GDPR Compliance Policy

Context & Purpose

  1. The domain name www.airveda.com, an internet-based portal, and Airveda, a mobile application, is owned and operated by Airveda Technologies Pvt Ltd., a company duly incorporated under the provisions of the Companies Act, 2013 (hereinafter referred to as "Airveda" or "We" or "Our" or "Us" or "Company"). Airveda is committed to protecting the privacy, confidentiality, integrity, and security of Personal Data processed through our products, services, websites, mobile applications, dashboards, APIs, cloud infrastructure, air quality monitoring devices, environmental monitoring platforms, analytics systems, and related technologies. As a provider of environmental monitoring and air quality management solutions, Airveda recognizes the importance of protecting the personal information entrusted to us by our customers, users, partners, employees, and other stakeholders.
  2. This GDPR Compliance Policy supplements Airveda's Privacy Policy and describes Airveda's approach to complying with applicable data protection laws, including Regulation (EU) 2016/679 (the General Data Protection Regulation or "GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 (United Kingdom), the Digital Personal Data Protection Act, 2023 (India), and other applicable national and international privacy and data protection laws in jurisdictions where Airveda operates. Where there is any conflict between the provisions of this Policy and Airveda's Privacy Policy in respect of individuals located in the EEA, the UK, or Switzerland, the provisions of this Policy shall take precedence to the extent of such conflict.
  3. This Policy applies to Personal Data relating to individuals located within the European Economic Area ("EEA"), the United Kingdom ("UK"), Switzerland, and other jurisdictions where similar legal obligations apply. Airveda continuously reviews and improves its privacy, security, and governance practices to ensure compliance with evolving legal, regulatory, technological, and industry requirements, and undertakes periodic internal reviews of this Policy as part of its broader data protection governance program.
  4. Airveda is headquartered in India, and our core operations and infrastructure are designed around the requirements of Indian law. However, as our user base, customers, and research partnerships increasingly extend to Europe and the United Kingdom, we have adopted this Policy to ensure that wherever an individual covered by the GDPR or UK GDPR interacts with our products and services, their data protection rights are recognized and honored to a standard consistent with those frameworks.

Scope of This Policy

  1. This Policy applies to all Personal Data processed by Airveda through its websites, mobile applications, Android TV applications, customer dashboards, APIs, cloud services, connected monitoring devices, support services, communications, business operations, and related activities, regardless of the channel through which such data is collected.
  2. This Policy applies when Airveda acts as a Data Controller and determines the purposes and means of processing Personal Data, for example where an individual creates an Airveda account, browses our website, or chooses to use the optional respiratory wellness features within the app. This Policy also applies when Airveda acts as a Data Processor on behalf of customers that use Airveda products and services to collect, process, store, monitor, analyse, or manage information through Airveda platforms, such as where an organization deploys Airveda air quality monitors across its sites and uses our dashboards and analytics tools to manage that data.
  3. The obligations described in this Policy apply to Airveda employees, officers, directors, contractors, consultants, service providers, sub processors, and any other authorized persons involved in the processing of Personal Data on behalf of Airveda. All such persons are required to handle Personal Data in accordance with this Policy and any related internal procedures, and Airveda provides appropriate training and guidance to support this.
  4. Where Airveda's products and services are used by a customer's own employees, contractors, or end users, this Policy applies to Airveda's processing of any Personal Data relating to those individuals to the extent that such data passes through or is hosted on Airveda's platforms, without affecting any separate obligations that the customer itself may have as a Data Controller in respect of its own personnel or end users.

Key Terms Used in This Policy

  1. Personal Data means any information relating to an identified or identifiable natural person, that is, information that can be linked, directly or indirectly, to a specific individual. A Data Subject means an identified or identifiable individual whose Personal Data is processed. Processing means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, use, disclosure, transmission, retrieval, analysis, restriction, deletion, or destruction.
  2. A Data Controller is the entity that determines the purposes and means of processing Personal Data, while a Data Processor is the entity that processes Personal Data on behalf of, and under the instructions of, a Data Controller. A Subprocessor is a third party engaged by Airveda to process Personal Data on Airveda's behalf, typically to help us deliver, host, secure, or support our products and services.
  3. Customer Data means any data, information, measurements, reports, analytics, records, content, environmental monitoring information, or other materials collected, generated, stored, transmitted, or processed through Airveda products and services. A Personal Data Breach means a breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. Anonymized Data means information that has been processed in such a way that it can no longer reasonably be used to identify an individual, either on its own or in combination with other information that is reasonably likely to be available.

Our Commitment to Data Protection

  1. Airveda is committed to processing Personal Data in accordance with the fundamental principles established under the GDPR and other applicable privacy laws, and these principles inform every decision we make about how data is collected, used, stored, shared, and ultimately deleted. Personal Data shall be processed lawfully, fairly, and transparently, and information shall be collected only for specified, explicit, and legitimate purposes and shall not be processed in a manner incompatible with those purposes.
  2. Airveda shall collect only the Personal Data necessary to fulfil legitimate business, contractual, operational, or legal purposes, in line with the principle of data minimization. Reasonable measures shall be implemented to maintain the accuracy, completeness, and reliability of Personal Data, and users are encouraged to keep their account information up to date so that we can continue to provide our services effectively.
  3. Personal Data shall not be retained longer than necessary and shall be protected through appropriate technical and organizational safeguards throughout its lifecycle, from the point of collection to the point of deletion or anonymization.
  4. Airveda shall maintain appropriate governance structures, policies, procedures, controls, and training programs designed to demonstrate accountability and compliance with applicable data protection laws, and shall be able to demonstrate this accountability to supervisory authorities and individuals upon request, where required by law.

Lawful Basis for Processing

  1. Airveda processes Personal Data only where a lawful basis exists under applicable data protection laws. Depending on the circumstances, Personal Data may be processed on the basis of consent provided by the Data Subject, performance of a contract, compliance with a legal obligation, protection of vital interests, legitimate business interests, or performance of tasks carried out in the public interest where required by law.
  2. In many cases, processing is necessary for the performance of a contract with the individual, for example where certain account information is required in order to provide the Airveda app, dashboard, or device-linked services that a User has signed up for. In other cases, processing may be based on Airveda's legitimate business interests, such as understanding how our platform is used so that we can improve it, or maintaining the security of our systems, provided that these interests are appropriately balanced against the rights and freedoms of the individual concerned.
  3. Data Subjects may withdraw consent at any time without affecting the lawfulness of processing conducted prior to such withdrawal, although withdrawing consent may mean that certain optional features can no longer be provided. Airveda shall maintain records of processing activities and lawful bases where required by applicable law, so as to demonstrate compliance to regulators and individuals.

Categories of Personal Data Processed

  1. Depending on the products and services used, Airveda may process various categories of Personal Data, including account registration information, names, usernames, and email addresses; telephone numbers and profile information; authentication credentials and device identifiers; operating system information and IP addresses; usage, log, and diagnostic information; location information; customer support communications; and project-related information or other information voluntarily provided by Users.
  2. Where a User registers an Airveda monitor with their account, Airveda may also process the data records generated by that device, including environmental readings such as air quality measurements, along with device identifiers and connectivity information necessary to maintain the link between the device and the User's account.
  3. Airveda does not intentionally collect more Personal Data than is reasonably necessary to provide its products and services, and we periodically review the categories of data collected across our products to confirm that each category continues to serve a clear and legitimate purpose.

Customer Data Ownership

  1. Airveda recognizes that customers may use Airveda products and services to collect, generate, monitor, analyse, process, store, and manage environmental, operational, scientific, educational, industrial, commercial, and research-related information that is important to their own organizations. Unless otherwise agreed in writing, all Customer Data remains the sole and exclusive property of the Customer, and Airveda acquires no ownership rights, intellectual property rights, or proprietary interests in Customer Data merely by virtue of hosting or processing it.
  2. Where Airveda processes Customer Data containing Personal Data, Airveda acts solely in accordance with applicable contractual arrangements, customer instructions, and legal obligations, and shall not use Customer Data for purposes unrelated to the provision of services without appropriate authorization from the Customer. This includes a commitment not to use a customer's environmental monitoring data, site-specific readings, or analytics for the benefit of any other customer or third party without the originating customer's consent.

Processing of Customer Data

  1. Airveda processes Customer Data solely for the purpose of providing, maintaining, supporting, securing, and improving its products and services. Such processing may include facilitating communication between monitoring devices and Airveda platforms, generating environmental insights, providing dashboards and reports, supporting device management, conducting diagnostics, providing customer support, monitoring platform performance, detecting security incidents, and complying with legal obligations.
  2. Airveda shall process Customer Data only to the extent necessary to fulfil contractual commitments, provide requested services, and comply with applicable legal requirements, and shall not repurpose Customer Data for unrelated internal initiatives without first identifying an appropriate lawful basis and, where applicable, obtaining the customer's consent.

Use of Customer Data for Marketing and Public Communications

  1. Airveda respects the confidentiality of Customer Data and shall not sell, trade, rent, commercialize, or disclose Customer Data to third parties for advertising, promotional, or unrelated commercial purposes. This commitment applies in particular to environmental monitoring data, analytics, and any other information generated through a customer's use of Airveda's products and services in regards with their projects, sites, or operations.
  2. Airveda may request permission from customers to reference specific deployments, projects, case studies, testimonials, implementation outcomes, research collaborations, or success stories in marketing materials, presentations, reports, publications, website content, conferences, or investor communications. Any such use shall occur only after obtaining appropriate written authorization from the Customer, and customers remain free to decline such requests without any impact on the services provided to them.
  3. Where information has been anonymized or aggregated such that individuals and customers cannot reasonably be identified, Airveda may use such information for research, analytics, product development, service improvement, environmental studies, and business intelligence purposes. Such aggregated insights, for instance broad regional air quality trends, help Airveda improve its monitoring algorithms and develop new features without exposing any individual customer's specific data.

Data Processing Agreements

  1. Where required by law, Airveda shall enter into a Data Processing Agreement ("DPA") with customers for whom Airveda processes Personal Data. Such agreements may define the nature and purpose of processing, categories of Personal Data and Data Subjects, security requirements and confidentiality obligations, retention periods, international transfers and sub processors, audit rights, incident notification obligations, and deletion requirements upon termination of services.
  2. Airveda shall ensure that appropriate contractual safeguards are maintained throughout the processing lifecycle, from the onboarding of a customer through to the offboarding and deletion of their data once the relationship with Airveda ends, and shall make a standard form of DPA available to customers upon request where one is required.

Sub processors

  1. Airveda may engage trusted third-party service providers to assist in the delivery, maintenance, operation, security, hosting, analytics, communication, customer support, and infrastructure management of its products and services. Where such service providers process Personal Data on behalf of Airveda, Airveda shall ensure that appropriate contractual obligations are implemented to protect Personal Data to a standard consistent with Airveda's own commitments under this Policy.
  2. Airveda shall take reasonable steps to ensure that sub processors maintain security, confidentiality, and compliance standards consistent with applicable legal requirements, and shall periodically review such arrangements as part of its broader vendor oversight processes. Airveda does not engage sub processors without first considering the nature of the Personal Data involved and the safeguards that the prospective sub processor has in place.

International Transfers of Personal Data

  1. Airveda may process, store, access, or transmit Personal Data using infrastructure located in multiple jurisdictions, which is a normal part of operating cloud-based environmental monitoring services at scale. Where Personal Data originating from the EEA, UK, Switzerland, or other jurisdictions is transferred internationally, for example to infrastructure located in India or elsewhere, Airveda shall implement appropriate safeguards in accordance with applicable laws, which may include Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum, adequacy decisions, or other legally recognized transfer mechanisms.
  2. Airveda shall assess transfer risks where required and implement supplementary safeguards, such as additional technical, organizational, or contractual measures, where necessary to ensure an appropriate level of protection for Personal Data once it leaves its country of origin.

Rights of Data Subjects

  1. Subject to applicable law, Data Subjects may exercise various rights regarding their Personal Data, including the right to access their Personal Data, request correction of inaccurate information, request deletion of Personal Data, restrict or object to processing, request data portability, withdraw consent, and exercise rights relating to automated decision-making, as further described in this Policy.
  2. Where a Data Subject wishes to exercise any of these rights, Airveda shall respond to verified requests within the timeframes required under applicable law, and may take reasonable steps to confirm the identity of the requester before acting on the request, in order to protect the security of Personal Data.
  3. Where Airveda acts as a Data Processor, for example where the Personal Data in question forms part of a customer's deployment, requests may be forwarded to the relevant Data Controller where appropriate, and Airveda shall inform the individual that this has been done so that they are aware of how their request is being handled.

Children's Data

  1. Airveda does not knowingly collect Personal Data directly from children where such collection is prohibited under applicable law, and our products and services are designed with a general adult audience in mind.
  2. Where Airveda becomes aware that Personal Data has been collected from a child without appropriate authorization or legal basis, Airveda shall take reasonable steps to delete such information from its systems as soon as practicable.
  3. Parents, guardians, educational institutions, or authorized representatives who believe that a child has provided Personal Data to Airveda may contact Airveda for assistance at info@airveda.com, and Airveda will look into the matter and take appropriate action.

Automated Decision-Making

  1. Airveda does not make decisions that produce legal effects or similarly significant effects on individuals solely through automated processing without appropriate safeguards being in place to protect the rights and interests of the individuals concerned.
  2. Where automated processing is used to support analytics, reporting, environmental monitoring, system optimization, or service delivery, such processing shall be subject to appropriate oversight and controls so that it operates fairly and as intended, and where required by law, individuals shall be provided information regarding such processing and the rights available to them, including the right to request human review of a particular outcome.

Data Retention

  1. Airveda retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected. Retention periods may be influenced by contractual obligations, customer requirements, legal and regulatory obligations, dispute resolution requirements, security and audit requirements, and legitimate business needs, and may therefore vary depending on the type of data and the context in which it was collected.
  2. When Personal Data is no longer required, Airveda shall securely delete, anonymize, archive, or otherwise dispose of the information in accordance with applicable laws and internal retention policies, so that Personal Data is not held for longer than is genuinely necessary.

Data Deletion Requests

  1. Data Subjects and customers may request deletion of Personal Data or Customer Data, subject to legal, contractual, regulatory, audit, security, and operational requirements. Upon receiving a verified request, Airveda may delete, anonymize, restrict, or otherwise process the relevant information as required by applicable law.
  2. Where retention remains necessary to comply with legal obligations or protect legitimate rights and interests, for example in connection with an ongoing dispute, Airveda may retain the information for the period required, and shall explain this to the individual where appropriate.
  3. You can access or delete your personal information directly from the Airveda App using the option available in the side navigation, or by writing to us at info@airveda.com. For Users who interact with Airveda primarily through a customer's deployment, deletion requests may be coordinated with the relevant customer where Airveda acts as a Data Processor for that data.

Security Measures

  1. Airveda maintains appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, disclosure, alteration, destruction, misuse, or loss. Such measures may include access controls and authentication systems, encryption technologies for data in transit and at rest, network security controls, infrastructure monitoring and logging mechanisms, vulnerability management processes, and secure development practices.
  2. Airveda also relies on organizational measures such as employee confidentiality obligations, role-based access on a need-to-know basis, vendor oversight, and incident response procedures designed to ensure that we are prepared to act quickly should a security issue arise.
  3. Airveda regularly reviews and updates its security controls to address evolving risks and threats, recognizing that maintaining the security of Personal Data is an ongoing responsibility rather than a one-time exercise.

Personal Data Breaches

  1. Airveda maintains procedures for identifying, investigating, containing, mitigating, documenting, and responding to security incidents and Personal Data Breaches. Where a Personal Data Breach is likely to result in a risk to the rights and freedoms of individuals, Airveda shall notify the relevant supervisory authority without undue delay and, where required by law, within seventy-two (72) hours of becoming aware of the breach.
  2. Where a breach is likely to result in a high risk to affected individuals, Airveda shall notify affected individuals without undue delay and in accordance with applicable legal requirements that apply in their jurisdiction.
  3. Airveda shall maintain records of Personal Data Breaches and remediation activities as required by law, so that any incident can inform improvements to our security practices going forward.

Right to Lodge a Complaint

  1. Data Subjects have the right to lodge a complaint with a competent supervisory authority if they believe that the processing of their Personal Data violates applicable data protection laws.
  2. Airveda encourages individuals to contact Airveda directly in the first instance so that concerns may be reviewed and addressed promptly and effectively, and we are committed to engaging constructively with anyone who raises a concern about how their data has been handled.

Exercising Your Rights

  1. Requests relating to Personal Data, privacy rights, data protection concerns, access requests, correction requests, deletion requests, or complaints may be submitted to info@airveda.com.
  2. Airveda shall respond to such requests within the timeframes required under applicable law and may require reasonable verification of identity before processing a request, in order to ensure that Personal Data is only accessed, corrected, or deleted at the request of the individual it relates to.

Changes to This Policy

  1. Airveda may update this GDPR Compliance Policy from time to time to reflect legal, regulatory, operational, technological, or business developments as our products and services continue to evolve. Any material changes shall be communicated through Airveda's website, mobile applications, dashboards, customer communications, or other appropriate channels.
  2. Continued use of Airveda's products or services following publication of updates shall constitute acknowledgment of the revised Policy to the extent permitted by law, and individuals are encouraged to review this Policy periodically to stay informed of how Airveda protects their Personal Data.

Contact Information

  1. Airveda addresses any discrepancies, queries, and grievances of all Data Subjects with respect to the processing of Personal Data in a time-bound manner. Individuals may write to the Airveda team at info@airveda.com for this purpose, and our team will be happy to assist with any questions relating to this Policy or our privacy practices more generally.
  2. Airveda Technologies Private Limited, Website: www.airveda.com

Last Updated: 1 June 2026