AEGIBIT
DPDP Act 2023 Notice · India

Your rights as a Data Principal under Indian law.

Last updated: 2026-05-10 · v1.0

What this notice is

AEGIBIT is an Indian software company. India's Digital Personal Data Protection Act 2023 (the "DPDP Act") governs how we collect and process the personal data of individuals located in India.

Under the DPDP Act, AEGIBIT is the Data Fiduciary and you — the visitor, the lead, the customer — are the Data Principal. This page describes what data we process, why, and how you exercise the rights the Act gives you.

Our general (non-jurisdictional) privacy policy is at /privacy. Where the DPDP Act and the general policy differ, the language here is authoritative for Indian data principals.

What we collect from you (lawful basis)

We process your personal data only with your consent — given when you submit a form, send a chat message, or download a product — and only for the specific purpose you submitted it for. Under the DPDP Act, this is the "consent" ground (§4).

  • Form submissions — email, name, company, phone (when you provide them) are processed to respond to the inquiry you submitted.
  • Chat with Aira — your message text is sent to the Groq LLM service so the bot can reply. If you provide your email in chat, it goes into the lead pipeline the same as a form submission.
  • Engagement signals — pages visited, time on site, scroll depth, anonymized IP-derived country. Used in aggregate to improve the site; never sold; never used to target you individually.
  • Free product downloads — when you download MCP Shield from GitHub or Aira from this site, AEGIBIT itself does not collect any personal data tied to that download (GitHub may; the Aira free Windows installer is local-first and does not phone home).

We do not process "sensitive personal data" as defined under emerging DPDP Rules (e.g. financial information, health, biometric, caste, religion) on public pages. PayMint as a paid product processes certain financial data; that is governed by the MSA and a separate Data Processing Agreement signed at customer onboarding.

Your rights as a Data Principal

The DPDP Act gives you the following rights against AEGIBIT as Data Fiduciary. To exercise any of them, email contact@aegibit.com with subject "DPDP - Rights Request." We respond within 14 days.

  • Right to access information (§11) — request a summary of the personal data we hold about you and the identities of any Data Processors we've shared it with.
  • Right to correction and erasure (§12) — ask us to correct anything inaccurate or to delete your data entirely. We will comply unless we are legally required to retain (e.g. tax records under the Income Tax Act).
  • Right to nominate (§13) — designate another person to exercise these rights on your behalf in the event of your death or incapacity. Email us the nomination details.
  • Right of grievance redressal (§14) — if you're unsatisfied with how we've handled a request, you can escalate to the Data Protection Board of India (see below).
  • Right to withdraw consent — at any point. The processing that already happened under your previous consent remains lawful, but we stop further processing once you withdraw.

Cross-border data transfer

Some of our sub-processors are located outside India (Vercel in the USA, Resend in the USA, Groq in the USA, Supabase in Singapore — see /privacy for the full list). The DPDP Act permits cross-border transfer to any country except those the Central Government specifically restricts. As of this notice's last updated date, no relevant restriction list is in force under §16 of the DPDP Act.

We chose sub-processor regions to minimize unnecessary cross-border movement: Supabase Singapore is the closest available region; Upstash Redis runs in Mumbai (ap-south-1).

Retention and deletion

We retain personal data only as long as needed for the purpose it was collected, plus any period required by other Indian law (e.g. tax records, accounting records). The category-by-category retention schedule is in the privacy policy at /privacy.

When you exercise the right to erasure under §12, we delete your personal data from our active systems within 30 days. Sub-processor deletion may take additional time depending on their published deletion SLAs (typically 30–90 days). Backups containing your data are deleted on the next scheduled backup rotation.

Data breach notification

In the event of a personal data breach affecting you, the DPDP Act requires AEGIBIT to notify both the Data Protection Board of India and the affected data principals. We will do so promptly after becoming aware of the breach, including a description of what happened, what data was affected, the likely consequences, and the steps AEGIBIT has taken to mitigate.

Our internal target is notification within 72 hours of awareness, in line with comparable global frameworks (GDPR Article 33). The exact statutory timeline under the DPDP Rules will be respected once finalized.

Grievance redressal — Data Protection Board of India

If we have not resolved your concern to your satisfaction, you have the right to file a complaint with the Data Protection Board of India. The Board is the designated regulator under §18 of the DPDP Act.

At the time of this notice, the Board's public contact channels are being established. Until they publish a direct grievance portal, the Ministry of Electronics and Information Technology (MeitY) is the relevant escalation route. We will update this paragraph with the Board's direct contact details as soon as they publish them.

Our Data Protection contact

AEGIBIT is below the "Significant Data Fiduciary" threshold under §10 of the DPDP Act and is not required to appoint a Data Protection Officer at this stage. The AEGIBIT team handles all DPDP requests through contact@aegibit.com.

If AEGIBIT crosses the threshold in the future, we will appoint a DPO and update this notice with their direct contact information.

Children

The DPDP Act (§9) prohibits processing personal data of children (under 18) except for limited specified purposes, and requires verifiable parental consent where it is processed. AEGIBIT's products are operational software for businesses; we do not knowingly process data of anyone under 18 through www.aegibit.com. If you believe a child has submitted data, email contact@aegibit.com and we will delete it immediately.

Updates to this notice

When we change this notice materially, we update the "Last updated" date at the top. The diff is public on github.com/AegibitSecurity/aegibit-website. Existing data principals with an active account or correspondence on file receive direct notice.

Not legal advice

This notice is written by the AEGIBIT team in plain English before formal counsel review. The DPDP Rules under the Act are still being notified by the Indian government and the operational specifics may tighten as those Rules come into force. AEGIBIT will engage external Indian counsel to review this notice before our first enterprise customer contract; the text may tighten further and the change history will be visible in the public git log. For specific legal questions about how the DPDP Act applies to your situation, consult your own counsel.

Companion documents

  • /privacy — general (multi-jurisdictional) privacy policy.
  • /terms — terms of service.
  • /security — technical security posture.