Privacy Policy
How Onivo collects, uses, stores, and protects personal data under Indian law when you visit our website or engage our services.
1. Introduction
Onivo ('Onivo', 'we', 'us', or 'our') respects your privacy and is committed to handling personal data responsibly. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data when you visit https://onivo.design, contact us, book meetings, subscribe to communications, or engage us for web design and development, brand design, search engine optimization (SEO), answer engine optimization (AEO), AI workflow automations, CRM integrations, and related digital services.
This Policy is governed by the laws of India and is designed to comply with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as applicable.
We are based in India and serve clients in the United States, Poland, the Netherlands, and other countries worldwide. If you hire us to process personal data on your behalf (for example, customer data in a CRM automation), you are typically the data fiduciary or controller and we act as your Data Processor under the DPDPA, subject to any project-specific data processing terms.
2. Data Fiduciary & Contact
For personal data collected through the Website and our direct business communications, Onivo acts as the Data Fiduciary under the DPDPA, unless we expressly agree in writing that we process data solely on your instructions as your Data Processor.
Contact / Grievance contact: maddy@onivo.design
Operating region: India
If you have questions, complaints, or wish to exercise your rights under the DPDPA, contact us at the email above with 'Privacy Request' or 'Grievance' in the subject line.
3. Personal Data We Collect
Under the DPDPA, 'personal data' means any data about an individual who is identifiable by or in relation to such data. We may collect the following categories:
3.1 Data You Provide
- Name, email address, phone number, company name, and job title
- Messages, briefs, project requirements, and files you send us
- Billing and payment-related information processed by our payment providers
- Scheduling information submitted through our booking tools
- Marketing preferences and communication history
3.2 Data Collected Automatically
- IP address, browser type, device identifiers, operating system, and language settings
- Pages viewed, referral URLs, session duration, and interaction events
- Cookie and similar technology data as described in Section 10
- Approximate location derived from IP address
3.3 Client Project Data
When you hire us, you may provide customer lists, CRM records, call transcripts, form submissions, analytics data, credentials, and other business data. We process that data only to deliver the Services and as instructed by you, not for our own unrelated marketing purposes.
4. Purposes of Processing
We use personal data for the following purposes:
- Responding to inquiries and providing proposals, support, and Services
- Scheduling and conducting discovery calls and project meetings
- Performing contracts, delivering projects, and administering billing
- Operating, securing, maintaining, and improving the Website
- Sending service-related notices and, where permitted, marketing communications
- Complying with legal obligations under Indian law and enforcing our Terms of Service
- Establishing, exercising, or defending legal claims
5. Lawful Basis Under the DPDPA
We process personal data on one or more of the following bases under the DPDPA:
- Consent: where you have given free, specific, informed, unconditional, and unambiguous consent
- Contract: where processing is necessary to perform a contract or take steps at your request before entering a contract
- Legal obligation: where processing is necessary to comply with applicable law
- Legitimate uses: as permitted under the DPDPA, including certain voluntary disclosures and employment-related processing where applicable
5.1 Withdrawal of Consent
Where processing is based on consent, you may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal, and we may continue processing where another lawful basis applies.
7. Cross-Border Data Transfers
We are based in India. Personal data may be processed in India and transferred to other countries where our service providers operate, including the United States, Poland, the Netherlands, and other jurisdictions.
Under Section 16 of the DPDPA, cross-border transfers of personal data are generally permitted to countries or territories outside India unless the Central Government of India has notified a restricted destination. As of the date of this Policy, we transfer data subject to contractual safeguards and reasonable security practices.
Where you are a client located outside India, you remain responsible for ensuring that any transfer of your end users' personal data to us, and our onward processing, complies with laws applicable to your business in your country. We will cooperate with reasonable written instructions consistent with Indian law.
8. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, including:
- Active business relationships and a reasonable period afterward for support, disputes, and legal compliance
- Marketing records until you withdraw consent or we no longer have a lawful basis to contact you
- Financial and tax records for the period required under Indian law
- Website logs and security data for a limited period appropriate to security monitoring
8.1 Client Project Data
Upon project completion or termination, we delete or return client project data within a reasonable period unless retention is required by law, needed to enforce our agreements, or you request earlier deletion subject to technical and legal constraints.
9. Security Safeguards
We implement reasonable security safeguards as required under the DPDPA and applicable Indian rules to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
In the event of a personal data breach, we will take steps required under applicable Indian law, which may include notifying the Data Protection Board of India and affected Data Principals where required.
You are responsible for safeguarding credentials you receive from us and for configuring access controls within systems we build or integrate for you.
11. AI & Automated Processing
Some Services may involve automated processing, including AI-assisted content generation, lead routing, classification, or workflow actions.
We do not use your confidential project data to train public general-purpose AI models unless you expressly authorize that in writing.
Where automated processing affects individuals on your behalf, you are responsible for providing required notices and lawful bases to those individuals under laws applicable to your business. We will cooperate with reasonable instructions consistent with our Terms and any applicable data processing agreement.
12. Rights of Data Principals (DPDPA)
Subject to applicable Indian law, Data Principals may have the following rights:
- Right to access information about personal data we process and the processing activities undertaken
- Right to correction, completion, updating, and erasure of personal data
- Right to grievance redressal through our contact channel
- Right to nominate another individual to exercise rights in the event of death or incapacity
- Right to withdraw consent where processing is based on consent
12.1 How to Exercise Your Rights
Submit requests to maddy@onivo.design with sufficient detail for us to verify your identity and locate relevant data. We will respond within timelines prescribed under applicable Indian law.
12.2 International Visitors & Client End Users
If you are located in the United States, Poland, the Netherlands, or another country, laws in your jurisdiction may grant additional rights to you or to your customers. As an Indian Data Fiduciary, our primary obligations are under Indian law. Clients who collect personal data from their own users remain responsible for compliance with laws applicable in the markets where they operate.
13. Children
Our Website and Services are not directed to children, and we do not knowingly collect personal data from individuals below the age at which valid consent may be given under applicable Indian law. If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.
14. Third-Party Links
The Website may link to third-party websites, platforms, or embedded tools. Their privacy practices are governed by their own policies, not this Policy.
15. Governing Law
This Privacy Policy is governed by the laws of India. Any disputes relating to this Policy are subject to the dispute resolution provisions in our Terms of Service at /terms.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date and, where appropriate, providing additional notice on the Website or by email.
17. Contact Us
To exercise your rights, raise a grievance, or ask questions about this Privacy Policy, contact us at maddy@onivo.design.
Please include 'Privacy Request' or 'Grievance' in the subject line and describe your request with enough detail for us to verify your identity and respond.
This document is provided for general information and does not constitute legal advice. For advice tailored to your jurisdiction and business, consult qualified legal counsel.