Privacy Policy
Last updated: 27 May 2026 · Effective: 27 May 2026
Executive summary
| Scope | Platform role | Primary basis (India DPDP) | Primary basis (EU/UK GDPR) |
|---|---|---|---|
| Website & marketing Visitors, demo requests | Data Fiduciary / Controller | §6: affirmative, explicit consent | Art. 6(1)(a): consent; Art. 6(1)(f): legitimate interest |
| Tenaxis platform Account holders, billing | Data Fiduciary / Controller | §7(b): fulfillment of contract | Art. 6(1)(b): contractual necessity |
| AI agent workflows Data processed inside APIs | Data Processor / Processor | Governed by customer instructions | Governed by customer instructions |
1. Who we are
This Privacy Policy governs the website tenaxis.ai, its subdomains (e.g. semiconductor.tenaxis.ai), and the Tenaxis orchestration platform (collectively, the “Service”), operated by:
DeepBlick Digital Private Limited
Registered office: Mumbai, Maharashtra, India
(“DeepBlick”, “Tenaxis”, “we”, “us”, “our”)
Data Protection / Privacy Officer: privacy@tenaxis.ai
Grievance Redressal Officer (India): grievance@tenaxis.ai, see Section 13.
Regulatory roles
- Under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”), we act as a “Data Fiduciary” for personal data collected from website visitors, prospects, and direct account holders, and as a “Data Processor” for personal data submitted by our enterprise customers to the core platform workflows.
- Under the EU/UK General Data Protection Regulation (“GDPR”), we act as a “Controller” for our website visitors, marketing prospects, and account administrators, and as a “Processor” for data processed within our customers’ platform environments.
2. Scope of this Policy
This Policy applies to personal data we collect through our website, APIs, official sales and support channels, and corporate events. Use of the Tenaxis platform by enterprise customers is additionally governed by our Terms of Use and our corporate Data Processing Addendum.
3. Personal data we collect
a. Information you provide directly
- Identity & contact data: name, work email, company name, professional role, and phone number (only if voluntarily provided).
- Inquiry content: the message body, system metadata, and timestamps submitted via our demo or contact forms.
- Account & billing infrastructure: authentication identifiers, organisation profiles, subscription tiers, GSTIN/PAN (for Indian corporate entities), and billing addresses.
- Support communications: text, chat logs, email correspondence, and attachments transmitted via our support tickets.
b. Information collected automatically
- Technical log data: IP addresses (truncated where possible), browser user-agent strings, referring URLs, system language, and network timestamps.
- Cookies & tracking: localised telemetry managed in accordance with our Cookie Policy.
- Security signals: automated bot-detection tokens (via Cloudflare Turnstile), rate-limiting metadata, and unique server request IDs.
c. Information from third parties
- Identity providers: verified email addresses and authentication tokens when you sign in via a secure access broker (e.g. Google, GitHub, or enterprise single sign-on).
- B2B intelligence: publicly available firmographic and corporate directory data, used exclusively for lawful business-to-business prospecting.
Prohibited data. We do not intentionally collect, store, or process special categories of personal data (such as health conditions, biometrics, religious beliefs, or political opinions). Please do not submit sensitive personal data into our public marketing or demo forms.
4. Purposes & lawful bases
| Purpose | GDPR lawful basis (EU/UK) | DPDP ground / basis (India) |
|---|---|---|
| Responding to demo & contact requests | Art. 6(1)(b): steps prior to contract; Art. 6(1)(f): legitimate interest | §7(a): specified purpose through voluntary disclosure and explicit consent |
| Platform provisioning & security infrastructure | Art. 6(1)(b): contract performance; Art. 6(1)(f): overriding corporate security interests | §7(b): performance of a valid commercial contract and legitimate platform use |
| Service & transactional notifications | Art. 6(1)(b): contractual necessity | §7(b): standard operational performance of a contract |
| Marketing communications | Art. 6(1)(a): explicit consent; Art. 6(1)(f): B2B soft-opt-in where legally recognised | §6: unconditional, free, specific, and clear affirmative consent |
| Telemetry & system improvement | Art. 6(1)(a): cookie consent; Art. 6(1)(f): aggregated metrics | §6: consent for non-essential cookies; anonymisation for metrics |
| Legal, statutory, and financial audit compliance | Art. 6(1)(c): legal obligation | §7(c) / §7(g): compliance with statutory laws or specified public interest directives |
Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the request. Where processing is based on our legitimate interests, you may object, see Section 7.
5. How we share personal data
DeepBlick Digital does not sell personal data. We share information strictly on a need-to-know basis:
- Sub-processors: third-party cloud infrastructure, transactional email systems, and security vendors required to deliver the Service. The current list is at Sub-processors, and each is bound by data protection agreements that require GDPR-equivalent and DPDP-equivalent safeguards.
- Professional advisers: external legal counsel, auditors, and accountants under a duty of confidentiality.
- Law enforcement & statutory authorities: only when compelled by a valid legal process, court order, or state security directive.
- Corporate restructuring: successor entities in a merger, acquisition, or asset financing, subject to notification to affected data subjects where required.
6. International data transfers
Our administrative headquarters and core data engineering functions are in India. Some of our infrastructure sub-processors operate within the European Economic Area (EEA), the United Kingdom, and the United States.
- EEA / UK protections: when transferring data from European jurisdictions to a country without an adequacy decision, we deploy the European Commission’s Standard Contractual Clauses (SCCs) alongside the UK International Data Transfer Addendum (IDTA), complemented by encryption measures.
- Indian DPDP framework: transfers originating from India are permitted to any region except territories specifically restricted by notifications of the Central Government of India. We audit these lists and restrict transfers accordingly.
7. Your legal rights
You have statutory rights regarding your personal data. To exercise them, submit an identity-verified request to privacy@tenaxis.ai or use the form at Contact. We respond to valid requests within 30 days, or sooner where required by law.
Under India’s DPDP Act, 2023
- Right to access a plain-language summary of your data and its processing (§11)
- Right to correction and erasure once the purpose is completed (§12)
- Right of grievance redressal (§13), see Grievance Redressal
- Right to nominate another individual to exercise your rights in the event of death or incapacity (§14)
- Right to withdraw consent as easily as it was given (§6(4))
- Right to complain to the Data Protection Board of India
Under the EU/UK GDPR
- Access and portability (Articles 15 & 20)
- Rectification and erasure (Articles 16 & 17)
- Restriction of, and objection to, processing (Articles 18 & 21)
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority (Article 77)
8. Protection of minors and vulnerable individuals
The Service is built for enterprise and business-to-business workflows.
- Under India’s DPDP Act, 2023: we do not knowingly process the personal data of any individual under the age of 18, nor of a Person with a Disability under the care of a lawful guardian, without verifiable parental or guardian consent.
- Under GDPR: we apply the regional age of digital consent (commonly 16, and 13 in some Member States).
If we discover that a minor’s or vulnerable individual’s data has been uploaded without proper authorisation, we will delete it from our active databases.
9. Data retention lifecycle
- Inquiry & demo form data: up to 24 months from your last recorded interaction, unless converted into an active customer account.
- Corporate account data: the active lifecycle of your subscription, plus the period mandated by financial and tax frameworks (typically 8 years under Indian tax law).
- Security logs & audit trails: 12 months, to satisfy compliance, security investigations, and diagnostics.
- System backups: secure, immutable, rolling snapshots that automatically expire within a maximum window of 35 days.
After the retention period we delete or irreversibly anonymise the data.
10. Data security architecture and incident response
We follow the “reasonable security practices and procedures” standard under Section 43A of India’s Information Technology Act, 2000 and its 2011 Rules, aligned with the ISO/IEC 27001 control baseline:
- Encryption: Transport Layer Security (TLS 1.2 or higher) in transit and AES-256 encryption at rest.
- Access governance: multi-factor authentication across administrative control planes, with least-privilege role access.
- Tenant separation: logical isolation between customer tenants to prevent cross-contamination of live data.
- Incident response: our procedures mandate reporting severe cybersecurity incidents to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of discovery, alongside breach notifications to the Data Protection Board of India and affected data subjects as required under DPDP §8(6) and GDPR Articles 33 to 34.
11. Automated decision-making and multi-agent orchestration
The Tenaxis platform orchestrates autonomous AI agents on behalf of our enterprise clients. DeepBlick Digital does not use autonomous AI models to make decisions that produce legal or similarly significant effects on website visitors or general users.
Where an enterprise customer deploys our infrastructure to run AI workflows that interact with or affect individuals, that customer acts as the sole Data Fiduciary / Controller. The customer is responsible for compliance, including human-in-the-loop overrides, transparency under GDPR Article 22, and local grievance tracks.
12. Updates to this Privacy Policy
We may modify this Policy at any time. When material changes are made, we will update the “Last updated” date above. Where required by local frameworks, we will prompt you for fresh, affirmative consent on your next interaction with the Service.
13. Grievance redressal mechanism (India)
If you have questions, unresolved concerns, or formal complaints about how DeepBlick Digital manages your personal data, you may escalate directly to our designated Grievance Officer.
Designation: Grievance Redressal Officer
Email: grievance@tenaxis.ai
Postal: DeepBlick Digital Private Limited, Mumbai, Maharashtra, India
See also Grievance Redressal.
In accordance with Indian IT and data frameworks, we acknowledge receipt of your grievance within 36 hours and work to resolve the matter within a maximum window of 30 days.
EU/UK data subjects: until an Article 27 representative is formally appointed, you may contact us via the channels above, and we will respond on the same legal standards.