Privacy Policy
This Privacy Policy explains how XYZ Private Limited ("Contravi", "we", "us", or "our") collects, uses, shares, and protects personal data when you use the Contravi contract-workflow platform, our website, and related services (collectively, the "Service"). We act as a Data Fiduciary in respect of personal data for which we determine the purpose and means of processing, and this Policy is intended to comply with India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and applicable rules made under it.
By using the Service, you ("you", the "Data Principal") acknowledge that you have read and understood this Policy. Where we rely on your consent, we will request it separately and you may withdraw it at any time as described below.
Contents
- Personal data we collect
- How and why we use your data
- Consent and its withdrawal
- Documents and content you upload
- When we share data
- Cross-border transfers
- Data retention
- How we protect your data
- Your rights as a Data Principal
- Children's data
- Cookies and analytics
- Grievance redressal
- Changes to this Policy
- Contact us
1. Personal data we collect
We collect personal data that you provide directly, data generated as you use the Service, and limited data from third parties that help us operate the Service.
| Category | Examples |
|---|---|
| Account & identity data | Name, work email address, phone number, employer/organisation, role, and login credentials. |
| Document & workflow data | Contracts, engagement letters, employment letters and other documents you upload or create, along with comments, signatures, signatory details, and workflow metadata (status, dates, owners). |
| Billing data | Billing name, address, GSTIN (if applicable), and transaction records. Card and bank details are handled by our payment processor and are not stored by us. |
| Usage & device data | IP address, browser and device type, pages viewed, actions taken, log and diagnostic data, and approximate location derived from IP. |
| Communications | Messages, support requests, and feedback you send us. |
2. How and why we use your data
We process personal data for the following purposes, relying either on your consent or on the "certain legitimate uses" permitted under the DPDP Act (such as performing the service you have requested):
- To create and administer your account and provide the Service;
- To enable contract upload, creation, sharing, negotiation, commenting, e-signature, search, and management;
- To send service, security, and transactional communications;
- To process payments and maintain billing records;
- To provide support and respond to your requests;
- To monitor, secure, debug, and improve the Service, including during the beta period;
- To send product updates or marketing where you have consented (you can opt out at any time); and
- To comply with legal obligations and enforce our terms.
3. Consent and its withdrawal
Where processing is based on consent, your consent is free, specific, informed, unconditional, and unambiguous, and limited to the purpose for which it is given. You may withdraw your consent at any time by contacting us at founders@contravi.ai or through in-product settings where available. Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal, and may limit or prevent your continued use of certain features.
4. Documents and content you upload
The Service lets you upload and process documents that may themselves contain personal data of third parties (for example, counterparties, employees, or signatories). In respect of that content, you are the Data Fiduciary and we act as a Data Processor processing such data on your instructions and on your behalf. You are responsible for ensuring you have a lawful basis and any required notices or consents to process that data through the Service.
5. When we share data
We do not sell your personal data. We share it only as follows:
- Service providers (Data Processors): cloud hosting, storage, payment processing, e-signature, email delivery, and analytics providers who process data under contract and only on our instructions;
- Within a workflow: with the parties you choose to share a document or workflow with;
- Legal and safety: where required by law, regulation, court order, or to protect rights, safety, and the integrity of the Service; and
- Business transfers: in connection with a merger, acquisition, or sale of assets, subject to this Policy.
6. Cross-border transfers
We and our service providers may process and store personal data on servers located outside India. Where we transfer personal data outside India, we do so in accordance with the DPDP Act and will not transfer data to any country or territory that the Central Government may notify as restricted. We take reasonable steps to ensure such transfers are subject to appropriate safeguards.
7. Data retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, to provide the Service, and to comply with legal, accounting, or reporting obligations. When personal data is no longer required, we will erase it or anonymise it, unless retention is required by law. You may request deletion of your account and associated data as described under your rights below. Note that during the beta period, backups and logs may persist for a limited additional time.
8. How we protect your data
We implement reasonable security safeguards designed to protect personal data, including encryption in transit, access controls, and monitoring. However, the Service is pre-release beta software and no method of transmission or storage is completely secure. While we work toward independent certifications (such as SOC 2 and ISO/IEC 27001), these audits are still in progress and have not been completed. In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals as required under the DPDP Act.
9. Your rights as a Data Principal
Subject to the DPDP Act, you have the right to:
- Access a summary of the personal data we process about you and the processing activities;
- Have your personal data corrected, completed, and updated;
- Have your personal data erased where it is no longer necessary for the purpose for which it was collected;
- Seek grievance redressal through the mechanism described below; and
- Nominate another individual to exercise your rights in the event of death or incapacity.
To exercise any of these rights, contact us at founders@contravi.ai. We may need to verify your identity before acting on a request.
10. Children's data
The Service is intended for business use and is not directed at children. We do not knowingly process the personal data of children (individuals under 18 years of age) without verifiable consent of a parent or lawful guardian, and we do not undertake tracking, behavioural monitoring, or targeted advertising directed at children, in line with the DPDP Act.
11. Cookies and analytics
We use cookies and similar technologies to keep you signed in, remember preferences, secure the Service, and understand usage. You can control cookies through your browser settings; disabling some cookies may affect functionality. Where required, we will request your consent for non-essential cookies.
12. Grievance redressal
If you have any concern or complaint regarding the processing of your personal data, you may contact our Grievance Officer:
Grievance Officer: [Grievance Officer Name]
XYZ Private Limited
[Registered Office Address], [City], India
Email: founders@contravi.ai
We will acknowledge and endeavour to resolve your grievance within the timelines prescribed under applicable law. If you are not satisfied with our response, you may have the right to escalate your complaint to the Data Protection Board of India.
13. Changes to this Policy
We may update this Policy from time to time, particularly as the beta product evolves. We will post the updated version here and revise the "Last updated" date, and where changes are material we will take reasonable steps to notify you.
14. Contact us
XYZ Private Limited
[Registered Office Address], [City], India
CIN: [CIN]
General privacy queries: founders@contravi.ai
Support: founders@contravi.ai