yoxa.ai

Privacy Policy

Effective Date: May 1, 2026

This privacy notice for YOXA Technologies Private Limited ("YOXA," "we," "us," or "our") describes how and why we collect, store, use, and process information when enterprise customers use our B2B multi-agent orchestration platform ("Services").

This applies when you visit our website at www.yoxa.ai, deploy and use the YOXA platform via YOXA Cloud (managed SaaS) or YOXA Local (self-hosted), or engage with us in sales, support, or events.

Governing Law: This policy is legally binding and published in compliance with the laws of India, including the Information Technology Act, 2000, the SPDI Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act). YOXA operates strictly on a Business-to-Business (B2B) model.

Summary of Key Points

Q. What personal information do we process? Depending on your deployment method, we process enterprise user names, contact details, uploaded files (e.g., PDFs), and orchestration logs. For YOXA Local deployments, we process zero customer data and only collect system telemetry.

Q. Are we a Data Fiduciary or Data Processor? Under the DPDP Act, the Customer is the Data Fiduciary. YOXA acts strictly as a Data Processor. Customers are responsible for obtaining lawful consent from their end-users before uploading data into YOXA.

Q. Do we use your data to train AI models? No. We maintain an absolute firewall. YOXA does not and will never use Customer Data (including uploaded PDFs, multi-agent prompts, user names, or outputs) to train, fine-tune, or improve our foundational AI/ML models or any third-party models.

Q. How do we keep your information safe? We implement enterprise-grade organizational and technical processes (AES-256 encryption at rest, TLS 1.2+ in transit). However, no electronic transmission is 100% secure.

Q. What are your rights? We assist our Enterprise Customers in fulfilling the rights of their Data Principals (end-users) under the DPDP Act, including rights to access, correction, and erasure.

1.0 Personal and Corporate Information

1.1. Purpose for the Collection of Information We collect information strictly to provide, secure, and administer our B2B Services. This includes executing multi-agent workflows, managing your enterprise account, billing, and ensuring platform stability.

1.2. How Will the Information Be Processed? The nature of processing depends entirely on your deployment architecture: YOXA Cloud securely processes the data you input into our multi-agent swarms (PDFs, prompts, orchestration logs) on isolated servers to execute automated workflows. YOXA Local processing occurs entirely within the Customer's own Virtual Private Cloud (VPC) or infrastructure, and YOXA has zero access to this data.

1.3. Controls for the Protection of Information We implement rigorous technical safeguards compliant with standard industry frameworks (SOC2, GDPR) and India's SPDI Rules. All tenant data in YOXA Cloud is logically isolated.

1.3.1. Do we Collect Information from Minors? We operate strictly B2B and do not knowingly solicit data from anyone under 18. If a Customer uploads data regarding minors, the Customer (as the Data Fiduciary) warrants they have the legal right and consent to do so.

1.4. Usage of Cookies and Tracking Technologies We use cookies on our marketing website and Cloud dashboard for authentication, session management, and security. You can manage cookie preferences via your browser.

1.5. Details of Information Captured About the User: Customer Provided Data (Cloud) includes user names, corporate email addresses, uploaded PDFs, API keys, and multi-agent workflow prompts. Automatically Collected Data includes IP addresses, browser types, API call volumes, error logs, and orchestration latency metrics. Telemetry Data (Local) includes pseudonymized telemetry (e.g., active agent count, CPU loads, license verification pings) for billing and audit purposes. Sensitive Information is not intentionally collected; Customers are prohibited from uploading such data unless executed under a specific, custom Data Processing Agreement (DPA).

2.0 Data Processing Principles and AI Firewall

All data shared by enterprise users shall be processed fairly, lawfully, and securely, strictly for the purpose of executing requested multi-agent orchestrations.

Zero AI Training Guarantee: YOXA strictly prohibits the use of Customer Data for model training. Your proprietary workflows, PDFs, and outputs remain exclusively yours.

Runaway Agent Liability: Customers are fully responsible for the logic and API consumption of their orchestrated agents. YOXA reserves the right to suspend workflows that threaten platform infrastructure via infinite loops or malicious configurations.

3.0 Sharing of Information with Third Parties

We do not sell Customer Data. We may share information only with sub-processors, such as cloud hosting providers (e.g., AWS, Azure), strictly to run YOXA Cloud and bound by identical privacy and security obligations.

We may share information for legal compliance to investigate potentially unlawful activity, prevent fraud, or comply with mandatory lawful requests from Indian law enforcement agencies.

4.0 International Data Transfers

YOXA's primary servers are located in India. However, to utilize certain third-party LLM integrations within your multi-agent swarms, data may be transferred internationally. By configuring agents to use external APIs, the Customer authorizes such transfers. YOXA ensures all international transfers comply with the DPDP Act and relevant standard contractual clauses.

5.0 Data Principal Rights (Under DPDP Act, 2023)

Because YOXA is a Data Processor, we do not respond directly to Data Principal (end-user) requests. If an individual wishes to exercise their rights regarding data processed through YOXA, they must contact the Enterprise Customer (the Data Fiduciary).

YOXA will provide the Customer with the necessary technical tools to fulfill these requests, including the right to access data, the right to correction or erasure of data, and the right to restrict processing.

6.0 Data Retention

YOXA Cloud: Orchestration logs and uploaded PDFs are retained only for the duration specified in the Customer's MSA/DPA, or until manually deleted by the Customer. Upon contract termination, all data is permanently destroyed within 30 days.

YOXA Local: Data retention is entirely controlled by the Customer on their own infrastructure.

7.0 Grievance Redressal and Contact Details

In accordance with the Information Technology Act, 2000, and the DPDP Act, 2023, YOXA has appointed a Data Protection / Grievance Officer to address concerns regarding data privacy and security.

Data Protection & Grievance Officer: Name: [Insert Officer Name] Email: legal@yoxa.ai Address: YOXA Technologies Private Limited, [Insert Full Registered Address], Pune, Maharashtra, India.

We acknowledge all grievances within 24 hours and resolve them within the timelines mandated by Indian law.

8.0 Jurisdiction and Dispute Resolution

This Privacy Policy shall be governed exclusively by the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts situated in Pune, Maharashtra, India.

9.0 Updates to This Notice

We may update this privacy notice periodically to reflect changes in legal or regulatory obligations. The updated version will be indicated by a revised "Effective Date." Material changes will be communicated to Enterprise Customers via the YOXA dashboard or email.