Trust

Ostronaut handles the most sensitive conversation a retail brand has — the one happening on the floor. Here’s how we treat it.

Our customers are pharmacy chains, hospital networks, and consumer brands. The conversations our AI listens to carry real privacy weight — health context, financial decisions, customer identity. Below is the contract we hold ourselves to, the controls we ship, and the legal posture we run under in India.

Who owns what

You are the Data Fiduciary. We are the Data Processor.

Under India’s Digital Personal Data Protection Act 2023 (DPDP), the entity that decides why personal data is processed is the Data Fiduciary. The entity that processes it on the Fiduciary’s instructions is the Data Processor.

Your data is yours. We process it on your behalf, under contract, with the controls you set. We don’t sell it, we don’t train shared models on it, and we don’t use it for any purpose other than delivering the service you bought.

What this means in practice: you control consent collection, retention windows, access permissions, and the right to be forgotten. We provide the contracts, the signage kit, the consent flows, and the technical guardrails — so being a Data Fiduciary doesn’t become a second job.

Data scope

What we collect, what we don’t.

We collect

Only what the service needs.

Every category below is processed because the product can’t deliver value without it. Nothing is collected speculatively.

  • Audio of conversations on your premises
  • Transcripts of those conversations (Devanagari preserved)
  • Voice embeddings of staff who opt in to identification
  • Business events extracted by our AI (stockouts, bounces, missed cross-sells)
  • Operational metadata: timestamps, store IDs, device IDs

We don’t collect

The things our AI doesn’t need to do its job.

Categories we are explicit about not capturing. If a future feature requires any of these, we will get fresh consent before turning it on.

  • Customer faces or images of any kind
  • Customer names, phone numbers, or payment data — unless spoken aloud in conversation
  • Anything outside your store’s physical footprint
  • Data from any other employer or brand
  • Location tracking of customers or staff outside the store

Data residency

Where your data lives, and for how long.

Residency

India-first. Cross-border under SCCs.

Primary infrastructure — backend API, the primary database, speaker identification, and the frontend application — runs from our India region. A subset of our processing pipeline operates from enterprise cloud regions outside India, governed by Standard Contractual Clauses with equivalent technical safeguards. The detailed regional breakdown is shared with customers under the Data Processing Agreement, and we are consolidating cross-border processing into India-only infrastructure on an active roadmap.

Encryption

AES-256 at rest, TLS 1.3 in transit.

Every byte we store is encrypted with AES-256. Every connection over the public internet uses TLS 1.3 with modern cipher suites. Encryption keys are managed through cloud-native key management services with regular rotation.

Retention

Configurable per customer.

Defaults: raw audio for 90 days, transcripts and events for 24 months, voice embeddings for the duration of the staff member’s opt-in. Shorter retention is available on request. Longer retention is available with a documented business need.

Right to be forgotten

Honoured within 7 days.

When a customer or staff member exercises their right to erasure under DPDP, we delete their data — including derivative outputs such as events and embeddings — within 7 business days of the request reaching our grievance officer.

Access control

Who can see what.

Your team

Role-based, audit-logged.

Every user in your account has a defined role with explicit permissions. Operators see their stores. Managers see their teams. Owners see everything. Every access — including audio playback — is logged with timestamp and reason.

Ostronaut engineering

Only for incidents, only with consent.

Ostronaut engineers do not browse customer data. Access is granted only for active incident response or with the customer’s written approval, scoped to the minimum data needed, and revoked when the work is done. Every access is logged and reviewable.

Staff voice biometrics

Voice identification is opt-in. Always.

Voice embeddings (mathematical fingerprints of how a person speaks) are sensitive biometric data. Under DPDP and global privacy norms, biometric data requires explicit, separate consent — it can’t be bundled into an employment contract.

Each staff member individually opts in through a documented consent flow. The consent is recorded with timestamp and version. It can be revoked at any time — the embedding is deleted within 24 hours of revocation. Embeddings themselves are mathematical tokens, not reversible to audio.

Staff who don’t opt in still benefit from the service — their conversations are transcribed and tagged, just without per-person attribution.

Customer notice

Signage kit included — ready in Hindi, Marathi, English.

Every Ostronaut deployment ships with a signage pack: physical posters and digital displays you put on your floor that notify customers their conversation may be recorded for quality and coaching purposes. Notice text complies with DPDP §5 requirements (clear, specific, in any of 22 scheduled languages).

If a customer objects, the right to opt out is handled at our backend — the operator flags the visit, and our pipeline excludes that conversation from further processing.

Sub-processors

The categories of vendors we use to deliver the service.

We disclose every sub-processor that touches your data. Each has a Data Processing Agreement with Ostronaut that mirrors the obligations we owe you. We give 30 days’ written notice before adding or changing any sub-processor. The current named list of sub-processors, including the role and operating region of each, is provided to customers under the Data Processing Agreement.

  • AI model providers — large-language and embedding models for transcription, diarisation, and event extraction.
  • Compute & container hosting providers — backend services and the AI inference pipeline.
  • Operational database providers — events, accounts, and audit logs.
  • Edge / CDN / DDoS protection providers — the public web layer for this site and the customer dashboard.
  • Transactional email providers — incident notifications and account communications.

For each sub-processor that operates from a region outside India, we use Standard Contractual Clauses (SCCs) and require equivalent technical and organisational measures. The Privacy Policy details the legal basis for each transfer.

Incidents

When something goes wrong, you hear about it fast.

24 hours

Notification to you.

If we identify a security incident that affects your data, we notify the designated customer contact within 24 hours of detection — with what we know, what we don’t yet know, and what we’re doing about it.

72 hours

Notification to the regulator.

Where the incident triggers DPDP §10 reporting obligations, we notify the Data Protection Board of India within 72 hours, in coordination with you as Data Fiduciary. We share the same incident notice we send to you, plus any additional information the regulator requires.

Talk to us

Who to reach.

Depending on what you need — a procurement question, a security review, a data subject request, or an incident report — here’s where to send it.

Data Protection Officer
dpo@ostronaut.ai — for DPDP questions, sub-processor changes, DPA negotiation
Security incidents
security@ostronaut.ai — 24-hour response window
Grievance redressal
grievance@ostronaut.ai — for data subject rights requests under DPDP
Procurement / contracts
legal@ostronaut.ai — MSA, DPA, SOC questionnaires
Sales / pre-sales
hello@ostronaut.ai — demos, pricing, pilots

Last updated: 29 May 2026 · Ankai Inc. (operating as Ostronaut) · Mumbai, India