Privacy Policy
Introduction
This Privacy Policy is designed to comply with, and be interpreted consistently with, applicable privacy laws, including the EU/EEA General Data Protection Regulation (GDPR), UK GDPR, India’s Digital Personal Data Protection Act, 2023 and draft Rules, 2025 (DPDP), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), Brazil’s LGPD, Singapore’s PDPA, Australia’s Privacy Act 1988, and analogous laws where we operate. Where legally permitted, SecureRoom extends core rights and protections described in this Policy to all users, regardless of location.
SecureRoom.ai (“SecureRoom,” “we,” “us,” or “our”) provides Virtual Data Room (VDR) software and related services globally, including websites, web applications, mobile and desktop apps, APIs, and connected services (collectively, “Services”). This Privacy Policy explains how SecureRoom collects, uses, discloses, transfers, retains, and protects personal data when individuals and organizations use the Services.
By using the Services, you acknowledge this Policy. Where a specific law requires consent for particular processing (e.g., marketing or non-essential cookies), we obtain consent via clear, granular notices.
Definitions
For clarity, the following terms apply.
(a) Personal Data (Personal Information): Information that identifies or can reasonably be used to identify an individual (e.g., name, email, phone, IP address, device identifiers, geolocation, online identifiers, and usage data).
(b) Customer Data / Your Content: Files, documents, communications, indexes, metadata, and other content uploaded to or generated in the VDR by or for a customer or its authorized users. Customers generally control Customer Data.
(c) Controller/Fiduciary and Processor: The party determining purposes and means of processing is a “Controller” (GDPR/UK GDPR) or “Data Fiduciary” (DPDP). The party processing on behalf of the Controller is a “Processor” (GDPR/UK GDPR) or “Data Processor” (DPDP).
(d) Subprocessor/Service Provider: A third party engaged by SecureRoom to process personal data in support of the Services (e.g., cloud hosting, support, analytics, security). Under CCPA/CPRA, these may be “service providers” or “contractors.”
(e) International Transfer: Any transfer of personal data across borders to a country with different data protection laws, subject to transfer mechanisms (e.g., SCCs, adequacy, Data Privacy Framework).
Roles
- Enterprise deployments: The customer is the Controller/Fiduciary for Customer Data; SecureRoom is the Processor/Data Processor under the DPA.
- Direct website accounts and marketing: SecureRoom is the Controller for account data, telemetry, and marketing data it determines the purposes for.
Information We Collect
- Account and Profile Data: Name, email, mobile number, organization, title, billing details, login identifiers, authentication factors, and user preferences.
- Usage and Technical Data: IP address, device identifiers, browser/OS, session IDs, event logs, access timestamps, clickstream, feature usage, crash/error reports, and geolocation, where enabled.
- Customer Data: Documents and communications stored or transmitted via the Services, including derived metadata and indexes necessary for search, versioning, and audit trails.
- Support and Communications: Helpdesk tickets, chat transcripts, and feedback.
- Cookies/Similar Technologies: Cookies, SDKs, pixels, tags, and beacons used for authentication, security, analytics, and personalization, subject to the Cookie Policy and consent where required.
Purposes of Processing
SecureRoom processes personal data to:
- Provide, operate, secure, and support the Services, including authentication, collaboration, watermarking, audit trails, and role-based access control.
- Configure data residency and storage location options per customer agreement.
- Improve performance and features, conduct analytics, quality assurance, and research with privacy safeguards.
- Detect, prevent, and investigate fraud, abuse, security incidents, and violations of terms.
- Provide customer service, training, onboarding, and communications about service changes.
- Comply with legal and regulatory obligations, including responding to lawful requests.
- Send marketing communications with consent where required; recipients can opt out at any time.
Legal Bases (by context)
- Contractual necessity: Creating and maintaining accounts; providing core VDR functionality; responding to service requests.
- Legitimate interests: Securing the Services; fraud prevention; improving features; usage analytics with appropriate safeguards and opt-out where required. Balancing tests are maintained.
- Consent: Non-essential cookies, certain analytics/marketing, and any jurisdiction requiring consent for specific processing. Consent may be withdrawn at any time.
- Legal obligation: Compliance with accounting, tax, AML/KYC, where applicable to customers’ regulated workflows, breach notifications, and recordkeeping.
Children’s Data
The Services are intended for use by individuals 18+ years of age. SecureRoom does not knowingly collect children’s personal data and prohibits child-directed use. If a child’s data is discovered, it is deleted promptly, and accounts are restricted.
How We Share Personal Data
- Subprocessors/Service Providers: Cloud hosting (e.g., AWS), support, email delivery, security monitoring, and optional analytics/marketing providers, each bound by written agreements imposing confidentiality, security, transfer safeguards, and use limitations.
- Affiliated entities subject to equivalent safeguards to support global operations.
- Customer-designated recipients within a data room (as configured by customer admins).
- Legal/Compliance: To comply with law, enforce agreements, or protect rights, safety, and security.
- Corporate Transactions: In mergers, acquisitions, or reorganizations, with continued protections and notice where required.
- SecureRoom does not “sell” or “share” personal information for cross-context behavioral advertising as defined by CCPA/CPRA.
International Data Transfers and Data Residency
SecureRoom operates globally. Personal data may be transferred to and processed in countries different from the data subject’s country. Safeguards include:
- European Economic Area/UK: European Commission Standard Contractual Clauses (SCCs) or UK IDTA/Addendum; reliance on adequacy decisions where applicable; participation in the EU-U.S. Data Privacy Framework and the UK Extension, where relevant.
- Contractual commitments with sub-processors to implement equivalent protections; transfer risk assessments where required.
- Data Residency: Enterprise customers may select preferred storage regions (e.g., EU, US, India) by agreement. Administrative, support, or security processing may still involve limited cross-border access subject to safeguards.
Data Retention and Deletion
SecureRoom retains personal data only as long as necessary for the purposes described, to comply with legal, regulatory, and audit requirements, to maintain security records, and to resolve disputes. Unless a different period is specified by applicable law or contract:
- Customer Data: Retained for the subscription term plus a retrieval window defined by contract, i.e. 10 years; securely deleted thereafter.
- Account, billing, and contract records: Typically retained for 10 years to meet financial, tax, and compliance requirements common in legal/financial sectors.
- Security and operational logs: Typically 5 years, unless required longer for investigations.
- Marketing data: Retained until consent is withdrawn and for a short period afterward to effectuate the request.
Where retention periods differ due to law, the longest applicable legal period will apply, after which data is securely deleted or de-identified using industry-standard methods.
Security Measures
SecureRoom implements technical and organizational measures, including:
- Encryption at rest (AES-256) and in transit (TLS 1.2+), key management, and secure coding practices.
- Multi-factor authentication, least-privilege and role-based access, SSO/SAML support.
- Network segmentation, continuous monitoring, vulnerability management, and regular penetration tests.
- Secure development lifecycle, change management, disaster recovery, and business continuity.
- Independent audits and certifications, summary reports available to customers under NDA.
Automated Decision-Making and Profiling
SecureRoom does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.
Your Privacy Rights
Subject to applicable law, individuals may have the right to:
- Access, correct, or delete your personal data; restrict or object to processing; and data portability in a structured, commonly used, machine-readable format.
- Withdraw consent at any time for processing based on consent, without affecting prior lawful processing.
SecureRoom will not discriminate for exercising privacy rights. Requests will generally be answered within 30–45 days, extendable where permitted.
Subprocessors and Third-Party Services
SecureRoom maintains a current list of subprocessors (e.g., hosting, email, analytics, support). Each is vetted and bound by security, confidentiality, transfer, and audit obligations. Customers can request notice of material changes and object per the DPA where applicable.
Government and Legal Requests
SecureRoom carefully reviews third-party and government requests for data. Unless legally prohibited, customers are notified prior to disclosure of Customer Data and may seek protective measures. SecureRoom challenges overbroad or unlawful requests.
Data Access by SecureRoom Personnel
Access to Customer Data by SecureRoom personnel is restricted to least-privileged, need-to-know scenarios (e.g., support tickets or incident response) and is logged and monitored. Access is subject to confidentiality and disciplinary controls.
Changes to this Policy
Material changes are communicated via in-product notice or email. The “Effective Date” indicates the latest revision. Continued use after updates indicates acknowledgment of the revised Policy, where permitted by law.
Contact, Data PO, and Representatives
Privacy Officer/Data Protection Officer: Sunita Panchal
Email ID of DPO: Info@secureroom.ai
Mailing Address: Room No. 8, Chawl No. 1, Motibhai Desai Chawl, Ganesh Nagar, Rawalpada, Dahisar East, Mumbai – 400068, Maharashtra, India.
Grievance Officer: +918433733707


