Privacy Policy
CertiSight AI respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our website, contact us, or use our image authenticity and forensic reporting services. It is written to meet the requirements of India’s Digital Personal Data Protection Act 2023 and to address obligations for clients in the EU or UK where the GDPR or UK GDPR applies. Additional notices for California and other US state laws are included below.
1. Who we are
CertiSight AI provides image authenticity and forensic analysis services to clients worldwide.
- Company: CertiSight AI
- Location: India. Please insert your full postal address.
- Contact email: contact@certisightai.com
- Grievance Officer / Contact person: Ram Kumar, contact@certisightai.com
- Data Protection Officer: We are not designated as a Significant Data Fiduciary at this time. If that changes, we will appoint a DPO in India and update this notice.
For European clients: where the GDPR applies, CertiSight AI will identify the controller and, where needed, appoint an EU representative in the engagement agreement.
2. Scope
This policy covers personal data processed when you:
- browse our website or interact with our pages
- contact us by email, form, or phone
- become a client or supplier
- send us images, videos, or other files for analysis
- subscribe to updates or attend our presentations
This policy does not cover third-party websites that we link to. Their policies apply to their services.
3. Our roles
We may operate as:
- Data Fiduciary / Controller for our website, sales, billing, client management, and events
- Data Processor when we analyze content and generate reports on behalf of a client under contract or a data processing agreement. In that case the client is the Data Fiduciary or Controller and our processing follows their documented instructions.
Our contract with you will specify our role.
4. Categories of personal data we process
4.1 Website and contact data
- Identification and contact: name, email address, organization, role, phone number
- Communications: messages, call and meeting notes, support requests
- Technical and usage: IP address, device and browser type, pages viewed, timestamps, referral source, cookie identifiers
4.2 Client and supplier data
- Contract, billing and payment details, invoicing information, tax identifiers where required by law
- Account records and correspondence
4.3 Evidence files for analysis
- Images, videos, and related files that may contain personal data including faces, locations, vehicle plates, or other identifiers
- Metadata such as EXIF or XMP fields, file names, hashes, timestamps, device make and model, software tags
- Context you provide about the file origin and purpose
We ask clients to ensure they have a lawful basis before sending any personal data and to avoid sending more data than is necessary.
4.4 Special category or sensitive data
Content may incidentally contain sensitive or special category data. We do not seek to infer or classify such data. Where such data is present we will process it only when a valid legal basis applies, for example explicit consent or processing necessary for the establishment, exercise, or defense of legal claims. We record the basis and apply additional safeguards.
4.5 Children
Our services are for professional users. We do not knowingly collect personal data from children. If you believe a child’s data has been sent to us without appropriate authority, contact us and we will address it promptly.
5. Purposes and legal bases
5.1 Under India’s DPDP Act 2023
We process personal data for lawful purposes based on consent or legitimate uses permitted by the Act. When we rely on consent we present a clear notice describing the data we collect, its purposes, how to exercise your rights, and how to make a complaint to the Data Protection Board of India. You may withdraw consent at any time.
5.2 Under the GDPR and UK GDPR (for EU or UK matters)
We identify a lawful basis for each purpose. Typical bases are contract, legitimate interests, consent, and legal obligation. Legitimate interests are balanced against your rights and expectations. If consent is the basis, you may withdraw it at any time.
Purpose | Examples | Primary legal bases
Provide and administer our services | Receive evidence, run detection and forensic tests, produce and deliver reports, manage tickets | Contract; Legitimate interests
Client support and communications | Respond to enquiries, schedule calls, provide briefings | Legitimate interests
Improve and secure services | Quality assurance, de-identified samples for model evaluation, security logs and auditing | Legitimate interests; Consent where required
Marketing and events | Send updates you requested, manage registrations | Consent where required; Legitimate interests for B2B direct marketing with an opt out
Billing and compliance | Invoicing, accounting, tax records, legal claims | Legal obligation; Legitimate interests
Protect rights and prevent abuse | Detect misuse, respond to takedown requests, enforce agreements | Legitimate interests
5.3 Special category or sensitive data
Where evidence contains special category data under the GDPR, we rely on explicit consent, legal claims, or another Article 9 condition confirmed in writing. For Indian matters, we process such data only with consent or where a legitimate use under the Act applies and is documented.
5.4 Automated decision making
Our service uses automated models to generate scores. Human analysts review results and issue the final verdict. We do not make decisions with legal or similarly significant effects solely by automated means.
6. Sharing and disclosures
We share personal data only as necessary and subject to safeguards:
- Service providers and sub-processors for hosting, storage, analytics, ticketing, email, and secure transfer
- Professional advisers such as accountants, auditors, insurers, and lawyers
- Authorities where required by law or to protect rights, safety, or property
- Business transfers in connection with a merger, acquisition, or restructuring subject to confidentiality
Core providers currently include:
- Wix.com Ltd.: website hosting and related services
- Google Workspace: email and document storage
- Cloudflare, Inc.: performance and security
We will update this list as our stack evolves. Contracted clients may request notice of changes.
7. International data transfers
We store data primarily in India and the European Union. Cross-border transfers occur when we use global providers or serve clients in other regions.
- India: The DPDP Act permits transfers to any country except those the Government of India may restrict. If restrictions are notified, we will implement required conditions.
- EU GDPR and UK GDPR require appropriate safeguards for transfers from the EEA or UK to India. We typically use the European Commission Standard Contractual Clauses or the UK International Data Transfer Agreement, with supplementary measures as needed.
8. Security
We apply technical and organizational measures appropriate to the risk, including encrypted storage, strict access control, hashing of evidence files, network protections, staff confidentiality and training, vendor due diligence, and incident response procedures. No system can be perfectly secure. We will notify clients and authorities of personal data breaches when required by law.
9. Retention
We keep personal data only as long as necessary for the purposes described or as required by law. Typical periods are:
- Quick Screen reports: up to 90 days
- Forensic and Legal grade reports: up to 12 months
- Contracts, invoicing, and tax records: up to 10 years or as required by applicable law
- Marketing contacts: until you unsubscribe or we delete inactive contacts
Custom retention schedules are available under contract. When a period ends we delete or irreversibly anonymize the data.
10. Your rights
10.1 India DPDP Act rights
You have the right to request access, correction, and erasure, to nominate another person to exercise rights in case of death or incapacity, and to seek grievance redressal. You can also withdraw consent at any time. We will respond within reasonable time frames set by the Act and Rules.
10.2 EU and UK rights
Subject to conditions and exemptions, you have rights to information, access, rectification, erasure, restriction, portability, and objection to processing based on legitimate interests or direct marketing. We respond within one month and may extend by two months where requests are complex.
10.3 California and other US state rights
California residents have rights to know, delete, correct, and to opt out of the sale or sharing of personal information, and not to be discriminated against for exercising rights. Similar rights may exist under other state laws. We do not sell personal information. You may exercise rights using the contact methods below.
11. How to exercise your rights or raise a grievance
- Email: contact@certisightai.com
- Subject line: Privacy request or grievance
- Describe the request, the data or processing involved, and the jurisdiction you are in. We may need to verify your identity.
If you are not satisfied with our response and you are in India, you may escalate to the Data Protection Board of India according to the procedure prescribed by the Rules. For EU or UK matters, you may complain to your local supervisory authority. For California, you may contact the California Attorney General.
12. Cookies and similar technologies
Our website may use cookies to operate the site, remember preferences, analyze traffic, and measure performance. Where required, we will present a consent banner that lets you accept or decline non-essential cookies. You can change your preferences at any time. See our Cookie Notice for details of categories and providers.
13. Data processing agreements
For client work we offer a Data Processing Agreement that includes confidentiality, security, sub-processor controls, international transfer safeguards, and deletion on completion. Contact us if you need a signed DPA.
14. Changes to this policy
We may update this policy from time to time. We will post the new version on this page with a new effective date and, where appropriate, notify you by email or on the site. Please review this page regularly.
Contact
Questions about this policy or our data practices: contact@certisightai.com