Privacy Policy

1. Introduction

Rupam.ai is a product of Xillentech Private Limited, registered in Ahmedabad, Gujarat, Bharat. This Privacy Policy describes how we collect, use, store, and protect your personal data when you use our website, API, Shopify plugin, and related services (collectively, the “Services”).

We are committed to complying with Bharat’s Digital Personal Data Protection Act, 2023 (DPDPA) and applicable data protection regulations. By using our Services, you consent to the practices described in this policy.

2. Data We Collect

We collect the following categories of data:

• Account information: Name, email address, company name, and role when you sign up or request a demo.
• Facial image data: Photographs submitted through the skin analysis API for the purpose of AI-powered skin analysis. These images are processed in real time and are not stored beyond the analysis session unless you explicitly opt in to data retention.
• Skin analysis results: The structured output of our AI analysis, including Fitzpatrick classification, skin concern scores, and product recommendations.
• Usage data: API call logs, scan counts, timestamps, and error logs for service monitoring and billing.
• Payment information: Billing details processed through our payment provider. We do not store credit card numbers on our servers.
• Device and browser data: IP address, browser type, and device information collected automatically for security and analytics.

3. How We Use Your Data

We use your data for the following purposes:

• To provide, maintain, and improve the skin analysis API and related Services.
• To generate personalised skin analysis reports and product recommendations.
• To process payments and manage your subscription.
• To communicate with you about your account, service updates, and support requests.
• To monitor API usage, detect abuse, and enforce rate limits.
• To improve our AI models using anonymised and aggregated data (never individual facial images without explicit consent).
• To comply with legal obligations under Bharatiya law.

4. Facial Image Processing

Rupam.ai processes facial images solely for the purpose of skin analysis. We take the following measures to protect your biometric data:

• Images are processed in real time and are automatically deleted from our servers within 24 hours unless you opt in to extended retention for before/after tracking.
• We do not use facial images for facial recognition, identity verification, or any purpose other than skin analysis.
• All image processing occurs on Bharat-hosted infrastructure (AWS Mumbai ap-south-1 region).
• Images are encrypted in transit (TLS 1.3) and at rest (AES-256).
• You can request deletion of all stored images at any time via the API or by contacting us.

5. Data Storage and Security

All data is stored on Bharat-hosted infrastructure in the AWS Mumbai (ap-south-1) region. We implement industry-standard security measures including:

• Encryption in transit (TLS 1.3) and at rest (AES-256).
• Role-based access controls with principle of least privilege.
• Regular security audits and penetration testing.
• Automated anomaly detection on API access patterns.
• SOC 2 Type II compliance (available on Professional and Enterprise plans).

6. Data Sharing

We do not sell your personal data. We may share data only in the following circumstances:

• Service providers: Cloud hosting (AWS), payment processing, and email delivery services that process data on our behalf under strict contractual obligations.
• Legal compliance: When required by Bharatiya law, court order, or government authority.
• Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users.
• With your consent: When you explicitly authorise sharing with a third party.

7. Your Rights Under DPDPA 2023

Under Bharat’s Digital Personal Data Protection Act, 2023, you have the following rights:

• Right to access: Request a summary of the personal data we hold about you.
• Right to correction: Request correction of inaccurate or incomplete personal data.
• Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
• Right to grievance redressal: File a complaint with our Grievance Officer or the Data Protection Board of Bharat.
• Right to nominate: Nominate another individual to exercise your rights in case of death or incapacity.

To exercise any of these rights, contact us at privacy@rupam.ai or see our DPDPA Compliance page for full details.

8. Cookies and Tracking

Our website uses essential cookies required for functionality (session management, authentication). We use privacy-respecting analytics to understand site usage. We do not use third-party advertising cookies or cross-site tracking.

9. Data Retention

We retain your data for the following periods:

• Account data: For the duration of your account plus 90 days after deletion.
• Facial images: Deleted within 24 hours of processing unless you opt in to extended retention.
• Analysis results: Retained for the duration of your subscription. Deleted within 30 days of account closure.
• API logs: Retained for 12 months for billing and compliance purposes.
• Payment records: Retained as required by Bharatiya tax and accounting regulations.

10. Children’s Privacy

Rupam.ai Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@rupam.ai and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice on our website at least 30 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.