Legal · UnifyIQ.ai

Privacy Policy

UnifyIQ.ai is primarily a service provider and technology intermediary. We handle client data only to deliver contracted services. This policy explains what limited personal data we hold, how we use it, and your rights under Indian law.

IT Act 2000 & SPDI Rules 2011 DPDPA 2023 — Aligned Chennai, Tamil Nadu, India
Effective date: April 2025  ·  Last updated: April 2025
Sections
1. Who We Are 2. Our Role — Service Provider 3. Legal Framework 4. What Data We Hold 5. How We Use It 6. Platform Data 7. Sharing Data 8. Security 9. Retention 10. Your Rights 11. Cookies 12. Children 13. Changes 14. Grievances
Plain English Summary

We are primarily a service provider and technology intermediary — not a data collector. The only personal data we hold is what's needed to run our business: contact details for enquiries, enrolment records for training, and account details for platform access. We do not sell data. We do not collect data beyond what is operationally necessary. Client engagement data (your documents, TARA analyses, strategy materials) belongs entirely to you. Questions? Email help@unifyiq.ai.

Section 01

Who We Are

UnifyIQ.ai (operated by Business of Insights) is an AI strategy consulting firm and technology platform provider, based in Chennai, Tamil Nadu, India. We provide three service lines: AI strategy consulting, enterprise AI training programmes (via AIChampionsHub), and the HATARA compliance automation platform for the automotive industry.

Section 02

Our Role — Service Provider and Intermediary

Understanding our legal role is important. Under the Digital Personal Data Protection Act 2023 (DPDPA) and the IT Act 2000, UnifyIQ.ai acts in two distinct capacities depending on the context:

Primary Role
Data Processor / Intermediary
When delivering consulting services, operating the HATARA platform, or processing client documents — we act as a Data Processor (DPDPA) or Intermediary (IT Act S.79). We process data only on our clients' instructions and for their purposes. Our clients are the Data Fiduciaries who control the data.
Examples: Processing your TARA documents on HATARA, reviewing your vehicle architecture files during consulting, analysing your business data to build your AI roadmap.
Limited / Secondary Role
Data Fiduciary (narrow scope)
For our own operational data only — contact enquiries, training enrolments, and platform account management — we determine the purpose of processing and act as a Data Fiduciary. This is a limited, unavoidable part of running any business.
Examples: Your name and email when you contact us, your enrolment details for a training programme, your billing information.
What This Means Practically

Client engagement data is yours. Any documents, analyses, strategies, TARA/HARA outputs, or proprietary information you share with us or generate on our platform belongs to you. We process it only to deliver your contracted services. We have no independent right to use it. Your rights over this data are governed by your service agreement with us — not by this Privacy Policy.

Important — Intermediary Safe Harbour (IT Act S.79)

As an intermediary under the IT Act 2000, UnifyIQ.ai is not liable for third-party content or data processed through the HATARA platform provided we: (a) do not initiate or modify the transmission; (b) act expeditiously to remove unlawful content upon notice; and (c) comply with applicable government directions. Clients uploading content to the platform are responsible for ensuring it complies with applicable law.

Section 03

Applicable Legal Framework — India

This Privacy Policy is issued in accordance with:

  • Information Technology Act, 2000 (IT Act) — Governs electronic data, intermediary liability, and cybersecurity obligations in India.
  • IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) — Specifies obligations for collecting, storing, and protecting sensitive personal data. Requires a published Privacy Policy and a Grievance Officer. These Rules are currently enforceable.
  • Digital Personal Data Protection Act, 2023 (DPDPA) — India's new data protection law. We are proactively aligning our practices with the DPDPA as its provisions are notified and brought into force.
  • Indian Contract Act, 1872 — Governs our contractual data processing obligations with clients.
  • GST Act / Income Tax Act — Requires retention of billing and financial records for statutory periods.

For clients in the EU/UK or other jurisdictions, we comply with applicable local laws to the extent required. EU clients may request a GDPR-aligned Data Processing Agreement (DPA).

Section 04

What Personal Data We Actually Hold

We hold the minimum personal data necessary to operate our services. The table below is a complete picture of what we collect in our capacity as a Data Fiduciary (our own operational data only):

Data CategorySpecific FieldsSource
Contact & Enquiry Data Name, email, phone, organisation, role, enquiry message Website forms, email, LinkedIn
Training Enrolment Data Name, email, phone, organisation, role, programme enrolled Enrolment forms, AIChampionsHub
Training Learning Records Attendance records, assessment scores, completion status Programme delivery
Platform Account Data Name, work email, organisation, role, login credentials (hashed) Platform registration
Billing & Invoicing Contact name, organisation, GST number (if applicable), bank reference (last 4 digits only) Service agreements, invoices
Website Analytics Anonymised page views, session duration, browser type, approximate location (city-level) Analytics cookies (with consent)
Support Communications Email correspondence, support tickets Email, platform support
What We Explicitly Do NOT Collect as Fiduciary
  • Aadhaar numbers, PAN cards, or government ID details
  • Health, medical, or biometric data
  • Financial account numbers or full card details (never stored — handled by payment processors only)
  • Personal data of persons under 18
  • Data collected through covert tracking, profiling, or surveillance
  • Client engagement data (your strategic documents, TARA files, etc.) — this is your data, processed under your instructions only
Section 05

How We Use Your Personal Data

We use the personal data we hold (our own operational data) only for the following specific purposes:

  • Responding to service enquiries — to reply to contact form submissions, emails, and booking requests.
  • Service onboarding and delivery — to set up consulting engagements, training programmes, and platform accounts.
  • Training administration — to manage attendance, assessments, and certificates.
  • Billing and invoicing — to issue invoices and maintain financial records as required by law.
  • Service communications — updates, schedules, and information directly related to a service you have engaged.
  • Marketing communications — newsletters, new programme announcements, and insights — only to those who have opted in or are existing clients (with easy opt-out).
  • Legal compliance — to meet our obligations under Indian law, respond to valid legal requests, and maintain statutory records.
  • Security and fraud prevention — to protect the platform and our users from unauthorised access and abuse.
We Never

Sell your personal data · Use your data for automated profiling that produces significant decisions about you · Use client engagement data for our own marketing · Use platform data to train AI models without your explicit written consent · Share your data with advertisers or ad networks

Section 06

Platform Data — HATARA

The HATARA platform processes technical data — vehicle architecture documents, threat models, TARA/HARA analyses, safety artefacts — on behalf of our clients. This is fundamentally different from the personal data discussed in Section 4.

6.1 Nature of Platform Data

Data uploaded to HATARA is primarily technical and commercial confidential information rather than personal data in the conventional sense. It includes vehicle system descriptions, threat catalogues, risk assessments, and compliance documentation. Where such documents incidentally contain personal information (e.g. names of engineers), such information is processed only as part of the document — not extracted, profiled, or used independently.

6.2 Intermediate / Processed Data

The HATARA platform generates intermediate data during processing — for example, parsed threat models, generated risk matrices, and AI-assisted analysis outputs. This processed data:

  • Is stored temporarily to enable the platform to function and to allow you to retrieve your outputs
  • Belongs entirely to you as the client — we have no independent right to use it
  • Is retained only for the duration of your active subscription plus a 90-day wind-down period
  • Is accessible only to you (and UnifyIQ personnel for technical support, with your knowledge)
  • Is deleted on your request or upon subscription termination
6.3 Our Processor Obligations

In processing your data on the platform, we act as a Data Processor. Our obligations are:

  • Process data only on your documented instructions
  • Maintain confidentiality of all data processed
  • Implement appropriate technical and organisational security measures
  • Not engage sub-processors without your knowledge and equivalent contractual protections
  • Assist you in meeting your own obligations to your data subjects (if applicable)
  • Delete or return all data at end of contract as you direct
  • Provide you with all information necessary to demonstrate compliance
Enterprise Clients — Data Processing Agreement

If your organisation requires a formal Data Processing Agreement (DPA) — for regulatory compliance, internal governance, or because you are subject to GDPR or other data protection regimes — please contact help@unifyiq.ai. We will execute a DPA that documents our processor obligations, security measures, sub-processor list, and data handling procedures.

Section 07

Sharing of Personal Data

7.1 Who We Share With (and Why)
  • Specialist subcontractors and SME trainers: Members of our delivery network who assist in consulting engagements or training delivery — bound by written confidentiality agreements and data handling obligations equivalent to ours.
  • Cloud infrastructure providers: For hosting the HATARA platform and storing operational data (e.g. AWS, Google Cloud) — subject to data processing agreements and security certifications.
  • Payment processors: For billing — we use reputable, PCI-DSS compliant processors. We do not store payment card details ourselves.
  • Communication and CRM tools: Email, video conferencing, and support tools — accessed only by authorised UnifyIQ team members.
  • Analytics tools: Anonymised, aggregated website analytics only — no personally identifiable information shared.
  • Legal and regulatory authorities: Only where required by law, court order, or to protect our legal rights — and only to the extent required.
7.2 What We Never Do
  • Never sell or rent personal data to any third party — ever
  • Never share client names or engagement details publicly without explicit written consent
  • Never share data with advertising networks, data brokers, or marketing platforms
  • Never disclose government or law enforcement without a valid legal mandate, and we will notify you where legally permitted to do so
Section 08

Security of Data

We implement reasonable security practices as required by Rule 8 of the SPDI Rules 2011, which mandates a documented information security programme commensurate with the information assets. Our measures include:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
  • Password hashing — plain-text passwords are never stored
  • Role-based access controls — data accessible only to those who need it to deliver services
  • Multi-factor authentication for platform administrator and privileged accounts
  • Regular security reviews of the HATARA platform infrastructure
  • Contractual security obligations on all sub-processors and subcontractors
  • Secure deletion of data at end of retention period
No Absolute Guarantee

No electronic system is 100% secure. We implement reasonable and appropriate measures, but cannot guarantee absolute security. In the event of a breach that is likely to affect your rights, we will notify you and, where required, the relevant Indian authority, within the timeframes prescribed by applicable law.

Section 09

How Long We Keep Data

We retain data only for as long as operationally necessary or required by Indian law:

Data CategoryRetention PeriodReason
Website contact enquiries2 years from last interactionLegitimate operational interest
Consulting engagement records7 years from engagement closeIT Act / Companies Act compliance
Training enrolment & completion records5 years from completionCertificate verification and legal compliance
Platform account data (active)Duration of subscription + 90 daysService delivery
Platform technical / intermediate dataActive subscription + 90 days, then deletedClient ownership — deleted on request or at contract end
Billing and invoice records8 yearsGST Act and Income Tax Act
Support communications2 years from resolutionDispute resolution
Marketing opt-out recordsIndefiniteEvidence of opt-out status

After applicable periods, data is securely deleted or irreversibly anonymised. You may request earlier deletion where legally permissible — see Section 10.

Section 10

Your Rights

For personal data we hold about you in our capacity as Data Fiduciary (your contact, enrolment, or account details), you have the following rights under the SPDI Rules 2011 and the forthcoming DPDPA 2023:

Access
Request a copy of the personal data we hold about you
Correction
Request correction of inaccurate or incomplete data
Deletion
Request erasure of your data where no legal retention obligation applies
Withdraw Consent
Opt out of marketing at any time — via unsubscribe link or email request
Grievance Redressal
Lodge a formal complaint with our Grievance Officer — responded to within 30 days
Data Portability
Receive your data in a structured, portable format on request (DPDPA, when notified)

To exercise any right, email help@unifyiq.ai with the subject "Data Rights Request". We respond within 30 days. We may verify your identity first. Some rights are limited by legal retention obligations — we will explain any restrictions clearly.

Note on client engagement data: Your rights over data you have uploaded to the HATARA platform or shared in a consulting engagement are governed by your service agreement — not this Policy. Contact us to arrange data export or deletion of platform data.

Section 11

Cookies and Website Analytics

  • Essential cookies: Required for the website and platform to function (session management, login). Cannot be disabled without breaking functionality.
  • Analytics cookies: Anonymised, aggregated data to understand how our website is used — no personally identifiable information. Requires your consent.
  • No advertising or retargeting cookies — we do not use third-party advertising cookies on our website.

You can manage cookie preferences through your browser settings. Disabling non-essential cookies does not affect your ability to use our services.

Section 12

Children

Our services are for business professionals and enterprises only. We do not knowingly collect data from persons under 18. Under DPDPA Section 9, processing a child's personal data requires verifiable parental consent — a situation that should not arise given our B2B focus. If we discover we have inadvertently received data relating to a child, we will delete it immediately. Contact help@unifyiq.ai if you believe this has occurred.

Section 13

Changes to This Policy

We may update this Privacy Policy as our services evolve or as Indian data protection law develops (particularly as DPDPA provisions are notified). Material changes will be communicated by email (to registered contacts) or via a notice on our website at least 30 days before taking effect. The current version is always at unifyiq.ai/privacy.

Section 14

Contact and Grievance Redressal

In compliance with Rule 5(9) of the SPDI Rules 2011, we have designated a Grievance Officer for all privacy-related concerns:

  • Grievance Officer: S T Balaji, Founder — UnifyIQ.ai
  • Email: help@unifyiq.ai
  • Subject line: "Privacy Grievance"
  • Phone: +91 9840768200
  • Location: Chennai, Tamil Nadu, India
  • Response time: Acknowledgement within 3 business days · Resolution within 30 days

For training-specific queries: help@aichampionshub.com | +91 8554888110

Escalation

If unsatisfied with our response, you may approach the Data Protection Board of India (once operational under the DPDPA 2023) or seek appropriate legal remedies in courts of competent jurisdiction in Chennai, Tamil Nadu. EU/UK clients may contact their local supervisory authority (e.g. the ICO in the UK).

Privacy Questions

Our Grievance Officer responds within 3 business days.

help@unifyiq.ai — subject "Privacy Grievance"
www.unifyiq.ai
© 2025 UnifyIQ.ai · Chennai, Tamil Nadu, India
IT Act 2000 · SPDI Rules 2011 · DPDPA 2023 (aligned)
This policy does not constitute legal advice.
Related Documents
Privacy Policy (this page) Terms of Service AIChampionsHub
Legal Framework
IT Act 2000 (Intermediary)
SPDI Rules 2011 (currently enforceable)
DPDPA 2023 (proactive alignment)
IT Act S.79 (Safe Harbour)
GST Act / Income Tax Act (billing records)