Privacy Policy
Contents
1. Who we are 2. What we collect 3. Why we process 4. Where data lives 5. Retention 6. Your rights (DPDP) 7. Security 8. Contact + Grievance1. Who we are
ZyroAI Technologies Pvt Ltd, Bangalore (Karnataka, India), is the data processor for identity verification on behalf of our customers (banks · NBFCs · brokers · fintechs). Your bank / fintech is the data fiduciary; we process under their instructions.
2. What we collect
| Category | When | Source |
|---|---|---|
| ID document image | You upload during KYC | You |
| Selfie · live-capture video | Liveness step | Your camera |
| Voice sample (optional) | Voice biometric step | Your microphone |
| Extracted text (name · DOB · ID #) | Auto-OCR | From your document |
| Mobile · email (optional) | Form input | You |
| Device fingerprint · IP | Service use | Your browser/app |
| Verification result · reason code · LLM rationale | Generated | ZyroAI ML |
3. Why we process
| Purpose | DPDP Section 7 |
|---|---|
| Identity verification for your bank | Consent |
| Fraud · deepfake · sanctions screening | Legitimate use |
| RBI · SEBI · PMLA compliance | Legitimate use |
| Continuous model improvement (opt-in) | Consent · opt-in by tenant |
We do not sell data. We do not use it for advertising.
4. Where data lives
Storage · Mumbai region (asia-south1) · AWS / GCP India. Cross-border · zero personal data leaves India. Encryption · AES-256-GCM at rest · TLS 1.2+ in transit. Access · only your bank (via webhook) and ZyroAI engineers under least-privilege.
5. Retention
| Data | Retention |
|---|---|
| Verification record + audit log | 8 years (PMLA Sec 12(a)) |
| Selfie / document image | 90 days post-verification |
| Live-capture video | 30 days |
| Failed-verification PII | 30 days |
| Anonymized metrics | Indefinite |
6. Your rights under DPDP Act 2023
| Right | How |
|---|---|
| Access | Email dpdp@zyroai.com with verification reference |
| Correction | Same email · officer-mediated |
| Erasure | Same email · within 30 days |
| Withdraw consent | Same email · immediate |
| Grievance | grievance@zyroai.com · 7-day SLA |
| Nominee | Email with nominee details |
7. Security
- AES-256-GCM at rest · per-field PII encryption
- TLS 1.2+ all endpoints
- SHA-256 chained tamper-evident audit log
- Per-tenant API tokens · rate-limited · revocable
- HMAC-SHA256 signed outbound webhooks
- WAF + DDoS shield · India POP
- Quarterly secret rotation
- Annual penetration test (in plan)
Data breach · we will notify affected data principals and the Data Protection Board within 72 hours per DPDP Sec 8(6).
8. Contact + Grievance
Grievance Officer · designated under DPDP Sec 13.
Response SLA · 7 working days. Escalation · Data Protection Board of India.