Legal · Data Processing Addendum
EU / EEA Privacy Policy Addendum
Last updated: May 2026
This EU/EEA Privacy Policy Addendum ("EU Addendum") supplements the Privacy Policy of MASIN PROJECTS PRIVATE LIMITED("MASIN AI", "we", "us", or "our") and applies to the processing of Personal Data of individuals located in the European Union and European Economic Area (collectively, the "EU Area").
This EU Addendum forms part of, and is incorporated into, the Privacy Policy. In the event of any conflict or inconsistency between this EU Addendum and the Privacy Policy, this EU Addendum shall prevail for individuals located in the EU Area. For enterprise customers, the Data Processing Addendum governs the processing of Customer Personal Data.
1. Definitions
1.1 "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. References to "Data Fiduciary" in the Privacy Policy shall be read as references to "Controller" for EU Customers.
1.2 "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
1.3 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
1.4 "Personal Data" means any information that identifies or can be used to identify a living individual, whether directly (such as a name) or indirectly (such as an identification number, location data, or online identifier). This includes system-generated technical or usage data (such as IP addresses or device identifiers) where such data can be linked to an identifiable individual.
1.5 "Processor" means a natural or legal person which processes Personal Data on behalf of the Controller. References to "Data Processor" in the Privacy Policy shall be read as references to "Processor" for EU Customers.
1.6 "Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation.
1.7 "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 GDPR.
2. Scope and Applicability
This EU Privacy Policy Addendum applies to individuals located in the EU Area whose Personal Data is processed by MASIN AI.
3. Controller and Processor Roles
3.1 MASIN AI acts as Controller in respect of Personal Data that we collect directly from you for our own purposes, including: account registration and authentication; marketing communications (where consented); website analytics and performance monitoring; and compliance with legal obligations.
3.2 MASIN AI acts as Processor in respect of Customer Personal Data processed on behalf of enterprise customers pursuant to a Data Processing Addendum. In such cases, the enterprise customer is the Controller.
3.3 MASIN AI acts as an independent Controller for processing where it processes Personal Data through cookies and similar technologies for authentication, security, preferences, analytics, and performance.
3.4 MASIN AI may act as either a Controller or Processor depending on the context of processing.
3.5 Third-Party Service Integrations. When you enable integrations with third-party services, we may receive information from those third-party services as necessary to provide the integration functionality. Please note that third-party services are governed by their own privacy policies, and we are not responsible for their data practices.
4. Legal Bases for Processing
4.1 Under the GDPR, we must have a lawful basis for processing your Personal Data. The principal bases we rely upon are:
- (a) Performance of a Contract (Article 6(1)(b) GDPR): Processing necessary to perform our contract with you or to take pre-contractual steps at your request. We rely on this basis for providing the Platform and Services, account management, payments, and customer support.
- (b) Legitimate Interests (Article 6(1)(f) GDPR): Processing necessary for our legitimate business interests. We rely on this basis for security, fraud prevention, abuse detection, and service improvement.
- (c) Consent (Article 6(1)(a) GDPR): Where you have given your specific, informed agreement to the processing. We rely on this basis for marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- (d) Legal Obligation (Article 6(1)(c) GDPR): Where processing is necessary to comply with a legal obligation to which we are subject, including responding to lawful requests from authorities.
| Purpose of Processing | Legal Basis |
|---|---|
| Providing and operating the Platform and Services | Performance of a contract (Art. 6(1)(b)) |
| Account creation and authentication | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and billing | Performance of a contract (Art. 6(1)(b)) |
| Customer support and communication | Performance of a contract (Art. 6(1)(b)) |
| Security, fraud prevention, and abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Service improvement and analytics | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Responding to lawful requests from authorities | Legal obligation (Art. 6(1)(c)) |
4.4 Where we rely on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
4.5 We do not process Special Category Data unless strictly necessary and with your explicit consent or another lawful basis under Article 9 GDPR.
5. Data Subject Rights Under EU Data Protection Law
5.1 If you are located in the EU Area, you have the following rights under the GDPR:
| Right | Description |
|---|---|
| Right of Access | You have the right to obtain confirmation of whether we process your Personal Data and, if so, to request access to that data and a copy of it. |
| Right to Rectification | You have the right to have inaccurate Personal Data corrected and incomplete Personal Data completed. |
| Right to Erasure | You have the right to request deletion of your Personal Data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, or where the processing is unlawful. |
| Right to Restriction of Processing | You have the right to request that we restrict the processing of your Personal Data in certain circumstances, including where you contest the accuracy of the data. |
| Right to Data Portability | You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means. |
| Right to Object | You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing for that purpose. |
| Rights Related to Automated Decision-Making | You have the right not to be subject to decisions made solely by automated means that significantly affect you. |
5.2 To exercise any of these rights, please contact us using the details in Section 11 below. We will respond to your request within one (1) month, which may be extended by a further two (2) months where necessary, taking into account the complexity and number of requests.
5.3 We may request proof of identity before processing your request.
5.4 There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
6. International Data Transfers
6.1 MASIN AI is established in India. When you use the Platform, your Personal Data is transferred to India.
6.2 We also use sub-processors located in the United States (including Microsoft Teams) and other countries outside the EU Area. For US-based sub-processors, we have implemented Standard Contractual Clauses or rely on the EU-US Data Privacy Framework certification where applicable. A full list of sub-processors is available in Annex 2 of the Global DPA.
6.3 For all transfers of Personal Data from the EU Area to countries without an adequacy decision, we implement appropriate safeguards, including Standard Contractual Clauses (SCCs). We enter into the European Commission's Standard Contractual Clauses (adopted 4 June 2021) with data importers to ensure Personal Data is protected to EU standards.
6.4 Transfer Impact Assessments. Prior to any transfer, we conduct and document an assessment of the laws and practices of the destination country, including government access risks. Where risks are identified, we implement supplementary technical and organisational measures. Where supplementary measures cannot adequately address identified risks, we will suspend or cease the transfer.
6.5 You may request a copy of the Standard Contractual Clauses, Transfer Impact Assessments, and other transfer safeguards we have implemented by contacting us using the details in Section 11 below.
7. Data Retention
7.1 We retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
7.2 Retention periods by category:
| Category of Data | Retention Period |
|---|---|
| Account information | Duration of your account plus 180 days after termination |
| Support ticket data | 30 days after ticket closure |
| Payment and billing records | As required by applicable law |
| Security logs and access records | As necessary for security and compliance purposes |
| Marketing preferences | Until you withdraw consent or object |
| Cookies and technical data | As specified in the Cookie Policy |
7.3 Where MASIN AI acts as Processor in respect of Customer Personal Data processed on behalf of enterprise customers: (a) MASIN AI shall delete or return all Customer Personal Data within thirty (30) days of termination of the applicable agreement; and (b) MASIN AI shall provide written certification of data deletion within thirty (30) days of completing the deletion process, and in any event no later than one hundred and eighty (180) days after termination.
7.4 Where we process Customer Personal Data as a Processor, retention is governed by the Data Processing Addendum and the Controller's instructions.
8. Cookies and Similar Technologies
8.1 Our use of cookies is described in our Cookie Policy and Article 10.4 of the Terms and Conditions.
8.2 We may use cookies, pixels, and similar technologies for authentication, security, preferences, analytics, and performance.
8.3 For cookies that are not strictly necessary (such as analytics cookies), we will obtain your consent before placing such cookies, in accordance with applicable ePrivacy requirements.
8.4 You may withdraw your consent or manage your cookie preferences at any time through your browser settings or, where available, through the Platform's cookie management interface.
8.5 Do-Not-Track Signals. As there is no uniform standard for interpreting DNT signals, we do not currently respond to DNT browser signals. If a standard is adopted that we must follow, we will update this EU Addendum accordingly.
9. Complaints to Supervisory Authorities
9.1 If you are located in the EU Area and believe that our processing of your Personal Data infringes the GDPR, you have the right to lodge a complaint with a Supervisory Authority.
9.2 You may lodge a complaint with the Supervisory Authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
9.3 We would, however, appreciate the opportunity to address your concerns before you approach a Supervisory Authority, and we invite you to contact us first using the details in Section 11 below.
10. Children
10.1 The Platform is not intended for individuals under the age of 16 years. We do not knowingly collect Personal Data from children under 16. If you are under 16, please do not provide any Personal Data to us.
10.2 If we become aware that we have collected Personal Data from a child under 16 without verification of parental consent, we will take steps to delete that information.
11. Contact Details
General Contact
MASIN PROJECTS PRIVATE LIMITED
Plot 847, Phase V, Udyog Vihar, Sector-19, Gurugram, Haryana 122008, India
12. Changes to This EU Addendum
12.1 We may update this EU Addendum from time to time to reflect changes in our practices or applicable law.
12.2 Where we make material changes, we will notify you by posting the updated EU Addendum on the Platform and updating the "Effective Date" above. Where required by law, we will seek your consent to material changes.
12.3 We encourage you to review this EU Addendum periodically.