Your rows stay in your region.
OriginChain is a managed database service. This page says, plainly, what the marketing site and the cloud service each collect and what they do with it.
The short version
OriginChain is a managed database product operated by Silicoyn Technologies Pvt Ltd ("we"), an Indian private limited company headquartered in Bengaluru. You sign up, we run your managed instance for you. The rows you store are yours: we do not read them, sell them, or let them leave the region you picked.
This notice is published in compliance with Section 5 of the Digital Personal Data Protection Act 2023 ("DPDP Act") and applies to all personal data we process, regardless of where you are located.
Who we are
Data Fiduciary: Silicoyn Technologies Pvt Ltd, a company incorporated under the Indian Companies Act 2013 with its registered office in Bengaluru, Karnataka, India.
Grievance Officer / Data Protection Officer: reachable at grievance@originchain.ai. Complaints are acknowledged within 24 hours and resolved within 15 days, as required by Section 7(c) of the DPDP Act and the IT Rules 2021.
What this website collects
The marketing site is a static deployment. We do not set advertising cookies, we do not run third-party trackers, and we do not fingerprint visitors.
Our content-delivery and hosting layer records standard access logs - IP address, user agent, referrer, timestamp - for abuse prevention and security monitoring. Those logs are retained for 30 days and then discarded. We do not link them to any other identifier.
Lawful purpose: Section 4(2) DPDP Act - "specified purpose" of operating and securing a public website.
OriginChain Cloud - the managed service
When you sign up we collect the email, organisation name, and billing details you give us. Account-related personal data is stored in our managed account database in the Mumbai (Asia Pacific) region. That account system never touches the rows you put into your tenant.
Your tenant lives in the region you pick. Rows, transaction logs, backups, and snapshots stay in that region. We do not replicate personal data across regions unless you explicitly request it.
We collect operational metrics from your tenant - request rates, latencies, cache hit ratios, replication lag - over a private channel, and use them to run the service and show you dashboards. We never sample the content of your rows or your queries.
Access to your tenant from our side is limited to a small on-call team, fully audit-logged, and only used to respond to a support ticket you file or to a live incident affecting your tenant.
Lawful purpose: Section 4(2)(a) DPDP Act - performance of the service contract you signed up for; Section 4(2)(b) for tax / accounting record-keeping.
Categories of personal data
Identity & contact data: name, email address, organisation name.
Billing data: tokenised card identifier (we never receive PAN/CVV - Razorpay does), billing address, GSTIN if provided, invoice history.
Authentication data: hashed bearer tokens (Argon2id), session cookies, IP address of recent sign-ins.
Service-content data: any rows you choose to store in your tenant. We treat the entire row blob as opaque - we do not classify, index for ML, or enrich it.
Operational telemetry: request timestamps, error codes, latency buckets, cache-hit rates. No row content, no query content.
Where data is processed
By default, all customer rows and tenant operational data stay in the Mumbai (Asia Pacific) region - Indian sovereign territory.
Account-level data (email, billing) is processed in the Mumbai region.
Cross-border transfer occurs only if (a) you select a non-Indian region for your tenant, or (b) you route /v1/ask traffic through a model endpoint in another region. Both are explicit choices on your part.
Where the DPDP Act restricts cross-border transfer to specific countries, we comply with the restriction and notify you if your selected configuration becomes non-compliant.
How long we keep data
Tenant rows: as long as the tenant is active. Deleted within 24 hours of subscription cancellation; backup snapshots age out after 30 days.
Account / contact data: while the account is active, plus 7 years of billing record retention as required by Section 44AA of the Income Tax Act 1961.
Authentication & security logs: 90 days.
Marketing-site access logs: 30 days.
Your rights as a Data Principal
Under Sections 11–14 of the DPDP Act, you have the right to: (a) confirm whether we process your personal data and obtain a summary; (b) seek correction or erasure of inaccurate or unlawful data; (c) nominate a person to exercise these rights on your behalf in case of incapacity; (d) grievance redress for unsatisfactory responses.
To exercise any right, email grievance@originchain.ai. We respond within 15 days. If unsatisfied, you may approach the Data Protection Board of India established under Section 18 of the DPDP Act.
If you are an EU/UK resident and EU/UK data protection law applies, GDPR-equivalent rights apply: access, rectification, erasure, restriction, portability, objection. The same email reaches us; we respond within 30 days.
Consent and withdrawal
We rely primarily on contractual necessity (Section 4(2)(a) DPDP Act) - you signed up to use a service, we process the personal data needed to deliver it. For anything outside the strict service-delivery scope (e.g. opt-in marketing emails), we ask explicit consent and you can withdraw it at any time from /app/settings.
How we protect data
TLS 1.2+ on every external endpoint. Argon2id for stored credentials. AES-256 encryption at rest on all volumes and object storage (provider-managed keys; customer-managed keys available on Enterprise). Principle-of-least-privilege access control with no direct SSH - operator access is brokered and fully audit-logged. Daily encrypted backup snapshots into a 30-day-retention vault. See /security for the full posture.
Personal data breach
If we become aware of a personal data breach affecting you, we will notify you and the Data Protection Board of India in accordance with Section 8(6) of the DPDP Act and the breach-notification rules thereunder. The notification will describe the nature of the breach, categories and approximate number of affected records, likely consequences, and steps taken to mitigate it.
Data Processing Addendum
If you are processing personal data of others on the Service, you are the Data Fiduciary and Silicoyn Technologies Pvt Ltd is your Data Processor. The full DPA is at originchain.ai/dpa; email legal@originchain.ai for a counter-signed copy.
Children's data
OriginChain is not directed at children under 18 and we do not knowingly collect personal data of children. If you believe a child has provided us with personal data, email grievance@originchain.ai and we will delete it.
Changes to this notice
If this notice materially changes, we will update the date at the top of the page, note the change in our changelog, and email everyone on the managed service. We will not quietly start collecting anything new.