Legal

Privacy Policy

Last updated: June 28, 2026

This Privacy Policy explains how AIRA, operated by Bug Hunters Private Limited (“Bug Hunters”, “we”, “us”), collects, uses, shares, and protects personal data when you use our DPDPA readiness assessment platform. We act as the Data Fiduciary for the personal data described below and are committed to handling it in line with India’s Digital Personal Data Protection Act, 2023 (DPDPA).

Who we are

AIRA is a product of Bug Hunters Private Limited. If you have any questions about this policy or how your data is handled, you can reach us at hello@bughunters.io.

Scope of this policy

This policy applies to the AIRA website and assessment platform. It does not cover third-party websites we may link to, which have their own privacy practices.

Information we collect

  • Organization profile: industry, size, data types processed, geographic scope, and data volume.
  • Assessment responses: the answers you select for each control during the assessment.
  • Contact details you choose to provide: name, work email, company, and phone- for example when you unlock a full report or submit a “Request DPDPA Readiness” form.
  • Technical and usage data your browser sends automatically, such as device, browser, and basic interaction information.
  • Local browser storage: we use your browser’s session storage to hold your in-progress assessment and to remember that you have unlocked your report. We do not use advertising cookies.

How we use your information

  • To generate your readiness score, classification, charts, risks, recommendations, roadmap, and report.
  • To provide the in-assessment AI advisor and to generate a single AI-written executive summary.
  • To deliver your report by download or email when you request it.
  • To respond to enquiries and, where you have agreed, to contact you about DPDPA compliance and related services.
  • To maintain the security, integrity, and performance of the platform.

AI processing

To power the in-assessment advisor and the executive summary, we send the minimum necessary context (such as your organization profile, the current question, and your deterministic results) to our AI provider, OpenAI, to generate text. This is used only to explain and guide. AI never computes, changes, or determines your score, classification, risks, recommendations, or any number in your report. We do not use your data to train third-party models.

Sharing and processors

We do not sell your personal data. We share it only with service providers (Data Processors) that help us operate the platform under appropriate contractual safeguards, and where required by law or to protect our rights.

  • AI provider (OpenAI)- to generate advisory text and the executive summary.
  • Email provider (e.g., Resend)- to deliver your report and respond to requests.
  • Hosting and infrastructure providers- to run the application securely.

International transfers

Some of our processors may store or process data outside India. Where this occurs, we rely on safeguards consistent with the DPDPA and applicable law, and we only transfer to destinations not restricted by the Central Government.

Data retention

Your in-progress assessment lives in your browser session and is cleared when you close it. Contact details and request information are retained only as long as necessary to respond to you and for the purposes described, or as required by law, after which they are deleted or anonymized.

Security

We apply reasonable technical and organizational safeguards to protect personal data, including keeping AI and email credentials strictly server-side (never exposed to your browser), restricting access on a need-to-know basis, and transmitting data over encrypted connections. No method of transmission or storage is completely secure, but we work to protect your information and to address incidents promptly.

Your rights as a Data Principal

  • Access: request a summary of the personal data we hold about you and how it is processed.
  • Correction and completion: ask us to correct inaccurate or incomplete data.
  • Erasure: ask us to delete your personal data where it is no longer required.
  • Withdraw consent: withdraw your consent to processing at any time.
  • Grievance redressal: raise a complaint about how your data is handled and receive a timely response.
  • Nominate: nominate another individual to exercise your rights in the event of death or incapacity.

Children’s data

AIRA is intended for use by organizations and business users, not children. We do not knowingly collect the personal data of children, and we do not undertake tracking or targeted advertising directed at children.

Changes to this policy

We may update this policy from time to time. Material changes will be reflected by updating the “Last updated” date above, and continued use of the platform constitutes acceptance of the revised policy.

Contact & grievances

To exercise any right, withdraw consent, or raise a grievance, contact us at hello@bughunters.io. We will acknowledge and respond within a reasonable timeframe consistent with the DPDPA.