Privacy Policy

This Privacy Policy (“Policy”) is published by Aveoearth Impact Private Limited, a company incorporated under the Companies Act, 2013, bearing Corporate Identification Number (CIN): [●], having its registered office at [●], New Delhi, India (“Company”, “we”, “us”, or “our”), operating under the trade name AveoStack.

“AveoStack” is a trade name only and does not have independent legal status. All data processing described in this Policy is undertaken solely by Aveoearth Impact Private Limited.

This Policy is issued in compliance with:

• The Digital Personal Data Protection Act, 2023 (“DPDP Act”)
• Rules and regulations notified under the DPDP Act
• The Information Technology Act, 2000
• The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
• Where applicable, the GDPR and CCPA/CPRA

By accessing or using our Services, you acknowledge that you have read and understood this Policy.

This Policy applies to:

• Website visitors
• Prospective and existing clients
• End users whose data we process under client instructions
• Vendors, contractors, and job applicants

Where we process personal data strictly under a Data Processing Agreement (“DPA”), the DPA shall prevail in case of conflict.

Depending on context, we may act as:

3.1 Data Fiduciary / Controller

Where we determine the purpose and means of processing.

3.2 Data Processor / Service Provider

Where we process personal data strictly on documented instructions of a client.

Rights and obligations vary depending on our role under applicable law.

At or before the time of collection, we provide notice specifying:

• Categories of personal data collected
• Purposes of processing
• Lawful basis
• Your rights
• Grievance mechanism

Where consent is required, it is:

• Free
• Specific
• Informed
• Unambiguous
• Provided by clear affirmative action

Consent is not bundled beyond what is reasonably necessary for the specified purpose.

5.1 Data You Provide

Includes:

• Name, email, phone number
• Company and job details
• Billing and invoicing information
• Contractual communications
• Identity verification information where legally required

5.2 Automatically Collected Data

Includes:

• IP address
• Device identifiers
• Browser and operating system details
• Usage logs
• Cookies and similar tracking technologies

5.3 Data Processed Under Client Instructions

Where acting as a processor, personal data is handled solely under DPA terms and documented client instructions.

5.4 Sensitive Data

We do not intentionally collect sensitive personal data unless expressly required and with explicit consent or legal authorization.

We process personal data for:

• Service delivery
• Contract performance
• Billing and financial compliance
• Security and fraud prevention
• Analytics and system improvement
• Marketing communications (with consent where required)
• Legal and regulatory compliance
• Enforcement of agreements

We do not process personal data for purposes incompatible with those disclosed.

Where applicable, processing is based on:

• Consent
• Contract performance
• Legal obligation
• Legitimate interests (subject to documented balancing assessment)
• Other lawful bases permitted by applicable law

Our Services are not directed at individuals under 18 years of age.

Where processing of children's data is legally permitted, verifiable parental consent shall be obtained in accordance with applicable law.

We use:

• Essential cookies (required for functionality)
• Functional cookies (preference-related)
• Analytics cookies (subject to consent where required)

Non-essential cookies are deployed only after obtaining legally required consent.

Users may manage preferences via cookie banner or browser settings.

We may disclose personal data to:

• Service providers and sub-processors
• Professional advisors
• Legal and regulatory authorities
• Business transferees in corporate transactions

We do not sell personal data.

We do not share personal data for cross-context behavioural advertising except where expressly disclosed and legally permitted.

All third parties are bound by contractual confidentiality and data protection obligations.

Where personal data is transferred outside India:

• Transfers are conducted in accordance with applicable law
• We comply with any restricted or notified jurisdictions under the DPDP Act
• Where GDPR applies, appropriate safeguards such as Standard Contractual Clauses may be implemented
• Transfers are assessed for legal necessity, proportionality, and risk

We implement commercially reasonable and industry-standard safeguards, including:

• Encryption in transit and at rest (where appropriate)
• Role-based access controls
• Logging and monitoring
• Security assessments
• Incident response procedures

No method of transmission or storage is completely secure.

Nothing in this Policy guarantees absolute security.

Nothing in this Policy limits liability where such limitation is prohibited by applicable law.

In the event of a personal data breach, we will:

• Promptly investigate
• Implement containment measures
• Notify competent authorities and affected individuals within legally prescribed timelines

Notifications will contain legally required information.

Personal data is retained only for as long as necessary:

• Client account data: duration of contract + 5 years
• Financial records: as required under Indian law (typically up to 8 years)
• Analytics logs: up to 24 months
• Marketing consent records: duration of consent + 3 years
• Job applicant data: 12 months
• DPA data: as defined under applicable DPA

Data is securely deleted, anonymized, or archived after expiration of retention period.

Subject to identity verification and applicable law, you may have the right to:

• Access personal data
• Correct inaccurate data
• Request erasure
• Withdraw consent
• Restrict processing
• Object to processing
• Data portability (where applicable)
• Nominate a representative (DPDP)
• Non-discrimination (where applicable)

We respond within timelines prescribed under applicable law and, where no specific timeline exists, within 30 days unless complexity requires additional time.

Where AI systems are used:

• Outputs may be probabilistic
• Human review is recommended
• Personal data is not used to train AI models without explicit authorization
• No solely automated decisions producing legal or similarly significant effects occur without appropriate safeguards

The Company has designated a Grievance Officer:

We acknowledge grievances promptly and endeavor to resolve them within legally prescribed timelines and, in any event, within 30 days unless complexity requires additional time.

If you are not satisfied, you may approach the Data Protection Board of India or other competent authority.

Where applicable, you may lodge complaints with:

• Data Protection Board of India
• Relevant EU Supervisory Authority
• California Privacy Protection Agency

This Policy does not expand liability beyond that set forth in our Terms of Service or applicable agreements.

In case of conflict with a DPA, the DPA shall prevail.

Nothing in this Policy limits statutory rights or liabilities that cannot be contractually excluded.

We may update this Policy to reflect:

• Legal developments
• Operational changes
• Technological changes

Material changes will be notified appropriately.