This Privacy Notice explains how Clustral AI Labs Pvt. Ltd. ("Clustral AI", "we", "our") collects, uses, shares and protects personal information when you visit clustralai.com, contact us, or engage our services. For service-engagement processing performed on a client's behalf, our role is that of a Data Processor and the relevant Data Processing Addendum (DPA) prevails over this Notice.
1. Who we are
Clustral AI Labs Pvt. Ltd. is a private limited company incorporated under the Companies Act, 2013, in India. For the purposes of the DPDP Act, 2023 we are the "Data Fiduciary"; for the purposes of GDPR/UK GDPR we are the "Controller".
2. Scope of this Notice
This Notice covers our website, marketing communications, and pre-contractual and contractual interactions. It does not cover personal data we process under contract on behalf of a client (governed by that engagement's DPA), nor third-party websites linked from ours.
3. Personal Data we collect
- You provide directly: name, work email, company, phone (optional), and the contents of any message you send through our forms or by email.
- Automatically collected: IP address, browser/user-agent, device type, referring URL, pages viewed, approximate location derived from IP, timestamps. We use this for security, abuse prevention and aggregate analytics.
- From third parties: publicly available business information (e.g., company size, role) used solely to qualify enquiries.
- We do not knowingly collect sensitive personal data (e.g., financial account details, health, biometric, or government IDs) through this Website.
4. How we use your data
We use your personal data to:
- respond to your enquiry and operate our sales pipeline (creating a CRM lead in our Odoo system);
- perform the services agreed under an SOW;
- send service-related communications (e.g., status, security advisories, scheduled changes);
- improve and secure our website (analytics, abuse detection, audit logs);
- comply with legal obligations and defend or establish legal claims.
5. Legal bases (GDPR / DPDP)
- Contract — to take steps at your request before entering, and to perform, a contract with you.
- Legitimate interests — direct B2B outreach to a business contact who provided their work details, and to keep our services secure. We balance these interests against your rights.
- Consent — where required, e.g., for non-essential cookies or marketing emails to individuals. You may withdraw consent at any time without affecting prior lawful processing.
- Legal obligation — tax, accounting, anti-money-laundering, and lawful requests from authorities.
- DPDP basis — "legitimate use" under Section 7 (where you have voluntarily provided personal data for a specified purpose) and explicit consent under Section 6 where applicable.
6. Cookies & similar technologies
We use only strictly necessary first-party storage to make the site work (e.g., session security, form integrity). We do not deploy advertising cookies. Where we use analytics, it is privacy-preserving and aggregated; we will request consent before setting any non-essential cookie that requires it.
7. AI & form-data handling
Submissions to our contact form are validated server-side, optionally screened by an automated abuse / bot-detection service (Cloudflare Turnstile), and stored as a CRM lead in our Odoo tenant. We do not use the content of your enquiry to train any general-purpose AI model. We may use aggregated, de-identified metrics (e.g., daily submission counts, error rates) to improve our services.
8. Sharing & sub-processors
We share personal data only with:
- Service providers acting as our processors (e.g., Odoo S.A. for CRM hosting, Cloudflare, Inc. for abuse prevention and content delivery, our cloud-infrastructure providers, our email provider). They act on documented instructions under written contracts containing GDPR Art. 28 / DPDP Section 8 obligations.
- Professional advisers (lawyers, auditors, insurers) under duties of confidentiality.
- Authorities where required by law, after assessing the lawfulness and proportionality of the request.
- In a corporate transaction (merger, acquisition, financing or asset sale), subject to confidentiality obligations.
We do not sell personal data, and we do not engage in cross-context behavioural advertising.
9. International transfers
Where personal data is transferred outside its country of origin, we rely on lawful transfer mechanisms — including the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, supplementary measures where required by Schrems II, and any future Government of India notification under Section 16 of the DPDP Act. A list of current sub-processors and their hosting regions is available on request at privacy@clustralai.com.
10. Retention
- Enquiries that do not become engagements — up to 24 months from last contact, then deleted or anonymised.
- Client engagement records — for the term of the engagement plus the limitation period required by Indian and applicable foreign law (typically 7 years for tax/accounting).
- Security logs — up to 12 months.
- Marketing preferences — until you withdraw consent.
11. Security
We maintain technical and organisational measures aligned with ISO/IEC 27001 — encryption in transit and at rest, least-privilege access, audit logging, secret rotation, vendor due diligence, employee confidentiality and security training, and a documented incident-response plan. We will notify affected persons and regulators of a personal-data breach where and within the time frames required by applicable law (e.g., 72 hours under GDPR Art. 33; without delay under DPDP Section 8(6)).
12. Your rights
Depending on your jurisdiction, you have rights to:
- access the personal data we hold about you and obtain a summary;
- correct inaccurate or incomplete data;
- erase data, subject to legal retention obligations;
- restrict or object to processing, including direct marketing;
- portability of data you provided to us;
- withdraw consent where processing is consent-based;
- nominate a person to exercise your rights in the event of death or incapacity (DPDP §14);
- lodge a complaint with a supervisory authority (e.g., the Data Protection Board of India under DPDP, your EU/UK supervisory authority, or the UK ICO).
Send requests to privacy@clustralai.com. We respond within the statutory timelines (typically 30 days under GDPR; without undue delay under DPDP) and may need to verify your identity.
13. Children
Our Website and services are intended for business users and are not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
14. Changes to this Notice
We may update this Notice to reflect changes in law or our practices. Material changes will be highlighted on the Website. The "Last updated" date at the top indicates the most recent revision.
15. Grievance & contact
In compliance with Rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and Section 8(9) of the DPDP Act, our Grievance Officer / Data Protection Contact details are below. We acknowledge complaints within 48 hours and aim to resolve them within 15 days.
Clustral AI Labs Pvt. Ltd.
India
Privacy: privacy@clustralai.com
Grievance: grievance@clustralai.com
Legal: legal@clustralai.com
This Notice does not constitute legal advice. For full contractual terms see our Terms & Conditions.