Privacy Policy
Last updated: March 28, 2026 · Effective immediately
1. Who We Are
Autroid Private Limited ("Autroid", "we", "our", "us") is an AI-native Business OS built for companies ready to break operational limits and scale exponentially. Our platform — available at app.autroid.com and the Autroid Android mobile application — gives businesses unified intelligence across operations, customers, finances, HR, inventory, and marketing from a single system.
This Privacy Policy explains how we collect, use, process, and protect information when you use our Service. By accessing or using Autroid, you acknowledge and agree to the practices described here. If you are using Autroid on behalf of an organization, you represent that you have authority to bind that organization to this policy.
2. Information We Collect
2.1 Information You Provide
- Account Information — Your name, email address, phone number, hashed password, designation, and organization name when you register or are invited to join an Autroid organization.
- Business Operational Data — All data you or your team enter into the platform: customer records, vehicle details (registration number, chassis, engine number), job cards, service estimates, invoices, purchase bills, expense records, inventory data, goods receipt notes, and financial transactions.
- HR & Workforce Data — Employee profiles, department assignments, role configurations, attendance records, leave requests, payroll data, salary structures, loan and advance records, training progress, and uploaded HR documents — entered by administrators and managers.
- Revenue Origination Data — Lead records, follow-up notes, remarks, activity log entries, and customer interaction history entered within the origination, job card, and activity panel modules.
- Communications — WhatsApp campaign content, message templates, and broadcast configurations that you create within the platform.
- Subscription & Billing — Subscription plan, billing cycle preferences, and payment details processed through our third-party payment partner.
2.2 Information Collected Automatically
- Usage Data — Pages visited, features accessed, session duration, click events, search queries executed within the platform, timestamps, device type, browser version, operating system, and IP address.
- Session Tokens — Authentication tokens and refresh credentials stored securely in your browser to maintain your logged-in session.
- Performance & Error Logs — Anonymized crash reports and API performance telemetry used to diagnose issues and maintain platform reliability.
2.3 Third-Party Integration Data
When you authorize Autroid to connect to external advertising or messaging platforms, we collect the following on your behalf:
- Google Ads — OAuth 2.0 access and refresh tokens (stored encrypted), your Google Ads account ID, campaign names, ad group names, keyword data, and performance metrics (impressions, clicks, spend, conversions). This data is fetched from Google's API and displayed exclusively in your Autroid marketing dashboard.
- Meta Ads (Facebook / Instagram) — OAuth access tokens (stored encrypted), your Meta Business account ID, ad campaign metadata, ad spend figures, and performance metrics. Fetched via Meta's Marketing API and surfaced in your Autroid analytics dashboard.
- WhatsApp Business API (via MessageBird) — Message delivery status, message template identifiers, and recipient phone numbers for messages you initiate through Autroid's campaign and communications modules.
- Firebase Cloud Messaging — Device push token for delivering real-time notifications to the Autroid Android application.
3. How We Use Your Information
- To provide, operate, and maintain all Autroid operational states (Workshop, Revenue Origination, Financial Lineage, Workforce State, Inventory State, Analytics).
- To authenticate users and enforce your organization's role-based access control (RBAC) policies at the module and action level.
- To process subscription billing, payment transactions, and account lifecycle management.
- To synchronize advertising data from connected platforms (Google Ads, Meta Ads) and present unified ROAS and campaign analytics within your dashboard.
- To send transactional service communications — appointment reminders, invoice notifications, service completion alerts — via WhatsApp Business and push notifications, only for messages explicitly configured by your organization's users.
- To power the Global Search, lead scoring engine, revenue attribution pipeline, and marketing analytics — all strictly within your organization's data boundary.
- To process WhatsApp broadcast campaigns that your team creates and schedules within the platform.
- To detect, investigate, and prevent fraudulent activity, unauthorized access, and security threats.
- To monitor service performance, diagnose technical failures, and continuously improve platform reliability.
- To comply with applicable legal and regulatory obligations, including Indian GST requirements.
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information or business data to any third party for commercial purposes. Data is shared only in the following limited circumstances:
- Within Your Organization — Data is visible only to authorized users within your organization as configured by your administrator via Autroid's permission system. Multi-branch data access is governed by your Group configuration. Each business's data is isolated by a unique businessId — no cross-tenant data access is architecturally possible.
- AWS Infrastructure — Your data is hosted and stored on Amazon Web Services (AWS) servers in the Mumbai, India (ap-south-1) region. AWS is bound by a data processing agreement and does not access your data independently.
- MessageBird — WhatsApp message content and recipient phone numbers are passed to MessageBird solely to deliver messages you explicitly initiate. MessageBird is bound by its Data Processing Agreement and GDPR-compliant policies.
- Firebase (Google) — Device push notification tokens are shared with Firebase to deliver in-app alerts to the Autroid Android application.
- Payment Processor — Subscription payment details are processed by our PCI-DSS compliant payment partner. We do not store or handle full card numbers on our servers.
- Ad Platforms (Google, Meta) — When you connect an ad account, we communicate with Google Ads API and Meta Marketing API exclusively to retrieve your existing campaign data. We do not upload, transmit, or share your customer records, vehicle data, or any other business data to these platforms.
- Legal Obligation — We may disclose information if required by applicable law, court order, government authority, or to protect the rights, safety, or property of Autroid, our users, or the public.
- Business Transfers — In the event of a merger, acquisition, or asset sale, user data may be transferred as part of that transaction. We will provide at least 30 days' advance notice to affected users before any such transfer.
5. Data Security
We implement enterprise-grade security measures appropriate to the sensitivity of the data we process:
- Encryption at Rest — All OAuth tokens (Google Ads, Meta Ads), API keys, and sensitive credentials are encrypted using AES-256 before storage. Secrets are managed via AWS Secrets Manager.
- Encryption in Transit — All data exchanged between your browser/mobile app and Autroid servers is protected by TLS 1.2 or higher. All connections are HTTPS-only.
- Multi-Tenant Isolation — Every API request is scoped by businessId and enforced at the middleware layer. No query can cross organizational boundaries.
- Role-Based Access Control — Granular, module-level permissions are enforced on every API endpoint. Administrators fully control which users can view, create, edit, or delete specific data within their organization.
- Financial Integrity — All financial transactions use MongoDB sessions and idempotency keys to ensure atomic, consistent writes. Stock movements are recorded in an immutable ledger with audit trails.
- Infrastructure Security — Backend hosted on AWS with automated daily backups, VPC network isolation, and IAM-controlled access policies.
No security system is infallible. In the event of a data breach that affects your personal information, we will notify you as required by applicable Indian data protection law and will take prompt steps to contain and remediate the incident.
6. Data Retention
- Active accounts — All data is retained throughout your active subscription period.
- Post-cancellation — After subscription ends, you have 30 days to request a data export. After this window, organizational data may be permanently deleted from our systems.
- Disconnected integrations — OAuth tokens for Google Ads and Meta Ads are deleted immediately upon disconnection through the Autroid integrations panel.
- Financial records — Invoices, purchase bills, and financial statements may be retained for up to 7 years to comply with Indian GST regulations and the Companies Act, 2013.
- Security logs — Authentication and security event logs are retained for a minimum of 12 months for fraud detection and incident investigation.
7. Your Rights
Subject to applicable laws (including India's Digital Personal Data Protection Act), you may have the following rights:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request correction of inaccurate or incomplete personal data.
- Erasure — Request deletion of your personal data, subject to legal retention requirements.
- Portability — Request your business data in a structured, machine-readable format (CSV/JSON). Autroid provides data export functionality within the platform.
- Objection — Object to specific types of data processing where we rely on legitimate interest as a legal basis.
- Withdraw Consent — Disconnect any third-party integration at any time through Autroid Settings, which immediately revokes our OAuth access to that platform.
To exercise these rights, email privacy@autroid.ai. We will respond within 30 days of receiving a verified request.
8. Cookies
Autroid uses only essential first-party cookies required for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. You can manage cookie preferences in your browser settings; however, disabling essential session cookies will prevent you from logging in to the platform.
9. Children's Privacy
Autroid is a B2B SaaS platform intended for use by businesses and professionals. We do not knowingly collect personal information from individuals under 18 years of age. If you believe a minor has provided personal data through our platform, please contact us at privacy@autroid.ai and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our data practices, platform features, or regulatory requirements. For material changes, we will notify organization administrators by email and/or in-app notification at least 30 days before the update takes effect. The "Last Updated" date at the top of this page always reflects the most recent revision. Continued use of Autroid after the effective date constitutes acceptance of the updated policy.
11. Contact Us
For questions, concerns, or requests related to this Privacy Policy, please contact us:
- 📧 Privacy enquiries: privacy@autroid.ai
- 📧 Support: support@autroid.ai
- 🌐 Platform: app.autroid.com
- 📍 Address: Autroid Private Limited, Gurugram, Haryana — 122001, India