Privacy Policy · Last updated 29 May 2026

Privacy Policy

This policy explains how Ankai Inc. (operating as Ostronaut, “we”, “us”, “our”) processes personal data, and what rights you have over that data under India’s Digital Personal Data Protection Act 2023 (DPDP), as well as comparable laws where they apply.

On this page

  1. Who we are
  2. What this policy covers
  3. Our role: Data Processor / Data Fiduciary
  4. Data we process
  5. Lawful basis for processing
  6. Why we process data
  7. How long we keep it
  8. Who we share it with
  9. Cross-border transfers
  10. Your rights as a Data Principal
  11. How to exercise your rights
  12. Children’s data
  13. Security
  14. Breach notification
  15. Changes to this policy
  16. Contact & grievance redressal

Who we are

Ankai Inc. is a private limited company incorporated in India, with its registered office in Mumbai. We operate the Ostronaut product (the “Service”) — conversation intelligence for customer-facing teams.

Where this policy says “Ostronaut,” “we,” “us,” or “our,” it refers to Ankai Inc.

What this policy covers

This policy covers personal data we process in connection with the Service, including:

  • Personal data of end customers of our business customers (e.g., a pharmacy chain’s walk-in customers whose conversations are recorded by Rover devices on the chain’s premises);
  • Personal data of staff members of our business customers (voice embeddings, speaker identification);
  • Personal data of business contacts at our customer organisations (names, business emails, role);
  • Personal data collected via this website (form submissions, log data).

It does not cover personal data processed by other entities — including our business customers’ own systems — that are separate from our Service.

Our role: Data Processor / Data Fiduciary

For most personal data we handle — specifically, audio, transcripts, voice embeddings, and extracted events of conversations on a business customer’s premises — we act as a Data Processor under DPDP.

The business customer (the pharmacy chain, hospital network, brand, etc.) is the Data Fiduciary. They decide why and how personal data is processed. We process it on their behalf, on their instructions, under a written Data Processing Agreement.

For a narrower category of data — specifically, personal data we collect directly through this website (sales-form submissions, server logs, marketing analytics), and personal data of our business contacts — we act as a Data Fiduciary ourselves. The obligations described below apply to us directly in those cases.

Data we process

Conversation data (Processor)

  • Audio of conversations captured by Rover devices installed at the Data Fiduciary’s premises;
  • Transcripts of those conversations, with Devanagari script preserved;
  • Voice embeddings — mathematical tokens used to identify staff members who have opted in to identification. Embeddings are not reversible to audio;
  • Business events extracted from conversations (e.g., “stockout”, “bounce”, “cross-sell offered”) and the line of transcript that triggered each event;
  • Operational metadata: timestamps, store identifiers, device identifiers, conversation identifiers.

Account & business contact data (Fiduciary)

  • Name, business email, role, organisation;
  • Authentication credentials (hashed);
  • Phone number, if provided;
  • Business communications (sales emails, support tickets, contracts).

Website & service log data (Fiduciary)

  • IP address (truncated for analytics);
  • User agent;
  • Pages visited, referrer;
  • Form submissions on this site (name, email, phone, company, role, notes).

Lawful basis for processing

Under DPDP, every act of processing must have a lawful basis. The bases we rely on are:

  • Consent — the primary basis for conversation data of end customers. Notice is given at the point of capture (signage in 22 scheduled languages) and consent is implied through continued participation, with the right to object;
  • Explicit, separate consent — for voice biometric identification of staff members. This consent is documented per individual, with timestamp and version;
  • Legitimate use — for business contact data and operational metadata necessary to deliver the service the Data Fiduciary has contracted for;
  • Performance of a contract — where the Data Principal is a party to a contract with us (e.g., an account holder);
  • Compliance with legal obligation — where we are required to process data by Indian law or court order.

For each category of data, we use the narrowest applicable lawful basis. We do not rely on “public interest” or open-ended “legitimate interest” framings.

Why we process data

We process personal data for the following purposes, and no others without renewed consent or a new lawful basis:

  • To deliver the Service to the Data Fiduciary (transcription, diarisation, event extraction, coaching outputs);
  • To improve the Service — provided that no individual’s data is used to train models shared across customers, and aggregated metrics never re-identify individuals;
  • To detect, investigate, and respond to security incidents and abuse;
  • To communicate with our business contacts about the Service (account, billing, product updates);
  • To comply with applicable Indian law.

We do not sell personal data. We do not use customer audio, transcripts, or embeddings to train models that we then deploy for other customers.

How long we keep it

Retention defaults are configurable per Data Fiduciary in the Data Processing Agreement. Our default retention windows are:

  • Raw audio: 90 days from capture, then permanent deletion;
  • Transcripts: 24 months from capture, then permanent deletion (configurable shorter on request);
  • Voice embeddings: for the duration of the staff member’s opt-in. Deleted within 24 hours of consent withdrawal;
  • Business events & coaching artifacts: 24 months, configurable;
  • Account & business contact data: for the lifetime of the customer relationship plus 7 years (statutory retention for tax / contract records under Indian law);
  • Website log data: 90 days.

Shorter retention is available on request. Longer retention requires documented business need (e.g., active investigation, contractual obligation).

Who we share it with

We share personal data only with the following categories of recipient:

  • The Data Fiduciary who collected it — access is the entire point of the Service;
  • Sub-processors — the cloud and AI vendors listed on our Trust page — each under a written Data Processing Agreement that mirrors our obligations to you;
  • Indian regulatory authorities — where compelled by law (a valid court order, DPDP regulator request, or other binding legal instrument). We notify the Data Fiduciary of such requests where legally permitted;
  • Our professional advisors (lawyers, auditors) — under confidentiality, where necessary for legal or regulatory advice.

We do not share personal data with advertisers. We do not share it with other Ostronaut customers. We do not share it with anyone else without consent or a separate lawful basis.

Cross-border transfers

Primary infrastructure — the backend API, the primary database, the speaker identification service, and the frontend application — runs in India (Mumbai region).

A subset of our processing pipeline (including, but not limited to, certain audio processing functions and AI model inference) currently operates from enterprise cloud regions outside India. These cross-border transfers are governed by Standard Contractual Clauses with the relevant sub-processors, with equivalent technical safeguards including encryption in transit and at rest, access controls, and audit logging.

We are consolidating these processing functions into India-only infrastructure on an active roadmap. The current sub-processor list, including the operating regions of each and the specific data categories transferred, is provided to customers under the Data Processing Agreement.

Additional sub-processors may operate control-plane functions from regions outside India (for example, account management consoles of global cloud providers). A high-level list of sub-processors is published on the Trust page.

Where personal data is transferred to a region outside India, we ensure equivalent protection through:

  • Standard Contractual Clauses (SCCs) between us and the sub-processor;
  • Technical safeguards (encryption in transit and at rest, access controls);
  • Contractual obligations on the sub-processor that mirror our obligations under this policy and applicable Indian law.

We do not transfer data to jurisdictions designated by the Indian government as restricted for cross-border data flows.

Your rights as a Data Principal

Under DPDP, you have the following rights with respect to your personal data:

  • Right to access — you can ask us what personal data we hold about you, the purposes of processing, and the categories of recipients;
  • Right to correction — you can ask us to correct inaccurate or incomplete data;
  • Right to erasure — you can ask us to delete your data, subject to legal retention requirements. We honour erasure requests within 7 business days;
  • Right to nominate — you can nominate another person to exercise your rights in case of death or incapacity;
  • Right to withdraw consent — where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect lawfulness of past processing;
  • Right to grievance redressal — if you believe we have not handled your data properly, you can lodge a grievance with us (see below). If unresolved within 30 days, you may approach the Data Protection Board of India.

Where we act as a Data Processor (not Fiduciary), we will forward your request to the Data Fiduciary, who is the appropriate decision-maker. We will also action it on the Data Fiduciary’s instructions, technically and within the timelines they specify.

How to exercise your rights

To exercise any of the rights above, email grievance@ostronaut.ai with:

  1. Your name and how to reach you;
  2. Which right you want to exercise;
  3. Enough information for us to identify your data (e.g., the business customer’s name, approximate date of the visit, store location for end customers; staff ID for opt-in withdrawals; email address for account-related requests);
  4. Any documents we need to verify identity, where applicable.

We respond within 30 days. For erasure requests, we complete deletion within 7 business days of verifying identity. We do not charge for these requests.

Children’s data

The Service is intended for use in adult-facing business contexts. We do not knowingly process personal data of children (defined under DPDP as individuals below 18). However, children may incidentally appear in audio captured at a Data Fiduciary’s premises (for example, accompanying a parent at a pharmacy counter).

For incidental child voices captured in adult-facing premises, we apply heightened safeguards:

  • No tracking, profiling, or targeted recommendations directed at children;
  • No voice fingerprinting of identifiable children;
  • Aggressive minimisation in transcripts;
  • Honouring deletion requests on behalf of children immediately on verified parental request.

Data Fiduciaries operating premises where children are systematically present (e.g., paediatric settings) must agree to additional safeguards in the Data Processing Agreement.

Security

We use a combination of technical and organisational safeguards to protect personal data:

  • AES-256 encryption at rest for all stored data;
  • TLS 1.3 for all data in transit;
  • Role-based access control with audit logging;
  • Multi-factor authentication for all employee access;
  • Network isolation between customer tenants;
  • Cloud-native key management with regular key rotation;
  • Vulnerability scanning and patching on a defined cadence;
  • Employee training on data handling and incident response;
  • Background checks for employees with production access;
  • Vendor security reviews for all sub-processors.

No security control is absolute. We continuously review and improve our posture as the Service evolves and as the regulatory landscape changes.

Breach notification

If we identify a personal data breach affecting your data, we notify:

  • The affected Data Fiduciary within 24 hours of confirmed detection;
  • The Data Protection Board of India within 72 hours, where the breach triggers statutory reporting obligations under DPDP §10;
  • Affected Data Principals (end customers, staff members) where required by DPDP or by the Data Fiduciary’s instructions.

Each notification includes: what happened, what data was affected, the steps we are taking, and what the recipient should do (if anything).

Changes to this policy

We may update this policy from time to time. Material changes — especially those that expand the categories of data we process or the purposes for which we process it — will be notified to existing Data Fiduciaries at least 30 days before they take effect, with a clear summary of what changed.

The version date at the top of this page records when we last updated it. Older versions are archived and available on request.

Contact & grievance redressal

Data Protection Officer

For any questions about this policy, our processing activities, or the Data Processing Agreement: dpo@ostronaut.ai

Grievance redressal officer

To exercise your DPDP rights, lodge a complaint, or report a privacy concern: grievance@ostronaut.ai

We acknowledge grievances within 7 days and resolve them within 30 days. If you are not satisfied with our response, you may approach the Data Protection Board of India under DPDP §27.

Security incidents

To report a suspected security incident: security@ostronaut.ai

Postal address

Ankai Inc., Mumbai, India. Full registered address available on request from legal@ostronaut.ai.

Related documents

Trust page · Terms of Service