How we handle personal data.
- Effective
- 15 July 2026
- Version
- 1.0
- Entity
- Vananth AI
1Who we are
VANANTH AI (OPC) PRIVATE LIMITED (CIN U62099KA2026OPC221084), registered at # 222, Ground Floor, 4th A Cross, HRBR Layout 3rd Block, Kalyan Nagar, Bangalore 560043, Karnataka, India, operates this website and the software products described below. In this policy, “we” and “us” mean that company.
This policy explains what personal data we handle, why, who we share it with, how long we keep it, and what you can ask us to do about it. It applies to vananthai.in and to our products CaterPilot and vivah.tech. vivah.tech is currently in development and not yet generally available; this policy applies to it from the date it is offered for subscription.
2Our two roles
This distinction determines who owes what to whom, so we state it first.
- We are a Data Fiduciary for the account data we collect from you directly — when you sign up, subscribe, pay, or contact us. We decide why and how that data is processed, and this policy is our notice to you about it.
- We are a Data Processorfor the business data our customers put into our products — their own clients, staff, events, and finances. We process that data only on the customer’s instructions, to provide the service. The customer decides why and how it is processed, and the customer is the Data Fiduciary for it.
If you are an employee, client, or guest of a business that uses our products, that business — not us — is the Data Fiduciary for your data. Direct your requests to them. We will assist them in responding.
3What we collect from you, and why
| Data | Why | Basis | Retention |
|---|---|---|---|
| Name, work email, phone | Create and secure your account; contact you about the service | Necessary to provide the service you asked for | While the account is active, then 90 days |
| Password hash, multi-factor secret, session records | Authenticate you and protect the account | Necessary to provide the service | While the account is active |
| Business name, billing contact, payment reference and instrument metadata | Take payment, issue receipts, meet accounting obligations | Legal obligation and contract performance | 8 years, as required by Indian tax and company law |
| IP address, device and browser data, access logs | Keep the service secure, diagnose faults, prevent abuse | Necessary to provide a secure service | 12 months |
| Support correspondence | Answer your question and keep a record of what we agreed | Necessary to provide the service | 3 years from last contact |
We do not sell personal data.We do not use your data or your customers’ data to train AI models. We do not run advertising trackers.
4Customer business data, including sensitive data
Our products hold data our customers enter about their own business. We process it only to provide the service, on the customer’s instructions. We do not use it for our own purposes and we do not sell it.
Customers should know what this includes, because some of it is sensitive. CaterPilotcan hold, about a customer’s staff: name, photograph, date of birth, address, Aadhaar number, PAN, bank account number and IFSC, salary and attendance records. About a customer’s own clients it can hold: name, contact details, billing address, PAN and GSTIN. Some of this is sensitive personal data or information under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and Aadhaar data carries further restrictions under the Aadhaar Act, 2016.
vivah.techcan hold, about a customer’s business: leads and client contact details, event and venue details, quotes and payment schedules, the studio’s own bank and UPI details, and uploaded media.
A customer who enters this data into our products is responsible for having the lawful basis and consents required to do so, and for collecting no more than it needs. That obligation is set out in our Terms and Conditions. Where a customer requires a Data Processing Agreement, we will enter into one.
5Who we share data with
We use the service providers below to run our products. Each receives only the data its purpose requires. We do not share personal data with anyone else, except where the law requires it.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| PhonePe Payment Gateway | Payment processing for subscriptions | Name, email, phone, payment instrument metadata, amount | India |
| Supabase | Managed database and application hosting | Account data and customer business data | India / Singapore |
| Vercel | Web application hosting and delivery | Request metadata, IP address | Global edge network |
| Resend (outside India) | Transactional email delivery | Name, email address, message content | United States |
| Amazon Web Services (S3, Mumbai) | Media storage and encrypted backups | Uploaded media, database backups | India (ap-south-1) |
| OpenAI (outside India) | AI decor image generation | Decor prompts and reference images only — no customer or guest personal data | United States |
| Higgsfield (outside India) | AI decor video generation | Decor prompts and reference images only — no customer or guest personal data | United States |
On transfers outside India.Customer and guest personal data stays in India. The only data that leaves the country for AI processing is decor prompts and reference images used by vivah.tech to generate decor visuals — these contain no customer or guest personal data. Transactional email is delivered by a provider in the United States and necessarily carries the recipient’s name and email address.
6Cookies and analytics
We use strictly necessary cookies to keep you signed in and to keep the service secure. These cannot be switched off without breaking the service.
Where we use product analytics, it is self-hosted, it is gated behind your consent, and you can withdraw that consent at any time without losing access to any feature. We do not use advertising or cross-site tracking cookies.
7Your rights
Under the Digital Personal Data Protection Act, 2023, in respect of the data for which we are the Data Fiduciary, you may:
- Access — ask what personal data of yours we hold, why we process it, and who we have shared it with.
- Correct — ask us to correct data that is inaccurate, or complete data that is incomplete.
- Erase — ask us to delete data we no longer need for the purpose we collected it for, subject to records we must keep by law.
- Withdraw consent — where we rely on your consent, withdraw it at any time. Withdrawal does not affect processing already carried out.
- Nominate — nominate another person to exercise these rights on your behalf if you die or become incapable of exercising them.
- Complain — raise a grievance with us, and escalate to the Data Protection Board of India if you are not satisfied.
To exercise any of these, write to contact@vananthai.in. We respond within 90 days. We may ask you to verify your identity first — so that we do not disclose your data to someone else.
8How long we keep data
Retention periods for account data are in the table at clause 3. Customer business data is kept while the customer’s subscription is active. After it ends, the customer has 30 days to export their data, after which we delete it. Encrypted backups are aged out on a rolling cycle and data deleted from the live service is removed from backups within 90 days.
We keep financial records for 8 years where Indian tax and company law requires it, regardless of any deletion request.
9How we protect data
We encrypt data in transit and at rest. Access is limited to what is needed to operate the service and is logged. Each customer’s data is isolated from every other customer’s. Changes to records are written to an append-only audit log. Backups are encrypted and stored in India.
No system is perfectly secure, and we do not claim otherwise. We tell you what we do so you can judge it.
10If there is a breach
If a personal data breach occurs, we will notify each affected person and the Data Protection Board of India without undue delay, describing what happened, what data was involved, what we are doing about it, and what you can do to protect yourself.
11Children
Our products are business software, sold to businesses and intended for use by adults. They are not directed at children, and we do not knowingly collect the personal data of a child. If you believe a child has provided us personal data, contact the Grievance Officer and we will delete it.
12Grievance redressal
Vedant Singhal, Founder & Director
Email: contact@vananthai.in
Phone: +91 70198 53528
Address: # 222, Ground Floor, 4th A Cross, HRBR Layout 3rd Block, Kalyan Nagar, Bangalore 560043, Karnataka, India
We acknowledge every grievance within 48 hours and resolve it within 90 days of receipt. If you are not satisfied with the outcome, you may complain to the Data Protection Board of India.
13Changes to this policy
We may update this policy. The version in force is the one published here, with its effective date shown at the top. Material changes are notified to the registered account email address before they take effect.