DPDP Act 2023 Compliant

Data Processing Agreement

Last updated: March 10, 2026  |  Version 1.0

This Data Processing Agreement ("DPA") describes how MeraCXO collects, uses, processes, and shares your data when you use our platform. This document is compliant with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India.

🗄️

Data We Collect

Business info, queries, consultation content

🤖

How We Process It

Sent to Anthropic Claude API for advisory generation

🇮🇳

Your Rights

Access, correct, delete under DPDP Act 2023

1 Parties to This Agreement

Data Fiduciary

Vedatricks, operator of MeraCXO platform (meracxo.vedatricks.com). We are the entity that determines the purpose and means of processing your personal data.

Data Principal

You — the individual or business owner using MeraCXO. As a Data Principal under the DPDP Act 2023, you have rights over your personal data.

Anthropic, PBC (USA) acts as a Data Processor when processing data sent to the Claude API on our behalf.

2 Data We Collect

We collect the following categories of data when you use MeraCXO:

A. Account & Identity Data

  • Name, email address, mobile number
  • Login credentials (password stored as a one-way hash; never readable)
  • Account creation date, last login date

B. Business Profile Data

  • Business name, industry, stage, city, state
  • Revenue range, team size, business goals
  • GSTIN (if provided voluntarily)
  • Uploaded documents (pitch deck, resume) — stored in your private upload directory
  • LinkedIn and social media URLs (if provided voluntarily)

C. Consultation Content

  • Questions and queries you submit to CXO advisors
  • AI-generated responses and advisory reports
  • Consultation history and session metadata

D. Payment Data

  • Transaction IDs, order IDs (from Razorpay)
  • Amount paid, plan purchased, GST details
  • Note: We do not store card numbers, CVV, UPI IDs, or banking credentials. All payment processing is handled by Razorpay.

E. Technical & Usage Data

  • IP address, browser type, device type
  • Pages visited, features used, session duration
  • Anonymous analytics via Vedatricks Analytics (no personal identifiers)

3 How We Process Your Data

We process your data for the following purposes, with the corresponding legal basis under the DPDP Act 2023:

Purpose Legal Basis (DPDP Act 2023)
Providing AI advisory consultations Consent (Section 6) + Contractual necessity
Processing payments and issuing invoices Contractual necessity; legal obligation (GST compliance)
Account management and authentication Contractual necessity
Platform improvement and bug fixing Legitimate use (Section 7) — anonymised or aggregated data
Sending transactional communications Contractual necessity
Marketing communications (optional) Explicit consent; you may opt out at any time
Fraud prevention and security Legitimate use (Section 7)

4 Anthropic Claude API — How Your Data Is Used

What gets sent to Anthropic

When you submit a consultation query, MeraCXO constructs a prompt that includes your business profile summary and your question. This prompt is sent to Anthropic's Claude API over an encrypted HTTPS connection. Anthropic processes this data to generate a response, which MeraCXO then displays to you.

Data sent to Anthropic is processed under Anthropic's commercial API terms. MeraCXO's API usage is subject to Anthropic's Privacy Policy and API usage agreements.
Anthropic states that data submitted through the commercial API is not used to train their models by default. Please refer to Anthropic's Privacy Policy for the current, authoritative statement.
! Anthropic's servers are located in the United States. By using MeraCXO, you consent to the transfer of your consultation data to the United States for processing by Anthropic, as necessary to provide the advisory service.
We recommend avoiding including highly sensitive personal information (e.g., individual financial account numbers, Aadhaar numbers, full PAN details) in your consultation queries.

5 Data Retention Policy

Data Category Retention Period Reason
Account & profile data Duration of account + 30 days post-deletion Account recovery window
Consultation history Duration of account + 30 days post-deletion Service continuity
Payment & invoicing records 7 years from transaction date GST / Income Tax Act obligation
Activity & security logs 90 days Fraud detection, security
Grievance records 3 years from resolution Legal / compliance records

After retention periods expire, data is securely deleted or irreversibly anonymised.

6 Your Rights Under the DPDP Act 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

Right to Access (Section 11)

You can request a summary of the personal data we hold about you and the processing activities we perform on it.

Right to Correction (Section 12)

You can request that inaccurate, incomplete, or outdated personal data be corrected. You can update most data directly from your Profile settings.

Right to Erasure (Section 12)

You can request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to our legal retention obligations.

Right to Grievance Redressal (Section 13)

You have the right to have your grievance regarding data processing addressed by our Grievance Officer within the prescribed timeframe.

Right to Withdraw Consent (Section 6)

You may withdraw your consent to data processing at any time. Withdrawal may affect your ability to use certain features of the platform.

Right to Nominate (Section 14)

You may nominate another individual to exercise your data rights in the event of your death or incapacity, as per the DPDP Act provisions.

7 How to Request Data Deletion

To request deletion of your account and personal data:

1

Via Grievance Form (Preferred)

Submit a grievance at https://meracxo.vedatricks.com/grievance with complaint type "Data Issue" and request account deletion.

2

Via Email

Email grievance@vedatricks.com with subject line "Data Deletion Request — [your registered email]".

3

Processing Time

We will acknowledge your request within 24 hours and complete the deletion within 30 days, except for data we are legally required to retain (e.g., financial records for tax compliance).

8 Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

  • All data transmitted between your browser and our servers is encrypted using TLS 1.2+.
  • Passwords are stored as one-way bcrypt hashes. We cannot recover your password.
  • Access to production data is restricted to authorised personnel only.
  • Payment processing is handled by Razorpay (PCI-DSS compliant). MeraCXO does not process or store card data.

9 Third-Party Data Processors

Processor Purpose Data Shared
Anthropic, PBC (USA) AI response generation Business context + consultation query
Razorpay (India) Payment processing Name, email, transaction amount
Vedatricks Analytics (India) Anonymous usage analytics Anonymous page views (no PII)

We do not sell your personal data to third parties. We do not share your data with advertisers.

Contact Our Grievance Officer

For any data-related requests, questions, or concerns under the DPDP Act 2023, please contact:

Grievance Officer: Vedatricks Data Protection Team

Email: grievance@vedatricks.com

Response SLA: Acknowledgement within 24 hours; resolution within 30 days

Grievance Form: meracxo.vedatricks.com/grievance

If you are not satisfied with our response, you may approach the Data Protection Board of India once it is constituted under the DPDP Act 2023.