Furobox is a product of Sytrus AI Pvt Ltd ("we", "our", or "us"), a company incorporated under the laws of India. We are committed to protecting your privacy and ensuring transparency about how your personal information is collected, used, stored, and shared. This Privacy Policy applies to all users worldwide and explains your rights and choices regarding your data when using our AI-powered productivity platform at https://www.furobox.com and all associated services (collectively, the "Service").
This Privacy Policy constitutes an 'electronic record' as defined under the Information Technology Act, 2000 and rules made thereunder (as amended from time to time), and is published in accordance with Rule 3(1) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
This Privacy Policy also reflects our obligations as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ('DPDP Act') and the Digital Personal Data Protection Rules, 2025 ('DPDP Rules'). By using the Service, you acknowledge and consent to the collection, storage, processing, and use of your personal data as described in this Policy.
1. Information We Collect
1.1 Information You Provide Directly
- Personal Information: Name, email address, phone number, profile information, and login credentials.
- Account Data: Profile preferences, language settings, theme preferences, and account configurations.
- User Content: AI prompts, chat messages, documents, audio files, images, resumes, and any other content you upload or create using the Service.
- Communication Data: Support emails, feedback, survey responses, and other communications you send us.
- Payment Information: Billing address and payment method details — processed directly by Razorpay. We store only transaction confirmations, payment status, the last 4 digits of your card, card network, card type, and billing metadata for receipt generation and billing reference. We never store your full card number, CVV, or UPI credentials.
1.2 Information Collected Automatically
- Device Information: IP address, browser type and version, device identifiers, operating system, and device model.
- Usage Information: Feature usage patterns, tool interactions, pages visited, session duration, and API request data.
- Log Data: Server logs, error reports, and timestamps.
- Cookies and Tracking Technologies: As described in Section 9 below.
1.3 Information Collected from Guest (Unauthenticated) Users
If you use the Service without creating an account ('Guest Use'), we still collect certain information automatically in order to operate the Service fairly and prevent abuse:
- IP Address: We collect and store your IP address to identify your device session, enforce usage limits for guest users, and prevent circumvention of those limits.
- Usage Counters: We track the number of AI requests, prompts, and tool interactions made during your guest session to enforce fair usage restrictions.
- Session Identifiers: Temporary session tokens or cookies may be used to maintain your guest session and associate usage with your device.
- Browser and Device Signals: Browser type, device type, and operating system, used in combination with your IP address for usage tracking purposes.
Guest usage data is collected solely for the purpose of enforcing usage limits and preventing abuse. We do not use guest IP addresses for advertising, profiling, or sale to third parties. Guest usage data is retained for a maximum of 30 days, after which it is automatically deleted.
1.4 Information from Third Parties
- Authentication Providers: If you sign in using Google or another third-party provider, we receive your name, email address, and profile picture from that provider.
- Payment Processors: We receive transaction confirmations, payment status, and billing metadata from Razorpay and Stripe.
2. How We Use Your Information
- Service Delivery: To provide AI tools, generate content, process documents and audio, and deliver core platform functionality.
- Account Management: To create, maintain, authenticate, and secure your account and profile.
- Payment Processing: To manage subscriptions, process payments, handle billing disputes, and prevent payment fraud.
- Customer Support: To respond to inquiries, resolve technical issues, and address grievances.
- Platform Improvement: To analyse usage patterns, enhance existing features, and develop new tools.
- AI Model Training: As described in Section 19 below, subject to your consent and opt-out rights.
- Guest Usage Enforcement: To track unauthenticated (guest) usage via IP address and session data in order to enforce fair usage limits and prevent circumvention of those limits without account registration.
- Security and Fraud Prevention: To protect against unauthorised access, fraud, abuse, and threats to the platform, including detection of automated or bulk guest usage.
- Legal Compliance: To comply with applicable laws, regulations, court orders, and legal obligations.
- Communications: To send service updates, billing notifications, security alerts, and important account information.
- Subscription Lifecycle Management: To automatically process subscription renewals, expirations, plan downgrades, and free plan activations. This includes sending expiry warning emails 3 days before your subscription expires when auto-renewal is disabled.
- Account Lifecycle Management: To manage account deletion pipelines including soft-deletion (30-day recovery window) and permanent hard-deletion after 30 days. Orphaned accounts without an active subscription are automatically assigned a Free plan.
3. Legal Bases for Processing
We process your personal data on the following legal bases depending on your jurisdiction:
- Consent (DPDP Act / GDPR Art. 6(1)(a)): Where you have given explicit, informed, and unambiguous consent for specific processing activities, including AI model training and marketing communications. You may withdraw consent at any time.
- Contract Performance (GDPR Art. 6(1)(b)): Processing necessary to provide services under our Terms and Conditions and to fulfil your subscription.
- Legal Obligation (GDPR Art. 6(1)(c)): To comply with applicable laws, tax obligations, and regulatory requirements.
- Legitimate Interests (GDPR Art. 6(1)(f)): For platform security, fraud prevention, service improvement, business operations, and enforcement of fair guest usage limits (including IP-based usage tracking), where such interests are not overridden by your rights and interests.
For Indian users, processing is primarily based on your consent as required under the DPDP Act 2023. Consent is obtained through clear, affirmative action (such as checking a box during registration) and may be withdrawn at any time.
4. Third-Party Service Providers
We share your information with trusted third-party providers who help us deliver our services. All third-party providers are bound by data processing agreements and are required to maintain appropriate security standards.
- Payment Processing: Razorpay — for secure payment processing and subscription management.
- AI Model Providers: OpenAI, Google AI (Gemini), Microsoft Azure AI (including OpenAI on Azure), Anthropic, Mistral AI, DeepSeek, and xAI (Grok) — for content generation and natural language processing. Your inputs may be transmitted to these providers to generate responses.
- Cloud Infrastructure: Microsoft Azure and Amazon Web Services (AWS) — for secure data storage, hosting, and processing.
- Translation Services: Microsoft Azure Translator — for multilingual content delivery across supported languages.
- Communication: Email service providers — for transactional emails, billing notifications, and service communications.
- SMS / OTP Verification: Twilio — for phone number verification and OTP delivery.
- Analytics: We use Google Analytics 4 (Google LLC) and Microsoft Clarity (Microsoft Corporation) to collect data about website traffic, unique visitors, geographic location, session behaviour, and device information. These tools may set cookies and transmit data to servers in the United States. Microsoft Clarity may also record session replays and heatmaps of user interactions. Data collected is governed by Google's Privacy Policy and Microsoft's Privacy Policy respectively. We also maintain our own server-side usage logging for internal platform metrics.
- Security: Security monitoring services — for fraud detection, threat prevention, and platform integrity.
- Legal Compliance: Government authorities and legal bodies — when required by applicable law, court order, or regulatory mandate.
We do not sell your personal data to third parties for their own marketing or commercial purposes.
5. Payment Processing Details
- Razorpay is our sole payment processor for all transactions — both domestic (India) and international.
- Credit card, debit card, UPI, net banking, EMI, and digital wallet details are processed directly by Razorpay and are never stored on our servers.
- We store only the following payment metadata: transaction ID, Razorpay order ID, payment status, last 4 digits of card, card network, card type, and billing currency — solely for receipt generation, billing support, and legal compliance.
- We also store the UPI VPA (Virtual Payment Address) and bank name where applicable, for transaction reference and audit purposes only.
- All payment data processed by Razorpay is governed by Razorpay's privacy policy and PCI-DSS compliance standards.
- We retain payment transaction records and billing history for 7 years for legal, tax, and accounting compliance.
- Subscription renewal and auto-renewal status, including Razorpay subscription IDs and plan IDs, are stored to manage recurring billing.
- PDF receipts are automatically generated and stored on our servers for each successful transaction and are accessible via your account billing portal.
6. International Data Transfers
Your data may be processed outside your country of residence, including in India, the United States, the European Union, and other countries where our service providers operate. When your data is transferred internationally, we ensure appropriate legal safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, for transfers of EEA/UK personal data to third countries.
- Data Processing Agreements (DPAs) with all third-party providers who process personal data on our behalf.
- Adequacy decisions by relevant data protection authorities, where applicable.
- Binding corporate rules or certification schemes, where applicable.
For Indian users, cross-border transfers of personal data are conducted in accordance with the DPDP Act 2023 and applicable government notifications regarding permitted transfer destinations.
7. Data Retention Periods
We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law.
- Account Data: Retained while your account is active and deleted within 30 days of account closure, unless retention is required by law.
- User-Generated Content and Chat History: Retained according to your subscription plan — 30 days for Free plan users, and for the duration of the subscription for paid users.
- Payment and Billing Records: Retained for 7 years for legal, tax, and accounting compliance.
- Support Communications: Retained for 3 years for quality assurance and dispute resolution.
- Security and Audit Logs: Retained for 12 months for security monitoring, fraud prevention, and incident investigation.
- Anonymised Analytics Data: Retained for up to 26 months for service improvement. Once anonymised, this data is no longer considered personal data.
- AI Training Data: Where used for model training, processed in anonymised or aggregated form. Identifiable data is not retained beyond the standard retention periods above.
Upon expiry of the applicable retention period, your data is securely deleted or irreversibly anonymised.
8. Your Data Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you and information about how it is processed.
- Right to Rectification / Correction: Correct inaccurate, incomplete, or misleading personal data.
- Right to Erasure ('Right to be Forgotten'): Request deletion of your personal data, subject to legal obligations that require retention.
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
- Right to Restrict Processing: Request that we limit how we process your personal data in certain circumstances.
- Right to Withdraw Consent: Withdraw consent for any specific processing activity at any time, without affecting the lawfulness of prior processing.
- Right to Grievance Redressal (DPDP Act): File a complaint with our Grievance Officer and, if unresolved, escalate to the Data Protection Board of India.
- Right to Nomination (DPDP Act): Nominate another individual to exercise your data rights on your behalf in case of death or incapacity. Contact us at privacy@sytrusai.com to submit a nomination.
- Right to Lodge a Complaint (GDPR): EEA/UK users may lodge a complaint with their local Data Protection Authority if they are unsatisfied with our response.
To exercise any of these rights, contact us at privacy@sytrusai.com. We will acknowledge your request within 72 hours and respond within 30 days (or sooner where required by law). We may require identity verification before processing your request.
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate the Service, remember your preferences, and analyse usage. Cookies may be set whether or not you are logged in and may track activity across pages and sessions.
- Essential Cookies: Required for login sessions, CSRF protection, and core platform functionality. These cannot be disabled without affecting your ability to use the Service.
- Analytics Cookies: We use Google Analytics 4 and Microsoft Clarity, which set cookies to distinguish unique visitors, measure session duration, track pages visited, and analyse usage patterns. You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout). You may opt out of Microsoft Clarity via Microsoft's privacy controls.
- Performance Cookies: Monitor service performance, load times, and error tracking to maintain platform stability.
- Preference Cookies: Remember your settings such as language, theme (dark/light mode), and sidebar state.
You can manage or disable non-essential cookies through your browser settings. Disabling non-essential cookies may limit some features but will not affect core functionality.
We honour recognised Global Privacy Control (GPC) signals where legally required. See Section 21 for more detail.
10. Security Measures
We implement industry-standard technical and organisational security measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) and at rest for sensitive data.
- Access controls and role-based permissions limiting data access to authorised personnel.
- Multi-factor authentication and secure credential management.
- Regular security assessments, vulnerability scanning, and penetration testing.
- Employee training on data protection and security protocols.
- Incident response procedures and data breach notification protocols.
- Automated security cleanup processes, including daily IP lockout reviews, OTP expiry cleanup, and account deletion pipelines that run on scheduled intervals.
- Audit logs of all automated system jobs (cron jobs) are maintained for security monitoring and forensic investigation.
No method of transmission over the internet is 100% secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly to security@sytrusai.com.
11. Automated Decision-Making and Profiling
The following automated processes run on scheduled intervals and may affect your account without direct human intervention:
- Subscription Expiry Processing (hourly): Expired paid subscriptions are automatically detected, deactivated, and downgraded to the Free plan if auto-renewal fails or is disabled.
- Auto-Renewal (hourly): Subscriptions with auto-renewal enabled are automatically renewed at expiry. Free plans are renewed every 30 days automatically.
- Expiry Warning Emails (daily): If your subscription is set to expire within 3 days and auto-renewal is disabled, you will automatically receive a warning email.
- Account Hard Deletion (daily at 03:30 IST): Accounts soft-deleted more than 30 days ago are permanently and irreversibly hard-deleted from our systems.
- Data Retention Cleanup (daily at 03:00 IST): User content older than your configured data retention period is automatically deleted.
- IP Lockout Management (weekly): IP-based security lockout records older than 30 days are deleted. Expired lockouts are automatically reset.
- OTP Cleanup (daily at 04:00 IST): Expired or used one-time passwords are automatically deleted after 7 days.
- AI Model Routing: AI model selection and routing based on your subscription tier and request type.
- Usage Quota Enforcement: Token usage limits are automatically tracked and enforced per billing cycle. Access is restricted when limits are reached.
- Account Suspension Triggers: Accounts may be automatically flagged or restricted based on detected policy violations or suspicious activity.
Where any of these automated processes significantly affect your account — for example, unexpected account deletion, subscription deactivation, or access restriction — you have the right to request human review by contacting support@sytrusai.com. We will respond within 15 business days.
We do not use your personal data for automated profiling that produces legal or similarly significant effects beyond the operational purposes described above.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Data Protection Board of India (where required under the DPDP Act) within the timeframe prescribed by applicable law.
- Notify affected users via registered email address within 72 hours of becoming aware of the breach, where required by GDPR or DPDP Act.
- Provide information about the nature of the breach, data affected, likely consequences, and steps we are taking to address it.
- Post a notice on our website if the breach affects a large number of users and individual notification is not immediately practicable.
- Take immediate steps to contain the breach, assess its impact, and prevent recurrence.
If you suspect a breach or security incident, please notify us immediately at security@sytrusai.com.
13. Third-Party Links and Services
Our platform may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices or content of these external services. We encourage you to review the privacy policies of any third-party services you access through the Service before providing any personal information.
14. Children's Privacy
Our Service is not intended for children under 13 years of age. If you are located in the European Economic Area (EEA) or United Kingdom, the minimum age is 16 (or as defined by your local law). For Indian users, the DPDP Act 2023 requires verifiable parental consent before processing personal data of children under 18.
- We do not knowingly collect personal data from children below the applicable minimum age without verifiable parental or guardian consent.
- If we discover that we have inadvertently collected personal data from a child below the applicable age without proper consent, we will delete it promptly.
- If you believe we may have collected information from a child below the applicable age, please contact us immediately at privacy@sytrusai.com.
- Users aged 13–18 may use the Service only under the strict guidance and supervision of a parent or guardian, who must agree to these terms on their behalf.
15. California Consumer Privacy Act (CCPA / CPRA) Rights
If you are a California resident, you have the following additional rights under the CCPA and California Privacy Rights Act (CPRA):
- Right to Know: Know what categories and specific pieces of personal information we collect, use, disclose, and sell.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out: We do not sell or share personal information for cross-context behavioural advertising.
- Right to Limit Sensitive Data Use: Limit our use of sensitive personal information to permitted purposes.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at privacy@sytrusai.com with 'CCPA Request' in the subject line. We will respond within 45 days as required by California law.
16. India Data Protection Rights (DPDP Act 2023)
For users in India, you have the following rights under the Digital Personal Data Protection Act 2023 and DPDP Rules 2025:
- Right to Access Information: Obtain a summary of the personal data we process about you and the purposes of processing.
- Right to Correction and Erasure: Correct inaccurate or incomplete personal data, and request erasure of data that is no longer necessary for the purpose it was collected.
- Right to Grievance Redressal: File complaints with our Grievance Officer (see Section 18). If unresolved within 15 working days, you may escalate to the Data Protection Board of India.
- Right to Nomination: Nominate an individual to exercise your data rights on your behalf in the event of your death or incapacity. Submit nominations to privacy@sytrusai.com.
- Right to Withdraw Consent: Withdraw consent for processing at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
We will respond to DPDP Act data requests within 30 days. Requests may be submitted to privacy@sytrusai.com.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable legal requirements. The latest version is always available at https://www.furobox.com/privacy-policy. We will notify you of significant changes through:
- Email notifications sent to your registered email address at least 30 days before major changes take effect.
- In-app notifications when you next log in.
- A prominent notice on our website for material policy updates.
Your continued use of the Service after changes take effect constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you must stop using the Service before the effective date.
This Privacy Policy is drafted in English. Translations into other languages are provided for convenience only. In the event of any inconsistency between the English version and a translated version, the English version shall prevail.
18. Grievance Officer (India — IT Rules 2021 / DPDP Act 2023)
In accordance with the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer to address privacy and data protection concerns:
- Name: Het Patel
- Designation: Grievance Officer, Sytrus AI Pvt Ltd
- Email: grievance@sytrusai.com
- Address: Sytrus AI Pvt Ltd, Gandhinagar, Gujarat, India
- Working Hours: Monday–Friday, 9:00 AM – 6:00 PM IST
- Response Time: Acknowledgment within 24 hours; resolution within 15 working days as required by law.
If your grievance remains unresolved after 15 working days, you may escalate to the Data Protection Board of India (for DPDP Act complaints) or the appropriate consumer forum under the Consumer Protection Act, 2019.
19. AI Training and Model Improvement
We may use your prompts, uploaded files, generated outputs, and usage metadata to train, fine-tune, evaluate, or otherwise improve our own AI models. We do not sell your personal data. Where feasible, we apply anonymisation, pseudonymisation, or aggregation to minimise the risk of identifying you.
- Scope: Training and evaluation may include textual inputs and outputs, metadata (e.g., timestamps, feature usage), and de-identified metrics.
- Third-Party AI Providers: When we route requests to third-party AI providers (e.g., OpenAI, Anthropic, Google, Mistral, DeepSeek, xAI), we instruct them not to use your data to train their foundation models unless you or we have separately consented or opted in per their policies. See their respective privacy policies for details.
- Enterprise / Confidential Workflows: For enterprise or high-sensitivity use cases, you or your organisation may request a restricted processing mode excluding your data from our model training pipelines, subject to technical feasibility. Contact privacy@sytrusai.com.
- Your Opt-Out Choices: You may opt out of AI model training use at any time by:
  - Updating your privacy preferences in your account settings (Privacy tab), or
  - Emailing privacy@sytrusai.com with the subject line 'Training Data Opt-Out'.
- Legal Bases: Legitimate interests in improving the Service and developing new features; and where required, your consent.
20. Marketing Communications and Opt-Out
With your consent, we may send you product updates, tips, promotional offers, and newsletters about Furobox and Sytrus AI products. You can opt out of marketing communications at any time by:
- Clicking the 'Unsubscribe' link in any marketing email.
- Updating your communication preferences in your account settings.
- Contacting us at privacy@sytrusai.com.
Even after opting out of marketing, we may still send you transactional or service-related communications such as billing notifications, security alerts, and important account updates. These are necessary for the operation of your account and cannot be disabled while your account is active.
22. Business Transfers
If Sytrus AI Pvt Ltd is involved in a merger, acquisition, financing, reorganisation, sale of assets, or similar transaction, your personal data may be transferred as part of that transaction, subject to applicable law. We will provide you with reasonable notice of any such transfer and any material change to how your data is handled, and where required by law we will seek your consent.
23. GDPR / UK GDPR Notice (EEA and UK Users)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data in accordance with the General Data Protection Regulation (GDPR) and UK GDPR respectively.
- Data Controller: Sytrus AI Pvt Ltd (see Section 24 for contact details).
- Lawful Bases (GDPR Art. 6): Performance of a contract, your consent, legal obligation, and legitimate interests (e.g., security, fraud prevention, service improvement).
- International Transfers: We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards when transferring personal data outside the EEA/UK. See Section 6.
- Right to Complain: You have the right to lodge a complaint with your local Data Protection Authority (e.g., the ICO in the UK, or your national DPA in the EU) if you are unsatisfied with how we handle your personal data.
- Data Retention: Personal data is retained only for as long as necessary. See Section 7 for specific retention periods.
For EU/UK data subject requests, contact privacy@sytrusai.com. We will respond within one calendar month, subject to permitted extensions for complex or multiple requests.
24. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or your personal data:
- General Support: support@sytrusai.com
- Privacy / Data Rights / Training Opt-Out: privacy@sytrusai.com
- Grievance Officer (India): grievance@sytrusai.com — Het Patel
- Security Vulnerabilities: security@sytrusai.com
- Company: Sytrus AI Pvt Ltd, Gandhinagar, Gujarat, India
- Business Hours: Monday–Friday, 9:00 AM – 6:00 PM IST