Privacy Policy

1. Introduction & Scope

This Privacy Policy ("Policy") outlines how Kriyatoonz Private Limited ("we," "us," our," or "Data Controller/Fiduciary") collects, processes, and protects personal data across our platforms, including Kriya Learn and iKriyate Storyboard.

We are committed to operating in full compliance with the Indian Information Technology Act 2000 & IT (Amendment) Act 2008, India's Digital Personal Data Protection Act (DPDP Act) 2023, the General Data Protection Regulation (GDPR) for EU/UK users, and the California Consumer Privacy Act (CCPA).

By continuing to access or use our platforms and services, you acknowledge that you have read, understood, and accept the practices described in this Policy.

2. Information We Collect

We collect the following categories of information to provide and improve our services:

• Personal identification data: Name, email address, account credentials, and, for B2B users, organization name.
• Payment and billing information: Processed solely via secure third-party payment processors. Kriyatoonz does not store raw credit card or payment data on our servers.
• Usage and analytics data: IP address, device information, session data, feature usage, and clickstream behavior to monitor platform performance and user experience.
• User-uploaded content: Scripts, documents, characters, images, and training materials submitted for processing, including AI processing, within our platforms.

3. How We Use Your Information

We use the collected information for the following purposes:

• Service delivery and account management: To create, manage, and authenticate user accounts and provide the core functionalities of Kriya Learn and iKriyate Storyboard.
• AI-powered output generation: To process user-uploaded content securely to generate storyboard visuals, learning modules, and other platform outputs.
• Product analytics and improvement: To analyze usage patterns, troubleshoot technical issues, and improve our platform features.
• Customer support: To respond to inquiries, technical issues, and provide assistance.
• Marketing communications: To send updates, newsletters, and promotional materials. You retain the right to opt-out of these communications at any time.
• Fraud prevention and legal compliance: To maintain the security of our platforms, detect fraudulent activities, and comply with applicable legal obligations.

4. Legal Basis for Processing (GDPR Article 6)

For individuals located in the European Economic Area (EEA) and the United Kingdom, our processing of personal data is based on the following lawful bases:

• Contractual Necessity: Processing personal identification data, uploaded content, and billing information to fulfill our terms of service and deliver the requested product functionalities.
• Legitimate Interests: Processing usage and analytics data for platform security, fraud prevention, and continuous product improvement, provided these interests are not overridden by your fundamental rights.
• Consent: Processing data for direct marketing communications, which can be withdrawn at any time.
• Legal Obligation: Retaining necessary billing and transactional records to comply with statutory financial and legal requirements.

6. Data Storage & Security

• Infrastructure: Data is securely stored on reputable, industry-leading cloud infrastructure, utilizing services across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
• Residency: Primary personal data storage is located within India, while media assets (such as images, videos, and files) are securely stored in the US East region.
• Encryption: All personal data and user-uploaded content are encrypted both at rest and in transit using industry-standard cryptographic protocols.
• Access Controls: Access to infrastructure and user data is strictly governed by role-based access controls (RBAC) and robust authentication protocols.
• Monitoring and Response: We maintain regular security assessments, ongoing threat monitoring, and established breach response procedures to uphold data integrity and availability.

7. Content Delivery & CDN

To ensure optimal global performance and minimal latency, media assets such as images, videos, and static files may be served through a globally distributed Content Delivery Network (CDN).

The CDN functions solely for performance optimization by delivering cached, non-personal media content. It does not store, process, or transmit personal user data or sensitive account information.

8. Data Residency & International Transfers

As a company headquartered in India, our primary personal data processing and storage facilities are maintained within Indian territory. However, to optimize delivery and performance, media assets (such as encrypted images, audio, and video files) are stored in the US East region.

For users accessing our services globally, the delivery of cached media assets via our CDN does not constitute a cross-border transfer of primary personal identification data. For users in the European Union (EU) or the United Kingdom (UK), where any limited international transfer of personal data is required for service fulfillment, we ensure compliance with GDPR Article 46 by implementing Standard Contractual Clauses (SCCs) and adequate technical safeguards.

9. Third-Party Sub-Processors

We engage authorized third-party sub-processors solely to facilitate service delivery. We categorically state that no personal data is sold to third parties under any circumstance. Our sub-processors include:

• Microsoft Azure: Cloud infrastructure processing.
• Amazon Web Services (AWS): Cloud storage and content delivery.
• Google Cloud Platform (GCP): Cloud infrastructure processing.
• Enterprise AI Provider: AI and machine learning processing (strictly prohibited from model training via contract).
• Payment Processor(s): Secure billing and transaction handling.

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Active Account Data: Retained for the duration of the active account lifecycle.
• Uploaded Content: Securely deleted from active servers upon user-initiated deletion or account termination.
• Billing Records: Retained for the statutory duration required by applicable Indian corporate and tax laws.
• Analytics Data: Retained indefinitely only in a strictly aggregated and anonymized format.

11. User Rights

Depending on your jurisdiction, you may exercise the following rights over your personal data:

• GDPR (EU/UK): The right to access, rectify, erase, restrict processing, port your data, and object to processing.
• CCPA (California, USA): The right to know what personal information is collected, the right to request deletion, and the right to opt-out of the "sale" of data. We explicitly confirm that we do not sell your personal data.
• DPDP Act 2023 (India): The right to information, correction, nomination, and grievance redressal.

To exercise any of these rights, please contact our Grievance Officer using the contact details provided in Section 14. We will authenticate your request and respond within the statutory timeframe applicable to your jurisdiction.

12. Children's Privacy

Our platforms and services are intended exclusively for general business and professional audiences. They are not directed toward, nor do we knowingly collect personal data from, individuals under the age of 18 without verifiable parental consent.

If you believe that a minor has provided us with personal information, a parent or legal guardian may contact us to request the immediate deletion of such data.

13. Grievance Officer

In mandatory compliance with the Indian Information Technology Act and the DPDP Act 2023, Kriyatoonz has appointed a Grievance Officer to address data privacy concerns. All inquiries will be acknowledged within 24 hours and resolved within 30 days.

14. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our operational practices, relevant laws, or regulatory requirements. We will notify you of any material changes through prominent platform notifications or direct email communications. Your continued use of our services following such notification signifies your acceptance of the updated Policy.

15. Contact Us

If you have further questions or require assistance regarding this Privacy Policy, please reach out to our team at our registered office: