Privacy Policy
Last updated: December 2024
This privacy policy ("Policy") applies to Tanishayan Technologies Private Limited along with its affiliates Blozum Inc. (herein referred to as "ContraVault AI") and was last updated May 2024. We may change or update this policy at any time, and the same will be updated here.
If you are a ContraVault AI user or customer, we shall notify the changes or updates either by sending an email or a notification on the ContraVault AI App (as defined below). Please ensure to read such notices carefully.
We sincerely believe that you should always know what data we collect from you, the purposes for which such data is used, and that you should have the ability to make informed decisions about what you want to share with us.
Therefore, we want to be transparent about: (i) how and why we collect, store and use your personal data in the various capacities in which you interact with us; and (ii) the rights that you have to determine the contours of this interaction.
While we would strongly advise you to read the Policy in full, the following summary will give you a snapshot of the salient points covered herein:
- This Policy details the critical aspects governing your personal data relationship with Tanishayan Technologies Private Limited, having its registered office at 112-A, Red MIG Flats, Rajouri Garden, Delhi - 110027, and its subsidiary, Blozum, Inc., a company incorporated under the laws of the United States of America, and having its registered office at 16192, Coastal Highway, Lewes, DE 19958 (collectively, ContraVault AI);
- Your personal data relationship with ContraVault AI varies based on the capacity in which you interact with us/avail of our products and solutions ("Services"). You could be: (i) a visitor to https://www.contravault.com/ ("Website") or any pages thereof ("Visitor"); (ii) a person/entity availing of one of our Services ("Customer"); or (iii) an employee/agent/representative/appointee of a customer who uses the said Service ("User");
- Based on whether you are a Visitor, Customer or User, the type of data we collect and the purpose for which we use it will differ and this Policy details such variations;
- This Policy will clarify the rights available to you vis-à-vis the personal data you share with us.
If you have any queries or concerns with this Policy, please contact our Grievance Officer (refer to Section 12). If you do not agree with the Policy, we would advise you to not visit/use the Website or the ContraVault AI application(s)/platform(s) (collectively "App").
INFORMATION WE COLLECT AND HOW WE USE IT
| TYPE OF USER | VISITOR | CUSTOMER | USER |
|---|---|---|---|
| WHAT DATA WE MAY COLLECT | | | |
| HOW AND WHY WE USE IT | We use this information to analyse and identify your behaviour and enhance the interactions you have with the Website. If you submit your details and give us your consent, we may send you newsletters and e-mails to market other products and services we may provide. | We collect this data in order to help you register for and facilitate provision of our Services. We also use this data to enable you to make payments for our Services. We use a third-party service provider to manage payment processing. This service provider is not permitted to store, retain, or use information you provide except for the sole purpose of payment processing on our behalf. If you give us your consent, we may send you newsletters and e-mails to market other products and services we may provide. | We collect this data in order to facilitate provision of our Services. We will occasionally send you e-mails regarding changes or updates to the Service that you are using. In the event you report an issue with a Service, we may also screen/video record your device only when you use the App for a limited time period to help us better understand how to address the issue. If you give us your consent, we may send you newsletters and e-mails to market other products and services we may provide. |
| Information transferred via the Google API: ContraVault AI's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including Limited Use requirements. | | | |
AI DATA PROCESSING AND GOVERNANCE
ContraVault AI uses artificial intelligence (AI) to enhance the services we provide, ensuring that customer data is processed accurately, efficiently, and securely. Our AI generates recommendations for human review only and does not make autonomous decisions.
Zero Data Retention (ZDR) Policy
We have implemented a ZERO DATA RETENTION (ZDR) policy within our LLMs and software. This means:
- As soon as data is deleted from our system, it gets deleted from our servers forever
- On contract termination, we will automatically delete all your data within 30 days
- Your organization would be required to download all data before 30 days from contract termination date
- We do not store any uploaded RFPs, organisational data, or AI-generated outputs longer than your organization chooses to keep them in the system
AI Accuracy and Fairness
Our AI evaluates each clause against your company's predefined go/no-go criteria and compliance rules, classifying them as compliant or non-compliant accordingly. We ensure fairness and accuracy through:
- Multiple advanced AI models with strong validation controls to minimize inaccurate clause interpretations
- Training on more than 3,00,000 publicly available tenders
- Continuous testing on internal evaluation datasets (evals) with approximately 99%+ accuracy in clause analysis
- Support for scanned, signed, and badly formatted tenders of 4,000+ pages
We do not use customer data to train external models or for any purpose beyond the agreed-upon scope of our services. Any personal data processed by our AI systems is handled in compliance with applicable data protection laws, including GDPR and CCPA where relevant.
Data Storage and Location
Data Storage Location: We do not collect or store any personal data (PII) directly. All data processing and storage occurs within secure cloud infrastructure without transferring data outside the primary region for maximum security and compliance.
Cloud Provider: All data is stored using AWS-native infrastructure with enterprise-grade security measures, including AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit.
FOR THE AVOIDANCE OF ANY DOUBT, WE SHOULD CLARIFY THAT IN THE EVENT WE ANONYMIZE AND AGGREGATE INFORMATION COLLECTED FROM YOU, WE WILL BE ENTITLED TO USE SUCH ANONYMIZED DATA FREELY, WITHOUT ANY RESTRICTIONS OTHER THAN THOSE SET OUT UNDER APPLICABLE LAW.
YOUR RIGHTS & PREFERENCES AS A DATA SUBJECT
Subject to the GDPR and applicable law's limitations, the rights afforded to you as a data subject are:
- RIGHT TO BE INFORMED: You have a right to be informed about the manner in which any of your personal data is collected or used which we have endeavored to do by way of this Policy.
- RIGHT OF ACCESS: You have a right to access the personal data you have provided by requesting us to provide you with the same.
- RIGHT TO RECTIFICATION: You have a right to request us to amend or update your personal data if it is inaccurate or incomplete.
- RIGHT TO ERASURE: You have a right to request us to delete your personal data.
- RIGHT TO RESTRICT: You have a right to request us to temporarily or permanently stop processing all or some of your personal data.
- RIGHT TO OBJECT: You have a right, at any time, to object to our processing of your personal data under certain circumstances. You have an absolute right to object to us processing your personal data for the purposes of direct marketing.
- RIGHT TO DATA PORTABILITY: You have a right to request us to provide you with a copy of your personal data in electronic format and you can transmit that personal data for using another third-party's product/service.
- RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING: You have a right to not be subject to a decision based solely on automated decision-making, including profiling.
In case you want to exercise the rights set out above you can contact our Grievance Officer whose details are set out in Section 12 below.
HOW WE OBTAIN USER CONSENT
We take proper user consent through a consent form, as required under the Information Technology Act and GDPR regulations. The data provided by you as a Visitor, or when you sign up as a Customer / User or register for our Services will be processed by us for the purpose of rendering Services to you or in order to take steps prior to rendering such Services, at your request. Where such data is not being used by us to render Services to you, we shall explicitly seek your consent for using the same.
Personal Data (PII) Processing: No personal data (PII) is handled/managed by us directly. We rely on our authentication partners, Google and Microsoft, for authentication purposes only.
Additionally, we may process your data to serve legitimate interests.
Accordingly, the grounds on which we can engage in processing are as follows:
| NATURE OF DATA | GROUNDS |
|---|---|
| Visitor Data | |
| Account Registration Data | |
| Service Usage Data | |
| Data for Marketing our Services | |
| If you believe we have used your personal data in violation of the rights above or have not responded to your objections, you may lodge a complaint with your local supervisory authority. | |
YOUR RIGHTS UNDER CALIFORNIA CONSUMER PRIVACY ACT (CCPA)
ContraVault AI complies with CCPA by giving you the five privacy rights for California consumers:
- The right to know about the personal information a business collects about them and how it is used and shared
- You have a right to be informed about the manner in which any of your personal data is collected or used which we have endeavored to do by way of this Policy.
- The right to delete personal information collected from them.
- ContraVault AI gives you the right to request us to delete your personal data.
- The right to opt-out of the sale of their personal information.
- The right to non-discrimination for exercising their CCPA rights.
ContraVault AI does not sell any data of any of its users/customers/leads. ContraVault AI assures no discrimination against consumers exercising their right of privacy under CCPA.
ContraVault AI assures that it will not ask for waiver of privacy rights from California consumers. In case you want to exercise the rights set out above you can contact our Grievance Officer whose details are set out in Section 12 below.
YOUR RIGHTS UNDER INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011
ContraVault AI adheres to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) to ensure your data is secure. Here's how ContraVault AI complies with the SPDI Rules:
| The right to be informed and give consent | Before ContraVault AI collects any of your personal data, we will clearly explain what information we need, why we need it, and how we will use it. We will only collect your personal data with your explicit consent. |
| The right to access your data | You have the right to request access to the personal information ContraVault AI holds about you. This includes the ability to review and verify its accuracy and completeness. |
| The right to correct mistakes | If you find any errors or missing information in your data held by ContraVault AI, you have the right to request corrections. We will take reasonable steps to update your information promptly upon verification of your request. |
| The right to withdraw consent | You can withdraw your consent for ContraVault AI to process your sensitive personal data at any time. Once you withdraw consent, we will stop using your data for the purpose originally agreed upon, unless there's a legal reason for continued processing (like a court order). To withdraw consent, please click . |
| Please contact our Grievance Officer, whose details are presented in Section 12, if you would like to exercise the rights listed above. | |
Where such data is not being used by us to render Services to you, we shall explicitly seek your consent for using the same. You can choose to withdraw this consent at any time, .
Additionally, please note:
- If you are a Customer/User using one of our Services to collect data about an EU data subject from third parties, it shall be your sole obligation to inform such data subject about the source of such data; and
- We do not collect any Special Categories of Personal Data. Further, if you are a Customer/User, you hereby agree and acknowledge that you shall not, under any circumstances, whether directly or indirectly, use our Services to collect or process Special Categories of Personal Data or transfer to us any such data.
- The term "Special Categories of Personal Data" shall have the meaning ascribed to it under the GDPR and shall include, without limitation, data pertaining to a data subject's race, ethnic origin, genetics, political affiliations, biometrics, health or sexual orientation.
RETENTION OF PERSONAL INFORMATION
We have implemented a ZERO DATA RETENTION (ZDR) policy within our LLMs and software. ContraVault AI Software stores uploaded RFPs, organisational data, and AI-generated outputs only for as long as your organisation chooses to keep them in the system. Your company can delete this data at any time.
As soon as the team deletes any tender or data, it gets deleted from our servers forever. On contract termination, we will automatically delete all your data within 30 days. Your organization would be required to download all data before 30 days from contract termination date.
We may need to retain your personal data even if you seek deletion thereof, if it is needed to comply with our legal obligations, resolve disputes and enforce our agreements.
If you are a customer, please be advised that: (i) you will need to inform your Leads about how you store and deal with any data you collect from them using one of our Services, in compliance with applicable laws including the GDPR; and (ii) after you terminate your usage of a Service, we may, unless legally prohibited, delete all data provided or collected by you from our servers.
TOOLS USED BY OUR CUSTOMERS
If you are a Customer, you are empowered to use proprietary or other third party technologies and integrate with our App. If you do, you agree and acknowledge that it is your sole obligation to inform your stakeholders about any data you collect by using such technologies and the policies by which such collection is bound.
TRANSFER OF INFORMATION & SUBCONTRACTORS
Data Transfer Policy: We do not transfer any data outside the primary region. All data processing and storage occurs within the same geographical region to ensure maximum security and compliance.
Subcontractor Engagement: We do not engage any subcontractors for data processing activities. All data processing is handled internally by our certified team using our own infrastructure and systems.
Authentication Partners: We rely on trusted authentication partners, Google and Microsoft, for authentication purposes only. No personal data (PII) is handled or managed by us directly for authentication - this is managed entirely by these trusted partners.
Where applicable – if the entities to which these transfers are affected are not situated in countries deemed 'adequate' by the European Commission, we shall enter into appropriate Data Protection Addendums with the transferee parties that comprehensively protect your data. We shall also put in place industry-standard technical and organizational measures (including robust data handling policies) to ensure that such transfers are completed in accordance with applicable laws.
COMPELLED DISCLOSURE
In addition to the purposes set out in the Policy, we may disclose any data we collected or processed from you if it is required:
- Under applicable law or to respond to a legal process, such as a search warrant, court order, or subpoena;
- To protect our safety, your safety or the safety of others or in the legitimate interest of any party in the context of national security, law enforcement, litigation, criminal investigation or to prevent death or imminent bodily harm;
- If required in connection with legal proceedings brought against ContraVault AI, its officers, employees, affiliates, customers or vendors; or
- To establish, exercise, protect, defend and enforce our legal rights.
SECURITY OF YOUR PERSONAL INFORMATION
We implement industry-standard technical and organizational measures by using a variety of security technologies and procedures to help protect your data from unauthorized access, use, loss, destruction or disclosure. When we collect particularly sensitive data it is encrypted using industry-standard cryptographic techniques including but not limited to SSL, TLS, RSA, and AES.
We are a SOC 2 Type 2–certified, GDPR-compliant company with the following certifications: ISO 9001:2015, ISO 27001:2022, ISO 27017:2015, and ISO 27018:2019. Our commitment to these standards ensures that we follow rigorous security practices and maintain high standards for information security. You can view our compliance documentation at https://contravault.scrut.io/.
We use AWS-native encryption, including AES-256 for data at rest (S3, DynamoDB, EBS, databases with AWS KMS–managed keys) and TLS (typically TLS 1.2 or higher) for data in transit. Secure file transfers use SFTP, data exchanged between frontend and backend is encrypted using RSA public/private keys, all S3 buckets and DynamoDB tables are encrypted with custom AWS KMS keys rotated every 15 days, and administration is managed internally on AWS Cloud.
In compliance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we adhere to the following reasonable security practices and procedures to protect your personal data:
| Access Control | We ensure that access to personal data is granted only to authorized personnel on a need-to-know basis and that such access is logged and monitored. |
| Data Encryption | We use AWS-native encryption including AES-256 for data at rest (S3, DynamoDB, EBS, databases with AWS KMS–managed keys) and TLS 1.2 or higher for data in transit. All S3 buckets and DynamoDB tables are encrypted with custom AWS KMS keys rotated every 15 days. |
| Network Security | We employ secure network architecture, including firewalls and intrusion detection systems, to prevent unauthorized access. |
| Regular Audits & Penetration Testing | Our cloud service provider conducts regular security assessments, including vulnerability assessments, penetration testing, and third-party security audits. We adhere to industry standards such as GDPR, SOC 2 Type 2, ISO 9001, and VAPT, ensuring that our services undergo rigorous annual evaluations with continuous security monitoring. |
| Incident Management | We have established protocols for managing and responding to security incidents, including data breaches, to mitigate any potential impact on your personal data. |
| Employee Training | We conduct regular training programs for our employees to ensure they are aware of and comply with our security policies and procedures. |
| Third-Party Compliance | We ensure that any third-party service providers who handle personal data on our behalf adhere to equivalent security standards and practices. |
| Physical and Environmental Security | We have implemented robust physical security controls to protect our data centers and other facilities from unauthorized access, damage, and interference. |
| Business Continuity & Data Backup | We have developed and tested business continuity plans to ensure the availability of critical information and systems in the event of a disruption. We perform data backups on daily, weekly and monthly schedules with detailed RTO and RPO procedures available upon request. |
| Risk Assessment and Treatment | We conduct regular risk assessments to identify potential security threats and vulnerabilities, and implement appropriate risk treatment plans to mitigate identified risks. |
| Audit and Compliance | We conduct regular internal and external audits to ensure compliance with ISO 27001 standards and continuously improve our ISMS. |
| Zero Data Retention (ZDR) | We have ZERO DATA RETENTION (ZDR) within our LLMs and software. As soon as data is deleted from our system, it gets deleted from our servers forever. On contract termination, we will automatically delete all your data within 30 days. |
| Authentication & Identity Management | We rely on trusted authentication partners, Google and Microsoft, for authentication purposes. No personal data (PII) is handled/managed by us directly for authentication. |
GRIEVANCE OFFICER & DATA PROTECTION OFFICER DETAILS
The name and contact details of our Grievance Officer and Data Protection Officer, who you may contact if you have any concerns, complaints, or feedback pertaining to this Policy, are as follows:
| ROLE & ADDRESS | EMAIL/PHONE |
|---|---|
| General Support ContraVault AI 112-A, Red MIG Flats, Rajouri Garden, Delhi - 110027 | support@contravault.com |
| Grievance Officer Isha Juneja | isha@contravault.com |
| Data Protection Officer (DPO) Mr. Tanmay Juneja (CTO & DPO) Oversees adherence to relevant standards and regulations such as ISO and GDPR | tanmay@contravault.com |
NOTE: This Privacy-Policy is Website Specific only.