Legal Documentation

Privacy Policy

Last updated: 17 Jun 2026 · Effective: 17 Jun 2026 · Version 2.0

§01

Introduction

Kshatra Labs (“Kshatra Labs”, “we”, “us”, “our”) is a defence technology company headquartered in Bengaluru, India, focused on autonomous systems, precision hardware, and advanced defence solutions. We are committed to protecting the personal information of everyone who interacts with us — whether you are a site visitor, customer, business partner, government procurement contact, or technical user.

This Privacy Policy explains how Kshatra Labs collects, uses, discloses, retains, and otherwise processes personal information when you visit or use kshatralabs.in (the “Site”), make a purchase, interact with customer or technical support, submit a warranty or RMA request, subscribe to communications, or otherwise engage with us (collectively, the “Services”).

“Personal information” means any information that identifies, relates to, describes, or could reasonably be linked — directly or indirectly — with a specific individual.

This Policy applies to:

  • Site visitors and general enquirers
  • Customers and prospective customers (individual and business)
  • Government, defence, and institutional procurement contacts and their authorised representatives
  • Business customers and their employees/representatives (B2B contacts)
  • Individuals who contact us for support, warranty/RMA, or technical assistance
  • Research partners, integrators, and authorised third-party collaborators

This Policy does not govern data processed under classified government contracts or programmes; such handling is governed by the relevant contract, applicable national security law, and data agreements executed with the contracting authority.

If you do not agree with this Privacy Policy, please do not use the Services.

§02

Who We Are (Data Fiduciary)

Data Fiduciary

Entity: Kshatra Labs
Registered Address: [Insert MCA/ROC-registered legal address], Bengaluru, Karnataka, India
Operational Facility: Autonomous Systems Facility, Bengaluru, Karnataka, India
Email: contact@kshatralabs.in
Phone: +91 97304 58528

Under India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and applicable rules, Kshatra Labs is the Data Fiduciary responsible for your personal data.

Grievance Officer / Data Protection Contact
Email: contact@kshatralabs.in — Subject: Privacy Grievance
We acknowledge grievances within 48 hours and aim to resolve them within 30 days, in accordance with the DPDP Act.

§03

What We Collect

A. Information you provide directly

  • Contact details: name, email address, phone number, billing and shipping address
  • Account details: login credentials, role, preferences, and communication history
  • Order and transaction information: items purchased, quantities, order history, invoices, and payment confirmation. We do not receive or store full card numbers — payment processors handle card data under their own PCI-DSS compliance.
  • Customer and technical support content: emails, chat transcripts, call notes, support tickets, warranty claims, and RMA submissions including device serial numbers
  • B2B and procurement information: company or organisation name, job title/role, work email, GSTIN/TIN (where provided), procurement documents, signed agreements and NDAs, and authorised signatory details
  • RMA and diagnostic submissions: installation photographs, wiring diagrams, system configuration files, telemetry logs, and test notes. These may contain personal information indirectly (e.g., names in filenames, metadata, email headers, IP addresses, or device IDs).
  • Government and institutional contact information: name, designation, department, official email, and information provided during procurement engagement. See the Government & Defence Data section.

B. Information collected automatically

  • Device and network data: IP address, browser type and version, OS, device identifiers, screen resolution, language, and time zone
  • Usage data: pages viewed, links clicked, time on page, scroll depth, referral source, and cart interactions
  • Approximate location inferred from IP address (city/region level only; no GPS)
  • Session and performance data: page load times, errors, and crash reports

Collected via cookies, web beacons, pixels, and similar technologies. See the Cookies & Tracking section for your controls.

C. Information we receive from third parties

  • Payment processors (e.g., Razorpay): payment status and confirmation; not full card numbers
  • Shipping and logistics partners: delivery status, tracking events, and address validation
  • Analytics and advertising partners (where enabled): aggregated campaign performance and attribution signals
  • Fraud and security vendors: risk scores used to protect our customers and systems
  • Public sources: company registries, GeM portal, and professional directories for B2B verification

D. Product telemetry and operational data

Certain Kshatra Labs hardware products (autonomous systems, sensor units, IoT devices) may transmit operational telemetry to our infrastructure for diagnostics, firmware updates, and performance monitoring. This may include:

  • Device identifiers, firmware version, and uptime
  • System health metrics, error codes, and sensor readings
  • Network identifiers (e.g., local IP, MAC address of the device)
  • Usage patterns (e.g., operational hours, mode of use)

Product telemetry scope is documented in the relevant product manual and data sheet. Customers operating products in sensitive environments should review telemetry settings and, where necessary, operate in an offline or air-gapped configuration per the product manual.

§04

Why We Use Your Information

  • Provide and operate the Services: process orders and payments, arrange shipping, manage returns and RMAs, generate invoices, and fulfil contractual obligations
  • Customer and technical support: troubleshoot issues, evaluate warranty claims, process RMAs, issue product safety advisories, and provide firmware/software updates
  • Security and fraud prevention: detect, investigate, and prevent fraudulent transactions, abuse, and security threats
  • Product and service improvement: analytics, usage monitoring, telemetry analysis, and product quality improvement
  • Research and development: improving autonomous systems, sensor performance, and related technologies, using anonymised data where possible
  • Marketing and communications: newsletters, product launches, and defence-sector updates — subject to your consent where required by law
  • Legal and compliance: tax records, accounting, statutory filings, responding to lawful government requests, and enforcing our terms
  • Government and defence procurement: managing bids, quotations, GeM empanelment, contract execution, and institutional account management
  • Export compliance: screening transactions against India’s SCOMET list and applicable international trade control obligations. See the Export Control section.

§06

Government & Defence Procurement Data

Kshatra Labs works with government ministries, defence establishments, public sector undertakings (PSUs), and institutional buyers. In these contexts we may process personal data of procurement officers, authorised representatives, and points of contact.

  • Government contact data (name, designation, department, official email, phone) is used solely for the relevant procurement engagement, contract management, or institutional relationship — not for commercial marketing without separate consent.
  • Procurement documents (bid documents, technical specifications, letters of intent, supply orders) may contain personal information and are retained for the duration required by applicable procurement and audit regulations.
  • Data shared under classified or restricted government contracts is governed by the terms of that contract and applicable national security law, handled under separate security protocols outside the scope of this Policy.
  • Organisations procuring via the Government e-Marketplace (GeM) should also refer to GeM’s own privacy policies applicable to their platform usage.

If you represent a government or defence organisation with specific data handling requirements, contact us at contact@kshatralabs.in to arrange a Data Processing Agreement or bespoke data handling arrangement.

§07

Export Control & Regulatory Compliance (SCOMET)

Kshatra Labs develops and supplies defence and dual-use technology that may be subject to India’s Special Chemicals, Organisms, Materials, Equipment and Technologies (“SCOMET”) export control list administered by DGFT, as well as other applicable Indian and international trade control regulations.

To comply with these obligations, we may process personal data of customers, end-users, and business partners for:

  • Verifying the identity and eligibility of buyers, end-users, and intermediaries
  • Screening against applicable denied party, debarment, and sanctions lists
  • Obtaining, maintaining, and evidencing end-user certificates (EUCs) and export authorisation documents where required
  • Maintaining records required for export licence compliance and DGFT or authority audit

This processing is a legal obligation and cannot be opted out of where it applies. Records collected for export compliance are retained for the periods required by law, which may exceed our standard retention periods. For questions, contact contact@kshatralabs.in.

§08

Cross-Border Data Transfers

We use third-party infrastructure and service providers — including cloud hosting, analytics, email delivery, and payment processing — that may store or process your personal data outside India (e.g., in the United States, the European Union, Singapore, or other jurisdictions).

Where such international transfers occur, we ensure your data is protected by:

  • Engaging only providers that maintain appropriate technical and organisational security measures
  • Implementing contractual safeguards (data processing agreements, standard contractual clauses) with service providers where applicable
  • Assessing whether the destination jurisdiction offers adequate protections for personal data

As India’s DPDP Rules on cross-border transfers are progressively notified under Section 16 of the DPDP Act, we will update our transfer mechanisms and this Policy accordingly to ensure ongoing compliance.

Defence-sensitive data note: Personal data related to classified or restricted defence programmes is not transferred to offshore infrastructure. Such data is handled under separate security arrangements as agreed with the relevant contracting authority.

§09

Cookies & Tracking

We use cookies and similar technologies (pixels, tags, local storage) for:

  • Strictly necessary: required for the Site and checkout to function — cannot be disabled
  • Functional: remember preferences, language settings, and session state
  • Analytics: understand how visitors use the Site to improve it
  • Marketing/advertising: measure campaign performance and support targeted advertising — only with your consent where required by law

Your choices

  • Manage non-essential cookies via the cookie consent banner when you first visit the Site
  • Adjust or withdraw preferences at any time via your browser or device settings
  • Opt out of marketing emails via the “Unsubscribe” link in any email (transactional messages such as order confirmations are not subject to marketing opt-out)

Global Privacy Control (GPC): If you visit the Site with GPC enabled, we treat it as a request to opt out of non-essential cookies and targeted advertising sharing where required by applicable law and where technically feasible.

§10

How We Disclose Your Information

We do not sell your personal data. We may disclose personal information to:

  • IT and infrastructure service providers: cloud hosting, databases, CDN, monitoring, and security — operating as Data Processors under our instruction
  • Payment processors (e.g., Razorpay): to securely process and confirm payments
  • Shipping and logistics partners: to fulfil orders, arrange delivery, and manage returns
  • Customer support platforms: helpdesk software and communication tools used to provide support
  • Analytics providers: to measure Site performance in aggregate
  • Marketing and advertising partners (only where consented or permitted): for campaign attribution and measurement
  • Professional advisers: lawyers, accountants, and auditors — subject to confidentiality obligations
  • Government authorities and regulators: when required by law, court order, or binding regulatory request, or to protect rights and safety. In a defence context, this includes lawful requests from the Ministry of Defence, DRDO, and other authorised national security bodies.
  • Business transfers: in a merger, acquisition, or sale of assets — with reasonable notice and, where required, your consent before any transfer that materially changes how your data is used.

All service providers acting as Data Processors on our behalf are required to process personal data only on our documented instructions, maintain confidentiality, and implement security measures consistent with the DPDP Act.

§11

Data Processor Agreements (B2B & Government)

If your organisation is itself a Data Fiduciary under the DPDP Act (or an equivalent data controller under another applicable law) and you engage Kshatra Labs to process personal data on your behalf — for example, by sharing end-user data for product integration or system deployment — a formal Data Processing Agreement (“DPA”) is required before any such personal data is shared with us.

Contact us at contact@kshatralabs.in (Subject: DPA Request) to initiate this process. For government and defence institutional buyers with sovereign data handling requirements, we can accommodate bespoke contractual arrangements.

§12

Sensitive Personal Data

We do not intentionally collect sensitive personal data — such as health or medical information, biometric data, financial account credentials, caste or religion, sexual orientation, or political opinion — for the purpose of inferring characteristics about individuals.

If you voluntarily share such information through support communications or diagnostic submissions, we use it only to address your specific request and for lawful compliance. We apply heightened access controls and security measures to any information classified as sensitive, and do not share it with third parties except as strictly required by law or to provide the requested service.

Personnel security data (e.g., information relating to security clearances or vetting) is never collected through our public-facing Services and is handled exclusively through appropriate government-mandated processes where relevant.

§13

Operational Security (OPSEC) Notice

When submitting RMA requests, diagnostic data, telemetry logs, or technical support materials relating to products deployed in sensitive or operational environments, please exercise appropriate operational security:

  • Do not submit classified, restricted, or mission-sensitive data through standard support channels. Contact contact@kshatralabs.in to arrange a secure channel before sharing such materials.
  • Sanitise or redact operational details (deployment locations, unit identifiers, mission parameters) from logs and images before submission where operationally appropriate.
  • If you believe you have inadvertently submitted sensitive operational data through standard channels, notify us immediately at contact@kshatralabs.in so we can take appropriate containment steps.

⚠ NOTICE
Any data submitted for support purposes is accessed only by authorised technical personnel on a strict need-to-know basis and is not used for any purpose beyond resolving your support request.

§14

Data Retention

We retain personal data only as long as necessary for the applicable purpose:

  • Order and transaction records: 7 years from the transaction date, per GST, Income Tax Act, and Companies Act requirements
  • Customer support and RMA records: 3 years from closure of the support case or end of the product warranty period, whichever is later
  • Product telemetry: 12 months from collection, unless retained longer for active fault investigation or product safety
  • Marketing and communications data: until you unsubscribe or withdraw consent, after which it is suppressed to honour your opt-out
  • Government and defence procurement records: as required by applicable procurement audit regulations (typically 5–10 years depending on contract type)
  • Export compliance records: minimum 5 years as required by DGFT and applicable law, or longer if mandated
  • Security and fraud prevention logs: up to 12 months, or longer if required for an active investigation
  • Account data: for the duration of your account plus 2 years following closure, subject to legal retention obligations

When data is no longer required, we securely delete, anonymise, or pseudonymise it in accordance with our internal data lifecycle policy.

§15

Security

As a defence technology company, security is foundational to how we operate. We implement administrative, technical, and physical safeguards proportionate to the sensitivity of the data we handle, including:

  • Encryption in transit (TLS) and at rest for personal data stored on our infrastructure
  • Role-based access controls and the principle of least privilege for all internal systems
  • Multi-factor authentication for administrative access to systems holding personal data
  • Vendor security assessments before onboarding service providers that process personal data
  • Periodic review of access rights and internal security assessments
  • Physical access controls at our facilities

No system is perfectly secure. We cannot guarantee absolute security of data transmitted over the internet. Do not send sensitive or classified information via unencrypted channels. To arrange secure communication, contact contact@kshatralabs.in.

§16

Breach Notification

In the event of a personal data breach likely to result in harm, we will:

  • Notify the Data Protection Board of India (once constituted) as required under the DPDP Act within the prescribed timeframe
  • Notify affected individuals without undue delay where required by law, with sufficient information for them to take protective steps
  • Maintain records of all personal data breaches, including those below the notification threshold, as required

If you believe your personal data held by us may have been compromised, please contact us immediately at contact@kshatralabs.in (Subject: Security Concern).

§17

Children

The Services are not directed at children under the age of 18, and we do not knowingly collect personal information from children. Our products and services are intended for professional, institutional, and adult individual use only.

If you believe a child has provided us with personal information without appropriate parental or guardian consent, please contact us at contact@kshatralabs.in and we will take prompt steps to delete such information.

§18

Your Rights

Under the DPDP Act 2023

As a Data Principal under the DPDP Act, you have the right to:

  • Access: obtain a summary of the personal data we hold about you and how it has been processed
  • Correction and completion: request correction of inaccurate, incomplete, or outdated personal data
  • Erasure: request deletion of personal data no longer necessary for the purpose it was collected — subject to our legal retention obligations (e.g., tax records, export compliance, procurement audit requirements)
  • Withdraw consent: withdraw any consent given at any time, without affecting prior lawful processing. Note that withdrawal may affect our ability to provide certain services.
  • Grievance redressal: raise a complaint with our Grievance Officer and, where unresolved, escalate to the Data Protection Board of India (once constituted)
  • Nomination: nominate another individual to exercise your rights on your behalf in the event of your death or incapacity, as provided under the DPDP Act

Limitations

Certain rights may be limited or excluded where personal data is processed under a legal obligation — including defence procurement regulations, export control law, or a lawful order from a competent authority — or where erasure would conflict with ongoing legal or contractual obligations.

How to exercise your rights

Email contact@kshatralabs.in (Subject: Privacy Request) with:

  • Your full name
  • The email address associated with your order or account
  • The type of request: access / correction / deletion / opt-out / withdraw consent
  • Any supporting details to help us locate your records

We may request identity verification to protect against fraudulent requests. You may use an authorised agent where permitted by law, subject to verification. We respond within 30 days, with a possible extension of 30 additional days for complex requests.

§19

Third-Party Links & Services

The Site may link to third-party websites, platforms, or procurement portals — including government portals such as GeM, DRDO, or MoD procurement platforms. We are not responsible for the privacy practices, content, or security of those third parties. Review their privacy policies before providing any personal information on third-party platforms.

§20

Changes to This Privacy Policy

We may update this Privacy Policy for operational, legal, or regulatory reasons — including to reflect updates to India’s DPDP Rules as progressively notified, or changes in our products and processing activities.

We will post the updated version on the Site and update the “Last updated” date at the top of this page. Where changes are material — affecting your rights or how we use your personal data in a significant way — we will provide more prominent notice (such as a Site banner, account notification, or email). Continued use of the Services after any update constitutes acknowledgment of the revised Policy.

§21

Contact & Complaints

For any privacy-related queries, requests, or complaints, contact our Grievance Officer:

Grievance Officer — Kshatra Labs

Email: contact@kshatralabs.in
Subject line: Privacy Grievance or Privacy Request
Phone: +91 97304 58528
Postal address: Kshatra Labs, [Insert registered legal address], Bengaluru, Karnataka — 560 001, India

Please contact us first so we can investigate and respond within 30 days. If your grievance remains unresolved, you may escalate to:

  • The Data Protection Board of India — once formally constituted and operational under the DPDP Act and rules
  • Any other remedy available under applicable Indian law, including civil remedies under the Information Technology Act, 2000 (as amended)

We take every privacy complaint seriously and are committed to resolving concerns promptly, transparently, and fairly.

© 2026 Kshatra Labs. All Rights Reserved.

KL-LEGAL-PP-002  ·  Rev 2.0