Privacy Policy — Ages of India App

The Ages of India mobile application is owned, developed, and operated by Cave Art Studios Private Limited, a company incorporated under the Companies Act, 2013, having its registered office at No. 442 Poonamallee High Road, Maduravoyal, Chennai – 600 095 (hereinafter referred to as the "Company", "we", "us", or "our").

"Ages of India" (the "App" or "Service") means the mobile application developed and operated by Cave Art Studios Private Limited, encompassing all associated features, immersive VR/AR experiences, digital cultural content, and related services accessed via the physical "Ages of India" product.

This Privacy Policy explains how we collect, use, store, protect, and disclose personal data when you download, install, register with, or use the Ages of India mobile application and any related services. By using the App, you consent to the practices described in this Privacy Policy. This Policy is an integral part of our Terms of Use and should be read together with it.

We are fully committed to complying with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (DPDP Act), the IT Act, 2000, and the Consumer Protection Act, 2019.

1Information We Collect

We collect only the data necessary to provide, improve, and secure the App.

1.1 Information You Provide

(a) On the App (during registration/activation/support):

Name and email address.
Mobile number (if you voluntarily provide it for registration or support).
The unique activation token or QR-linked identifier scanned from your physical "Ages of India" product (required for one-time access/login).

(b) Voluntary submissions: Any information you provide when contacting us (e.g., support queries, grievance requests).

(c) On the Website (when purchasing the physical product): Name, email address, shipping address, mobile number, and payment details (processed securely by the Zoho payment gateway). These details are not collected or stored by the App itself. The App only receives the activation token/QR code generated post-purchase for granting access. Purchase data is securely stored on AWS servers located in India.

1.2 Automatically Collected Information

The App does not collect any automatically generated device or usage information beyond what is strictly necessary for basic functionality and security. No device model, operating system version, unique device identifiers, IP address, or app version is collected, stored, or processed by us.

Usage data: Features accessed (Museum menus, AR scans, Map videos, Quizzes), session duration, interactions with content, and crash/error logs.
Camera data (AR Menu only): When you use the "Scan QR & Explore" feature, the App accesses your device camera temporarily and only during the session to scan the physical product QR code for activation, and to detect flat surfaces and anchor 3D cultural models in your real-world environment using on-device AR technology.

Important: The live camera feed is processed entirely on your device. No images, videos, or full spatial maps of your home/environment are stored, uploaded, or retained by us. The processing is session-only and ends when you close the AR feature.

1.3 No Sensitive Personal Data

We do not collect or process sensitive personal data such as biometric information, eye-tracking, facial expressions, fingerprints, health data, racial or ethnic origin, religious beliefs, or any data that could infer emotional states or medical conditions.

1.4 Third-Party VR/XR Hardware

If you choose to use the App with any third-party VR headset or viewer, we do not collect data from that hardware. Any data processed by the headset is governed solely by the headset manufacturer's privacy policy.

2How We Use Your Information

We use your personal data only for the following legitimate purposes:

To activate and provide access to the App using the QR code from your physical product
To deliver personalized educational and immersive experiences
To improve the App through analytics (e.g., which features are most used)
To provide technical support and respond to grievances
To send important service-related communications (e.g., updates, security alerts)
To detect and prevent fraud, misuse, or unauthorized sharing of access
To comply with legal obligations and court/government orders

We do not use your data for targeted advertising, profiling for marketing, or selling data to third parties.

3Legal Basis for Processing

Under the DPDP Act, 2023, our processing is based on:

Your consent via app permissions and continued use
Performance of the contract to deliver the Service you accessed via the purchase of the physical product
Legitimate interests
Legal compliance

You may withdraw consent at any time, but this may prevent you from using certain features — like revoking camera permission, which disables AR.

4Sharing & Disclosure of Information

We do not sell, rent, or trade your personal data. We may share data only in the following limited cases:

With trusted service providers for cloud hosting, analytics, and crash-reporting tools who are contractually bound to protect your data and process it only on our instructions
With payment processors or logistics partners, only if required for physical product delivery/refunds
When required by law, court order, or government authority
In the event of a merger, acquisition, or sale of assets, with notice where required

We do not transfer your personal data outside India. All personal data is stored and processed exclusively on servers located within India. Any future transfer outside India will comply with Section 16 of the DPDP Act, 2023.

5Confidentiality

We value your privacy and treat all collected personal data with the highest level of confidentiality. Access to your data is strictly limited to authorized personnel who are bound by contractual confidentiality obligations and required to process it solely for the purposes outlined in this Privacy Policy. We share your personal data only with trusted service providers who assist us in delivering the App and its services, and only to the extent necessary for that purpose. We never sell your personal information to third parties for marketing or any other commercial use. Our confidentiality commitments continue even after termination of your use of the App.

6Data Retention

We retain your personal data only for as long as necessary to fulfill the specific purposes for which it was collected, or as required by applicable law, in line with the DPDP Act, 2023 and DPDP Rules, 2025.

Account data (name, email, mobile number, activation identifiers): Retained for the duration needed to provide access, deliver Services, handle support queries, and prevent misuse. Erased upon your deletion request or when the purpose is no longer served — unless longer retention is legally required.
Usage analytics and crash/error logs (anonymized/aggregated, no personal identifiers): Since it is anonymized, this data is no longer personal data and may be kept indefinitely for legitimate business purposes.
Processing logs and traffic data: Retained for a minimum of one (1) year from the date of processing, as required under Rule 8(3) of the DPDP Rules, 2025 and the Seventh Schedule.
Camera/AR session data: Deleted immediately after the AR session ends. No images, videos, spatial maps, or session recordings are stored, uploaded, or retained by us.

7Your Rights as Data Principal

Under the Digital Personal Data Protection Act, 2023, you have the following rights:

Right to access: Obtain confirmation of whether we process your personal data and request a summary or copy of it
Right to correction: Request rectification or updating of inaccurate, incomplete, or outdated personal data
Right to erasure ("right to be forgotten"): Request deletion of your personal data when it is no longer necessary, consent is withdrawn, or processing is unlawful
Right to nomination: Nominate individuals who can exercise your rights in case of death or incapacity
Right to grievance redressal: Raise concerns or complaints about our processing activities
Right to withdraw consent: Withdraw consent at any time for consent-based processing

To exercise any of these rights, contact our Grievance Officer / Data Protection Officer at the details provided in Clause 16. We will verify your identity and respond within the timelines prescribed under the DPDP Act. There is no charge for exercising these rights, except in cases of manifestly unfounded or excessive requests as permitted by law.

8Withdrawal of Consent

You may withdraw your consent for any consent-based processing of your personal data at any time, with the ease of withdrawal comparable to how consent was given. To withdraw, contact our Grievance Officer (Clause 16) with your request. Upon withdrawal, we will cease relevant processing within a reasonable time (unless another lawful basis applies), without affecting prior lawful processing. Consequences of withdrawal (e.g., potential loss of app features) are borne by you.

9Children's Privacy

The App is intended for users 18 years and above. We do not knowingly collect data from children under 18. If we become aware that we have collected data from a child without parental consent, we will delete it immediately.

10Third-Party Services

The App may be compatible with third-party VR, AR, or XR hardware to enhance your immersive experience. We do not control, operate, or endorse these third-party services or hardware. Their collection, use, disclosure, and protection of your personal data are governed solely by their own privacy policies and practices.

We are not responsible for the privacy practices, data handling, security measures, or content of any third-party website, service, or hardware; any personal data you choose to provide directly to third parties; or any risks or liabilities arising from the use of third-party VR/XR hardware. We strongly recommend that you review their privacy policies before interacting with them.

11Limitation of Liability

11.1 No Warranty

The Company and its affiliates make no representation or warranty about the App's data handling, privacy protections, or related services, including any representation that data processing will be uninterrupted, error-free, completely secure, or free from breaches. The App's data processing activities and associated services are provided on an "as is" and "as available" basis.

To the fullest extent permitted under applicable law, the Company disclaims any implied or statutory warranty, including any implied warranty of title, accuracy, completeness, non-infringement, merchantability, fitness for a particular purpose, or adequacy of security safeguards.

11.2 Exclusion of Liability

To the fullest extent permitted by law, the Company will not be liable in connection with this Privacy Policy or the processing of your personal data for:

Loss of profits, business opportunities, goodwill, reputation, or anticipated savings
Loss, corruption, or unauthorized access to data
Any indirect, incidental, consequential, special, exemplary, or punitive damages
Any damages arising from data breaches, security incidents, unauthorized access, or any other losses connected to the use of the App's data processing features or services

12Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top will be revised and will be updated in the App. Continued use after changes constitutes your acceptance of the revised Policy.

13Governing Law

This Privacy Policy is governed exclusively by the Laws of India.

14Dispute Resolution

Any dispute arising out of or in connection with this Policy shall first be resolved through arbitration under the Arbitration and Conciliation Act, 1996. The arbitration shall be conducted by a sole arbitrator mutually appointed by the Parties, or if no agreement is reached within 30 days, by three arbitrators (one appointed by each Party and the third by the two appointed arbitrators). The seat of arbitration shall be Chennai, Tamil Nadu, and the language shall be English. The arbitral award shall be final and binding.

Subject to the exhaustion of arbitration proceedings, the competent courts in Chennai, Tamil Nadu, India shall have exclusive jurisdiction over any disputes. We encourage amicable resolution — please contact our Grievance Officer (Clause 16) first for any issues.

15Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Data Protection Board of India without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, as required under the DPDP Act, 2023 and Rules.

The notification will include the nature of the breach, categories and approximate number of data principals affected, likely consequences, and measures taken or proposed to address the breach and mitigate its effects. If the breach poses a high risk, we will also provide specific recommendations on steps to protect yourself.

16Grievance Redressal Mechanism

In accordance with the Digital Personal Data Protection Act, 2023, we have appointed a Data Protection Officer and a Grievance Officer. For any questions, concerns, or grievances, contact our designated Officers:

Data Protection Officer

Yougesh Prabhu
Email: yougesh@caveartstudios.com
Cave Art Studios Private Limited
No. 442 Poonamallee High Road
Maduravoyal, Chennai – 600 095

Grievance Officer

Mr. Yougesh
Email: caveart.store@caveartstudios.com
Mobile: +91 98408 35656
Cave Art Studios Private Limited
No. 442 Poonamallee High Road
Maduravoyal, Chennai – 600 095

We will acknowledge and resolve grievances within the timelines prescribed under the DPDP Act and the Information Technology Act, 2000.

By using the Ages of India App, you acknowledge that you have read, understood, and agreed to this Privacy Policy. Thank you for trusting us with your data as you explore India's timeless heritage.