Privacy Policy
Effective Date: January 25, 2026
1. Introduction and Scope
REDSCVRY TECHNOLOGY PRIVATE LIMITED ("DscvryAI," "we," "us," or "our") is committed to protecting the privacy and security of personal information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use the Axiom Word Plugin (the "Service").
This Policy applies to:
- Users of the Axiom Word Plugin (desktop and web versions)
- Visitors to our website at axiom.dscvryai.com
- Enterprise administrators managing organizational deployments
- Individuals who interact with our sales and support teams
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Data Controller Information
For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the data controller is:
REDSCVRY TECHNOLOGY PRIVATE LIMITED
Email: axiom@dscvryai.com
For enterprise customers, DscvryAI acts as a data processor with respect to Customer Data processed on behalf of the customer, who remains the data controller.
3. Zero Data Retention Commitment
We have architected the Axiom Service on "Zero Data Retention" principles:
- No Document Storage: The content of your legal documents is processed in volatile memory only. We do not write document content to persistent storage on our servers.
- No AI Training: We strictly do not use your documents, prompts, or outputs to train, fine-tune, or improve our AI models or any third-party AI models.
- Session-Based Processing: When your session ends, document content in memory is released and cannot be recovered.
- Enterprise Isolation: Enterprise customer data is logically isolated and processed in dedicated contexts.
4. Categories of Personal Data We Collect
We collect and process the following categories of personal data:
4.1 Account Information
When you create an account or authenticate via Single Sign-On (SSO), we collect:
- Name and email address
- Organization name (for enterprise accounts)
- Azure AD/Microsoft Entra ID identifiers
- Profile information provided by your identity provider
4.2 Document Content (Transient Processing)
When you use the Service, we transiently process:
- Text content from your active Word document
- Selected text or paragraphs you choose to analyze
- Prompts, instructions, and queries you submit
Note: This data is processed in-memory only and is not persistently stored.
4.3 Usage and Analytics Data
We automatically collect:
- Feature usage patterns (which functions are used, frequency)
- Error logs and performance metrics
- Session duration and interaction timestamps
- Device type, operating system, and application version
- General geographic location (country/region level)
4.4 Audit Trail Data (Enterprise)
For enterprise customers with audit logging enabled, we may log:
- User actions within the Service (e.g., analysis performed, clauses generated)
- Timestamps and user identifiers for each action
- Metadata about documents (e.g., document name, action type)
Note: Document content is not included in audit logs unless specifically configured by the customer's administrator.
5. Legal Basis for Processing (GDPR)
We process personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of contract (GDPR Art. 6(1)(b)) |
| Account management | Performance of contract (GDPR Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interests (GDPR Art. 6(1)(f)) |
| Service improvement and analytics | Legitimate interests (GDPR Art. 6(1)(f)) |
| Legal compliance | Legal obligation (GDPR Art. 6(1)(c)) |
| Marketing (where applicable) | Consent (GDPR Art. 6(1)(a)) |
6. How We Use Your Data
We use personal data for the following purposes:
- Service Delivery: To provide the AI-powered contract analysis, drafting, and research features you request.
- Authentication: To verify your identity and manage access to the Service.
- Ethics Firewall: To ensure AI outputs comply with ethical guidelines and legal restrictions (without storing content).
- Security: To detect, prevent, and respond to security incidents, fraud, and abuse.
- Service Improvement: To analyze usage patterns, identify bugs, and improve Service functionality.
- Customer Support: To respond to inquiries and provide technical assistance.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
- Communications: To send service-related notifications, updates, and security alerts.
7. Data Sharing and Third-Party Subprocessors
7.1 Categories of Recipients
We may share personal data with:
- AI Model Providers: To process your prompts and generate AI outputs.
- Infrastructure Providers: To host and deliver the Service.
- Analytics Providers: To analyze usage and improve the Service.
- Payment Processors: To process subscription payments (if applicable).
- Legal and Regulatory Authorities: As required by law or to protect our rights.
7.2 Current Subprocessors
We use the following key subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud (Gemini API) | AI model inference and reasoning | Global (Enterprise terms) |
| Cloudflare | Edge hosting, AI Gateway, security | Global edge network |
| Microsoft Azure | SSO authentication (Azure AD/Entra ID) | As configured by customer |
AI Model Provider Commitment: Under our enterprise agreement with Google, inputs processed via the Gemini API are not used to train or improve Google's AI models.
8. International Data Transfers
Your personal data may be transferred to and processed in countries outside your country of residence. When we transfer data internationally, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers from the EEA to countries without an adequacy decision.
- Data Processing Agreements: We maintain DPAs with all subprocessors that include transfer impact assessments.
- Encryption: All data transfers are encrypted using TLS 1.3.
Enterprise customers may request information about specific transfer mechanisms and supplementary measures.
9. Data Retention Periods
We retain personal data for the following periods:
| Data Type | Retention Period |
|---|---|
| Document Content | Not retained (in-memory processing only) |
| Account Information | Duration of account + 90 days after deletion |
| Audit Trail Data | As configured by customer (default: 12 months) |
| Usage Analytics | 24 months (aggregated/anonymized) |
| Error Logs | 30 days |
| Billing Records | 7 years (legal requirement) |
10. Your Privacy Rights
Depending on your location and applicable law, you may have the following rights:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data in certain circumstances.
- Right to Restrict Processing: Request that we limit how we use your data.
- Right to Data Portability: Request your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
To exercise these rights, contact us at axiom@dscvryai.com. We will respond within 30 days (or as required by applicable law).
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom we share it.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell personal information or share it for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted by law.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To submit a request, email axiom@dscvryai.com with the subject line "California Privacy Request."
12. European Economic Area Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have specific rights under the GDPR:
- All rights listed in Section 10 above apply.
- You have the right to lodge a complaint with your local supervisory authority.
- For transfers outside the EEA, we rely on Standard Contractual Clauses or other approved mechanisms.
Our designated representative for GDPR purposes can be reached at axiom@dscvryai.com.
13. Cookies and Tracking Technologies
Our website and Service may use the following technologies:
- Essential Cookies: Required for the Service to function (authentication, session management). Cannot be disabled.
- Analytics Cookies: Help us understand how users interact with the Service. Can be disabled via browser settings.
The Axiom Word Plugin itself does not use tracking cookies. Any cookies are limited to web-based interfaces for authentication purposes.
You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect Service functionality.
14. Security Measures
We implement robust technical and organizational measures to protect your personal data:
- Encryption: TLS 1.3 for data in transit; AES-256 for any data at rest.
- Access Controls: Role-based access, multi-factor authentication, and least-privilege principles.
- Edge Processing: All requests route through Cloudflare's secure global edge network, reducing latency and exposure.
- Regular Audits: Security assessments and penetration testing conducted regularly.
- Incident Response: Documented procedures for detecting, reporting, and mitigating security incidents.
- Employee Training: Security awareness training for all personnel with access to customer data.
15. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at axiom@dscvryai.com, and we will promptly delete it.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will provide notice of material changes by:
- Posting the updated Policy on our website with a new "Effective Date"
- Sending email notification to registered users for material changes
- Displaying a notice in the Service interface
We encourage you to review this Policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated Policy.
17. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
REDSCVRY TECHNOLOGY PRIVATE LIMITED
Email: axiom@dscvryai.com
Subject Line: Privacy Inquiry
We aim to respond to all inquiries within 30 days.
18. Additional Disclosures
18.1 "Do Not Track" Signals
Some web browsers transmit "do not track" signals. The Service does not currently respond to these signals, but we honor our commitments regarding tracking and data use as described in this Policy.
18.2 Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of such third parties. We encourage you to review their privacy policies.
18.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to commitments consistent with this Privacy Policy.