Introduction
Droog Technologies Private Limited (“we”, “our”, “us”) operates AI-based solutions, including a chatbot (“Service”), that interact with users (“you”, “your”). We are committed to protecting your privacy and personal data, in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the rules and regulations framed thereunder, including the Draft DPDP Rules, 2025 (“DPDP Rules”) (to the extent applicable).
This Privacy Policy describes how we collect, use, store, disclose, transfer, and delete digital personal data in the course of providing the Service, and your rights in relation to your personal data as a “Data Principal” under the DPDP framework. By using our Service, you agree to the collection and use of your digital personal data as described in this policy.
Key Concepts & Legal Basis
- Data Principal: An individual whose personal data is processed by us (i.e. you).
- Data Fiduciary: We are a Data Fiduciary when we determine the means and purpose of processing your digital personal data under the DPDP Act.
- Processing: Any operation performed on digital personal data (collection, storage, usage, transfer, disclosure, deletion, etc.).
- Consent: We will, where required, obtain your free, explicit, specific, and informed consent before processing your personal data, unless an exemption under the DPDP Act applies.
- Notice: Before or at the time of collection of your personal data, we will provide you with a clear, understandable notice containing specified information (e.g. purpose, categories of data, third-party sharing, retention, grievance redressal).
- Purpose Limitation & Data Minimisation: We collect and process only personal data that is adequate, relevant, and limited to what is necessary for the specified purpose. We will not use your personal data for purposes incompatible with those originally informed to you.
- Retention & Erasure: We will retain your personal data only as long as necessary to fulfill the purposes or as required by law. After that, we will securely erase or anonymize it. The Draft DPDP Rules propose specific time limits (e.g. 48 hours’ notice, deletion after no further activity) in some cases.
- Security Safeguards: We will adopt reasonable technical, organizational, and administrative safeguards (e.g., encryption, access control, audit logs) to protect personal data from unauthorized access, alteration, disclosure, or destruction.
- Cross-border Transfers: Transfer of personal data outside India is permitted only in compliance with Section 16 of the DPDP Act and corresponding rules. The Central Government may restrict transfers to certain jurisdictions.
- Data Protection Board & Enforcement: The DPDP Act provides for a Data Protection Board of India, which may adjudicate complaints and impose penalties.
What Personal Data We Collect & Why
We may collect the following categories of personal data, depending on how you use our Service:
| Category | Example Data | Purpose |
|---|---|---|
| Identity / Profile Data | Name, username, user ID, email address, phone number | To create your account, identify you, communicate with you |
| Conversation / Chat Data | Messages you send, inputs to chatbot, context | To provide and improve the chatbot responses, personalize experience |
| Device & Technical Data | IP address, device type, operating system, browser, logs, usage metrics | For system operation, analytics, debugging, security |
| Consent & Preference Data | Your consent records, communication preferences | To record and honor your consent, manage preferences |
| Support & Feedback Data | Support requests, feedback, customer service interactions | To handle your queries, improve service quality |
We will only ask for or retain data required for the specific functionality you use, and we will not collect or retain extraneous data beyond what is necessary.
Special Note: We do not generally collect “sensitive personal data” under DPDP (since DPDP does not currently distinguish a separate “sensitive data” class), but if we do process data of children (minors) or data that involves profiling, behavioral monitoring, or targeted advertising, additional safeguards will apply as per rules.
How We Use Your Data
We use your personal data for the following lawful purposes:
- Provision of Service
  - To respond to your messages / queries.
  - To maintain conversation context, adapt responses.
  - To deliver features (e.g. memory of past chats, personalization).
- Improvement & Analytics
  - To analyze usage patterns, improve performance, train/optimize our AI models.
  - To detect and prevent misuse, fraud, security incidents.
- Communication & Notifications
  - To send you service alerts, updates, changes to this Policy, or announcements.
  - To respond to your support requests.
- Consent & Preferences Management
  - To record and manage your consents, preferences, and rights exercise.
- Legal Compliance & Safety
  - To comply with lawful requests (e.g. law enforcement).
  - To enforce our terms of service or applicable policy obligations.
We will not use your personal data for any purpose incompatible with the original notice unless we obtain your fresh consent (unless permitted by law).
Sharing & Disclosure of Data
We may share your personal data under the following circumstances:
- Service Providers / Sub-processors: With trusted third-party providers who help us operate the Service (hosting, analytics, security, customer support). We bind them to appropriate confidentiality and data protection obligations.
- Affiliates / Partners: With affiliated entities or partners only for purposes you have consented to or as required by law.
- Legal / Compliance Disclosures: To comply with legal obligations, judicial orders, or in response to lawful requests by authorities.
- Business Transfers: In connection with mergers, acquisitions, or asset transfers, subject to appropriate safeguards.
- Aggregated / Anonymized Data: We may share aggregated, de-identified, or anonymized data that does not identify individuals.
Under no circumstances will we sell or rent your personal data to third parties.
Cross-Border Data Transfers
If we transfer your personal data outside India, we will do so only in compliance with applicable DPDP Act provisions (e.g. Section 16) and rules. We will ensure:
- Transfers are to jurisdictions permitted by the government, or
- Appropriate safeguards (contractual, encryption, etc.) are in place, or
- Explicit consent has been obtained, as required.
You will be informed at the time of consent about such transfers and the jurisdiction(s) involved.
Data Retention & Deletion
We retain personal data only as long as necessary to fulfill the purpose(s) for which it was collected or to meet legal or audit requirements. When the data is no longer needed:
- We securely erase, purge, or anonymize it so it cannot be re-associated with you.
- Where the Draft DPDP Rules specify timelines (e.g. deletion after 48 hours, or 3 years for certain intermediaries) or notices, we will comply as applicable.
- If you request deletion, and provided no legal retention obligation exists, we will act within a “reasonable time” (or as mandated) to erase your data.
Your Rights
Under the DPDP Act and DPDP Rules (draft), you have the following rights:
- Right to Access: You can request access to the personal data we hold about you.
- Right to Correction / Update: You can request correction or updating of inaccuracies in your personal data.
- Right to Erasure (Right to be Forgotten): You may request deletion of your personal data when processing is no longer justified.
- Right to Withdraw Consent: You may withdraw your consent at any time for future processing.
- Right to Object: You may object to certain processing (if applicable) under specific conditions.
- Right to Data Portability: You may request portability of your data to another entity (to the extent applicable).
- Right to Grievance / Redressal: You may lodge a complaint with us, and if unsatisfied, with the Data Protection Board of India.
- Right to Nominate: Under DPDP, you can nominate a person to exercise your rights in case of death or incapacity.
You can exercise these rights via [designated contact process — e.g. email, portal, support interface]. We will respond within the timelines required by law or rules. We will not charge for exercising your rights unless your request is manifestly unfounded or excessive.
Consent & Withdrawal
- When you interact with the Service, we may request your explicit consent for processing your data (for specific optional features). You may decline or withdraw consent at any time, without affecting your use of essential functionality of the Service.
- Upon withdrawal, we will cease the relevant processing and, unless otherwise required, delete related data (unless we have a lawful basis to continue).
Data Security
We implement reasonable technical and organizational measures to protect your personal data, including (but not limited to):
- Encryption of data in transit and at rest
- Role-based access control and least privilege
- Secure authentication and identity management
- Audit logs, monitoring, and intrusion detection
- Periodic security reviews, assessments, and penetration testing
- Incident response protocols
In the event of a data breach, we will notify the affected Data Principals and the Data Protection Board (where required) in accordance with applicable laws and rules (e.g. within 72 hours of discovery, or as extended) and take remedial actions.
Children / Minors
Our Service is not intended for individuals under the age of 18 (or applicable age threshold). We do not knowingly collect or solicit personal data from minors. If we become aware that we have collected personal data of a minor, we will promptly delete it, unless retention is required by law.
If any part of our Service is designed for minors, we will implement additional safeguards, parental consent, and restrictions on profiling / targeted advertising, as required under DPDP and rules.
Changes to This Policy
We may update this Privacy Policy from time to time (e.g. when DPDP Rules or related regulations come into force or change). When we do, we will indicate the “Last revised” date and, where significant, notify you via email or Service notice.
Your continued use of the Service after the change becomes effective constitutes your acceptance of the revised policy.
Contact & Grievance Redressal
If you have any questions, concerns, or requests regarding your personal data or this Privacy Policy, or wish to lodge a grievance, you may contact us at:
- Data Protection Officer / Privacy Contact
- Mabin Varghese, Data Protection Officer
- contact@droog.io
- Address: S8, Sarayu Complex, Kakkanad, Ernakulam – 682030
We will respond to your query, request, or grievance within the timelines mandated by DPDP Act / Rules. If you remain dissatisfied, you may approach the Data Protection Board of India for further redressal under the DPDP Act.
Miscellaneous & Disclaimers
This Privacy Policy is subject to the DPDP Act, the Draft DPDP Rules, and any future amendments / rules / notifications. If any provision of this Policy is found invalid or unenforceable under applicable law, it shall be severed, and the remaining provisions shall continue in full force. Our obligations as Data Fiduciary are subject to lawful orders, regulation, and rights of governmental or judicial authorities. In the event of conflict between this Policy and any mandatory legal requirement, the latter shall prevail.