HeiBuddyLoading...
HeiBuddyData Fiduciary / Data Controller: Yugasys Software Private Limited (“Yugasys”, “Company”, “we”, “our”, “us”)
Platform: HeiBuddy / HeiBuddyAI (the “Platform”) — mobile applications, websites, APIs, voice interfaces, partner dashboards, and associated services
Document Version: 2.0
Effective Date: 20 April 2026
Last Updated: 20 April 2026
Document Classification: Public — Legal Notice
Primary Governing Law: India, with jurisdiction-specific Schedules for the EEA, UK, US, and other regions
This Privacy Policy (the “Policy”) explains how we collect, use, share, retain, and protect Personal Data when you use the Platform or otherwise interact with Yugasys. It forms part of our Terms and Conditions.
By accessing or using the Platform, you confirm that you have read this Policy and understand how your Personal Data will be processed. Where consent is required under applicable law, we will ask for it separately and in a clear, granular, withdrawable manner — not through continued use alone.
Special notices:
Yugasys Software Private Limited is a company incorporated in India (CIN: U72900KA2019PTC125835), with its registered office at NO. 558, 9TH CROSS, J P NAGAR 3RD PHASE, BENGALURU, Karnataka, India - 560078, Bengaluru, Karnataka, India. For the purposes of the Digital Personal Data Protection Act, 2023 (India), we act as a Data Fiduciary. For the purposes of the EU/UK GDPR, we act as a Data Controller for most processing described in this Policy, and as a Processor for certain Partner-facing services (addressed in a separate Data Processing Agreement).
This Policy applies to:
This Policy does not cover the independent processing of your Personal Data by third-party Merchants, Delivery Partners, payment aggregators, or medical professionals. Their processing is governed by their own privacy notices.
This Policy is read alongside the Terms and Conditions, the AI & Voice Biometrics Notice, the Cookies & SDK Notice, the Sub-Processor Register, and service-specific notices. In the event of conflict, a specific notice prevails over the general Policy for the subject matter it covers.
2.1 “Personal Data” — any data relating to an identified or identifiable natural person (“Data Principal” under the DPDP Act; “Data Subject” under GDPR/UK GDPR; “Consumer” under CCPA/CPRA).
2.2 “Sensitive Personal Data” — Personal Data requiring heightened protection, including: financial information, health information, biometric data (including voiceprints), genetic data, children’s data, religious/caste/tribe/political beliefs, sexual orientation, and other categories treated as “sensitive personal data or information” (SPDI) under the SPDI Rules 2011, “special category data” under GDPR/UK GDPR, “sensitive personal information” under CPRA, or equivalent under other Applicable Law.
2.3 “Processing” — any operation performed on Personal Data, including collection, recording, structuring, storage, retrieval, use, disclosure, combination, erasure, and destruction.
2.4 “Processor” / “Data Processor” — a service provider that processes Personal Data on our behalf under contract.
2.5 “Sub-processor” — a third party engaged by us or by a Processor to perform specific processing on our behalf (e.g., AI providers, cloud hosts, analytics providers).
2.6 “Applicable Law” — all data-protection, privacy, cybersecurity, financial, healthcare, and consumer-protection laws in force from time to time, including those listed in Section 25.
Other capitalised terms carry the meanings assigned in the Terms and Conditions.
| Category | Examples |
|---|---|
| Identity & contact | Name, mobile number, email, profile photo, date of birth (optional), gender (optional) |
| Authentication | OTP verification logs, password hash (if password-based), MFA factors, device-binding tokens |
| Address | Saved delivery and pickup addresses, home/work labels, geocoded coordinates |
| Financial (limited) | Payment-instrument last-4 digits, tokenised card reference, UPI handle, transaction identifiers. We do not store full PAN, CVV, or expiry. |
| Health (Doctor/Pharmacy) | Symptoms described, medical history you upload, prescriptions, teleconsultation notes, pharmacy orders |
| Customer-support content | Chat messages, call recordings (where notice is given and law permits), support tickets, attachments |
| KYC (where required) | Government-issued ID number and image, PAN, Aadhaar virtual ID (masked), address proof, liveness selfie, beneficial-ownership details |
| Partner/Delivery onboarding | Bank details (IBAN/IFSC+account), tax identifiers, vehicle registration, driving licence, professional licences (for RMPs) |
| Category | Examples |
|---|---|
| Device & technical | Device model, OS version, app version, unique device identifiers (IDFV/Android Advertising ID, Widevine ID), language, timezone, carrier |
| Network & session | IP address (and derived coarse location), session identifiers, connection type, cipher suite, user-agent |
| Usage | Features used, screens viewed, clickstream, search queries, order history, cart abandonment, referral attribution |
| Location | Precise GPS coordinates (only when you grant location permission and only while relevant features are active), approximate network-based location |
| Diagnostics | Crash logs, latency metrics, error stack traces, performance telemetry (with PII redacted) |
| Voice & audio | Wake-word audio (buffered locally on device), streamed voice commands (only when you invoke the assistant and consent to AI processing — see Section 10) |
| Cookies, SDKs & similar | See the Cookies & SDK Notice |
We collect Personal Data:
(a) Directly from you when you register, use features, place orders, upload content, or contact support;
(b) Automatically through your device, app, and interactions as described in Section 3.2;
(c) From Partners and Service Providers (e.g., Merchants confirming order fulfilment, Delivery Partners confirming drop-off, RMPs uploading prescriptions);
(d) From third-party sub-processors (e.g., payment aggregator, KYC vendor, fraud-detection);
(e) From public or governmental sources where needed for verification, regulatory compliance, or sanctions screening.
Under GDPR/UK GDPR, DPDP, LGPD, and similar laws, we process Personal Data only where a lawful basis applies. The primary basis per activity is mapped below (multiple bases may apply):
| Processing activity | Primary lawful basis |
|---|---|
| Account registration, authentication | Contractual necessity; legal obligation (KYC/AML) |
| Order processing, payments, delivery | Contractual necessity |
| KYC, AML, sanctions screening | Legal obligation (PMLA, RBI Master Directions, FATF) |
| Fraud prevention, security, abuse mitigation | Legitimate interests; legal obligation (CERT-In, IT Rules) |
| Voice assistant, AI chat, Smart Meal | Consent (explicit) |
| Voice biometric authentication or personalisation | Consent (explicit, for Sensitive Personal Data) |
| Health data (Doctor/Pharmacy) | Consent (explicit); necessity for healthcare (GDPR Art. 9(2)(h) where applicable) |
| Marketing communications | Consent; legitimate interests (for non-intrusive soft opt-in where lawful) |
| Analytics and product improvement | Legitimate interests; consent (for non-essential cookies/SDKs where required) |
| Tax, accounting, statutory record-keeping | Legal obligation |
| Complaints, disputes, litigation | Legal obligation; legitimate interests (establishing, exercising, defending claims) |
Where we rely on legitimate interests, we conduct a documented Legitimate Interests Assessment (LIA) and balance our interests against your rights and freedoms. You have the right to object (see Section 19).
We use Personal Data to:
(a) operate and secure the Platform, including account creation, authentication, and device binding;
(b) deliver the services you request — orders, bookings, consultations, payments, notifications, support;
(c) operate AI Features (voice assistant, Smart Meal, AI chat) where you have consented;
(d) personalise recommendations, routine orders, and location-based suggestions;
(e) facilitate communication between you and Partners/Delivery Partners/RMPs;
(f) detect, prevent, and investigate fraud, abuse, money-laundering, sanctions violations, and security incidents;
(g) monitor system health, diagnose faults, and improve reliability and performance;
(h) comply with legal, regulatory, tax, and audit obligations;
(i) conduct internal research, product development, and analytics (using aggregated, anonymised, or pseudonymised data wherever feasible);
(j) send transactional, service, and — where you have opted in — marketing messages;
(k) establish, exercise, or defend legal claims.
We do not use Personal Data for purposes incompatible with those set out here without obtaining fresh consent or confirming another lawful basis.
Where we process Sensitive Personal Data (health, financial, biometric, children’s, etc.), we apply additional safeguards:
8.1 Status. Health data — including symptoms, medical history, prescriptions, diagnostic reports, and teleconsultation notes — is treated as Sensitive Personal Data.
8.2 Framework. We process health data in line with:
8.3 Use limitations. Health data is used only to facilitate your consultation, prescription, or pharmacy order; to maintain the medical record as required by law; and to comply with regulatory obligations. It is not used for advertising or non-essential analytics.
8.4 Sharing. Health data is shared only with: (a) the RMP or pharmacy you have chosen; (b) the dispensing pharmacist and delivery agent (minimum necessary — typically a prescription reference and delivery address, not full history); (c) regulators or courts where legally required; (d) sub-processors bound by contractual confidentiality and security commitments.
9.1 Definition. Biometric Data includes voiceprints and voice-audio signatures derived from your interactions with the voice assistant where used for identification, authentication, or personalisation.
9.2 Explicit consent. Biometric Data is processed only on the basis of your separate, written, informed, explicit consent, consistent with:
9.3 Retention and destruction. Biometric Data is retained only for so long as the purpose requires and, in any event, destroyed no later than the earliest of: (a) the period specified in the published Biometric Data Retention and Destruction Schedule; (b) three (3) years after your last interaction; or (c) prompt destruction upon withdrawal of consent or account deletion, subject only to any residual legal-hold.
9.4 No sale, no profit. We do not sell, lease, trade, or otherwise profit from Biometric Data, and we do not disclose Biometric Data to third parties except: (a) to sub-processors acting on our instructions under binding confidentiality and security commitments; (b) where required by law or valid legal process.
9.5 Security. Biometric templates are stored in an isolated biometric vault, encrypted with dedicated keys, and are never transmitted or stored as raw audio files for biometric purposes once the template has been generated.
The Platform uses AI to power the voice assistant (“Hei Buddy”), Smart Meal recommendations, and natural-language chat. AI Features operate through a combination of in-house models and licensed third-party providers.
| Sub-processor | Purpose | Data shared | Regions |
|---|---|---|---|
| Google Cloud — Speech-to-Text (Google LLC / Alphabet Inc.) | Convert your voice command to text | Only the discrete audio clip of your command, plus language metadata | As configured (see Section 14) |
| OpenAI, L.L.C. | Natural-language understanding, intent extraction, and response generation | Only the text transcript / text prompt you submit, plus system prompts necessary for the feature | Per OpenAI enterprise residency options |
We will update this Policy and the Sub-Processor Register (available at https://www.heibuddy.ai/subprocessors) when we add, change, or remove AI sub-processors. Material changes trigger the notification mechanism in Section 22.
Your account details, authentication credentials, payment information, KYC documents, health records, location history, device identifiers, contact list, and persistent identifiers are not shared with Google Cloud Speech-to-Text or OpenAI. Only the minimum data needed for the specific AI task is shared.
Our enterprise contracts with Google Cloud and OpenAI contractually restrict the use of Platform-submitted data for training the providers’ foundation models. This is the current contractual position at the Last Updated date; we monitor provider terms and will update this Policy if the position changes. You may withdraw consent at any time (Section 11).
No legally or similarly significant decision about you (e.g., financial approvals, significant refunds, account restrictions, healthcare decisions) is taken solely by automated means without meaningful human review. You have the right, where provided under Applicable Law, to obtain human intervention, contest the decision, and express your point of view. See Schedules A–C for jurisdiction-specific automated-decision rights.
Where required by the EU AI Act (Regulation (EU) 2024/1689, Article 50) or equivalent frameworks, AI-generated responses are labelled to indicate their machine origin.
11.1 Granting consent. Before we first transmit your voice audio to a speech-to-text provider, your text prompt to an LLM provider, or generate a voice biometric template, the App shows a clear, standalone consent screen naming each sub-processor, the data involved, and the purpose. You must tap “Allow” — silent or bundled consent is not sufficient for these features.
11.2 Granular controls. In Settings → Privacy, you can independently control:
11.3 Withdrawal of consent. You may withdraw consent at any time. Withdrawal: (a) disables the dependent feature prospectively; (b) triggers deletion of voice biometric templates and transient AI working data within 30 days, subject only to lawful retention obligations; (c) does not affect the lawfulness of processing performed before withdrawal.
11.4 Consent ledger. We maintain an auditable, timestamped consent ledger to satisfy DPDP, GDPR, and sector-specific accountability requirements.
We honour:
We share Personal Data only as described below. We do not sell Personal Data for monetary consideration, and we do not engage in “sharing” for cross-context behavioural advertising, as those terms are defined under the CPRA.
| Recipient | Purpose | Legal basis |
|---|---|---|
| Merchants, Delivery Partners, RMPs, pharmacies | To fulfil the specific order, booking, or consultation you requested | Contractual necessity |
| Payment aggregator (e.g., Cashfree Payments India Pvt. Ltd.) | To process payments, refunds, chargebacks | Contractual necessity; legal obligation (PCI-DSS, RBI rules) |
| Identity, fraud-prevention, KYC vendors | To verify identity and detect fraud | Legal obligation; legitimate interests |
| Cloud infrastructure providers (e.g., AWS) | Hosting, storage, compute, key management | Contractual necessity |
| Analytics, crash-reporting, product-telemetry tools | To monitor stability and improve the Platform | Legitimate interests; consent (where required) |
| AI sub-processors (see Section 10.2) | AI Features | Explicit consent |
| Communications providers (SMS, push, email, voice) | To deliver transactional and (opted-in) marketing messages | Contractual necessity; consent |
| Professional advisors (lawyers, auditors, insurers) | To obtain advice, audit, or insurance | Legitimate interests; legal obligation |
| Regulators, courts, law-enforcement | To respond to valid legal process, CERT-In directions, FIU-IND reports, tax authority requests | Legal obligation |
| Acquirers / successors | In a merger, acquisition, or asset transfer, subject to equivalent privacy protections | Legitimate interests; contract |
A current list of our material sub-processors, including the processing location and transfer mechanism, is published at https://www.heibuddy.ai/subprocessors and updated when changes occur.
We may use, disclose, and retain aggregated or de-identified data that cannot reasonably be used to identify you, for research, benchmarking, and product development, consistent with the CPRA de-identification standard and applicable guidance.
14.1 Parts of the Platform and certain sub-processors are located outside India. When Personal Data is transferred across borders, we rely on one or more of the following mechanisms:
14.2 Data localisation — payments. Pursuant to RBI’s Storage of Payment System Data Directive, payment-system data relating to Indian customers is stored within India. Copies may be transmitted abroad solely for transaction processing and recalled to India within the prescribed timelines.
14.3 Configurable residency. Partners and enterprise tenants may configure preferred data-residency options via the Partner Dashboard.
We operate an information-security programme aligned with (and, where certified, compliant with) the following standards — currently at [state certification status: Certified / In audit / Targeted]:
Certification details, where held, are published at https://www.heibuddy.ai/trust.
No system is impenetrable. You must safeguard your credentials, device, SIM, and authentication factors. Report suspected compromise to security@heibuddy.ai.
16.1 Internal response. We operate a 24×7 incident-response capability. Incidents are triaged, contained, eradicated, and reviewed under a documented playbook.
16.2 Regulatory notifications. Where a Personal Data breach occurs, we will notify:
16.3 Your notification. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, using clear language and describing the nature of the breach, likely consequences, and steps you can take.
We retain Personal Data only for as long as needed for the purposes described, the duration of any lawful hold, and applicable statutory retention. The table below is indicative — specific retention is driven by purpose, jurisdiction, and law.
| Data category | Indicative retention | Driver |
|---|---|---|
| Account and profile data | Duration of account + 90 days (grace) after deletion request | Contractual necessity; dispute windows |
| Transaction and financial records | 8 years from the end of the relevant financial year | Income-tax Act (India); GST; equivalent tax laws |
| KYC records | 5 years after cessation of business relationship | PMLA; RBI Master Direction |
| Suspicious Transaction Reports (STRs) | 5 years post-reporting | PMLA; FATF Recommendation 11 |
| Payment data | As per RBI rules; tokenised card references retained until revoked | RBI CoF / PA-PG rules |
| Health consultation records | 3 years from last interaction (longer where clinical or legal hold requires) | Telemedicine Practice Guidelines 2020; medical-record norms |
| Prescriptions | 2 years | Drugs & Cosmetics Rules |
| Voice biometric templates | Earlier of 3 years after last use or withdrawal of consent | Section 9; BIPA; GDPR Art. 9 |
| Transient voice audio sent to STT provider | Not stored beyond real-time processing; debug logs (where enabled) retained no more than 30 days | Data minimisation |
| AI prompts / responses (LLM) | No more than 30 days for safety-review and debugging; otherwise not persisted | Data minimisation |
| Security logs, authentication logs | 180 days (minimum, per CERT-In Directions); longer where investigation requires | CERT-In Directions 2022 |
| Cookies / SDK identifiers | Per the Cookies & SDK Notice (session to max 13 months) | ePrivacy; ICO guidance; CPRA |
| Marketing preferences | Until withdrawn + audit window | Consent records |
| Customer support records | 3 years from case closure | Complaint-handling audit trail |
| Backups | Rolled per the DR policy (typically 30–90 days), after which recoverable data is overwritten | Operational continuity |
When a retention period ends, data is deleted or irreversibly anonymised. Anonymisation uses techniques aligned with ISO/IEC 20889 and relevant DPA guidance.
Subject to verification and applicable law, you have the following rights. The jurisdiction-specific Schedules (Section 24) describe local variations, exemptions, and timelines.
(a) Right of access — to know what Personal Data we hold about you and how we process it.
(b) Right to correction / rectification — to correct inaccurate or incomplete data.
(c) Right to erasure / deletion — to request deletion, subject to legal-retention exceptions.
(d) Right to data portability — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller where technically feasible.
(e) Right to restrict processing (GDPR/UK GDPR).
(f) Right to object (GDPR/UK GDPR), including to direct marketing and legitimate-interests processing.
(g) Right to withdraw consent at any time, without affecting prior lawful processing.
(h) Right to opt out of sale, sharing, or targeted advertising (CPRA and similar US-state laws).
(i) Right to limit use of sensitive personal information (CPRA).
(j) Right to nominate another person to exercise rights in the event of your death or incapacity (DPDP Section 14).
(k) Right to grievance redressal (DPDP Section 13 and IT Rules; see Section 23).
(l) Right to lodge a complaint with your national Data Protection Authority / supervisory authority (see Schedules).
(m) Right not to be subject to a solely automated decision with legal or similarly significant effects (GDPR Art. 22; equivalent local laws).
(n) Right against retaliation / non-discrimination for exercising your rights.
We verify requests using information reasonably available to us (e.g., mobile OTP, account credentials, or additional proof for sensitive requests). Indicative response timelines:
| Jurisdiction | Acknowledgement | Substantive response |
|---|---|---|
| India (DPDP) | Without undue delay | As prescribed (rules forthcoming); we target 30 days |
| EU/EEA (GDPR) | Without undue delay | 1 month (extendable by 2 months for complex requests) |
| UK (UK GDPR) | Without undue delay | 1 month (extendable as above) |
| California (CPRA) | 10 business days | 45 days (extendable by 45 days) |
| Other US states | Per local law (typically 45 days) | Per local law |
| LGPD (Brazil) | 15 days | 15 days |
Requests are generally free. We may charge a reasonable fee or refuse manifestly unfounded, excessive, or repetitive requests, to the extent permitted by law, with written reasons.
19.1 Age gates. The Platform is not directed to children under 18 in India (DPDP Act Section 9), or under 13 in the United States (COPPA), or under the applicable digital-consent age in the EEA/EU Member States (between 13 and 16 under GDPR Article 8).
19.2 Verifiable parental consent. Where a child uses the Platform, we require verifiable parental consent through mechanisms compliant with COPPA, DPDP Section 9, GDPR Article 8, and the UK Age-Appropriate Design Code.
19.3 No tracking / no targeted ads. We do not track, behaviourally profile, or serve targeted advertising to children. DPDP Section 9(3) prohibitions apply by design.
19.4 California AADC and UK AADC. For California and UK users, we apply the relevant Age-Appropriate Design Code defaults (high-privacy defaults, minimal data collection, geolocation off by default, etc.) where a user is identified or reasonably likely to be a child.
19.5 Deletion. If we learn that a child has provided Personal Data without the required consent, we will delete it promptly and take steps to prevent recurrence.
Our detailed Cookies & SDK Notice is available at https://www.heibuddy.ai/cookies and within Settings. In summary:
A cookie banner (web) and consent panel (app) provide granular controls.
The Platform may link to or integrate with third-party services (maps, payment gateways, AI providers, government portals, airlines, insurers). Their processing of your Personal Data is governed by their own privacy policies, not this Policy. We encourage you to review them.
We may update this Policy. Material changes will be communicated via:
(a) an in-App notification;
(b) email to your registered address (where applicable);
(c) an updated “Last Updated” date and a summary of material changes published at the top of this Policy;
at least fifteen (15) days before the effective date, except where a shorter period is required by law, security, or regulatory order.
Non-material changes (clarifications, formatting, sub-processor substitutions at equivalent protection) take effect on posting.
Email: dpo@heibuddy.ai
Postal: Data Protection Officer, Yugasys Software Private Limited, [registered address], Bengaluru, Karnataka, India.
Name: Mr. Chetan S M (appointed; current details published in-App and on our website)
Designation: Grievance Officer
Email: grievance@heibuddy.ai
Acknowledgement: within 24 hours of receipt. Resolution: within 15 days, or such other period as Applicable Law may prescribe.
Where required, our EU and UK Representative details are published in Schedule A and on our website.
security@heibuddy.ai; 24×7 in-App and web reporting channels.
You may lodge a complaint with the applicable supervisory authority:
A.1 Controller: Yugasys Software Private Limited.
A.2 EU Representative (Art. 27): [●] (published on our website when appointed).
A.3 Legal bases: as set out in Section 5.
A.4 Rights: access, rectification, erasure, restriction, objection, portability, withdraw consent, lodge complaint with the DPA of your Member State.
A.5 Automated decision-making (Art. 22): see Section 10.5.
A.6 Transfers: SCCs (Modules 1 and 2 as applicable); TIAs.
A.7 Retention: as per Section 17, read subject to Member State–specific rules.
A.8 EU AI Act disclosures: see Section 10.6.
B.1 UK Representative (Art. 27 UK GDPR): [●].
B.2 Transfers: UK IDTA or UK Addendum to the EU SCCs.
B.3 Complaints: Information Commissioner’s Office (ICO), https://ico.org.uk.
C.1 California (CCPA/CPRA).
C.2 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other state laws: equivalent rights honoured per each statute; universal opt-out signals (GPC) recognised where required.
C.3 Nevada (SB 220): you may direct us not to sell covered information — although we do not sell, we honour the opt-out request.
C.4 Illinois (BIPA), Texas (CUBI), Washington: Biometric Data handled per Section 9.
C.5 COPPA: see Section 19.
C.6 HIPAA: where applicable, covered PHI is handled under a Business Associate Agreement; this Policy does not override the BAA.
C.7 TCPA / CAN-SPAM: opt-out mechanisms provided; transactional messages remain enabled.
D.1 Verifiable parental consent per COPPA, DPDP §9, GDPR Art. 8, UK and California AADCs.
D.2 No behavioural advertising, profiling, or location tracking for known children.
D.3 High-privacy defaults.
This Policy is designed in alignment with, among others: DPDP Act 2023 (India); IT Act 2000 and IT Rules 2021 (India); CERT-In Directions 2022; Telemedicine Practice Guidelines 2020; RBI Master Directions on PA/PG, PPI, KYC, Digital Lending, Outsourcing, and Storage of Payment System Data; PMLA 2002; GDPR; UK GDPR; EU AI Act; ePrivacy Directive; DSA/DMA; PSD2/PSD3; HIPAA; GLBA; COPPA; CCPA/CPRA; VCDPA/CPA/CTDPA/UCPA; BIPA/CUBI; TCPA/CAN-SPAM; FTC Act §5; PCI-DSS v4.0; ISO/IEC 27001:2022, 27701, 27017, 27018, 42001; SOC 2; NIST CSF 2.0; CIS Controls v8; OWASP ASVS/MASVS; LGPD; APPI; PIPA; PDPA (SG/TH/MY/PH); PDP Law (Indonesia); PDPD (Vietnam); UAE PDPL; Saudi PDPL; POPIA; NDPR; Australian Privacy Act.
This Policy is governed by and construed in accordance with the laws of India, without regard to conflict-of-laws principles, subject to mandatory data-protection and consumer-protection laws of your place of habitual residence where those laws cannot be contractually displaced. Disputes are resolved per the Terms and Conditions (Section 21 of those Terms).
Yugasys Software Private Limited
Registered Office: NO. 558, 9TH CROSS, J P NAGAR 3RD PHASE, BENGALURU, Karnataka, India - 560078, Bengaluru, Karnataka, India
CIN: U72900KA2019PTC125835
Acknowledgement. By continuing to use the Platform after the Effective Date, you confirm your agreement to these privacy policies referenced herein.
Document control: Privacy Policy v2.0 | Owner: HeiBuddy Legal, DPO, Security | Reviewers: CISO, Product, Engineering | Next review: 3 months from Effective Date or upon material regulatory change, whichever is earlier.