Privacy Policy

Last updated: April 2026. Policy version: 2.0 (DPDP-compliant)
This Privacy Policy is drafted in compliance with India's Digital Personal Data Protection (DPDP) Act, 2023.

1. Data Fiduciary

ESSENTIAL INTERFACES PRIVATE LIMITED (CIN: U62010PB2025PTC066615), F-539, Phase-8B Sector-74, 3rd Floor, Mohali Tower, Balongi, Rupnagar, S.A.S.Nagar (Mohali), Punjab, India, 160055 ('Company', 'we', 'us') is the Data Fiduciary responsible for your personal data.

Data Protection Officer

Our Data Protection Officer can be reached at dpo@unpod.ai or at the above address. For grievances, contact our Grievance Officer at the same details. Acknowledgment within 48 hours; resolution within 30 days.

2. Personal Data We Collect

We collect the following categories of personal data:
  • Account Data: name, email, phone number, password (hashed) — for providing our service
  • Device Data: device type, model, OS, IP address, timezone — for security and service delivery
  • Communication Data: call recordings, transcripts, chat messages — for service delivery (with consent)
  • Payment Data: transaction IDs, amounts, billing address, GST number — for billing and legal compliance
  • Usage Data: page views, feature usage, session duration — for product improvement (with consent)
  • Contact Data: names, emails, phones of contacts you upload — for CRM features
  • Location Data: latitude, longitude (only when explicitly requested) — for AI agent features (with consent)

3. Lawful Basis for Processing (DPDP Section 4)

We process your data under the following lawful grounds:
  • (a) Your explicit consent, obtained separately for each purpose
  • (b) Performance of a contract to provide our services
  • (c) Compliance with legal obligations (tax, financial regulations)
  • (d) Legitimate interests where they do not override your rights

4. Your Consent (DPDP Sections 6-7)

We obtain your free, specific, informed consent before processing personal data. Consent is collected separately for: service provision, analytics, marketing, third-party sharing, AI processing, call recording, and location data. You may withdraw consent at any time from your account settings — withdrawal is as easy as granting consent. Withdrawing consent does not affect the lawfulness of processing done before withdrawal.

5. Purposes of Processing (DPDP Section 8)

Your data is processed only for stated purposes:
  • (1) Providing and maintaining the platform
  • (2) Account creation and management
  • (3) Processing payments and subscriptions
  • (4) Sending transactional emails (password resets, invoices)
  • (5) Analytics and product improvement (with consent)
  • (6) Marketing communications (with consent)
  • (7) AI agent processing and call handling (with consent)
  • (8) Legal compliance and dispute resolution

6. Data Retention (DPDP Section 8(3))

We retain personal data only as long as necessary.. Specific retention periods:
  • Account dataduration of account + 30 days
  • Call recordings30 days (configurable)
  • Call logs90 days (phone numbers anonymized after)
  • Chat messages90 days
  • Notifications90 days
  • Inactive devices90 days
  • Payment records7 years (RBI compliance)
  • Expired invitations30 days after expiry
  • AI processing data90 days

7. Security Safeguards (DPDP Section 8(5))

We implement the following technical measures:
  • Passwords hashed with Argon2 (industry best)
  • Data encrypted in transit via TLS/HTTPS with HSTS
  • RSA-OAEP 2048-bit encryption for credential transmission
  • HMAC-SHA256 integrity validation
  • Content Security Policy (CSP) with nonce-based protection
  • Two-factor authentication (OTP via email/SMS)
  • Rate limiting on authentication endpoints
  • IP whitelisting for admin access
  • Audit logging of security events
  • Private S3 storage with ACL controls

8. Data Breach Notification (DPDP Section 8(6))

In the event of a personal data breach:
  • We will notify the Data Protection Board of India within 72 hours of becoming aware
  • We will notify affected individuals without unreasonable delay if the breach is likely to result in high risk
  • Notification will include: nature of the breach, data affected, likely consequences, measures taken

9. Children's Data (DPDP Section 9)

Our Service requires verifiable parental consent for users under 18
We do not knowingly collect data from anyone under 18 without verified parental consent
We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children
Analytics and location services are disabled for accounts flagged as belonging to minors
If you believe a child has provided data without consent, contact us immediately

10. Your Rights (DPDP Sections 11-14)

Right to Access (Section 11)

Request a copy of all personal data we hold about you via the Data Export feature in your account settings or by contacting the DPO. We respond within 30 days.

Right to Correction (Section 12)

Update or correct your information anytime via profile settings.

Right to Erasure (Section 12)

Request deletion of your account and all data. A 30-day grace period applies, after which data is permanently erased from all systems (databases, file storage, caches).

Right to Grievance Redressal (Section 13)

Submit a complaint via the Grievances section in your profile. We acknowledge within 48 hours and resolve within 30 days. If unsatisfied, you may escalate to the Data Protection Board of India.

Right to Nominate (Section 14)

Designate a nominee to exercise your data rights on your behalf, particularly in case of death or incapacity. Manage nominees in your profile settings.

11. Cross-Border Data Transfers (DPDP Section 16)

Your data may be transferred to the following countries for processing:
  • United StatesAWS (file storage), Firebase (authentication), OpenAI/Anthropic (AI processing), Deepgram (speech-to-text), LiveKit (voice/video), Mux (video), Cloudinary (images), Microsoft Clarity (analytics, with consent). India — Razorpay (payments), Msg91 (SMS)
We ensure adequate safeguards through Data Processing Agreements with all processors.

12. Third-Party Data Processors

We share data with these processors:
  • AWS (US)file storage, email delivery
  • Firebase/Google (US)authentication, analytics
  • OpenAI (US)AI language processing
  • Anthropic (US)AI language processing
  • Deepgram (US)speech-to-text
  • ElevenLabs (US)text-to-speech
  • Cartesia (US)text-to-speech
  • VAPI (US)voice agent platform
  • LiveKit (US)real-time voice/video
  • Mux (US)video processing
  • Cloudinary (US)image management
  • Razorpay (India)payment processing
  • Msg91 (India)SMS delivery
Data Processing Agreements are in place with all processors.

13. Cookies and Tracking

  • Essential cookies: Session management, CSRF protection, authentication — always active, required for service
  • Analytics cookies: Google Analytics, Microsoft Clarity — loaded only after your explicit consent
  • These help us understand usage patterns
  • Marketing cookies: Not currently used
  • You can manage cookie preferences via the consent banner or your profile settings at any time

14. Your Duties as Data Principal (DPDP Section 15)

As a Data Principal, you are expected to:
  • Provide accurate and truthful information
  • Not impersonate another person
  • Report suspected unauthorized access to your account
  • Keep your login credentials secure

15. Changes to This Policy

We will notify you via email or prominent in-app notice before changes become effective. Continued use after notification constitutes acceptance. Material changes require fresh consent.

16. Contact Us

  • Data Protection Officer: dpo@unpod.ai
  • General enquiries: info@unpod.ai
  • Address: ESSENTIAL INTERFACES PRIVATE LIMITED, F-539, Phase-8B Sector-74, 3rd Floor, Mohali Tower, Balongi, Rupnagar, S.A.S. Nagar (Mohali), Punjab, India 160055
  • Website: https://unpod.ai