Privacy Policy

When you use VirtuaizeAI, we process the following categories of data on your behalf:

• Document metadata extracted from ICEGATE Shipping Bills, Bills of Entry, and related customs paperwork you upload — including shipping bill numbers, IEC codes, FOB values, HS codes, port codes, drawback and RODTEP rates, container numbers, and similar structured fields (95+ fields per document).
• Account information about authorised users — name, work email, role, and authentication metadata.
• Operational logs that record who accessed which document, what they changed, and what was pushed to SAP. These power the audit trail.
• Inbound enquiries submitted via our website contact form (name, work email, company, role, optional message).

We do not collect or store payment card details, government IDs, or biometric data. We do not use cookies for advertising or cross-site tracking.

All customer data is stored in a managed Supabase Postgres instance hosted in an Indian region. Data at rest is encrypted with AES-256. Data in transit is protected with TLS 1.3 (HTTPS only). Row-level security policies are applied to every customer-facing table so that one customer's data is never reachable by another.

Source PDF documents you upload are stored in object storage in the same region, encrypted at rest. Database backups are taken daily and retained for 30 days within the same jurisdiction.

We retain your documents, extracted fields, and audit logs for the duration of your active subscription, plus a short wind-down period (typically 30 days) after termination to allow data export. After that period elapses, all customer-specific data is irreversibly deleted from primary storage and from backups on their natural rotation cycle.

Aggregate, non-identifying operational metrics (e.g. throughput counters) may be retained indefinitely for capacity planning, but contain no customer-identifying information.

We do not sell, rent, or trade customer data. We do not share it with advertisers, brokers, or analytics platforms. The only third parties with logical access to customer data are the infrastructure providers that run our service:

• Supabase — managed Postgres and object storage.
• Railway — application hosting and background workers.
• Customer-nominated SAP endpoints — to which validated fields are pushed at your instruction.

Each of these providers is bound by a Data Processing Agreement and is contractually prohibited from accessing customer data except as required to operate the service.

The AI Copilot answers natural-language questions about your documents. When you ask a question, the relevant subset of your data (only the records needed to compose the answer) is sent to a large-language-model provider for inference. We use providers that contractually commit to zero data retention: your prompts and the model's responses are not stored, not used to train models, and are discarded after the response is returned.

Coordinate-based field extraction does not use generative AI and runs entirely within our own infrastructure.

Under the Digital Personal Data Protection Act, 2023, and applicable law, you may request access to, correction of, or deletion of personal data we hold about you. Customer administrators can also delete user accounts and revoke access directly within the product. For data subject requests, contact privacy@virtuaize.com.

If we update this policy, we will revise the “Last updated” date and, for material changes, notify customer administrators by email at least 30 days before the change takes effect.