Privacy at a Glance
1. Introduction & Scope
PiyAPI Cloud Inc. ("PiyAPI", "we", "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, APIs, SDKs, website, and related services.
This policy is published in compliance with:
- Information Technology Act, 2000 (India), including Section 43A
- IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
- Digital Personal Data Protection Act, 2023 ("DPDP Act")
- Consumer Protection (E-Commerce) Rules, 2020
By using our Services, you consent to the collection and use of your information as described in this policy. If you do not agree, please do not use the Services.
2. Information We Collect
| Category | Data Collected | Purpose | Retention |
|---|---|---|---|
| Account Data | Email address, full name, organization name, password hash | Account creation, authentication, billing, communication | Duration of account + 30 days |
| Billing Data | Plan details, transaction IDs, invoices (card data handled by Razorpay) | Payment processing, tax compliance, fraud prevention | 7 years (tax/legal requirement) |
| Usage Data | API call logs, IP address, browser/device type, request timestamps | Security monitoring, rate limiting, debugging, aggregated analytics | 90 days (logs), indefinite (aggregated) |
| Content Data | Memories, documents, embeddings, metadata you submit | Providing the core service (stored encrypted) | Until you delete or 30 days post-account closure |
What We Do NOT Collect
- We do not store your complete credit/debit card numbers (handled by Razorpay).
- We do not collect biometric data, Aadhaar numbers, or government IDs.
- We do not track you across third-party websites.
3. How We Use Your Information
We use your information strictly for the following purposes:
- Service Delivery: Processing your memories, generating embeddings, executing search queries, and returning context.
- Account Management: Authentication, authorization, API key management, and support.
- Billing: Subscription management, invoicing, and payment processing via Razorpay.
- Security: Detecting abuse, preventing fraud, rate limiting, and protecting service integrity.
- Communication: Service announcements, billing notifications, and support responses (never marketing without consent).
- Improvement: Aggregated, anonymized analytics to improve service performance and reliability. Your individual Content is never used for this purpose.
4. Legal Basis for Processing
We process your data based on the following legal grounds:
- Contract Performance: Processing necessary to deliver the Services you subscribed to (SPDI Rules, Rule 5).
- Consent: Where you have given explicit consent, such as during account registration (SPDI Rules, Rule 5(1)).
- Legal Obligation: Processing necessary to comply with tax, financial reporting, or legal requirements.
- Legitimate Interest: Security monitoring, fraud prevention, and service improvement using only aggregated data.
5. Third-Party Sub-processors
We share data with trusted service providers only as necessary to deliver the Services. Each sub-processor is bound by data processing agreements ensuring adequate data protection.
| Provider | Service | Data Shared | Location |
|---|---|---|---|
| Razorpay | Payment Processing | Email, plan details, payment data | India |
| OpenAI / Azure OpenAI | LLM & Embedding Generation | Content text (for embedding only, no storage by provider) | US / EU |
| Neon | PostgreSQL Database Hosting | All persistent application data (encrypted) | US / EU |
| Vercel | Frontend Hosting & CDN | Static assets, session tokens | Global CDN |
| Railway | Backend Application Hosting | Application runtime, API requests | US |
We will notify you of any material changes to our sub-processor list via email or dashboard notification.
6. Security Measures
We implement industry-standard security practices to protect your data:
Encryption
AES-256 encryption at rest for all stored data. TLS 1.3 for all data in transit. Optional field-level encryption for HIPAA workloads.
Access Control
Role-based access, API key scoping, namespace isolation, and audit logging for all data access.
Infrastructure
Managed cloud infrastructure with automated backups, DDoS protection, and vulnerability scanning.
Compliance
HIPAA-ready infrastructure available for Enterprise customers. PHI detection and access logging are built in.
7. Cookies & Tracking Technologies
We use a minimal set of cookies to operate the Services:
| Cookie Type | Purpose | Duration | Required? |
|---|---|---|---|
| Session | Authentication, CSRF protection | Browser session | Yes (essential) |
| Preferences | Theme (dark/light), language, dashboard layout | 1 year | Yes (functional) |
| Analytics | Aggregated usage patterns (anonymized) | 30 days | No (opt-out available) |
We do not use advertising cookies or tracking pixels. You can manage cookies through your browser settings.
8. Your Rights
Under Indian data protection law and our commitment to transparency, you have the following rights:
- Right to Access: Request a copy of all personal data we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete personal data.
- Right to Deletion: Request deletion of your personal data (subject to legal retention requirements).
- Right to Data Portability: Export all your data via our Export API (GET /api/v1/export/memories) in standard JSON or CSV format.
- Right to Withdraw Consent: Withdraw your consent at any time by deleting your account or contacting us. Note: withdrawal may affect your ability to use the Services.
- Right to Lodge a Complaint: You may file a complaint with our Grievance Officer (see below) or with the relevant data protection authority in India.
To exercise any of these rights, email privacy@piyapi.cloud. We will respond within 30 days.
9. Cross-Border Data Transfers
Your data may be processed in countries outside India where our sub-processors operate (primarily the United States and European Union). We ensure that:
- All cross-border transfers are governed by Data Processing Agreements with adequate safeguards.
- Sub-processors maintain security standards equivalent to or exceeding those required by Indian law.
- Enterprise customers may request India-only data residency where technically feasible.
10. Data Breach Notification
In the event of a confirmed data breach affecting your personal data, we will:
- Notify affected users within 72 hours of confirming the breach.
- Report the breach to relevant authorities as required by applicable law.
- Provide details of the nature of the breach, the data affected, the steps taken, and the actions we recommend you take.
- Offer support to affected users, including complimentary credit monitoring where appropriate.
11. Children's Privacy
PiyAPI is not intended for users under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at privacy@piyapi.cloud, and we will promptly delete such data.
12. Enterprise Data Processing Agreement (DPA)
Enterprise customers requiring a formal Data Processing Agreement can request our standard DPA, which covers: data processing scope, security obligations, sub-processor management, breach notification procedures, and data deletion commitments. The DPA may be incorporated into your Master Services Agreement. To request it, contact enterprise@piyapi.cloud.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email and/or a prominent notice on our Dashboard at least 30 days before they take effect. Continued use of the Services after changes take effect constitutes your acceptance.
Grievance Officer
In accordance with the Information Technology Act, 2000 and the SPDI Rules, 2011, the name and contact details of the designated Grievance Officer are provided below. If you have any concerns or complaints regarding the processing of your personal information, you may contact:
14. Contact Us
PiyAPI Cloud Inc.
Privacy: privacy@piyapi.cloud
Security: security@piyapi.cloud
General: support@piyapi.cloud