Data Policy
Last updated: 7 July 2026
1. Ownership
Your organisation owns its data. SHOBHA KAMAL SOLUTIONS PRIVATE LIMITED processes it only to operate, secure, and improve the Services. Nothing in this policy transfers ownership of your business data to us.
2. Tenant isolation
Every organisation's data is isolated at the database layer through row-level security enforced by the database itself, not only by application code. Cross-tenant access is structurally prevented, and platform-level operations run under separately controlled roles. AI response caching is scoped per organisation so one tenant's AI outputs can never be served to another.
3. Model training — what we do and don't do
We use data to train and improve our models and systems. Concretely:
- We analyse usage patterns, AI execution outcomes, and anonymised interaction data to improve routing, prompts, and system behaviour.
- Semantic indexes (embeddings) are computed over your content to power search and capability matching within your own tenant.
- Aggregated, de-identified signals may inform platform-wide improvements.
- We do not sell your data, and we do not expose one tenant's identifiable business content to another tenant through training or otherwise.
- To object to the use of your organisation's data for improvement purposes, contact raajat.agarwal@gmail.com.
4. Third-party processing
The Services rely on third-party subprocessors — cloud hosting and database infrastructure (Vercel, Supabase) and AI model providers reached through our model-routing layer (which may include OpenRouter and the model vendors behind it). These subprocessors maintain GDPR compliance commitments and SOC 2 attestations. Where you bring your own AI provider keys (BYOK), your data is processed by your chosen provider under your own agreement with them; we store such keys encrypted and use them only to make the calls you configure.
5. Our compliance posture
Our systems are designed and operated in accordance with GDPR principles (lawfulness, purpose limitation, data minimisation, security, accountability) and SOC 2 trust-service criteria (security, availability, confidentiality), and run exclusively on infrastructure that holds current SOC 2 attestations and GDPR commitments. Every AI execution on the platform is logged with its model, token usage, and outcome, giving an auditable ledger of automated processing.
6. Retention, export, deletion
You may export your data during the life of your account. On termination or verified request we delete or anonymise your organisation's data within a reasonable period, except where law requires longer retention. Backups age out on rolling schedules.
7. Contact
Data questions, objections, and requests: raajat.agarwal@gmail.com.