DPDP Act Compliance

How AIVE ONE Beta complies with India's Digital Personal Data Protection Act, 2023 (DPDP Act). This page supplements our Privacy Policy with India-specific regulatory details.

1. About the DPDP Act

The Digital Personal Data Protection Act, 2023 ("DPDP Act") is India's comprehensive data protection law. It establishes the rights of Data Principals (individuals whose personal data is processed), the obligations of Data Fiduciaries (entities that determine the purpose and means of processing), and the regulatory framework overseen by the Data Protection Board of India.

AIVE ONE LLP ("AIVE", "we", "us") operates as a Data Fiduciary under the DPDP Act. This page describes how we fulfil our obligations under the Act.

2. Data Collection and Purpose Limitation

We collect and process personal data only for specific, lawful purposes directly related to providing and improving AIVE ONE Beta. We do not process personal data for purposes incompatible with the original purpose of collection.

Data Category	Purpose	Legal Basis (DPDP Act)
Account information (name, email)	Account creation, authentication, and communication	Consent (Section 6)
Payment and billing data	Subscription management and invoicing	Consent / Legitimate use (Section 7)
Usage analytics	Product improvement and feature development	Consent (Section 6)
Device and system information	Technical support, compatibility, and crash diagnostics	Legitimate use (Section 7)
Media files uploaded to cloud services	Cloud rendering, collaboration, and content delivery	Consent (Section 6)
AI interaction data	AI model improvement and personalized editing assistance	Consent (Section 6)
Support correspondence	Resolving queries and maintaining service quality	Legitimate use (Section 7)

Data minimisation: We collect only the minimum personal data necessary for each stated purpose. Local editing sessions in AIVE ONE Beta do not transmit your media files to our servers unless you explicitly use cloud features.

3. Consent

Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. AIVE obtains consent as follows:

Account registration: By creating an AIVE ONE account, you consent to the processing of your account information as described in our Privacy Policy.
Cookie consent: A consent banner is presented on first visit, allowing you to accept or decline non-essential cookies and analytics. Only essential cookies are set without consent.
AI features: Cloud-based AI processing is opt-in. You are informed before your data is sent to AI services, and you may use local-only processing modes instead.
Marketing communications: Promotional emails require explicit opt-in. You may withdraw consent at any time via account settings or the unsubscribe link in any email.

Withdrawal of Consent

You may withdraw your consent at any time with the same ease with which it was given. Withdrawal can be done through:

Your AIVE ONE account settings page
Email to privacy@aive.one
The grievance officer (see Section 8 below)

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. However, we will cease processing your personal data for the specified purpose promptly upon receiving your withdrawal request, and no later than 7 business days.

4. Data Principal Rights

The DPDP Act grants every Data Principal the following rights. AIVE honours all of these without exception:

Right to Access (Section 11)

You have the right to obtain a summary of your personal data being processed by AIVE, the processing activities undertaken, the categories of personal data involved, and the identities of all Data Fiduciaries and Data Processors with whom your data has been shared.

Right to Correction and Erasure (Section 12)

You may request correction of inaccurate or misleading personal data, completion of incomplete data, updating of outdated data, and erasure of personal data that is no longer necessary for the purpose for which it was collected.

Right to Grievance Redressal (Section 13)

You have the right to lodge a complaint with our Grievance Officer regarding any processing of your personal data. If unsatisfied with our response, you may escalate to the Data Protection Board of India.

Right to Nominate (Section 14)

You may nominate another individual to exercise your Data Principal rights on your behalf in the event of your death or incapacity. Nomination can be registered through your account settings or by contacting our Data Protection Officer.

How to Exercise Your Rights

To exercise any of the above rights, contact our Data Protection Officer at privacy@aive.one with the subject line "DPDP Act Request". We will verify your identity and respond within 30 days, as required by the Act. There is no fee for exercising these rights.

5. Data Retention

We retain personal data only for as long as it is necessary to fulfil the purpose for which it was collected, or as required by applicable law. When personal data is no longer needed, we erase or anonymise it.

Data Category	Retention Period	Rationale
Account information	Duration of account + 90 days	Account recovery window
Payment records	7 years after transaction	Income Tax Act, 1961 and GST requirements
Usage analytics	24 months (rolling)	Product improvement cycles
Cloud-rendered media	30 days after last access	Delivery and re-download window
Support correspondence	3 years after resolution	Service quality and dispute resolution
AI interaction logs	12 months (rolling)	Model improvement and audit
Server and access logs	12 months	Security monitoring and compliance

Upon account deletion, we erase all personal data within 90 days, except where retention is required by law (such as tax and financial records under the Income Tax Act, 1961).

6. Cross-Border Data Transfers

The DPDP Act permits transfer of personal data outside India, except to countries or territories notified by the Central Government as restricted. As of the effective date of this page, no such restricted list has been published.

Our Transfer Practices

Primary processing: All core data processing occurs on servers located in India.
Cloud infrastructure: We use infrastructure providers with data centres in India (Mumbai region) as the primary location for all user data.
Third-party processors: Certain third-party services (payment processors, email delivery) may process data outside India. We ensure contractual safeguards are in place requiring equivalent data protection standards.
AI processing: AI model inference for cloud features may occur on servers outside India. No personally identifiable information is included in AI inference requests; only anonymized content data is transmitted.

Restricted territories: If the Central Government notifies any country or territory as restricted for data transfers under Section 16(1) of the DPDP Act, we will promptly cease transfers to those jurisdictions and update this page accordingly.

7. Data Security

As a Data Fiduciary, we implement reasonable security safeguards to protect personal data from unauthorised access, use, modification, disclosure, or destruction. Our measures include:

Encryption of personal data in transit (TLS 1.3) and at rest (AES-256)
Access controls with role-based permissions and multi-factor authentication for administrative access
Regular security audits and vulnerability assessments
Incident response procedures with notification to the Data Protection Board and affected Data Principals in the event of a personal data breach
Employee training on data protection obligations under the DPDP Act
Data Processing Agreements with all third-party processors

Breach Notification

In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals without unreasonable delay, as required under Section 8(6) of the DPDP Act. Notification will include the nature of the breach, the personal data affected, and the remedial measures taken.

8. Grievance Officer

In accordance with Section 13 of the DPDP Act, we have appointed a Grievance Officer to address your concerns regarding the processing of your personal data.

Grievance Officer Details

Name: Data Protection Officer, AIVE ONE LLP

Address: AIVE ONE LLP, New Delhi, India

Email: privacy@aive.one

Response time: We will acknowledge your grievance within 48 hours and provide a resolution within 30 days of receipt.

Escalation

If you are not satisfied with the resolution provided by our Grievance Officer, you may file a complaint with the Data Protection Board of India, as established under the DPDP Act.

9. Children's Data

AIVE ONE Beta is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. Under the DPDP Act, processing of children's personal data requires verifiable consent from a parent or lawful guardian.

If we become aware that we have collected personal data from a child without verifiable parental consent, we will take steps to erase that data promptly. If you believe we have inadvertently collected a child's data, please contact our Grievance Officer.

10. Significant Data Fiduciary

If the Central Government designates AIVE ONE LLP as a Significant Data Fiduciary under Section 10 of the DPDP Act, we will comply with all additional obligations, including:

Appointing an independent Data Auditor to evaluate compliance
Conducting periodic Data Protection Impact Assessments
Appointing a Data Protection Officer based in India
Publishing the results of audits as required by the Board

11. Updates to This Page

We will update this DPDP compliance page as the regulatory framework evolves, including when the Central Government issues rules, notifications, or guidance under the DPDP Act. Material changes will be communicated through our Privacy Policy update mechanism (30 days advance notice via email or in-app notification).

Last updated: 3 June 2026

Related Legal Pages

Privacy Policy — Full privacy policy including data processing details
Terms of Service — Terms governing use of AIVE ONE Beta
Open-Source Licenses — Third-party software attributions
Trademarks — Trademark attributions and usage guidelines