How we treat your data.

Sapiex is operated by Genior Tech Systems Private Limited, a company incorporated under the laws of India, with its registered office at No. 36, KR Ramasamy Nagar, Gurunanak Salai, Velachery, Chennai 600042, Tamil Nadu, India.

For the purposes of India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), Genior Tech Systems Private Limited is the "Data Fiduciary" responsible for your personal data when you use sapiex.ai, the Sapiex platform, or contact us.

This policy applies to personal data you provide when you (a) browse sapiex.ai or any sub-domain, (b) register or use an account on the Sapiex platform, (c) submit a contact form, (d) book a demo, (e) contract with us as an institutional customer, or (f) communicate with our support, sales, or grievance functions.

It does not cover third-party websites you reach via links from our site, nor does it cover data processed by your own systems before you submit it to Sapiex.

Account & identity data. Name, email address, work title, organisation, profile image (when supplied via single sign-on), authentication identifiers.

Content data. Documents you upload (Confidential Information Memoranda, financial models, transaction documents, board materials, primary research), prompts and instructions you submit to the agents, agent-generated output stored in your session history, and project memory entries you save.

Billing & transaction data. Where applicable, billing contact, GSTIN, invoice address, and metadata associated with payments (we do not store full payment instrument data; that is held by our payment processor).

Usage & device data. IP address, browser and operating system identifiers, request logs, session timing, tool-call traces, and aggregated performance telemetry.

Communications. Emails, contact-form submissions, and support tickets you send to us.

We collect data directly from you when you register, upload a document, type a message, or send us an email.

We collect data automatically through your browser when you visit the site (cookies, log events, performance traces required to deliver the service).

We collect a limited set of data from your identity provider (Google) when you sign in via single sign-on — your name, email address, and profile image.

To deliver the Service. Process documents and prompts through the agent runtime; persist your conversations and outputs so you can return to them; provide search, retrieval, and citation across your project.

To bill, invoice, and account. Where you are a paying customer, to charge subscription fees and meet tax-and-statutory obligations.

To secure the platform. Detect abuse, prevent fraud, investigate incidents, and enforce these terms.

To improve the product. Aggregate, de-identified usage analytics. We do not use your content for product improvement without your separate written consent — see Section 7.

To comply with law. Respond to lawful requests, court orders, and regulatory enquiries.

Our legal basis for each of the above, under the DPDP Act, is your consent or the necessity of the processing for the performance of a contract with you.

You give consent to our processing when you accept this policy (typically at account creation or, for a contact-form submission, by clicking submit). For processing that requires a separate, specific consent (for example, any future product feature that would use your content beyond delivering the Service), we will request that consent explicitly and surface what changes.

You may withdraw consent at any time by emailing rohith@sapiex.ai. If you withdraw consent for processing that is required to deliver the Service (for example, by requesting full account deletion), we will deactivate your account because we cannot operate the platform without that processing.

We do not use your personal data, uploaded documents, prompts, or agent-generated output to train, fine-tune, or improve any AI model — ours or any third party's — except where you give us explicit, separate written consent for a specific stated purpose.

Our use of third-party language models (see Section 8) is via commercial API endpoints that contractually do not train on inputs. We do not route customer content through public consumer chat surfaces.

We share your personal data with the following categories of sub-processors, each engaged under a written agreement that imposes confidentiality and data-protection obligations consistent with the DPDP Act and this policy:

Language-model providers. OpenAI (United States), Anthropic (United States), xAI (United States), Google (Gemini — global, primarily United States), DeepSeek (Singapore / China), Moonshot AI (China). These providers process your prompts and the documents you submit in order to generate agent output, under commercial API terms that prohibit training on the input.

Database & storage. Supabase Inc. (United States) — hosts your account data, project metadata, conversation history, and uploaded files.

Application hosting. Vercel Inc. (United States) — hosts the sapiex.ai web application. Railway Corp. (United States) — hosts the agent runtime service.

We update this list as our infrastructure evolves. Institutional customers receive prior notice of material sub-processor changes under their Data Processing Addendum.

Because our sub-processors are based outside India, your personal data is transferred to and processed in jurisdictions including the United States, Singapore, and China. The Digital Personal Data Protection Act, 2023 permits such transfers unless the Central Government restricts them to a specific country by notification. We will comply with any such restriction promptly upon notification.

For our largest customers, we can offer single-region storage in our Supabase deployment and isolated-tenant infrastructure; the terms are negotiated in your order form or DPA.

Account & identity data: for as long as your account is active and for up to 90 days after termination, after which we delete it unless statutory retention applies.

Content data (documents, prompts, outputs): for as long as the parent project exists. You may delete projects, sessions, or individual documents at any time from within the application, which triggers permanent deletion within 30 days.

Billing & transaction data: retained for the statutory periods required under Indian tax law (currently eight years).

Usage & device data: retained for up to twelve months for security and analytics, after which it is aggregated or deleted.

Communications: retained for as long as needed to resolve the matter and for our records.

Under the DPDP Act you have the right to:

(a) obtain a summary of the personal data we hold about you;
(b) obtain correction or completion of inaccurate or incomplete personal data;
(c) obtain erasure of personal data we no longer need to retain;
(d) withdraw consent (see Section 6);
(e) nominate, in case of death or incapacity, an individual to exercise your rights on your behalf;
(f) raise a grievance with our Grievance Officer (see Section 15).

To exercise any of these rights, write to rohith@sapiex.ai. We will acknowledge your request within 24 hours and act within the timelines prescribed by applicable law.

We use industry-standard technical and organisational measures including transport-layer encryption (TLS) for data in transit, encryption-at-rest for content storage, role-based access control, audit logging on administrative actions, and segregation between customer data sets at the application layer.

For institutional customers who require it, we offer isolated-tenant infrastructure (a dedicated database and runtime per organisation) and the option to deploy into your own Virtual Private Cloud. These terms are negotiated in your order form or DPA.

Sapiex is a professional tool aimed at investment professionals. We do not knowingly collect personal data from any individual under the age of 18. If you believe a child has provided us personal data, please contact rohith@sapiex.ai so we can delete it.

If we become aware of a personal data breach affecting your data, we will notify the Data Protection Board of India and impacted customers in accordance with the timelines prescribed under the DPDP Act and, where applicable, the CERT-In directions of 28 April 2022 — including initial reporting to CERT-In within 6 hours of becoming aware of the incident and detailed reporting within 72 hours.

The notification will describe the nature of the breach, the categories and approximate number of data principals affected, the likely consequences, and the measures taken or proposed to address it.

In accordance with the DPDP Act and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Grievance Officer for Sapiex is:

Name: Rohith K Rangan
Designation: Grievance Officer
Email: rohith@sapiex.ai
Address: Genior Tech Systems Private Limited, No. 36, KR Ramasamy Nagar, Gurunanak Salai, Velachery, Chennai 600042, Tamil Nadu, India

The Grievance Officer will acknowledge your grievance within 24 hours and resolve it within the timelines prescribed by applicable law.

We may revise this policy from time to time. Material changes — including any change to our sub-processor list, the categories of data we collect, or the purposes for which we process it — will be notified to active users by email or via an in-application notice at least 7 days before the change takes effect.

Non-material changes (typographical fixes, clarifications) are made without separate notice; the "Current as of" date at the top of this page is always updated.

For general questions about how Sapiex handles data, write to rohith@sapiex.ai.

For ops, billing, or contract questions, write to checkin@sapiex.ai.

Institutional customers requiring a Data Processing Addendum, a current sub-processor list, or specific security documentation, write to rohith@sapiex.ai with "DPA Request" in the subject line.