Privacy Policy
How we collect, use, and protect your data
Last updated: 16 May 2026
This Privacy Policy ("Policy") describes how YV Labs LLP ("YV Labs," "we," "us," or "our") collects, uses, discloses, and protects personal data in connection with popkorn — the conversational AI platform we make available at popkorn.tech and app.popkorn.tech (collectively, the "Services"). This Policy is written to be compliant with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules") notified on 13 November 2025; the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), each as in force from time to time; and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("IT Rules, 2021").
If you have questions about this Policy, write to privacy@popkorn.tech. If you wish to raise a grievance, please write to our Grievance Officer at grievance@popkorn.tech — full contact details are in Grievance Officer at the end of this Policy.
1. Who this Policy applies to
popkorn is a business-to-business conversational AI platform. Two distinct groups of people interact with us, and the law treats their personal data differently.
1.1 Account Holders
If you sign up for popkorn on behalf of an organisation — typically as an "owner," "admin," "agent," or "member" of an account — you are an Account Holder. For Account Holder personal data (such as your email address, your role within the organisation, and your billing identity), YV Labs is the Data Fiduciary within the meaning of §2(i) of the DPDP Act. We determine the purposes and the means of processing your personal data and we are directly responsible to you for the obligations set out in this Policy.
1.2 End Customers
If an Account Holder uses popkorn to call you, send you a WhatsApp message, reply to your email, or chat with you on a website, you are an End Customer. For End Customer personal data, the Account Holder's organisation (the "Client") is the Data Fiduciary. We act only as the Client's Data Processor under §8(2) of the DPDP Act — we process End Customer personal data on the Client's documented instructions, for the purposes that the Client has set, and we do not decide independently what to do with it.
If you are an End Customer and want to exercise any rights in relation to your personal data, your first point of contact is the Client whose conversation reached you. We will support the Client in responding to your request, and you may also write to us at privacy@popkorn.tech if you cannot reach the Client, or if you believe your request is not being handled properly.
2. Personal data we process
The categories of personal data we process depend on whether you are an Account Holder or an End Customer.
2.1 Account Holder personal data (we are the Data Fiduciary)
- Account identity — your email address and an internal user identifier generated when you log in via a one-time link.
- Organisation profile — the name and short identifier of your organisation, your role within it, the team you belong to, and any invitations you have issued or accepted.
- Billing identity — references to payments, subscriptions, and credit transactions associated with your organisation. We do not store full card numbers, UPI handles, or bank-account numbers; payment instruments are held by our payment processor under its own merchant arrangement.
- Operational metadata — the agents, system prompts, voice configurations, telephone numbers your organisation has claimed, automation flows, campaigns, integration connections you have authorised, and knowledge-base content you have uploaded so that your agents can answer questions.
- Session and usage data — authentication cookies that keep you signed in, the state of your dashboard sidebar, and audit-log entries capturing administrative actions you take.
- Communications with us — any messages you send to our support, billing, or legal email addresses, and our replies.
2.2 End Customer personal data (we are the Data Processor; the Client is the Data Fiduciary)
When a Client uses popkorn to communicate with End Customers, we process — on the Client's instructions — the personal data that flows through the conversation. Depending on which channels the Client has enabled, this may include:
- voice audio captured during inbound and outbound calls;
- recordings of those calls, where recording is enabled by the Client;
- turn-by-turn transcripts of conversations;
- telephone numbers, email addresses, and messaging-platform identifiers (such as WhatsApp or Instagram handles) used to reach the End Customer;
- message bodies and media attachments exchanged over WhatsApp, email, web chat, Instagram, RCS, or SMS;
- structured information that the AI agent extracts during a conversation (such as an order number, postal code, or complaint type the End Customer has shared);
- post-call AI summaries generated automatically to help the Client follow up;
- customer data the Client has integrated from third-party systems (such as order history from the Client's e-commerce platform, calendar availability, or invoice status) — fetched on demand to answer the End Customer's question, not bulk-replicated by us;
- support-desk tickets created from these conversations, along with the messages and attachments exchanged on those tickets;
- longer-term conversation memory the Client may have configured to make repeat interactions feel continuous;
- records of opt-outs and do-not-disturb preferences indicated by the End Customer.
We do not decide what data the Client collects from End Customers, what purpose it is used for, or how long it should be kept. The Client must obtain any required consent, give any required notice, and answer any End Customer rights request — as the Data Fiduciary.
2.3 Knowledge-base content uploaded by Clients
Clients upload documents, websites, and other reference material into popkorn so that their AI agents can answer questions accurately. This content may incidentally identify or describe individuals (for example, an internal policy document may name the staff member who owns a process). We process this content on the Client's instructions for the sole purpose of retrieval-augmented generation in the Client's own conversations. We do not use knowledge-base content for any other purpose and we do not share it across accounts.
3. Sensitive personal data
Some personal data is more sensitive than other personal data. Both the DPDP Act and the SPDI Rules treat the following categories as sensitive personal data or information:
- Voice biometrics — a voice recording is a biometric identifier. Every recorded call captures this category of data.
- Financial information — when a Client integrates an e-commerce or accounting system, AI agents may discuss order totals, refunds, invoice status, or payment status with End Customers. We do not store raw card, UPI, or bank-account information on our infrastructure; this stays with the Client's connected systems and our payment processor.
- Health information — Clients in health-adjacent verticals may operate agents that discuss appointments, prescriptions, or symptoms. This content sits in the same conversation tables as any other transcript. Clients in regulated health contexts should sign a separate processing agreement with us before going live.
- Government identifiers, religious belief, caste, political opinion, or sexual orientation — popkorn does not have schema fields for these categories and we do not actively collect them. They may, however, appear incidentally in a transcript if an End Customer mentions them in conversation.
Until the SPDI Rules are formally omitted on 13 May 2027, both the DPDP Act and the SPDI Rules govern our handling of sensitive personal data. We maintain reasonable security practices under both regimes; see How we protect personal data below.
4. Purposes for which we process personal data
4.1 Account Holder personal data
We process Account Holder personal data for the following purposes:
- To deliver popkorn — provision your account, route requests, store agent configurations, and deliver the dashboard at app.popkorn.tech.
- To bill your organisation — issue invoices, take payment, reconcile credit usage, and communicate about pricing and subscriptions.
- To send service communications — security notices, invitations to your organisation, policy updates, support replies, and operational notifications about scheduled work.
- To keep popkorn safe and reliable — detect and respond to abuse, capture diagnostic information when something goes wrong, and comply with our legal obligations.
- To improve the product — analyse aggregated, non-identifying patterns of how popkorn is used so that we know where to invest. We do not use Account Holder personal data, and we do not use End Customer personal data, to train or fine-tune our AI models; see We do not train AI models on customer data below.
4.2 End Customer personal data
We process End Customer personal data only for the purposes the Client has set when configuring its agents, channels, flows, and campaigns. These typically include answering End Customer queries, taking orders, sending updates, scheduling appointments, processing returns, and following up on prior conversations. We do not use End Customer personal data for our own product analytics, our own marketing, or our own profiling.
4.3 Data minimisation
We aim to collect only the personal data we need for each of the purposes above. Where we can deliver a feature using less personal data, we do.
5. Lawful basis for processing
Under §6 and §7 of the DPDP Act, we rely on one or more of the following lawful bases:
- Consent — when you sign up as an Account Holder and create an organisation, you consent to the processing described in this Policy. You may withdraw consent at any time by closing your account; the consequences are described in Data retention below.
- Legitimate uses under §7 of the DPDP Act — including for the performance of a contract you have entered into with us, for compliance with our legal obligations under Indian law, and for the prevention and investigation of fraud or abuse of the Services.
- The Client's lawful basis — for End Customer personal data, the lawful basis is established by the Client as Data Fiduciary. Our agreement with each Client requires the Client to ensure that a valid lawful basis exists before sending personal data to us, and to obtain any consent or give any notice that the DPDP Act may require for the relevant category of processing.
6. Categories of sub-processors
To run popkorn, we share personal data with carefully selected service providers (each a "sub-processor"). We disclose the categories of sub-processor below. A current list of named sub-processors is made available to Clients on written request to legal@popkorn.tech and forms part of the data processing agreement we sign with each enterprise Client.
- Cloud infrastructure and managed-database providers — host the application servers, the dashboard, the operational database, and authentication services.
- Object storage providers — store call recordings, message media, and uploaded knowledge-base files.
- AI and machine-learning model providers — perform speech-to-text and text-to-speech, run the large language models that generate replies, produce embeddings for retrieval, and generate post-call summaries. Multiple model providers may be invoked in a single conversation.
- Telephony and SIP providers — connect calls between popkorn and the Indian public telephone network and provision Direct Inward Dial numbers.
- Real-time WebRTC media providers — carry voice audio between the caller, the SIP gateway, and the AI agent.
- WhatsApp Business platform providers — deliver and receive WhatsApp messages on the Client's behalf, subject to the platform's own Business Messaging Policy.
- Other social and messaging platform providers — for Clients who have enabled Instagram, Facebook Messenger, RCS, SMS, or email-channel inbound flows.
- OAuth aggregator providers — securely manage the OAuth tokens that connect Clients' third-party SaaS accounts (such as e-commerce stores, calendars, or accounting platforms) to popkorn.
- Payment processors — collect payments under their own merchant arrangements with us. We do not handle card, UPI, or bank-account details on our infrastructure.
- Email delivery providers — send transactional email from popkorn (account invitations, security notices, billing emails).
- Observability and error-monitoring providers — capture backend exceptions and operational metrics so that we can resolve incidents quickly.
- Self-hosted vector-database services — store the embeddings we use for retrieval-augmented generation; these run on our infrastructure in India.
Each sub-processor receives only the personal data necessary for the specific function it performs (least-privilege). Where a sub-processor processes personal data on our behalf, we put in place contractual protections appropriate to its role and we flow down the privacy obligations we owe to you and to our Clients. We review our sub-processor list periodically and update it when we change providers.
7. Data retention
We retain Account Holder personal data and the End Customer personal data processed under a Client's account for as long as the relevant account is active. When an account is closed — whether by the Client or by us — we delete the personal data we hold for that account within 30 days of closure, subject to the exceptions described next.
We may retain certain records for a longer period where Indian law requires us to. These include billing and tax records under the Companies Act, 2013 and the Central Goods and Services Tax Act, 2017; logs we are obliged to keep under the DPDP Rules, 2025 (one year minimum); records subject to a legal hold or to ongoing law-enforcement or regulatory requests; and entries in our opt-out registry, which we intentionally retain so that we can continue to honour an End Customer's request not to be contacted.
Clients can also configure shorter retention windows for specific data types within their own account. Where a Client has configured a shorter window, the shorter window applies.
8. Cross-border transfers of personal data
Our primary processing of personal data takes place in India, in the Mumbai region (asia-south1). The application servers, the operational database, the object storage we use for recordings and media, and our vector database all sit in India.
However, popkorn relies on certain AI model providers whose inference endpoints may be served from any of several regions globally. When these AI model providers process voice audio, transcripts, prompts, or tool inputs to generate a response, that processing may occur outside India. The same may be true for some of our payment, email-delivery, observability, and social-media-platform sub-processors.
The Central Government has not, as of the date of this Policy, restricted transfer of personal data to any specific country under §16 of the DPDP Act. If you are a Client in a regulated sector (such as banking, financial services, insurance, or healthcare) and require additional data-residency commitments, please contact us at legal@popkorn.tech before going live, so that we can confirm what we can and cannot commit to in your case.
9. How we protect personal data
We follow what we believe are reasonable security practices and procedures within the meaning of §43A of the Information Technology Act, 2000 and Rule 8 of the SPDI Rules. These include:
- Encryption in transit — all communication with popkorn over the public internet uses Transport Layer Security (TLS).
- Encryption at rest — provided by the underlying cloud infrastructure, managed database, and object storage providers we use.
- Access controls — role-based access for Account Holders within an organisation (owner, admin, agent, member); least-privilege internal access for popkorn personnel; sub-processors receive only the data they need to perform their function.
- Multi-tenant isolation — Account Holder data and the End Customer data associated with an account are scoped by organisation; queries against the database are constrained to the organisation of the requesting user.
- Authentication — we use one-time-link authentication for the dashboard, with short-lived session tokens.
- Audit logging — administrative actions are logged so that we can investigate suspected misuse.
- Operational diligence — secrets and credentials are stored in protected configuration; production access is limited; we review our security posture periodically.
- Security disclosure — please report a suspected security vulnerability responsibly to security@popkorn.tech.
No set of security controls can guarantee absolute security, and we cannot guarantee that personal data will never be exposed in a breach. We will respond promptly and transparently when something goes wrong; see Breach notification below.
10. Your rights as a Data Principal
As a Data Principal under the DPDP Act, you have the following rights with respect to your personal data:
- Right to access — to obtain a summary of the personal data we process about you and the categories of recipients with whom we have shared it (§11 of the DPDP Act).
- Right to correction and erasure — to ask us to correct inaccurate or incomplete personal data, to complete personal data that we hold, or to erase personal data we no longer need to keep under any legal obligation (§12 of the DPDP Act).
- Right to grievance redressal — to raise a grievance with our Grievance Officer if you believe we are not meeting our obligations under the DPDP Act. You must use this remedy before approaching the Data Protection Board of India (§13 of the DPDP Act).
- Right to nominate — to nominate another individual to exercise these rights on your behalf in the event of your death or incapacity (§14 of the DPDP Act).
- Right to withdraw consent — to withdraw any consent you have previously given for processing. Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal. Withdrawing the consent on which your account is based will typically require us to close your account.
If you are an End Customer of a Client that uses popkorn, please exercise these rights with the Client in the first instance. If the Client does not respond, or if you believe your request is not being handled properly, you may write to us at privacy@popkorn.tech and we will support a fair resolution.
11. How to exercise your rights
To exercise the rights described above:
- For access, correction, erasure, nomination, or consent withdrawal — write to privacy@popkorn.tech with enough information for us to identify you and the personal data your request is about (for example, the email address you signed up with).
- For a grievance — write to our Grievance Officer at grievance@popkorn.tech; see Grievance Officer below for full contact details and response times.
We may ask you for additional information so that we can verify that the request is genuinely from you, particularly where the personal data involved is sensitive. We will respond to verified requests without undue delay and within the timelines set out in the DPDP Rules, 2025 and the IT Rules, 2021.
12. Children's personal data
popkorn is a business-to-business service intended for adult Account Holders. We do not knowingly process the personal data of any individual under the age of 18 as the Data Fiduciary.
For End Customer personal data, our Acceptable Use Policy at /acceptable-use prohibits Clients from using popkorn to contact persons under the age of 18. Clients are required to maintain appropriate age-gating in their own consent collection processes. If you believe that a child's personal data is being processed through popkorn by one of our Clients and that the Client has not obtained verifiable parental consent under §9 of the DPDP Act, please write to privacy@popkorn.tech and we will investigate.
We do not engage in tracking, behavioural monitoring, or targeted advertising directed at any individual whom we know or suspect to be a child, in accordance with §9(3) of the DPDP Act.
13. Cookies and similar technologies
popkorn.tech, our public marketing website, does not set its own cookies and does not use third-party analytics. app.popkorn.tech, the authenticated dashboard, uses a small number of cookies and browser-storage entries that are strictly necessary for the dashboard to function — including an authentication session token and your sidebar layout preference. Our Cookie Policy describes each cookie and storage entry in detail.
14. We do not train AI models on customer data
We do not use Account Holder personal data, End Customer personal data, knowledge-base content, transcripts, recordings, message content, or any other data flowing through your account to train, fine-tune, or otherwise improve our own AI models or those of any sub-processor. The AI model providers we work with process this data under enterprise terms that do not permit them to train their general-purpose models on it.
15. Breach notification
If we discover a personal data breach within the meaning of the DPDP Act and the DPDP Rules, 2025, we will notify the Data Protection Board of India and each affected Data Principal within 72 hours of discovery, in the form and manner the DPDP Rules require. Where the affected Data Principal is an End Customer of a Client, we will also notify the Client within 72 hours of discovery so that the Client can comply with its own DPDP obligations.
16. Changes to this Policy
We may amend this Policy from time to time. Where the change is material, we will notify Account Holders by email and post a notice in the dashboard with at least 15 days' advance notice, consistent with our notice obligations under the IT Rules, 2021. The "Last Updated" date at the top of this Policy will always reflect when it was most recently revised, and earlier versions remain available on request to legal@popkorn.tech.
17. Grievance Officer
In accordance with §5(2) of the DPDP Act and Rule 3(2)(b) of the IT Rules, 2021, we have appointed a Grievance Officer to handle complaints relating to personal data and to our intermediary obligations.
Grievance Officer: Ashok Kumar
Email: grievance@popkorn.tech
Address: YV Labs LLP, 901 Satguru Towers, North Avenue, Santacruz West, Mumbai 400054, India
We will acknowledge your grievance within 24 hours of receipt and resolve it within 15 days of receipt, in accordance with Rule 3(2)(a)(ii) of the IT Rules, 2021. For grievances under the DPDP Act specifically, we will provide a full response within 90 days of receipt; thereafter, you may approach the Data Protection Board of India under §13 of the DPDP Act.
18. Contact us
YV Labs LLP — the company behind popkorn — is registered in India at 901 Satguru Towers, North Avenue, Santacruz West, Mumbai 400054. You can reach us at:
- General questions — support@popkorn.tech
- Privacy and data rights — privacy@popkorn.tech
- Grievances — grievance@popkorn.tech
- Legal notices — legal@popkorn.tech
- Security disclosure — security@popkorn.tech
- Billing — billing@popkorn.tech
- Press and partnerships — hello@popkorn.tech