Privacy Policy

Matayo AI Solutions Pvt. Ltd.
Last updated: 08 April, 2026

1. Introduction

Matayo AI Solutions Pvt. Ltd. (“Matayo”, “we”, “us”, or “our”) is a governance, risk, compliance (GRC), and cybersecurity consulting firm. This Privacy Policy (“Policy”) describes how we collect, use, disclose, and safeguard the personal data of individuals who visit our website, engage with our services, or otherwise interact with us (“You” or “Your”). 

We are committed to protecting your personal data and ensuring transparency in how we process it. This Policy reflects the key data protection principles under applicable laws, including the Digital Personal Data Protection Act, 2023 (“DPDPA”), the General Data Protection Regulation (“GDPR”), and the Personal Information Protection and Electronic Documents Act (“PIPEDA”). 

Your rights and our compliance obligations may vary depending on your jurisdiction. Where applicable, we apply jurisdiction-specific safeguards to ensure that your personal data is handled in accordance with the legal requirements of the relevant territory. 

2. Our Identity and Contact Details

Matayo AI Solutions Pvt. Ltd. is the primary Data Fiduciary / Controller responsible for the processing of personal data described in this Policy.

We may also act as a Data Processor when processing personal data on behalf of our clients, in accordance with applicable contractual and legal obligations.

India (Primary Entity – Data Fiduciary / Controller)

Matayo AI Solutions Pvt. Ltd.
14, Thamarai Kannan Rd, Halasuru, Murphy Town, Bengaluru, Karnataka 560008
Email: dpo@matayo-ai.com

Canada (Affiliate Entity)

Matayo Inc.
Lesterwood St, Hamilton, L8V 4P5 Canada
Email: dpo@matayo-ai.com

Depending on your location and the nature of services provided, your personal data may be controlled by Matayo AI Solutions Pvt. Ltd. (India), Matayo Inc. (Canada), or jointly by both entities where services are delivered across jurisdictions.
For any privacy-related queries, requests, or complaints, you may contact our Privacy Officer using the contact details provided above.

3. Scope of this Policy

This Policy applies to personal data processed by us in connection with:

  • Visitors to our website
  • Clients and prospective clients
  • Individuals who contact or interact with us
  • Job applicants and employees
  • Individuals whose personal data is processed by us in the course of providing services to our clients (where we act as a Data Controller/Data Fiduciary).

This Policy does not apply to:

  • Data that has been anonymised such that it cannot be used to identify an individual
  • Processing carried out by individuals for personal or household purposes
  • Personal data processed strictly on behalf of clients in our role as a Data Processor, which is governed by applicable Data Processing Agreements (DPAs).

4. Roles and Responsibilities

Matayo acts as:

• Data Fiduciary / Data Controller

As a Data Fiduciary under the Digital Personal Data Protection Act, 2023, we are committed to:

  • Processing personal data lawfully, fairly, and in a transparent manner
  • Collecting personal data only for specified and legitimate purposes
  • Limiting data collection to what is necessary for such purposes
  • Ensuring personal data is accurate and up to date
  • Implementing reasonable security safeguards to protect personal data
  • Retaining personal data only for as long as necessary
  • Enabling Data Principals to exercise their rights
  • Establishing effective grievance redressal mechanisms

Where we engage third-party processors, we ensure appropriate contractual safeguards are in place and remain responsible for ensuring compliance with applicable data protection obligations.

• Data Processor

When processing personal data on behalf of our clients, we act only on documented instructions and in accordance with applicable contractual and legal obligations. In such cases, the client acts as the Data Controller/Data Fiduciary, and we implement appropriate technical and organisational safeguards to ensure the security and confidentiality of personal data.

5. Notice at Collection (DPDPA Compliance)

At the time of collecting your personal data, we provide the following notice:

  • Personal Data Collected: Name, contact details, professional information, and any data you voluntarily provide
  • Purpose of Processing: To provide services, respond to enquiries, manage relationships, and comply with legal obligations
  • Legal Basis: Consent and certain legitimate uses as permitted under applicable law
  • How to Withdraw Consent: You may withdraw your consent at any time by contacting us at dpo@matayo-ai.com or by using the opt-out mechanisms available through the DPDPA preferences on our website.
  • Your Rights: You may request access, correction, or erasure of your personal data through the DPDPA preferences on our website.
  • Grievance Redressal: You may contact us at dpo@matayo-ai.com

Consent, where required, is obtained in a free, specific, informed, and unambiguous manner through clear affirmative action. This notice is also made available at the point of data collection through forms, consent banners, or direct communication.

6. Personal Data We Collect

6.1 Data You Provide

  • Name, job title, organisation
  • Email, phone number, address
  • Communication content
  • Account credentials for internal systems, portals, or platforms
  • Billing and transaction data
  • Marketing preferences
  • Job application details

6.2 Data Collected Automatically

  • IP address
  • Device and browser details
  • Website usage data
  • Cookie data

6.3 Data Received from Third Parties

In certain circumstances, we may receive personal data about you from third-party sources, including:

  • Professional networking platforms, where you have made your profile information publicly available
  • Existing clients or contacts who refer prospective clients or collaborators to us
  • Background verification agencies, strictly in the context of employment screening for job applicants and employees

Where we receive personal data from third parties, we take reasonable steps to ensure that such data has been shared in accordance with applicable law. Where required, we will notify you that we hold your data and inform you of the source.

6.4 Sensitive Personal Data

We do not intentionally collect sensitive personal data via our website. Where required, such data is processed with explicit consent and enhanced safeguards.

7. Lawful Basis for Processing

We process personal data in accordance with applicable legal frameworks:

Under the Digital Personal Data Protection Act, 2023:
• Primarily based on consent
• In limited situations permitted by law (e.g., legal obligations, employment purposes, emergencies)

Under the General Data Protection Regulation and Personal Information Protection and Electronic Documents Act:
• Consent
• Contractual necessity
• Legal obligations
• Legitimate interests (where applicable)

Where we rely on legitimate interests as a lawful basis, we conduct a balancing assessment to ensure that our interests are not overridden by your rights and freedoms.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to ensure website functionality, understand user behavior, and improve user experience.

For more detailed information about the cookies we use, including their purposes, duration, and third-party providers, please refer to our Cookie Policy.

Cookie Categories

Type | Purpose | Consent Requirement
Necessary | Core website functionality | Always active (no consent required)
Analytics | Usage insights and performance measurement | Enabled only with your consent
Preferences / Functional | Remember user settings and preferences | Enabled only with your consent
Advertising | Deliver relevant and targeted content (if used) | Enabled only with your consent

Non-essential cookies (analytics, functional, and advertising) are placed only after you provide consent through our cookie banner.

You can:

  • Accept or reject cookies
  • Customize your preferences
  • Withdraw your consent at any time by accessing the cookie settings available on our website

Consent Management

We use a third-party consent management platform to enable users to manage their cookie preferences and record consent choices.

This platform may process limited personal data such as IP address, device information, and consent preferences for compliance purposes. These service providers act as data processors and are bound by contractual obligations to protect personal data.

Some cookies may also be set by third-party service providers, such as analytics or advertising partners.

9. How We Use Personal Data

The Company may use Personal Data for the following purposes:

  • To provide and maintain our Service, including to monitor the usage of our Service.
  • To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
  • For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
  • To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
  • To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that You have already purchased or enquired about, unless You have opted not to receive such information.
  • To manage Your requests: To attend and manage Your requests to Us.
  • For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Us about our Service users is among the assets transferred.
  • For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.

We take reasonable steps to ensure that personal data is accurate and kept up to date. We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals. We do not process personal data for purposes beyond those specified at the time of collection without obtaining further consent where required.

10. Sharing of Personal Data

We do not sell personal data. We may share Your personal information in the following situations:

  • With Service Providers: We may share personal data with trusted third-party service providers who perform services on our behalf, such as cloud hosting, analytics, communication tools, IT support, and professional advisory services.
    These service providers act as data processors and are contractually bound to process personal data only on our instructions and to implement appropriate security safeguards.
  • For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company.
  • With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
  • With business partners: We may share personal data with business partners where this is necessary to deliver jointly offered services. In such cases, data sharing is governed by appropriate contractual arrangements, and personal data is not used for independent marketing purposes without your consent.
  • With Your consent: We may disclose Your personal information for any other purpose with Your consent.

11. Cross-Border Data Transfers

Your personal data may be processed at our operating locations and in other jurisdictions where our service providers or partners are located. As a result, your personal data may be transferred to and processed in countries outside your place of residence, which may have different data protection laws.

Where such transfers occur, we implement appropriate safeguards to ensure that your personal data remains protected in accordance with this Privacy Policy and applicable laws.

These safeguards may include:

  • Standard Contractual Clauses or equivalent mechanisms (where applicable)
  • Contractual and organisational safeguards with service providers
  • Compliance with applicable legal and regulatory requirements governing data transfers

Where required, cross-border transfers are carried out in accordance with restrictions and conditions notified under the Digital Personal Data Protection Act, 2023.

12. Retention of Your Personal Data

We retain personal data only for as long as is necessary to fulfil the purpose for which it was collected. Once that purpose has been met, personal data is securely deleted or anonymised in accordance with our internal retention procedures, unless applicable law requires us to retain it for a longer period.

The retention periods we apply are as follows:

Category | Retention Period
Client engagement data | 7 years
Enquiries and contact form submissions | 2 years
Marketing communications | 3 years
Website analytics data | 13 months
Consent logs | 3 years
Job applicant data (unsuccessful applications) | 12 months
Employee and HR records | Duration of employment + 7 years

13. Delete Your Personal Data

You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You.

Our Service may give You the ability to delete certain information about You from within the Service.

You may request access to, correction of, or deletion of any personal data that you have provided to us, either through the DPDPA preferences on our website or by contacting us at dpo@matayo-ai.com.

Please note, however, that We may need to retain certain information when we have a legal obligation or lawful basis to do so.

14. Disclosure of Your Personal Data

Business Transactions

If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of Users of the Service or the public
  • Protect against legal liability

15. Security Measures

We implement appropriate technical and organisational measures, including:

  • Encryption (TLS, AES-256)
  • Access controls and MFA
  • Security testing
  • Incident response procedures

Security of Your Personal Data

The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.

16. Personal Data Breach

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, where required by applicable law, and will inform affected individuals without undue delay where the breach is likely to result in a high risk to their rights.

17. Your Rights

Depending on your jurisdiction, you may have the following rights in relation to your personal data:

  • Access your personal data.
  • Request correction of inaccurate or incomplete data.
  • Request deletion of your personal data.
  • Withdraw consent at any time (where processing is based on consent).
  • Object to or restrict certain processing activities (where applicable).
  • Request data portability (where applicable).
  • Nominate another individual to exercise your rights in the event of death or incapacity (as permitted under applicable law).

You may exercise your rights through our Privacy Centre request portal in DPDPA preferences.

We will respond to your requests within the timelines prescribed under applicable data protection laws, including the Digital Personal Data Protection Act, 2023.

18. Children’s Privacy

We do not knowingly collect personal data from children without appropriate consent.

India (Digital Personal Data Protection Act, 2023):
A child is defined as an individual under 18 years of age. We process children’s personal data only with verifiable parental consent and in compliance with applicable restrictions, including limitations on tracking and behavioural monitoring.

European Union/UK (General Data Protection Regulation):
The age threshold for valid consent ranges between 13 and 16, depending on the country. Where required, parental consent will be obtained.

Canada (Personal Information Protection and Electronic Documents Act):
Consent requirements depend on the individual’s capacity to understand the nature and consequences of data processing.

If we become aware that personal data of a child has been collected without appropriate consent, we will take steps to delete such data.

19. Contact and Grievance Redressal

We have appointed a Grievance Officer in accordance with the Digital Personal Data Protection Act, 2023 to address concerns relating to personal data processing.

We have assessed our obligations under the General Data Protection Regulation and have designated a contact point for data protection matters.

For all privacy-related queries or requests, you may contact us at: dpo@matayo-ai.com

We aim to respond within:
• 30 days, in accordance with GDPR and PIPEDA
• Timelines prescribed under applicable law

If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India.

20. Regulatory Authorities

You may have the right to lodge a complaint with the relevant data protection authority in your jurisdiction, including:

  • India – Data Protection Board of India
  • Canada – Office of the Privacy Commissioner of Canada
  • European Union – Local supervisory authority
  • United Kingdom – Information Commissioner’s Office (ICO)

21. Updates to this Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other operational needs.

Where material changes are made, we will take appropriate steps to notify you, such as by updating this page or providing additional notice where required by applicable law.

We encourage you to review this Policy periodically to stay informed about how we protect your personal data.

22. Our Privacy Commitment

We are committed to protecting your personal data and upholding the following principles:

  • Transparency in how we collect and use personal data
  • Data minimisation and purpose limitation
  • Implementation of appropriate security safeguards
  • Enabling user control and the exercise of data protection rights
  • Compliance with applicable data protection laws and regulations