GDPR Compliance

1. Data Controller Information

Aditya Labs is operated by B Mohan, trading as Aditya Labs, Watford, Hertfordshire, United Kingdom. Aditya Labs ("we", "us", or "our") operates the AI agent platform at adityalabs.ai. Our role under the GDPR depends on the type of personal data being processed:

• Aditya Labs as Data Controller: We act as the data controller for personal data we collect directly, including account registration information (such as your name and email address), data collected from visitors to our website, and billing and payment details.
• Aditya Labs as Data Processor: When our business customers deploy AI agents and end users interact with those agents, the business customer is typically the data controller for the end-user conversation data. In this context, Aditya Labs acts as a data processor, processing end-user data on behalf of and under the instructions of the business customer.

A standard Data Processing Agreement (DPA) is available for business customers who require one. To request our standard DPA, email dpo@adityalabs.ai with the subject line "DPA Request" and we will send you our pre-signed DPA within 2 business days. For custom DPA requirements, contact us at the same address. If you have any other questions about how we process your data, you can also reach us at dpo@adityalabs.ai.

2. Legal Basis for Processing

We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

• Consent (Article 6(1)(a)): Where you have given clear consent for us to process your personal data for a specific purpose, such as subscribing to communications or enabling optional analytics.
• Contract Performance (Article 6(1)(b)): Processing that is necessary to fulfil our contractual obligations to you, including providing the AI agent platform, managing your account, and processing payments.
• Legitimate Interests (Article 6(1)(f)): Processing that is necessary for our legitimate business interests, such as improving our services, ensuring platform security, preventing fraud, and conducting internal analytics. We balance these interests against your rights and freedoms.

3. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data:

• Right to Access (Article 15): You have the right to request a copy of the personal data we hold about you and information about how it is processed.
• Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
• Right to Erasure (Article 17): You have the right to request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw consent.
• Right to Restrict Processing (Article 18): You have the right to request that we limit the processing of your personal data under certain circumstances.
• Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Right to Lodge a Complaint (Article 77): You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.

4. How to Exercise Your Rights

To exercise any of the rights described above, please contact us at dpo@adityalabs.ai. Please include sufficient information to identify yourself and specify the right you wish to exercise. We will respond to your request within 30 days of receipt. If your request is particularly complex, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for the delay within the initial 30-day period. There is no fee for exercising your rights unless the request is manifestly unfounded or excessive.

5. Data Processing Activities

We process the following categories of personal data in connection with the operation of our platform:

• Account Data: Name, email address, and authentication credentials used to create and manage your account.
• AI Conversation Data: Messages and interactions between end users and AI agents you create on our platform. This data is used to generate AI responses and provide analytics.
• Analytics Data: Usage metrics, agent performance data, and aggregated statistics to help you understand how your agents are performing and to improve our platform.
• Payment Processing Data: Billing information processed through Stripe. We do not store full credit card numbers on our servers. Stripe acts as a data processor and handles payment data in accordance with PCI DSS standards.

6. International Data Transfers

Your personal data may be transferred to and processed in the United States, where our infrastructure providers are located. This includes data stored by Supabase (database hosting), served through Vercel (application hosting), and processed by our AI model providers (OpenAI, Anthropic, Google Gemini, and Groq). For transfers of personal data from the European Economic Area (EEA) to countries outside the EEA that have not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure appropriate safeguards are in place. You may request a copy of the SCCs by contacting us at dpo@adityalabs.ai.

7. Sub-processors

We use the following third-party sub-processors to deliver our Service. Each sub-processor processes data only as necessary and under appropriate data processing agreements:

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Our retention periods are as follows:

• Account Data: Retained for as long as your account remains active. Upon account deletion, your data will be removed within 30 days, except where retention is required by law.
• AI Conversation (Chat) Data: Retained for 90 days from the date of the conversation, after which it is automatically deleted.
• Execution Logs: Retained for 1 year for debugging, security monitoring, and platform improvement purposes, after which they are automatically purged.

9. Data Protection Contact

If you have concerns about our data processing practices or wish to raise a data protection inquiry, you may contact our data protection contact:

• Data Protection Contact: B Mohan
• Email: dpo@adityalabs.ai
• Address: Watford, Hertfordshire, United Kingdom

We take all data protection inquiries seriously and will respond promptly to address your concerns.

10. Cookies

Our platform uses essential cookies (authentication session and CSRF protection) that are strictly necessary for the operation of the Service. We also use optional analytics cookies (Google Analytics 4 with anonymized IPs) to understand how visitors use our platform so we can improve it. Analytics cookies are only activated after you give explicit consent through our cookie consent banner, in full compliance with the GDPR and the ePrivacy Directive. You can change your cookie preferences at any time through the consent banner or your browser settings. We do not use advertising cookies or social media tracking cookies. For full details, see our Cookie Policy.

11. Children's Privacy

Our Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe we may have collected data from a child under 16, please contact us at dpo@adityalabs.ai.

12. Breach Notification (Articles 33 & 34)

In the event of a personal data breach, we follow a structured incident response process in accordance with Articles 33 and 34 of the GDPR:

• Supervisory Authority Notification (Article 33): We will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is not made within 72 hours, we will provide reasons for the delay.
• Data Subject Notification (Article 34): Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the breach to the affected data subjects without undue delay, describing the nature of the breach, the likely consequences, and the measures taken or proposed to address it.
• Incident Documentation: We maintain a record of all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken. This documentation is maintained regardless of whether the breach is required to be reported to the supervisory authority.

For business customers acting as data controllers, we will notify you of any breach affecting your end-user data without undue delay so that you can fulfil your own notification obligations.

13. Data Protection Impact Assessment (Article 35)

In accordance with Article 35 of the GDPR, we conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of natural persons. This includes, in particular:

• AI-powered customer interactions where personal data is processed at scale through our agent platform.
• Introduction of new features or sub-processors that significantly change how personal data is processed.
• Processing activities involving new technologies or novel applications of existing technologies.

Our DPIAs evaluate the necessity and proportionality of the processing, assess the risks to data subjects, and identify measures to mitigate those risks. We review and update DPIAs when there are material changes to the relevant processing activities.

14. Automated Decision-Making (Article 22)

Our AI agents provide conversational assistance only. They do not make automated decisions that produce legal effects or similarly significant effects concerning any individual. Specifically:

• AI agents answer questions, collect information, and facilitate tasks such as appointment scheduling and inquiry routing. They do not make decisions about credit, employment, insurance, legal rights, or access to services.
• All information collected by AI agents is reviewed and acted upon by the business customer's human staff. No binding decisions are made solely by the AI.
• Users interacting with any AI agent deployed on our platform can request human review of any interaction or outcome at any time by contacting the business that deployed the agent.

If you believe that an AI agent deployed through our platform has been used to make an automated decision that affects you, please contact us at dpo@adityalabs.ai and we will investigate the matter promptly.

15. Updates to This Policy

We may update this GDPR compliance page from time to time to reflect changes in our data processing practices or legal obligations. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. We encourage you to review this page periodically to stay informed about how we protect your personal data. Continued use of the Service after changes are posted constitutes acceptance of the updated policy.