Privacy Policy

Last updated: June 12, 2026

Responsible AI Labs Pvt. Ltd. ("RAIL", "we", "us", or "our") operates an AI evaluation and governance platform. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our website, dashboard, API, SDKs, MCP server, and related services (the "Services").

We act as a Data Fiduciary under India's Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Digital Personal Data Protection Rules, 2025 (the "DPDP Rules"), and as a data controller under the EU and UK General Data Protection Regulation (GDPR) for personal data we process about our own users. When customers submit content to our API for evaluation, we act as a Data Processor (DPDP Act) and data processor (GDPR) on the customer's behalf.

1. Who We Are (Data Fiduciary / Controller Identity)

  • Legal entity: Responsible AI Labs Pvt. Ltd.
  • Corporate Identity Number (CIN): U62099MP2025PTC077495
  • Registered office: 672, Ruchi Lifescapes, 2nd Floor, Jatkhedi, Bhopal, Madhya Pradesh, India - 462023
  • Privacy contact: hello@responsibleailabs.ai
  • Grievance Officer (DPDP Act s.13 and DPDP Rule 14(3)): Sumit Verma, Co-Founder & Chief Technology Officer; email sumit@responsibleailabs.ai; mobile +91 7860263773; address: 672, Ruchi Lifescapes, 2nd Floor, Jatkhedi, Bhopal, Madhya Pradesh, India - 462023.
  • Data Protection Officer: RAIL is not currently designated as a Significant Data Fiduciary; direct data-protection queries to the Grievance Officer above.
  • EU/UK GDPR Article 27 representative: Not currently appointed; under review.

2. Information We Collect

2.1 Information You Provide

  • Account information: name, email address, password (stored hashed), and organization details.
  • Billing information: payment details processed by our payment processors (Razorpay for INR, PayPal for USD); billing address. We do not store full card numbers on our systems.
  • Communications: information you provide when you contact us, request support, or take part in research or surveys.

2.2 Information We Collect Automatically

  • Usage data: API calls, endpoints accessed, request and response metadata, timestamps, and feature usage.
  • Technical data: IP address, browser type, device information, operating system, and referring URLs.
  • Performance metrics: API latency, error rates, and service-health indicators.
  • Cookies and similar technologies: see our Cookie Policy. Non-essential cookies are set only with your consent.

2.3 Content Submitted for Evaluation (API Input and Output)

When you use the Services, we process the content you or your end users submit for evaluation, the resulting scores across our eight Responsible AI dimensions (Fairness, Safety, Reliability, Transparency, Privacy, Accountability, Inclusivity, and User Impact), compliance-check results, and associated request metadata. Submitted content may contain personal data if you choose to include it. Identical evaluation requests may return a cached result to improve performance and reduce cost.

You control what you send. Our SDKs provide optional client-side PII scanning, including detection and masking of Indian identifier types (Aadhaar, PAN, mobile number, UPI ID, passport, voter ID, driving licence, IFSC, bank account, and GSTIN) and child-signal detection, so that you can mask or block sensitive data before it leaves your environment.

2.4 Children's Data

The Services are intended for business users and are not directed to children. Under the DPDP Act, a "child" is any individual under 18 years of age. We do not knowingly process the personal data of children, and we do not knowingly carry out tracking, behavioral monitoring, or targeted advertising directed at children. If you use the Services in a context where children's personal data may be processed, you are responsible for obtaining verifiable parental or lawful-guardian consent as required by Section 9 of the DPDP Act and Rule 10 of the DPDP Rules before submitting such data. If we learn that we have processed a child's personal data without the required consent, we will delete it.

3. How We Use Your Information and Our Legal Bases

We use personal data to:

  • Provide, maintain, and improve the Services, process API requests, and deliver evaluation results.
  • Manage your account, subscriptions, credits, and billing.
  • Provide support and respond to inquiries and grievances.
  • Send service, security, and administrative messages.
  • Send marketing communications where you have consented; you may opt out at any time.
  • Detect, prevent, and address fraud, abuse, security incidents, and technical problems.
  • Comply with legal obligations and enforce our Terms of Service.

Legal bases under GDPR: performance of a contract (Article 6(1)(b)); legitimate interests in operating and securing the Services (Article 6(1)(f)); consent for marketing and non-essential cookies (Article 6(1)(a)); and compliance with legal obligations (Article 6(1)(c)). Under the DPDP Act, we process personal data on the basis of your consent or for legitimate uses permitted under Section 7, after providing the itemized notice required by Rule 3.

3.1 Use of Submitted Content for Model Improvement

We do not use customer API inputs or outputs to train models that serve other customers. Where we improve our evaluation models, we use only aggregated and anonymized signals that cannot be attributed to an individual or an organization. We do not sell personal data, and we do not "share" personal data for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended by the CPRA (the "CCPA").

4. Consent and Withdrawal (DPDP Act)

Where we rely on consent, we present a clear, itemized notice describing the personal data collected and the specified purpose, as required by Rule 3 of the DPDP Rules. The notice is available in English; on request we will make a copy available in any language listed in the Eighth Schedule to the Constitution of India. You may withdraw consent at any time with the same ease as giving it, by emailing hello@responsibleailabs.ai or using the controls in your account settings. Withdrawal does not affect processing carried out before withdrawal. When the Consent Manager framework under the DPDP Rules becomes operational (Consent Manager registration applies from around 13 November 2026), you will also be able to manage consent through a Consent Manager registered with the Data Protection Board of India.

5. Data Retention

  • Account data: retained while your account is active and for 90 days after closure, then deleted or anonymized, unless a longer period is required by law.
  • Evaluation content and API operational logs: retained for 90 days for operational purposes, then deleted or anonymized.
  • Security, audit, and processing logs: retained for at least 12 months to meet the security-safeguard and log-retention expectations under Rule 6 of the DPDP Rules and CERT-In directions, then deleted.
  • Billing records: retained for the period required by Indian tax and accounting law.
  • Aggregated and anonymized analytics: may be retained indefinitely, as they are no longer personal data.

When a retention period ends and no lawful purpose requires continued storage, we erase the personal data in line with Section 8(7) of the DPDP Act and Rule 8 of the DPDP Rules.

6. Data Sharing and Sub-Processors

We do not sell your personal data. We disclose personal data only to:

  • Service providers and sub-processors who process data on our behalf under written contracts that require appropriate security safeguards, including payment processors (Razorpay, PayPal), cloud infrastructure (Google Cloud Platform), and transactional email (Resend). A current list of sub-processors is available on request at hello@responsibleailabs.ai.
  • Authorities, where disclosure is required by law, court order, or lawful government request, or to protect our rights, users, or the public.
  • A successor entity in connection with a merger, acquisition, or sale of assets, with notice to you.

7. International Data Transfers

RAIL is established in India and processes data on infrastructure that may be located in multiple countries. India has not received an adequacy decision from the European Commission. For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to RAIL in India, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), supported by a transfer impact assessment and supplementary technical measures such as encryption. Under the DPDP Act, cross-border transfers from India are permitted except to countries or territories restricted by the Central Government by notification (a "negative list" model); we monitor such notifications and adjust our data flows accordingly.

8. Your Rights

Depending on where you are located, you may have the rights below. To exercise them, contact hello@responsibleailabs.ai or use your account settings. We will respond within the timeframes required by applicable law.

8.1 Rights under the DPDP Act

  • Right to access a summary of your personal data and our processing (Section 11).
  • Right to correction and erasure of your personal data (Section 12).
  • Right to grievance redressal (Section 13): we will address grievances within 90 days, as required by Rule 14(3).
  • Right to nominate another individual to exercise your rights in the event of death or incapacity (Section 14).
  • Right to withdraw consent at any time.

To make a request, contact our Grievance Officer (Section 1). If your grievance is not resolved, you may complain to the Data Protection Board of India, which operates as a digital-first body; appeals lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

8.2 Rights under GDPR

Access, rectification, erasure, restriction, portability, objection, and the right not to be subject to certain automated decisions. You may withdraw consent and lodge a complaint with your supervisory authority.

8.3 Rights under the CCPA (California)

The rights to know, delete, and correct, the right to limit use of sensitive personal information, and the right of non-discrimination. We do not sell or share personal information for cross-context behavioral advertising. We honor opt-out preference signals, including the Global Privacy Control (GPC), and we will display confirmation that an opt-out preference signal has been honored, as required by the CCPA regulations effective January 1, 2026. If we use automated decision-making technology to make significant decisions about you, we will provide the notices and opt-out required under those regulations.

9. Security

We protect personal data with administrative, technical, and organizational safeguards, including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, logging and monitoring, and periodic security reviews, consistent with the reasonable-security-safeguard requirements of Rule 6 of the DPDP Rules.

10. Data Breach Notification

If a personal data breach occurs, we will act in line with our legal obligations. Under Rule 7 of the DPDP Rules, we will intimate the Data Protection Board of India without delay and provide an updated, detailed report within 72 hours of becoming aware of the breach (or such longer period as the Board allows on written request), and we will notify affected Data Principals without delay (failure to notify the Board or affected individuals carries a penalty up to Rs. 200 crore under the Schedule to the DPDP Act). Where CERT-In Directions (No. 20(3)/2022-CERT-In) apply, we will report qualifying cyber incidents to CERT-In within 6 hours of becoming aware of them. Under GDPR, we will notify the relevant supervisory authority within 72 hours where required and affected individuals where the breach is likely to result in a high risk to their rights.

11. Health Data (HIPAA)

The Services are not intended to create, receive, maintain, or transmit Protected Health Information (PHI) under the U.S. Health Insurance Portability and Accountability Act (HIPAA). Do not submit PHI to the Services unless a Business Associate Agreement (BAA) is in place between you and RAIL. We will not use any PHI to train, improve, or refine our models. To request a BAA, contact hello@responsibleailabs.ai.

12. Changes to This Policy

We may update this Privacy Policy. We will post the updated policy with a new effective date and, for material changes, notify you by email or a prominent notice. Your continued use after the effective date constitutes acceptance.

13. Contact Us

Privacy contact: hello@responsibleailabs.ai

Grievance Officer: Sumit Verma, Co-Founder & Chief Technology Officer; sumit@responsibleailabs.ai; mobile +91 7860263773; 672, Ruchi Lifescapes, 2nd Floor, Jatkhedi, Bhopal, Madhya Pradesh, India - 462023.

Responsible AI Labs Pvt. Ltd., 672, Ruchi Lifescapes, 2nd Floor, Jatkhedi, Bhopal, Madhya Pradesh, India - 462023
