DATA PRIVACY POLICY

Last Updated: 05-Nov-2025

This Privacy Policy (“Policy”) describes how Xcelore (“Company,” “we,” “us,” or “our”) collects, uses, discloses, and protects the Personal Data of customers (“End Users”) of businesses (“Our clients”) using the software product, ‘Exei’ (“AI Agent”). Exei is a tool for helping businesses to elevate their customer service and automate the redundant operational tasks, thereby reducing cost & elevating customer experience while driving growth. The AI Agent powered by Exei can integrate with many channels, such as Websites, Mobile Applications, WhatsApp, Instagram, Facebook, Slack, Toll-Free Numbers, etc., allowing End Users to communicate with businesses in these channels. By engaging our Services, our Clients agree to the practices described herein. End Users should refer to the Client’s privacy policy for additional details about their data handling.

1. Objective

Xcelore is dedicated to the highest level of data privacy and adheres to all guidelines established by law. The safeguarding of Personal Data and Sensitive Personal Data or Information is fundamental to developing confidence in Xcelore and maintaining its reputation. This Policy designates a sound framework to control and protect Personal Data, and to process Personal Data lawfully, securely, and transparently, which will enhance our operations and fill customers with trust. Xcelore processes Personal Data according to Client requirements, as outlined in our service agreements and Data Processing Agreements, ensuring compliance with the applicable laws.

2. Definitions

• Data Controller - Our Business Clients using Exei’s services for their customers act as Data Controller and determine the purposes and methods of processing Personal Data, including the types of Personal Data collected and the purposes for their use.
• Data Processor - Xcelore, while acting as Data Processor, processes the Personal Data of customers / End Users on behalf of the Data Controller as per strict contractual agreements.
• Customers / End Users: An individual whose Personal Data is subject to Processing.
• Personal Data: Any information relating to an identified or identifiable Customer / End User, including but not limited to name, email address, contact number, payment information, billing details, IP address, device information, usage data, location data and chat logs, provided by Data Controller to Xcelore for processing or submitted to AI Agent by Data Controller’s Customer / End User.
• Sensitive Personal Data or Information: Personal Data requiring heightened protection provided by the Data Controller to Xcelore for processing or submitted to the AI Agent by the Data Controller’s Customer / End User, such as:
  • Political affiliations
  • Religious beliefs
  • Philosophical beliefs
  • Race or ethnicity
  • Sexual orientation
  • Health data
  • Biometric data
  • Criminal history
  • Credit or financial data
  • Trade union and membership information
• Consent: A freely given, specific, informed, and unambiguous indication of agreement by the Data Controller and/or the End Users to the retention and Processing of Personal Data, expressed through a clear affirmative action.
• Processing Personal Data: Any operation or set of operations performed on Personal Data, such as collection, recording, organisation, storage, use, disclosure, analysis, restriction, erasure, or destruction.
• Software: The software product ‘Exei’ is provided by Xcelore to Businesses and is accessible to End Users via AI Agent interactions.
• Sub-processors: Trusted service providers engaged by Xcelore to support its Services. The list of Xcelore’s sub-processors can be found Sub-processors
• Third Party / Parties: Any individual or entity other than the Customers / End Users, Data Controller, Data Processor and Sub-processors.

3. Roles of Data Controller and Data Processor

When we deliver services to our Business Clients who are data controllers, we process data as a data processor. We process personal data on behalf of and according to the requirements of our Clients and in response to queries submitted by the End Users. Our Clients are responsible for the purposes and manner in which personal data is processed. Our Clients are responsible for the lawful collection of personal data, including obtaining any necessary consent or other legally mandated authorisations and dealing with End Users in relation to their data rights.

4. How Xcelore Collects and Processes Personal Data

When End Users interact, submit their Personal Data or raise their queries to the AI Agent, or when our Clients share Personal Data of End Users with us, we collect information that helps our clients to serve the End Users with the best services. We may collect data in the following ways:

1. Personal Data provided directly by our Business Clients about their End Users / Customers.
2. Personal Data submitted by End Users / Customers as they engage with the AI agent.

We process the Personal Data as per the requirements of our client and in response to queries submitted by the End Users. We take reasonable measures to ensure that the personal data is secure and to prevent unauthorised access or disclosure.

5. Sources of Personal Data

Personal data processed by Xcelore is generally obtained from the following sources:

1. Data Provided by our Business Clients: Our Clients share personal data of their End Users / Customers, which may then be used by our AI agent to deliver customer service. The Personal Data that may be collected for the below-mentioned processing activities includes contact information, account details, technical data or other information that may be necessary to provide customer support services.
2. Data Collected from End Users: When Customers / End Users interact with our AI agent, we may collect personal data that they provide during conversations and chats with the AI Agent to resolve their queries and inquiries. We may also collect technical data, such as IP addresses, and device information to facilitate our services to the End Users and our Business clients.

6. Purposes of Personal Data Collection and Processing

We do not process personal data for purposes other than to provide such services to our Clients and End Users, including but not limited to:

1. Running the AI agent to answer End Users’ queries / provide customer service queries on behalf of our Clients.
2. Enhancing personal interactions as per data provided by our Client or inputs by the End users for catering to the specific requirement of customer service.
3. Improving the performance and functions of our AI agent, where permitted by the Clients.
4. Protecting the security and integrity of the Services, including disrupting the unauthorised access to our Services or any fraudulent activity.
5. Responding to legal obligations, including but not limited to lawful purposes or record keeping, as much of the applicable laws provide.

We do not process personal data for our purposes unless explicitly authorised by our Clients or End Users, nor do we sell personal data to third parties.

7. Cookies and Tracking Technologies

We may use cookies or similar technologies to facilitate the functions of our AI agent, which are strictly necessary for service delivery. We do not track the Customers / End Users for marketing purposes. We collect technical data to ensure security and enhance interactions. Our Clients are responsible for informing their customers / End Users about such technologies in their respective privacy policies. We provide details to our clients to support compliance with their policy.

8. Data Processing Activities

We only process data that is required to provide the services, such as:

1. Safely storing personal data on servers to allow access by AI agents during interactions.
2. Processing conversation inputs to produce relevant answers or carry out client directives.
3. Sharing Personal Data with Clients or authorised service providers to complete service tasks.
4. Technical data analysis to identify and prevent security risks.
5. When allowed, transforming personal data into aggregated or anonymised forms for AI training.

All processing is carried out in accordance with applicable data protection laws and at the request of our Client or End User.

9. Data Sharing

We may share Personal Data in the following circumstances:

1. With Clients: Personal Data collected from End Users / Customers is shared with the relevant Client to provide customer service and fulfil contractual obligations.
2. With Sub-processors: We engage trusted service providers to support our Services. Such service providers are contractually obligated to protect Personal Data and process it only for purposes specified by us.
3. For Legal Purposes: If required by law, we may disclose Personal Data, in cases such as compliance with court orders, responding to government requests, or protecting our rights, property, or safety.
4. Business Transfers: In the event of a merger, acquisition, or asset sale, Personal Data may be transferred to the acquiring entity, subject to appropriate safeguards.

We do not sell Personal Data to third parties.

10. International Data Transfers

We may process Personal Data on servers located outside the country where it was collected. We comply with the applicable data protection laws for international transfers. Our respective Clients, as Data Controllers, are responsible for ensuring that they comply with their obligations for international transfers.

11. Data Security

We implement robust technical and organisational measures to protect Personal Data against unauthorised access, loss, alteration, or disclosure, including:

1. Encryption: Data is encrypted in transit and at rest.
2. Access Controls: Access is restricted to authorised personnel only, with role-based permissions.
3. Security Assessments: Regular audits and vulnerability scans to maintain system integrity.
4. Contractual Safeguards: Agreements with third-party service providers to ensure compliance with data protection.

In the event of a data breach, we will:

1. Notify affected Business Clients as soon as reasonably practicable, as required by our DPAs, to enable them to inform End Users or authorities.
2. Take immediate steps to mitigate the breach and prevent recurrence.
3. Cooperate with Clients to comply with applicable breach notification laws.
4. Despite these measures, no system is completely secure, and we cannot guarantee absolute security.

12. Rights of End Users

End Users may have rights under data protection laws, including:

1. Access: Request a copy of their Personal Data.
2. Rectification: Correct inaccurate or incomplete data.
3. Deletion: Request deletion of their data.
4. Restriction: Limit processing in certain circumstances.
5. Objection: Object to processing based on legitimate interests.
6. Data Portability: Receive their data in a structured, commonly used format.

As a data processor, we do not directly handle End-user rights requests. End Users should contact the relevant Client, who acts as the data controller, to exercise their rights. We assist Clients in fulfilling these requests as required by our DPAs.

13. Data Retention

We retain Personal Data only as long as necessary to provide the Services to the End Users, comply with the requirements of our Client and to meet legal obligations. When Personal Data is no longer needed, we securely delete or anonymise it using industry-standard methods.

14. Children’s Privacy

We do not intentionally request or collect Personal Data from children under 18 years of age through our AI agent chatbot services. Our Services are provided to business Clients, who act as data controllers and are responsible for ensuring that any Personal Data they provide or that we collect on their behalf, including from End Users under 18, is obtained with verifiable parental consent as required by applicable laws. If we become aware that Personal Data from a child under 18 has been collected without such consent, we will promptly take all reasonable steps to delete that data from our systems and refrain from using it, except as necessary to ensure the child’s safety or comply with legal obligations.

End Users under 18 years of age, or their parents/guardians, may request the deletion of their Personal Data by contacting the relevant Client, who acts as the data controller. We will assist Clients in processing such deletion requests as required by our Data Processing Agreements.

Please note that while we strive to fulfil these requests diligently, removing Personal Data may not guarantee its complete elimination from all systems due to technical limitations.

For inquiries about our handling of children’s data, please contact us at the contact information provided below.

Parents or guardians should first refer to the Client’s privacy policy for contact information to address concerns or exercise data rights related to children’s Personal Data.

15. Transparency and Notifications

Our respective Business Clients are primarily responsible for informing their customers / End Users as Data Controllers, about the collection and processing of their Personal Data by us, through their privacy policies. We ensure transparency by:

1. Maintaining this publicly accessible Data Privacy Policy, detailing the categories of Personal Data collected, purposes of processing, and our role as a data processor.
2. Providing our Clients with details of the Personal Data categories processed to assist in their transparency obligations.

16. Changes to This Policy

We may update this Data Privacy Policy to reflect changes in our practices or legal requirements. Updates will be posted on our website with a revised effective date. Clients will be notified of significant changes as required by our agreements. End Users should check their Client’s privacy policy for updates on data processing.

17. Contact Information and Grievance Redressal

For questions about this Data Privacy Policy or our data processing practices, please contact:

• Email: support@exei.ai
• Address: A-47, Third Floor, Sector 2, NOIDA, Gautam Buddha Nagar, Uttar Pradesh, India - 201301.
• Phone Number:

End Users should refer to the Client’s privacy policy for contact information to exercise data rights or raise concerns. We will assist Clients in addressing such inquiries as needed. We will respond to grievances within a reasonable timeframe.