1Introduction & Scope
Welcome to EXPLYRA. This comprehensive Privacy Policy ("Policy") rigorously details the data processing practices for the vast ecosystem of products, services, websites, mobile applications, and digital tools operated by EXPLYRA (Registered as a Micro Enterprise under MSME: UDYAM-DL-11-0156637). This Policy constitutes a legally binding agreement between EXPLYRA ("Company", "We", "Us", "Our") and the user ("User", "You", "Your").
Our expansive global ecosystem encompasses, but is not strictly limited to, TaxBodh (financial planning and tax calculation tools), Imgnodus (image processing and manipulation), Evercle (hosting and cloud-native solutions), specialized productivity platforms, sophisticated Artificial Intelligence (AI) models, and a suite of mobile applications targeting health metrics (sleep and cardiovascular monitoring), enterprise accounting (expense management), and Customer Relationship Management (CRM) across all major operating systems including Android, iOS, and Web modalities.
This document is engineered to ensure absolute adherence to stringent global data protection frameworks, notably the General Data Protection Regulation (GDPR - EU 2016/679), the California Consumer Privacy Act (CCPA) as amended by the CPRA, the Information Technology Act, 2000 (India), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the provisions of the Digital Personal Data Protection Act (DPDP), 2023. By establishing an account, utilizing our API endpoints, or visiting our digital estates, you provide unequivocal and informed consent to the data lifecycle semantics detailed herein. Should you dissent from any provision delineated in this Policy, you are compelled to immediately cease and desist all utilization of our systems.
2Exhaustive Parameterization of Information Collection
To enable and continuously refine our advanced digital services, EXPLYRA requires the systematic collection, ingestion, and processing of diverse datasets. We apply strict data minimization principles, isolating collection to operationally critical vectors.
A. Information Directly Supplied by the User
- Identity and Profile Vectors: Legal name, validated email addresses, primary and secondary cryptographic credentials, multi-factor authentication (MFA) backup queries, profile avatars, organization affiliations, role-based access control (RBAC) tiers, and billing/shipping addresses.
- Sensitive Financial Cryptography (TaxBodh & Enterprise Modules): Salary distributions, statutory tax identification numbers (PAN, SSN, EIN), enterprise balance sheets, receipt imagery, claim amounts, localized currency routing definitions, bank account mapping labels, and verifiable unified payment interface (UPI) IDs. (Note: Card-level cryptographic processing is entirely delegated to specialized payment gateways).
- Special Category Health Data (Mobile Modalities): Granular biometrics including calculated systolic/diastolic trends, historical sleep latency analytics, daily caloric consumption indices, and medicinal adherence regimes. Processing of this demographic undergoes explicit, compartmentalized affirmative consent workflows prior to ingestion.
- Unstructured User-Generated Content (UGC): Textual and semantic prompts passed to our Generative AI instances, bulk image/document uploads (via Imgnodus/Evercle), customer support communications, forum postings, and raw CRM contact matrices manually keyed into our databases.
B. Telemetry and Automated Signals
- Deep Diagnostic and Device Metrics: Public IPv4/IPv6 address allocations, user-agent payload distributions, operating system kernel versions, unique pseudonymous mobile device identifiers (IMEI fragments, Apple IDFA, Android AAID), geographic latency nodes, browser language headers, and WebGL rendering footprints.
- Behavioral Session Flow Logs: Micro-interactions, clickstream heatmaps, API call initiation latencies, feature-function engagement epochs, routing/URL traversal histories, crash stack-traces, and localized error exception thresholds.
- Cookies, Pixels, and Storage State: Systematic deployment of persistent and session-based cookies, local/session storage variables, indexedDB records, and invisible action-tracking pixels to securely manage tokenized authentications, preserve workflow continuity, and attribute analytical metrics.
3Lawful Bases and Extensive Data Utilization Protocols
Our systemic processing of user information is foundationally mapped to strict legal justifications. We aggressively leverage your data to deliver, optimize, and fortify our proprietary technology stack.
| Primary Processing Vector | Legal Basis / Justification |
|---|---|
| Service Execution: Provisioning SaaS interfaces, executing financial workflows, routing logic, and maintaining cross-device cloud synchronization. | Necessity of Contractual Performance |
| AI Model Refinement: Utilizing anonymized/sanitized prompts and analytical heuristics to train, fine-tune, and align Large Language Models (LLMs) and local machine learning endpoints. | Legitimate Enterprise Interest / Express Consent |
| Threat Mitigation: Defeating Distributed Denial of Service (DDoS) attacks, brute-force credential stuffing, API abuse, and transactional fraud. | Legal Obligation / Legitimate Interest |
| Audience Attribution: Serving personalized contextual or retargeted advertising through federated ad networks across the digital realm. | Specific, Revocable Consent |
4Cross-Border Infrastructure and International Transfers
EXPLYRA operates distributed architectural nodes globally to ensure robust 99.99% uptime. Consequently, your data traversing our pipelines may be geo-replicated to server infrastructures residing outside your domicile, such as data centers physically positioned within the United States, the European Union, and the Republic of India. For users falling under sweeping jurisdictions like the GDPR or DPDP Act, we legitimize all cross-border transmissions via rigorous Standard Contractual Clauses (SCCs), adequacy decisions, or binding corporate rules. All data retains its foundational cryptographic guarantees irrespective of geographic placement.
5Third-Party Ecosystem Collaborators
Sub-processor syndication is vital to modern software architecture. While we unequivocally reject the commoditization or indiscriminate "selling" of user datastores for profit, we systemically interoperate with hyper-scale partners. All partners are contractually restricted by Data Processing Addendums (DPAs).
- Hyper-Scale Compute & Storage Providers: Google Cloud Platform (GCP), Amazon Web Services (AWS), Cloudflare (for Edge compute and WAF), and Vercel for continuous deployment lifecycles.
- Tokenized Financial Gateways: Integration logic pointing seamlessly to Razorpay, Stripe, and localized unified payment nodes. Financial partners act as autonomous Data Controllers regarding your deep financial topology; EXPLYRA never touches or persists raw credit/debit PAN structures.
- Identities & Federated Auth: Google Identity Services, Apple Sign-In, and Firebase Authentication handling robust OAuth 2.0 / OIDC handshake mechanics.
- Algorithmic Marketing Networks: Google Analytics 4, Google AdSense, and affiliated retargeting DSPs allowing us to map anonymous cohorts for growth strategies.
6Data Retention Mechanics and Elite Security Enclaves
EXPLYRA protects "Book-Level" enterprise datasets utilizing multi-layered cryptographic fortification strategies parallel to banking protocols.
Cryptographic Footprint: Persistent data mapped on storage volumes utilizes AES-256 block-level encryption (Data At-Rest). Internal/External transmission traversing public networks enforces Transport Layer Security (TLS) 1.2/1.3 exclusively with strong cipher suites (Data In-Transit). Applications integrate robust stateless CSRF architectures, sanitized database ORMs, and routine penetration validation routines to neuter zero-day exploitations.
Retention Cadence: We enact logic-driven obsolescence. Active account data persists solely for the duration of the engagement. Tax/Enterprise artifacts are hard-archived up to seven (7) to ten (10) years strictly adhering to local statutory compliance (e.g., GST/IRS regulatory compliance frameworks). Telemetric server logs automatically overwrite on a 90-day rotational basis. Upon account purging user-initiated commands, all relational database rows trigger irreversible cryptographic shredding within a 30-day asynchronous sweep.
7Comprehensive Data Rights and Sovereignty
In accordance with global human rights regarding digital sovereignty, you possess expansive controls designed to empower your interactions with our infrastructure:
- Exhaustive Right of Access & Portability: Procure a structured, machine-readable JSON/CSV manifest denoting all telemetry and historical inputs intrinsically tied to your UUID.
- Right to Rectification: Formally compel internal system modifications to update fragmented, decayed, or inaccurate biographical parameters.
- Right to Total Erasure ("The Right to be Forgotten"): Demand comprehensive systemic unlinking and subsequent destruction of your footprint across primary datastores, backup archives, and caching layers (exception: legally constrained financial ledgers).
- Right to Opt-Out & Restrict Profiling: Sever connections to secondary marketing pipelines, revoke consent for advanced AI model training contributions, and suspend general processing pending dispute remediation.
8Children's Preemptive Privacy Guardrails
EXPLYRA's professional and enterprise suites are explicitly forbidden for utilization by individuals under the localized age of digital majority (commonly defined as sixteen (16) years of age, or thirteen (13) strictly aligned with the US Federal COPPA compliance standard). We aggressively restrict, via gated onboarding and AI heuristics, the intentional acquisition of datatypes belonging to minors. Upon authenticated discovery of minor data penetration, rapid and irreversible erasure sequences are initiated spanning our entire topological footprint.
9Designated Grievance Officer & Data Protection Officer (DPO)
To ensure strict operational compliance with Indian IT Rules (2011), the Digital Personal Data Protection Act, and the GDPR framework, we have appointed an authoritative Data Protection and Grievance Officer. For any legally sensitive matters, escalated disputes, immediate data rights exercising requests, or urgent systemic breach notifications, please contact the officer below.
Name: Mitanshu Bhasin
Title: Data Protection Officer (DPO) & Chief Grievance Officer
Direct Contact: +91 8076108584
Email Address: [email protected]
Corporate Entity: EXPLYRA (MSME ID: UDYAM-DL-11-0156637)
Address: J-36, Beri Wala Bagh, Milap Market, Hari Nagar, 110064, Delhi, India
Note: Time-sensitive legal escalations mapping to GDPR Article 27 or requests under the DPDP Act will be triaged and executed within standard 30-day statutory windows, or expedited subject to critical priority.
10MSME / Udyam Registration & Legal Efficacy
Explyra constitutes a legally sanctioned commercial entity functioning as a registered Micro, Small and Medium Enterprise (MSME) beneath the Ministry of Micro, Small & Medium Enterprises, Government of India. This corporate standing enforces rigorous transparency protocols.
View Certified Udyam Registration