Privacy Policy

Effective: May 2026  ·  ArthaVedh Consulting & Products Limited

1. Introduction

ArthaVedh Consulting & Products Limited (“ArthaVedh,” “we,” “us,” or “our”) provides enterprise AI governance infrastructure through our products and services: CertiVus (AI governance certification), Stanli (BFSI compliance intelligence), ArthaTRACK (operational telemetry), and the Clarvus governance platform.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you interact with any ArthaVedh product, service, website, or advisory engagement.

We are committed to protecting your privacy in compliance with the Indian Digital Personal Data Protection Act 2023 (DPDP Act), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws worldwide.

2. Data Controller

The data controller for all personal data processed across ArthaVedh products is:

ArthaVedh Consulting & Products Limited

India

Legal & Data Protection: legal@arthavedh.com

General enquiries: info@arthavedh.com

3. Data We Collect

3.1 Account & Identity Data. Name, email address, organisation name, role, and authentication credentials. We never store plaintext passwords.

3.2 Organisational Data. Company information, billing address, GSTIN (where applicable), and jurisdiction details provided during onboarding or advisory engagements.

3.3 Product Usage Data. Platform interactions, feature usage patterns, API call metadata, session timestamps, and browser/device information used to deliver and improve our services.

3.4 Assessment & Governance Data. Governance scores, audit trail records, compliance evidence, policy configurations, and certification outputs generated through CertiVus, Stanli, ArthaTRACK, and the Clarvus platform. This data is institutional in nature and handled with the highest confidentiality.

3.5 Repository & Source Data (CertiVus). For code assessment services, repository metadata (URL, branch, language, framework) is processed. Source code is handled in isolated, ephemeral environments and is never stored on our servers.

3.6 Field & Operational Data (ArthaTRACK). Geo-location data, field productivity metrics, and operational telemetry collected for enterprise field execution intelligence. This data is processed strictly under the terms of the enterprise engagement and is never used for profiling beyond the contracted purpose.

3.7 Billing Data. Plan selection, payment method metadata (last 4 digits, expiry), and invoice history. Full payment card details are processed by our payment processors (Razorpay, Stripe) and never stored on our servers.

3.8 Communication Data. Emails, support tickets, feedback, and advisory engagement correspondence.

4. How We Use Your Data

We process your personal data for the following purposes:

  • Service Delivery: Operating governance platforms, running assessments, and generating certification evidence (Legal basis: Contract performance)
  • Account Management: Authentication, authorisation, and subscription management (Legal basis: Contract performance)
  • Advisory Delivery: Conducting AI readiness assessments and governance architecture engagements (Legal basis: Contract performance)
  • Security: Fraud detection, abuse prevention, rate limiting, and audit logging (Legal basis: Legitimate interest)
  • Improvement: Aggregated, anonymised analytics to improve assessment quality and governance framework accuracy (Legal basis: Legitimate interest)
  • Communication: Service notifications, security alerts, and product updates (Legal basis: Legitimate interest / Consent for marketing)
  • Legal Compliance: Responding to lawful requests from regulatory authorities (Legal basis: Legal obligation)

5. Source Code — Special Provisions (CertiVus)

Source code submitted for governance assessment is given the highest level of protection:

  • Processed in isolated, ephemeral compute environments destroyed after each assessment
  • Never stored on our servers, databases, or backup systems
  • Never used for AI model training, fine-tuning, or improvement
  • Never accessed by our employees, contractors, or support staff
  • Never shared with any third party beyond what is necessary for assessment processing

Third-party AI inference providers used for assessment are bound by contractual obligations prohibiting code retention, storage, or training use.

6. Data Sharing

We do not sell your personal data. We share data only in these limited circumstances:

  • AI Inference Providers: Data transmitted for governance assessment processing (ephemeral, contractually zero-retention)
  • Payment Processors: Razorpay (India) and Stripe (international) for payment processing
  • Infrastructure Providers: Cloud hosting providers for service delivery (data encrypted at rest and in transit)
  • Legal Requirements: When required by law, court order, or government request
  • Business Transfer: In the event of merger, acquisition, or sale, with equivalent privacy protections maintained

7. Data Security

ArthaVedh governs its own AI systems under the same standards we advise enterprises to adopt. Our data security posture reflects this:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Bcrypt password hashing with salt
  • Tenant isolation — complete data separation between organisations
  • Rate limiting and account lockout policies
  • Regular security assessments and penetration testing
  • Access controls with principle of least privilege
  • Audit logging of all data access operations
  • Cryptographic integrity of governance evidence records

8. Data Retention

8.1 Governance & Assessment Data: Retained for 12 months by default. Enterprise engagements may configure custom retention aligned to their regulatory requirements.

8.2 Account Data: Retained for the duration of your account plus 30 days after deletion.

8.3 Audit Logs: Retained for 12 months for security and regulatory compliance purposes.

8.4 Source Code (CertiVus): Zero retention — destroyed immediately after assessment completion.

8.5 Advisory Engagement Records: Retained for the duration of the engagement plus 24 months, in accordance with professional services obligations.

9. Your Rights

Depending on your jurisdiction, you have the following rights:

  • Access (DPDP Act Sec. 11 / GDPR Art. 15): Request a copy of your personal data
  • Correction (DPDP Act Sec. 12 / GDPR Art. 16): Request correction of inaccurate data
  • Erasure (DPDP Act Sec. 13 / GDPR Art. 17): Request deletion of your personal data
  • Data Portability (GDPR Art. 20): Export your data in a machine-readable format
  • Objection (GDPR Art. 21): Object to processing based on legitimate interest
  • Withdraw Consent: Withdraw consent at any time for consent-based processing
  • Grievance Redressal (DPDP Act): File a grievance with our Data Protection Officer

To exercise these rights, contact us at legal@arthavedh.com. We respond within 30 days.

10. Cookies & Tracking

We use essential cookies for authentication and session management only. We do not use third-party tracking cookies, advertising pixels, or behavioural tracking. Analytics data is aggregated and anonymised. No personal data is shared with advertising networks.

11. International Transfers

If your data is transferred outside India or the EEA, we ensure adequate protection through Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards as required by applicable law.

12. Children’s Privacy

Our services are designed for enterprise use and are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we discover that we have collected data from a child, we will delete it promptly.

13. AI Systems & Automated Decision-Making

ArthaVedh products use AI systems for governance assessment, compliance analysis, and operational intelligence. We do not make legally significant automated decisions about individuals without human oversight. All AI-generated outputs are treated as advisory inputs subject to institutional review, consistent with the REAPS governance principles we publish and operate under.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or in-product notification at least 30 days before taking effect. Your continued use of our services after the effective date constitutes acceptance of the updated policy.

15. Contact & Grievance

For privacy inquiries, data requests, or grievances:

ArthaVedh Consulting & Products Limited

Legal & Data Protection: legal@arthavedh.com

General Enquiries: info@arthavedh.com

Under the DPDP Act, you may also file a complaint with the Data Protection Board of India.

Under the GDPR, you may file a complaint with your local supervisory authority.