Skip to main content

Audacieuse: Data Processing Addendum (DPA)

Effective Date: June 18, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between the Merchant ("you", the Data Fiduciary) and Audacieuse AI Innovations Private Limited (the Data Processor), and applies where we process personal data on your behalf through the Platform. This is principally personal data of your Shoppers and end users ("Shopper Data") through your KiEo storefront; it also covers any personal data contained in the financial and tax records you process through GanitSy, which we handle on the same terms (references to "Shopper Data" below apply equally to such GanitSy data). It is intended to align with the Digital Personal Data Protection Act, 2023 (DPDP).

1. Roles

You are the Data Fiduciary (controller) of Shopper Data and determine the purposes and means of processing. We are your Data Processor and process Shopper Data only on your documented instructions (which include your configuration and use of the Platform), except where law requires otherwise.

2. Scope of processing

  • Subject matter: provision of the Platform (KiEo and GanitSy).
  • Nature/purpose: hosting, storing, and processing Shopper Data to operate your store (orders, customers, communications, analytics) and provide support.
  • Categories of data subjects: your Shoppers and store users.
  • Categories of data: identifiers and contact details, order and delivery details, transaction metadata, and storefront activity.
  • Duration: for the term of the Terms and the retention period in §7.

3. Our obligations

We will:

  1. Process Shopper Data only on your instructions and for the purposes above.
  2. Maintain reasonable security safeguards (§5).
  3. Ensure personnel with access are bound by confidentiality.
  4. Assist you by providing access to Shopper Data, logs, and other information you reasonably need to respond to Data Principal access, correction, and erasure requests and to meet your security-incident, breach-notification, and compliance obligations. This assistance is technical and informational; we do not provide legal advice.
  5. Make available information reasonably necessary to demonstrate compliance.
  6. Refuse or seek clarification on any instruction we reasonably believe violates applicable law or this DPA.

4. Your obligations

You will:

  1. Have a valid legal basis (e.g. consent, a legitimate use, or a legal obligation recognised under the DPDP Act) and provide all required notices to your Shoppers.
  2. Issue only lawful instructions and ensure your use of the Platform complies with applicable law.
  3. Be responsible for the accuracy and lawfulness of Shopper Data you collect.

5. Security

We implement reasonable technical and organisational measures appropriate to the risk, including encryption in transit, access controls, tenant/row-level isolation, and monitoring. You are responsible for securely configuring your store and managing your users' access.

6. Sub-processors

6.1 You authorise us to engage sub-processors (e.g. cloud hosting, payment processing, email/communications, analytics, and AI providers) to process Shopper Data to provide the Platform.

6.2 We impose data-protection obligations on sub-processors substantially equivalent to those in this DPA (including the security measures in §5) and remain responsible for their performance. We will maintain a current list of material sub-processors, including each one's primary function (e.g. cloud hosting, payment processing, email/communications, analytics, and AI providers such as Azure OpenAI, Google, and Anthropic), available on request from our Grievance Officer ([email protected]). We will notify you of material sub-processor changes at least 30 days in advance; if you reasonably object, you may terminate this agreement. For sub-processors that process Shopper Data outside India, the transfer safeguards in §9 and the Privacy Policy §6 (contractual safeguards permitted under the DPDP Act framework) apply.

7. Retention and deletion

We retain Shopper Data for the term and, after termination, delete or return it (at your election) within 90 days, except where longer retention is required by law (e.g. GST invoices, litigation holds). This aligns with the export window in the Billing Policy §9 and the Privacy Policy §7.

8. Personal data breach

We will notify you of a personal data breach affecting Shopper Data without undue delay and in any case no later than 24 hours after we discover it. We will provide the information reasonably available to us, including (a) the categories of data subjects and data affected, (b) the likely impact, and (c) recommended mitigation, so that you can meet your own breach-reporting and Shopper notification obligations within the timelines required under the DPDP Act.

9. International transfers

Some sub-processors (e.g. the AI providers named in §6.2 and the Privacy Policy §4) operate outside India, including in the United States. Where Shopper Data is processed outside India, we transfer it only to jurisdictions and under mechanisms permitted by the DPDP Act framework , including the contractual safeguards permitted under the DPDP Act framework, and impose the obligations in §6.2 on those sub-processors. See the Privacy Policy §6 for further detail. A list of provider jurisdictions and the safeguards relied on is available on request.

10. Liability

The liability limitations and exclusions in the Terms of Service apply to this DPA. In case of conflict between this DPA and the Terms regarding processing of Shopper Data, this DPA prevails.