MillOS By Opscion AI

Legal Documentation

Privacy Policy

Effective Date: November 2025 • Last Updated: April 2026 • Version 6.0

1. Information We Collect: Personal vs. Industrial Data

Opscion AI ("we," "us," or "our") operates MillOS. We strictly distinguish between two legally separate classes of data:

  • Personal Data — Identifiable information such as employee names, mobile numbers, and work email addresses, collected for account provisioning, authentication, and support. Governed by the DPDP Act, 2023 (India) and applicable international privacy law. Retained only for the duration of an active user account plus the 60-day post-termination window in §5.
  • Industrial / Operational Data — Proprietary factory information including fastener specifications, chemical compositions, PO numbers, lab reports, and raw material grades. This is not "personal data" under the DPDP Act and is governed exclusively by our Terms of Service. It remains Customer's intellectual property at all times.

Lawful Basis for Processing Personal Data: Personal Data is processed on the basis of: (i) contractual necessity — to provision accounts and deliver the Service; and (ii) explicit consent obtained at onboarding for any processing beyond contractual necessity. You may withdraw consent at any time by contacting our Grievance Officer (§8), though withdrawal may affect platform access.

2. Data Subject Rights

Under the DPDP Act, 2023, every authorized user (Data Principal) has the following enforceable rights regarding their Personal Data:

Rights under the DPDP Act, 2023 (India — all users)

  • Right of Access — Request a copy of all Personal Data we hold about you.
  • Right to Correction — Request correction of inaccurate or outdated personal information.
  • Right to Erasure — Request definitive deletion of your Personal Data, subject to any legal retention obligations.
  • Right to Grievance Redressal — Lodge a formal complaint with our designated Grievance Officer (§8).
  • Right to Complain to the Data Protection Board of India — If your concern is unresolved within 30 days, you may escalate to the Data Protection Board of India at meity.gov.in.

Additional Rights under GDPR / UK GDPR (EEA & UK users only)

  • Right to Data Portability (GDPR Article 20) — Receive your Personal Data in a structured, commonly used, machine-readable format (e.g. CSV, JSON) for transmission to another controller, where processing is by automated means on the basis of consent or contractual necessity. Note: this right does not exist under the DPDP Act, 2023 and applies exclusively to EEA/UK data subjects.
  • Right to Restriction of Processing (GDPR Article 18) — Request that we limit how we use your Personal Data in certain circumstances (e.g. while accuracy is contested, or if you have objected to processing).
  • Right to Object (GDPR Article 21) — Object at any time to processing of your Personal Data based on legitimate interests, including profiling. We shall cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Rights related to Automated Decision-Making (GDPR Article 22) — The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Where MillOS's AI parsing engine is used to generate outputs that inform compliance decisions, human QA review is always required as stated in our Terms of Service §2.2, satisfying the human-in-the-loop requirement.

All Subject Right requests will be acknowledged within 72 hours and resolved within 30 days. Contact: legal@opscion.ai.

Right of Nomination (DPDP Act, Section 14)

Every Data Principal has the right under Section 14 of the Digital Personal Data Protection Act, 2023 to nominate another individual to exercise their personal data rights on their behalf in the event of the Data Principal's death or incapacity. To register a nomination, submit a written request to legal@opscion.ai with the nominee's full name, relationship, and contact details. Nominations may be updated or revoked at any time.

3. Industrial Data Protection

All Industrial Data is stored within Customer's dedicated, isolated tenant environment. We do not aggregate, sell, share, or use Customer's proprietary factory data to train any public AI or machine learning models.

Opscion AI's personnel shall not access Customer's Industrial Data except as strictly necessary to provide technical support expressly requested by the Customer, or to investigate active security incidents. All such access is logged.

Opscion AI may use anonymized, aggregated, de-identified platform usage statistics — from which no individual Customer's data can be reconstructed — solely to improve platform reliability and performance.

4. Infrastructure, Security & International Data Transfers

4.1 Infrastructure & Encryption

All customer data is encrypted in transit using TLS 1.3 (preferred) with TLS 1.2 as a minimum fallback, and at rest using AES-256 encryption. MillOS's primary production infrastructure is hosted on Amazon Web Services (AWS), ap-south-1 region (Mumbai, India). AWS serves as a data processor under a formal Data Processing Agreement with Opscion AI, bound by the same data protection standards applicable to Opscion AI.

4.2 International Data Transfers

As Opscion AI serves a global customer base, Personal Data may be transferred to, stored, or processed in countries other than India — including countries where the applicable data protection law may differ. Where such transfers occur, Opscion AI implements appropriate legal safeguards:

  • For transfers to or from the European Economic Area (EEA): EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 — Controller to Processor), available upon written request to legal@opscion.ai.
  • For transfers to or from the United Kingdom: the UK International Data Transfer Agreement (IDTA), available upon written request.
  • For other jurisdictions: equivalent contractual protections meeting the standard of the destination country's applicable law.

Opscion AI does not transfer Customer Personal Data to jurisdictions where equivalent protection cannot be legally ensured. A current list of jurisdictions and applicable safeguards is maintained and updated within 30 days of any material change; contact legal@opscion.ai for the current register.

4.3 Sub-Processors

Opscion AI engages sub-processors (including AWS for cloud hosting) under written agreements requiring data protection standards equivalent to those in this Policy. Customers will be notified of new sub-processors no fewer than 14 days prior to engagement, and may object in writing within that period. A current sub-processor register is available upon written request to legal@opscion.ai.

4.4 ERP Integrations

MillOS acts as a secure connector for ERP integrations (e.g., Tally). Data flows deterministically according to Customer's administrative permissions and is never shared with unauthorized third parties.

5. Data Retention & Deletion

Personal Data is retained for the duration of an active user account. Industrial Data is retained for the active subscription period. Upon termination or cancellation:

  • A complete database export (CSV/PDF) is provided within 14 business days of termination.
  • All customer data — both Personal and Industrial — is permanently deleted, or rendered permanently inaccessible via cryptographic erasure (destruction of all applicable encryption keys, in accordance with NIST SP 800-88 Guidelines for Media Sanitization), from active servers and all backup nodes within sixty (60) calendar days of the subscription termination date. Written confirmation of deletion or cryptographic erasure is provided to the account administrator upon request.
  • Platform access logs and audit trails are retained for 180 days from the date of generation in compliance with the CERT-In Directions, 2022, after which they are purged.

6. Cookies & Session Management

MillOS uses strictly essential cookies for platform functionality, secure session authentication, and cross-request state management. We do not deploy advertising, marketing, cross-site tracking, or behavioral profiling cookies within the application.

Our marketing website may use limited, anonymized performance analytics. Where required by applicable law — including the EU ePrivacy Directive, UK PECR, or equivalent — prior informed consent will be obtained via a cookie consent banner before any non-essential cookies are placed. No third-party advertising networks have access to Platform user session data.

7. Personal Data Breach Notification

In the event of a personal data breach, Opscion AI shall:

  • Notify the Data Protection Board of India in accordance with the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 (enacted). Opscion AI targets compliance with the prescribed breach notification window, currently aligned with the 72-hour standard per enacted DPDP Rules and GDPR Article 33.
  • Notify affected Customer account administrators within 48 hours of becoming aware of a breach that may have materially affected their authorized users' Personal Data.
  • Provide a written incident report detailing: the nature and scope of the breach, categories and approximate volume of Personal Data affected, estimated number of Data Principals impacted, and remediation actions taken or underway.
  • Note: Opscion AI is additionally subject to the CERT-In Directions, 2022, which mandate reporting of certain cybersecurity incidents to India's CERT-In within 6 hours of becoming aware of the incident. Platform access logs and audit trails are retained for a minimum of 180 days in compliance with this obligation.

8. Designated Grievance Officer

In full compliance with the Digital Personal Data Protection Act, 2023 (India), Opscion AI has formally designated a Grievance Officer as the primary point of contact for all data protection enquiries, Subject Right requests, and privacy-related complaints. Customers who believe their DPDP rights have not been addressed may escalate unresolved concerns to the Data Protection Board of India after exhausting this internal grievance process.

Role: Grievance Officer / Data Protection Officer

Organisation: Opscion AI (operator of MillOS)

Email: legal@opscion.ai

All Subject Right requests acknowledged within 72 hours. Formal grievances resolved within 30 days of receipt per DPDP Act requirements.