GDPR Compliance
Effective date: June 6, 2026 · Last updated: June 6, 2026
Regulation (EU) 2016/679 — General Data Protection Regulation
Smritix AI LLP is committed to complying with the General Data Protection Regulation (GDPR) for all EU/EEA residents who use Vaultix-ID or whose data is processed through it. This page supplements our Privacy Policy with GDPR-specific information.
1. Roles: Controller vs. Processor
Smritix AI LLP as Controller
When you register as a Vaultix-ID operator (dashboard user), Smritix AI LLP acts as a data controller for your operator account data (name, email, organisation, usage logs).
Smritix AI LLP as Processor
When your end-users authenticate through applications you build on Vaultix-ID, you are the data controller and Smritix AI LLP acts as a data processor on your behalf. We process end-user data only according to your instructions (as configured in the platform) and as necessary to provide the authentication service.
If you are subject to GDPR and are using Vaultix-ID to process EU personal data, you should execute a Data Processing Agreement (DPA) with us. Contact legal@smritix-ai.com to request a DPA.
2. Legal Bases for Processing
We process personal data under the following legal bases (Article 6 GDPR):
- Contract performance (Art. 6(1)(b)) — Processing your account data and authentication events to provide the Services you have contracted for.
- Legitimate interests (Art. 6(1)(f)) — Security monitoring, fraud prevention, abuse detection, and improving service reliability. We have conducted a Legitimate Interests Assessment (LIA) and concluded our interests do not override your rights.
- Legal obligation (Art. 6(1)(c)) — Retaining records as required by applicable law.
- Consent (Art. 6(1)(a)) — For any optional processing (e.g. marketing communications), which you may withdraw at any time.
3. Your Data Subject Rights
EU/EEA residents have the following rights under GDPR. To exercise any of them, email legal@smritix-ai.com. We will respond within 30 days (extendable by 60 days for complex requests).
Request a copy of all personal data we hold about you, including the categories of data, purposes of processing, retention periods, and any third parties with whom it is shared.
Request correction of inaccurate or incomplete personal data. You can also update most data directly via the dashboard settings.
Request deletion of your personal data ("right to be forgotten") where we no longer have a legal basis to retain it. Note: we may retain data where required by law or for legitimate security/fraud prevention purposes.
Request that we limit processing of your data — for example, while a rectification request is being assessed.
Receive a copy of your personal data in a structured, commonly used, machine-readable format (JSON/CSV) and, where technically feasible, have it transmitted to another controller.
Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.
Vaultix-ID does not make solely automated decisions that produce legal or similarly significant effects on individuals.
4. International Data Transfers
Smritix AI LLP is incorporated in India. India has not received an EU adequacy decision. When personal data is transferred from the EU/EEA to India or to our sub-processors in third countries, we rely on one of the following mechanisms:
- Standard Contractual Clauses (SCCs) — We use the European Commission's approved SCCs (2021/914) with our sub-processors (Supabase, Vercel, Resend).
- Adequacy decisions — Where transfers are to countries with an EU adequacy decision.
You may request a copy of the relevant SCCs by emailing legal@smritix-ai.com.
5. Sub-processor List
As a processor, we engage the following sub-processors to deliver the Services. We maintain a current sub-processor list and provide 30 days' notice before adding new sub-processors.
- Supabase Inc. (USA) — Database storage. SCCs in place.
- Vercel Inc. (USA) — Compute and hosting. SCCs in place.
- Resend Inc. (USA) — Transactional email. SCCs in place.
6. Data Retention
We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law:
- Active sessions: 30 days or until sign-out
- Auth event logs: 90 days (configurable on Enterprise)
- Operator account data: Duration of relationship + 90-day grace period
- Deleted end-user data: Permanently deleted within 30 days of operator request
7. Security Measures (Art. 32)
We have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk:
- Passwords hashed with bcrypt (12 rounds) — plaintext never stored
- Sessions protected by RS256 JWTs + server-side validation on every request
- Data encrypted in transit (TLS 1.2+) and at rest (Supabase AES-256)
- API keys stored in encrypted environment variables — never in code or logs
- Regular security reviews; responsible disclosure policy at security@smritix-ai.com
- Access to production systems limited to authorised personnel on a need-to-know basis
8. Data Breach Notification (Art. 33–34)
In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where required, we will also notify affected data subjects without undue delay.
As a processor, we will notify you (the controller) of any breach without undue delay, providing sufficient information to allow you to meet your own notification obligations.
9. Supervisory Authority
You have the right to lodge a complaint with your local supervisory authority. In the EU, this is typically the Data Protection Authority (DPA) in your country of residence. A full list is available at edpb.europa.eu ↗.
10. Contact & DPA Requests
For GDPR-related enquiries, to exercise your rights, or to execute a Data Processing Agreement:
- Email: legal@smritix-ai.com
- Company: Smritix AI LLP, India
- Response time: Within 30 days