Privacy Policy — VedaX Studio

1. Overview & Scope

This Privacy Policy applies to all individuals who interact with VedaX Studio's platform, website (vedaxstudio.com), APIs, and related products or services (collectively, the "Service"), regardless of location. It is incorporated by reference into our Terms of Service.

VedaX Studio complies with the following data protection frameworks to the extent applicable: India's Digital Personal Data Protection Act 2023 (DPDP), the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act / CPRA, India's IT (SPDI) Rules 2011, Singapore/Thailand PDPA, Brazil's LGPD, and Canada's PIPEDA.

2. Who Controls Your Data

Account data: VedaX Studio is the Data Controller (Data Fiduciary under Indian law) for personal information you provide when creating an account, contacting support, or interacting with our marketing.

User data: For data you import from your own systems (databases, Google Sheets, Shopify), VedaX Studio acts as a Data Processor on your behalf. You remain the Data Controller for that data. Enterprise customers may request a formal Data Processing Agreement (DPA) at dpo@vedaxstudio.com.

3. Data We Collect

3.1 Account & Registration Data

Full name and email address.
Encrypted password (bcrypt hashing; we never store plaintext passwords).
Google account information (if you use Google OAuth) — name, email, and profile picture.
Organization name and role (for team accounts).
Billing information — card details are handled directly by PCI-DSS-compliant processors (Stripe / Razorpay) and never stored on our servers.

3.2 User-Uploaded / Connected Data

Data from connected databases (PostgreSQL, MySQL, MongoDB): schema metadata and query results you request.
Google Sheets content: spreadsheet data from sheets you explicitly authorize (read-only).
Shopify store data: orders, products, customers, and inventory synced via your authorized OAuth connection.
Stripe / Razorpay transaction data, CSV / Excel uploads, and custom API responses you configure.

Sensitive Data Caution: The platform is not designed for regulated sensitive data (health records, financial account numbers, government IDs, biometrics) without a custom Enterprise agreement. You are responsible for ensuring your inputs comply with applicable laws.

3.3 Usage & Analytics Data

We automatically collect log data (IP, browser, pages, timestamps), device data, feature usage (aggregated), error/performance data, and referral data — for security, debugging, product improvement, and reliability.

3.4 Data We Do NOT Collect

Payment card numbers (handled entirely by Stripe/Razorpay).
Government identification numbers unless explicitly provided in your own User Data.
Biometric data or sensitive health/medical information.
Information from individuals under 13 years of age.

4. How We Use Your Data

We process personal information only with a lawful basis (contract performance, legitimate interests, consent, or legal obligation). We use data to authenticate users, connect to authorized data sources and run queries on your behalf, generate AI insights and reports, send transactional emails, provide support, improve the platform, and ensure security and legal compliance.

We Do NOT: sell, rent, or trade your personal information; profile you for unrelated purposes; or share your data with advertisers or ad networks.

5. Data Sharing & Disclosure

We share data only with vetted sub-processors acting on our behalf, all bound by data processing agreements:

Sub-processor	Purpose	Data Shared
Stripe / Razorpay	Payment processing	Billing name, email, address
MongoDB Atlas	Database hosting	Account & metadata
OpenAI / Google AI	AI inference	Query context (anonymized)
Sendgrid / SES	Transactional email	Name, email address
Cloudflare	CDN, DDoS protection	IP address, request metadata
Sentry	Error monitoring	Stack traces, error context

We may also disclose information where required by law (court orders, subpoenas, lawful government requests) or in a business transfer (merger, acquisition), with prior notice where required.

We Do NOT Sell Data. VedaX Studio has never sold and does not sell or share personal information for cross-contextual advertising. This applies globally, including under CCPA, DPDP, and GDPR.

6. Google API Services Disclosure

Google API Services User Data Policy Compliance. VedaX Studio's use and transfer of information received from Google APIs to any other application will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6.1 OAuth Scopes Requested

Scope	Purpose	Access
spreadsheets.readonly	Read spreadsheet data for analysis	Read-only
drive.readonly	List and access spreadsheet files	Read-only
openid, profile, email	Google Sign-In authentication	Identity only

6.2 How We Use Google Data

Data received via Google APIs is used exclusively to import and display your spreadsheet data within your account, run analytics queries you instruct, and generate dashboards, charts, and AI insights you request.

6.3 Limited Use — What We Will NOT Do

We will not use Google user data for serving advertisements.
We will not transfer Google user data to third parties for advertising purposes.
We will not allow humans to read your Google data unless you explicitly request support assistance and grant temporary access, for security, or to comply with law.
We will not use Google user data to build profiles for data brokers.
We will not train AI models on your Google Sheets content.

6.4 Revoking Google Access

You can revoke access at any time via Google Account Permissions or by disconnecting Google Sheets in VedaX Studio Data Sources settings. On revocation, imported Google Sheets data is purged from active systems within 30 days.

7. Cookies & Tracking

We use strictly necessary cookies (authentication, session, CSRF), functional cookies (preferences), and analytics/performance cookies (Google Analytics, Sentry). You can manage cookies through our consent banner, your browser settings, or third-party opt-out tools. We do not deploy third-party advertising or retargeting cookies and do not participate in ad networks.

8. Security Measures

Encryption at rest: AES-256 for stored User Data, backups, and credentials.
Encryption in transit: TLS 1.3, HSTS enforced.
Data isolation: per-user DuckDB instances; strict multi-tenant separation.
Access control: RBAC, MFA support, JWT sessions, OAuth 2.0.
Monitoring: anomaly/intrusion detection and security monitoring.

In the event of a personal data breach posing risk to your rights, we will notify relevant authorities and affected users without undue delay (within statutory timeframes), with clear information about the breach and mitigation steps.

9. Data Retention

Data Category	Retention Period
Account information	Account duration + 90 days after deletion
User Data (imported)	Active account; deleted within 30 days of closure
Billing & transaction records	7 years (tax law compliance)
Audit & activity logs	2 years
Anonymized usage analytics	Indefinite (non-personal)

You may request deletion at any time via the "Delete Account" option in Settings or by emailing privacy@vedaxstudio.com. We process deletion within 30 days, subject to legal retention requirements.

10. International Data Transfers

VedaX Studio operates globally; your data may be stored and processed in countries other than where you reside, including the United States and India. For EEA/UK transfers we use Standard Contractual Clauses (SCCs). Indian user data transfers comply with the DPDP Act 2023. Primary infrastructure is hosted in US-East-1 and AP-South-1 (Mumbai) regions.

11. Your Privacy Rights

Regardless of jurisdiction, you have the right to access, rectify, erase, and port your data; to restrict or object to processing; to withdraw consent; and to lodge a grievance. To exercise any right, email privacy@vedaxstudio.com. We verify your identity and respond within the timeframes required by law (generally 30 days). We will not discriminate against you for exercising these rights.

Region-specific rights apply under the CCPA/CPRA (California), the DPDP Act 2023 (India), and the GDPR (EEA/UK), including the right to lodge a complaint with your local supervisory authority.

12. AI Features & Privacy

VedaX Studio's AI features process your User Data in real-time within your isolated account environment. When third-party LLM providers (e.g., OpenAI, Google AI) are used, only the minimum necessary context is transmitted, subject to API data-handling policies that prohibit training on API inputs. We do not train, fine-tune, or improve any AI or machine-learning model using your User Data, your Google user data, or your Google Sheets content — ever. Any product analytics we use to improve the Service rely solely on aggregated, de-identified usage signals (such as which features are clicked) and never include Google user data or any data you connect. You may opt out of de-identified product analytics anytime via Settings → Account → AI Training Preferences or by emailing privacy@vedaxstudio.com.

13. Children's Privacy

The Service is not directed to, and we do not knowingly collect personal information from, individuals under 13 (or under 16 in the EEA/UK). If we discover such data, we will terminate the account and delete the data. Report concerns to privacy@vedaxstudio.com.

14. Policy Changes

We may update this Privacy Policy periodically. For material changes, we will email your registered address at least 30 days before the change takes effect and display a prominent notice within the platform. Continued use after the effective date constitutes acceptance.

15. Contact & Grievance

Purpose	Email
General privacy inquiries	privacy@vedaxstudio.com
DPO (GDPR — EEA/UK)	dpo@vedaxstudio.com
Legal & compliance	legal@vedaxstudio.com
Customer support	support@vedaxstudio.com

Grievance Officer (India — DPDP Act / IT Act): Himanshu Yadav — VedaX Studio. Contact privacy@vedaxstudio.com. Acknowledgement within 24 hours; resolution within 30 days as mandated by the DPDP Act, 2023.