Privacy Policy
How we collect, use, and protect personal data — in plain language, aligned with India's Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. We keep collection minimal and process only what's needed to run and improve our services.
About this policy & who we are
This Privacy Policy explains how ZeroOne AI Ventures Private Limited ("ZeroOne", "we", "us", "our") handles personal data. ZeroOne is an AI implementation partner for Indian MSMEs, operating under the principle "Own Your AI. Don't Rent It."
It applies to our website at dotsai.in, our products, and our consulting, implementation and support services. It describes the personal data we collect as a business in our own right — for example, from website visitors, prospective clients, and people who contact us.
It does not by itself govern the business data we process on behalf of a client while building or running AI for them — that is governed by our agreement with that client. Section 03 explains this distinction.
Key definitions
We use the terms defined in the DPDP Act, 2023. The most important ones:
- Personal Data — any data about an individual who is identifiable by or in relation to that data.
- Data Principal — the individual the data relates to (i.e. you); for a child, this includes the parent or lawful guardian.
- Data Fiduciary — the entity deciding the purpose and means of processing. ZeroOne is a Fiduciary for the data in this policy.
- Data Processor — an entity processing data on behalf of a Fiduciary. ZeroOne is a Processor for our clients' data (Section 03).
- Consent — your free, specific, informed, unconditional and unambiguous agreement, by clear affirmative action, to a stated purpose.
- DPB / Board — the Data Protection Board of India, which oversees and enforces the DPDP Act.
Our two roles: Fiduciary & Processor
Because we build AI on your own data, inside your own tools, it matters which "hat" we wear when handling data. We operate in both roles the DPDP Act recognises:
When you visit our site, fill a form, request a demo, or contact support, we decide why and how that data is used. This policy applies in full.
When we build or run AI for you, we process the data you entrust to us strictly on your instructions. You remain the Fiduciary and owner; we're the Processor, bound by our agreement.
Your data, and the custom models trained on it, belong to you. We don't use a client's business data to train shared or foundation models, or repurpose it for our own benefit. That's what "Own Your AI. Don't Rent It." means in practice.
Information we collect
We aim to collect the minimum needed for each purpose. As a Fiduciary we may collect:
Information you give us
- Contact & identity — name, business email, phone, company, role, city.
- Enquiry & engagement — what you tell us in demo requests, proposals, tickets, calls and emails.
- Account details — login identifiers and settings, if you hold a product account.
- Billing details — information to raise invoices and process payments (card data is handled by payment providers, not stored by us).
Information we collect automatically
- Device & usage — IP address, browser/device type, pages viewed, referrers, timestamps.
- Cookies & similar technologies — to keep the site working and understand usage (Section 07).
- Logs — security and diagnostic logs that keep services reliable and safe.
We don't seek special-category or sensitive personal data through our website, and ask you not to send it unless a service specifically requires it.
How and why we use it
We process personal data on the basis of your consent or a recognised legitimate use (such as responding to a request you make). Where we rely on consent, we state the purpose at collection, and you can withdraw it anytime — as easily as you gave it (Section 12). We use data to:
- Respond to enquiries, demos and proposals, and provide the services you ask for.
- Set up and operate your account, deliver implementations, and provide support.
- Raise invoices, process payments, and keep required business records.
- Maintain, secure, troubleshoot and improve our website and products.
- Send service updates and — only where permitted — relevant product information you can opt out of.
- Meet legal, tax and regulatory obligations, and protect our rights and users' safety.
Your business data & custom AI models
This applies when we act as your Processor — building or running AI on data you provide.
- You own your data. Business data you share stays yours; we hold it on your behalf and process it only to deliver the agreed services.
- You own your models. Custom models and workflows built on your data are yours under our engagement. Wherever feasible, we deploy them inside your own environment.
- We don't train shared models on your data. It's never used for other clients, or any general-purpose model, without your explicit instruction.
- We follow your instructions. We act on documented instructions, keep your data confidential, apply safeguards, and help you meet your own obligations.
- Return & deletion. At the end of an engagement we return or delete your data as agreed, subject to records we must keep by law.
Cookies & analytics
- Essential cookies keep the website functioning and secure.
- Analytics cookies help us understand usage so we can improve — they run only where you allow them.
You can control cookies through your browser and, where shown, our cookie controls. Blocking some may affect how parts of the site work.
How we share information
We do not sell your personal data. We share only as needed to run our services and meet obligations:
- Service providers (sub-processors) — vetted vendors for hosting, communications, analytics and payments, under contracts requiring security and breach-notification terms.
- Professional advisers — auditors, lawyers and accountants where reasonably required.
- Legal & safety — where required by law or to protect the rights, property or safety of ZeroOne, our users or the public.
- Business transfers — in a merger, acquisition or restructuring, subject to this policy.
International data transfers
We process and store data in India where practical. Some providers may process data abroad. The DPDP Act permits transfers except to countries the Government may restrict by notification. Where we transfer internationally, we use contractual safeguards to protect it consistently with this policy, and adjust as Government notifications change.
Data security
We apply reasonable technical and organisational safeguards — access controls, encryption in transit, segregation of client environments, logging and least-privilege access. No system is perfectly secure, but we work to reduce risk and respond quickly to issues.
If a personal data breach occurs, we act in line with the DPDP Rules — notifying the Board and affected individuals without undue delay, and reporting to the Board within the prescribed timeframe.
Data retention
We keep personal data only as long as needed for its purpose, or as required by law (e.g. tax and company records). When no longer needed and not legally required, we delete or anonymise it. For client business data we process as a Processor, retention follows the relevant service agreement.
Your rights as a Data Principal
Subject to the DPDP Act and applicable law, you have the right to:
- Access a summary of the data we hold about you and how we process it.
- Correct, complete or update inaccurate or incomplete data.
- Erasure where data is no longer needed and not legally required.
- Withdraw consent anytime, as easily as you gave it (not affecting prior lawful processing).
- Grievance redressal — raise a complaint and receive a response (Section 14).
- Nominate another person to exercise your rights in the event of death or incapacity.
To exercise a right, contact us (Section 14). We may verify your identity first, and will respond within a reasonable period. You may also complain to the Data Protection Board of India.
Children's data
Our website and services are intended for businesses and adults, and are not directed to children (under 18). We don't knowingly collect children's data. Where processing a child's data is required, we obtain verifiable parental or guardian consent, and we won't track, behaviourally monitor, or target advertising at children. If you believe a child has given us data, contact us and we'll delete it.
Grievance redressal & contact
For any question, request or complaint about your data or this policy, reach our Grievance Officer:
We aim to acknowledge grievances promptly and resolve them within the timelines required under the DPDP Rules. If unsatisfied, you may escalate to the Data Protection Board of India.
Changes to this policy
We may update this policy as our services, technology or the law evolve — including as the phased provisions of the DPDP Act and Rules come into force. For material changes we'll update the "Last updated" date and, where appropriate, notify you. Please review this page periodically.
For any privacy matter, write to hello@dotsai.in. We're glad to help.