Legal · Privacy

Privacy Policy

Last updated · June 4, 2026 · v1.0

This Privacy Policy explains how OpsNGIN ("OpsNGIN," "we," "us," or "our") collects, uses, protects, discloses, and retains information when you use the OpsNGIN platform, the websites at opsngin.ai (including lab.opsngin.ai and echo.opsngin.ai), and any related services (together, the "Services").

OpsNGIN is an autonomous AI infrastructure operations platform. By design, the Services connect to and operate on infrastructure that you authorize us to access. Because of this privileged access, we hold ourselves to a higher standard of data protection than a typical website, and this policy is written to be clear about exactly what we touch, what we never touch for our own purposes, and what choices you have.

If you do not agree with this policy, please do not use the Services.

1. Who we are and how to contact us

The Services are provided by Triophase Global Services Pvt. Ltd. and/or OpsNGIN.ai, depending on the contracting entity identified in your order or agreement.

  • Privacy / data protection contact: admin@opsngin.ai
  • Postal address: ASO 411, Astra Towser, Rajarhat, NewTown, Kolkata 700135, West Bengal, India
  • Data protection point of contact: Sayan Nandi

2. Scope of this policy

This policy covers:

  • Account and website data — information you provide when you sign up, subscribe, browse our sites, or communicate with us.
  • Customer infrastructure data — information OpsNGIN observes, ingests, or generates while operating on the servers and systems you connect to the Services.

Where you are our customer's end user (for example, a user of a service that runs on infrastructure managed via OpsNGIN), our customer is the controller of your personal data, and your relationship is governed by their privacy policy. We process such data only as a processor, under our agreement with that customer.

3. Customer data ownership

You own your data. As between you and OpsNGIN, you retain all right, title, and interest in and to your infrastructure data — including logs, telemetry, metrics, operational context, command outputs, configurations, file contents, and any other data collected from or generated about your systems (collectively, "Customer Data").

OpsNGIN receives no ownership rights in Customer Data. We process Customer Data solely to provide the Services to you, on your instructions, and as described in this policy and your agreement with us. We do not use Customer Data for our own commercial purposes, do not sell it, and do not use it to train AI models shared across customers (see Sections 7 and 12).

Any insights, configurations, or outputs that OpsNGIN generates specifically for your environment in the course of providing the Services are made available to you as part of the Services. Nothing in this policy transfers ownership of your data to us.

4. Your authorization and our lawful basis for processing

OpsNGIN acts only on infrastructure, credentials, and permissions that you provide or authorize. You are responsible for ensuring that you have the necessary rights and authority to grant OpsNGIN access to the systems, infrastructure, logs, data, and services you connect to the platform, and for ensuring that such access and processing is lawful in your context. This is particularly important where you connect systems on behalf of another party — for example, as a managed service provider, contractor, or employee acting for an organization.

We process Customer Data on the basis of the instructions you give us and the authority you warrant you hold — in most cases, to perform our contract with you and to carry out your authorized requests. Where a particular processing activity requires consent or relies on another legal basis under applicable law, we rely on the basis permitted by that law. You can ask us about the legal basis for a specific processing activity by contacting us at admin@opsngin.ai.

Your responsibilities regarding authorization, warranties, and indemnities are set out more fully in your agreement with us (Terms of Service and, where applicable, Data Processing Agreement).

5. Information we collect

5.1 Information you provide to us

  • Identity and contact data: name, work email, organization name, role.
  • Authentication data: we use passwordless magic-link sign-in for confirmed subscribers. We store the email address tied to your account and short-lived sign-in tokens. We do not store passwords for magic-link accounts.
  • Subscription and billing data: plan, billing contact, and transaction records. Card and payment-instrument details are handled by our payment processor — we do not store full card numbers on our systems. (See Section 11.)
  • Support and communications: messages you send us and our replies.

5.2 Information we collect when you use the Services

  • Customer infrastructure data. When you authorize OpsNGIN to connect to a server or system, we may access and process: system configuration and inventory, logs, metrics and telemetry, process and service state, command output, and the contents of files necessary to perform a task you have requested or authorized. The exact scope depends on the autonomy tier you configure (Approval / Trusted / Closed Loop) and the actions you permit.
  • Command and action records. We record the commands and actions OpsNGIN plans and executes on your infrastructure, classified by type (read, write, execute, install, reboot), along with their results, for audit, verification, rollback, and your own visibility.
  • Access records. Records of privileged sessions established through our access broker, including who initiated them, when, the time-to-live granted, and what was accessed.
  • Operational AI context. To operate effectively, OpsNGIN maintains working, episodic, semantic, procedural, and chronological context derived from your environment. This context is scoped to your account.

5.3 Information collected automatically on our websites

  • Usage and device data: pages viewed, referring URLs, browser and device type, and similar analytics.
  • Public pages (marketing pages) are designed to be served without setting non-essential cookies. Where we use any cookies or similar technologies, we will tell you and obtain consent where the law requires it. See Section 17.

We do not intentionally collect special-category or sensitive personal data (such as health, biometric, or financial-account data of individuals) through the operation of the Services, and we ask that you not route such data to us except where strictly necessary and lawful.

6. How we use information

We use information to:

  • Provide, operate, secure, and maintain the Services;
  • Connect to and perform the infrastructure operations you request or authorize;
  • Verify, audit, and where needed roll back actions taken on your infrastructure;
  • Authenticate you and protect accounts (magic-link sign-in, abuse and fraud prevention);
  • Provide support and respond to your requests;
  • Send service and security communications (for example, action approvals, incident alerts, billing notices, and material changes to terms);
  • Bill for and administer subscriptions;
  • Detect, investigate, and prevent security incidents, fraud, and misuse;
  • Comply with legal obligations (see Section 13).

We will only use information for purposes compatible with those above, or for a new purpose with your consent or as the law otherwise permits.

7. How OpsNGIN uses AI — and what it never does

OpsNGIN uses AI models to plan, execute, and verify infrastructure operations. We want to be unambiguous about the limits:

  • We do not use Customer Data to train, fine-tune, improve, or evaluate any AI model that is shared across customers or made available to third parties. Your infrastructure data, logs, command output, and operational context are not added to any general training or evaluation corpus.
  • Cloud model routing. For certain hard diagnostic tasks, OpsNGIN may route a request to a cloud-hosted model endpoint operated by a third party. Where this happens, the third party processes the request to return a result and is contractually restricted from using your data to train their models or for any purpose other than serving the request. The current list of such providers, if any, is published in our Sub-Processor list (Section 12). If you require that no data ever leaves OpsNGIN-controlled infrastructure, contact us about a configuration that disables cloud routing.
  • No advertising use. We do not use your infrastructure or account data for advertising, and we do not sell it.

8. AI accountability and audit logs

Because OpsNGIN acts on your infrastructure, accountability for what its AI systems do is a core part of the Services, not an afterthought.

  • We record what the AI proposes and does. OpsNGIN records the actions proposed and executed by its AI systems — including the classification of each action, the supporting evidence considered, and verification records where available.
  • You can review it. These records are made available to you through the audit logs provided by the platform, so you can see what was planned, what was executed, what it relied on, and what was verified or rolled back.
  • Human oversight by design. Your configured autonomy tier (Approval / Trusted / Closed Loop) governs whether and when an action requires human approval before it is carried out. Where optional gating of write actions is enabled for your account, the corresponding approval records are retained alongside the action.

These records exist both for your operational visibility and to support your own compliance, incident review, and audit obligations.

9. Security and encryption

Protecting the systems you trust us to operate on is the core of our business. Our measures include:

  • Encryption at rest. Customer infrastructure data and account data that we store are encrypted at rest using industry-standard encryption (for example, AES-256).
  • Encryption in transit. Connections to our Services and to your infrastructure are protected with TLS. Web traffic is served over HTTPS.
  • Brokered, least-privilege, time-bound access. Privileged access to your infrastructure is established through a hardened access broker that issues just-in-time credentials with a limited time-to-live, after which access expires automatically. We enforce least-privilege and need-to-know principles for any access by our personnel.
  • Access logging and audit. Privileged sessions and actions are logged for audit and are available for your visibility.
  • Segregation. Customer operational context is scoped and logically segregated to the relevant account.

We maintain administrative, technical, and organizational safeguards appropriate to the sensitivity of the data we handle, and we expect to pursue additional formal certifications and independent assessments as the platform matures. We will publish the status of any such certifications when available.

No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. We maintain an incident response process and will notify affected customers and, where required, regulators of a personal-data breach in line with applicable law.

10. Human access to customer data

We are asked frequently whether OpsNGIN personnel can read customer logs and infrastructure data. Our commitment is that OpsNGIN personnel do not access Customer Data except when one of the following applies:

  • it is required to provide support you have requested;
  • it is required to investigate, contain, or remediate a security or operational issue affecting the Services or your environment;
  • it is required to comply with a valid legal obligation (see Section 13); or
  • you have explicitly authorized it.

When such access is necessary, it is limited to the minimum data and personnel needed, is granted on a least-privilege and need-to-know basis, is time-bound where possible, and is logged. Most operations are performed by the platform's automated systems without any human reading of your data.

11. Payment data

Subscription payments are processed by Stripe, a third-party payment provider. We receive confirmation of payment and limited billing details (such as the last four digits of a card and billing contact) but do not store full payment-instrument numbers on our systems. The payment provider's handling of your data is governed by its own privacy policy: https://stripe.com/privacy.

12. How we share information

We do not sell your personal data. We do not share your infrastructure or account data with any third party for that third party's own purposes, including their own marketing or model training.

We share information only in these limited situations:

  • Sub-processors that are necessary to run the Services. We rely on a small set of vendors to host, operate, and support the Services — for example, infrastructure/hosting providers, our payment processor, and any cloud model provider used for hard diagnostics (Section 7). These vendors may process data only on our instructions, only to provide their service to us, and under contractual confidentiality and data-protection obligations. Our current sub-processors are listed at: https://opsngin.ai/legal/sub-processor. We will keep this list current and provide a way to be notified of changes.
  • Within our group. Information may be processed by our affiliated operating entities in India and the UAE to deliver and support the Services, under intra-group safeguards.
  • Legal and safety reasons. We may disclose information where we reasonably believe it is required to comply with a valid legal obligation, court order, or lawful government request applicable to us or to you; to enforce our agreements; or to protect the rights, safety, and security of OpsNGIN, our customers, or the public. See Section 13.
  • Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to the protections of this policy. We will notify you of any change in control of your personal data.

We will never share your data with a recipient that is not bound to protect it to a standard consistent with this policy.

13. Compliance with local law and lawful requests

OpsNGIN serves customers in multiple countries, and we are committed to operating lawfully in each.

  • We comply with the data-protection law applicable to you. Where you are subject to a data-protection regime such as the EU/UK GDPR, India's Digital Personal Data Protection Act, the California Consumer Privacy Act/CPRA, the UAE's data-protection framework, or another applicable law, we honor the rights and obligations that law grants and imposes, to the extent it applies to our processing.
  • Lawful access requests. We disclose data to a government authority or in response to legal process only where we are legally compelled to do so and the request is valid under the law applicable to us. Where we are legally permitted, we will notify the affected customer before disclosing their data, so they can seek to challenge the request.
  • Conflicts of law. Where the laws of different jurisdictions conflict, we will seek to comply with all applicable legal obligations while implementing safeguards designed to provide a high level of protection for personal data.

This section describes our commitments; it does not, and cannot, guarantee any particular outcome of a legal proceeding.

14. Data residency

Your data may be stored and processed in one or more of the following regions, depending on the configuration of the Services and the location of our infrastructure and sub-processors:

  • United States
  • European Union
  • India
  • United Arab Emirates

Where your plan supports it, data residency options may be available so that Customer Data is stored within a specified region. If you have a residency requirement (for example, to keep data within the EU or within India), contact us at admin@opsngin.ai to discuss the options available for your plan. We will tell you the regions applicable to your account on request.

15. International data transfers

We operate from India and the UAE, and our infrastructure and sub-processors may be located in other countries. This means your data may be transferred to and processed in countries other than your own, which may have different data-protection rules.

Where we transfer personal data across borders, we put appropriate safeguards in place as required by the applicable law — for example, standard contractual clauses or another lawful transfer mechanism for transfers subject to the GDPR, and the safeguards required by India's and the UAE's frameworks. You can request information about the safeguards we use by contacting us at admin@opsngin.ai.

16. Data retention and deletion

We keep personal data only as long as needed for the purposes in this policy, including:

  • Account data: for the life of your account and for a reasonable period afterward to meet legal, tax, and audit obligations.
  • Customer infrastructure data and operational context: in line with the retention you configure for your account, or, where you do not configure it, our default operational retention schedule, which we will document.
  • Audit and access records: retained for the period needed for security, audit, and legal-defense purposes.

Deletion timelines. When you delete Customer Data or close your account, we remove the affected data from active systems within 30 days and from backups within 90 days, unless we are required to retain it to comply with a legal obligation or to resolve a dispute. After these periods, data is deleted or irreversibly anonymized. You may request deletion as described in Section 17, subject to these retention obligations.

17. Your rights and choices

Depending on where you are and the law that applies, you may have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate or incomplete data;
  • Delete your data ("right to erasure"), subject to legal-retention exceptions;
  • Restrict or object to certain processing;
  • Portability — receive your data in a portable format;
  • Withdraw consent at any time where we rely on consent;
  • Not be subject to solely automated decisions that produce legal or similarly significant effects, except as permitted by law;
  • Lodge a complaint with your data-protection authority (for example, the Data Protection Board of India, an EU supervisory authority, or the UK ICO).

To exercise any right, contact admin@opsngin.ai. We will verify your identity and respond within the timeframe the applicable law requires. We will not discriminate against you for exercising your rights.

Cookies and tracking. Our public pages are designed to minimize non-essential cookies. Where we use cookies or similar technologies that require consent, we present a consent choice and default to the most privacy-protective option (declining non-essential cookies) unless you choose otherwise. You can also control cookies through your browser settings.

Marketing communications. You can opt out of marketing emails at any time using the unsubscribe link or by contacting us. Service and security messages are not promotional and will continue while you have an account.

18. Children

The Services are intended for use by businesses and the professionals who operate their infrastructure. They are not directed to children, and we do not knowingly collect personal data from anyone under the age of majority in their jurisdiction (or under 18, whichever is higher where the law specifies a higher age). If you believe a child has provided us personal data, contact us and we will delete it.

19. Changes to this policy

We may update this policy as the Services, our practices, or the law change. When we make a material change, we will update the "Last updated" date and, where the change is significant, provide additional notice (for example, by email or an in-product notice). Your continued use of the Services after a change takes effect means you accept the updated policy.