Privacy Policy

Altx Convergence Private Limited (“Altx,” “Company,” “we,” “us,” or “our”) operates altx forms, an AI-native enterprise form-building platform. This Privacy Policy explains what personal data we collect when you visit our website or use altx forms, why we process it, who we share it with, how long we retain it, and the rights you have as a Data Principal under the Digital Personal Data Protection Act, 2023 (“DPDPA”).

By accessing or using altxforms.ai, app.altxforms.ai, or the altx forms platform (collectively, the “Services”), you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Services.

This Privacy Policy applies to: (a) Account Holders who create forms, surveys, and other data-collection instruments; (b) Respondents who submit responses to forms created by Account Holders; and (c) Visitors who browse our websites without creating an account.

1. WHO IS THE DATA FIDUCIARY

Altx Convergence Private Limited (CIN U72900KA2021PTC145024), having its registered office at Pavilion 175 and 176, Dollars Colony, Phase 4, JP Nagar, Bannerghatta Main Road, Bengaluru, Karnataka 560078, India.

Data Protection Officer: Anitha — dpo@altx.one· +91 81973 19519. Privacy queries: privacy@altx.one. Grievance redressal under Section 13 DPDPA: grievance@altx.one.

2. INFORMATION WE COLLECT

2.1 Information You Provide to Us

Account Information: When you create an account, we collect your name, email address, password (hashed via Auth0), organisation name, and billing information (if applicable).

Form Content: We store the forms, surveys, questionnaires, and other data-collection instruments you create using the Services, including questions, logic, themes, and design configurations.

Response Data: We store responses submitted through forms you create. The content and nature of this data depends entirely on the questions you ask. As Data Processor for response data, we follow your instructions as the form-owner (the Data Fiduciary).

AI-Feature Usage: When you use AI features (form generation, conversational analytics, response intelligence), we process the prompts you send and the AI-generated drafts and analyses.

Communications: When you contact us for support or provide feedback, we collect the content of your communications, including any attachments.

Billing & Payment Information: If you subscribe to paid plans, we collect billing details (billing address, GSTIN, plan, invoice metadata). Payment-card information is processed by our third-party payment processors (Chargebee, Razorpay for India, Stripe for international) and is not stored on our servers.

2.2 Information Collected Automatically

Usage Data: Pages visited, features used, actions taken, time spent, clickstream.

Device Information: Device type, operating system, browser type and version, unique device identifiers, mobile network information.

Log Data: IP address, access times, referring URLs, system activity. Retained for a minimum of 180 days in line with the CERT-In Directions of April 2022 (we apply a 1-year floor for forensic margin).

Location Information: We infer your approximate location from your IP address. We do not collect precise geolocation data unless you explicitly enable it on a form.

2.3 Information We Do Not Collect

Children’s Data: altx forms is not directed at users under 18 years of age. We do not knowingly process personal data of children, and our Terms of Service prohibit account holders from using the platform to collect personal data from individuals under 18 without obtaining their own verifiable parental consent.

3. HOW WE USE YOUR INFORMATION

We use the personal data we collect for the following specific purposes:

• Account registration & authentication — creating your account, secure login via Auth0, password reset, SSO.
• Form building (core service) — creating, editing, publishing, and managing your forms.
• Response collection & dashboards — receiving responses, storing them, presenting them in dashboards and exports.
• AI-powered features — form generation, conversational analytics, response intelligence, adaptive questioning, semantic search over attachments. Aggregated and anonymised data only is used to improve our AI features; identifiable Customer Data is not used to train third-party AI models without your explicit consent.
• Payment processing & subscription management — processing subscription payments via Chargebee (Razorpay for India / Stripe for international), invoicing, GST handling, AltX Coins virtual currency.
• Customer support & grievance redressal — responding to support tickets and grievances under Section 13 DPDPA.
• Service improvement & analytics — understanding feature usage to improve the product. Aggregated and de-identified data only.
• Service communications — transactional emails (account, password reset, billing, security alerts), product announcements, downtime notices.
• Marketing communications — newsletters, product updates, event invites — only with your separate opt-in consent; you may withdraw consent at any time without affecting any other processing.
• Security, fraud prevention & abuse detection — detecting and preventing fraudulent activity, abuse, security incidents; enforcing our Terms of Service.
• Legal & regulatory compliance — complying with applicable laws (DPDPA 2023, IT Act 2000 + SPDI Rules 2011, CERT-In Apr-2022 directions, Indian tax law, court orders, lawful government requests).

4. LEGAL BASIS FOR PROCESSING

We process your personal data on the following legal bases under the DPDPA 2023:

• Consent (Section 6): For account creation, marketing, AI-feature usage, and any purpose that is not necessary for the core service or required by law.
• Legitimate Uses (Section 7): For performance of the contract, security and fraud prevention, employment-related processing (employee accounts), and compliance with legal obligations.
• Legal Obligation: Where we are required to retain or disclose data under Indian law (tax, CERT-In directions, court orders, lawful regulator requests).

5. HOW WE SHARE YOUR INFORMATION

Every recipient operates under a Data Processing Agreement with us. A current list of sub-processors is published at /sub-processors; we update that list whenever we engage a new sub-processor.

• Amazon Web Services (AWS), region ap-south-1 (Mumbai) — cloud hosting for compute, databases (PostgreSQL with pgvector), object storage (S3), transactional email (AWS SES), queues, background jobs.
• Auth0 (Okta) — user authentication, password management, SSO, MFA.
• Google Workspace — corporate email, calendar, Drive (for support communications and corporate documents only — not product data).
• Chargebee — subscription management.
• Razorpay — card / UPI / netbanking payments for Indian customers (card data captured directly by Razorpay; not seen by us).
• Stripe — card payments for international customers (card data captured directly by Stripe).
• Anthropic (Claude API) — AI form generation, conversational analytics, response intelligence — invoked only when you use an AI feature.
• OpenAI — AI features (alternate provider per workload configuration).
• Legal / regulatory authorities — on lawful request (court orders, statutory requests, regulator inquiries).

6. CROSS-BORDER TRANSFERS

As of the effective date of this Policy, all primary processing of your personal data (account, billing, forms, responses) is hosted in AWS region ap-south-1 (Mumbai, India). Limited categories listed in Section 5 are processed by sub-processors operating outside India (Stripe; Anthropic; OpenAI; potentially Auth0 / Google Workspace / Chargebee subject to region confirmation) under their own Data Processing Agreements. We monitor restricted-country notifications issued by the Data Protection Board of India under Section 16 of the DPDPA and will update this Policy on any change of region or sub-processor.

7. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar technologies. Detailed information about the cookies we use, the categories, and how to manage your preferences is in our Cookie Policy. We provide a granular consent banner on your first visit and at any time you may revisit your choices.

8. DATA RETENTION

We retain your personal data only for as long as necessary for the stated purpose or as required by law:

• Account & identity data: Duration of the account + 90 days grace period after closure (export window), then erasure.
• Form content & response data: Held until you delete them or close your account, subject to your data-export rights. As Data Processor for response data, we follow the form-owner’s instructions.
• AI-feature logs (prompts and outputs): Identifiable prompts retained 90 days for abuse-detection; aggregated and de-identified outputs retained for service improvement.
• Billing & financial records: 8 years from the end of the financial year of the transaction (Income Tax Act / Companies Act).
• Behavioural / usage data: 24 months identifiable; thereafter aggregated indefinitely.
• Device / technical logs: 180 days minimum (CERT-In); longer if a security investigation is open.
• Marketing preferences: Until consent is withdrawn.
• Communications / support tickets: 3 years from ticket closure.
• Erased-data audit trail: 1 year from erasure (anonymised metadata only).

9. HOW WE PROTECT YOUR PERSONAL DATA

• Encryption: TLS 1.2+ in transit and AES-256 at rest (AWS KMS customer-managed keys).
• Access controls: role-based, principle of least privilege; multi-factor authentication on all administrative access.
• Security monitoring: AWS GuardDuty + centralised log aggregation; CERT-In-aligned log retention.
• Personnel: background-checked staff bound by written confidentiality obligations; annual security and DPDPA training.
• Incident response: documented breach-notification procedures (CERT-In within 6 hours of detection; DPBI within 72 hours under Rule 7); affected Data Principal notification without undue delay.

If you believe your account has been compromised, contact us immediately at security@altxforms.ai.

10. YOUR RIGHTS AS A DATA PRINCIPAL

Under the DPDPA 2023 you have the rights below. We acknowledge every request within 48 hours and respond substantively within 30 days of receiving a complete request, in line with our published Service Level Agreement.

10.1 Rights under the DPDPA

• Right of access (Section 11): obtain a summary of personal data we hold about you.
• Right to correction and erasure (Section 12): correct inaccurate data; request erasure where the purpose is no longer being served (subject to legal-hold exceptions).
• Right to grievance redressal (Section 13): raise any grievance about our processing.
• Right to nominate (Section 14): nominate another individual to exercise your rights in the event of incapacity or death.
• Right to withdraw consent (Section 6(4)): withdraw consent at any time, prospectively.

10.2 How to Exercise Your Rights

Submit a request at /data-rights (public form) or, if you have an account, in Account Settings → Data & Privacy → Data Rights. You can also email dpo@altx.one. We may need to verify your identity before processing your request.

10.3 Escalation to the Data Protection Board of India

If you are not satisfied with our response, you may approach the Data Protection Board of India under Section 13: https://dpboard.gov.in(portal to be enabled by the Board).

11. ACCOUNT HOLDERS AND RESPONDENTS

11.1 Account Holder Responsibilities

If you are an Account Holder who creates forms using our Services, you are the Data Fiduciary (data controller) for the response data you collect. You are responsible for:

• Obtaining appropriate consent from respondents before collecting their personal data.
• Providing respondents with clear information about how their data will be used.
• Complying with all applicable privacy laws and regulations.
• Responding to data-subject requests from your respondents within the timelines required by law.
• Not collecting personal data from individuals under 18 without your own verifiable parental consent under DPDPA Rule 10.

11.2 Respondent Rights

If you are a Respondent who has submitted data through a form created using our Services, you should contact the Account Holder (the person or organisation that sent you the form) to exercise your data rights. The Account Holder is the Data Fiduciary for your response data. If you cannot identify or reach the Account Holder, contact us at dpo@altx.oneand we will assist.

12. AI AND AUTOMATED PROCESSING

12.1 How We Use AI

Our Services include AI-powered features such as form generation, conversational analytics, response intelligence, and adaptive questioning. These features may process your data using machine-learning models to provide insights and recommendations.

12.2 AI Training

We may use aggregated, anonymised, and de-identified data to improve our AI features. We do not use your identifiable personal data or response data to train third-party AI models without your explicit consent.

12.3 Third-Party AI Providers

Some AI features are powered by third-party AI providers (Anthropic, OpenAI). When using such features, your prompts and content may be processed by these providers in accordance with their privacy policies and our Data Processing Agreements with them. See /sub-processorsfor the current list.

13. CHILDREN’S PRIVACY

altx forms is not directed to individuals under the age of 18 (the age of majority under the DPDPA). We do not knowingly collect personal information from children. If you are an Account Holder, you must not use the Services to knowingly collect data from children without verifiable parental consent and the safeguards required by DPDPA Rule 10.

If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information. If you believe a child has provided us with personal information, please contact us at dpo@altx.one.

14. JURISDICTION

This Privacy Policy is governed by the laws of India. Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in Bangalore, Karnataka, India.

altx forms is available globally; data we process about you is held primarily in AWS ap-south-1 (Mumbai, India) as set out in Section 6.

15. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, our technology, our service offering, or applicable law. When we make a material change, we will notify you via email or via an in-product banner, and we will update the “Last Updated” date above. For significant changes that introduce a new purpose, a new sensitive data category, a new cross-border transfer, or a new sub-processor handling sensitive data, we will obtain fresh consent before the change takes effect.

16. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: