Privacy Policy
Effective Date: 1st Aug 2025
Last Updated: 1st Aug 2025
1. Introduction
At AIVO Technologies Private Limited (“AIVO”, “we”, “our” or “us”), we believe that your privacy is not just a right but a fundamental trust. This Privacy Policy reflects our deep commitment to safeguarding your personal data and ensuring that you retain full control over the information you choose to share with us.
This Policy governs the use of our AI-powered document storage and retrieval application, AIVO DocAI (the “App”), and our associated websites and services (collectively, the “Services”). It outlines the types of personal data we collect, the purposes for which we process such data, and your rights under applicable data protection laws including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as well as other international privacy laws.
2. Scope of this Privacy Policy
This Privacy Policy applies to all users of our App and Services globally, unless specified otherwise. It applies whether you access our Services through a web interface, mobile application, desktop application, or through integrated APIs.
3. Data Controller
AIVO Technologies Private Limited is the data controller for all personal data collected through the App and Services.
Data Protection Officer (DPO): Mr. Kushal Singh
Email: support@mysmartassistant.ai
4. Categories of Personal Data Collected
4.1. Directly Provided Data
- Full name, email address, and phone number
- User credentials and profile preferences
- Identity documents (e.g., Aadhaar, PAN, Passport)
- Property records, bills, invoices, medical documents, legal contracts, and other user-uploaded files
4.2. Sensitive Personal Data
- Biometric data (e.g., facial recognition, fingerprint) used strictly for user authentication
- Health-related or financial data stored by you in the app
4.3. Device & Usage Data
- IP address, browser type, device information, OS
- Time of access, duration, and frequency of usage
- Crash logs, performance logs
4.4. AI Processing Data
- Prompts and queries entered for document search or retrieval
- Metadata extracted from stored documents
- Classification or summarisation outputs (only when enabled by user)
4.5. Website Data
- Cookies, pixels, and similar tracking tools
- Pages visited, referral sources, and click patterns
4.6. Integration Data
If you choose to connect third-party accounts such as Google Calendar, we may collect and process calendar-related data, including event titles, descriptions, times, participants, reminders, and synchronization metadata, solely for the purpose of providing you with calendar-based reminder or scheduling functionalities.
4.7. Communication Data
When you enable WhatsApp reminders or calls, we may process your phone number, message content, timestamps, delivery/read receipts, and call status for service notifications or reminder calls initiated through verified business channels.
5. Legal Basis for Processing
We process your personal data under the following legal bases:
- Consent: For optional AI classification/summarisation and biometric use, obtained via affirmative opt-in.
- Contractual Necessity: To deliver our core services and provide access to the App.
- Legitimate Interests: For enhancing security, preventing abuse, service analytics, and improving user experience.
- Legal Obligation: To comply with tax, regulatory, or judicial requirements.
6. Purposes of Data Processing
Your data is processed for the following specific purposes:
- To enable you to securely upload, classify, and retrieve your documents
- To verify your identity and ensure data is only accessible to you
- To improve performance of the AI engine (only when enabled)
- To deliver notifications, service updates, or critical system alerts
- To authenticate your access through optional biometric login
- To facilitate payment processing (if you opt for paid features)
- To ensure compliance with applicable laws and enforce our Terms
- To provide optional calendar synchronization, allowing you to receive document- or task-related reminders through Google Calendar.
- To send WhatsApp messages or automated reminder calls (5–10 minutes before scheduled actions) that you have opted in to receive, solely for service or reminder purposes.
- To record and retain proof of consent for such communications and to honour any opt-out requests.
7. AI and Machine Learning Use
AIVO DocAI incorporates Artificial Intelligence (AI) and Machine Learning (ML) functionalities to enhance user experience, streamline document management, and enable intelligent retrieval and summarisation of documents. These technologies are designed and deployed in a privacy-conscious manner, with clear user control, opt-in preferences, and strict data governance.
7.1 Nature and Scope of AI Processing
The App leverages AI models to perform the following actions:
- Natural Language Query Interpretation: Users may retrieve stored documents by typing or speaking natural language instructions (e.g., “show my electricity bill for April 2023”). Our AI engine interprets such commands to identify and surface the most relevant file from your stored documents.
- Document Classification: When enabled by the user, AIVO DocAI uses machine learning techniques to automatically assign categories to your uploaded documents (e.g., "utility bill", "identity proof", "property document"). This helps improve the accuracy and speed of future searches.
- Document Summarisation: Upon user request and explicit opt-in, the App may summarise the contents of lengthy documents using AI summarisation tools. This feature is purely optional and under user control.
No AI/ML processing occurs without your knowledge or consent. You can toggle AI summarisation or classification features on or off at any time through your account settings.
7.2 User Consent and Controls
AIVO ensures that AI functionality involving classification and summarisation is only activated when you have explicitly opted in. By default, these features are disabled for new users. Users can:
- Enable or disable AI-powered features via in-app settings
- Revoke previously granted consent at any time
- Access logs or summaries generated by the AI (where available)
We do not use AI to make decisions that produce legal or similarly significant effects for users (as defined under Article 22 of GDPR).
7.3 Data Inputs and Outputs
All inputs used by the AI engine (such as documents, queries, and metadata) are securely encrypted during processing. Outputs generated by the AI (including classification tags or summaries) are linked only to your private account and are not shared externally or used to train future models.
AIVO maintains strict zero-knowledge processing principles, meaning that no AIVO employee or system has access to the content or AI results associated with your account in an unencrypted, readable format.
7.4 No Profiling or Behavioural Tracking
AIVO DocAI does not use AI to profile users, build behavioural models, or infer personal characteristics for advertising, marketing, or commercial exploitation. We do not conduct automated decision-making based on AI outputs that affect your rights, employment, legal status, or access to credit or benefits.
7.5 Data Minimisation and Privacy by Design
All AI features have been developed with a privacy-by-design approach, ensuring:
- Minimal data retention (only what is required to support functionality)
- Clear data lifecycle controls (automatic deletion of cached results)
- End-to-end encryption of user inputs and outputs
- Localised inference wherever possible to reduce cloud dependency
We do not use your personal data or documents to train or improve global AI models, and all processing is session-specific and confined to your account environment.
7.6 AI Model Transparency and Auditability
To ensure accountability, we maintain technical logs and audit trails of AI interactions where necessary. This includes:
- Timestamped queries
- Processing status (success/failure)
- AI version used
These logs do not contain content or documents themselves and are retained only for security and debugging purposes.
8. Access Permissions
The App may request the following permissions on your device:
- Camera and File Access: To scan/upload documents. All data is encrypted before transmission.
- Biometrics/Face ID: Optional login mechanism for added security.
- Contacts: Used only for in-app functionalities and not stored on our servers.
- Location: Not collected or tracked by AIVO.
- Google Calendar Access: Required only if you choose to enable calendar synchronization. Access is managed through Google OAuth, limited to the minimum scopes required, and may be revoked anytime via your Google Account settings or within the App.
- WhatsApp Communication: Requires your explicit consent to receive service messages or reminder calls through WhatsApp on your registered number. No promotional or marketing content is sent without separate consent.
9. Data Retention Policy
- All stored documents and user data remain in your control.
- You may delete any document at any time from within the App.
- Upon account deletion, your data is deleted within 7 calendar days, except:
  - Basic user details (email/phone) retained for up to 1 year to prevent impersonation or repeated fraud attempts.
  - Financial records retained as per applicable laws.
- Formal confirmation of deletion will be sent post-completion.
- Calendar and communication logs generated for reminder purposes are retained only as long as necessary to deliver or verify the notification and are automatically purged within 30 days.
- WhatsApp reminder messages and call metadata are not stored beyond this period, except where legally required for audit or dispute resolution.
10. Data Security
At AIVO, we recognize that safeguarding your personal and sensitive data is not just a compliance obligation, but a core responsibility that underpins your trust in us. Accordingly, AIVO DocAI has been architected with security-by-design and zero-trust principles to ensure your data remains private, secure, and fully under your control at all times.
10.1 Technical and Organizational Security Measures
We implement a layered security framework combining state-of-the-art technologies, strict access controls, and rigorous internal policies, including but not limited to the following measures:
- End-to-End Encryption: All documents uploaded through the App are encrypted locally on your device before being transmitted. During transit, data is protected via TLS 1.3 protocols. Once received, it is stored using AES-256 encryption at rest within AIVO’s secure infrastructure.
- Zero-Knowledge Architecture: Our systems are designed so that neither AIVO nor any of its employees or contractors can view your documents, content, encryption keys, or passwords in a readable format. You are the sole party with access to decrypt and manage your data.
- Biometric Access: Where enabled by the user, biometric authentication (e.g., Face ID or fingerprint) is implemented at the device level and is never transmitted to or stored on AIVO servers.
- Strict Access Controls: Access to backend systems is strictly limited to authorized personnel on a need-to-know basis, enforced through multi-factor authentication (MFA), role-based access, and monitored activity logs.
- File Integrity Monitoring: All stored documents are protected against tampering, unauthorized modification, or deletion through cryptographic file integrity checks and tamper detection systems.
- Regular Penetration Testing: Our infrastructure is subjected to independent third-party penetration testing and vulnerability assessments to detect and remediate security threats on a proactive basis.
- Cloud Security Controls: All servers are hosted with GDPR-compliant cloud providers, who themselves undergo regular compliance and security audits. Data centers are ISO/IEC 27001, SOC 2, and PCI DSS certified.
Technical Measures
Communications transmitted through WhatsApp Business or authorized API providers are end-to-end encrypted during delivery. Reminder call triggers are handled through secure APIs; no call content is recorded or stored.
Tokens or credentials obtained via Google OAuth for Calendar integration are encrypted and stored separately from user content. AIVO cannot access your Google account credentials or view personal calendar events except as required for the authorized synchronization.
10.2 Internal Security Protocols
- Employee Confidentiality and Training: All employees handling infrastructure or support operations undergo background checks and are bound by confidentiality agreements. Ongoing training is provided on data protection, cybersecurity, and incident response.
- Data Minimisation and Anonymisation: We collect only the data strictly necessary for stated purposes. Wherever possible, we implement pseudonymisation or anonymisation to reduce the risk profile of data stored.
- System Monitoring and Audit Trails: We maintain comprehensive audit logs of all system activities, access events, and AI processing operations. Logs are reviewed regularly and stored in immutable formats for accountability.
10.3 User Responsibility
While we are committed to protecting your data, security is a shared responsibility. We encourage you to:
- Use strong, unique passwords and enable biometric lock where possible
- Avoid sharing your login credentials with others
- Regularly update your device software to reduce vulnerabilities

You are responsible for ensuring that your WhatsApp account and linked Google account remain secure. If you no longer wish to receive WhatsApp reminders or calendar sync notifications, please disable these features in the App or revoke the integration directly from your Google Account or WhatsApp settings.
In case of suspected unauthorized access or a potential breach of your account, please report it immediately to security@AIVO
10.4 Incident Response and Breach Notification
Despite our best efforts, if we detect a data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify you without undue delay, including details of the breach and recommended protective steps
- Report the incident to the relevant supervisory authority (within 72 hours where required by GDPR)
- Take prompt remedial actions to contain and mitigate the impact of the breach
All such incidents are managed under our formally documented Information Security Incident Response Policy.
11. Sharing of Data
We do not sell or rent your personal data. However, limited information may be shared with trusted third-party service providers, including Google LLC (for calendar synchronization) and Meta Platforms Inc. or its authorized WhatsApp Business API partners (for delivery of messages and reminder calls). Such sharing occurs only to the extent necessary to provide these optional integrations and is governed by strict data-processing agreements and encryption safeguards.
Only in the following circumstances may limited data be disclosed:
- To comply with legal obligations or court orders
- To enforce our Terms of Use or prevent fraud
- To process payments via GDPR-compliant third-party billing gateways, limited to payment-specific information
12. International Data Transfers
At present, our services are primarily intended for users within India, and all personal data is stored and processed on servers located in India, subject to the requirements of applicable Indian laws, including the Digital Personal Data Protection Act, 2023.
In the event that, in the future, personal data is transferred or accessed outside India, AIVO shall ensure that such transfers are carried out in compliance with applicable data protection laws and are subject to appropriate contractual, technical, and organizational safeguards to protect the rights and interests of users. Where required under applicable law (such as the European Union’s General Data Protection Regulation), AIVO will implement recognized transfer mechanisms (for example, standard contractual clauses or equivalent safeguards) to ensure that users’ data continues to receive an adequate level of protection.
In cases where integrations involve third-party cloud providers such as Google or Meta (WhatsApp), data may be processed on their infrastructure, which may operate servers in multiple jurisdictions. AIVO ensures that such transfers comply with the Digital Personal Data Protection Act 2023 and, where applicable, international standards such as the GDPR, through contractual safeguards and technical controls.
13. Your Rights
As a user of AIVO DocAI, you have the right to exercise meaningful control over your personal data. You may request access to the information we hold about you, seek correction of any inaccurate or outdated details, or ask us to delete your data where applicable. You also have the right to object to or restrict certain types of data processing, including processing for automated decision-making or profiling, unless such processing is necessary for the provision of our services. Where we rely on your consent to process specific categories of data, such as sensitive personal data or for AI-based classification and summarisation, you may withdraw that consent at any time without affecting the lawfulness of prior processing. You may also request that your data be transferred to another service provider, subject to technical feasibility.
If you wish to exercise any of these rights, or if you have concerns about how your data is being handled, please contact our Data Protection Officer at support@mysmartassistant.ai. We aim to respond to such requests within a reasonable timeframe and in accordance with applicable legal requirements. If you are located in a region that provides additional statutory rights or remedies in relation to data protection, we will honour such rights as required under local law. We are committed to resolving all concerns fairly and transparently and encourage you to contact us before approaching a data protection authority.
You may withdraw consent for Google Calendar integration or WhatsApp communications at any time. Upon revocation, AIVO will disable synchronization and cease sending messages or calls immediately.
14. Analytics and Cookies
We use cookies and third-party analytics tools only on our website, not in the App, to:
- Improve website performance and usability
- Understand visitor patterns and site usage
- Provide customer support tools
All analytics data is anonymized and never linked to personal user profiles.
15. Data Relating to Children
Our Services are not directed to or intended for children under 16 years of age. We do not knowingly collect personal data from minors. If we become aware that data has been inadvertently collected from a child, we will delete it immediately.
16. Data Breach Notification
In the unlikely event of a data breach that may pose a risk to your rights or freedoms, AIVO will:
- Notify the affected users without undue delay
- Inform relevant regulatory authorities within the statutory timelines
- Take all necessary remedial measures to contain and resolve the breach
In the unlikely event of a data breach that may affect your rights or freedoms, we will inform you and the relevant supervisory authority in accordance with applicable data protection laws.
17. Updates to this Privacy Policy
We may update this Policy to reflect changes in technology, law, or service enhancements. When we do, we will:
- Notify you through in-app alerts or email (if material changes are made)
- Update the “Effective Date” and “Last Updated” dates at the top
In particular, any future introduction of new integrations (such as messaging or scheduling tools) will be notified through in-app communication prior to activation, and users will have the option to opt in before any data exchange occurs. Your continued use of our Services after such updates signifies your acceptance of the revised Policy.
18. Contact Information
For any questions, concerns, or to exercise your rights, please contact:
AIVO Technologies Private Limited
Attn: Data Protection Officer (DPO)
Email: support@mysmartassistant.ai