Privacy Policy
Effective Date: 18 June 2026 Version: 1.1 Replaces: Version 1.0 dated 01 March 2026
Violet InfoSystems Pvt. Ltd. ("Violetinfo.ai", "we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use any product across the Violetinfo.ai platform, visit any of our websites, or interact with us in any other way.
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy.
1. Scope and Applicability
This Privacy Policy applies to all Violetinfo.ai products and services, including:
- VioletLMS — Enterprise Learning Management System
- VioletLXP — Learning Experience Platform
- VOnboard — AI-powered employee onboarding
- VRecruit — Recruitment intelligence
- VAuthor AI — AI content authoring
- VTest — Online assessment and proctoring
- VKnow — Knowledge management
- VForms — Digital forms and surveys
- VGen AI / VConverse / VInsights / VSearch / VTranslate / VGamify / VPath AI / VCoach — AI assistants and intelligence layers
- Competency Intelligence — Skills and competency framework
- Any future product released on the Violetinfo.ai platform
It also applies to:
- our websites:
violetinfo.ai,violetlms.com, and any subdomain (e.g.,customer.violetinfo.ai) - white-labelled customer domains (e.g.,
learn.yourcompany.com) - our mobile applications, browser extensions, and APIs
- communications you have with us by email, phone, chat, or through any support or sales channel
If you access any Violetinfo.ai product through your employer, educational institution, or another organization, your administrator's contract with us also governs how your data is handled.
2. Who We Are
Violet InfoSystems Pvt. Ltd. (corporate brand: Violetinfo.ai) is an Indian company registered under the Companies Act 2013, with its registered office at:
1106, Quantum Tower, Chincholi Phatak, S.V. Road, Malad (West), Mumbai — 400064, India
Violet InfoSystems Pvt. Ltd. is the Data Fiduciary (under India's DPDPA 2023) and the Data Controller (under the EU/UK GDPR) for personal data processed in connection with the Violetinfo.ai platform, unless your organization has separately agreed to act as the controller under a data-processing agreement.
For privacy queries, contact our DPO at dpo@violetinfo.ai or privacy@violetinfo.com.
3. Information We Collect
3.1 Information You Provide Directly
- Account registration: name, email address, phone number, organization name, job title, employee/student ID, password
- Profile information: profile photo, professional details, learning preferences, location, language, time zone, reporting manager
- Communications: messages, support tickets, feedback, survey responses, sales enquiries
- Payment information: billing name, billing address, GSTIN/tax ID. Payment card data is processed by our PCI-DSS Level 1 payment processor and is never stored on Violetinfo.ai systems
3.2 Information Collected Automatically
- Usage data: course completions, assessment scores, learning progress, login times, watch time, feature usage, search queries, click streams
- Technical data: IP address, browser type and version, device type and model, operating system, screen resolution, session duration, referrer URL
- Log data: system logs of your interactions with our platform, retained for security, performance monitoring, and regulatory compliance (including the CERT-In direction on log retention)
3.3 Information From Your Organization
Where you access a Violetinfo.ai product through your employer or institution, your administrator may provide us with your name, email, employee/student ID, department, location, designation, reporting manager, and other details required to provision your account or assign learning.
3.4 Special Categories of Data
We may process special categories of data only where strictly necessary for the Service and only with appropriate safeguards:
- Biometric data — only where your organization has enabled biometric authentication (e.g., facial verification during VTest proctoring) and only as permitted by applicable law
- Sensitive personal information (under CCPA/CPRA) — including precise geolocation, identity documents for proctoring, and any biometric data — handled with additional restrictions; you may opt out of certain uses where the law allows
- Children's data — see Section 12
3.5 Information We Do Not Collect
- We do not collect social security numbers, driving licence numbers, or other government IDs unless your organization specifically enables a feature that requires it (e.g., compliance training certifications)
- We do not access your microphone, camera, or location without your explicit in-product consent
- We do not read messages in third-party messaging apps
4. How We Use Your Information
We use personal data to:
- Provide the Services — create and manage your account, deliver learning, track progress, enable assessments and certifications, process onboarding/recruitment workflows
- Personalize your experience — surface relevant learning paths, AI coaching, recommended content, dashboards
- Communicate with you — send service notifications, password resets, course assignment alerts, account changes, security alerts, and (with your consent) marketing communications
- Provide customer support — respond to enquiries, troubleshoot, route to the right team
- Maintain security and prevent fraud — detect unauthorized access, abuse, account takeover, and policy violations
- Comply with law — meet our obligations under DPDPA 2023, GDPR, CCPA/CPRA, applicable tax laws, CERT-In directions, and law-enforcement requests
- Improve our products — analyze aggregated usage patterns to make the platform better
5. Legal Basis for Processing
We rely on the following legal bases, depending on jurisdiction and processing activity:
| Basis | When we use it |
|---|---|
| Contractual necessity | To deliver the Services under your account agreement or your employer's subscription |
| Legitimate interests | Security, fraud prevention, analytics, platform improvement — balanced against your rights |
| Legal obligation | Tax records, CERT-In log retention, court orders, regulator requests |
| Consent | Marketing communications, optional cookies, biometric features. You may withdraw consent at any time without affecting prior processing |
| Public interest / vital interest | Where applicable under specific local laws |
5.1 Aggregated and Anonymized Data
We may aggregate and anonymize personal data so that it can no longer reasonably be linked to you, and use that aggregated data for benchmarking, research, analytics, and product development. Aggregated data is not personal data.
6. Who We Share Your Information With
We share personal data only with the following categories of recipients:
- Your organization's administrators — your learning records, progress, and account details are visible to the administrators of the institution that gave you access
- Sub-processors — vetted third-party providers under written data-processing agreements (see Section 7)
- Legal and regulatory requirements — courts, government authorities, CERT-In, when required by law
- Business transfers — in the event of a merger, acquisition, or restructuring, personal data may be transferred subject to equivalent privacy protections; you will be notified before the transfer takes effect
- With your consent — any other recipient you specifically authorize
We do not sell your personal data. We do not share your personal data with advertisers. California residents — see Section 11.
6.1 DPDPA Consent Manager
Under India's DPDPA 2023, you may interact with us through a registered Consent Manager. Where the Government of India operationalizes Consent Managers, we will support consent-management requests routed through them.
6.2 Marketing Opt-Out
If you receive marketing communications from us:
- every email contains an Unsubscribe link in the footer
- you can also email privacy@violetinfo.com at any time
- opting out of marketing does not affect service-related communications (security alerts, course assignments, billing)
7. Sub-processors
We use a small set of trusted sub-processors to operate the Services. All sub-processors are bound by written Data Processing Agreements, are required to maintain equivalent security and privacy protections, and process data only on our documented instructions.
| Category | Sub-processor | Purpose | Data location |
|---|---|---|---|
| Cloud infrastructure | Amazon Web Services | Hosting, storage, databases | AWS Mumbai (ap-south-1) primary; backups within India |
| Payments | Razorpay / Stripe | Payment processing for paid subscriptions | India / US (PCI-DSS) |
| Transactional email | Amazon SES / SendGrid | Account emails, notifications, password resets | Region-specific |
| AI inference | Anthropic, OpenAI, AWS Bedrock | AI features (VAuthor, VGen, VConverse, VInsights) — see Section 9 for what we do and do not send | US / regional endpoints |
| Customer support | Zoho | Support ticketing | Region-specific |
| Analytics | First-party analytics + GA4 (cookie-consent gated) | Usage analytics | Region-specific |
8. How We Protect Your Information
We implement administrative, technical, and physical safeguards aligned to ISO 27001, SOC 2 Type II, and DPDPA-grade controls:
8.1 Technical controls
- Encryption at rest using AES-256
- Encryption in transit using TLS 1.2 or higher
- Least-privilege role-based access with multi-factor authentication required for any sensitive system
- AWS CloudWatch, GuardDuty, and CloudTrail for continuous monitoring
- Regular vulnerability scanning and annual third-party penetration testing
- Network segmentation, private VPC, AWS Web Application Firewall
8.2 Organizational controls
- Mandatory annual security and privacy training for every employee
- Background verification on every hire
- Quarterly access reviews
- Documented incident response procedure with on-call rotation
- ISO 27001 / SOC 2 Type II audited (refer to our Command Center https://commandcentre.violetcloud.io/)
8.3 Data Breach Notification
If we become aware of a security incident affecting your personal data, we will:
- notify your organization's administrators without undue delay, and at the latest within 72 hours of becoming aware (GDPR) and as required by the CERT-In direction (within 6 hours of becoming aware, for incidents involving Indian residents' data)
- notify the Data Protection Board of India as required by DPDPA 2023
- notify supervisory authorities in other applicable jurisdictions where required by law
- where the incident is likely to result in a high risk to your rights and freedoms, notify you directly
While we take significant measures, no internet transmission or electronic storage is completely secure, and we cannot guarantee absolute security.
9. AI and Automated Processing
Violetinfo.ai products use AI features (VAuthor AI, VGen AI, VConverse AI, VInsights AI, VCoach, VTest AI proctoring, and others). Here is what that means for your data:
- We do not use customer personal data to train our AI models or any third-party AI models. Customer content sent to AI providers (Anthropic, OpenAI, AWS Bedrock) is processed under zero-retention or no-training agreements wherever supported by the provider.
- AI suggestions are recommendations, not decisions. Where AI features influence outcomes — for example, AI-assisted scoring on VTest, AI competency recommendations on Competency Intelligence — a qualified human can review and override the AI output. You may request human review for any automated decision that affects your learning record, certification, or employment.
- AI proctoring transparency. If your organization enables AI proctoring on VTest, you will see an on-screen notice before the proctoring session begins, listing exactly what is captured (camera, screen, microphone, browser activity) and for how long it is retained.
- AI generation transparency. Content produced by VAuthor / VGen is labelled as AI-generated where appropriate.
You may exercise your right under GDPR Article 22 and CCPA to not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. Email dpo@violetinfo.ai.
10. International Data Transfers
Your personal data is primarily stored and processed within India on Amazon Web Services infrastructure in the AWS Mumbai (ap-south-1) region.
Where we transfer personal data outside its country of origin, we rely on one or more of the following safeguards:
- DPDPA 2023 — transfers only to countries permitted by the Government of India by notification
- GDPR Chapter V — Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Addendum, or an adequacy decision
- CCPA — contractual provisions equivalent to the CPRA service-provider standard
- Other applicable law — equivalent local-law mechanisms in KSA, UAE, Singapore, Australia, and other regions
11. Your California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following rights:
- Right to Know — what personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it
- Right to Delete — request deletion of your personal information (subject to legal retention obligations)
- Right to Correct — request that we correct inaccurate personal information
- Right to Opt Out of Sale / Sharing — we do not sell or share your personal information for cross-context behavioural advertising
- Right to Limit Use of Sensitive Personal Information
- Right to Non-Discrimination — we will not deny you Services, charge you a different price, or provide a different quality of Service because you exercised any of these rights
To exercise these rights, submit a request at email privacy@violetinfo.com. We may verify your identity before responding.
You may also designate an authorized agent to act on your behalf.
12. Children's Privacy
Different ages of consent apply in different countries:
| Region | Threshold | What it means |
|---|---|---|
| India (DPDPA) | Under 18 | Verifiable parental consent required for processing |
| EU (GDPR) | Under 16 (some member states 13–15) | Parental consent required for online services |
| US (COPPA) | Under 13 | Federal verifiable parental consent required |
| California (CCPA) | Under 16 | Opt-in required for any sale/sharing |
Where Violetinfo.ai products are deployed for an audience that includes children below the applicable age, we require the deploying institution (school, training partner, or parent) to obtain all necessary parental consents before deployment and to confirm this in writing to us.
We do not knowingly collect personal data directly from children without verifiable parental consent. If you believe a child has provided us data without consent, please email privacy@violetinfo.com and we will delete the data without undue delay.
See our internal Violetinfo Children's Data Policy for the full operating procedure. (refer to our Command Center https://commandcentre.violetcloud.io/)
13. Cookies and Tracking Technologies
We use cookies and similar technologies in four categories:
| Category | Required? | What it does | How to control |
|---|---|---|---|
| Strictly necessary | Always on | Session, security, load balancing | Cannot be disabled; required for the Service to function |
| Functional | Opt-in | Remembers language, theme, preferences | Cookie banner |
| Analytics | Opt-in | Matomo + GA4 + Hotjar + Violetinfo Analytics to measure usage patterns | Cookie banner |
| Marketing | Opt-in | None on logged-in product surfaces; limited on violetinfo.ai marketing pages with consent |
Cookie banner |
You can manage your preferences through our cookie banner or your browser settings. Details are in our separate Cookie Policy, which forms part of this Privacy Policy.
14. Data Retention
| Data category | Retention period | Why |
|---|---|---|
| Active account data | Duration of your subscription + 3 years | Reactivation, dispute resolution, regulatory |
| Transaction and financial records | 8 years | Indian tax law |
| Security and system logs | 12 months active + 24 months archive | Security investigations, CERT-In direction |
| AI proctoring video/screen capture (when enabled) | 90 days unless dispute | Test integrity, audit |
| Marketing data | Until you unsubscribe + 1 year | Suppression list maintenance |
| Anonymized/aggregated data | Indefinitely | No longer personal data |
On request, account closure, or end of contract, we will delete or anonymize your personal data within 90 days, subject to legal retention obligations.
See our internal Data Restoration and Destruction Policy for the disposal procedure. (refer to our Command Center https://commandcentre.violetcloud.io/)
15. Third-Party Websites and Services
Our websites and products may contain links to third-party websites or integrate with third-party services (e.g., LinkedIn for SSO, YouTube for video, Razorpay for payments). This Privacy Policy applies only to the Violetinfo.ai-operated services. We are not responsible for the privacy practices of third parties and encourage you to review their policies.
16. Your Rights and How to Exercise Them
Subject to applicable law, you have these rights:
- Right to be informed — understand how your data is used
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion (subject to legal retention)
- Right to restrict processing — limit how we use your data
- Right to object to processing — including direct marketing
- Right to data portability — receive your data in a machine-readable format
- Right to withdraw consent — at any time, where consent is the legal basis
- Right to grievance redressal (DPDPA) — to our Grievance Officer
- Rights related to automated decision-making and profiling — see Section 9
- Right to opt out of sale/sharing — see Section 11
- Right to non-discrimination — for exercising any of the above
How to exercise
- Email: privacy@violetinfo.com or dpo@violetinfo.ai
- Post: the address in Section 17
We will respond to verified requests within 30 days (DPDPA / India / most jurisdictions) or 1 month (GDPR), extendable by 2 further months for complex requests. We may need to verify your identity before responding.
17. How to Contact Us
| Role | Contact |
|---|---|
| Data Protection Officer (DPO) | dpo@violetinfo.ai |
| Privacy Contact | privacy@violetinfo.com |
| Grievance Officer (DPDPA 2023) | grievance@violetinfo.ai (replace with named officer before publishing) |
| General Support | support@violetinfo.ai |
| Registered Office | Violet InfoSystems Pvt. Ltd., 1106, Quantum Tower, Chincholi Phatak, S.V. Road, Malad (West), Mumbai — 400064, India |
18. Complaints and Supervisory Authorities
If you have a concern about our handling of your personal data, please contact our DPO first at dpo@violetinfo.ai. We will work with you to resolve the matter within 30 days.
If unresolved, you may lodge a complaint with the supervisory authority in your jurisdiction:
| Region | Authority |
|---|---|
| India | Data Protection Board of India (DPDPA 2023) · CERT-In for cyber incidents |
| EU / EEA | Your local data protection authority (list: edpb.europa.eu) |
| UK | Information Commissioner's Office — ico.org.uk |
| California (US) | California Privacy Protection Agency — cppa.ca.gov · California Attorney General |
| United States (Federal) | Federal Trade Commission |
| KSA | Saudi Data and Artificial Intelligence Authority (SDAIA) |
| UAE | UAE Data Office (Federal Law 45 of 2021) |
| Oman | Ministry of Transport, Communications and Information Technology |
| Bahrain | Personal Data Protection Authority |
| Singapore | Personal Data Protection Commission — pdpc.gov.sg |
| Australia | Office of the Australian Information Commissioner (OAIC) — oaic.gov.au |
| Malaysia | Personal Data Protection Commissioner |
| South Africa | Information Regulator |
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. We will notify you of material changes by email and through a notice on the Violetinfo.ai platform at least 30 days before the changes take effect.
Version log
| Version | Date | Summary |
|---|---|---|
| 1.0 | 01-Mar-2026 | Initial public privacy policy for VioletLMS |
| 1.1 | 18-Jun-2026 | Expanded to full Violetinfo.ai product suite. Added CCPA/CPRA, AI processing, sub-processors, breach timelines, supervisory authorities, cookie categories, version log. Updated entity branding to Violetinfo.ai and contacts to violetinfo.ai domain. |
