Data Protection Policy
This Data Protection Policy explains how we collect, process, store, and safeguard personal data to ensure privacy and security. It outlines our commitment to protecting user information in compliance with applicable data protection laws and best practices.
Last Updated On:
At Ramco Systems Limited ("us", "we", "our", or "Ramco"), we are committed to protecting the privacy of personal information and complying with applicable data protection laws wherever we operate.
This Data Protection Policy governs your use of our Chia conversational AI platform and associated APIs, and explains how we collect, safeguard, and disclose information resulting from your use of the Service. By using the Service, you agree to the collection and use of information in accordance with this Policy.
Our Terms and Conditions ("Terms") govern all use of our Service and, together with this Policy, constitute your agreement with us ("Agreement").
Definitions:
Processing: Any operation performed on personal data including collection, storage, use, transmission, analysis or deletion.
Data Subject: The individual to whom personal data relates.
Data Fiduciary / Controller: The entity determining the purpose and means of processing personal data. For the purposes of this Policy, Ramco Systems Limited acts as the Data Fiduciary / Controller.
Data Processor: Any entity processing data on behalf of the Company.
1. Scope
This Policy's "Data Privacy Scope" encompasses both personal and non-personal data:
Personal Data: Any information relating to an identified or identifiable individual — including telephone numbers, email addresses, identification numbers, account information, physical location details, or customer identifiers.
Non-Personal Data: Data that cannot be used, alone or in combination, to identify an individual.
This Policy governs the processing of both personal and non-personal data collected by Chia, whether obtained directly or indirectly from customers and end-users. Specifically, Chia will:
Process Customer Data only for the purpose of providing and supporting Chia's services, including insights, reporting, analytics, and trust and safety monitoring.
Process data in compliance with instructions received from the Customer.
Promptly inform you in writing if we cannot comply with a requirement of the applicable Data Processing Agreement (DPA).
Not provide remuneration in exchange for Customer Data, and not "sell" or "share" personal data as defined by applicable U.S. Privacy Laws and CCPA.
Inform you promptly if, in our opinion, an instruction from you violates applicable Data Protection Laws.
2. Principles for Processing Personal Data
Chia incorporates the following internationally recognized data protection principles in the way we collect, store, and process data:
| # | Principle |
|---|---|
| 1 | Processed lawfully, fairly, and in a transparent manner in relation to data subjects. |
| 2 | Collected for specified, explicit, and legitimate purposes only, and not further processed incompatibly. |
| 3 | Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (data minimization). |
| 4 | Accurate and, where necessary, kept up to date. We take every reasonable step to erase or rectify inaccurate data. |
| 5 | Kept in an identifiable form for no longer than is necessary for the purposes for which it is processed (storage limitation). |
| 6 | Processed in a manner that ensures appropriate security, including protection against unauthorized access, loss, or damage. |
| 7 | Providing conversational AI services |
Where required by applicable law, processing is based on one or more of the following grounds:
Under GDPR
User consent
Performance of a contract
Legitimate interests
Legal obligation
Under DPDP Act (India)
Consent of the Data Principal
Legitimate uses permitted under the Act
Under CCPA
Processing is conducted for permitted business purposes.
Personal data will not be sold to third parties.
3. Security of Data
We employ appropriate technical and organizational measures to protect the personal and non-personal data we collect and process. Our information security measures include:
Encryption of data at rest and in transit using industry-standard protocols
Strict access controls and role-based permissions
Regular security audits and vulnerability assessments
Dedicated, isolated processing environments per enterprise customer
Incident response and breach notification procedures
In the event of a personal data breach, Ramco shall:
Investigate and contain the breach
Notify relevant authorities where legally required
Inform affected users if the breach presents a significant risk to their rights or freedoms
Notifications will be issued within the timelines prescribed under applicable laws.
While we strive to use commercially acceptable and enterprise-grade means to protect your data, no method of transmission over the Internet or electronic storage is 100% secure.
4. Data Subject Rights
To adequately protect the personal data we collect and process, we adhere to the following data subject rights:
Right to be Informed: Know how personal data is used in clear, plain language.
Right of Access: Know and have access to personal data held about you.
Right to Portability: Receive and transfer data in a machine-readable electronic format.
Right to be Forgotten: Request erasure of personal data from our systems.
Right to Rectification: Have inaccurate or incomplete data corrected.
Right to Object: Object to the processing of your personal data.
Right to Restriction: Limit the extent to which your personal data is processed.
Rights re Automated Decisions: Not be subject to solely automated decisions with significant legal effects.
Right to Non-Discrimination: Not be discriminated against for exercising your rights.
To exercise any of these rights, please contact us at chia-support@ramco.com. We may ask you to verify your identity before responding.
5. AI Data Handling
As an enterprise AI platform, Chia processes conversation data, knowledge base content, and customer interaction records to power AI agent functionality. We are committed to responsible AI data practices:
Customer data is not used to train Chia's or any third-party's foundational AI models without explicit written consent.
Conversation logs processed by Chia are isolated per customer tenant and are not shared across accounts.
PII present in conversational data is masked or redacted before being passed to underlying AI processing where technically feasible.
Enterprise customers may configure their own data retention, deletion, and export settings through their account dashboard or DPA.
6. Deletion of User Data
Chia is committed to honoring your right to erasure in accordance with applicable data protection laws, including GDPR Article 17, the California Consumer Privacy Act (CCPA), and India’s Digital Personal Data Protection Act (DPDP Act 2023). This section describes how user data is deleted, the timelines we adhere to, and the limited exceptions that apply.
Scope of Deletion
A deletion request covers all personal data associated with your account and interactions with the Service, including:
Account registration data (name, email address, contact information)
Conversation logs and AI interaction history generated through Chia
Uploaded knowledge base content and documents linked to your account
Usage data, session logs, and device identifiers tied to your identity
Preferences, configuration settings, and customisation data
Any derived analytics or reports that directly identify you.
How to Request Deletion
You may request deletion of your personal data through any of the following channels:
Email request: Submit a written request to chia-support@ramco.com with the subject line “Data Deletion Request” and include your registered email address and account identifier.
Enterprise accounts: Deletion of end-user data within an enterprise deployment must be initiated by the authorised enterprise account administrator via the admin console or through the Data Processing Agreement (DPA) process.
We will acknowledge your request within 72 hours and complete the deletion within 30 calendar days, consistent with GDPR, CCPA, and DPDP Act obligations. Where identity verification is required, the 30-day period commences upon successful verification.
Deletion vs. De-identification
In most cases, personal data will be permanently deleted from our active systems. However, in limited circumstances, data may be de-identified (anonymised) rather than deleted outright — specifically:
Aggregated, statistical, or anonymised analytics where your identity cannot be re-established
AI model evaluation logs stripped of all personally identifiable information
Aggregated usage metrics used solely for platform performance analysis
De-identified data that cannot be re-linked to any individual is not considered personal data under GDPR, CCPA, or the DPDP Act, and is therefore retained for legitimate operational purposes.
Exceptions — Data We Are Required to Retain
Certain categories of data may be exempt from deletion where retention is required by applicable law or legitimate business necessity:
Financial and billing records: Invoice data, payment transaction records, and tax documentation may be retained for up to 7 years in accordance with applicable tax and accounting regulations.
Active legal disputes: Data relevant to pending litigation, regulatory investigations, or disputes involving you or your organisation will be retained until the matter is fully resolved.
Legal holds and court orders: Data subject to a valid legal hold, subpoena, or court order cannot be deleted until the hold is lifted.
Fraud prevention and security records: Logs related to suspected fraudulent activity, security incidents, or platform abuse may be retained for investigation and prevention purposes.
Contractual obligations: Data that must be retained to fulfil the terms of an active enterprise agreement will be retained for the duration of that agreement.
Where an exception applies, we will inform you of the specific reason and the expected retention period for the data that cannot be deleted.
Third-Party and Sub-Processor Deletion
Upon receiving a valid deletion request, Ramco will instruct all relevant sub-processors and third-party service providers that have received your personal data to delete it in accordance with our Data Processing Agreements. This includes, but is not limited to, analytics providers and infrastructure partners.
Please note that certain third-party processors may be subject to their own independent legal retention obligations. For example, Stripe (our payment processor) retains transaction records as required by financial regulations, irrespective of a deletion request made to Ramco. In such cases, we will notify you that deletion from the third party’s systems falls outside our direct control.
Backup and Residual Copies
Following deletion from our active systems, residual copies of your data may persist in encrypted backup storage for up to 90 days, after which they are purged as part of our regular backup rotation cycle. These backup copies are not accessible for operational use and are protected by the same security controls as live data.
Deletion Confirmation
Once deletion of your personal data is complete, we will send a written confirmation to your registered email address. If deletion could not be completed in full due to a legal exception, the confirmation will specify which data was retained, the applicable legal basis, and the expected retention period.
Effect on Service Access
Deletion of your account and personal data is irreversible. Upon completion, you will lose access to all features, history, and configurations associated with your account. This action cannot be undone. If you are an enterprise customer, account-level deletion should be coordinated with your Ramco account manager to avoid unintended disruption to your organisation’s deployment.
Google API and OAuth Data
If you have connected your account to Google services via OAuth or the Google Cloud Console, the following additional deletion commitments apply in accordance with Google API Services User Data Policy:
Chia will delete all Google user data obtained via Google APIs within 30 days of a verified deletion request or account termination.
Google user data is used only for the purposes explicitly disclosed at the time of authorisation and is not shared with third parties for advertising or unrelated purposes.
You may revoke Chia’s access to your Google account at any time via your Google Account Permissions page (https://myaccount.google.com/permissions), which will immediately halt any further data access. Revocation does not automatically delete data already collected; a separate deletion request to chia-support@ramco.com is required for that.
Chia does not store Google user data beyond what is strictly necessary to provide the connected service features you have authorised.
Regulatory Alignment
This section fulfils and should be read in conjunction with the following rights and obligations set out elsewhere in this Policy:
GDPR Article 17 (Right to Erasure / Right to be Forgotten): EU and EEA residents may invoke this right as described in Section 8.
CCPA Deletion Rights: California residents may invoke deletion rights as described in Section 10.
DPDP Act 2023 (India): Data Principals have the right to erasure of personal data under the Digital Personal Data Protection Act 2023, and Ramco as Data Fiduciary will comply within the prescribed timelines.
7. Staff Training
Ramco Systems Limited ensures that all employees who have frequent access to personal data, are involved in data collection, or are involved in the development of tools used to process personal data receive mandatory, role-appropriate data protection training.
All Chia team members are required to annually acknowledge that they have completed the required Data Protection training and understand this Policy.
8. Non-Compliance
Customers and users of Chia trust us to protect the personal data they share with us. To uphold that trust, we maintain clear accountability for any violations of this Data Protection Policy.
| Severity | Examples | Response |
|---|---|---|
| Minor | Procedural lapses, minor access control deviations | Oral or written warning; mandatory re-training |
| Moderate | Unauthorized data access, failure to report incidents promptly | Formal written warning; disciplinary review |
| Serious | Intentional data misuse, sharing data without authorization | Suspension or termination; potential legal action |
Ramco management will assess the severity of each incident and determine appropriate action in line with applicable employment law and internal policy.
9. Your Rights Under GDPR
If you are a resident of the EU or EEA, you have certain data protection rights under GDPR. We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data. To make a request, email chia-support@ramco.com.
The right to access, update, or delete the information we hold about you
The right of rectification — to have inaccurate or incomplete information corrected
The right to object to our processing of your Personal Data
The right of restriction — to request that we limit how we process your information
The right to data portability — to receive your data in a structured, machine-readable format
The right to withdraw consent at any time where processing is consent-based
You may also complain to a Data Protection Authority in your country of residence. For more information, see GDPR Regulation 2016/679 at https://eur-lex.europa.eu/eli/reg/2016/679/oj.
10. CalOPPA Compliance
In accordance with the California Online Privacy Protection Act, we agree to the following:
Users can visit our site anonymously.
Our Privacy Policy link is clearly accessible from our homepage and includes the word "Privacy".
Users will be notified of any privacy policy changes on this Policy page.
Users may update their personal information by contacting chia-support@ramco.com.
California residents may additionally exercise:
Right to know categories of personal data collected
Right to delete personal data
Right to opt-out of sale of personal information (the Company does not sell personal data)
Right to non-discrimination for exercising privacy rights
Do Not Track: We honor Do Not Track signals and do not track, plant cookies, or use advertising when a DNT mechanism is active in your browser.
11. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act grants you the right to:
Know what personal information we hold
We will disclose the categories of data collected, sources, business purposes, third parties with whom it is shared, and whether data has been sold or disclosed for a business purpose. You may make this request up to twice in any 12-month period.
Delete your personal information
We will delete personal information we hold about you and direct service providers to do the same. In some cases, de-identification may be used. Deletion may impact your ability to use certain Service features.
Opt out of the sale of personal information
We do not sell or rent personal information to any third party. We will never discriminate against you for exercising your CCPA rights. To make a request, email chia-support@ramco.com.
12. Questions
If you have any questions regarding this Data Protection Policy, or wish to exercise your data rights, please contact us at chia-support@ramco.com.
13. Changes to This Policy
We may update this Data Protection Policy from time to time to reflect changes in law, technology, or our business practices. The updated Policy will be published on the Platform with the revised effective date.
Continued use of the Service after changes are posted constitutes your acceptance of the updated Policy.
14. Contact Us
For any questions about this Data Protection Policy, to exercise your rights, or to reach our Data Protection team:
Ramco Systems Limited
Email: chia-support@ramco.com
Website: https://www.ramco.com/ai/conversational-ai
