Privacy Policy | AndOr Skip to content

LEGAL · PRIVACY

Privacy policy.

We take your privacy seriously. This page explains what data we collect, how we use it, who we share it with, and the rights you have over it — under GDPR, India's DPDP Act, and applicable global frameworks.

EFFECTIVE: 01 JAN 2026 · LAST UPDATED: 19 MAY 2026 · VERSION 1.0

This Privacy Policy describes how Andor Communications Pvt. Ltd. (“AndOr,” “we,” “us,” or “our”) collects, uses, stores, and discloses information about you when you visit andor.in, use our consumer products, or engage us for enterprise AI services and consultancy.

1. Introduction

We are an AI-first technology company building Computer Vision, Multimodal, and Generative AI systems. Our services include a public-facing website at andor.in, consumer products (including LightX Editor, PhotoCut, Photoleaf, VMX, and StoryZ), and enterprise engagements involving AI strategy, design, build, and operations.

For the purposes of GDPR, AndOr is the data controller for personal data collected through this website and through our enterprise engagements; for our consumer products, AndOr is the controller unless otherwise stated in that product's own policy. For India's DPDP Act, AndOr is the data fiduciary. Where we process personal data on behalf of an enterprise customer, we act as a data processor under terms specified in our written agreement with that customer.

By using our website or services, you acknowledge that you have read and understood this Privacy Policy.

2. Data we collect

2.1 Information you provide directly

  • Contact information — name, email, company, role, country, and any details you submit through our consultation forms, newsletter signup, or careers page.
  • Engagement information — content of emails, meeting notes, project briefs, and other materials you share with us during a sales or delivery engagement.
  • Recruitment information — resumes, portfolios, and application details you submit to careers@andor.in.

2.2 Information we collect automatically

  • Device & browser data — IP address, user agent, device type, operating system, referring URL, language preference, and timezone.
  • Usage data — pages viewed, time on page, navigation paths, and interaction events on andor.in.
  • Cookies and similar technologies — see Section 4.

2.3 Information from third parties

  • Analytics providers, advertising partners, and identity providers (where applicable).
  • Publicly available business information (e.g., company size, role, sector) used to qualify enterprise inbound enquiries.

2.4 Enterprise customer data

During an enterprise engagement we may process personal data belonging to your customers, employees, or end users. We process this data strictly as your data processor, only on documented instructions, and only for the purpose set out in the relevant Master Services Agreement and Data Processing Addendum. We do not use customer data to train general-purpose models without explicit written authorization.

3. How we use data

We use personal data on one or more of the following legal bases under GDPR (and the corresponding lawful purposes under the DPDP Act):

  • Contract performance — to deliver services you have requested, respond to consultation requests, and operate ongoing engagements.
  • Legitimate interest — to operate, maintain, secure, and improve our website and services; to detect abuse; and to communicate with current and prospective customers about AndOr.
  • Consent — for newsletter subscriptions, optional cookies, and any other processing that requires opt-in.
  • Legal obligation — to comply with tax, accounting, regulatory, and audit obligations.

We do not sell personal data. We do not engage in cross-context behavioural advertising.

4. Cookies & tracking

We use a small number of cookies and similar technologies to make our website function and to understand how it is used. Cookie categories we may set:

  • Strictly necessary — required for the site to load, route, and remain secure. Cannot be disabled.
  • Analytics — anonymous or aggregate usage statistics that help us improve content and structure.
  • Functional — remember your preferences (e.g., dismissing a banner).

We do not set advertising cookies on andor.in. Where required by law, we present a cookie banner allowing you to accept or reject non-essential cookies. You can also manage cookies through your browser settings — refer to your browser's help section for guidance.

5. Sharing & disclosure

We share personal data only with the following categories of recipients, and only as necessary:

  • Service providers — hosting (AWS), email delivery, analytics, CRM, customer support, payment processing, and similar vendors. All such providers are bound by written agreements that restrict their use of data to providing services to AndOr.
  • Professional advisors — accountants, auditors, and legal counsel, where required for a defined business purpose.
  • Government and regulatory authorities — where required by valid legal process, court order, or applicable law.
  • Successors — in the event of a merger, acquisition, restructuring, or asset sale, personal data may transfer to the acquiring entity subject to equivalent protections.

We do not sell or rent personal data to third parties.

6. Data retention

We retain personal data only as long as needed for the purposes set out above, including:

  • Account and contact data: for the duration of our business relationship, plus a reasonable period to handle queries and meet legal obligations.
  • Engagement records: for the contractual period plus up to seven (7) years to meet audit and statutory obligations.
  • Marketing and newsletter data: until you unsubscribe or for two (2) years of inactivity, whichever is earlier.
  • Recruitment data: up to twelve (12) months after the application, unless you ask us to retain it longer for future opportunities.

When personal data is no longer needed, we securely delete or anonymize it.

7. Your rights

Depending on your location, you have the following rights with respect to your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete personal data, subject to legal retention requirements.
  • Restriction — ask us to limit how we process your data.
  • Objection — object to processing based on legitimate interest, including direct marketing.
  • Portability — receive your data in a structured, commonly used, machine-readable format.
  • Withdraw consent — where processing is based on consent, withdraw it at any time. Withdrawal does not affect prior lawful processing.
  • Lodge a complaint — with the relevant supervisory authority (e.g., your EU Member State data protection authority, or the Data Protection Board of India under the DPDP Act).

To exercise any of these rights, write to hello@andor.in. We will respond within thirty (30) days, or sooner where required by law.

8. International transfers

AndOr is headquartered in India. Some of our service providers may store or process personal data in other jurisdictions, including the European Economic Area, the United States, and Singapore. Where personal data is transferred outside its country of origin, we rely on appropriate safeguards such as Standard Contractual Clauses (under GDPR) or other recognized legal mechanisms to ensure your data remains protected to the standards described in this policy.

9. Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption of data in transit (TLS) and at rest for sensitive datasets.
  • Role-based access controls and the principle of least privilege.
  • Routine audits, logging, and monitoring of our infrastructure.
  • SOC2-aligned operational practices across our MLOps and production systems.
  • Security awareness training for our team and incident response procedures.

No method of transmission or storage is 100% secure. If a personal data breach occurs, we will notify affected users and regulators within the timeframes required by applicable law.

10. Children's privacy

Our website and enterprise services are not directed to children under the age of 16 (or the equivalent minimum age in the user's jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect operational, legal, or regulatory changes. When we do, we will revise the “Last updated” date at the top of the page. For material changes, we will provide additional notice (such as a banner on the website or a direct email where appropriate).

12. Contact us

For privacy-related questions, requests, or complaints, please write to us at:

Andor Communications Pvt. Ltd.
Email: hello@andor.in
Subject line: “Privacy Request”

END OF PRIVACY POLICY

Questions about how we handle your data?

hello@andor.in
Book a Call