Arrowhead (AH Live Private Limited, "Arrowhead," "we," "our," or "us") is a Software‑as‑a‑Service (SaaS) provider that delivers AI‑powered voice automation, productivity analytics, and knowledge‑management solutions (collectively, the "Services").
This Privacy Statement describes how we collect, use, disclose, and protect Personal Data relating to:
Employees & Contractors – anyone engaged by Arrowhead inside or outside India, including current and former employees, directors, interns, and third‑party workers (collectively "Employees").
End‑Customers & End‑Users – natural persons who interact with our Services through our enterprise clients (collectively "Customers").
Where required, additional notices or contractual data‑processing agreements (DPAs) may supplement this Statement.
Personal Data : Any information that identifies or can reasonably be linked to an individual.
Sensitive Personal Data : Personal Data that is subject to heightened protection under law (e.g., financial information, health data, biometric identifiers, government IDs).
Processing : Any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).
Controller / Processor : For Employee data, Arrowhead acts as Controller. For Customer data, Arrowhead typically acts as Processor on behalf of our enterprise client, who is the Controller.
Identifiers : Name, email, phone, emergency contact, address, date of birth, gender, citizenship, government IDs, photographs.
Employment Information : Job title, department, employee ID, supervisor, start/end dates, contract type, compensation & benefits, leave records, training records, performance evaluations, disciplinary records.
Financial Data : Salary details, bank account number, tax identifiers, reimbursement records.
Health & Safety : Occupational health declarations, disability accommodations, workplace incident reports, CCTV footage, access‑badge logs.
IT & Usage Data : Corporate device IDs, log‑in credentials, access logs, email/communication metadata, IP addresses.
Identifiers : Name (if provided in conversation), mobile phone number (stored only when provided or fetched via secure on‑demand API from the client) and other identifiers as needed based on use case.
Interaction Content : Call audio recordings, transcripts, tool‑invocation parameters, user selections (e.g., preferred slot, product, or service).
Transactional & Device Metadata : Call timestamps, duration, routing information, bot/agent IDs, browser or telephony headers, IP address, device type.
We collect only the minimum data required to fulfil the purposes set out below.
Data Subject : Primary Legal Bases
Employees : Performance of employment contract; compliance with labour, tax, and social‑security law; Arrowhead’s legitimate interests (e.g., network security); and, where required, consent (e.g., use of photos for marketing).
Customers : Performance of our client contract (service delivery); compliance with legal obligations; Arrowhead’s legitimate interests in service quality, fraud prevention, and security; consent where required by law (e.g., voice recording notices)
Workforce administration (hiring, onboarding, payroll, benefits, performance, promotion, termination).
Corporate governance, budgeting, and financial reporting.
IT account provisioning, authentication, and security monitoring.
Health & safety, access‑control, and premises security (including CCTV).
Compliance with statutory obligations (tax, social security, immigration, ESOP, whistle‑blower investigations).
Investigation of misconduct, fraud, or legal claims.
Delivering the contracted voice AI or automation workflow (e.g., scheduling a call, completing a purchase, routing to a human agent).
Generating and storing audio & transcript logs to enable quality assurance, dispute resolution, and regulatory compliance
Internal Functions : HR, Finance, IT, Legal, Security teams with role‑based access.
Enterprise Clients (Controllers) : Access to Customer interaction data generated through their own end‑users, via secure dashboards or APIs.
Service Providers / Sub‑processors : Cloud hosting, telephony platforms, payroll vendors, benefits administrators, email & collaboration tools, each bound by confidentiality and data‑processing agreements.
Regulators & Authorities : Responding to lawful requests, audits, or court orders.
Corporate Transactions : Mergers, acquisitions, or asset transfers, subject to non‑disclosure and continuation of protections.
Sensitive Personal Data is shared only on a strict need‑to‑know basis and, where mandated, with additional safeguards or contractual clauses.
Arrowhead maintains a layered security program aligned with ISO 27001 and the Indian Digital Personal Data Protection Act (DPDP 2023):
1. Encryption – AES‑256 at rest, TLS 1.2+ in transit; customer names, phone numbers, and PII data are additionally encrypted at the application level using AES-GCM.
2. Access Control – SSO (mandatory for all internal Arrowhead systems; customer‑facing SSO available as an opt‑in), MFA, least‑privilege IAM roles, segregation of duties, and quarterly access reviews.
3. Network & Infrastructure Security – AWS GuardDuty, Inspector, and Macie; Web Application Firewall (WAF) on public endpoints; VPC segmentation.
4. Monitoring & Logging – Centralised SIEM, immutable audit logs, anomaly detection, 24×7 alerting.
5. Secure Development Lifecycle – Code reviews, dependency scanning, container image hardening, staged rollouts.
6. Business Continuity & DR – Automated backups, point‑in‑time RDS snapshots, cross‑region replication, validated recovery playbooks.
7. Vendor Management – Third‑party risk assessments, contractual security requirements, and right‑to‑audit clauses.
8. Dedicated Single-Tenant Deployments – For customers requiring complete isolation, Arrowhead provisions and operates a dedicated AWS account exclusively for the client. Arrowhead maintains administrative control while granting the customer read-only auditor access for transparency. This option may be subject to additional costs depending on the contractual arrangement.
India Data Residency – Customers that require data to remain in‑country may opt for storage exclusively in AWS ap‑south‑1 (Mumbai/BOM). All primary and backup copies stay within Indian territory.
Singapore/Malaysia Data Residency – For customers based in Malaysia and Singapore who require local data residency, Arrowhead offers storage in AWS Asia Pacific regions – either Singapore (ap-southeast-1) or Kuala Lumpur (ap-southeast-5), based on customer preference or regulatory requirements. All data, backups, and metadata remain within the selected region.
Employee Data – Employee data is normally stored in India. Limited cross‑border transfer (e.g., into global HR SaaS tools) is subject to adequacy findings or SCCs plus encryption.
Transfer Mechanisms – Any cross‑border transfers rely on:
Adequacy decisions under applicable privacy laws; or
Contractual safeguards such as Standard Contractual Clauses (SCCs) augmented by end‑to‑end encryption.
Subject to local law, Employees and Customers may have rights to:
Access, correct, or delete Personal Data;
Restrict or object to certain Processing;
Port data to another service provider;
Withdraw consent at any time (where consent is the legal basis); and
Lodge a complaint with a supervisory authority.
Requests should be sent to privacy@arrowhead.team. We respond within one month, or two months for complex cases.
Employee records : 7 years after termination (or longer if required by labour or tax law).
Customer call recordings & transcripts : Retained until the end of the contract term, configurable per client contract. After contract termination, data is deleted upon customer request or per compliance.
Security & access logs : 12 months for operational logs; up to 7 years for forensic or legal hold.
When retention expires, data is securely deleted or irreversibly anonymised.
We review this Statement annually or whenever material changes occur to our Processing activities or applicable law. We will notify Employees and Clients of significant updates via email.