Privacy Policy
1. Identity and Contact
Data Fiduciary: Sudo Automations Private Limited, a company incorporated under the Companies Act, 2013, India
Email: hello@heysudo.xyz
Website: https://heysudo.xyz
For all data protection queries and grievances, contact our Grievance Officer (see Section 13).
2. Scope
This Privacy Policy applies to personal data collected through:
- The Sudo AI home assistant at heysudo.xyz
- WhatsApp-based interactions via the Sudo bot
- Voice-enabled devices paired to your Sudo account
It does not apply to third-party services you connect to Sudo (e.g., Google Calendar), which have their own privacy policies.
3. Definitions (DPDPA 2023)
Under the Digital Personal Data Protection Act, 2023:
- Data Principal: You — the individual whose personal data is processed
- Data Fiduciary: Sudo Automations Private Limited — the entity determining the purpose and means of processing
- Personal Data: Any data about an identified or identifiable individual
- Processing: Collection, storage, use, sharing, disclosure, or deletion of personal data
- Consent Manager: A registered entity through whom you may give, manage, review, and withdraw consent (where applicable under notified DPDPA rules)
4. Basis for Processing and Consent
4.1 Consent (DPDPA 2023, Section 6)
Where we rely on your consent, we will:
- Present a clear, plain-language notice before collection specifying: (a) the categories of personal data to be collected, (b) the specific purpose, (c) the manner of use, and (d) your right to withdraw consent at any time
- Obtain your explicit, informed, free, and unambiguous consent — consent will never be bundled with acceptance of Terms as a condition of service where separate consent is required by law
- Maintain verifiable records of every consent given, including the date, time, and scope of consent, as required by applicable law, the DPDPA 2023, and rules notified under it
- Allow you to withdraw consent at any time; withdrawal will not affect the lawfulness of prior processing but may affect your ability to use certain features. To withdraw consent, email our Grievance Officer at asis@heysudo.xyz stating which consent you wish to withdraw
4.2 Legitimate Uses Without Consent (DPDPA 2023, Section 7)
We may process personal data without consent where necessary for:
- Performance of a contract you have entered into (account creation, service delivery)
- Compliance with a judgment, decree, or order under Indian law
- Compliance with any other law for the time being in force
- Responding to a medical emergency involving a threat to life or immediate risk of harm
- Processing data you have manifestly made public
5. What We Collect
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email, profile picture, Google account identifier | Authentication, account management |
| Family roster | Names, relationships, ages/birthdays, avatars, phone numbers | Personalisation, household management |
| Device data | Device IDs, pairing codes, network status, firmware version | Pairing, diagnostics, software updates |
| Conversations | Chat messages, voice transcripts, instructions, AI responses | Providing the AI assistant service |
| Integration data | OAuth tokens, minimum calendar/service data | Third-party service connectivity |
| Operational data | Server logs, error reports, IP addresses, technical metadata | Security, debugging, service reliability |
What we do not collect or retain:
- Raw audio after a session ends (audio is transcribed in real time and discarded immediately)
- Sensitive personal data (as defined under the DPDPA 2023) unless explicitly consented to
We do not sell your personal data. We do not use the contents of your conversations or your Google user data to train generalised AI or machine-learning models.
6. Google API Services
Sudo’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:
- We request only the OAuth scopes necessary for the features you enable
- Google user data is used only for user-facing features; it is not used for advertising
- We do not transfer Google user data to third parties except as necessary to provide features you request, subject to applicable law
- Human access to Google user data is limited to cases involving: (a) your affirmative consent, (b) security investigations, or (c) compliance with applicable law
7. How We Use Personal Data
We use personal data to:
- Operate, deliver, and improve the Sudo service
- Manage your integrations with connected third-party services
- Pair and update devices associated with your account
- Detect and prevent fraud, abuse, and security incidents
- Communicate account updates, policy changes, and legal notices
- Comply with legal obligations under Indian law and court orders
8. Sharing and Subprocessors
We share personal data with the following categories of recipients on a strict need-to-know basis:
| Subprocessor Category | Purpose |
|---|---|
| Infrastructure / database providers (e.g., Supabase) | Backend hosting and data storage |
| AI model / LLM routing providers (e.g., OpenRouter) | Generating AI assistant responses |
| Voice and communication providers (e.g., LiveKit, Twilio) | Voice calling and WhatsApp messaging |
| Speech-to-text providers | Real-time audio transcription |
| Email and hosting services | Service notifications and delivery |
We enter into data processing agreements with each subprocessor. A current list of subprocessors is available upon request at hello@heysudo.xyz.
We do not share your personal data with third parties for their own marketing, advertising, or commercial purposes.
Legal disclosures: We may disclose personal data when required by Indian courts, regulatory authorities, or law enforcement agencies, to the extent mandated by applicable law. Where legally permissible, we will attempt to notify you of such disclosure.
9. Cross-Border Data Transfers
Sudo Automations Private Limited is incorporated in India. Your personal data may be processed by our subprocessors in other countries, including the United States and the European Union.
In compliance with the Digital Personal Data Protection Act, 2023 (Section 16) and applicable rules:
- Cross-border transfers are made only to countries or territories that the Central Government of India notifies as permitting adequate protection for personal data, or
- Where no such notification applies, transfers are subject to standard contractual clauses or equivalent contractual safeguards with subprocessors, or other transfer mechanisms recognised under applicable Indian law
Where Indian law or applicable sector-specific regulations mandate that specific categories of data be retained within India (e.g., RBI data localisation for financial data), we will ensure local storage and processing for those categories.
By using the Sudo service, you acknowledge that your personal data may be transferred to, stored in, and processed in jurisdictions outside India.
10. Retention
| Data Type | Retention Period |
|---|---|
| Account records | Duration of active account, plus 90-day archival period after deletion |
| Conversation history | Retained for service continuity; deletable by user (30-day backup propagation) |
| Raw audio | Not retained beyond the live session (discarded post-transcription) |
| Device and operational logs | Rolling 90-day window |
| Integration tokens | Retained while integration is active; deleted upon disconnection or account deletion |
| Backups | Deleted or anonymised within 90 days of account deletion |
We retain personal data no longer than necessary for the purposes for which it was collected, consistent with our legal obligations under the DPDPA 2023.
11. Children’s Data
The Sudo service is designed for account holders who are 18 years of age or older. You may add minor family members to your household account as secondary users.
By adding a minor household member, you confirm that:
- You are the parent or legal guardian of that minor
- You consent, on behalf of the minor, to Sudo processing the minor’s name, age, relationship, avatar, and conversations solely for the purpose of operating the household AI assistant
- You will supervise the minor’s use of the service
We do not knowingly collect personal data directly from minors without verifiable parental or guardian consent. If we become aware that we have collected personal data from a minor without appropriate consent, we will take prompt steps to delete that data. Please notify us at hello@heysudo.xyz if you believe we hold such data.
12. Your Rights as a Data Principal (DPDPA 2023)
To exercise any right, contact our Grievance Officer (Section 13).
12.1 Right to Access Information (Section 11)
You may request: (a) a summary of the personal data we hold about you; (b) a description of the processing activities carried out on your data; (c) identities of Data Fiduciaries and processors to whom your data has been disclosed.
12.2 Right to Correction, Completion, and Erasure (Section 12)
You may request: (a) correction of inaccurate or misleading personal data; (b) completion of incomplete personal data; (c) erasure of personal data no longer necessary for the purpose for which it was collected, or where you withdraw consent. Erasure requests may not apply where retention is required by law or court order.
How to request erasure: Email our Grievance Officer at asis@heysudo.xyz with the subject line “Data Erasure Request — [Your Name]”. We will acknowledge within 48 hours and process the request within 30 days, subject to any legal retention obligations.
12.3 Right of Grievance Redressal (Section 13)
You may raise a grievance with our Grievance Officer about any act or omission related to processing of your personal data. We will acknowledge within 48 hours and resolve within 30 days.
12.4 Right to Nominate (Section 14)
You may nominate another individual to exercise your data rights in the event of your death or incapacity. To register a nominee, contact hello@heysudo.xyz.
12.5 Right to Withdraw Consent
You may withdraw any consent previously given. Withdrawal does not affect the lawfulness of prior processing. Withdrawal of consent for core service functions may prevent continued service delivery.
12.6 Right to Complain to the Data Protection Board of India
If your grievance is not resolved to your satisfaction, you may file a complaint with the Data Protection Board of India once it is constituted and operational. We will publish updated contact details for the Board as they become available.
13. Grievance Officer
In accordance with Section 13 of the Digital Personal Data Protection Act, 2023, we have designated the following Grievance Officer for data protection queries and complaints:
Asis Panda
Grievance Officer, Sudo Automations Private Limited
Email: asis@heysudo.xyz
Website: https://heysudo.xyz
Response time: Acknowledgement within 48 hours; resolution within 30 days
You may contact the Grievance Officer to:
- Raise a data protection grievance or complaint
- Withdraw any consent previously given to Sudo for processing your personal data
- Request erasure or deletion of your personal data
- Request a summary of the personal data held about you
- Exercise any other right available to you under the DPDPA 2023
If your grievance is not resolved within 30 days, you may escalate to the Data Protection Board of India (once constituted), or to an appropriate consumer forum or civil court as applicable.
14. Security
We implement the following technical and organisational measures:
- TLS encryption for all data in transit
- Encryption of secrets and credentials at rest
- Per-user credential scoping and access controls
- Per-family compute isolation to prevent cross-account data access
- Audit logging for privileged data access
- Regular review and improvement of our security practices
In the event of a personal data breach reasonably likely to result in harm to Data Principals, we will notify affected individuals and the Data Protection Board of India as required by applicable law.
15. Changes to This Policy
We will post material changes to this Privacy Policy at https://heysudo.xyz/privacy with an updated effective date. For significant changes, we will provide advance notice via email or in-app notification. Continued use of the service after the updated effective date constitutes acceptance of the revised policy.
16. Contact
Sudo Automations Private Limited
Email: hello@heysudo.xyz
Website: https://heysudo.xyz
This Privacy Policy was last reviewed by the CLO on 1 June 2026.
