Privacy Policy

Version 1.0 · Last updated 21 May 2026

Aaida Technology Solutions (“Aaida”, “we”, “us”) operates the Aaida BRSR reporting and compliance platform (the “Platform”). This Privacy Policy explains how we handle Personal Data. It is written to align with India’s Digital Personal Data Protection Act, 2023 (DPDPA) and, for applicable users, the EU/UK GDPR.

1. Our two roles

  • As a processor / Data Processor: For the BRSR disclosure data and user accounts our customers (listed companies) manage on the Platform, the customer is the controller / Data Fiduciary and we process on their instructions under a Data Processing Agreement. Questions about that data should go to the customer.
  • As a controller / Data Fiduciary: For data we collect in our own right — prospects who contact us, billing contacts, and our own personnel — this policy governs directly.

2. Personal Data we handle

We handle authorised-user account data (name, work email, role, hashed password, MFA enrolment, session metadata); audit-trail records (actor identity and timestamps); value-chain partner contact data the customer collects; and, where we act as controller, prospect/marketing and billing contact data. We do not seek special-category / sensitive personal data, and ask customers not to enter it into free-text fields.

3. Why we process it & legal basis

We process Personal Data to provide, secure, and support the Platform (performance of contract / legitimate use); to communicate with you about your account or enquiry; to comply with law (including retaining audit and filing-evidence records); and, for prospect data, with your consent where required. We do not sell Personal Data and do not use it for advertising.

4. Sub-processors & sharing

We share Personal Data only with the sub-processors needed to run the Platform — currently Supabase (database/auth/storage, India region), Vercel and Cloudflare (hosting/CDN), Upstash (rate-limiting), Backblaze B2 (encrypted backups), Sentry (error monitoring), our email provider, GitHub (code), and, on opt-in only, Anthropic (AI features, never tied to identifiable personal data). Each is bound by a data-protection contract. We may also disclose data where required by law.

5. Storage, location & security

Customer data is hosted in India (Supabase India region). We protect Personal Data with tenant isolation, encryption in transit and at rest, MFA, append-only audit logging, least-privilege access, and tested backups. International transfers, where they occur, use appropriate safeguards.

6. Retention

We keep Personal Data only as long as necessary for the purposes above or as required by law, then delete it. Audit-trail and statutory-evidence records follow our one-year-plus audit-log retention; backups age out on a rolling cycle of up to 30 days. Customer data is returned or deleted on contract end per the Data Processing Agreement.

7. Your rights

Depending on the law that applies to you, you may have rights to access, correct, complete, update, or erase your Personal Data, to withdraw consent, to grievance redressal, and to nominate. For data managed by a customer of ours, please contact that customer; we will assist them. For data we control, contact us at privacy@aaidatechnology.com. You may also complain to the Data Protection Board of India or your supervisory authority.

8. Children

The Platform is a business tool not directed at children and we do not knowingly collect children’s data.

9. Changes & contact

We will update this policy as the Platform or the law changes and revise the “Last updated” date. Contact our Data Protection Officer at privacy@aaidatechnology.com, Aaida Technology Solutions, Bengaluru, India.