Your rows stay in your region.

OriginChain is a managed database product operated by Silicoyn Technologies Pvt Ltd ("we"), an Indian private limited company headquartered in Bengaluru. You sign up, we run your instance on AWS. The rows you store are yours: we do not read them, sell them, or let them leave the AWS region you picked.

This notice is published in compliance with Section 5 of the Digital Personal Data Protection Act 2023 ("DPDP Act") and applies to all personal data we process, regardless of where you are located.

Data Fiduciary: Silicoyn Technologies Pvt Ltd, a company incorporated under the Indian Companies Act 2013 with its registered office in Bengaluru, Karnataka, India.

Grievance Officer / Data Protection Officer: reachable at grievance@originchain.ai. Complaints are acknowledged within 24 hours and resolved within 15 days, as required by Section 7(c) of the DPDP Act and the IT Rules 2021.

The marketing site is a static deployment. We do not set advertising cookies, we do not run third-party trackers, and we do not fingerprint visitors.

Our hosting provider (AWS CloudFront + S3) records standard access logs — IP address, user agent, referrer, timestamp — for abuse prevention and security monitoring. Those logs are retained for 30 days and then discarded. We do not link them to any other identifier.

Lawful purpose: Section 4(2) DPDP Act — "specified purpose" of operating and securing a public website.

When you sign up we collect the email, organisation name, and billing details you give us. Account-related personal data is stored in our control-plane RDS PostgreSQL instance in ap-south-1 (Mumbai). The control plane never touches the rows you put into your tenant.

Your tenant lives in the AWS region you pick. Rows, write-ahead log, backups, and snapshots stay in that region. We do not replicate personal data across regions unless you explicitly request it.

We collect operational metrics from your tenant — request rates, latencies, cache hit ratios, WAL lag — over a private channel, and use them to run the service and show you dashboards. We never sample the content of your rows or your queries.

Access to your tenant from our side is limited to a small on-call team, audit-logged via AWS CloudTrail, and only used to respond to a support ticket you file or to a live incident affecting your tenant.

Lawful purpose: Section 4(2)(a) DPDP Act — performance of the service contract you signed up for; Section 4(2)(b) for tax / accounting record-keeping.

Identity & contact data: name, email address, organisation name.

Billing data: tokenised card identifier (we never receive PAN/CVV — Razorpay does), billing address, GSTIN if provided, invoice history.

Authentication data: hashed bearer tokens (Argon2id), session cookies, IP address of recent sign-ins.

Service-content data: any rows you choose to store in your tenant. We treat the entire row blob as opaque — we do not classify, index for ML, or enrich it.

Operational telemetry: request timestamps, error codes, latency buckets, cache-hit rates. No row content, no query content.

Sub-processors used to deliver the Service:

• Amazon Web Services, Inc. — compute (EC2), storage (EBS, S3), backups (AWS Backup), DNS (Route 53), control-plane database (RDS PostgreSQL), monitoring (CloudWatch).

• Razorpay Software Pvt Ltd — payment processing. Card data is tokenised; we never receive PAN or CVV.

• Anthropic / Amazon Bedrock — natural-language compilation of /v1/ask requests when the LLM compiler runs. Prompts are submitted to the model and discarded; we do not store model output beyond the response we return.

We do not sell personal data, share it with advertisers, or use it for cross-product marketing.

We may disclose personal data when compelled by a valid Indian legal request (court order, summons under Section 91 CrPC, lawful direction of a government agency under Section 69 IT Act). We notify you of such requests where legally permitted.

By default, all customer rows and tenant operational data stay in ap-south-1 (Mumbai) — Indian sovereign territory.

Account-level data (email, billing) is processed in ap-south-1.

Cross-border transfer occurs only if (a) you select a non-Indian AWS region for your tenant, or (b) you route /v1/ask traffic through Bedrock in another region. Both are explicit choices on your part.

Where the DPDP Act restricts cross-border transfer to specific countries, we comply with the restriction and notify you if your selected configuration becomes non-compliant.

Tenant rows: as long as the tenant is active. Deleted within 24 hours of subscription cancellation; backups in AWS Backup vault age out after 30 days.

Account / contact data: while the account is active, plus 7 years of billing record retention as required by Section 44AA of the Income Tax Act 1961.

Authentication & security logs: 90 days.

Marketing-site access logs: 30 days.

Under Sections 11–14 of the DPDP Act, you have the right to: (a) confirm whether we process your personal data and obtain a summary; (b) seek correction or erasure of inaccurate or unlawful data; (c) nominate a person to exercise these rights on your behalf in case of incapacity; (d) grievance redress for unsatisfactory responses.

To exercise any right, email grievance@originchain.ai. We respond within 15 days. If unsatisfied, you may approach the Data Protection Board of India established under Section 18 of the DPDP Act.

If you are an EU/UK resident and EU/UK data protection law applies, GDPR-equivalent rights apply: access, rectification, erasure, restriction, portability, objection. The same email reaches us; we respond within 30 days.

We rely primarily on contractual necessity (Section 4(2)(a) DPDP Act) — you signed up to use a service, we process the personal data needed to deliver it. For anything outside the strict service-delivery scope (e.g. opt-in marketing emails), we ask explicit consent and you can withdraw it at any time from /app/settings.

TLS 1.2+ on every external endpoint (rustls, AWS-LC). Argon2id for stored credentials. AES-256 encryption at rest on EBS and S3 (AWS-managed keys; customer-managed KMS available on Enterprise). Principle-of-least-privilege IAM with no-SSH access via SSM Session Manager. Daily AWS Backup snapshots into a 30-day-retention vault. See /security for the full posture.

If we become aware of a personal data breach affecting you, we will notify you and the Data Protection Board of India in accordance with Section 8(6) of the DPDP Act and the breach-notification rules thereunder. The notification will describe the nature of the breach, categories and approximate number of affected records, likely consequences, and steps taken to mitigate it.

If you are processing personal data of others on the Service, you are the Data Fiduciary and Silicoyn Technologies Pvt Ltd is your Data Processor. The full DPA is at originchain.ai/dpa; email legal@originchain.ai for a counter-signed copy.

OriginChain is not directed at children under 18 and we do not knowingly collect personal data of children. If you believe a child has provided us with personal data, email grievance@originchain.ai and we will delete it.

If this notice materially changes, we will update the date at the top of the page, note the change in our changelog, and email everyone on the managed service. We will not quietly start collecting anything new.