GDPR Compliance

1. INTRODUCTION

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations processing the personal data of individuals in the European Union (EU) and European Economic Area (EEA), wherever those organizations are established. This page explains how Omkaar Group ("we," "our," or "us") complies with GDPR requirements through The AI Creators platform.

Company Information:

  • Company Name: Omkaar Group
  • Website: www.theaicreators.com
  • Address: Office No. 102, 1st Floor, Rituraj Business Park, Bicholi Mardana, Near Uno Business Park, Bypass, Indore (M.P) - 452016, India
  • Email: [email protected] / [email protected]
  • Phone: +91 93437 87741
  • Data Protection Officer: [email protected]

2. GDPR APPLICABILITY

2.1 When GDPR Applies to You

GDPR applies if you are:

  • A resident of any EU/EEA country
  • Located in the EU/EEA when using our services
  • A business established in the EU/EEA using our services

2.2 Our GDPR Obligations

As a service provider processing EU personal data, we comply with GDPR requirements including:

  • Lawful basis for data processing
  • Data subject rights implementation
  • Privacy by design and default
  • Data breach notification procedures
  • International data transfer safeguards

3. LAWFUL BASIS FOR PROCESSING

Under GDPR Article 6, we process your personal data based on the following lawful bases:

3.1 Consent (Article 6(1)(a))

  • When: Marketing communications, optional features, cookies
  • Your Control: You can withdraw consent at any time
  • Examples: Newsletter subscriptions, personalized recommendations

3.2 Contract (Article 6(1)(b))

  • When: Providing our AI services, account management, billing
  • Purpose: Fulfilling our service agreement with you
  • Examples: Account creation, subscription processing, customer support

3.3 Legal Obligation (Article 6(1)(c))

  • When: Compliance with applicable laws
  • Purpose: Meeting regulatory requirements
  • Examples: Tax records, fraud prevention, court orders

3.4 Legitimate Interest (Article 6(1)(f))

  • When: Business operations, security, improvements
  • Balancing Test: We ensure our interests don't override your rights
  • Examples: Website analytics, fraud detection, service optimization

3.5 Special Category Data

We do not intentionally collect special category data (sensitive personal data such as health, biometric or political-opinion data). Where such processing is strictly required, it takes place only under one of the conditions in GDPR Article 9(2) and with appropriate safeguards.

4. YOUR GDPR RIGHTS

4.1 Right of Access (Article 15)

What it means: You can request confirmation of whether we process your data and obtain a copy.

How to exercise:

  • Log into your account dashboard
  • Email [email protected] with "Data Access Request"
  • Provide identity verification

Response time: Within 1 month (extendable by a further 2 months for complex or numerous requests; we will tell you within the first month if an extension is needed)

4.2 Right to Rectification (Article 16)

What it means: You can correct inaccurate or incomplete personal data.

How to exercise:

  • Update information directly in your account
  • Contact customer support for assistance
  • Email [email protected] with corrections

Response time: Without undue delay, within 1 month

4.3 Right to Erasure / "Right to be Forgotten" (Article 17)

What it means: You can request deletion of your personal data under certain conditions.

When applicable:

  • Data no longer necessary for original purpose
  • You withdraw consent and no other lawful basis exists
  • Data processed unlawfully
  • Legal obligation requires erasure

Limitations:

  • A legal obligation requires us to retain the data
  • Processing is necessary for freedom of expression or a task in the public interest
  • We have overriding legitimate grounds for the processing, or need the data to establish, exercise or defend legal claims

How to exercise: Email [email protected] with "Data Deletion Request"

4.4 Right to Restriction of Processing (Article 18)

What it means: You can require us to keep storing your data but stop using it for other purposes while the restriction applies.

When applicable:

  • Accuracy of data is contested
  • Processing is unlawful but you oppose deletion
  • We no longer need data but you need it for legal claims
  • You object to processing pending verification

How to exercise: Email [email protected] with "Processing Restriction Request"

4.5 Right to Data Portability (Article 20)

What it means: You can receive your data in a structured, machine-readable format and transfer it to another service.

Scope: Data you provided to us based on consent or contract performance

Format: CSV, JSON, or other commonly used machine-readable formats

How to exercise: Request through [email protected]

4.6 Right to Object (Article 21)

What it means: You can object to processing based on legitimate interests or for direct marketing.

Direct Marketing: Absolute right to object; we stop that processing as soon as you object

Other Processing: We stop unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the data is needed for legal claims

How to exercise: Email [email protected]

4.7 Rights Related to Automated Decision-making (Article 22)

What it means: Protection against purely automated decisions with significant effects.

Our Practice:

  • We use AI for content generation, not automated decision-making about individuals
  • Human oversight involved in account decisions
  • You can request human review of automated decisions

5. DATA PROCESSING DETAILS

5.1 Categories of Personal Data

We process the following categories of personal data:

Identity Data:

  • Name, username, email address
  • Account credentials and preferences
  • Profile information and settings

Technical Data:

  • IP address, device identifiers
  • Browser and system information
  • Usage logs and analytics data

Transaction Data:

  • Payment information and billing details
  • Subscription history and usage records
  • Customer support interactions

Content Data:

  • AI-generated content and prompts
  • File uploads and processed documents
  • User-created materials and preferences

5.2 Data Sources

We collect personal data from:

  • Directly from you: Account registration, service usage
  • Automatically: Website interactions, cookies, analytics
  • Third parties: Payment processors, integration partners

5.3 Recipients of Personal Data

We share data with:

  • Service Providers: Cloud hosting, payment processing, analytics
  • Legal Authorities: When required by law or court order
  • Business Partners: With your explicit consent only

6. INTERNATIONAL DATA TRANSFERS

6.1 Transfer Locations

Your data may be transferred to and processed in:

  • India: Our primary data processing location
  • United States: Cloud service providers (AWS, Google Cloud)
  • Other Countries: Where our service providers operate

6.2 Transfer Safeguards

We ensure adequate protection through:

Standard Contractual Clauses (SCCs):

  • EU-approved data transfer agreements
  • Binding contractual obligations for data protection
  • Regular compliance monitoring

Adequacy Decisions:

  • Transfers to countries the European Commission has recognized as providing adequate protection
  • No additional transfer mechanism is required for these destinations

Certification Schemes:

  • Service providers with recognized privacy certifications
  • Regular audits and compliance verification

6.3 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) to evaluate:

  • Local laws in destination countries
  • Additional safeguards needed
  • Risk mitigation measures

7. DATA RETENTION

7.1 Retention Principles

We retain personal data only as long as necessary for:

  • Fulfilling the purposes for collection
  • Complying with legal obligations
  • Establishing, exercising, or defending legal claims

7.2 Specific Retention Periods

Account Data:

  • Active accounts: Duration of relationship
  • Inactive accounts: 3 years from last activity
  • Deleted accounts: 30 days for recovery, then permanent deletion

Transaction Data:

  • Payment records: 7 years for tax compliance
  • Billing information: Duration of relationship + 6 years
  • Refund requests: 3 years from resolution

Technical Data:

  • Analytics data: 26 months maximum
  • Log files: 12 months
  • Cookie data: As specified in cookie settings

Marketing Data:

  • Consent-based: Until consent withdrawn
  • Legitimate interest: 3 years from last interaction
  • Suppression lists: Permanently (to honor opt-outs)

8. DATA SECURITY

8.1 Technical Measures

Encryption:

  • Data encrypted in transit (TLS 1.3)
  • Data encrypted at rest (AES-256)
  • End-to-end encryption for sensitive communications

Access Controls:

  • Multi-factor authentication for admin accounts
  • Role-based access permissions
  • Regular access reviews and updates

Infrastructure Security:

  • ISO 27001 certified data centers
  • SOC 2 Type II compliant service providers
  • Regular penetration testing and vulnerability assessments

8.2 Organizational Measures

Staff Training:

  • Regular GDPR training for all employees
  • Data protection awareness programs
  • Incident response training

Policies and Procedures:

  • Data protection impact assessments
  • Data breach response procedures
  • Vendor management and due diligence

Monitoring and Auditing:

  • Continuous security monitoring
  • Regular compliance audits
  • Data protection officer oversight

9. DATA BREACH PROCEDURES

9.1 Detection and Assessment

Monitoring Systems:

  • 24/7 security monitoring
  • Automated threat detection
  • Regular security assessments

Breach Classification:

  • High Risk: Likely to result in high risk to rights and freedoms
  • Medium Risk: Some risk to individuals
  • Low Risk: Unlikely to result in risk to individuals

9.2 Notification Procedures

To Supervisory Authority:

  • Timeline: Without undue delay and, where feasible, within 72 hours of becoming aware (notification is not required where the breach is unlikely to result in a risk to individuals; if we notify later than 72 hours, we explain the delay)
  • Information: Nature of breach, categories affected, likely consequences
  • Follow-up: Additional information provided as it becomes available

To Data Subjects:

  • When: High risk to rights and freedoms
  • Timeline: Without undue delay
  • Method: Direct communication (email, account notification)
  • Content: Nature of breach, likely consequences, measures taken

9.3 Breach Response

Immediate Actions:

  • Contain and assess the breach
  • Preserve evidence and documentation
  • Implement remedial measures

Investigation:

  • Determine cause and scope
  • Assess impact on individuals
  • Review and improve security measures

10. COOKIES AND TRACKING

10.1 Cookie Categories

Strictly Necessary:

  • Essential for website functionality
  • Cannot be disabled
  • No consent required (exempt as strictly necessary under the ePrivacy rules)

Performance/Analytics:

  • Website usage statistics
  • Service improvement purposes
  • Consent required

Functional:

  • Enhanced functionality and personalization
  • Remember user preferences
  • Consent required

Marketing:

  • Targeted advertising and campaigns
  • Social media integration
  • Explicit consent required

10.2 Consent Management

Cookie Banner:

  • Clear information about cookie types
  • Granular consent options
  • Easy withdrawal of consent

Consent Records:

  • Documentation of consent given
  • Timestamp and scope of consent
  • Ability to review and modify

10.3 Third-Party Cookies

  • Analytics: Google Analytics (with IP anonymization)
  • Payment: RazorPay, PayPal, Stripe (for payment processing)
  • Support: Chat and helpdesk services
  • Marketing: Social media pixels (with consent)

11. CHILDREN'S DATA PROTECTION

11.1 Age Verification

  • EU Users: Service not available to users under 16, except in member states that have set a lower age of digital consent (13 at minimum)
  • Parental Consent: Required for users aged 13-15 in those jurisdictions
  • Age Verification: Implemented during account creation

11.2 Special Protections

  • Enhanced privacy protections for minors
  • Limited data collection and processing
  • Regular review of child safety measures
  • Clear information for parents and guardians

12. DATA PROTECTION IMPACT ASSESSMENTS (DPIA)

12.1 When We Conduct DPIAs

  • New technologies or processing methods
  • Large-scale processing of personal data
  • High-risk processing activities
  • Systematic monitoring of public areas

12.2 DPIA Process

Assessment Components:

  • Description of processing operations
  • Assessment of necessity and proportionality
  • Risk assessment for individuals
  • Mitigation measures identification

Consultation:

  • Data Protection Officer involvement
  • Stakeholder input when appropriate
  • Prior consultation with the supervisory authority where a high residual risk remains after mitigation (Article 36)

13. DATA PROTECTION OFFICER (DPO)

13.1 DPO Responsibilities

  • Monitor GDPR compliance
  • Advise on and monitor data protection impact assessments
  • Serve as contact point for supervisory authorities
  • Provide data protection advice and training

13.2 Contacting Our DPO

Email: [email protected]

Response Time: Within 5 business days

Languages: English, Hindi

When to Contact:

  • GDPR-related questions or concerns
  • Data protection impact assessment requests
  • Complaints about data processing
  • Guidance on privacy rights

14. SUPERVISORY AUTHORITY CONTACTS

14.1 Lead Supervisory Authority

We are established outside the EU/EEA, so no single lead supervisory authority applies to us; you can contact the supervisory authority in your own member state. Common authorities include:

  • Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI)
  • France: Commission Nationale de l'Informatique et des Libertés (CNIL)
  • Ireland: Data Protection Commission (DPC)
  • Netherlands: Autoriteit Persoonsgegevens (AP)

14.2 Right to Lodge Complaints

You have the right to lodge complaints with:

  • Your local supervisory authority
  • The authority where the alleged infringement occurred
  • The authority where we have our main establishment (if applicable)

15. GDPR COMPLIANCE UPDATES

15.1 Regulatory Changes

We monitor and implement:

  • New GDPR guidance and interpretations
  • Court decisions and regulatory updates
  • Best practice recommendations
  • Industry-specific requirements

15.2 Compliance Improvements

Regular Reviews:

  • Annual GDPR compliance assessments
  • Quarterly policy and procedure updates
  • Ongoing staff training and awareness
  • Technology and security improvements

16. CONTACT INFORMATION

16.1 GDPR-Related Inquiries

For all GDPR-related questions, requests, or concerns:

Primary Contact (Data Protection Officer): [email protected]

General Contact: [email protected]

Business Address: Omkaar Group, Office No. 102, 1st Floor, Rituraj Business Park, Bicholi Mardana, Near Uno Business Park, Bypass, Indore (M.P) - 452016, India

16.2 Response Commitments

  • Simple Requests: 5-10 business days
  • Complex Requests: Up to 1 month (with notification if extension needed)
  • Urgent Matters: Within 24-48 hours
  • Breach Notifications: As required by GDPR timelines

This GDPR compliance information is effective as of 31st July 2025. We are committed to protecting your privacy rights and maintaining full GDPR compliance. For questions or to exercise your rights, please contact our Data Protection Officer.

Effective Date: 31st July 2025

Last Updated: 31st July 2025