Arrowhead

1. Scope

Arrowhead (AH Live Private Limited, "Arrowhead," "we," "our," or "us") is a Software-as-a-Service (SaaS) provider that delivers AI-powered voice automation, productivity analytics, and knowledge-management solutions (collectively, the "Services").

This Privacy Statement describes how we collect, use, disclose, and protect Personal Data relating to:

Employees & Contractors

anyone engaged by Arrowhead inside or outside India, including current and former employees, directors, interns, and third-party workers (collectively "Employees").

End-Customers & End-Users

natural persons who interact with our Services through our enterprise clients (collectively "Customers").

Where required, additional notices or contractual data-processing agreements (DPAs) may supplement this Statement.

2. Definitions

Personal Data

Any information that identifies or can reasonably be linked to an individual.

Sensitive Personal Data

Personal Data that is subject to heightened protection under law (e.g., financial information, health data, biometric identifiers, government IDs).

Processing

Any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).

Controller / Processor

For Employee data, Arrowhead acts as Controller. For Customer data, Arrowhead typically acts as Processor on behalf of our enterprise client, who is the Controller.

3. Categories of Personal Data We Collect

3.1. Employee & Contractor Data

Identifiers

Name, email, phone, emergency contact, address, date of birth, gender, citizenship, government IDs, photographs.

Employment Information

Job title, department, employee ID, supervisor, start/end dates, contract type, compensation & benefits, leave records, training records, performance evaluations, disciplinary records.

Financial Data

Salary details, bank account number, tax identifiers, reimbursement records.

Health & Safety

Occupational health declarations, disability accommodations, workplace incident reports, CCTV footage, access-badge logs.

IT & Usage Data

Corporate device IDs, log-in credentials, access logs, email/communication metadata, IP addresses.

3.2. Customer Data Collected Through the Services

Identifiers

Name (if provided in conversation), mobile phone number (stored only when provided or fetched via secure on-demand API from the client), and other identifiers as needed based on the use case.

Interaction Content

Call audio recordings, transcripts, tool-invocation parameters, user selections (e.g., preferred slot, product, or service).

Transactional & Device Metadata

Call timestamps, duration, routing information, bot/agent IDs, browser or telephony headers, IP address, device type.

We collect only the minimum data required to fulfill the purposes set out below.

4. Legal Bases for Processing

Employees

Performance of employment contract; compliance with labour, tax, and social-security law; Arrowhead's legitimate interests (e.g., network security); and, where required, consent (e.g., use of photos for marketing).

Customers

Performance of our client contract (service delivery); compliance with legal obligations; Arrowhead's legitimate interests in service quality, fraud prevention, and security; consent where required by law (e.g., voice recording notices).

5. Purposes of Collection & Use

Employee & Contractor Purposes (non-exhaustive)

Workforce administration (hiring, onboarding, payroll, benefits, performance, promotion, termination).

Corporate governance, budgeting, and financial reporting.

IT account provisioning, authentication, and security monitoring.

Health & safety, access-control, and premises security (including CCTV).

Compliance with statutory obligations (tax, social security, immigration, ESOP, whistle-blower investigations).

Investigation of misconduct, fraud, or legal claims.

Customer Purposes (non-exhaustive)

Delivering the contracted voice AI or automation workflow (e.g., scheduling a call, completing a purchase, routing to a human agent).

Generating and storing audio & transcript logs to enable quality assurance, dispute resolution, and regulatory compliance.

Arrowhead does not sell Customer Personal Data or use it for marketing unrelated to the contracted Services.

6. Disclosure Practices

Internal Functions

HR, Finance, IT, Legal, Security teams with role-based access.

Enterprise Clients (Controllers)

Access to Customer interaction data generated through their own end-users, via secure dashboards or APIs.

Service Providers / Sub-processors

Cloud hosting, telephony platforms, payroll vendors, benefits administrators, email & collaboration tools—each bound by confidentiality and data-processing agreements.

Regulators & Authorities

Responding to lawful requests, audits, or court orders.

Corporate Transactions

Mergers, acquisitions, or asset transfers, subject to non-disclosure and continuation of protections.

Sensitive Personal Data is shared only on a strict need-to-know basis and, where mandated, with additional safeguards or contractual clauses.

7. Security Measures

Arrowhead maintains a layered security program aligned with ISO 27001 and the Indian Digital Personal Data Protection Act (DPDP 2023):

Encryption

AES-256 at rest, TLS 1.2+ in transit; customer names, phone numbers, and PII data are additionally encrypted at the application level using AES-GCM.

Access Control

SSO (mandatory for all internal Arrowhead systems; customer-facing SSO available as an opt-in), MFA, least-privilege IAM roles, segregation of duties, and quarterly access reviews.

Network & Infrastructure Security

AWS GuardDuty, Inspector, and Macie; Web Application Firewall (WAF) on public endpoints; VPC segmentation.

Monitoring & Logging

Centralised SIEM, immutable audit logs, anomaly detection, 24×7 alerting.

Secure Development Lifecycle

Code reviews, dependency scanning, container image hardening, staged rollouts.

Business Continuity & DR

Automated backups, point-in-time RDS snapshots, cross-region replication, validated recovery playbooks.

Vendor Management

Third-party risk assessments, contractual security requirements, and right-to-audit clauses.

Dedicated Single-Tenant Deployments

For customers requiring complete isolation, Arrowhead provisions and operates a dedicated AWS account exclusively for the client. Arrowhead maintains administrative control while granting the customer read-only auditor access for transparency. This option may be subject to additional costs depending on the contractual arrangement.

8. International Data Transfers

India Data Residency

Customers that require data to remain in-country may opt for storage exclusively in AWS ap-south-1 (Mumbai/BOM). All primary and backup copies stay within Indian territory.

Singapore/Malaysia Data Residency

For customers based in Malaysia and Singapore who require local data residency, Arrowhead offers storage in AWS Asia Pacific regions – either Singapore (ap-southeast-1) or Kuala Lumpur (ap-southeast-5), based on customer preference or regulatory requirements. All data, backups, and metadata remain within the selected region.

Employee Data

Employee data is normally stored in India. Limited cross-border transfer (e.g., into global HR SaaS tools) is subject to adequacy findings or SCCs plus encryption.

Transfer Mechanisms

Any cross-border transfers rely on:

Adequacy decisions under applicable privacy laws; or

Contractual safeguards such as Standard Contractual Clauses (SCCs) augmented by end-to-end encryption.

9. Data Subject Rights

Subject to local law, Employees and Customers may have rights to:

  • Access, correct, or delete Personal Data
  • Restrict or object to certain Processing
  • Port data to another service provider
  • Withdraw consent at any time (where consent is the legal basis); and
  • Lodge a complaint with a supervisory authority.

Requests should be sent to privacy@arrowhead.team. We respond within one month, or two months for complex cases.

10. Data Retention

Employee records

7 years after termination (or longer if required by labour or tax law).

Customer call recordings & transcripts

Till contract term, configurable per client contract. Post contract termination, data is deleted upon customer request or per compliance.

Security & access logs

12 months for operational logs; up to 7 years for forensic or legal hold.

When retention expires, data is securely deleted or irreversibly anonymised.

11. Updates to This Statement

We review this Statement annually or whenever material changes occur to our Processing activities or applicable law. We will notify Employees and Clients of significant updates via email.