Privacy Policy
Automate Routine
Effective Date: 7 June 2026
This Privacy Policy is a standalone document, separate from our Terms of Service, in compliance with Rule 3 of the Digital Personal Data Protection Rules, 2025 (India).
1. Who We Are (Data Fiduciary)
Automate Routine ("we," "our," or "us") is the Data Fiduciary responsible for processing personal data collected through our web application and website at www.automateroutine.com (collectively, the "Service").
Automate Routine
Phase 8B, Industrial Area
Mohali, 160071, Punjab, India
Grievance Officer (Data Protection contact):
Email: support@automateroutine.com
We aim to acknowledge grievances within 48 hours and resolve them within 30 days of receipt, as required under Section 13 of the DPDP Act, 2023.
2. Scope & Applicability
This Privacy Policy applies to all personal data we collect from users who register for, access, or use our Service, regardless of location. It is designed to comply with:
- Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025 (India), the primary applicable legislation;
- Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (India);
- IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, as amended in 2026 (India); and
- Other applicable data protection laws where our Service is accessible.
3. Personal Data We Collect
We collect only the personal data necessary to provide and improve the Service. The following table itemises each category of personal data we collect and the specific purpose for which it is processed, as required under Rule 3 of the DPDP Rules, 2025.
| Category | Specific Data Items | Purpose of Processing |
|---|---|---|
| Account & Identity Data | Full name, email address, hashed password, email verification token, account creation date, last login timestamp | To create and maintain your account, authenticate your identity, verify your email address, and enable secure login to the Service |
| OAuth / Social Login Data | Name, email address, and profile picture (where provided by Google or GitHub via OAuth); OAuth access token (stored securely, used only for authentication) | To enable sign-in via Google or GitHub accounts as an alternative to email/password authentication, and to pre-populate your profile |
| Workspace & Sprint Data | Workspace name, sprint names and descriptions, task titles, task descriptions, comments, epic names, team member names and roles within the workspace, capacity data, velocity metrics, uploaded files (e.g., CSV imports) | To deliver the core Scrum management functionality of the Service, including sprint planning, backlog management, team collaboration, and reporting |
| AI Prompt & Response Data | Sprint context and retrospective notes submitted to our AI features (sent to Anthropic Claude API for processing) | To generate AI-powered sprint goal suggestions and retrospective analysis. Prompt data is transmitted to Anthropic's API for processing and is not stored by us beyond the session |
| Payment & Billing Data | Subscription plan, seat count, billing cycle, payment status, Razorpay transaction/order IDs. We do not store full card numbers or CVV; payment card data is processed exclusively by Razorpay | To process subscription payments, manage your billing cycle, issue invoices, and maintain financial records as required by Indian tax law |
| Communications Data | Support emails, contact form submissions, in-app feedback (including your name and email address when provided) | To respond to your enquiries, provide customer support, and address grievances |
| Technical & Usage Data | IP address, browser type and version, device type and operating system, session identifiers (cookies), pages visited, features used, timestamps of actions, error logs | To maintain platform security, detect and prevent fraud and abuse, diagnose technical issues, and improve Service reliability and performance |
We do not collect sensitive personal data (as defined under the IT Privacy Rules, 2011) such as biometric data, medical records, or financial information beyond what is described above. We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
4. Legal Basis for Processing
We process your personal data on the following legal bases:
- Consent: For optional data processing activities, including optional AI features and functional cookies. You may withdraw consent at any time (see Section 8).
- Performance of a Contract: Processing necessary to provide the Service you have subscribed to, including account management, sprint features, and payment processing.
- Legal Obligation: Processing necessary to comply with applicable Indian laws, including tax obligations (7-year retention of financial records) and court orders.
- Legitimate Interests: Processing for platform security, fraud prevention, and service improvement, where such interests are not overridden by your privacy rights.
5. Third-Party Data Processors
We share your personal data only with the following named third-party processors, each under a contractual obligation to protect your data and process it only for the purposes we specify:
| Processor | Location | Data Shared | Purpose |
|---|---|---|---|
| Vercel Inc. | USA (Global CDN) | All data in transit; server-side rendered pages | Application hosting and global content delivery |
| Neon Inc. (via AWS US-East-2) | USA (Ohio) | Account data, workspace and sprint data, session data, billing metadata | Serverless PostgreSQL database storage |
| Google LLC (OAuth) | USA | Name, email, profile picture (only when you choose Google sign-in) | Third-party OAuth authentication |
| GitHub Inc. | USA | Name, email, profile picture (only when you choose GitHub sign-in) | Third-party OAuth authentication |
| Razorpay Software Pvt. Ltd. | India | Payment card data, billing address (processed directly by Razorpay; we do not receive or store full card details) | Payment processing for Pro Plan subscriptions |
| Resend Inc. | USA | Email address, email content (verification emails, transactional notifications) | Transactional email delivery |
| Anthropic PBC | USA | Sprint context and retrospective notes you submit to AI features | AI generation of sprint goals and retrospective insights via Claude API |
| Pusher Ltd. | United Kingdom | Connection metadata (for real-time event delivery, when implemented) | Real-time WebSocket communication within workspaces |
| Google LLC (reCAPTCHA v3) | USA | Browser and behavioural signals (IP address, user-agent, mouse movements) | Bot detection and protection of registration/login forms |
We share personal data with government authorities, law enforcement, or regulators only where required by applicable Indian law or a valid court order.
6. Cross-Border Data Transfers
Our Service involves the transfer of your personal data to servers and third-party processors located outside India, specifically to the United States of America (hosting, database, Google/GitHub OAuth, Resend, Anthropic, reCAPTCHA) and the United Kingdom (Pusher). Your payment card data is processed by Razorpay within India and is not transferred abroad by us.
These cross-border transfers are carried out under contractual data processing agreements with each processor that impose data protection obligations equivalent to those applicable in India. We will update this section if additional transfer destinations are introduced.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account & identity data | Duration of account + 30 days post-deletion | Service delivery; data export window |
| Workspace & sprint data | Duration of account + 30 days post-deletion | Core service delivery |
| AI prompt data | Not retained after API processing (session only) | Data minimisation; sent to Anthropic and not stored by us |
| Payment & billing records | 7 years | Indian tax law (GST, Companies Act) and financial audit requirements |
| Support communications | 2 years from last interaction | Dispute resolution and service improvement |
| Security & access logs | 1 year | Security monitoring, fraud detection, and incident response |
| Email verification tokens | 24 hours | Security (token expiry) |
8. Your Rights as a Data Principal
Under the Digital Personal Data Protection Act, 2023, you have the following rights with respect to your personal data. To exercise any of these rights, contact us at support@automateroutine.com. We will respond within 30 days of receiving a verified request.
Right to Access
You may request a summary of the personal data we hold about you and the purposes for which it is being processed.
Right to Correction
You may request that we correct any inaccurate or incomplete personal data. You can update most account information directly in your account settings.
Right to Erasure ("Right to be Forgotten")
You may request deletion of your personal data. We will delete or anonymise your data within 30 days of a verified request, subject to retention obligations required by law (such as financial records; see Section 7).
Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time with the same ease as it was given. You can withdraw consent for optional analytics or functional cookies via our Cookie Policy settings. For other consent-based processing, contact us at support@automateroutine.com. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Right to Nominate (Section 14, DPDP Act 2023)
You have the right to nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. To register a nominee, contact us at support@automateroutine.com.
Right to Grievance Redressal
If you are dissatisfied with our response to a rights request or believe we have mishandled your data, you may:
- File a grievance with our Grievance Officer at support@automateroutine.com; or
- File a complaint with the Data Protection Board of India (once operational, via the official government portal at www.meity.gov.in).
9. Children's Data
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a person under 18, we will promptly delete it and terminate the associated account.
From November 2026 (Phase 2 of DPDP Act enforcement), we will implement verifiable parental consent mechanisms if the Service is made accessible to users under 18, as required by the DPDP Act and Rules.
10. Security Safeguards
We implement reasonable technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction, including:
- Encrypted data transmission using HTTPS/TLS for all communications;
- Encrypted database storage via Neon (PostgreSQL) on AWS;
- Passwords stored using BCrypt hashing (one-way, non-reversible);
- Role-based access control (RBAC) limiting data access to authorised personnel;
- CSRF protection on all authenticated routes;
- reCAPTCHA v3 to prevent automated bot attacks on registration and login; and
- Regular security reviews and incident response procedures in accordance with the OWASP Application Security Verification Standard (ASVS).
No system is entirely secure. In the event of a personal data breach that is likely to affect your rights or interests, we will notify the Data Protection Board of India and affected users as required by the DPDP Act, 2023, within the prescribed timeframe (72 hours of becoming aware of the breach for Board notification, and as soon as reasonably practicable for user notification).
11. Language Availability
This Privacy Policy is currently available in English. In compliance with the DPDP Rules, 2025, we will make this Policy available in additional languages listed in the Eighth Schedule of the Constitution of India upon reasonable request. Please write to support@automateroutine.com to request a translated version.
12. Updates to This Policy
We may update this Privacy Policy periodically to reflect changes in our data practices, the Service, or applicable law. When we make material changes, we will notify you by:
- Sending an email to the address registered with your account; and/or
- Displaying a prominent notice within the Service.
The "Effective Date" at the top of this page will always reflect the date of the most recent version. We encourage you to review this Policy periodically.
13. Contact & Grievance Officer
For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our designated Grievance Officer:
Grievance Officer, Automate Routine
Phase 8B, Industrial Area
Mohali, 160071, Punjab, India
Email: support@automateroutine.com
Acknowledgement: within 48 hours | Resolution: within 30 days
If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India via www.meity.gov.in.