DPDP Compliance

The Digital Personal Data Protection Act 2023 (“DPDP Act”) governs how digital personal data is processed in India. Kapis AI Tech Pvt Ltd acts as a Data Fiduciary when we process personal data of brand operators and their end-users. You · the individual whose data is being processed · are a Data Principal.

This page summarises how we meet our obligations under the Act. For how data is collected and used, see our Privacy Policy. For our overall agreement with you, see our Terms of Service.

We process your personal data only for the following lawful purposes, consistent with §§ 4 and 7 of the DPDP Act:

• Specific consent. The consent you provide when you sign up, redeem an invite, or upload content. Consent is informed, specific, and freely given · and you can withdraw it at any time.
• Performance of a contract. Processing necessary to deliver the service you signed up for · generating Brand Brains, hosting them, exporting adapters, invoicing.
• Compliance with law. Processing to meet our legal obligations · tax records, fraud prevention, response to lawful requests from authorities.
• Legitimate uses as listed in § 7 of the Act, including security and prevention of fraud.

Under the DPDP Act, you have the following rights, exercisable by emailing ops@kbie.ai with the subject line DPDP REQUEST:

• Right to access. Get a summary of the personal data we hold about you and the processing activities we have undertaken with it.
• Right to correction and erasure. Ask us to correct inaccurate data or delete data we no longer need.
• Right to grievance redressal. File a grievance with our Grievance Officer (see § 5 below).
• Right to nominate.Nominate another individual to exercise your rights in case of death or incapacity. Email us with the nominated person’s details.
• Right to withdraw consent. Withdraw consent at any time, after which we will stop processing on the consent basis. This does not affect the lawfulness of processing prior to withdrawal.

We will respond to verified rights requests within 30 days.

Kapis is a B2B service. We do not knowingly process data of children (under 18 in India) or of persons with disabilities who have a lawful guardian, except with verified parental or guardian consent. If you believe we hold such data, contact our Grievance Officer immediately.

Per § 8(10) of the DPDP Act, we have designated a Grievance Officer for you to address concerns about how we process your personal data:

If you remain unsatisfied with our response, you may escalate to the Data Protection Board of India per § 13 of the Act.

Some of our sub-processors are located outside India (LLM inference providers, error monitoring, payment processors · listed in our Privacy Policy). Under § 16 of the DPDP Act, the Central Government may restrict transfer to certain countries. We comply with all such notifications. For EEA Data Principals we additionally use Standard Contractual Clauses for any GDPR-relevant transfer.

In the event of a personal data breach as defined in § 8(6) of the Act, we will:

• notify the Data Protection Board of India in the form and manner prescribed (currently within 72 hours of becoming aware);
• notify each affected Data Principal in clear, plain language with details of the breach, likely consequences, and steps we are taking;
• document our response and the lessons learned, and feed those into our security posture.

As of the date of this policy, Kapis is not a Significant Data Fiduciary (“SDF”) under § 10 of the Act. If we are designated as an SDF, we will appoint a Data Protection Officer (DPO), conduct independent data audits, undertake periodic data protection impact assessments, and update this page accordingly.

We will update this page when our practices change, when our sub-processors change, when the Act’s rules are finalised, or when our SDF status changes. Material changes are announced via email to registered accounts at least 14 days in advance.

For DPDP-specific questions: ops@kbie.ai (subject line: DPDP Question). For other privacy questions, see our Privacy Policy.