Privacy Policy
How Vyana collects, uses, and protects personal data.
Last updated: 26 May 2026
[Company Legal Name] (“Vyana”, “we”, “us”) operates the Vyana broker — an Agent Signup Protocol (ASP) identity provider that lets your AI agents sign up for and pay for third-party services within consent limits you set. This policy explains what personal data we process and the rights you have over it. It is written to align with India’s Digital Personal Data Protection Act, 2023 (DPDP) and comparable principles in other jurisdictions.
1. Data we collect
- Account data — email address and, optionally, phone number.
- Identity / KYC data — your verification level and authority (e.g. Aadhaar, passport), verification and expiry dates, and GST number / state where provided. Identity documents are handled by regulated KYC providers; we retain the verification outcome, not raw documents, except where law requires.
- Device & agent data — the public key and fingerprint of each paired device, and agent-session metadata (platform, version, timestamps). Your device private keys never leave your device and are never sent to us.
- Consent mandates — the signed User Consent Mandates (caps, allowed services and categories) that authorize your agents.
- Transaction & billing data — services provisioned, plans, amounts (in INR), payment/order references, receipts, invoices, and subscription status. Card / UPI details are processed by our payment processor and are not stored by us.
- Audit data — a hash-chained, cryptographically signed provenance record of each verification and action, kept for security and dispute resolution.
- Cookies — a single strictly-necessary session cookie. See the Cookie Policy.
2. How we use data
- To provide the service: provision accounts, process payments, and enforce your consent limits.
- To meet legal and regulatory obligations: KYC, tax (GST), and financial record-keeping.
- To secure the service: fraud prevention, abuse detection, and integrity of the audit chain.
- To communicate with you about your account, receipts, and material changes.
3. Legal basis
We process personal data on the basis of your consent (which you may withdraw at any time), to perform our contract with you, to comply with law, and for limited legitimate uses such as security and fraud prevention as permitted by applicable law.
4. Sharing
We share data only as needed to run the service:
- Merchants / service providers you ask an agent to sign up for or pay — limited to what the signup or payment requires.
- Payment processor ([e.g. Razorpay]) to execute payments and mandates.
- KYC and infrastructure providers acting as our processors under contract.
- Authorities where required by law, or to establish, exercise, or defend legal claims.
We do not sell personal data and we do not use it for third-party advertising.
5. Retention
We keep account data while your account is active. Transaction, tax, and audit records are retained for the periods required by applicable financial and data-protection law, after which they are deleted or anonymised.
6. Security
Authorizations are signed with Ed25519 keys held on your device; sensitive credentials are encrypted at rest (AES-256-GCM); every action is recorded in a tamper-evident, signed provenance chain; and the session cookie is httpOnly. No system is perfectly secure, but we apply controls appropriate to the sensitivity of the data.
7. Your rights
Subject to applicable law, you may request access to, correction of, or erasure of your personal data; withdraw consent; and (under DPDP) nominate another person to exercise your rights in the event of death or incapacity. You also have the right to grievance redressal.
8. Grievance / data-protection contact
Grievance Officer: [Name], [grievance@yourdomain]. Postal: [registered address]. We aim to acknowledge requests promptly and respond within the time required by law.
9. Children
The service is intended for users who can enter a binding contract and is not directed to children. We do not knowingly process children’s data without verifiable parental consent where required.
10. Changes
We may update this policy. We will post the new version here, update the “last updated” date, and notify you of material changes where required.
See also: Terms & Conditions · Cookie Policy.