Effective date: 5 June 2025

Background

On 25 May 2018, the European Union (EU) began enforcing the General Data Protection Regulation (GDPR). After Brexit, the United Kingdom adopted the UK GDPR. Together, these regulations harmonise data‑protection rules across the EU and UK and grant individuals stronger, more consistent rights over their personal information.

Our Commitment

Yin Yang Inc. ("we", "us", "our", elaichi.ai) takes data‑privacy and security obligations seriously. We continuously review our operations to keep every aspect of the elaichi.ai platform and our associated services—including MCP‑based connections to third‑party SaaS apps, custom integrations, and related professional services—aligned with GDPR requirements.

1. Controller and Processor Roles

• Data Controller. For any personal information submitted directly on elaichi.ai (e.g., contact forms, demo requests, job applications), elaichi.ai determines the purposes and means of processing.

• Data Processor. When customers use our Services and supply personal information about their end‑users, we process that data strictly on their documented instructions.

2. Risk Assessment

We conduct organisation‑wide information‑discovery exercises to identify:

1. what personal data we hold,

2. where it originates,

3. how and why we process it, and

4. with whom it is shared.

Findings drive continual improvements to our technical and organisational safeguards.

3. Data‑Subject Consent

• Website visitors must affirmatively consent to our Privacy Policy and Cookie Policy before we collect or process their personal data.

• Users can exercise GDPR rights—access, rectification, erasure, restriction, objection, and portability—by emailing legal@elaichi.ai.

4. Contracts with Sub‑processors

• When acting as Controller. We execute GDPR‑compliant data‑processing agreements with every sub‑processor, ensuring they handle personal data only under our instructions and with robust security controls.

• When acting as Processor. We adopt the safeguards and follow the instructions defined in each customer’s data‑processing addendum, available at https://elaichi.ai/dpa.

5. International Data Transfers

We rely on:

1. the EU Standard Contractual Clauses (SCCs), and

2. the UK International Data Transfer Addendum (ITDA)

to provide a lawful basis for any transfer of personal data outside the EU or UK.

6. Data Retention & Erasure

elaichi.ai’s internal Data‑Protection Compliance Policy embeds the GDPR principles of data minimisation and storage limitation. Personal data is retained only as long as necessary for its stated purpose, after which it is securely deleted or anonymised.

7. Article 30 Record‑Keeping

We maintain detailed records of all personal‑data processing activities—both as Controller and as Processor—in line with Article 30(1) and 30(2) requirements.

8. Breach Response

Robust preventive measures reduce the likelihood of a data breach. Should a breach occur, we will:

1. contain and investigate the incident immediately,

2. notify affected customers and the relevant supervisory authority without undue delay, following GDPR timelines, and

3. provide timely updates and remediation actions to all stakeholders.

9. Ongoing Compliance

We review policies, contracts, and security controls regularly, train staff on data‑protection best practices, and audit sub‑processors to ensure continued adherence to GDPR standards.

Questions?

For any GDPR‑related inquiry, reach us at legal@elaichi.ai. elaichi.ai remains committed to safeguarding personal data and upholding every right granted under the GDPR.