Privacy Policy
Effective Date: May 15, 2025 | Data Fiduciary: GhOst AI Technologies | Jurisdiction: Bangalore, Karnataka, India
⚠ Legal Disclaimer — Authorized B2B Use Only
GhOst AI (ghostai.one) is a business-to-business (B2B) security testing and quality assurance software tool. It is designed and licensed exclusively for:
- Organizations that own, operate, or are contracted to audit online proctoring and assessment platforms
- Authorized security researchers and penetration testers holding written authorization from the platform owner
- QA professionals engaged under a professional services agreement
- Academic institutions conducting approved security research
This tool is NOT intended for and must NOT be used by:
- Individual students during college, university, or school examinations
- Job seekers or candidates during recruitment tests, placement drives, or technical interviews
- Any person seeking unauthorized assistance during a live proctored assessment
References to "interview assistance" or "undetectable overlay" in marketing materials are directed exclusively at platform vendors for security demonstration and QA audit purposes. These features are tools for identifying vulnerabilities in proctoring systems — not for facilitating cheating in real examinations.
Governing Law: India | Jurisdiction: Bangalore, Karnataka.
1. Introduction & Scope
GhOst AI Technologies ("Company," "we," "us," "our") is committed to protecting the privacy of its B2B Clients and their authorized representatives. This Privacy Policy describes how we collect, use, store, share, and protect personal data in connection with the GhOst AI platform (ghostai.one).
This Policy applies to personal data of:
- Authorized representatives and employees of Client organizations who register for or use the Service
- Visitors to the ghostai.one website
- Prospective Clients who submit inquiries or sign up for demos
2. Data Fiduciary Information
Entity: GhOst AI Technologies
Address: Bangalore, Karnataka – 560001, India
Email: privacy@ghostai.one
Grievance Officer: Deva — admin@ghostai.one
3. Personal Data We Collect
3.1 Account & Registration Data
When Client representatives register for the Service, we collect:
- Full name and professional email address
- Organization name, designation, and contact number
- Account credentials (passwords stored in hashed form — never in plaintext)
- Authorization documents submitted per Terms of Service Section 3.3
3.2 Billing & Transaction Data
- Billing contact details and GST/PAN (if applicable for invoicing)
- Transaction IDs and subscription history
- Payment instrument type (we do not store full card numbers — payments are processed via PCI-DSS compliant third parties)
3.3 Usage & Technical Data
- IP address, device type, operating system, browser type
- Session logs, feature usage patterns, and error reports
- Installation telemetry: OS version, system architecture, installation status (non-identifying)
- API call logs for security and audit purposes
3.4 Communication Data
- Emails, support tickets, and chat messages between the Client and the Company
- Demo request and sales inquiry details
3.5 Data We Do NOT Collect
- Screen recordings, keystrokes, or microphone audio (unless explicitly triggered by the Client for authorized testing features)
- Personal data of examination candidates assessed via Client platforms
- Biometric data of any kind
- Data from minors (persons under 18)
4. Lawful Basis for Processing (DPDP Act 2023)
We process personal data only on one or more of the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Account creation and service delivery | Consent + Contractual necessity |
| Billing and payment processing | Contractual necessity |
| Security logging and fraud prevention | Legitimate interest |
| Customer support communications | Contractual necessity + Consent |
| Product improvement (aggregated analytics) | Legitimate interest |
| Legal compliance (court orders, CERT-In) | Legal obligation |
| Marketing emails (opt-in only) | Explicit consent |
5. How We Use Personal Data
- To create, manage, and maintain Client accounts and access credentials
- To process subscriptions, invoices, and payments
- To provide technical support and respond to Client inquiries
- To verify Client authorization before enabling security testing features
- To detect, prevent, and respond to unauthorized use, fraud, or security incidents
- To send service notifications, renewal reminders, and security alerts
- To improve the Service through anonymized, aggregated analytics
- To comply with applicable law and respond to lawful orders from Indian authorities
6. Data Sharing & Disclosure
We do not sell, rent, or trade personal data. We may share data only as follows:
6.1 Service Providers (Data Processors)
We engage trusted third-party processors bound by data processing agreements:
- Cloud Infrastructure: Servers and database hosting (India-primary)
- Payment Processors: PCI-DSS certified payment gateways for Indian payment methods
- AI Inference Providers: For processing authorized security testing outputs (subject to cross-border safeguards per Section 8)
- Email & Communication: Transactional email delivery services
- Analytics: Privacy-first, aggregated analytics platforms
6.2 Legal Requirements
We may disclose personal data to law enforcement, CERT-In, or judicial authorities when required by a lawful order, warrant, or court direction under applicable Indian law.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity subject to equivalent privacy protections and prior notice to affected Data Principals.
6.4 Aggregated / Anonymized Data
We may share de-identified, aggregated statistics (e.g., usage trends) that cannot reasonably identify any individual or organization.
7. Your Rights as Data Principal (DPDP Act 2023)
Client representatives (as Data Principals under the DPDP Act, 2023) have the following rights:
Right to Access (Section 11)
Request confirmation of and access to personal data processed by the Company.
Right to Correction (Section 12)
Request correction of inaccurate, incomplete, or outdated personal data.
Right to Erasure (Section 12)
Request deletion of personal data that is no longer necessary for the stated purpose, subject to legal retention requirements.
Right to Grievance Redressal (Section 13)
Lodge a complaint with the Company's Grievance Officer; escalate to the Data Protection Board of India if unsatisfied.
Right to Nominate (Section 14)
Nominate another person to exercise data rights on your behalf in case of death or incapacity.
Right to Withdraw Consent
Withdraw previously given consent at any time, without affecting prior processing. Withdrawal may affect your ability to use certain features.
To exercise any of the above rights, contact privacy@ghostai.one. We will respond within 15 days. If dissatisfied, you may approach the Data Protection Board of India upon its establishment under the DPDP Act, 2023.
8. Data Storage, Retention & Localisation
8.1 Primary Storage
Personal data of Indian Clients is stored primarily on servers located within India, in compliance with applicable data localisation norms.
8.2 Cross-Border Transfers
Where personal data is transferred to or processed by sub-processors outside India (e.g., AI model inference), the Company ensures:
- Standard contractual clauses or equivalent safeguards are in place with the sub-processor
- The sub-processor's country provides an adequate level of data protection
- Clients are informed of cross-border processing upon request
- Transfers comply with DPDP Act 2023 provisions as notified by the Central Government
8.3 Retention Periods
| Data Type | Retention Period |
|---|---|
| Account data | Duration of subscription + 3 years |
| Billing records | 7 years (as per Indian tax law) |
| Security & access logs | 180 days (IT Rules 2021 requirement) |
| Support communications | 2 years from resolution |
| Authorization documents | Duration of engagement + 5 years |
9. Data Security
We implement industry-standard technical and organizational measures to protect personal data:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Role-based access controls with least-privilege principles
- Multi-factor authentication for administrative access
- Regular security audits and penetration testing of our own infrastructure
- Incident response procedures aligned with CERT-In guidelines
No method of electronic transmission is 100% secure. In the event of a data breach affecting personal data, we will notify affected Data Principals and the Data Protection Board of India within 72 hours as required by the DPDP Act, 2023.
10. Cookies & Tracking
The ghostai.one website uses minimal cookies:
- Essential Cookies: Required for authentication and session management — cannot be disabled
- Analytics Cookies: Aggregated, anonymised usage analytics — optional, opt-out available
- No Third-Party Advertising Cookies: We do not use advertising networks or behavioural tracking
You may manage cookie preferences through your browser settings. Disabling essential cookies may impair Service functionality.
11. Children's Data
The Service is strictly B2B and intended exclusively for authorized professionals within Client organizations. We do not knowingly collect any personal data from persons under the age of 18. If we become aware that a minor has registered, we will immediately delete their account and associated data. In line with the DPDP Act, 2023, we do not process children's data and have no legitimate use case requiring it.
12. Grievance Mechanism
Name: Deva
Email: admin@ghostai.one
Address: GhOst AI Technologies, Bangalore, Karnataka – 560001, India
Acknowledgment: Within 24 hours of receipt
Resolution: Within 15 days of receipt
If the Grievance Officer does not resolve your complaint satisfactorily, you may escalate to the Data Protection Board of India once operationalized under the DPDP Act, 2023.
13. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or our Service. Material updates will be communicated via email to Client representatives at least 14 days before the effective date. The "Effective Date" at the top of this Policy will be updated accordingly. Continued use of the Service after the effective date constitutes acceptance.
14. Governing Law
This Privacy Policy is governed by the laws of India, including the Information Technology Act, 2000, IT (Intermediary Guidelines) Rules, 2021, and the Digital Personal Data Protection Act, 2023. Disputes arising from this Policy shall be subject to the exclusive jurisdiction of courts in Bangalore, Karnataka, India, subject to the arbitration clause in the Terms & Conditions.
15. Contact Us
Privacy Queries: privacy@ghostai.one
Grievance Officer: admin@ghostai.one
General: contact@ghostai.one
Website: ghostai.one