01
Overview.
Anty AI is an identity-protection service that detects unauthorized use of your face, voice and likeness across the internet and helps you get such content removed. To do that, we hold the most sensitive personal data anyone could entrust to a service: a biometric template of you. This Privacy Policy explains how we treat that data, what you can ask us to do with it, and what we will never do with it.
Two commitments above all others:
- We do not sell, rent, license or share your biometric data with any third party. Not advertisers, not partners, not affiliates, not data brokers. This is a contractual commitment, not a marketing line.
- You can demand deletion at any time. Within 30 days of a verified request, every trace of your data — including backups — is wiped from our systems, subject only to narrow legal-retention obligations clearly disclosed in this policy.
Plain-language summary. You give us biometric samples. We build an encrypted template. We use it only to find unauthorized content of you online. We never sell or share it. We delete it when you tell us to. That's the whole deal.
02
Who we are.
"Anty AI", "we" and "us" refer to [Insert legal entity name — e.g., Anty AI Technologies Private Limited], a company incorporated under the laws of India and operating the website antyai.com and the Anty AI service. Our registered office is at [Insert registered address]. Our CIN is [Insert CIN].
We are the Data Fiduciary under India's Digital Personal Data Protection Act 2023 ("DPDP Act") and the Data Controller under the EU General Data Protection Regulation ("GDPR") and the UK GDPR for personal data processed about you in connection with the service.
03
What we collect.
3.1 Biometric data — the most sensitive category we handle.
To recognize you in unauthorized content, we need a baseline of what you actually look and sound like. We collect:
- Facial samples — a short live-recorded video, optional archival photographs, and any reference images you authorize us to use.
- Voice samples — a short live-recorded audio clip, optional archival recordings, voice clips you authorize.
- Optional non-biometric markers — known stage names, aliases, signature gestures, catchphrases, on-screen mannerisms, autograph patterns.
From these samples we generate a single mathematical representation — a biometric template — that lets our matching engine recognize you across the internet. The raw samples themselves are deleted after template generation unless you specifically ask us to retain archival copies for re-training as detection models improve.
3.2 Account & identity verification data.
- Full name, date of birth (where required for legal-age verification), nationality.
- A copy of one government-issued photo ID — Aadhaar, passport, driving licence, PAN, or equivalent.
- For celebrity / public-figure tiers: documentation of authority to act (e.g., agency letter, manager authorization, NDA-bound representative).
3.3 Contact & account-management data.
- Email, phone number, preferred language.
- Authorized representative details — manager, agent, lawyer, family member as applicable.
- Subscription tier, billing history, support correspondence.
3.4 Payment data (post-launch only).
We do not collect any payment, card, bank or escrow data from waitlist members. Payment data is collected only when you choose to subscribe to a tier after the service launches in 2026:
- Subscription billing details (handled by our regulated payment processors — we never store full card numbers ourselves).
3.5 Service operations data.
- Detection records — URLs, timestamps, content fingerprints, biometric match scores.
- Takedown history — notices filed, platform responses, removal confirmations, counter-notices received.
- Dashboard activity — logins, actions taken, settings changes.
3.6 Technical data.
- IP address, browser type, device identifiers, time zone, OS version.
- Cookies and similar technologies as described in our Cookie Notice.
04
How we use what we collect.
We use your data only for the purposes listed below — and only with the lawful basis identified for each.
- Generate and maintain your biometric template so we can match unauthorized content to your identity. Lawful basis: explicit consent (DPDP Act §6, GDPR Art. 9(2)(a)).
- Crawl the internet and match content against your template, classify matches by intent, and deliver the resulting detections to your dashboard. Lawful basis: contract performance (GDPR Art. 6(1)(b)) and explicit consent.
- File takedowns on your behalf with platforms, hosting providers, registrars and payment processors. Lawful basis: contract performance and your explicit authorization.
- Provide the evidence package if you choose to pursue civil or criminal action against an uploader through your own legal counsel. Lawful basis: legitimate interest in defending your rights, with your explicit authorization.
- Verify identity and prevent abuse — confirm you are who you claim to be (or are authorized to act for someone) before issuing takedowns in their name. Lawful basis: legal obligation, legitimate interest in service integrity.
- Operate the service — billing, support, security, fraud prevention, audit logs. Lawful basis: contract performance, legitimate interest.
- Improve detection models — only with your explicit, separately granted consent, and only on samples you affirmatively authorize for this purpose. We never use a celebrity client's data to train models that benefit other clients without that explicit consent. Lawful basis: explicit, separately captured consent.
- Comply with law — respond to legally compelled requests, court orders, regulatory inquiries. Lawful basis: legal obligation.
What we never do. We do not use your biometric data for advertising. We do not profile you for purposes other than service delivery. We do not sell, rent or license your data. We do not let any third party access your raw biometric samples or template — not even for "research" or "academic" purposes — without your specific, written authorization for that specific use.
05
Sharing & disclosure.
The narrow list of parties with whom we share data, and the strict reasons we share it:
- Platforms and hosts (YouTube, Meta, TikTok, X, Telegram, etc.) — limited to the takedown notice itself: the source URL, your name, the lawful basis for takedown, and proof of authority. We never share your raw biometric template or samples with platforms.
- Sub-processors we rely on to operate the service — cloud-hosting providers, payment processors (post-launch), KYC/identity-verification vendors, legal-document automation services. Each is bound by a Data Processing Agreement that mirrors or exceeds the protections in this Policy. A current list of sub-processors is available on written request from privacy@antyai.com.
- Your authorized representatives — agents, managers, legal counsel — only as you have explicitly designated.
- Law enforcement and regulators — only when legally compelled (subpoena, court order, statutory request) and subject to the narrow scope of what is compelled. We will tell you about any such request unless we are legally prohibited from doing so.
- Acquirers in a corporate transaction — if Anty AI is acquired, your data may transfer to the acquirer, but only on terms at least as protective as this Policy, and you will be notified before the transfer takes effect.
We do not share data with advertisers, data brokers, AI training companies, or any party seeking to monetize biometric data. We never have, and we never will.
06
How we protect your data.
Your data is encrypted both at rest and in transit. Specifically:
- Encryption at rest — AES-256 for biometric templates and sensitive identifiers.
- Encryption in transit — TLS 1.3 for all API and dashboard traffic.
- Access controls — strict role-based access, multi-factor authentication for all employees, segregation of duties so that no single employee can both view your biometric template and modify our security controls.
- Audit logs — every access to a biometric template is logged immutably, with the employee identity, the time and the reason. Logs are reviewed regularly.
- Compliance certifications — we are pursuing SOC 2 Type II and ISO 27001 certification ahead of our public launch in 2026. Once obtained, audit reports will be available to qualified clients under NDA.
- Penetration testing — third-party security testing is conducted at least annually and after every major release.
- Vulnerability disclosure — we maintain a responsible-disclosure programme at security@antyai.com.
No system is unbreachable. While we apply industry-leading security controls, we cannot guarantee that no breach will ever occur. If a security incident affecting your data does occur, we will notify you as required by applicable law — under the DPDP Act we will notify the Data Protection Board and affected Data Principals; under the GDPR within 72 hours of becoming aware where the risk threshold is met; under the CCPA in line with California breach-notification requirements.
07
How long we keep your data.
- Biometric templates — for the duration of your active subscription. On termination or verified deletion request, deleted within 30 days from primary systems and within 90 days from encrypted backups.
- Raw biometric samples — deleted immediately after template generation unless you explicitly authorize retention for model-improvement purposes.
- Account data — retained for the duration of your subscription plus 7 years for tax and statutory record-keeping (Companies Act 2013, Income Tax Act 1961).
- Detection & takedown records — retained for 7 years to enable legal defense, regulatory audit, and counter-notice handling.
- Payment records — retained as required by tax, anti-money-laundering and accounting law (typically 7 years in India, longer in some jurisdictions).
- Support correspondence — retained for 3 years from last contact.
08
Your rights.
Regardless of where you live, you have the following rights with respect to your personal data:
- Right to access — request a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure — demand deletion, subject only to narrow legal-retention exceptions explicitly disclosed above.
- Right to withdraw consent — at any time, with effect from the date of withdrawal.
- Right to data portability — receive your data in a structured, commonly-used, machine-readable format.
- Right to object — to processing based on legitimate interest.
- Right to lodge a complaint — with the supervisory authority in your jurisdiction.
To exercise any of these rights, email privacy@antyai.com. We respond within 30 days (or sooner where law requires it). We may need to verify your identity before acting on the request — necessary to prevent fraud against celebrities whose accounts are themselves targets.
09
For Data Principals in India — DPDP Act 2023.
If you are located in India, the Digital Personal Data Protection Act 2023 ("DPDP Act") applies to your personal data. Under the DPDP Act:
- Anty AI is the Data Fiduciary; you are the Data Principal.
- Biometric data is classified as sensitive personal data; we process it only with your explicit, free, specific, informed and unambiguous consent.
- You have the rights under §11–§14 of the DPDP Act: access, correction, completion, updating, erasure, grievance redressal and nomination.
- You may withdraw consent at any time; consequences of withdrawal — primarily that we can no longer provide the service — are explained in our Reservation Terms and Subscription Terms.
- We do not engage in "significant data fiduciary" activities such as processing children's data without parental consent or making decisions that have a significant effect on Data Principals through purely automated means without human review.
For a separate, fuller account of how the DPDP Act applies to Anty AI, see our dedicated DPDP Notice.
10
For Data Subjects in the EU & UK — GDPR.
If you are in the European Economic Area, the United Kingdom or Switzerland, the EU General Data Protection Regulation, the UK GDPR and the Swiss Federal Data Protection Act apply.
- Anty AI is the Data Controller; you are the Data Subject.
- Biometric data used to uniquely identify a natural person is a special category of personal data under GDPR Article 9; we process it only on the basis of your explicit consent under Article 9(2)(a).
- You have the rights under Articles 15–22 of the GDPR: access, rectification, erasure ("right to be forgotten"), restriction, data portability, objection, and not to be subject to solely automated decision-making.
- You have the right to lodge a complaint with a supervisory authority — for EU residents, the data protection authority of your member state; for UK residents, the Information Commissioner's Office (ICO).
11
For California residents — CCPA / CPRA.
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you specific rights. The categories of personal information we collect, why we collect them, and our retention periods are described in §3, §4 and §7 above.
You have the right to:
- Know what personal information is collected about you.
- Know whether it is sold or disclosed and to whom — for Anty AI: we do not sell personal information.
- Opt out of any future sale of personal information should our practices ever change (they will not, but the right exists).
- Access, delete and correct personal information.
- Limit use of sensitive personal information — including biometric data.
- Not be discriminated against for exercising these rights.
Email privacy@antyai.com to exercise these rights. Authorized agents may submit requests on your behalf with proof of authorization.
12
Cross-border data transfers.
Anty AI operates from India. To provide a global service we use cloud infrastructure in multiple regions and have sub-processors in several countries. Your data may be stored or processed outside the country in which you reside.
For each cross-border transfer, we apply the appropriate legal mechanism:
- From the EU/UK: Standard Contractual Clauses (2021), supplemented by transfer-impact assessments where required.
- From India: transfers comply with §16 of the DPDP Act and any restrictions notified by the Central Government from time to time.
- From other jurisdictions: the legal mechanism appropriate to that jurisdiction.
We will, on written request, disclose to you the countries in which your data is stored or processed.
13
Minors.
The Anty AI service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data of minors. If we discover that we have collected data from a minor without verified parental consent, we will delete that data promptly.
For child performers and minor public figures, the service can only be used by a verified parent, legal guardian, or court-appointed representative of the minor, in accordance with §9 of the DPDP Act 2023 and equivalent provisions in other jurisdictions.
14
Changes to this Policy.
We may update this Privacy Policy from time to time. When we make material changes — changes that affect your rights, the types of data we collect, the parties we share with, or the lawful basis for processing — we will:
- Notify you by email at least 30 days before the change takes effect.
- Post a prominent notice on the antyai.com site.
- Request your renewed consent where the change requires it (e.g., to add a new processing purpose for biometric data). If consent is not given, the change will not apply to you.
The current version, effective date and a complete change log are always posted at antyai.com/privacy.