Privacy & Data Governance Policy

1. Corporate Information

Knowlance AI Private Limited
Registered Operational Entity: India
Corporate Identification Number (CIN): U62091AP2025PTC122282

This Privacy & Data Governance Policy ("Policy") governs the collection, processing, and protection of personal and corporate data by Knowlance AI Private Limited ("we," "us," or "our"). As a provider of enterprise AI engineering, deployment, and architecture services, we treat data security and confidentiality as foundational infrastructure, not optional compliance.

Direct Contact & Grievance Routing: contact@knowlanceai.com

2. B2B Scope & Processing Application

This Policy specifically applies to:

• Corporate clients engaging us for AI system engineering and deployment ("Clients").
• Authorized end-users accessing managed project workspaces, API endpoints, or deployed AI infrastructure ("Authorized Users").
• Prospective enterprise partners initiating technical or commercial inquiries.
• Visitors utilizing our public digital footprint.

Note: Where we act strictly as a Data Processor under a Master Service Agreement (MSA) or Statement of Work (SOW), the explicit terms of that contract's Data Processing Addendum (DPA) shall supersede this generalized policy.

3. Data Acquisition Matrix

A. Client & Procurement Data

• Corporate identity (Name, title, organization, procurement details).
• Contact coordinates (Primary email, secondary routing, operational phone networks).
• Technical specifications, system architecture logs, and project parameters voluntarily disclosed during Discovery or Blueprint phases.

B. Authentication & System Telemetry

• Identity verification hashes (e.g., OTP-enabled professional email addresses).
• OAuth 2.0 provisioning tokens (e.g., Enterprise Google Sign-in vectors).
• Cryptographic session footprints mapping to authorized client workspaces.

C. AI Interaction & Inference Payloads

• Real-time telemetry regarding the execution latency and volume of deployed AI agents.
• System state metrics required for uptime monitoring (99.9% SLA enforcement).
• Critical Distinction: We distinguish absolutely between "System Telemetry" (used to keep the application running) and "Client PII/Proprietary Data" (which passes through isolated pipelines).

4. The "No Foundational Training" Guarantee

5. Legal Basis for Global Processing (GDPR / CCPA)

We process corporate and personal data strictly anchored to the following lawful architecture:

• I. Contractual Necessity: The execution of Master Service Agreements (MSAs), SOWs, and the provisioning of contracted AI workflows.
• II. Legitimate Enterprise Interest: Maintaining strict Zero-Trust security postures, threat surveillance, and engineering optimization.
• III. Compliance Obligations: Adherence to global operational, tax, and cyber-reporting statutes.

6. Authorized Sub-Processors & Data Sharing

We do not sell, rent, or lease corporate data. We utilize elite, globally compliant third-party sub-processors solely to facilitate isolated engineering environments. All sub-processors are bound by stringent Data Processing Agreements (DPAs) barring secondary data usage:

7. Enterprise Security Posture

Knowlance AI architects security from the ground up, aligning with SOC2 and ISO27001 operational frameworks:

• Data in Transit: Cryptographically secured via TLS 1.3/HTTPS.
• Data at Rest: Encrypted using AES-256 block ciphers via our cloud partners.
• Access Governance: Granular, role-based access controls (RBAC) and mandatory Multi-Factor Authentication (MFA) across all internal operational nodes.
• Isolation Protocols: Dedicated cloud tenants and logical database separation preventing cross-client data contamination.

8. Cryptographic Retention & Destruction

We retain project payload data only for the terminal lifecycle of your active Master Service Agreement. Upon contract conclusion, or at explicit client request, all proprietary datasets, vector embeddings, and PII are subjected to cryptographic erasure within a standard 30-day window, except where residual logs must be maintained to fulfill legal/tax compliance.

9. Cross-Border Sovereign Data Flow

As a globally operating entity headquartered in India, data routing may occur across international zones. We strictly adhere to Standard Contractual Clauses (SCCs) for the transit of EU/UK data, ensuring parity with GDPR strictures regardless of the host server’s geographical origin.

10. Your Rights & The Grievance Officer

Governed by the Indian Digital Personal Data Protection (DPDP) Act 2023, augmented by GDPR and CCPA considerations for global clients, you retain ultimate sovereignty over your provided data:

• Right to Extraction: Request structured, machine-readable exports of provided data.
• Right to Erasure: Mandate the "Right to be Forgotten" across our operational pipeline.
• Right to Restriction: Temporarily halt processing during disputes.