Personal Information

• Identification Data: Name, email address, postal address, phone number, username, account credentials
• Professional Information: Company name, job title, department, business contact details
• Connection Data: IP address, login information, device identifiers, browser type, operating system, and other technical information about your device
• Usage Data: Information about how you use our website and Solutions, including browsing behavior, feature usage, and interaction patterns
• Communication Preferences: Your preferences for receiving communications from us
• Transaction Data: Records of products or services you have purchased, payment information, and billing details
• Customer Support Data: Information you provide when you contact our customer support
• User Content: Information you voluntarily provide through our platform, including any personal information contained in documents, files, or other content you upload to our Solutions

Sensitive Personal Data or Information (SPDI)

In some cases, we may collect Sensitive Personal Data or Information as defined under applicable laws, which may include:

• Financial information (in connection with payments)
• Health information (if you use our solutions for healthcare-related purposes)
• Biometric information (if relevant features are enabled)
• Government identifiers (in limited circumstances)

Qarbona collects personal information for a variety of reasons, including, but not limited to:

• Providing, operating, and maintaining our platform and services
• Processing transactions and managing accounts
• Sending administrative information and service-related notifications
• Providing customer support and responding to inquiries
• Improving and personalizing user experience
• Analyzing usage patterns and trends to enhance our Solutions
• Protecting against fraud and unauthorized access
• Complying with legal obligations

If you choose to provide Qarbona with a third party's personal information (such as name, email, and phone number), you represent that you have the third party's permission to do so. Examples include forwarding reference or marketing material. Third parties may unsubscribe from any future communication by following the unsubscribe instructions in the communications or by contacting us at connect@kenome.ai.

Direct Collection

• When you register for an account on our platform
• When you provide information through forms on our website or platform
• When you communicate with us via email, phone, or other channels
• When you participate in surveys, feedback sessions, or other research activities
• When you sign up for newsletters or marketing communications
• When you report issues or request support

Automated Collection

• Through cookies and similar technologies when you visit our website
• Through log files and analytics tools that record usage data
• Through application programming interfaces (APIs) and integrations
• Through our platform's normal operation when you use its features
• From devices and browsers you use to access our Solutions

Third-Party Collection

• From enterprise customers who provide their employee or user information
• From service providers who help us provide functionality,
• From partners who refer you to our Solutions
• From publicly available sources, where permitted by law

Providing and Improving Our Services

• Delivering the functionalities of our Solutions
• Personalizing your experience based on your preferences
• Analyzing usage patterns to improve our platform
• Developing new features and services
• Troubleshooting issues and optimizing performance
• Providing customer support and responding to inquiries

Business Operations

• Processing payments and managing billing
• Sending administrative communications
• Maintaining accounts and records
• Conducting internal research and development to enhance our Solutions
• Managing our relationship with you or your organization

Security and Compliance

• Protecting against fraud, unauthorized transactions, and security threats
• Verifying identity and authenticating access
• Ensuring compliance with our terms of service
• Resolving disputes and enforcing our agreements
• Complying with legal obligations and regulatory requirements

Communication and Marketing

• Sending service-related announcements and updates
• Providing information about new features or services
• Conducting surveys and gathering feedback
• Delivering marketing communications (with your consent where required)
• Measuring the effectiveness of our communications

AI and Platform Functionality

• Enabling AI-based features and recommendations
• Facilitating integrations with third-party systems through MCP
• Maintaining metadata indexes for improved performance
• Creating audit logs for system integrity and security

Within Our Organization

• With our subsidiaries, affiliates, and related entities for purposes consistent with this Privacy Policy

With Service Providers

• With third-party vendors who help us provide services (e.g., cloud hosting providers, payment processors, analytics services)
• With contractors and service providers who support our business operations
• These service providers are required to protect your information and are prohibited from using it for any other purpose

With Enterprise Customers

• When you use our Solutions as an employee, contractor, or agent of an enterprise customer, we may share your information with that customer's administrators

For Legal Reasons

• To comply with laws, regulations, or legal processes
• To protect the rights, property, or safety of Qarbona, our users, or others
• To detect, prevent, or address fraud, security, or technical issues
• To enforce our agreements, including investigating potential violations

Business Transfers

• In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy
• As part of due diligence for such transactions
• We will require the recipient to honor this Privacy Policy

With Your Consent

• When you have explicitly consented to the sharing
• As otherwise described to you at the point of collection

Third-Party Disclosure Limitations

We do not sell, rent, or lease your personal information to third parties. We may share aggregated, de- identified information that does not identify you with third parties for industry analysis, demographic profiling, and other purposes.

Data Protection Agreements

We require all third parties who process personal information on our behalf to enter into data processing agreements that ensure the protection of your information in accordance with this Privacy Policy and applicable laws.

Security Measures

Our security measures include, but are not limited to:

• Encryption: We utilize encryption technologies to protect data in transit and at rest
• Access Controls: We implement strict access controls and authentication mechanisms
• Secure Infrastructure: Our infrastructure is designed with security best practices in mind
• Regular Audits: We conduct security assessments and vulnerability scanning
• Employee Training: Our staff undergoes regular security awareness training
• Incident Response: We maintain incident response procedures
• Data Minimization: We limit collection and retention to what is necessary
• Continuous Monitoring: Our systems are monitored for unauthorized access attempts

Data Breach Procedures

In the event of a data breach involving your personal information, we will:

• Promptly investigate the incident
• Take measures to contain and mitigate the breach
• Notify affected individuals in accordance with applicable laws
• Notify relevant regulators where required by law
• Implement measures to prevent similar incidents in the future

Access and Information

You have the right to:

• Confirm whether we process your personal information
• Obtain a copy of your personal information
• Receive information about how we process your data

Correction and Update

You have the right to:

• Request correction of inaccurate personal information
• Complete incomplete personal information
• Update your personal information

Deletion and Restriction

You have the right to:

• Request deletion of your personal information in certain circumstances
• Restrict processing of your personal information in certain cases
• Object to processing based on legitimate interests

Data Portability

You have the right to:

• Receive your personal information in a structured, commonly used, machine-readable format
• Transmit this data to another service provider where technically feasible

Consent Withdrawal

You have the right to:

• Withdraw your consent at any time when we process data based on consent
• Opt-out of marketing communications

Complaint

You have the right to:

• Lodge a complaint with a supervisory authority about our data practices
• Contact us directly to resolve concerns

Response Process

When you submit a request:

1. We will acknowledge receipt of your request.
2. We may ask for additional information to verify your identity.
3. We will assess your request under applicable laws.
4. We will respond within the timeframe required by law (usually 30 days).
5. If we decline to act on your request, we will explain why.

There may be situations where we cannot fulfill your request, such as when:

• We cannot verify your identity
• The request is manifestly unfounded or excessive
• The information is subject to legal privilege or confidentiality
• Compliance would interfere with legal obligations, proceedings, or rights of others

Transfer Mechanisms

When we transfer personal information outside of regions with strict data protection laws (such as the EEA, UK, or Switzerland), we implement appropriate safeguards to ensure your information remains protected. These safeguards may include:

• Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs in our agreements with third parties that receive or access personal information
• Data Processing Agreements: We enter into data processing agreements that include provisions for international transfers
• Privacy Shield: Where applicable, we may rely on the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework
• Adequacy Decisions: We may transfer data to countries deemed to provide adequate protection
• Consent: Where appropriate and permitted by law, we may rely on your explicit consent

Data Protection Impact Assessments

For transfers to countries without adequate protection, we conduct assessments to evaluate the level of protection and implement additional measures as needed.

Rights of Data Subjects in Different Jurisdictions

We respect the rights of data subjects regardless of location. If you are in the EEA, UK, or Switzerland, you may have specific rights under applicable law, and we are committed to facilitating the exercise of those rights.

By using our Solutions or providing personal information to us, you consent to the transfer, storage, and processing of your information in countries outside your own. If you have questions about our international data transfer practices, please contact us at connect@kenome.ai.

Retention Periods

We determine the appropriate retention period based on:

• The amount, nature, and sensitivity of the personal information
• The potential risk of harm from unauthorized use or disclosure
• The purposes for which we process the information
• Whether we can achieve those purposes through other means
• Applicable legal, regulatory, tax, accounting, or other requirements

Specific Retention Timeframes

While retention needs may vary based on the type of information and purpose, generally:

• Account Information: Retained for the duration of your account and for a period after account closure to allow for account recovery
• Transaction Data: Retained for the period required by tax and accounting regulations (typically 7-10 years)
• Communication Data: Retained for 3-5 years after last contact
• Usage Data: Retained for 12-24 months for analytical purposes
• Marketing Preferences: Retained until you opt out or request deletion

Data Deletion

When personal information is no longer needed, we will:

• Securely delete or anonymize the information, or
• If secure deletion or anonymization is not possible, we will securely store and isolate the information from further processing

What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They are widely used to make websites work more efficiently and provide information to website owners.

Essential Cookies

• Required for the website to function properly
• Enable basic features like page navigation and access to secure areas
• Cannot be disabled as they are necessary for website operation.

Analytical/Performance Cookies

• Help us understand how visitors interact with our websites
• Provide information about metrics such as visitor numbers and popular pages
• Used to improve website functionality

Functionality Cookies

• Allow the website to remember choices you make
• Provide enhanced, personalized features
• May be set by us or third-party providers

Targeting/Advertising Cookies

• Used to build profiles of your interests
• Deliver relevant content and advertisements
• Measure the effectiveness of marketing campaigns

Cookie Management

You can control cookies through your browser settings. Most browsers allow you to:

• Block all or certain cookies
• Delete cookies when you close your browser
• Allow cookies from specific websites

Please note that blocking some cookies may impact your experience on our websites and limit certain functionalities.

Third-Party Cookies

Some cookies are placed by third parties on our behalf. These third parties may collect information about your online activities over time and across different websites. We do not control these third-party cookies and suggest you check the respective privacy policies of these third parties.

Web Beacons and Other Technologies

In addition to cookies, we may use web beacons (clear GIFs), pixels, and other similar technologies to track user activities across our websites and marketing communications. These technologies help us understand usage patterns and improve our services.

Do Not Track Signals

Our websites currently do not respond to "Do Not Track" signals. However, you can set your browser to block cookies as described above.

AI Data Processing Principles

Qarbona is committed to the following principles regarding AI and data:

1. No Training on Customer Data: We do not use customer data to train our AI models. Your data remains yours, and we do not exploit it to improve our AI systems or for any purpose other than providing the service to you.
2. Real-time Access: Our Model Context Protocol (MCP) integrations access company data in real- time unless explicitly specified otherwise. This minimizes data duplication and ensures data freshness.
3. Limited Data Duplication: We only duplicate data for:
   • Metadata indexing to facilitate search and retrieval
   • Locally uploaded files that are manually updated by users
   • Specific integrations where real-time access is not possible (which will be explicitly stated)
   • Employee data required for account creation and authentication (if not using SSO)
4. System Enhancement: We use analytics and logs for system enhancement purposes, but not customer data directly. Any data used for this purpose is anonymized. Users can opt out of this data collection.
5. Transparency: We are transparent about which AI models we use, including any third-party AI services, and how they process data.
6. Human Oversight: For certain sensitive operations or high-risk decisions, we maintain appropriate human oversight of AI systems.

AI Model Information

Kenome may utilize various AI technologies and models, including:

1. First-Party Models: AI models developed and operated by Qarbona.
2. Third-Party Models: Models from established providers with strong security practices.
3. On-Premises Models: For customers with specific security requirements, we offer deployment options that keep AI processing within your infrastructure.

For third-party AI services, we implement strict data protection agreements to ensure they:

• Do not use your data to train their models
• Only process your data as necessary to provide the requested service
• Maintain appropriate security measures
• Delete data after processing, unless retention is required for the service

AI Decisions and User Control

Kenome empowers users with control over AI functionalities:

1. Transparency: We clearly indicate when content is generated by AI.
2. User Validation: Important AI-generated outputs require user review and validation.
3. Customization: Users can adjust AI behavior and limit its access to certain data.
4. Override: Users can override AI suggestions and decisions.
5. Opt-Out: Where appropriate, users can opt out of specific AI features.

AI Monitoring and Improvement

To ensure responsible AI usage:

• We regularly monitor AI systems for potential biases, inaccuracies, or other issues.
• We implement feedback mechanisms to improve AI performance.
• We maintain audit trails of significant AI actions.
• We regularly review and update our AI governance practices.

If you have concerns about how AI is used within our platform, please contact us at connect@kenome.ai.

GDPR Compliance

We respect the rights of EU data subjects under the General Data Protection Regulation (GDPR), including:

• Transparent processing
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

SOC 2 Type 2

Our security practices are designed to align with SOC 2 principles:

• Security
• Availability
• Processing integrity
• Confidentiality
• Privacy

ISO 27001

We implement information security controls consistent with ISO 27001 standards:

• Risk assessment and treatment
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and maintenance
• Incident management
• Business continuity management
• Compliance

HIPAA

For healthcare-related processing, we implement safeguards aligned with HIPAA requirements:

• Administrative safeguards
• Physical safeguards
• Technical safeguards
• Organizational requirements
• Policies and procedures

Information Technology Act, 2000

We comply with the provisions of the IT Act governing electronic records, digital signatures, and cybersecurity.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

We adhere to these rules by:

• Obtaining consent before collecting sensitive personal data
• Using information only for the stated purpose
• Allowing individuals to review and correct their information
• Implementing reasonable security practices
• Publishing a privacy policy

Digital Personal Data Protection Act

We are aligning our practices with India's new data protection law by:

• Establishing lawful bases for processing
• Implementing data protection by design and default
• Enabling data subject rights
• Conducting impact assessments for high-risk processing
• Maintaining processing records

Certification Status

Qarbona Solutions Pvt. Ltd. is actively working towards obtaining formal certifications for SOC2 Type 2, GDPR, ISO27001, and HIPAA compliance. While we currently follow the principles and requirements of these standards, we have not yet completed the certification process. We will update this Privacy Policy once certifications are obtained.

Compliance Assurance

To ensure ongoing compliance:

• We conduct regular internal assessments
• We update our practices as laws and standards evolve
• We train our staff on data protection requirements
• We maintain records of processing activities
• We implement data protection impact assessments for new high-risk processing

If you have questions about our compliance with specific laws or standards, please contact us at connect@kenome.ai.

Age Restrictions

• Our Solutions are intended for business and professional use.
• Users must be at least 18 years old to use our services.
• Enterprise customers are responsible for ensuring their users meet age requirements.

Unintentional Collection

If we learn that we have collected personal information from a child under the applicable age limit, we will:

• Promptly delete that information
• Take reasonable measures to ensure we don't maintain any such information
• Implement additional safeguards to prevent future collection

Parental Involvement

If you are a parent or guardian and believe we may have collected information about your child, please contact us at connect@kenome.ai.

Educational Use

For educational institutions using our Solutions:

• We comply with applicable laws regarding student data
• We process such information solely to provide the requested services
• We implement additional safeguards as required by relevant laws

Notification of Changes

For material changes to this Privacy Policy, we will:

• Post a notice on our website
• Notify registered users via email or in-app notification
• Obtain consent where required by applicable law

Review of Changes

We encourage you to periodically review this Privacy Policy to stay informed about our data practices. Your continued use of our Solutions after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

Prior Versions

We maintain prior versions of our Privacy Policy for your review. To request access to previous versions, please contact us at connect@kenome.ai.

Data Protection Officer

• Name: Achintya Gupta
• Email: achintya.gupta@kenome.ai

General Privacy Inquiries

• Email: connect@kenome.ai
• Phone:+91-9220711290