Annotatory AI - Compliance Master

Privacy Policy & Governance

A comprehensive framework governing the protection, processing, and management of data across Annotatory AI platforms worldwide.

Section 01: Purpose and Scope

This Master Privacy Policy establishes the data-protection framework of Annotatory AI Projects Pvt Ltd and any future digital health or AI-based divisions under Annotatory AI Projects Pvt Ltd.

It aligns with the following international standards and regulations:

  • Digital Personal Data Protection Act (DPDP), 2023 (India)
  • EU General Data Protection Regulation (GDPR 2016/679)
  • U.S. HIPAA Privacy and Security Rules (45 CFR Part 164)
  • ISO/IEC 27001:2022 and ISO/IEC 27701:2019

This policy governs all personal, sensitive, psychological, and derived data processed through Annotatory AI's platforms, research, and analytics systems.

Section 02: Definitions

Personal Data

Any information relating to an identifiable individual.

Sensitive Personal Data

Includes psychological assessments, mental-health data, biometric identifiers, or medical records.

Processing

Any operation on personal data, including collection, storage, analysis, sharing, or deletion.

Data Principal

Individual to whom the data relates (Data Subject).

Data Controller

Annotatory AI Projects Pvt Ltd (Data Fiduciary).

Data Processor

Any third party engaged by Annotatory AI for processing data under its instruction.

Section 03: Governance and Compliance Framework

Annotatory AI maintains a Privacy Management System (PMS) aligned with ISO/IEC 27701:

  • The Compliance Office acts as the designated Data Protection Officer (DPO).
  • Annual privacy impact assessments (PIAs) and risk registers are maintained.
  • All employees undergo periodic data-protection training.
  • Independent audits occur annually or after significant system changes.

Section 04: Data Collection and Classification

  • Type 1: Identification Data (name, age, gender, contact details)
  • Type 2: Psychological Data (responses, cognitive patterns, self-reports)
  • Type 3: Technical Data (device IDs, IP addresses, browser fingerprints)
  • Type 4: Transactional Data (billing and payment information)
  • Type 5: Communication Logs (chat records, emails, consent receipts)
  • Type 6: Derived Data (anonymized for research and analytics)

Classification: All data is catalogued under a Data Inventory Register (Annexure A) with sensitivity classification (Public / Internal / Confidential / Restricted).

Section 05: Lawful Basis for Processing

  • DPDP 2023: Consent or legitimate use grounds (Section 7).
  • GDPR Art. 6 & 9: Consent, contract necessity, legal obligation, legitimate interest.
  • HIPAA: Permitted uses for treatment, payment, and operations under 45 CFR Section 164.506.

Annotatory AI ensures consent is freely given, specific, informed, and unambiguous.

Section 06: Purpose of Processing and Use of Data

  1. Deliver psychological assessments and AI-based insights.
  2. Provide teleconsultation and professional services.
  3. Conduct research using anonymized datasets under ethical approval.
  4. Develop AI models for behavioural analytics and market insight.
  5. Ensure regulatory compliance and fraud prevention.
  6. Collaborate with public health institutions and universities.

Research Use Case

Anonymized data may be used for statistical and scientific purposes consistent with Recital 26 GDPR and Section 8 DPDP Act.

Section 07: Data Minimization and Retention

Only necessary data is collected for stated purposes.

Retention periods follow the schedule in Annexure B and are reviewed annually.

Secure erasure and anonymization protocols are enforced.

Aggregated, non-identifiable datasets may be retained indefinitely for research and AI training.

Section 08: Data Subject Rights

Individuals may exercise rights to:

  • Access and obtain copies of data
  • Correct or update information
  • Withdraw consent at any time
  • Request erasure of records
  • Restrict processing or profiling

Requests will be acknowledged within 48 hours and acted upon within 15 working days via privacy@annotatory.com.

Section 09: Security Controls

  • Encryption: AES-256 for data at rest; TLS 1.3 for data in transit.
  • Access Management: Multi-Factor Authentication and Role-Based Access Controls.
  • Audit Trail: Logging and audit-trail retention per ISO 27001.
  • Regular Audits: Annual penetration testing and third-party audits.

Section 10: Cross-Border Data Transfers

Data may be processed in India, EU, U.S., or other jurisdictions with adequate protection. Transfers strictly adhere to GDPR Standard Contractual Clauses and DPDP cross-border rules.

Section 11: Automated Processing and AI Governance

  1. AI algorithms provide insights but do not constitute medical diagnosis.
  2. We maintain a Model Ethics Register covering bias audits.
  3. Data subjects may request human review of AI decisions.

Section 12: Third-Party Processors

Vendors and partners operate under Data Processing Agreements per ISO 27701 clause 7.2.

Strict Non-Sale Guarantee

No data is sold for advertising purposes.

Section 13: Breach Response

Incident Management Protocol

  • Within 2 hours, Escalation: Data breach is escalated to the DPO.
  • Within 72 hours, Reporting: Reported to authorities within 72 hours.

Section 14: Children's Data Protection

Age Requirement (18+): Services are intended for users 18+. Minors require verified parental consent. Processing complies with COPPA and Section 10 of the DPDP Act.

Section 15: Roles & Responsibilities

  • Board of Directors: Oversight of privacy strategy.
  • Compliance Office (DPO): Implementation and reporting.
  • IT Security Team: Operational controls and management.
  • All Employees: Adherence to policies and training.

Section 16: Review & Amendments

Reviewed annually or upon material change in law. Version control records are maintained internally.

Section 17: Public-Facing Overview

Effective Date: January 1, 2026

Annotatory AI values your privacy. This section summarizes how we handle your data across all platforms.

  1. Scope: Applies globally to all users of our platforms.
  2. Information We Collect: Identification, test responses, technical data.
  3. How We Use Your Data: Insights, improvement, and ethical research.
  4. Legal Basis: Consent and legitimate business needs.
  5. Your Rights: Access, correct, or delete via privacy@annotatory.com.
  6. Retention: Kept only as long as needed, then securely erased.
  7. Security: AES-256 encryption and standard controls.
  8. AI Governance: Tools support feedback, not clinical diagnosis.
  9. International: Processed in India, EU, or U.S. with safeguards.
  10. Children: Users under 18 require parental consent.
  11. Updates: Periodically updated version on our website.

Contact: Compliance Office, Annotatory AI Projects Pvt Ltd, GF-3, Plot No. 35, HUDA Enclave, Hyderabad | privacy@annotatory.com | +91 7893384949

Section 18: Annexures

  • Annexure A, Data Flow Matrix: Internal mapping of data sources and flows.
  • Annexure B, Retention Schedule: Data types, periods, and erasure methods.
  • Annexure C, Consent Register: Record of user consents and lawful bases.
  • Annexure D, Vendor Registry: Approved processors and DPAs.

Section 19: Compliance Declaration

Annotatory AI Projects Pvt Ltd hereby declares compliance with DPDP Act (India), EU GDPR, HIPAA, and ISO 27001/27701.

Authorized Signature: Director, Annotatory AI Projects Pvt Ltd
Issue Date: January 1, 2025
Rights: © 2026 All Rights Reserved