Data Protection Policy
Version: 1.0 | Effective: 21 Nov 2024
Last Reviewed: 11 Apr 2025
Prepared by: Privacy & Compliance Office, AtomLeap.ai
1. Purpose

This Data Protection Policy outlines AtomLeap.ai's commitment to safeguarding the personal data of its users, clients, employees, and other stakeholders. Its purpose is to define the principles and framework for collecting, storing, processing, and securing personal data to ensure compliance with applicable data protection laws, including India's Digital Personal Data Protection Act (DPDP), GDPR, and CCPA.

2. Scope

This policy applies to:

  • All employees, contractors, vendors, interns, and temporary workers of AtomLeap.ai.
  • All business functions and departments within AtomLeap.ai.
  • All personal data processed in digital or physical form.
3. Definitions
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
  • Data Subject: The individual whose personal data is being processed.
  • Data Controller: The entity that determines the purposes and means of processing personal data.
  • Data Processor: The entity that processes personal data on behalf of the controller.
  • DPO (Data Protection Officer): An individual appointed to ensure compliance with data protection laws and practices.
4. Legal Framework

AtomLeap.ai adheres to the following data protection regulations:

  • Digital Personal Data Protection Act (India)
  • General Data Protection Regulation (EU) 2016/679 (GDPR)
  • California Consumer Privacy Act (CCPA)
  • ISO/IEC 27001 Information Security Management Standard
  • Applicable local and international laws
5. Principles of Data Protection

AtomLeap.ai follows these key principles:

  • Lawfulness, Fairness, and Transparency
  • Purpose Limitation – Data is collected for specified, explicit, and legitimate purposes.
  • Data Minimization – Only data necessary for the intended purpose is collected.
  • Accuracy – Data must be accurate and up to date.
  • Storage Limitation – Data is retained only for as long as necessary.
  • Integrity and Confidentiality – Data is secured against unauthorized access and loss.
  • Accountability – AtomLeap.ai is responsible for demonstrating compliance.
6. Data Collection
6.1 Types of Data Collected
  • Identity Information: Full name, address, email, phone number
  • Employment Information: Job title, company, work email
  • Technical Data: IP address, browser type, device identifiers, cookies
  • Behavioral Data: Clickstream, usage patterns, preferences
  • Financial Data: Bank details, transaction history (if applicable)
  • Special Category Data: Biometric or sensitive data (only when necessary)
6.2 Collection Methods
  • Web forms
  • Service registration
  • Feedback and support channels
  • Automated tracking (cookies, analytics)
  • Third-party integrations and APIs
7. Purpose of Processing

AtomLeap.ai processes personal data for the following reasons:

  • Service provisioning and account management
  • Customer support and service communication
  • Billing and payment processing
  • Recruitment and HR operations
  • Legal and regulatory compliance
  • Product improvement and research
  • Marketing and newsletters (with consent)
8. Lawful Basis for Processing

We rely on the following lawful bases:

  • Consent – User provides clear permission
  • Contractual Necessity – Processing is required to fulfill contractual obligations
  • Legal Obligation – Required by applicable laws
  • Legitimate Interests – For improving services and operations
9. Data Subject Rights

Under applicable laws, individuals have the right to:

  • Access their personal data
  • Correct inaccurate data
  • Delete their data (Right to be forgotten)
  • Restrict or object to data processing
  • Data Portability – Receive their data in a portable format
  • Withdraw Consent at any time
  • Lodge a Complaint with a supervisory authority

AtomLeap.ai provides mechanisms to exercise these rights via privacy@atomleap.ai.

10. Data Security

AtomLeap.ai implements the following security controls:

  • Encryption: AES-256, HTTPS, TLS 1.3
  • Authentication: 2FA, RBAC
  • Monitoring: Intrusion detection and prevention systems
  • Secure Development Lifecycle (SDLC)
  • Physical Security: Secure office access, biometric entry
  • Incident Management Plan
  • Regular Penetration Testing and Audits
11. Data Retention and Disposal
  • Retention Schedule: Based on data type and regulatory requirements
  • Secure Disposal Methods: Data wiping, shredding, digital destruction tools
  • Archival Policies: Data archived for legal or research needs with access control
12. Data Sharing and Transfers
12.1 Internal Sharing
  • Only authorized teams with role-based access.
12.2 Third-Party Sharing
  • Under data processing agreements (DPAs)
  • Compliance with SCCs and adequate safeguards
  • Shared for cloud services, analytics, support, and payments
12.3 Cross-Border Transfers
  • Adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (if applicable)
13. Data Breach Response

AtomLeap.ai follows a strict Incident Response Procedure:

  • Identification and containment of the breach
  • Assessment of scope and impact
  • Notification to supervisory authorities and affected data subjects within 72 hours (GDPR)
  • Remediation and root cause analysis
  • Documentation of all incidents
14. Roles and Responsibilities

The following roles and their responsibilities are defined to ensure proper data protection management:

Role | Responsibility
DPO | Compliance, policy enforcement, training
Management | Oversight and resourcing
IT Security | Implementation of security protocols
HR | Employee awareness and access management
Legal & Compliance Team | Regulatory updates and contract reviews
All Employees | Responsible data handling
15. Training and Awareness

AtomLeap.ai promotes data protection awareness by:

  • Requiring all employees to undergo annual data protection training
  • Providing specialized training for HR, DevOps, Marketing, and Compliance teams
  • Circulating internal newsletters and conducting awareness drives
16. Data Protection Impact Assessments (DPIA)

DPIAs are conducted:

  • For new tools or technologies involving personal data
  • During high-risk processing such as automated decision-making or profiling
  • When conducting large-scale processing of special category data

Each DPIA includes the following elements:

  • Description of the processing activity
  • Assessment of necessity and proportionality
  • Risk evaluation and mitigation measures
17. Use of Cookies and Tracking

AtomLeap.ai uses cookies to:

  • Improve user experience
  • Collect analytics and traffic data
  • Facilitate login sessions

Types of cookies used:

  • Necessary
  • Performance
  • Functional
  • Marketing (with user consent)

Users can manage cookie settings via our cookie banner.

18. Data Protection by Design and by Default

The following practices are embedded in product development and operations:

  • Secure defaults in application development
  • Conducting Privacy Impact Assessments before launching new features
  • Using pseudonymization and anonymization when applicable
  • Data minimization at the system architecture level
19. Audits and Compliance Monitoring

To ensure continuous compliance, AtomLeap.ai performs:

  • Annual internal audits
  • External audits by certified assessors
  • Review of third-party contracts and service-level agreements
  • Ongoing monitoring using compliance dashboards and reporting tools
20. Contact Information

For questions or concerns regarding data protection:

Data Protection Officer
AtomLeap.ai
Email: privacy@atomleap.ai
Subject line: "Data Protection Policy Inquiry"

We aim to respond within 7–10 business days.