Privacy Policy
Plain English. How we handle the data you — and your customers — trust us with.
Last updated: April 2026
Hanvitt AI ("we", "us", "Hanvitt") runs a multi-tenant AI chat platform. This policy covers the data we collect across our website, dashboards, APIs, embedded chat widget, and connected WhatsApp numbers (collectively, the "Services"). If you're a business using Hanvitt, this also explains how we process data on behalf of your end-customers (your "visitors").
Aligned with India's Digital Personal Data Protection Act, 2023 (DPDPA) and GDPR Article 28 principles where applicable. Questions: hello@hanvitt.com.
1. What we collect
As the Data Fiduciary (your business account)
- Account: name, business email, phone, company name, billing address.
- Content you upload: knowledge base documents (PDFs, DOCX, CSV), FAQs, domain-pack rules, widget settings.
- Operational data: login timestamps, IP address, plan tier, usage counters (conversations, KB entries).
As the Data Processor (on behalf of your business, for visitors)
- Lead data: visitor name, phone, email, requirement text — captured via the chat widget when a visitor submits the lead form.
- Conversation content: messages exchanged between a visitor and your AI agent.
- Technical: browser, language preference, IP address, session ID.
Your visitors see your brand — not Hanvitt's. You decide what to collect, how long to keep it, and who to share it with. We act on your instructions.
2. What we use it for
- Deliver the Services (authenticate, answer visitor questions, capture leads, generate analytics).
- Keep your account secure — detect abuse, throttle runaway usage, prevent impersonation.
- Bill you correctly and send operational notices (renewals, quota alerts, incident emails).
- Improve product quality via aggregate, de-identified metrics only.
We do not sell personal data. We do not feed your business content or your visitors' conversations into third-party foundation models for training — unless you explicitly opt in via a signed data-processing amendment.
3. Who we share with
Only the following categories, each under contractual confidentiality and security obligations:
- Cloud infrastructure: databases, storage, compute (currently hosted in India and the US).
- LLM providers (OpenAI, Anthropic, Google) — to generate responses. Prompts are not retained for model training under their enterprise APIs.
- Payment processors — Stripe, Razorpay (card data never touches our servers).
- Channel providers — Meta/WhatsApp Business API, where you enable it.
- Email delivery — Zoho SMTP for transactional emails.
- Law enforcement — only under valid legal process.
4. How long we keep it
- Account data: as long as your subscription is active + 12 months after cancellation.
- Conversation + lead data: per your plan's retention setting (default 90 days; configurable up to 365 days).
- Billing records: 7 years, as required by the Income Tax Act, 1961.
- Logs: 30 days for auth/access logs, 90 days for security-incident logs.
5. Your rights
Under DPDPA and GDPR, you can:
- Access a machine-readable export of your personal data.
- Correct or delete any inaccurate data.
- Port your data to another provider.
- Object to or restrict specific processing.
- Withdraw consent anytime — prior lawful processing remains valid.
- Nominate someone to exercise these rights on your behalf (DPDPA §14).
Email hello@hanvitt.com. We respond within 30 days — often the same business day.
If you're a visitor asking about data held by a business using Hanvitt, contact that business directly — they control your record, we only host it.
6. Security
- TLS 1.3 everywhere in transit. AES-256 at rest.
- Role-based access — super admin, tenant admin, agent — with audit trails on every privileged action.
- Rate limiting, brute-force lockouts, and bcrypt-hashed passwords.
- Per-tenant data isolation — no cross-tenant leakage, ever.
- Regular dependency scans and quarterly security reviews.
If we ever discover a breach that materially affects you, we'll notify you and the relevant authority within 72 hours, per DPDPA §8(6).
7. Cookies
We use two types:
- Essential: authentication tokens, preferences (theme, language, locale). Cannot be disabled without breaking the Services.
- Analytics: anonymous product usage, funnel tracking. Opt out via your browser's "Do Not Track" signal, which we honour.
8. International transfers
Your data may move between India, the US, and the EU (our infra + LLM provider regions). We rely on DPDPA-notified standard contracts or equivalent safeguards for cross-border flow.
9. Children
The Services aren't built for users under 18. We don't knowingly process children's data. If a parent or guardian discovers a child's data with us, email us — we'll delete it within 7 days.
10. Policy changes
Material changes get 30 days' notice via in-product banner + email to your account owner. Non-material edits (typo fixes, link updates) can ship anytime — the "Last updated" date reflects the latest revision.
11. Contact
Grievance Officer: hello@hanvitt.com
Hanvitt AI · India