Privacy Policy

Rigid Body Dynamics (“Rigid Body Dynamics”, “we”, “us”, or “our”) builds AI agents that automate supply-chain and back-office operations for brand owners, manufacturers, and distributors. To do that, our agents read messages, voice notes, photos, emails, and spreadsheets that flow through your existing WhatsApp, email, Excel, and phone channels, and turn that activity into structured operational actions such as purchase orders, dispatch plans, credit holds, and forecasts.

This policy explains what we collect, why we collect it, who we share it with, and the choices and rights available to you. It applies to our website, our hosted platform, and any agent or workflow we operate on behalf of a customer.

We process two broad categories of personal information:

• Visitor data - information about people who visit our website, request a demo, or contact us. We act as the data fiduciary for this information.
• Customer operational data - information our agents process inside a customer’s operations (orders, vendor messages, distributor exchanges, dispatch plans, invoices, etc.). For this data, our customer is the data fiduciary and we act as a data processor on their behalf, under the contract in place with them.

From website visitors and prospects

• Contact details you submit (name, work email, phone number, company name, role).
• Meeting scheduling data when you book a demo through our calendar link.
• Device, log, and analytics data - IP address, browser type, pages visited, referrer, and approximate location derived from IP.
• Cookies and similar technologies (see Section 9).

From customers and their authorized users

• Account and billing information for the contracting entity.
• Authentication data (credentials, access tokens, audit logs).
• Configuration data (SKUs, pricing tiers, vendor list, credit rules, territory mapping).

Operational data our agents process

• WhatsApp messages, voice notes, images, and attachments shared with the numbers connected to our agents.
• Emails and attachments routed to inboxes that you connect.
• Excel, CSV, PDF, and ERP exports you upload or auto-sync.
• Phone call recordings and transcripts where you have enabled call ingestion.
• Order, inventory, dispatch, vendor, distributor, credit-limit, and related operational records used to run agents like the Procurement Agent, Production Planner, Dispatch Coordinator, Field Listener, Credit Watchdog, and Forecast Engine.

Operational data may include personal information of your employees, field staff, vendors, distributors, and their representatives - for example names, phone numbers, voice recordings, and photos. You are responsible for ensuring you have the legal basis and notices in place to share this data with us under applicable laws, including the Digital Personal Data Protection Act, 2023 (DPDP).

• To provide, operate, and improve our agents and platform.
• To turn unstructured WhatsApp, email, voice, and document inputs into structured actions (orders, POs, dispatch plans, credit holds, forecasts).
• To match orders to SKUs, check live inventory, and confirm orders back to your customers and field team.
• To detect anomalies, prevent abuse, and secure the platform.
• To respond to demo requests, support tickets, and other inquiries.
• To comply with legal obligations and enforce our agreements.
• To train and tune customer-specific models on your operational data when your contract permits. We do not use your operational data to train shared, multi-tenant models unless you have given us explicit, separate consent in writing.

Our agents combine our own systems with hosted large language model (LLM) and speech-to-text providers to interpret messages, voice notes, and documents. When the platform sends a snippet of operational data to one of these providers, we choose providers and configurations that contractually prohibit them from training their own foundation models on your data.

AI outputs are probabilistic. We design agent workflows with configurable approval steps for high-impact actions (e.g., releasing credit, confirming a purchase order, or sending a payment instruction) so that a human can review and override the agent before any irreversible action is taken on your behalf.

Where Indian law applies, we rely on the following bases under the DPDP Act and applicable contract:

• Consent - for marketing communications and optional features.
• Performance of contract - to deliver the platform to a customer and to interact with prospects who request a demo.
• Legitimate uses - for security, fraud prevention, debugging, and improving the platform.
• Legal obligation - to comply with tax, accounting, and regulatory requirements.

We do not sell personal information. We share it only as described below:

• Subprocessors and infrastructure providers - cloud hosting, LLM and speech providers, messaging gateways, email and analytics tools, payment processors. Each is bound by contract to use the data only to provide their service to us.
• Customer’s own systems - we write back to ERPs, accounting software, and dashboards you connect.
• Authorized users in the customer’s organization - agents send WhatsApp summaries, alerts, and reports to the people you add as recipients.
• Legal and safety - to comply with law, valid legal process, or to protect our rights, property, or safety, or that of our customers or the public.
• Business transfers - in connection with a merger, acquisition, or sale of assets, with the same protections in place.

A current list of material subprocessors is available on request to the contact below.

Some of our subprocessors (notably LLM and speech-to-text providers) are located outside India. When we transfer personal data internationally, we do so in compliance with applicable law and use contractual safeguards with each recipient. Customers who require all processing to remain inside India can request a India-only deployment at the time of contracting.

Our marketing website uses a small set of strictly necessary and analytics cookies to keep the site running, measure traffic, and understand which pages prospects find useful. We do not use third-party advertising cookies. You can block or delete cookies via your browser, although some parts of the site may not function as intended.

• Visitor and prospect data - retained for up to 24 months after the last interaction, then deleted or anonymized.
• Customer account and configuration data - retained for the duration of the contract and up to 90 days after termination.
• Operational data processed by agents - retained for the period agreed in the customer contract, with the default being 12 months on hot storage and longer on cold storage where required for audit or legal reasons.
• Backups - overwritten on a rolling cycle of up to 90 days.

• Encryption in transit (TLS 1.2+) and at rest for data stored on our managed cloud infrastructure.
• Role-based access controls and least-privilege defaults for our staff.
• Audit logging of administrative and agent actions.
• Network isolation between customer environments where contracted.
• Regular vulnerability scanning and dependency review.

No system is perfectly secure. If we become aware of a security incident affecting your personal data, we will notify the affected customer without undue delay in line with the DPDP Act and the terms of our contract.

Where the DPDP Act or other applicable law gives you rights over your personal data, you can ask us to:

• access a copy of the personal data we hold about you,
• correct inaccurate or incomplete personal data,
• erase your personal data, subject to legal retention obligations,
• withdraw consent you have given us at any time, and
• nominate another individual to exercise these rights in the event of your incapacity or death.

If your data was provided to us by one of our customers (for example, you are a distributor or field staff member of a brand we work with), please reach out to that customer first - we will support them in responding to your request.

Our platform is built for businesses and is not directed at children. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us and we will delete it.

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where required, notify customers by email or in-product message.

For privacy questions, requests under the DPDP Act, or to reach our grievance officer, book a call. We aim to acknowledge requests within 7 business days and resolve them within 30 days.