EFFECTIVE DATE: NOVEMBER 11, 2025

Privacy policy

This Privacy Policy explains how Natiec Technology LLP (“Natiec,” “we,” “our,” or “us”), the company behind Rayrift AI, collects, uses, processes, stores, and protects information through the Rayrift AI platform and related services (“Services”). It applies to our B2B customers (“Customers”), who manage and deploy Rayrift AI on their own websites or applications. End users only see a simplified “Accept Terms” notice within the chatbot widget.

By accessing or using our Services, Customers agree to the practices described herein.

1. Information we collect from B2B customers

We collect information that Customers voluntarily provide to create and manage accounts:

  • Identity & contact: Name, email address, phone number (if provided), company name

  • Billing: Payment details, subscription information, transaction history

  • Account Activity: Setup information, dashboard configurations, API usage

  • Communications: Support tickets, emails, and correspondence with our team

Purpose: We use this information to operate the Platform, maintain accounts, process billing, provide support, improve services, and fulfill legal obligations.

Legal Basis: Contract performance, legitimate business interests, legal compliance, and consent where applicable.

2. Information we collect from end users

End users are individuals who interact with Customer-deployed AI chatbots. We collect minimal data necessary for service delivery:

  • Technical Data: IP address, browser type, device information, session timestamps

  • Interaction Data: Chat messages, conversation timestamps, session identifiers

  • Voluntary Information: Contact details submitted through optional contact forms within the widget

Purpose: Service delivery, session management, performance optimization, abuse prevention, aggregated analytics (non-individual), quality assurance, debugging, and legal compliance.

Legal Basis: Legitimate interests in providing secure and reliable services, contract performance, legal obligations, and consent obtained through the widget acceptance mechanism.

We do not collect login credentials, account details, government IDs, financial information, or create persistent user profiles.

3. Analytics and aggregated data

We use analytics systems to monitor platform performance, usage trends, and service reliability—not individual user behavior.

  • Analytics focus on aggregated metrics: performance, load patterns, error rates, conversation trends

  • Personal identifiers are anonymized or pseudonymized where feasible

  • IP addresses are truncated or hashed

  • Aggregated data may be retained indefinitely; identifiable analytics data follows retention periods in Section 8

4. Third-party service providers

We engage trusted third-party providers for essential operations:

  • Categories: Cloud hosting, AI/ML processing, payment processing, email delivery, analytics, monitoring, customer support infrastructure

  • Data Sharing Principles: We share only necessary data, require contractual data protection obligations, ensure security compliance, limit use to specific services, and oversee sub-processors

  • No Unauthorized Sharing: We do not share data with unauthorized third parties

We may disclose data to governmental authorities when required by law, legal process, or to protect rights and safety.

5. No selling of personal data

We do not and will never sell, trade, rent, or transfer Customer or End User data to any third party for marketing, advertising, or any other commercial purpose.

6. Cookies and tracking technologies

For end users:

  • We minimize cookie use. Analytics is primarily session-based, anonymous, and script-based

  • No persistent tracking across sites or long-term user profiling

For B2B customers:

  • Essential cookies: Authentication, security, session management

  • Analytics cookies: Dashboard usage analysis to improve user experience

  • Functional cookies: Preference storage and interface enhancement

Customers may see cookie consent notices if required by applicable regional laws (e.g., GDPR). You can manage cookie preferences through browser settings, though disabling essential cookies may affect Platform functionality.

7. Data storage and transfers

  • Primary location: All Customer and End User data is stored in the United States using secure, certified cloud infrastructure providers

  • Security measures: Industry-standard encryption (in transit and at rest), access controls, regular security audits, intrusion detection

  • International transfers: For Customers and End Users in the EEA, UK, Switzerland, or other jurisdictions with data localization requirements, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms

  • Change notification: Material changes to storage locations will be communicated to Customers via email or dashboard notification

8. Data retention periods

Chat Conversations:

  • Retained for six (6) months from the date of the conversation

  • After six months, data is marked for deletion and automatically purged from active systems

  • Deletion is handled through automated processes; manual access is restricted to compliance or security investigations

Customer Account Data:

  • Retained for the duration of the business relationship and as long as necessary for legitimate business purposes

  • Following account termination, data is retained for up to twelve (12) months for legal, accounting, and dispute resolution purposes, then deleted

Anonymized/Aggregated Data:

  • May be retained indefinitely, as it cannot be used to identify individuals

Legal Holds:

  • Data subject to legal holds, litigation, investigations, or regulatory requirements will be retained until the matter is resolved

9. End user rights and data subject requests

We recognize that End Users may have rights under GDPR, CCPA, DPDP, and other privacy laws, including:

  • Right to access Personal Data

  • Right to correct inaccurate data

  • Right to delete data (right to erasure/"right to be forgotten")

  • Right to restrict processing

  • Right to data portability

  • Right to object to processing

  • Right to withdraw consent

  • Right to non-discrimination

Request Process:

  1. End User submits a request to the Customer (Data Controller)

  2. Customer validates the request and verifies the End User identity

  3. Customer submits the validated request through the Natiec dashboard

  4. Natiec processes the request within applicable timeframes (typically 30 days, or as required by law)

Important: We do not accept direct data requests from End Users. All requests must be channeled through the Customer for verification and authorization purposes.

10. Protection of minors

We do not knowingly collect or process Personal Data from individuals under the age of 13 (or 16 in certain jurisdictions, such as the EEA). Our Services, marketing, and Platform are directed at adults and business entities.

If we become aware that we have inadvertently collected data from a minor without appropriate parental consent, we will take immediate steps to delete such information. Parents or guardians who believe their child's information has been collected should contact us immediately at contact+dpo@natiec.com.

11. Security measures

We implement comprehensive technical and organizational security measures designed to protect data against unauthorized access, alteration, disclosure, or destruction:

Technical Safeguards:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)

  • Multi-factor authentication for administrative access

  • Automated security monitoring and intrusion detection

  • Regular vulnerability assessments and penetration testing

  • Secure software development lifecycle practices

Organizational Safeguards:

  • Role-based access controls with the principle of least privilege

  • Restricted manual access to Personal Data; most operations are automated

  • Confidentiality agreements for all personnel with data access

  • Regular security training and awareness programs

  • Incident response and disaster recovery plans

Limitations: No security system is completely impenetrable. While we implement industry-standard protections, we cannot guarantee absolute security. Customers are responsible for securing their own credentials and systems.

12. Data breach notification

In the event of a confirmed data breach that affects Customer or End User Personal Data, we will:

  • Notification Timing: Notify affected Customers within seventy-two (72) hours of confirming the breach

  • Notification Method: Dashboard notification, email, or other effective means based on circumstances

  • Information Provided: Nature of the breach, categories of data affected, approximate number of individuals impacted, measures taken to contain and remediate, recommendations for affected parties, contact information for inquiries

Customers are responsible for onward notification to End Users where required by applicable law.

13. International privacy frameworks

Although our data is stored in the United States, we respect international privacy rights and comply with applicable frameworks:

GDPR (European Economic Area, UK, Switzerland)

For End Users in GDPR jurisdictions:

  • Rights to access, rectification, erasure, restriction, portability, objection

  • Right to lodge complaints with supervisory authorities

  • Legal bases: Legitimate interests, contract performance, legal obligations, consent

  • Natiec Technology LLP acts as the Data Processor for Rayrift AI Services

  • Data Processing Addendum (DPA) available upon request

CCPA/CPRA (California, USA)

For California residents:

  • Right to know what Personal Information is collected, used, and shared

  • Right to deletion of Personal Information

  • Right to opt-out of "sale" or "sharing" (we do not sell data)

  • Right to correct inaccurate information

  • Right to limit use of sensitive personal information

  • Right to non-discrimination for exercising rights

DPDP Act (India)

For Indian data principals:

  • Right to access and correction

  • Right to erasure and data portability

  • Right to nominate representatives

  • Transparency in data processing

  • Consent and purpose limitation principles

Other jurisdictions:
We monitor evolving privacy laws globally (including Brazil's LGPD, Canada's PIPEDA, and Australia's Privacy Act) and adapt practices accordingly.

14. Global compliance banner

End Users see a simplified "Accept Terms" notice within the chatbot widget. Our backend compliance framework addresses:

  • United States privacy standards

  • California CCPA/CPRA requirements

  • European GDPR principles

  • India's DPDP Act

  • Other applicable regional laws

Additional disclosures or consent mechanisms depend on Customer configuration and deployment location.

15. Customer responsibilities and obligations

As Data Controllers for End User data, Customers must:

  • Legal Compliance: Ensure compliance with all applicable privacy laws in their jurisdiction

  • Notice and Transparency: Provide clear privacy notices on websites/applications where the chatbot is deployed

  • Consent Management: Obtain necessary consents and maintain appropriate legal bases for processing

  • End User Requests: Handle End User rights requests, verify identities, and submit validated requests to Natiec

  • Age Verification: Implement measures to prevent minors from using the chatbot where prohibited

  • Data Accuracy: Provide accurate information and promptly update account details

  • Security: Secure their own systems, credentials, and integration endpoints

Disclaimer: Natiec does not provide legal advice. Customers should consult qualified legal counsel regarding their specific compliance obligations.

16. Your rights and choices

Customers may exercise the following rights regarding their account data:

  • Access and obtain copies of your data

  • Correct inaccuracies

  • Request deletion (subject to legal retention requirements)

  • Object to processing based on legitimate interests

  • Withdraw consent where processing is based on consent

  • Export data in portable formats

To exercise rights, contact us at contact+dpo@natiec.com or use the account management features in the dashboard.

17. Contact information and data protection officer

For privacy-related inquiries, data subject requests, compliance questions, or security concerns:

Email: contact+dpo@natiec.com
Designation: Data Protection Officer – Rayrift AI (operated by Natiec Technology LLP)
Response Time: We aim to respond within 5-7 business days

For urgent security matters, please mark your communication as "URGENT - SECURITY" in the subject line.

18. Changes to this privacy policy

We reserve the right to modify this Privacy Policy at any time to reflect changes in our practices, legal requirements, or Services.

Notification of Material Changes:

  • Email notification to registered Customer contacts

  • Prominent dashboard notification

  • Updated "Last Updated" date at the top of this Policy

Effective Date: Changes become effective upon posting unless otherwise specified. Material changes that reduce Customer rights will not apply retroactively without consent.

Your Acceptance: Continued use of the Services after changes become effective constitutes acceptance of the updated Policy. If you do not agree with changes, you must discontinue use and may terminate your account.

19. Governing law and dispute resolution

This Privacy Policy shall be governed by and construed in accordance with the laws of India, without regard to conflict of law principles.

Any disputes arising from or relating to this Policy shall be subject to the exclusive jurisdiction of the courts located in Telangana, India.

For international Customers, we will make reasonable efforts to resolve disputes amicably and in accordance with applicable local laws where required.