Privacy Policy

To provide, operate, secure, and improve the Platform and/or Services, Pavo AI may collect the following categories of data:

• Name, business email address, contact information, job title, company name;
• Account registration and account management details;
• Authentication credentials (stored in hashed or encrypted form, where applicable);
• Communication with us, including correspondence via email, support channels, or social media pages, and the content of such communications;
• Billing and payment related contact information (payment processing is typically handled by third-party providers); and
• Personal Data included in inputs to the Services, including prompts, files, images, audio, or other content uploaded or submitted by you or your Authorised Users, depending on the features used.

The following categories of Personal Data are collected automatically when you access, visit, or otherwise interact with the Platform or Services. Such data may be collected automatically through server logs, cookies, SDKs, APIs, or similar technologies, regardless of whether you actively provide such information for purposes including security, performance, monitoring, analytics, and operation of the Platform:

• Log Data, including but not limited to your internet protocol ("IP") address, browser type and settings, the date and time of your request;
• Usage data relating to interactions with the Platform or Services;
• Device information, including but not limited to the name of the device, operating system, device identifiers, and configuration details;
• Approximate location information derived from IP address or device settings;
• Technical and usage data collected through APIs, SDKs, and other integration tools used to interact with the Platform, including request metadata, timestamps, and error logs;
• System performance metrics, diagnostic information, telemetry data, and operational logs generated through the use of the Platform for monitoring, security, reliability, and optimization purposes; and
• Cookies and similar technologies used to operate, administer, and improve the Platform and Services.

Personal Data may also be incidentally included within Customer Data submitted to the Platform as part of datasets, logs, prompts, or other inputs provided by or on behalf of the Customer, including by individual users accessing the Platform through PLG onboarding flows. The scope of automatically collected data may vary depending on the deployment model, including SaaS, PLG access, or Customer-Hosted/VPC deployments and the Platform configuration.

We collect and process Personal Data solely for legitimate business purposes connected with the provision, operation, security, and improvement of the Platform and Services. Subject to the applicable law, Personal Data may be collected and used for the following purposes:

• To enable access to, operate, administer, and support the Platform and Services, including user authentication, account management, provisioning, configuration and SaaS or PLG access, Customer-Hosted/VPC deployment of the Platform, providing technical support, troubleshooting, maintenance, and incident response, enabling integrations with the Customer systems, API, SDKs, and third-party services.
• To ensure the stability, reliability, availability, and security of the Platform and Services, including monitoring system performance, usage patterns, operational health, detecting, preventing, responding to security incidents, fraud, misuse, or abuse, enforcing access controls, license restrictions, and acceptable use requirements.
• To analyze usage trends and operational metrics in order to improve functionality, usability, scalability, performance of the Platform, develop enhancements, updates, new features, and generate aggregated, anonymized, or de-identified insights that do not identify any individual or Customer.
• To comply with applicable laws, regulations, and lawful governmental requests, including tax, accounting, audit, record-keeping obligations, data protection, privacy, export control and sanctions laws, responding to legal claims, investigations, or regulatory inquiries.
• To communicate with Customers and users regarding service-related notices, updates, and administrative messages; responses to inquiries, support requests, feedback and, billing, or operational matters.
• To generate Derived Data as described in our Terms and Conditions, including aggregated, anonymized, or statistical information, for internal business purposes such as analytics, benchmarking, service improvement, and research, provided that such data does not identify any individual or Customer.

We process your Personal Data where such processing is necessary for the performance of a contract, for compliance with legal obligations, for our legitimate business purposes in providing and improving the Services, or, where required, on the basis of your consent.

For the purposes of this Policy, the term “Special Category Data” or “Sensitive Personal Information” refers to personal data that is afforded enhanced protection under Applicable Data Protection Laws, which may include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, or data concerning a person's sex life or sexual orientation, and any other category designated as sensitive under Applicable Data Protection Laws.

Pavo AI does not intentionally seek to process Sensitive Personal Data or Special Category Data through the Platform, and Customers are instructed not to provide such data unless expressly agreed in writing.

We may disclose your Personal Data collected or processed in connection with the Platform, and Services, only to the following categories of recipients and solely to the extent necessary to provide, operate, support, secure, and improve the Platform and Services, or as otherwise permitted or required by applicable law:

• To our parent entities, subsidiaries, affiliates, and other entities under common control ("Pavo Group Companies") for purposes including service delivery, infrastructure management, technical support, analytics, security monitoring, operational continuity, research and development, compliance, and internal administration, in accordance with the Terms and Conditions and this Policy.
• To third party service providers, contractors, and subprocessors engaged to perform services on its behalf, such as cloud hosting providers, infrastructure vendors, analytics providers, monitoring and security vendors, customer support tools, payment processors, and professional service providers. Such disclosures shall be subject to contractual obligations requiring confidentiality, data protection, and security measures no less protective than those set forth in this Policy.
• Where Customers elect to integrate the Platform with third party applications, services, APIs, SDKs, or data sources, Personal Data may be disclosed to such third parties as directed or authorized by the Customer. We are not responsible for the data handling practices of such third parties, which are governed by their respective privacy policies and agreements.
• Where required to do so by applicable law, regulation, court order, governmental request, or legal process, or where disclosure is necessary to establish, exercise, or defend legal claims, enforce contractual rights, protect the rights, property, or safety of Pavo AI, its customers, users, or others, or investigate potential violations of law or policy.
• To our legal counsel, auditors, accountants, insurers, and other professional advisors in connection with compliance, risk management, audits, corporate governance, or similar legitimate business purposes.
• In connection with any merger, acquisition, reorganization, sale of assets, financing, or similar corporate transaction, Personal Data may be disclosed to prospective or actual counterparties and their advisors, subject to appropriate confidentiality and data protection safeguards.
• We may disclose aggregated, anonymized, or de-identified data that does not reasonably identify any individual or Customer for analytics, research, benchmarking, product improvement, or business purposes.

If you choose to submit feedback, suggestions, ideas, feature requests, bug reports, or other input regarding the Platform or Services, you acknowledge and agree that Pavo AI may use such feedback for any purpose, including to operate, improve, develop, and enhance its products and services, without restriction or obligation to you.

Pavo AI may also collect and analyze usage metrics, diagnostic information, telemetry, and operational data generated through your use of the Platform for purposes of product improvement, performance optimization, reliability, security, and feature development. Any such use will be limited to aggregated, anonymized, or de-identified information and will not identify you, your users, or your organization, nor disclose Customer Data or confidential business information.

Feedback does not create any ownership rights, intellectual property claims, or entitlement to compensation.

For Customer-Hosted or local deployments, the collection and use of telemetry or diagnostic data may be configured or limited by the Customer in accordance with applicable agreements and technical controls.

Customers may opt out of non-essential telemetry or analytics by written notice or configuration, subject to technical feasibility.

Pavo AI uses cookies and similar tracking technologies to operate, secure, and improve the Platform and Services, to enable core functionality, and to enhance user experience. Cookies are small text files that are placed on a user's device when visiting a website or accessing an online service. Similar technologies may include pixels, tags, SDKs, local storage, and other identifiers.

The scope and use of cookies and tracking technologies may vary depending on the deployment model, including SaaS Deployments or Customer-Hosted Deployments or access via PLG. In Customer-Hosted Deployments, certain cookies or tracking technologies may be configured, limited, or controlled by the Customer in accordance with its own policies and technical environment.

We may use third party service providers, such as analytics, monitoring, or security providers, that place cookies or use similar technologies on our behalf solely to support the operation, security, and performance of the Platform and Services. Such third parties are contractually restricted from using Personal Data for their own independent purposes.

Where required by applicable law, users may manage cookie preferences through cookie consent tools, browser settings, or other available mechanisms. Please note that disabling or blocking certain cookies may affect the functionality, performance, or availability of the Platform or Services.

Certain Cookies are mandatory for the operation, security, and core functionality of the Platform, while other Cookies are optional.

Where Pavo AI processes Personal Data provided or made available by the Customer or its Authorised Users in connection with the Platform, the Customer acknowledges and agrees that it is solely responsible for determining and establishing the appropriate lawful basis for such processing under Applicable Data Protection Laws. The Customer represents and warrants that:

• It has provided all legally required notices to, and obtained all necessary consents or authorisations (where required by law) from, the relevant data subjects prior to disclosing Customer Personal Data to Pavo AI;
• Such disclosure and subsequent processing by Pavo AI in accordance with the Agreement and this Privacy Policy will not cause Pavo AI to violate Applicable Data Protection Laws; and
• To the extent consent is relied upon as the lawful basis, such consent is freely given, specific, informed, and unambiguous, and may be withdrawn by the data subject at any time.

Pavo AI relies on the Customer's instructions and these representations when processing Customer Personal Data provided by or made available through the Customer or its Authorised Users and does not independently determine the purposes or means of such processing except as expressly agreed in writing or required by Applicable Data Protection Laws.

To the extent Pavo AI processes Personal Data on behalf of the Customer in connection with the provision of the Services, the Parties acknowledge and agree that the Customer shall determine the purposes and means of such processing and shall act as the “Controller,” “Business,” or “Data Fiduciary,” as such terms are defined under Applicable Data Protection Laws. Pavo AI shall process such Personal Data solely on behalf of the Customer and shall act as the Customer's “Processor,” “Service Provider,” or “Data Processor,” as applicable.

In the event Pavo AI becomes aware of a Personal Data Breach affecting Customer Personal Data processed by Pavo AI on behalf of the Customer, Pavo AI shall notify the Customer without undue delay. Pavo AI's obligation shall be limited to providing the Customer with information reasonably available to Pavo AI in order to assist the Customer in meeting its legal obligations.

Pavo AI shall not have any direct obligation to notify Data Subjects/Data Principals, supervisory authorities, regulators, or any third parties of a Personal Data Breach, except where such obligation is expressly imposed upon Pavo AI under Applicable Data Protection Laws and cannot lawfully be delegated. The Customer shall be solely responsible for determining whether any notifications are required and for making such notifications, except as otherwise required by law.

The Customer acknowledges and agrees that, as Controller/Data Fiduciary/Business, it is responsible for complying with its obligations under Applicable Data Protection Laws, including with respect to transparency, notice, consent (where applicable), responding to data subject requests, and breach notification to affected individuals and/or regulators.

Depending on your jurisdiction of residence and the Applicable Data Protection Laws, you may have certain rights in relation to your Personal Data, including rights of access, correction, deletion, restriction, objection, portability, or limitation of use, as further described in this Policy and any applicable Privacy Supplements.

You acknowledge and agree that the exercise of certain rights, particularly in relation to your Customer Personal Data that may have been incorporated into machine learning systems, Derived Datasets, or training processes, may be subject to technical, legal, and operational limitations. Accordingly, we may not be able to fully comply with certain requests, where doing so is not technically feasible, would require disproportionate effort, would compromise the integrity, security, or lawful operation of the Platform or Services, or where we have a lawful basis to retain or process such data under applicable law.

We reserve the right to deny or limit any request to the extent permitted by Applicable Data Protection Laws, including where compliance would adversely affect the rights and freedoms of others, interfere with contractual obligations, or undermine legitimate business or security interests. Where a request is denied or limited, we will provide a response consistent with applicable legal requirements.

Notwithstanding the foregoing, we are committed to respecting individual privacy rights, implementing appropriate safeguards, and processing Personal Data in compliance with Applicable Data Protection Laws. We will make commercially reasonable efforts to respond to valid requests in a timely manner and in accordance with applicable legal standards.

You may exercise any of the rights described in this section consistent with the Applicable Data Protection Laws in your jurisdiction.

We retain your Personal Data only for as long as is reasonably necessary to fulfil the purposes for which we have collected and processed, or for other legitimate purposes, as described in this Policy, unless a longer retention period is required or permitted under applicable law. Where the Personal Data collected is no longer required by us, we and our service providers will perform the necessary procedures for securely destroying, deleting, erasing, or converting it into an anonymous form as permitted or required under applicable laws.

In determining the appropriate retention periods, we take into account factors including: (a) the volume, nature and sensitivity of your Personal Data; (b) the purposes for which the Personal Data is processed and whether those purposes can be achieved through other means; (c) the potential risk of harm from unauthorized use or disclosure; (d) applicable legal, regulatory, accounting, or contractual retention requirements.

Notwithstanding the foregoing, we may retain and use Personal Data to the extent necessary to: (a) comply with applicable legal obligations; (b) respond to lawful requests from governmental or regulatory authorities; (c) resolve disputes; (d) enforce our agreements, policies, or terms; or (e) establish, exercise, or defend legal claims.

If you end the subscription of the Platform or Services, or if your account is deactivated or deleted, we will delete or anonymize your Personal Data in accordance with this Policy, unless retention is required or permitted under applicable law or necessary for legitimate business purposes. Aggregated or anonymized data that does not identify, and cannot reasonably be used to identify, any individual may be retained and used by Pavo AI on an indefinite basis, including for analytics, research, and improvement of the Platform and Services, in accordance with applicable law.

You may request deletion of your account or withdrawal of consent by writing to the Grievance Officer at support@pavoai.com. Upon receipt of a valid request, Pavo AI shall acknowledge the request by email and delete the account and associated Personal Data within forty-eight (48) hours. A log of such deletion or withdrawal shall be maintained. Where any Personal Data is required to be retained for legal or regulatory reasons or is technically incapable of deletion, the Grievance Officer shall inform the Customer accordingly.

We implement and maintain appropriate technical, administrative, and organizational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature of the Personal Data, the risks involved in processing, and industry best practices. Such measures may include, as appropriate, access controls, encryption, network security controls, monitoring, and internal security policies and procedures. Where applicable, we also engage independent third-party auditors or assessors to evaluate aspects of our security practices, including systems involved in financial or sensitive processing. These security measures apply across deployment models, including SaaS, or PLG access, and Customer-Hosted or VPC deployments, subject to the applicable configuration and shared responsibility model.

Notwithstanding the foregoing, you acknowledge that no system of transmission or electronic storage is completely secure. While we strive to protect Personal Data using commercially reasonable safeguards and in compliance with Applicable Data Protection Laws, we do not and cannot guarantee absolute security of Personal Data transmitted to or stored on the Platform.

You acknowledge and agree that the security of Personal Data also depends on factors outside our control, including your own security practices, device security, credential management, and, where applicable, the security of Customer-Hosted or VPC environments or PLG environment.

In the event of a Personal Data breach affecting Personal Data processed by us, as a data controller or a data fiduciary, we will assess the incident without undue delay and take reasonable steps to contain, mitigate, and remediate the breach.

Where we are acting as a data controller, or a data fiduciary, or as defined as such in the Applicable Data Protection Laws, we will notify the relevant supervisory authority or regulatory authority within the prescribed timeframe and will notify affected individuals without undue delay where the breach is likely to result in a risk to their rights and freedoms. Such notifications will describe, to the extent reasonably practicable, the nature of the breach, the categories and approximate number of individuals concerned, the likely consequences of the breach, and the measures taken or proposed to address it.

We may delay notification to individuals, where permitted by law, including where notification would impede a lawful investigation, compromise security, or where the risk to individuals is unlikely to materialize.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a competent data protection authority or supervisory authority or data protection board, if you believe that the processing of your Personal Data violates Applicable Data Protection Laws.

For additional jurisdiction specific rights, procedures, and contact details are set out in the applicable jurisdiction specific Privacy Policy Supplement, which forms an integral part of this Policy.

Our Services are not intended for children, and we do not collect Personal Data from them. We define “children” as anyone under 18 years old. If we learn we have collected or received Personal Data from a child without verification of parental consent, we will delete the information. If you believe we might have any information from or about a child, please contact us via the contact information noted below.

For purposes of Applicable Data Protection Laws, the Pavo AI entity acting as the data controller or data fiduciary depends on your place of residence (contact: support@pavoai.com):

• If you reside in the United States of America, the data controller is Pavo AI USA.
• If you reside in the United Kingdom, the European Economic Area (EEA), or Switzerland, the data controller is Pavo AI UK.
• If you reside in India, the data fiduciary is Pavo AI India.

Each of the above entities may act independently or jointly with other Pavo Group Companies, as described in this Policy and the applicable Terms and Conditions.

This United States Privacy Supplement applies to our Customers residing in the State of California in the United States of America and supplements the Pavo AI Privacy Policy.

This Supplement is provided to comply with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CCPA/CPRA”), and describes the additional rights applicable to California Residents.

Except as otherwise stated in this Supplement, all capitalised terms have the meanings set forth in our Terms and Conditions and the Privacy Policy.

Categories of Personal Data Collected

As described in the Privacy Policy, Pavo AI collects Personal Data described in Section 1 (Collection of Personal Data) of the Privacy Policy, including identifiers, commercial information, internet or network activity information, professional or employment-related information, and other information provided or generated in connection with the use of the Platform and Services.

Purposes of Collection and Use

We collect and use Personal Data for providing the Services, as described in Section 2 (Purpose of Collection of Personal Data) of the Privacy Policy including to operate, secure, support, and improve the Platform and Services; comply with legal obligations; and generate aggregated or anonymized insights.

Disclosure of Personal Information

We may disclose Personal Data to the categories of recipients described in Section 4 (Disclosure of Your Personal Data) of the Privacy Policy for business purposes consistent with the CCPA/CPRA.

We do not sell Personal Data nor do we share it for purposes of cross-context behavioural advertising or targeted advertising.

Your Rights

Right to Access and Data Portability

Subject to verification of your identity and as permitted by applicable law, you have the right to request that Pavo AI disclose the Personal Data we have collected about you. Upon receipt of a verifiable customer request, and as required by CCPA/CPRA, we will provide information regarding:

1. The categories of Personal Data collected about you;
2. The categories of sources from which such Personal Data was collected;
3. The purposes for collecting or processing such Personal Data; and
4. The categories of third parties or service providers to whom such Personal Data was disclosed.

The purpose of the Personal Data processed is included in Section 2, the Purposes of Processing and Legal Bases of our Privacy Policy.

Where required by the CCPA/CPRA, such information will be provided in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the information to another entity without hindrance.

Right to Delete

You have the right to request deletion of your Personal Data, subject to applicable exceptions. We may retain Personal Data as permitted by law, including where necessary to:

1. Complete a transaction or provide Services requested;
2. Comply with legal obligations;
3. Detect security incidents or prevent fraud;
4. Exercise or defend legal claims; or
5. Conduct internal uses reasonably aligned with your relationship with Pavo AI.

Right to Opt-Out

You have the right to direct Pavo AI to opt out of certain processing activities, for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

Pavo AI does not engage in automated decision-making without human intervention, or profiling of individuals that produces legal or similarly significant effects on the Customers.

Where machine learning or automated processing is used within the Platform, such processing is:

1. Performed at the direction of enterprise Customers;
2. Used to support operational, analytical, or decision-support workflows; and
3. Not used by Pavo AI to make unilateral decisions about individuals.

Pavo AI does not sell Personal Data, nor does it share Personal Data for purposes of cross-context behavioural advertising. Accordingly, Pavo AI does not engage in activities that would require an opt-out of the “sale” or “sharing” of Personal Data under the CCPA/CPRA.

Pavo AI does not use Personal Data for targeted advertising based on a consumer's activity across unaffiliated websites, applications, or services.

Where limited marketing or promotional activities are conducted (such as identifying Customers by name, logo, or high-level case studies), such use is:

1. Limited to business-to-business marketing;
2. Based on contractual permissions set forth in the Terms and Conditions or applicable SOWs; and
3. Not based on cross-context behavioural tracking or profiling of individuals.

Where required by applicable law, Pavo AI will make commercially reasonable efforts to honour valid opt-out preference signals detected through supported browsers or technologies.

Right to Non-Discrimination

You have the right not to receive discriminatory treatment for exercising any of your rights under applicable CCPA/CPRA. Pavo AI will not deny Services, charge different prices, or provide a different level or quality of Services solely because you exercised your rights.

Notwithstanding the foregoing, Pavo AI may limit, modify, or be unable to provide certain Services where the exercise of a particular right (such as deletion, restriction of processing, or withdrawal of consent) makes it technically or legally impossible to provide the requested Services, or where such processing is strictly necessary to perform contractual obligations, comply with applicable law, or maintain the security and integrity of the Platform.

Any such limitation shall be applied in a lawful, proportionate, and non-discriminatory manner and only to the extent permitted under CCPA/CPRA.

Right to Correct

You have the right to request correction of inaccurate Personal Data maintained by Pavo AI, taking into account the nature of the information and the purposes for which it is processed.

Right to Limit

To the extent Pavo AI processes Sensitive Personal Information, you may have the right to limit its use and disclosure. Pavo AI uses Sensitive Personal Information for purposes only permitted under applicable law, including providing and securing the Platform and Services; authenticating users and maintaining account security; performing Services requested by Customers; and complying with legal obligations.

Pavo AI does not use Sensitive Personal Information for purposes that would require a right to limit or opt-out. If such use were to occur in the future, Pavo AI would provide appropriate notice and opt-out mechanisms as required by law.

De-Identification

We commit to maintain and use information in de-identified form and not to attempt to re-identify the information. We may use such information in de-identified form or otherwise as consistent with applicable law.

Third Party List

You may request, once per calendar year and free of charge, information regarding whether Pavo AI has disclosed Personal Data to third parties for their direct marketing purposes during the preceding calendar year, and if so, the categories of Personal Data disclosed.

Right to Authorized Agents

You may designate an authorized agent to exercise your rights on your behalf. Pavo AI may require proof of authorization and verification of identity before processing such requests.

Cross-Jurisdictional Transfers

By providing Personal Data to Pavo AI or using the Platform or Services, you acknowledge and agree that your Personal Data may be transferred to, accessed from, processed, and stored in jurisdictions other than your country of residence, including jurisdictions where Pavo Group Companies operate or engage service providers.

Such jurisdictions may include, without limitation, the United Kingdom, India, the European Economic Area, and other countries where Pavo AI or its authorized subprocessors maintain facilities or personnel.

Where required by Applicable Data Protection Laws, Pavo AI will implement appropriate safeguards to ensure lawful cross-border transfers of Personal Data, which may include standard contractual clauses, adequacy decisions, data transfer agreements, or other lawful transfer mechanisms recognized under applicable law.

Personal Data may also be disclosed or transferred in such jurisdictions where required to comply with applicable law, regulation, legal process, or governmental request, or where Pavo AI reasonably believes such disclosure is necessary to establish, exercise, or defend legal claims, protect the rights, property, or safety of Pavo AI, its Customers, users, or others, or prevent fraud, security incidents, or misuse of the Platform or Services.

Breach Notification

In the event of a data breach involving your unencrypted personal information, we will notify you without unreasonable delay and in any case within 30 calendar days of discovery (effective January 1, 2026), unless delayed to accommodate law enforcement needs or to determine the breach scope and restore system integrity.

Lodge a Complaint

If you believe we have not complied with your privacy rights under this Supplement, you may submit a complaint regarding the violation under the CCPA/CPRA to the California Privacy Protection Agency (CPPA) or the California Attorney General's office via their online form at cppa.ca.gov or by mail.

We encourage you to first reach out to us at support@pavoai.com to resolve any concerns.

Exercising Your Rights

Requests may be submitted by contacting:

We may verify your identity before fulfilling a request, as permitted by law.

This UK and EEA Privacy Supplement applies solely to Customers residing in the European Economic Area or the United Kingdom, and supplements the Pavo AI Privacy Policy.

Depending on the specific Services provided and the deployment model, Pavo AI may act as a data controller, joint controller, or processor; however, this Supplement applies solely where Pavo AI acts as a controller under the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) or UK GDPR. This Supplement is provided to comply with the GDPR and describes the additional rights and disclosures applicable to the UK GDPR.

Except as otherwise stated in this Supplement, all capitalized terms have the meanings set forth in the Privacy Policy.

Categories of Personal Data Collected

As described in the Privacy Policy, Pavo AI collects Personal Data described in Section 1 of the Privacy Policy, including identifiers, commercial information, internet or network activity information, professional or employment-related information, and other information provided or generated in connection with the use of the Platform and Services.

Purposes of Collection and Use

We collect and use Personal Data for providing the Services, as described in Section 2 of the Privacy Policy (Collection of Personal Data) including to operate, secure, support, and improve the Platform and Services; comply with legal obligations; and generate aggregated or anonymized insights.

Disclosure of Personal Information

We may disclose Personal Data to the categories of recipients described in Section 4 (Disclosure of Your Personal Data) of the Policy for business purposes consistent with the GDPR.

Your Rights

Right to Access

Subject to verification of your identity and as permitted by applicable law, you have the right to obtain from Pavo AI upon request, as to whether or not the Personal Data concerning you is being processed, and if that is the case, access to the Personal Data and the following information:

1. The categories of Personal Data collected about you;
2. The categories of sources from which such Personal Data was collected;
3. The purposes for collecting or processing such Personal Data; and
4. The recipients or categories of recipient to whom the Personal Data have been or will be disclosed.

If possible, the period of data retention, and wherever not possible the criteria used to determine that period.

If the Personal Data is not collected from you, any available information as to their source.

If the Personal Data is transferred to a third country or to an international organisation, you shall have the right to be informed of the appropriate safeguards.

Upon request, we will provide a copy of your Personal Data undergoing processing. We can provide you with any further copies, subject to a reasonable fee based on administrative costs. You can also make a request by electronic means, and unless otherwise requested by you, the data shall be provided in a commonly used electronic form.

Right to Erasure

You shall have the right to obtain the erasure of your Personal Data and we shall erase it, where one of the following grounds apply:

1. The Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
2. You withdraw your consent on which the processing of your Personal Data is based, and there is no other lawful basis under Applicable Data Protection Laws for the continued processing of such Personal Data;
3. You object to the processing of your Personal Data, and there are no overriding legitimate grounds for the processing under applicable law;
4. If the Personal Data has been processed unlawfully;
5. If the Personal Data must be erased to comply with a legal obligation under Applicable Data Protection Laws.

Where Pavo AI has made Personal Data public and is required to erase such data, Pavo AI shall take reasonable steps, taking into account available technology and the cost of implementation, to inform other controllers and/or processors processing such Personal Data that you have requested the erasure of any links to, or copies or replications of, such Personal Data.

You acknowledge that certain Personal Data may have been incorporated into machine learning systems, logs, backups, derived datasets, or technical records. In such cases, erasure may be subject to technical feasibility, proportionality, and lawful retention obligations. Where complete erasure is not technically feasible, Pavo AI will implement appropriate safeguards, including anonymization or restriction of processing, where permitted by law.

The right to erasure shall not apply to the extent that processing is necessary:

1. For exercising the right of freedom of expression and information;
2. For compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority;
3. For reasons of public interest in the area of public health, where applicable;
4. For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where erasure would render impossible or seriously impair the achievement of the objectives of such processing; or
5. For the establishment, exercise, or defence of legal claims.

Right to Restriction of Processing

You have the right to request the restriction of processing of your Personal Data where one or more of the following conditions apply:

1. You contest the accuracy of the Personal Data, for a period enabling Pavo AI to verify the accuracy of such data;
2. The processing is unlawful and you oppose the erasure of the Personal Data and instead request the restriction of its use;
3. You have objected to processing based on legitimate interests, pending verification of whether Pavo AI's legitimate grounds override your interests, rights, or freedoms.

Where processing has been restricted, such Personal Data shall, with the exception of storage, only be processed:

1. With your consent;
2. For the establishment, exercise, or defence of legal claims;
3. For the protection of the rights of another natural or legal person; or
4. For reasons of important public interest, as permitted under Applicable Data Protection Laws.

You will be informed by Pavo AI before any restriction on processing is lifted.

You acknowledge that certain Personal Data may have been incorporated into machine learning systems, Derived Datasets, logs, or model training artefacts. Where technically infeasible, disproportionate, or legally restricted, complete erasure or restriction may not be possible, provided that such data has been irreversibly anonymized or aggregated and no longer identifies you or any individual.

Pavo AI shall communicate any rectification, erasure, or restriction of processing carried out in accordance with applicable law to each recipient to whom the Personal Data has been disclosed, unless this proves impossible or involves disproportionate effort. Upon request, Pavo AI shall inform you of such recipients.

Where the Platform is deployed in a Customer-Hosted or VPC environment, certain Personal Data may be controlled, stored, or managed by the Customer, in such cases:

1. Pavo AI's ability to directly erase or restrict Personal Data may be limited; and
2. Pavo AI will reasonably cooperate with the Customer to support compliance with applicable data protection obligations, subject to contractual and technical constraints.

Right to Data Portability

Where required, you have the right to receive certain Personal Data concerning you, which you have provided to Pavo AI, in a structured, commonly used, and machine-readable format, and to transmit such Personal Data to another controller without hindrance from Pavo AI.

This right applies only where:

1. The processing of the Personal Data is based on your consent or is necessary for the performance of a contract to which you are a party; and
2. The processing is carried out by automated means.

This right to data portability does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Pavo AI, and shall not adversely affect the rights and freedoms of other individuals.

Right to Object

Where we process your Personal Data on the basis of legitimate interests, you shall have the right to object, on grounds relating to your particular situation, at any time.

Upon receipt of a valid objection, Pavo AI shall cease processing the relevant Personal Data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or where the processing is necessary for the establishment, exercise, or defence of legal claims.

Where Personal Data is processed for direct marketing purposes, including any profiling to the extent that it relates to such direct marketing, you have the right to object at any time to such processing. If you object to processing for direct marketing purposes, Pavo AI shall no longer process your Personal Data for such purposes.

Where Personal Data is processed for scientific or historical research purposes or statistical purposes, you have the right to object to such processing on grounds relating to your particular situation. This right shall not apply where the processing is necessary for the performance of a task carried out for reasons of public interest, and appropriate safeguards have been implemented in accordance with applicable law.

Right to Rectification

You shall have the right to obtain without undue delay the rectification of inaccurate Personal Data concerning you. You shall have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.

Right to Not Be Subject to Automated Decision-Making, Including Profiling

For the purposes of this Policy, “automated processing” refers to a decision-making process carried out without human involvement, based exclusively on automated means.

You shall have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

This right shall not apply, if the decision is necessary for entering into, or performance of, a contract between you/your authorised users and Pavo AI, and if it is authorised by Union or Member State law to which we are subjected to and which also lays down suitable measures to safeguard your rights and freedoms, and or it is based on your explicit consent, where required by law.

Where automated decision-making is permitted, we will implement appropriate safeguards to protect your rights, freedoms, and legitimate interests. Such safeguards may include, where applicable and technically feasible:

1. The right to obtain human intervention by Pavo AI;
2. The right to express your point of view; and
3. The right to contest the decision.

Automated decisions made by or through the Platform shall not be based on special categories of Personal Data, unless permitted by law and subject to appropriate safeguards.

Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a competent supervisory authority if you consider that the processing of your Personal Data by Pavo AI infringes the GDPR or the UK GDPR, as applicable. Before lodging a complaint with a supervisory authority, we encourage you to contact Pavo AI directly so that we may attempt to resolve your concern in a timely and effective manner.

You may lodge such a complaint with the supervisory authority in:

1. The European Union Member State of your habitual residence;
2. Your place of work; or
3. The place of the alleged infringement.

If you reside in the United Kingdom, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). Further information about the ICO and how to submit a complaint is available at: ico.org.uk.

If you reside in the European Economic Area, a list of EU supervisory authorities and their contact details is available at: edpb.europa.eu.

You also have the right to an effective judicial remedy against a supervisory authority and against Pavo AI where you consider that your rights under applicable data protection laws have been infringed.

Data Transfers

This section supplements Section 4 (Disclosure of Your Personal Data) set out in our Privacy Policy.

By providing Personal Data to Pavo AI, or by accessing or using the Platform or Services, you acknowledge and agree that your Personal Data may be transferred to, accessed from, processed, and stored in jurisdictions outside your country of residence, including jurisdictions in which Pavo Group Companies, or their authorized service providers operate.

Such jurisdictions may include, without limitation, the United States of America, India, the United Kingdom, and other countries in which Pavo AI or its approved subprocessors maintain facilities, personnel, or infrastructure. Where Personal Data is transferred across borders, Pavo AI implements appropriate safeguards and lawful transfer mechanisms as required under Applicable Data Protection Laws, including:

Special Categories of Personal Data

Pavo AI does not intentionally collect or process special categories of personal data, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data concerning sex life or sexual orientation (“Special Category Data”). Customers and users are instructed not to provide such data through the Platform unless expressly agreed in writing and permitted under applicable law.

Notwithstanding the foregoing, to the extent that Special Category Data is incidentally or inadvertently included within Customer Data and processed, then such processing shall occur only in the following cases, including where:

1. You have provided your explicit consent;
2. Processing is necessary for the purpose of carrying out the obligations and exercising certain rights by us, in the field of employment, social security, and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and in your interests;
3. Processing relates to Personal Data which are manifestly made public by you or your authorised users;
4. Processing is necessary for the establishment, exercise or defence of legal claims;
5. Processing is required to comply with legal obligations;
6. Processing is necessary to protect your vital interests or of another natural person where you are physically or legally incapable of giving consent;
7. Processing is necessary for reasons of substantial public interest, on the basis of applicable law, and subject to suitable and specific measures to safeguard your rights and interests.

Any processing of Special Category Data shall be limited to what is strictly necessary, shall be subject to enhanced technical and organizational safeguards, and shall comply with Applicable Data Protection Laws, this Privacy Policy, and the applicable Terms and Conditions.

Breach Notification

In the event of a Personal Data breach, Pavo AI shall, without undue delay, assess the nature, scope, and impact of the breach and take appropriate measures to contain, mitigate, and remediate the incident.

Where the Personal Data breach is likely to result in a risk to the rights and freedoms of natural persons, Pavo AI shall notify the competent supervisory authority in any event within seventy-two (72) hours of becoming aware of the breach, unless a longer period is permitted under applicable law.

Where the Personal Data breach is likely to result in a high-risk breach to the rights and freedoms of affected individuals, Pavo AI shall notify the affected Customers without undue delay, unless an exception applies under applicable law.

Notification to affected individuals may be delayed or omitted where permitted by applicable law, including where notification would likely impede a lawful investigation, compromise security measures, or where appropriate technical and organizational safeguards (such as encryption) render the data unintelligible to unauthorized persons.

Where the Platform or Services are deployed in a Customer-Hosted or VPC environment, and the Customer acts as the data controller with respect to the affected Personal Data, Pavo AI shall notify the Customer without undue delay upon becoming aware of a relevant personal data breach and shall reasonably cooperate with the Customer to support compliance with applicable GDPR notification obligations, subject to contractual and technical limitations.

Exercising Your Rights

Requests may be submitted by contacting:

We may verify your identity before fulfilling a request, as permitted by law.

This Indian Privacy Supplement applies solely to Customers residing in India. This supplement applies where Pavo AI processes Personal Data of Data Principals in India directly through the Platform, Services, or website; or indirectly where Personal Data is included within Customer Data submitted by Customers or users.

This Supplement is provided to comply with the Digital Personal Data Protection Act, 2023 and associated rules (“DPDP Act”). It describes additional rights and obligations applicable to Data Principals in India where Pavo AI acts as a Data Fiduciary or Data Processor, as applicable.

This India Supplement shall be read together with the Privacy Policy and the Terms and Conditions. Except as otherwise stated in this Supplement, all capitalized terms have the meanings set forth in the Privacy Policy.

Bases for Processing the Personal Data

We process your Personal Data only in accordance with the provisions of the DPDP Act and for a lawful purpose, for which you have given your consent; or for certain legitimate uses and to comply with the legal obligations under applicable laws.

Categories of Personal Data Collected

As described in the Privacy Policy, Pavo AI collects Personal Data described in Section 1 (Collection of Personal Data) of the Privacy Policy, including identifiers, commercial information, internet or network activity information, professional or employment-related information, and other information provided or generated in connection with the use of the Platform and Services.

Purposes of Collection and Use

We collect and use Personal Data only for purposes that are lawful and for providing the Services, as described in Section 2 (Purpose of Collection of Personal Data) of the Privacy Policy including to operate, secure, support, and improve the Platform and Services; comply with legal obligations; and generate aggregated or anonymized insights.

Disclosure of Personal Information

We may disclose Personal Data to the categories of recipients described in Section 4 (Disclosure of Your Personal Data) of the Privacy Policy for business purposes consistent with the DPDP Act.

Your Rights

Right to Access Information About Personal Data

You shall have the right to obtain from Pavo AI information relating to the processing of your Personal Data, upon making a request.

Upon receipt of a valid request, Pavo AI shall provide you with the following information, to the extent applicable and available:

1. A summary of the Personal Data relating to you that is being processed by Pavo AI, together with a description of the processing activities undertaken with respect to such Personal Data;
2. The identities of all other data fiduciaries and data processors with whom such Personal Data has been shared by Pavo AI, along with a description of the categories of Personal Data so shared; and
3. Such other information relating to your Personal Data and its processing as may be prescribed under applicable law.

The obligations set out in clauses (b) and (c) above shall not apply to the extent that Personal Data has been shared by Pavo AI with another data fiduciary authorised by law to obtain such Personal Data, where such sharing is pursuant to a written request made for the purposes of prevention, detection, investigation, prosecution, or punishment of offences or cyber incidents.

Where Personal Data is processed within a Customer-Hosted or VPC deployment controlled by a Customer, Pavo AI's ability to directly access or provide such information may be limited. In such cases, Pavo AI shall provide information to the extent reasonably available with it and shall, where appropriate, cooperate with the Customer to facilitate the data principal's request, subject to contractual and technical constraints.

Right to Correction and Erasure of Personal Data

You shall have the right to correction, completion, and updating of your Personal Data that is processed by Pavo AI pursuant to consent previously given, in accordance with applicable law.

Upon receipt of a valid request for correction, completion, or updating, Pavo AI shall:

1. Correct inaccurate or misleading Personal Data;
2. Complete incomplete Personal Data; and
3. Update Personal Data.

You may request the erasure of your Personal Data by submitting a request. Upon receipt of such request, Pavo AI shall erase the Personal Data, unless retention of such Personal Data is necessary for the specified purpose or for compliance with any law for the time being in force.

Where Personal Data has been incorporated into system logs, backups, machine learning workflows, Derived Datasets, or other technical or operational records, complete erasure may be subject to technical feasibility. In such cases, Pavo AI shall take reasonable measures to restrict further processing, anonymize the data where feasible, or otherwise safeguard your interests in accordance with the DPDP Act.

Where Personal Data is processed within a Customer-Hosted or VPC deployment, Pavo AI's ability to directly correct or erase such data may be limited. In such circumstances, Pavo AI shall reasonably cooperate with the relevant Customer to support compliance with applicable obligations, subject to contractual terms and technical constraints.

Right to Withdrawal of Consent

You shall have the right to withdraw your consent for the processing of Personal Data at any time. Upon withdrawal of consent:

1. Pavo AI shall cease processing the Personal Data for which consent has been withdrawn, unless such processing is permitted or required under applicable law; and
2. The withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal.

You acknowledge and agree that the withdrawal of consent may result in Pavo AI being unable to provide or continue providing certain Services where such processing is necessary for the performance of a contract or the provision of the Platform or Services.

Right to Approach the Data Protection Board of India

Where you are not satisfied with the response received from Pavo AI through its grievance redressal mechanism, you may file a complaint with the Data Protection Board of India, in accordance with the procedures prescribed under the DPDP Act.

Right of Grievance Redressal

You shall have the right to have readily available means of grievance redressal in respect of any act or omission regarding the performance of our obligations in relation to the Personal Data or the exercise of your rights under the provisions of the DPDP Act and the rules made thereunder.

We shall respond to any grievances within such period as may be prescribed from the date of its receipt.

You shall exhaust the opportunity of redressing your grievance with us before approaching the Board.

Right to Nominate

You shall have the right to nominate any other individual, who shall, in the event of your death or incapacity, exercise your rights.

Your Duties

You shall perform the following duties:

1. Comply with the provisions of all applicable laws for the time being in force while exercising your rights;
2. Ensure not to impersonate another person while providing your Personal Data for a specified purpose;
3. Ensure not to suppress any material information while providing your Personal Data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
4. Furnish only such information as is verifiably authentic, while exercising the right to correction or erasure.

Data Transfers

By providing Personal Data to Pavo AI or using the Platform or Services, you acknowledge that Personal Data may be transferred outside India for processing and storage. Such transfers shall occur subject to any restrictions notified by the Central Government under the DPDP Act.

Nothing in this Supplement shall restrict the applicability of any Indian law that provides:

1. A higher degree of protection; or
2. Stricter restrictions on cross-border transfers in respect of any personal data, Data Fiduciary, or class thereof.

Breach Notification

Upon becoming aware of a Personal Data Breach, Pavo AI shall, without undue delay:

1. Notify affected Customers in clear and plain language; and
2. Provide information regarding the nature of the breach, likely consequences, mitigation measures taken or proposed, and protective steps you may take.

We will also notify the Data Protection Board of India without delay, providing details of the breach, its cause, impact, mitigation and remedial measures, and reports of communications with affected Customers within 72 hours or a longer period allowed by the Data Protection Board of India.

Right to Lodge a Complaint

If you have any questions, concerns, or complaints regarding the processing of your Personal Data by Pavo AI or any Pavo Group Company, including any alleged violation of Applicable Data Protection Laws, you are encouraged to first contact us through our internal grievance redressal mechanism.

You may submit a complaint or request by contacting:

We will acknowledge receipt of your complaint and make commercially reasonable efforts to investigate and respond within the timelines prescribed under Applicable Data Protection Laws.

Exercising Your Rights

Requests may be submitted by contacting:

We may verify your identity before fulfilling a request, as permitted by law.