OriginChain
privacy

Your rows stay in your region.

OriginChain is a managed database service. This page says, plainly, what the marketing site and the cloud service each collect and what they do with it.

The short version

OriginChain is a managed database product operated by Silicoyn Technologies Pvt Ltd ("we"), an Indian private limited company headquartered in Bengaluru. You sign up, we run your managed instance for you. The rows you store are yours: we do not read them, sell them, or let them leave the region you picked.

This notice is published in compliance with Section 5 of the Digital Personal Data Protection Act 2023 ("DPDP Act") and applies to all personal data we process, regardless of where you are located.

Who we are

Data Fiduciary: Silicoyn Technologies Pvt Ltd, a company incorporated under the Indian Companies Act 2013 with its registered office in Bengaluru, Karnataka, India.

Grievance Officer / Data Protection Officer: reachable at grievance@originchain.ai. Complaints are acknowledged within 24 hours and resolved within 15 days, as required by Section 7(c) of the DPDP Act and the IT Rules 2021.

What this website collects

The marketing site is a static deployment. We do not set advertising cookies, we do not run third-party trackers, and we do not fingerprint visitors.

Our content-delivery and hosting layer records standard access logs - IP address, user agent, referrer, timestamp - for abuse prevention and security monitoring. Those logs are retained for 30 days and then discarded. We do not link them to any other identifier.

Lawful purpose: Section 4(2) DPDP Act - "specified purpose" of operating and securing a public website.

OriginChain Cloud - the managed service

When you sign up we collect the email, organisation name, and billing details you give us. Account-related personal data is stored in our managed account database in the Mumbai (Asia Pacific) region. That account system never touches the rows you put into your tenant.

Your tenant lives in the region you pick. Rows, transaction logs, backups, and snapshots stay in that region. We do not replicate personal data across regions unless you explicitly request it.

We collect operational metrics from your tenant - request rates, latencies, cache hit ratios, replication lag - over a private channel, and use them to run the service and show you dashboards. We never sample the content of your rows or your queries.

Access to your tenant from our side is limited to a small on-call team, fully audit-logged, and only used to respond to a support ticket you file or to a live incident affecting your tenant.

Lawful purpose: Section 4(2)(a) DPDP Act - performance of the service contract you signed up for; Section 4(2)(b) for tax / accounting record-keeping.

Categories of personal data

Identity & contact data: name, email address, organisation name.

Billing data: tokenised card identifier (we never receive PAN/CVV - Razorpay does), billing address, GSTIN if provided, invoice history.

Authentication data: hashed bearer tokens (Argon2id), session cookies, IP address of recent sign-ins.

Service-content data: any rows you choose to store in your tenant. We treat the entire row blob as opaque - we do not classify, index for ML, or enrich it.

Operational telemetry: request timestamps, error codes, latency buckets, cache-hit rates. No row content, no query content.

Who we share data with

Sub-processors used to deliver the Service:

• Amazon Web Services, Inc. - cloud infrastructure: compute, storage, backups, DNS, object storage, our managed account database, and monitoring.

• Razorpay Software Pvt Ltd - payment processing. Card data is tokenised; we never receive PAN or CVV.

• Anthropic - natural-language compilation of /v1/ask requests when the LLM compiler runs. Prompts are submitted to the model and discarded; we do not store model output beyond the response we return.

We do not sell personal data, share it with advertisers, or use it for cross-product marketing.

We may disclose personal data when compelled by a valid Indian legal request (court order, summons under Section 91 CrPC, lawful direction of a government agency under Section 69 IT Act). We notify you of such requests where legally permitted.

Where data is processed

By default, all customer rows and tenant operational data stay in the Mumbai (Asia Pacific) region - Indian sovereign territory.

Account-level data (email, billing) is processed in the Mumbai region.

Cross-border transfer occurs only if (a) you select a non-Indian region for your tenant, or (b) you route /v1/ask traffic through a model endpoint in another region. Both are explicit choices on your part.

Where the DPDP Act restricts cross-border transfer to specific countries, we comply with the restriction and notify you if your selected configuration becomes non-compliant.

How long we keep data

Tenant rows: as long as the tenant is active. Deleted within 24 hours of subscription cancellation; backup snapshots age out after 30 days.

Account / contact data: while the account is active, plus 7 years of billing record retention as required by Section 44AA of the Income Tax Act 1961.

Authentication & security logs: 90 days.

Marketing-site access logs: 30 days.

Your rights as a Data Principal

Under Sections 11–14 of the DPDP Act, you have the right to: (a) confirm whether we process your personal data and obtain a summary; (b) seek correction or erasure of inaccurate or unlawful data; (c) nominate a person to exercise these rights on your behalf in case of incapacity; (d) grievance redress for unsatisfactory responses.

To exercise any right, email grievance@originchain.ai. We respond within 15 days. If unsatisfied, you may approach the Data Protection Board of India established under Section 18 of the DPDP Act.

If you are an EU/UK resident and EU/UK data protection law applies, GDPR-equivalent rights apply: access, rectification, erasure, restriction, portability, objection. The same email reaches us; we respond within 30 days.

How we protect data

TLS 1.2+ on every external endpoint. Argon2id for stored credentials. AES-256 encryption at rest on all volumes and object storage (provider-managed keys; customer-managed keys available on Enterprise). Principle-of-least-privilege access control with no direct SSH - operator access is brokered and fully audit-logged. Daily encrypted backup snapshots into a 30-day-retention vault. See /security for the full posture.

Personal data breach

If we become aware of a personal data breach affecting you, we will notify you and the Data Protection Board of India in accordance with Section 8(6) of the DPDP Act and the breach-notification rules thereunder. The notification will describe the nature of the breach, categories and approximate number of affected records, likely consequences, and steps taken to mitigate it.

Data Processing Addendum

If you are processing personal data of others on the Service, you are the Data Fiduciary and Silicoyn Technologies Pvt Ltd is your Data Processor. The full DPA is at originchain.ai/dpa; email legal@originchain.ai for a counter-signed copy.

Children's data

OriginChain is not directed at children under 18 and we do not knowingly collect personal data of children. If you believe a child has provided us with personal data, email grievance@originchain.ai and we will delete it.

Changes to this notice

If this notice materially changes, we will update the date at the top of the page, note the change in our changelog, and email everyone on the managed service. We will not quietly start collecting anything new.

Questions about any of this?

Email us directly. We reply within a day.

support@originchain.ai