Legal

Privacy Policy

What we collect, what we do with it, and the rights you have. Saaya treats customer data as something we hold in trust, not something we monetise.

This Privacy Policy explains how illusionart AI Private Limited ("Saaya," "we," "us") handles personal data when you visit saaya.ai, sign in to the dashboard at app.saaya.ai, use our APIs, or otherwise interact with the Service. It also explains how we treat data your AI agents process about your end users when you use Saaya as part of your own product.

Saaya is an Indian startup, registered in Bengaluru, Karnataka, and governed by Indian law. This Policy is written under the Digital Personal Data Protection Act, 2023 (the "DPDP Act"), the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (together, "IT Rules"), and the other Indian rules applicable to us.

We've written this in plain English where we can, with the legal precision where the law requires it. If something is unclear, write to info@illusionart.ai and we'll explain.

1. Who we are

Saaya is operated by illusionart AI Private Limited, a company registered under the Companies Act, 2013 with its principal office in Bengaluru, Karnataka. Under the DPDP Act, for personal data we collect about you as a customer, prospect, or visitor, we are the Data Fiduciary of that data. For data your AI agents process about your end users on your instruction, we are a Data Processor acting on your behalf — that relationship is governed by our Data Processing Agreement.

2. Roles

It matters who is responsible for which data:

  • Marketing-site visitors (you browsing saaya.ai): we are the Data Fiduciary.
  • Account holders (your name, email, password hash, role, billing): we are the Data Fiduciary.
  • Customer Data that flows through your agents (call audio, transcripts, knowledge-base content, end-user identifiers): we are a Data Processor; you, the Customer, are the Data Fiduciary.

If a request from one of your end users (a "Data Principal" under the DPDP Act) reaches us directly, we will, where appropriate, refer them to you and assist you in responding.

3. What we collect

3.1 Account information

When you sign up or accept an invitation: your name, work email, password hash, role, organisation, and the timestamps of sign-ins. Approved-access requests collect the same information plus a free-text description of what you would build with the Service. We use that solely to triage onboarding.

3.2 Billing information

We use third-party payment processors (typically Razorpay or Stripe, depending on your country and payment instrument) to handle payment. We do not store full card numbers, CVVs, or bank credentials. We do receive and store invoicing metadata (name, billing address, GSTIN, amounts, currency, status) which we retain to comply with the GST Act and the Income Tax Act.

3.3 Usage data

When you use the dashboard or the API, we record operational telemetry: endpoints called, agent and session identifiers, request timing, errors, IP address, user-agent string, and feature events that help us understand how the Service is being used. This is used to keep the Service healthy, detect abuse, and bill accurately.

3.4 Communications

When you contact us — support tickets, sales conversations, feedback forms — we keep a record of the exchange and any attachments you send.

3.5 Cookies and similar technologies

The marketing site at saaya.ai and the dashboard at app.saaya.ai use Google Tag Manager (container GTM-N9XVWKSQ) to load measurement tags such as Google Analytics. We do not run cross-site behavioural advertising trackers. The dashboard also uses a small number of strictly necessary cookies and local-storage keys to keep you signed in, remember your theme, and maintain workspace context. Where the DPDP Act and the rules under it require notice or consent, we present that. See the Cookie Policy for the full list.

3.6 Customer Data processed via your agents

When your agents run, the Service processes the content of voice, video, and chat sessions; knowledge-base documents you upload; retrieved embeddings; session recordings or transcripts you choose to retain; and metadata about end users (phone numbers, names, lead attributes, conversation outcomes).

This data is yours. We process it on your instruction under the DPA.

4. How we use information

We use personal data to:

  • provide, secure, support, and improve the Service;
  • authenticate you, enforce role-based access controls, and detect suspicious activity;
  • send service-critical messages (security alerts, billing notices, terms updates);
  • respond to support, sales, and partnership inquiries;
  • run analytics on the marketing site and dashboard so we can understand which features actually get used;
  • comply with our legal obligations under Indian law (including the DPDP Act, IT Act, GST Act, Income Tax Act, Companies Act, CERT-In Directions, and lawful directions of Indian regulators and courts).

We do not:

  • sell personal data;
  • train Saaya's own models on Customer Data;
  • share Customer Data with third-party model providers beyond what is required to fulfil the agent run you initiated;
  • use Customer Data for advertising.

The DPDP Act requires a lawful ground for processing personal data. We rely on the following grounds, depending on the activity:

  • Consent — for direct marketing, non-essential cookies, and any processing where we ask you to consent in the Service.
  • Certain legitimate uses under Section 7 of the DPDP Act, including:
    • performance of services you have requested or signed up for;
    • employment-related purposes for our own personnel;
    • compliance with any judgment, decree, or order issued under Indian law;
    • response to a medical or public-health emergency;
    • prevention or mitigation of an immediate threat to safety;
    • any other legitimate use specifically permitted by the Act.

For Customer Data your agents process about your end users, we act on your instruction as a Data Processor; the lawful ground is determined by you as the Data Fiduciary.

6. Sharing & disclosures

We share personal data only:

  • with sub-processors that help us operate the Service — cloud hosting, observability, customer support, payment processing, email delivery, and the AI providers you choose for your agents (e.g. OpenAI, Anthropic, Google, Sarvam, ElevenLabs, Deepgram, Cartesia, LiveKit, Twilio, Meta, and the avatar providers listed at /legal/subprocessors);
  • with professional advisers (legal, accounting) under confidentiality;
  • when required by Indian law or in response to a valid legal request from an Indian regulator, court, or law-enforcement authority — including directions under the IT Act and the CERT-In Directions, April 2022;
  • with a successor entity in a merger, acquisition, or sale of substantially all our assets, subject to equivalent confidentiality protections;
  • with your consent for any other sharing.

7. Cross-border processing

Saaya operates from India. To deliver the Service, we use sub-processors that may store or process personal data outside India (for example, US-based AI model providers when you select them for an agent). Section 16 of the DPDP Act allows transfer of personal data to any country other than those notified by the Central Government as restricted; we comply with that list as it is published and updated. Where Indian law imposes a residency or localisation requirement that applies to us or to your data, we will follow it.

You can choose providers in the dashboard that keep data in India where that matters to your use case. The current list and locations are at /legal/subprocessors.

8. Retention

We retain account data for the duration of your relationship with us plus 12 months for legal, billing, and audit reasons (including the retention periods required under the IT Act, the Income Tax Act, the GST Act, and the Companies Act).

Customer Data retained on the platform is governed by your settings — you can delete agents, knowledge bases, and sessions from the dashboard at any time. Backups containing Customer Data are retained for up to 30 days before being overwritten on a rolling schedule.

When you close your account, you have 30 days to export Customer Data through the dashboard. After that window, we delete or anonymise remaining personal data, except where applicable Indian law requires longer retention or where pseudonymous aggregates are required to protect the integrity of the Service.

9. Your rights as a Data Principal

Under the DPDP Act, if you are a Data Principal (an identified or identifiable natural person), you have the right to:

  • access a summary of the personal data we are processing about you and the activities we have undertaken with it;
  • correct, complete, update, and erase your personal data, subject to our retention obligations;
  • grievance redressal — raise a grievance with us about our processing;
  • nominate another individual to exercise your rights in the event of your death or incapacity;
  • withdraw consent at any time, where we are processing on the basis of consent. Withdrawal does not affect the lawfulness of processing done before withdrawal.

To exercise any of these rights, write to info@illusionart.ai from the email on file (prefix the subject "[Privacy request]" so we route quickly). We respond within 30 days, sooner where the DPDP Act requires.

If your data was processed by an agent on behalf of one of our customers, that customer is the Data Fiduciary for that data. We will refer the request to the customer and assist them as required by the DPA.

If you are not satisfied with our response, you may approach the Data Protection Board of India in accordance with the procedure prescribed under the DPDP Act and the rules issued under it.

10. Children's data

The Service is not directed to children below the age of 18, and we do not knowingly process personal data of children. The DPDP Act requires verifiable parental consent before processing a child's personal data, and prohibits tracking, behavioural monitoring, and targeted advertising directed at children. If you believe a child has provided personal data to us, write to info@illusionart.ai and we will delete it.

11. Security

We protect personal data with administrative, technical, and physical measures appropriate to the risk and consistent with the IT Rules, 2011 ("Reasonable Security Practices and Procedures") and our obligations under the DPDP Act — TLS 1.2+ in transit, managed-storage encryption at rest, role-based access controls with least privilege, audit logging, scoped JWT credentials, monitored infrastructure, and recurring access reviews. The full posture is documented at /security.

We comply with the CERT-In Directions, April 2022 for cyber incident reporting. If you become aware of a security issue, please write to info@illusionart.ai with the subject "[Security disclosure]".

12. Cookies

For details on the specific cookies we set, the categories they fall into, and how to opt out of non-essential cookies, see the Cookie Policy.

13. Third-party services

Following links from the Service to third-party services takes you outside the scope of this Policy. We encourage you to read the privacy policies of those services. The current sub-processor list is at /legal/subprocessors.

14. Changes to this Policy

We will post any updates to this Policy on this page with a new effective date. Material changes will additionally be communicated through the dashboard or by email at least 15 days before they take effect.

15. Grievance officer & contact

Privacy questions, grievances, or requests: info@illusionart.ai. Use the subject "[Privacy request]" for rights requests so we can route them quickly.

In compliance with the IT Act and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Grievance Officer for Saaya is contactable at the address below. We acknowledge grievances within 24 hours and resolve them within 15 days.

illusionart AI Private Limited Bengaluru, Karnataka, India info@illusionart.ai

A privacy contact within the company handles DPDP requests and grievances. We do not have a designated Significant Data Fiduciary status under the Act as of the effective date; if we are designated, we will publish a formal Data Protection Officer at that time.

Version history
  1. v1.0 · Initial publication.