Privacy Policy — Colytics AI
Effective Date: 18 May 2026 Last Updated: 18 May 2026
Introduction
ATTROCK Consultancy Private Limited ("ATTROCK", "we", "us", or "our") operates Colytics AI, a SaaS AI visibility platform that uses artificial intelligence to generate recommendations, reports, and insights for our users. We are a private limited company incorporated under the laws of India, with our registered office at 33/34 Mansarwar, Jaipur, Rajasthan — 302020. This Privacy Policy explains how we collect, use, store, and share your personal data when you access or use Colytics AI, visit our website, or otherwise interact with us.
Colytics AI is used by individuals and businesses around the world. Because our users are global, this Policy is drafted to address the requirements of several data protection regimes, including India's Digital Personal Data Protection Act 2023 (DPDP Act), the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Where the standards of these laws differ, we apply the one that affords the greatest protection to you. That said, this is an Indian company's privacy policy, and any dispute arising hereunder shall be subject to the exclusive jurisdiction of the courts at Jaipur, Rajasthan.
By using Colytics AI — whether by creating an account, signing up for early access, or simply browsing our website — you accept the practices described in this Policy. If you do not accept them, please do not use our services.
What Information We Collect
We collect only the personal data we actually need to run the platform. Broadly, this falls into three categories:
Information you give us directly. This includes your name and email address, which you provide when you sign up for an account, register for early access, fill out a form, or correspond with us. If you subscribe to our marketing communications, we also record your preferences in that regard. If you process payments through the platform, Stripe — our payment processor — collects your payment card details and billing information; we do not store your card details ourselves.
Information collected automatically. When you visit our website or use the platform, we collect your IP address, browser type and version, operating system, device type, screen resolution, language preference, and time zone. We also record which pages you visit, how long you spend on them, and your navigation path through the site. This is done primarily through Google Analytics and Microsoft Clarity.
AI interaction data. When you use Colytics AI's core features, your queries, prompts, and inputs are processed by third-party AI models (described below) to generate the recommendations, reports, and insights that you receive. We may retain these interactions to improve the platform and resolve technical issues.
We do not collect special categories of personal data under GDPR Article 9 — meaning we do not process data about your racial or ethnic origin, political opinions, religious beliefs, health, sex life, sexual orientation, genetic or biometric data, or trade union membership. We also do not collect government identification numbers unless required by law for invoicing purposes, and we do not collect precise geolocation data — at most, we derive approximate country or region-level location from your IP address.
How We Use Your Information
We use your personal data for the following purposes:
To provide the Colytics AI service. This is the core of what we do — account creation, authentication, delivering AI-generated insights, recommendations and reports, processing subscriptions, and communicating with you about service updates, security alerts, and technical matters. Without this data, we simply cannot operate the platform.
To send marketing communications, where you have consented. If you opt in, we send promotional emails about new features, product updates, industry insights, and related content. You can withdraw this consent at any time — every marketing email contains an unsubscribe link, and you can also email us at help@colytics.ai. We do not send marketing communications without your explicit opt-in, and your consent is never bundled with acceptance of our Terms of Service.
For analytics and product improvement. We use Google Analytics and Microsoft Clarity to understand how users interact with the platform, measure marketing performance, identify technical issues, and optimise the user experience. We also use aggregated and anonymised data for research and development.
For security and fraud prevention. We use technical data — particularly IP addresses and access patterns — to detect and prevent unauthorised access, abuse, and fraud. This is in our legitimate interest and, frankly, in yours as well.
To comply with legal obligations. This includes tax and accounting requirements, responding to lawful requests from public authorities, and enforcing our legal rights.
Legal Basis for Processing
Under Article 6 of the GDPR and Section 4 of India's DPDP Act , we process personal data only where we have a valid legal basis. The basis depends on what we are doing:
- Contract performance (GDPR Art. 6(1)(b); DPDP Act Section 7 — legitimate uses): account management, delivering the platform, processing payments, and sending service-related communications.
- Consent (GDPR Art. 6(1)(a); DPDP Act Section 4): marketing communications, and non-essential analytics and tracking cookies. Our consent mechanism involves a clear affirmative action — an unticked checkbox for marketing, and a granular cookie consent banner for tracking technologies. Consent can be withdrawn at any time, and the ease of withdrawal is comparable to the ease of giving it.
- Legitimate interests (GDPR Art. 6(1)(f)): security, fraud prevention, and product improvement using aggregated or pseudonymised data. We have conducted a balancing test to ensure our interests do not override your fundamental rights.
- Legal obligation (GDPR Art. 6(1)(c)): tax, accounting, and regulatory compliance.
For California residents, the CCPA/CPRA gives you the right to know what personal information we collect, the right to delete it (subject to exceptions), and the right to opt out of any "sale" or "sharing" of your personal information. We do not sell personal information for monetary consideration. However, our use of third-party analytics and marketing tools may constitute "sharing" under CCPA definitions, and we provide a "Do Not Sell or Share My Personal Information" link on our website for this purpose.
AI Systems and Transparency
Colytics AI is, as the name suggests, powered by artificial intelligence. This section addresses our transparency obligations under Article 50 of the EU AI Act (Regulation (EU) 2024/1689), which requires that you be informed when you are interacting with an AI system and when content has been artificially generated.
You are interacting with AI systems when you use Colytics AI. The platform integrates with several third-party AI model providers — OpenAI (GPT models), Anthropic (Claude), Google (Gemini), and xAI (Grok) — to process your inputs and generate outputs including recommendations, reports, and insights. Your queries and prompts are transmitted to these providers for processing, and the outputs they generate are returned to you through the platform. This processing may occur on servers located in the United States and other jurisdictions.
Any recommendations, reports, insights, or other text-based outputs you receive through the platform are AI-generated. These outputs are produced by third-party AI models and may not always be accurate, complete, or up-to-date. AI models have training cut-off dates, may reflect biases present in their training data, and may not fully understand your specific business context. You should exercise independent judgment and verify AI-generated outputs before relying on them for critical decisions. We do not accept liability for decisions you make based on AI-generated content — please refer to our Terms of Service for the full limitation of liability.
The AI model providers listed above process your data as our sub-processors under data processing agreements that include Standard Contractual Clauses where required. None of the processing involves automated decision-making that produces legal effects or similarly significant effects on you within the meaning of GDPR Article 22. If you do not wish your data to be processed by AI systems at all, please contact us — though you should know that opting out will prevent you from using the core features of the platform.
Cookies and Tracking Technologies
We use cookies and similar technologies — pixels, web beacons, and local storage — to operate and improve the platform. We categorise cookies as follows:
- Strictly Necessary cookies are essential for the platform to function and cannot be disabled. They enable security, authentication, and session management.
- Performance / Analytics cookies help us understand how users interact with the platform. These include cookies set by Google Analytics and Microsoft Clarity.
- Marketing / Targeting cookies enable us to deliver relevant communications and measure the effectiveness of our marketing campaigns. These include cookies set by HubSpot, Mailchimp, and ActiveCampaign.
- Functional cookies remember your preferences (language, display settings) and provide enhanced features.
Strictly Necessary cookies are placed automatically. All other categories require your consent, which we obtain through a cookie consent banner that allows you to select which categories you accept. We implement Google Consent Mode v2 to manage how Google's tags behave based on your choices. You can change your cookie preferences at any time through the "Cookie Settings" link in our website footer, or by adjusting your browser settings. Our detailed Cookie Policy contains further information.
Who We Share Your Information With
We do not sell your personal data. We share it only with carefully selected service providers who act as our sub-processors, and only to the extent necessary for them to perform their functions. All are contractually bound to process personal data only for our specified purposes and in accordance with applicable data protection law. We may also disclose data where required by law or to protect our legal rights — for instance, in connection with a merger or acquisition, or in response to a court order.
Our current sub-processors are:
- Google Analytics — website traffic analysis, user behaviour tracking, and conversion measurement.
- Microsoft Clarity — user behaviour analytics, heatmaps, and session recordings.
- Mailchimp (Intuit) — email campaign management and subscriber list management.
- HubSpot — marketing automation, CRM, and lead tracking.
- ActiveCampaign — email marketing automation and user segmentation.
- DigitalOcean — cloud hosting, server infrastructure, and data storage.
- Cloudflare — content delivery network, DDoS protection, and web application firewall.
- Trello (Atlassian) — internal project tracking and workflow management.
- Stripe — payment processing, subscription billing, and fraud prevention.
- OpenAI — AI-powered data analysis, insight generation, and report drafting.
- Anthropic — AI-powered data analysis and content generation.
- Google (Gemini) — AI-powered data processing and insight generation.
- xAI — AI-powered data analysis and insight generation.
We may update this list from time to time as our services evolve. We will notify you of material changes, and you may request our current sub-processor list at any time by emailing help@colytics.ai.
International Data Transfers
ATTROCK is based in India, and our servers and sub-processors are located in multiple jurisdictions, primarily the United States. When you use Colytics AI, your personal data may be transferred to and processed in countries other than your own.
For transfers of personal data from the European Economic Area or the United Kingdom to countries not recognised as adequate by the European Commission, we rely on EU Commission Standard Contractual Clauses (2021/914) as the transfer safeguard under GDPR Article 46. These clauses are incorporated into our data processing agreements with sub-processors. We have also assessed the law and practice of destination countries regarding government access to personal data — following the Schrems II judgment — and implemented supplementary technical measures including encryption in transit (TLS 1.2 or higher) and pseudonymisation where feasible.
For transfers from India, the DPDP Act permits cross-border transfers subject to conditions that the Central Government may specify. We implement contractual safeguards for such transfers, including data processing agreements with our sub-processors that restrict onward transfers and commit to data security and confidentiality.
How Long We Keep Your Data
We retain personal data only for as long as necessary to fulfil the purposes for which we collected it, including to satisfy legal, accounting, tax, and reporting requirements. As a general matter: account data is retained for the duration of your active account plus a reasonable period thereafter (typically up to seven years where required for tax or accounting purposes); usage and analytics data is retained for shorter periods consistent with the retention policies of our analytics providers; marketing data is retained until you withdraw your consent; and AI interaction data is retained for service delivery and debugging purposes. When data is no longer needed, we securely delete or anonymise it. Anonymised or aggregated data that can no longer identify you may be retained indefinitely.
Your Rights
Your rights depend on where you are located:
If you are in the European Union or United Kingdom , you have the right to access your personal data, correct inaccuracies, request erasure (the "right to be forgotten"), restrict processing, data portability, and to object to processing based on legitimate interests or for direct marketing. You also have the right to lodge a complaint with your local supervisory authority or the UK Information Commissioner's Office. These rights are set out in GDPR Articles 15–22.
If you are in California , you have the right to know what personal information we collect about you, the right to delete that information (subject to exceptions), the right to opt out of the "sale" or "sharing" of your personal information, and the right to non-discrimination for exercising these rights. You may also request information about our disclosure of personal information to third parties for direct marketing purposes under California's "Shine the Light" law (Cal. Civ. Code § 1798.83).
If you are in India , as a Data Principal under the DPDP Act, you have the right to access a summary of your personal data, request correction or erasure of inaccurate or misleading data, register a grievance with our Grievance Officer, and nominate another individual to exercise your rights in the event of your death or incapacity. You also have the right to withdraw your consent at any time, with the ease of withdrawal being comparable to the ease of giving it. These rights are found in Sections 8 and 6 of the DPDP Act.
If you are in Canada , under PIPEDA you have the right to access the personal information we hold about you, challenge its accuracy, and challenge our compliance with PIPEDA's fair information principles. You also have the right to withdraw consent (subject to legal or contractual restrictions) and to file a complaint with the Office of the Privacy Commissioner of Canada.
To exercise any of these rights, email us at help@colytics.ai with the subject line "Data Rights Request" along with your full name and a description of what you need. We will verify your identity before processing your request. We respond free of charge within the timeframe prescribed by applicable law — typically 30 days under the GDPR and 45 days under the CCPA. If a request is manifestly unfounded or excessive, we may charge a reasonable administrative fee.
Security
We implement reasonable technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS 1.2 or higher), encryption at rest where technically feasible, role-based access controls, multi-factor authentication for internal systems, regular vulnerability scanning, and security awareness training for our team. Our infrastructure provider, DigitalOcean, maintains SOC 2 Type II certification. We are also mindful of our obligations under Section 43A of the Information Technology Act 2000 , which imposes liability on body corporates that fail to implement reasonable security practices.
No method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
Breach Notification
In the event of a personal data breach, we will act promptly to assess the risk to affected individuals and take remedial measures. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. We will also notify the relevant supervisory authorities within the timeframes required by applicable law — including within 72 hours under the GDPR, and in accordance with Section 13 of the DPDP Act for breaches affecting Indian Data Principals. We maintain a record of all breaches for compliance and accountability purposes.
Children's Privacy
Colytics AI is not directed at children, and we do not knowingly collect personal data from anyone under the age of 18. Under the DPDP Act, a "child" is defined as a person who has not completed 18 years of age, and the Act imposes additional obligations for processing children's data — including obtaining verifiable parental consent. Since we do not target children and do not knowingly collect their data, these obligations do not currently arise in practice. If we become aware that we have collected personal data from a child under 18, we will delete that information promptly. Parents or guardians who believe their child has provided us with personal data may contact us at help@colytics.ai.
Grievance Officer
Under Section 12 of the DPDP Act , every Data Fiduciary must appoint a Grievance Officer to address grievances of Data Principals. Our Grievance Officer is:
Ankit Jain , Advocate, High Court of Rajasthan, Jaipur ATTROCK Consultancy Private Limited 33/34 Mansarwar, Jaipur, Rajasthan — 302020 Email: help@colytics.ai
You may contact Mr. Jain for any grievance relating to the processing of your personal data under Indian law. He will acknowledge your grievance and work to resolve it within a reasonable timeframe. If you are not satisfied with the resolution, you may escalate your grievance to the Data Protection Board of India once it is constituted.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, sub-processors, or applicable law. Material changes will be notified to you by email and through a prominent notice on the platform. Non-material changes will be posted on this page with an updated effective date. Your continued use of Colytics AI after the effective date of changes constitutes acceptance of the updated Policy.
Contact Us
For privacy-related inquiries, data subject requests, or any questions about this Policy, please contact us at help@colytics.ai or write to us at: ATTROCK Consultancy Private Limited, 33/34 Mansarwar, Jaipur, Rajasthan — 302020.
Note for Legal Review
EU Representative under GDPR Article 27: ATTROCK is assessing whether it requires an EU representative under Article 27 of the GDPR. While this assessment is ongoing, EU data subjects may direct any queries, requests, or complaints to our Grievance Officer, Ankit Jain, Advocate, at help@colytics.ai. We will appoint an EU representative if our legal assessment confirms this is required.