) with workloads and storage in the Asia-South (India) region. Storage is handled via Google Cloud Storage (GCS) with encryption at rest; data in transit is protected with TLS.

Subprocessors (as of October 2025):

• Google Cloud Platform (GCP) - Hosting, storage, networking, and managed services (India – Asia-South region).
• OpenAI, Anthropic, Google DeepMind (Gemini) - LLM inference for AI-powered features across modules. We do not permit training on customer data by default.
• Razorpay - Payment processing for INR and USD billing with compliance to applicable RBI requirements; Edilitics does not store full card numbers.
• Brevo (Sendinblue) - Transactional/service email delivery.
• Slack Technologies, LLC - Optional user-initiated integration to receive workspace or AI-generated notifications in Slack. Transmitted data is limited to what is needed for the notification (e.g., channel ID, message content, workspace identifier).
• Google Analytics & Google Tag Manager - Website analytics and tag management for marketing site visitors; not required for core logged-in platform features.
• Google / GitHub OAuth - Identity providers used for authentication (limited identifiers only).

Updates: We review and update this list periodically. Material subprocessor changes will be reflected in this Policy and, where required by law, notified in advance.

Infrastructure & controls: The Platform operates on Google Cloud Platform (Asia-South, India) with encryption in transit (TLS 1.2+) and at rest (AES-256). All production systems are monitored and access-controlled via least-privilege IAM.

Application security: We maintain role-based access control, continuous vulnerability scanning, automated dependency checks, and audit logging across all modules. Security testing is part of every release cycle.

Authentication & token storage: Session tokens are securely persisted using encrypted Redux-persist storage. In limited flows, a temporary token may reside in localStorage to support short-lived authentication events. Tokens never contain credentials or Personal Information and are transmitted only over HTTPS.

Incident response: Any detected or suspected breach is investigated immediately, with user notification where required by law. Audit trails and evidence are retained for forensic review.

Third-party integrations: Connections such as Slack use secure OAuth authentication. Revoking the integration disconnects the data flow instantly and deletes any cached tokens.

Audit logs & access tiers: Workspace audit logs (user/admin actions, system events, AI request metadata) are retained in line with our security and compliance obligations. Live log access in the app depends on your plan (e.g., 7/30/90 days). Beyond live access windows, logs are encrypted at rest and stored in tenant-scoped folders in Google Cloud Storage (GCS) with strict access controls and monitoring.

Transport security for real-time channels: Real-time connections use wss:// (TLS) and are established with short-lived authentication tokens. Authorisation is enforced at connect and per-message where applicable to prevent cross-tenant access. Messages and metadata are encrypted in transit; tenancy isolation applies to channels and subscriptions. We do not expose third-party public brokers directly to clients.

Overview: Edilitics does not deploy proprietary tracking cookies. Only essential session identifiers and third-party analytics tools (Google Analytics, Google Tag Manager) may set cookies, subject to user consent where required.

Purpose: Analytics cookies help us understand website traffic patterns and improve site performance. They do not identify individuals or track logged-in platform usage.

Control: You can manage or disable analytics cookies via your browser or device settings. Our core platform functionality does not depend on analytics or marketing cookies.

Users may withdraw consent for processing that is based on consent at any time by contacting support@edilitics.com. Withdrawing consent does not affect processing performed before the withdrawal.

Marketing communications include an unsubscribe link or equivalent control. System and transactional notices (security alerts, invoices, password resets) cannot be opted out of as they are essential to service operation.

For analytics cookies, consent can be managed through browser settings or by enabling “Do Not Track.” Respect for such signals will be applied where technically feasible.

General retention: Personal Information is retained only as long as necessary to fulfil the purpose for which it was collected, including legal, accounting, and reporting requirements.

Workspace data: Data uploaded or generated in your workspace is retained until deleted by the workspace owner or until your account is terminated. Back-ups are purged within 30 days of deletion.

AI session data & chat history: Prompts, model responses, and related metadata are retained for as long as the user or workspace maintains the chat to support “continue chat” and historical context. When a chat is deleted, associated content is removed from active storage; minimal audit records (timestamps, anonymised identifiers) may be retained as required for security, fraud prevention, and legal obligations. All inputs, outputs, and metadata are encrypted in transit and at rest.

Legal retention: Records required by applicable laws (e.g., tax, audit, regulatory) are retained for the statutory period.

Audit logs (security/forensics): Live access to logs in the product is provided according to plan tier (e.g., 7/30/90 days). Thereafter, logs are archived in encrypted, tenant-scoped GCS storage for up to 24 months to support security investigations, incident response, legal compliance, and service integrity. Archived logs are not used for profiling or marketing and are accessible only to authorised personnel under least-privilege controls. Where applicable law or contract requires a shorter/longer period, we will apply that schedule.

Real-time transport logs: Connection events, delivery status, and error codes for real-time channels are treated as audit/ops logs and retained per our audit-log schedule (see above). These logs are encrypted at rest in tenant-scoped storage and are not used for marketing or profiling.

You may review, update, or correct your Personal Information through your account settings. For changes to billing or legal identity, contact support@edilitics.com.

Requests to delete or export your data will be honoured within reasonable time frames and in accordance with applicable law and data portability provisions.

Identity verification may be required before processing certain requests to protect against unauthorised access or deletion.

Scope: Certain modules - including Integrate, AskEdi, and Visualise - provide AI-assisted functionality (e.g., natural-language querying, summarisation, transformation). Future modules with AI features will follow the same controls described here.

User-controlled sharing: Each chat/session begins with user-defined settings that control what contextual data may be shared with approved model providers. Users can include or exclude specific columns, including those that may contain Personal or Sensitive Personal Information (PII/SPI). Only the data explicitly allowed by the user for that session is transmitted for inference.

Inference-only use: Model providers are engaged solely to generate responses to your prompts. We do not permit training on customer data by default for enterprise/API usage.

Auditability: We maintain audit logs for AI requests (timestamps, request IDs, provider and policy references, and response summaries) to support governance, incident response, and abuse prevention. See Retention for how long these logs are kept.

De-identified improvement (Edilitics-hosted models only): We may use de-identified, aggregated context (e.g., schema names, column descriptions, generated queries or logic) to improve model quality on our own infrastructure. This information is stripped of tenant/user identifiers and cannot reasonably be linked back to an individual or organisation.

Encryption: All AI inputs, outputs, and intermediate metadata are encrypted in transit and at rest within our Google Cloud tenancy (Asia-South, India).

India (DPDP 2023): You may request access, correction, erasure, and withdrawal of consent; you may also raise grievances via our support channel. We process digital personal data for lawful purposes with notice and choice.

EU/EEA & UK (GDPR/UK GDPR): Depending on context, processing is based on performance of contract, legitimate interests, or consent. You may have rights to access, rectification, erasure, restriction, portability, and objection. International transfers, where necessary, are subject to appropriate safeguards.

US (CCPA/CPRA): We disclose categories of personal information processed and involved third parties. Subject to law, you may have rights to know, delete, correct, and opt out of certain processing (including “sharing” for cross-context behavioural advertising). We do not discriminate against you for exercising your privacy rights.

International transfers: Primary processing occurs in the Asia-South (India) region. Where transfers are necessary (e.g., global support or model endpoints), we implement appropriate safeguards to ensure substantially equivalent protection.

Cookies (EU/UK): Non-essential analytics cookies (e.g., Google Analytics) are set only with your consent via the cookie banner. You can withdraw consent at any time in your browser settings.

How to exercise your rights: Email support@edilitics.com. We may request additional verification to protect your account.

Deletion vs. retention duties: When you request deletion, we remove Personal Information from active systems except where retention is required for legal, security, or fraud-prevention purposes (e.g., audit logs). In such cases, data is isolated from routine use and deleted upon expiry of the applicable retention schedule.

The Services are not directed to, and we do not knowingly collect Personal Information from, children under the age of 18. If we become aware that a child has provided us with Personal Information, we will delete such data from our systems without undue delay. Parents or guardians who believe their child has provided us data may contact us at support@edilitics.com for prompt assistance.

In accordance with applicable data protection laws, you may contact our designated Data Protection Contact (Grievance Officer) for any questions, requests, or concerns about how your Personal Information is handled.

Grievance Officer (India):
Name: Data Protection Contact – Edilitics
Email: support@edilitics.com
Address:
DECISION SCIENCES & ANALYTICS PRIVATE LIMITED
WeWork NESCO IT Park
Building 4, Western Express Highway
Goregaon (East), Mumbai
Maharashtra 400063
Hours: Monday – Friday, 10:00 AM – 7:00 PM IST

For users located in other jurisdictions, please direct all privacy inquiries to the same email address above, and they will be routed to the appropriate contact or regional representative.

We may update this Privacy Policy from time to time to reflect operational, legal, or regulatory changes. The “Last Updated” date at the top of the page indicates the latest revision. Continued use of the Services after such updates constitutes acceptance of the revised Policy.

Material updates will be announced through reasonable means such as in-product notifications, email, or banners on our website prior to taking effect.

Questions, feedback, or concerns regarding this Privacy Policy can be directed to:

DECISION SCIENCES & ANALYTICS PRIVATE LIMITED
WeWork NESCO IT Park
Building 4, Western Express Highway
Goregaon (East), Mumbai – 400063
Maharashtra, India
Email: support@edilitics.com