Last updated: May 10, 2026 · Effective: April 29, 2026
Privacy Policy
We provide 30 days' advance notice of material changes by email to your primary account address.
This Privacy Policy describes how BreakNCo Global Private Limited ("Packets," "we," "us," or "our") collects, uses, stores, and discloses personal information when you use our website, platform, or services.
Packets is a business-to-business (B2B) compliance automation platform. The individuals whose data we most commonly process are employees and administrators of our customer organisations, not consumers acting in a personal capacity.
1. Who We Are
BreakNCo Global Private Limited
Building No.5/257A8, Suite No.188B, Heiley Offices, Basement Floor,
Pallath Square, FACT Kalamassery Rd, Kalamassery PO,
Ernakulam — 683104, Kerala, India
Email: admin@packets.build
Grievance Officer: admin@packets.build
2. Data Controller and Data Processor
Packets operates in two legal roles depending on the data being processed:
Data Controller
Account registration data, marketing analytics, and support communications. This is data we collect to run our own business. This Privacy Policy applies.
Data Processor
All compliance content you upload or generate in the platform: controls, policies, risks, evidence, vendor data, AI-generated drafts. Our Data Processing Addendum (DPA) applies, not this policy.
3. Personal Information We Collect
Information you provide
- Name, business email, phone number, company name, job title
- Account registration details
- Onboarding context: company description, industry, team size, and type of data your organisation handles (used to personalise your compliance programme via AI features)
- Compliance content you create, upload, or generate in the platform
- Support requests and correspondence
Information collected automatically
- IP address, device identifiers, browser type, operating system
- Pages viewed, in-product interactions, log and diagnostic data
- Cookie and similar technology data (see Section 6)
We use PostHog for product analytics and session recording on the platform. On packets.build we use Google Analytics 4, Google Tag Manager, Dub Analytics, LinkedIn Insight Tag, LinkedIn Conversions API, and Google Ads conversion tracking.
Information from third parties
- Identity providers: Google and Microsoft (OAuth authentication)
- CRM and communication tools used for customer operations
4. How We Use Your Information
| Purpose | GDPR basis | DPDP Act basis |
|---|---|---|
| Provide and operate the platform | Contract | Contract |
| Manage accounts and authentication | Contract / Legitimate interests | Contract |
| Send operational notices | Contract | Contract |
| Respond to support and sales enquiries | Legitimate interests | Legitimate use |
| Monitor performance and reliability | Legitimate interests | Legitimate use |
| Detect fraud and security incidents | Legitimate interests / Legal obligation | Legitimate use / Legal obligation |
| Legal compliance | Legal obligation | Legal obligation |
| Product analytics (platform) | Legitimate interests | Legitimate use |
| Marketing analytics (website) | Consent | Consent |
| AI-assisted compliance features | Contract + Consent | Contract + Consent |
5. Disclosure of Personal Information
- Subprocessors: see our Subprocessors page
- Professional advisors: legal, audit, insurance under confidentiality obligations
- Regulators and authorities: where required by law or valid governmental request
- Business transfers: in connection with a merger, acquisition, or asset sale
Packets does not sell personal information.
6. Cookies
Session authentication, CSRF protection, load balancing
Active organisation preference, UI theme
PostHog (product analytics + session recording on platform), Google Analytics 4, Dub Analytics
LinkedIn Insight Tag, LinkedIn Conversions API, Google Ads conversion tracking
Analytics and marketing cookies on packets.build are gated behind "Privacy Choices" in the footer. For full details see our Cookie Policy.
Note on session recording: PostHog records user interactions in the platform including form inputs (password fields excluded). To opt out: admin@packets.build.
7. Subprocessors
A full list of subprocessors with their purpose and data location is on our Subprocessors page. We provide 30 days' advance notice of any change.
8. AI-Enabled Processing
Infrastructure
Packets uses a proprietary agentic AI layer operated by BreakNCo, hosted in India. It uses a third-party LLM API (listed on our Subprocessors page) for inference.
What is sent to AI
May be sent: user prompts; organisational context (company type, industry, framework scope); compliance content (risk descriptions, vendor names, policy text).
Never sent: authentication credentials, payment details, or personal data of your organisation's own end-users.
AI model training
Customer data is not used to train AI models. Data sharing for training and evaluation is contractually disabled. If this changes, we will obtain explicit opt-in consent in advance.
AI-generated outputs
Provided as drafts for human review. Not legal or compliance advice.
Opting out
Contact admin@packets.build to disable AI-powered features. An AI Processing Addendum is available on request (see our DPA).
9. Data Retention
| Category | Period | Trigger |
|---|---|---|
| Account and profile data | Subscription + 90 days | Account closure |
| Compliance programme data | Subscription + 90 days | Account closure |
| Audit logs | 3 years | Log entry date |
| Evidence files (S3) | Subscription + 90 days | Account closure |
| Session data | 30 days or logout | Session end |
| Support communications | 3 years | Last interaction |
| Marketing and analytics data | 24 months | Collection date |
| Billing records | 7 years | Transaction date |
| System backups | 30-day rolling | Backup creation |
On account closure we hold data for 90 days for export, then delete all production data within 30 days and backups within a further 30 days. A deletion confirmation email is sent to the primary account address.
10. Security
We implement encryption in transit and at rest, role-based access control, MFA support, immutable audit logging, rate limiting, and DDoS protection. SOC 2 Type I and ISO 27001 certifications are in progress; GDPR compliance programme is actively being implemented. For full details see our Security page. To report a vulnerability: admin@packets.build.
11. Breach Notification
In the event of a confirmed personal data breach, we will notify affected customers within 72 hours by email to the primary account address, including the nature of the breach, data categories affected, estimated record count, consequences, and remediation steps. We will also notify the relevant regulatory authority within the prescribed timeline.
12. Cross-Border Data Transfers
The vast majority of Packets' infrastructure is in India. Application compute, AI processing, and database are all hosted in Mumbai, India. Where data is transferred to the US for AI inference and ancillary services, transfers are covered by data processing agreements with each subprocessor (see Subprocessors).
- EU/EEA: Standard Contractual Clauses (Module 2) in the DPA
- UK: UK IDTA or UK Addendum to EU SCCs in the DPA
- California (CCPA): Packets is a "Service Provider" and does not sell or share California personal information
13. Your Rights
Email admin@packets.build to exercise any right. We respond within 30 days.
| Right | Legal basis |
|---|---|
| Access: obtain a copy of your data | GDPR Art. 15; DPDP Act S.11 |
| Correction: fix inaccurate data | GDPR Art. 16; DPDP Act S.12 |
| Erasure: request deletion | GDPR Art. 17; DPDP Act S.12 |
| Restriction of processing | GDPR Art. 18 |
| Portability | GDPR Art. 20 |
| Objection to legitimate interest processing | GDPR Art. 21 |
| Withdraw consent | GDPR Art. 7; DPDP Act S.6 |
| AI opt-out: disable AI features | Section 8 of this policy |
| Lodge a complaint with a supervisory authority | GDPR Art. 77; DPDP Act S.28 |
14. Children's Privacy
Packets is not directed to children. We do not knowingly collect personal information from individuals under 18.
15. Indian Law — DPDP Act 2023
BreakNCo Global Private Limited is a Data Fiduciary under the Digital Personal Data Protection Act 2023. We also comply with the Information Technology Act 2000 and IT (SPDI) Rules 2011.
Grievance Officer: admin@packets.build. Complaints acknowledged within 48 hours, resolved within 30 days.
16. Governing Law
This policy is governed by the laws of India. EU GDPR, UK GDPR, and CCPA obligations are honoured for applicable customers as described in this policy.
17. Changes
For material changes we provide 30 days' advance notice by email. For minor updates we revise the "Last updated" date above.
18. Contact
BreakNCo Global Private Limited
Building No.5/257A8, Heiley Offices, Ernakulam — 683104, Kerala, India
Email: admin@packets.build
Dedicated aliases privacy@packets.build and security@packets.build will replace admin@packets.build before our first enterprise deployment.
Previous versions: Request v1.0 (April 29, 2026)