Privacy Policy
Effective Date: March 16, 2026
Novamind Tech LLP ("Company", "we", "us", or "our") operates Oriv ("Platform", "Service"), an AI-native operating system for business conversations, accessible at oriv-ai.com and related applications.
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal and business information when you use our Service. We are committed to protecting your privacy and handling your data transparently, in compliance with the Digital Personal Data Protection (DPDP) Act, 2023 (India), the General Data Protection Regulation (GDPR) (where applicable), and other relevant data protection laws.
By using Oriv, you consent to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Service.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Name, email address, phone number, organization name, and role when you register for an account.
- Business Data: Contacts, deals, invoices, freelancer records, tickets, and other business information you input into the Platform.
- Conversation Data: Messages and instructions you send to the AI chat assistant, including the business context referenced in those conversations.
- Payment Information: Billing address and payment details (processed by our third-party payment processor, Razorpay — we do not store your full payment card details).
- Communications: Emails, support requests, and feedback you send to us.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, timestamps, click patterns, and interaction data.
- Device Information: Browser type, operating system, device type, screen resolution, and language preference.
- Network Information: IP address, approximate location (city/country level), and referral source.
- Cookies and Similar Technologies: We use essential cookies for authentication and session management, and analytics cookies to improve the Service (see Section 9).
1.3 Information from Third-Party Services
- Firebase Authentication: When you sign in via Google or other identity providers, we receive your name, email, profile picture, and unique identifier from Firebase (Google).
- Payment Processors: Transaction status, payment confirmation, and billing information from Razorpay.
2. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service | Contract performance; Consent |
| Processing AI chat requests and generating responses | Contract performance; Consent |
| Managing your account and authentication | Contract performance |
| Processing payments and billing | Contract performance |
| Sending transactional notifications (e.g., overdue invoices, stalled deals) | Legitimate interest; Consent |
| Improving and optimizing the Service | Legitimate interest |
| Ensuring security and preventing fraud | Legitimate interest; Legal obligation |
| Complying with legal obligations | Legal obligation |
| Responding to support requests | Contract performance; Legitimate interest |
3. AI-Specific Data Processing
Important: This section describes how your data is processed in connection with our AI features. We believe in full transparency about AI data handling.
3.1 What Data Is Processed by AI
When you interact with the AI chat assistant, the following data may be processed:
- Your conversation messages and instructions.
- Relevant business context from your Tenant (e.g., contact names, deal values, invoice amounts) necessary to fulfill your request.
- Conversation history (up to the last 20 messages) for maintaining context.
3.2 Third-Party AI Model Providers
We use third-party large language model (LLM) providers to power our AI features. Currently, these include:
- Google Gemini (primary) — governed by Google's AI Terms of Service
- Groq (fallback) — governed by Groq's Terms of Use
These providers process your data solely to generate AI responses and are contractually prohibited from using your data for any other purpose, including model training. We may change or add AI providers in the future; this Privacy Policy will be updated accordingly.
3.3 No Training on Your Data
We do not use your personal data, business data, or conversation content to train, fine-tune, or improve any AI or machine learning models. This applies to both our own systems and any third-party AI providers we use. Your data is processed in real time to generate responses and is not retained by AI model providers beyond the scope of the individual request.
3.4 AI Observability and Monitoring
We use Langfuse (self-hosted) for AI observability, which includes logging AI request/response metadata for quality monitoring, debugging, and performance optimization. This data is stored on our own infrastructure and is not shared with external parties. Logs are retained for a limited period and are used solely for service improvement and debugging.
3.5 Automated Decision-Making
Oriv's AI features may involve automated processing, including:
- Automated CRM data entry based on conversations.
- AI-suggested deal values, contact categorizations, and business insights.
- Automated notifications and alerts based on business rules.
These automated processes are designed to assist, not replace, human decision-making. All automated actions performed by the AI can be reviewed, modified, or reversed by you. You have the right to request human intervention in any automated process that significantly affects you.
4. Data Sharing and Disclosure
We do not sell your personal data. We share information only in the following circumstances:
4.1 Service Providers
We share data with trusted service providers who assist us in operating the Service:
- Cloud Infrastructure: Railway (hosting), PostgreSQL, Redis — for data storage and service operation.
- Authentication: Firebase (Google) — for user identity management.
- AI Processing: Google (Gemini), Groq — for AI response generation (see Section 3).
- Payment Processing: Razorpay — for handling payments.
- Email Services: Resend — for transactional emails.
All service providers are bound by contractual obligations to process your data only as instructed and to maintain appropriate security measures.
4.2 Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you before your data becomes subject to a different privacy policy.
5. Data Security
We implement comprehensive security measures to protect your data:
- Encryption: Data is encrypted in transit (TLS/HTTPS) and at rest.
- Access Controls: Role-based access control (RBAC) and Row-Level Security (RLS) policies ensure data is accessible only to authorized users within your Tenant.
- Multi-Tenant Isolation: All database queries are scoped to your Tenant, enforced at both the application and database level through RLS policies.
- Audit Logging: All significant data operations are logged in an audit trail for security monitoring.
- Authentication Security: Firebase Authentication with industry-standard practices including secure token handling.
- Infrastructure Security: Our services run on Railway's secure infrastructure with network-level isolation.
While we employ best-practice security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.
6. Data Retention
- Account Data: Retained for the duration of your active account, plus 30 days after account deletion.
- Business Data: Retained as long as your account is active. Deleted within 30 days of account termination unless legally required to retain.
- Conversation/AI Data: Chat history is retained for the duration of your account to provide continuity. AI processing logs (Langfuse) are retained for up to 90 days for debugging and quality purposes.
- Payment Records: Retained as required by applicable tax and financial regulations (typically 7 years under Indian law).
- Audit Logs: Retained for 1 year for security and compliance purposes.
- Usage Analytics: Retained in anonymized/aggregated form indefinitely for service improvement.
Upon expiration of retention periods, data is securely deleted or anonymized so that it can no longer be associated with you.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
7.1 Under the DPDP Act (India)
- Right to Information: Know what personal data we collect and how it is processed.
- Right to Correction and Erasure: Request correction of inaccurate data or deletion of your personal data.
- Right to Grievance Redressal: Lodge complaints with our Grievance Officer or the Data Protection Board of India.
- Right to Nominate: Nominate another individual to exercise your rights in case of your death or incapacity.
- Right to Withdraw Consent: Withdraw previously given consent at any time, with the understanding that withdrawal does not affect the lawfulness of processing prior to withdrawal.
7.2 Under the GDPR (EU/EEA Users)
If you are located in the EU or EEA, you additionally have:
- Right of Access: Obtain a copy of your personal data.
- Right to Rectification: Correct inaccurate personal data.
- Right to Erasure: Request deletion of your personal data ("right to be forgotten").
- Right to Restriction: Restrict processing of your personal data in certain circumstances.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests, including profiling.
- Rights Related to Automated Decision-Making: Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
7.3 Exercising Your Rights
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
8. Cross-Border Data Transfers
Your data may be transferred to and processed in countries other than India, including the United States (where some of our third-party service providers are based). When transferring data internationally, we ensure:
- Appropriate contractual safeguards are in place with all service providers.
- Transfers comply with the DPDP Act's cross-border transfer provisions.
- For EU/EEA users: transfers are protected by Standard Contractual Clauses (SCCs) or other approved mechanisms under the GDPR.
Currently, the Indian government has not restricted transfers to any specific countries. We monitor government notifications and will update our practices accordingly.
9. Cookies and Tracking Technologies
9.1 Types of Cookies We Use
- Essential Cookies: Required for authentication, session management, and core platform functionality. These cannot be disabled.
- Analytics Cookies: Help us understand how users interact with the Service so we can improve it. These can be opted out of.
9.2 Managing Cookies
You can manage your cookie preferences through your browser settings. Note that disabling essential cookies may prevent you from using the Service. We do not use cookies for third-party advertising or cross-site tracking.
10. Children's Privacy
Oriv is a business-to-business service and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children under 18. In compliance with the DPDP Act's stringent requirements for children's data protection, if we become aware that we have collected personal data from a child under 18, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Data Protection Board of India (or relevant supervisory authority) within 72 hours of becoming aware of the breach, as required by applicable law.
- Notify affected users without undue delay via email and/or platform notification.
- Provide details of the nature of the breach, the data affected, and the remedial steps taken.
12. Grievance Officer
In accordance with the DPDP Act, we have appointed a Grievance Officer to address your concerns regarding data processing:
- Name: Grievance Officer, Novamind Tech LLP
- Email: [email protected]
- Response Time: We will acknowledge your complaint within 48 hours and resolve it within 30 days.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Post the updated Privacy Policy on the Platform with a new "Effective Date".
- Notify you via email or in-app notification for material changes.
- Obtain fresh consent where required by law for changes to data processing practices.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Company: Novamind Tech LLP
- Email (Privacy): [email protected]
- Email (General): [email protected]
- Email (Grievance): [email protected]
- Website: https://oriv-ai.com
Summary of Key Points
- We never use your data to train AI models.
- Your business data is strictly isolated within your organization's tenant.
- AI responses are generated in real time and not retained by third-party AI providers.
- You can export or delete your data at any time.
- We comply with the DPDP Act (India) and GDPR (EU) where applicable.
- We use encryption, RLS, and audit logging to protect your data.