01 Scope of this policy
This Privacy Policy applies to all services, websites, software tools, and products offered by NetraInno HyperDrive, including but not limited to our AI tooling suite (Netrayzer, NetraSense, NetraReq, Netra Coder) and our ADAS products (NetraLite DMS, DMS/OMS ECU Platform). It also applies to our corporate website, customer portal, documentation site, and any professional services we deliver on behalf of customers.
When we process personal data on behalf of a customer (for example, when a vehicle OEM deploys our AI tools and uploads engineering artefacts), that customer is the data controller and we act as a data processor. In those cases, the customer's own privacy policy and the terms of our data processing agreement govern the relationship.
02 Information we collect
We collect information in three broad categories: information you provide to us directly, information we collect automatically when you use our services, and information we receive from third-party business partners.
Information you provide
- Account data: name, business email, company, job title, password (hashed), and contact preferences.
- Billing data: billing address, tax identification, and payment instrument details (processed by our PCI DSS-compliant payment provider; we do not store full card numbers).
- Support communications: the content of emails, tickets, and call recordings you send to our support, sales, or engineering teams.
- Engineering inputs: requirements documents, logs, signal databases, test artefacts, or model files that you upload into our AI tools for processing.
Information collected automatically
- Usage telemetry: feature usage, page views, search queries, tool invocations, response times, and error rates — typically aggregated and pseudonymised.
- Device & connection data: IP address, browser type and version, operating system, device identifiers, time zone, and approximate geolocation derived from IP.
- Cookies & similar technologies: see our Cookie Policy for the specific cookies and SDKs we use and how to control them.
Information from third parties
- Authentication providers: when you sign in via SSO, we receive profile fields (name, email, tenant ID) authorised by your identity provider.
- Business partners: resellers, integration partners, and enterprise procurement platforms may share contact and contract data to enable onboarding.
03 How we use information
We use personal information to deliver the services you and your organisation have engaged us for, to operate and improve our products, and to comply with legal obligations. Specifically:
- To provide, maintain, and secure our AI tools and ADAS products, including authenticating users, enforcing licence limits, and preventing abuse.
- To process transactions, issue invoices, and manage renewals.
- To personalise your experience — such as remembering preferences, recent projects, and tool settings.
- To improve model quality, reliability, and safety through aggregated analytics; we do not use customer engineering inputs to train foundation models without an explicit written opt-in.
- To send service announcements, security advisories, product updates, and — where permitted — marketing communications you can unsubscribe from at any time.
- To comply with law, respond to lawful requests, enforce our terms, and protect our rights and the rights of others.
04 AI model providers & safety
Our AI tooling suite (Netrayzer, NetraSense, NetraReq, Netra Coder) is built on top of large language models and multimodal foundation models supplied by OpenAI and Anthropic. We list these providers explicitly so you can make an informed decision about your data.
What is sent to OpenAI and Anthropic
- Prompt content: the engineering inputs you submit to a tool — for example, a requirement statement, a CAN log excerpt, a code snippet, or a diagnostic question — together with system instructions we add to steer the model.
- Model output: the generated response, which we return to you and store against your project for reproducibility and audit.
- Operational metadata: token counts, model name and version, latency, and request identifiers used for billing and reliability.
We do not send to OpenAI or Anthropic: your account password, payment details, raw cookie identifiers, or files you have not explicitly submitted to an AI tool.
Provider data handling commitments
- OpenAI — accessed through OpenAI's API platform (or the equivalent Microsoft Azure OpenAI endpoint where customers require it). Under the OpenAI Business Terms, API inputs and outputs are not used to train OpenAI's models and are retained only for a limited abuse-monitoring window before deletion. Where customers have a Zero Data Retention (ZDR) entitlement, we route their traffic accordingly.
- Anthropic — accessed through the Anthropic API (or AWS Bedrock / Google Vertex equivalents). Under Anthropic's Commercial Terms of Service, API inputs and outputs are not used to train Anthropic's models and are governed by Anthropic's published privacy and trust documentation.
- We maintain Data Processing Agreements (DPAs) with both providers and with the underlying cloud carriers used to deliver their endpoints.
Safety, alignment & human oversight
Foundation models are probabilistic systems and may produce inaccurate, biased, or unsafe output. To mitigate this:
- We apply input filters, output filters, and provider-side safety classifiers (OpenAI Moderation, Anthropic safety guardrails) on every request.
- We never use AI output as the sole basis for a safety-critical engineering decision; outputs are clearly labelled as AI-generated and require human review before being committed to a release artefact.
- For automotive use, our tooling is designed as a support aid within ISO 26262, ISO 21448 (SOTIF), ASPICE, and UNECE R155/R156 workflows. Final responsibility for verification, validation, and homologation remains with the customer.
Customer controls
- Provider selection: Enterprise customers may pin their workspace to a specific provider (OpenAI only or Anthropic only) and to a specific deployment region.
- Opt-out of AI features: Workspace admins can disable AI-powered features entirely; the rest of the platform continues to operate.
- Bring Your Own Key (BYOK): Enterprise customers may supply their own OpenAI / Anthropic / Azure OpenAI / Bedrock keys, in which case requests are billed and governed under their own provider account.
- Confidential / restricted projects: mark a project as restricted to disable retention beyond the request lifetime and disable any aggregated analytics.
For a current list of model providers and sub-processors, request our Trust Center pack at privacy@netrainno.ai.
06 Data retention
We retain personal information for as long as necessary to provide the services, satisfy a legitimate business purpose, or meet a legal obligation.
- Active account data: retained for the duration of your subscription, plus up to 90 days after termination to allow export, reactivation, and dispute resolution.
- Engineering inputs uploaded to AI tools: retained per your project settings; you can delete individual projects at any time. Backups are purged on a rolling 35-day cycle.
- Financial records: retained for the statutory period required by applicable tax and accounting law (typically 7–10 years).
- Support records: retained for 24 months for quality and training purposes, then anonymised.
07 Your rights
Depending on your jurisdiction, you may have the right to:
- Access, correct, export, or delete the personal information we hold about you.
- Object to, restrict, or withdraw consent for specific processing activities.
- Lodge a complaint with your local data protection authority.
- Opt out of marketing communications at any time via the unsubscribe link or by emailing us.
To exercise any of these rights, contact us at privacy@netrainno.ai. We will respond within the timeframes required by applicable law (typically 30 days).
08 Security
We apply industry-standard administrative, technical, and physical safeguards to protect personal information, including TLS 1.3 in transit, AES-256 at rest, role-based access control, audited privileged access, hardware-backed key management, and continuous security monitoring. Our platform undergoes regular third-party penetration testing and internal vulnerability management.
No system is ever perfectly secure. In the event of a data incident that affects personal information, we will notify affected customers and the appropriate authorities as required by law, typically within 72 hours of confirming the incident.
09 International transfers
NetraInno HyperDrive operates globally and your information may be processed in countries outside your home jurisdiction. Where we transfer personal data internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs), UK International Data Transfer Addendum, or equivalent mechanisms recognised under the GDPR, UK GDPR, and other applicable data protection laws.
10 Children's privacy
Our products are intended for business and engineering use. They are not directed at children under 16 and we do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.
11 Government & law enforcement requests
NetraInno HyperDrive respects the rule of law and the privacy of our customers in equal measure. We disclose customer personal information to government, regulatory, or law enforcement authorities only when we are legally compelled to do so or when disclosure is necessary to prevent imminent harm.
- Legal basis required: we require a valid subpoena, court order, search warrant, or equivalent legal instrument issued by a competent authority under applicable law (including, as relevant, GDPR Article 6(1)(c), UK Data Protection Act 2018, US CLOUD Act, India DPDP Act 2023, Japan APPI, Singapore PDPA, and automotive-specific statutes such as UNECE R155).
- Scope minimisation: we push back on overbroad requests and disclose only the narrow data set responsive to the order.
- Customer notice: where legally permitted, we notify the affected customer before disclosure so they may seek a protective order. Where notice is prohibited (e.g. gag order), we log the request for later transparency reporting.
- Cross-border requests: we do not voluntarily transfer data in response to foreign government requests that conflict with EU / UK law; we use the GDPR Article 48 / CLOUD Act executive agreement pathways where they apply.
- National security & export control: our AI tooling is subject to applicable export control regimes (US EAR, EU Dual-Use Regulation). We reserve the right to refuse service or restrict functionality to sanctioned parties, embargoed jurisdictions, or end uses prohibited by law.
- Transparency: we publish an annual Transparency Report summarising the number and type of government requests received and our response.
For law enforcement requests, contact legal@netrainno.ai. Fraudulent or improperly issued requests will be refused.
12 Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our services, law, or business practices. When we make material changes, we will post the updated policy here with a new effective date and, where required, notify you by email or through an in-product notice.
Contact our Privacy team
For questions about this policy, to exercise your rights, or to report a concern, reach out to our Data Protection Office.