Legal

Privacy Policy

Last updated 12 May 2026 | Version 1.0

This Privacy Policy explains how DEXWOX INNOVATIONS PRIVATE LIMITED (CIN: U62013TN2023PTC158981, “Dexwox”, “we”, “us”, or “our”), operating the Dexcost service at dexcost.io, app.dexcost.io, api.dexcost.io, and docs.dexcost.io (collectively, the “Service”), collects, uses, discloses, and safeguards your information. Our registered office is at No. 8C, Senthooran Colony, 1st Street, Madipakkam, Chennai – 600091, Tamil Nadu, India. We are committed to handling your information with transparency and to honouring the privacy rights granted to you under applicable laws, including India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”).

By creating a Dexcost account, installing a Dexcost SDK, or accessing any part of the Service, you confirm that you have read this Privacy Policy and consent to the practices described below. If you do not agree, please do not use the Service.

1. Scope

This Privacy Policy applies to information we collect from:

  • Visitors of dexcost.io and docs.dexcost.io.
  • Account holders who register for and use Dexcost via app.dexcost.io.
  • Developers and applications that integrate the Dexcost SDK or call api.dexcost.io.
  • Individuals who contact us at any of our published email addresses.

This Privacy Policy does not apply to the privacy practices of third parties whose websites or services may be linked from the Service.

2. Information we collect

We collect only what we need to operate the Service, bill you correctly, secure your account, and comply with the law.

Account information you provide. When you create an account or sign up for a paid plan, we collect your name, work email address, company name, billing address, country — for invoicing and tax purposes — and, for Indian businesses, your GSTIN. Card details and bank account numbers are collected and stored directly by our payment processor, Razorpay, and never reach our servers in raw form (see “Sub-processors” below).

SDK and usage metadata. When you instrument your application with the Dexcost SDK, the SDK sends metadata about each AI or external service call to our ingestion API. This includes timestamps, endpoint identifiers, HTTP response codes, AI model identifiers (provider, model name), token counts (input, output, cached), the unit cost computed by our pricing engine, and any customer or project identifiers and tags you attach. The SDK is designed to never transmit prompt content, AI model response content, or end-user personally identifiable information that flows through your AI calls.

Dashboard usage data. When you sign in to app.dexcost.io, we log pages viewed, IP address, approximate geolocation, browser, OS, and session identifiers, for security, debugging, and product analytics.

Support communications. If you contact support@dexcost.io, billing@dexcost.io, legal@dexcost.io, or hello@dexcost.io, we retain the message for a reasonable period to assist you and to keep a record of our communications.

3. Information we DO NOT collect

We deliberately do not collect:

  • Prompt content sent to AI providers.
  • AI model response content returned to your application.
  • End-user PII passed through your AI calls (the SDK transmits metadata only).
  • Credit card or bank account numbers in raw form (handled by our payment processor).

This separation is part of the product’s design: Dexcost measures cost and usage, not conversation content.

4. How we use your information

We use the information we collect to:

  • Operate, maintain, and improve the Service.
  • Compute usage and costs, generate invoices, and process payments.
  • Provide customer support and respond to your enquiries.
  • Detect, prevent, and address fraud, security incidents, and abuse.
  • Comply with legal obligations, including tax law and the DPDP Act.
  • Produce aggregated, anonymised analytics that do not identify any individual or customer.

We do not use customer data to train AI models. Your metadata is used to compute and present your costs to you — it is not fed back into model training pipelines, our own or any third party’s.

5. Legal basis for processing

We process personal data on the following bases, as applicable under the DPDP Act and other laws:

  • Contract: to provide the Service that you have signed up for.
  • Consent: for optional features such as analytics cookies and marketing communications.
  • Legitimate interest: for security monitoring, product improvement, and fraud prevention.
  • Legal obligation: to comply with tax, accounting, and other statutory requirements.

6. Sub-processors

To deliver the Service, we share limited data with carefully selected sub-processors. Our sub-processors are bound by written agreements that require them to protect your data at least to the standard we maintain.

Sub-processor | Purpose | Location
Razorpay Software Private Limited | Payment processing for subscriptions, invoices, refunds | India
Amazon Web Services, Inc. | Cloud hosting for application, API, and primary database | United States (us-east-1)
ClickHouse Inc. | Analytics event storage for usage metadata | United States
Amazon Simple Email Service (SES) | Outbound transactional and account email | United States

We will update this list when we add or change a sub-processor.

7. Data retention

Retention windows scale with your subscription tier:

  • Free tier: event-level usage data retained for 3 months.
  • Pro tier: event-level usage data retained for 6 months.
  • Growth tier: event-level usage data retained for 12 months.
  • Enterprise tier: event-level usage data retained for the period specified in your Order Form or written agreement.

Billing and tax records are retained for 7 years as required by the Indian Companies Act, 2013 and the Income Tax Act, 1961, irrespective of subscription tier. Account-identifying information is retained while your account is active and for a reasonable wind-down period after cancellation.

8. Your rights under the DPDP Act

Subject to the Digital Personal Data Protection Act, 2023 and other applicable laws, you have the right to:

  • Access the personal data we hold about you.
  • Correct information that is inaccurate or out of date.
  • Erase your account and associated personal data (subject to retention required by law).
  • Restrict or object to certain processing.
  • Withdraw consent at any time where processing is based on consent.
  • Portability — receive your data in a commonly used, machine-readable format.
  • Grievance redressal — lodge a complaint with our Grievance Officer (see Section 13) or with the Data Protection Board of India.

To exercise any of these rights, email legal@dexcost.io with the subject line “Privacy Request”. We respond within 30 days.

9. International data transfers

Our primary application infrastructure runs in AWS us-east-1 (United States). When you use the Service, you consent to the transfer of your data outside of India for the purposes described in this Privacy Policy. We rely on contractual safeguards with our sub-processors, including data-protection terms equivalent to or stronger than the standard contractual clauses used under the GDPR framework, and on the data-protection commitments of our hosting providers. As and when the Government of India notifies specific cross-border transfer mechanisms under the DPDP Act, we will update our practices accordingly. We monitor sub-processor compliance regularly and will notify you of any material change in data residency or transfer mechanisms.

10. Security

We protect your data with a defence-in-depth approach:

  • In transit: TLS 1.2 or higher for all SDK, API, and dashboard traffic.
  • At rest: AES-256 encryption for the primary database and event store.
  • Access control: role-based access for Dexcost staff, with audit logging of administrative actions.
  • Operational: vulnerability scanning, dependency review, and least-privilege deployment practices.
  • Incident response: in the event of a breach involving personal data, we will notify affected users and the Data Protection Board of India within the timelines required by the DPDP Act.

No method of transmission or storage is perfectly secure; we cannot guarantee absolute privacy, but we work hard to protect it. We conduct periodic security assessments and review access logs continuously to detect potential anomalies and unauthorised access.

We separately apply the following organisational and personnel measures. Every Dexcost team member completes mandatory data-protection and security training when they join and refresher training each year, with a particular focus on phishing resistance, secure credential handling, and the principle of least privilege. Production credentials, API keys, and database secrets are stored in an encrypted secrets manager, rotated on a defined schedule, and are accessible only to a narrow on-call rotation. Background verification is performed for personnel granted access to production systems. We follow industry guidance such as the OWASP Top 10 and the CIS Benchmarks when hardening application code and cloud infrastructure, and we maintain documented runbooks for the incident classes we have rehearsed. Independent penetration testing is conducted on a periodic basis by qualified third parties, and our internal change-management process requires peer review and automated testing for all production-affecting changes. Where a vendor or sub-processor accesses your data on our behalf, we contractually require equivalent or stronger security obligations before access is granted, and we revoke that access promptly when it is no longer required.

11. Cookies and tracking

dexcost.io and app.dexcost.io use a small set of cookies and similar technologies:

  • Essential cookies are required for authentication and security and cannot be turned off.

We do not currently deploy analytics or functional cookies. If we add them in the future, we will update this policy and obtain your consent before loading any non-essential cookie.

12. Children

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe we have collected information from a minor, please contact legal@dexcost.io.

13. Grievance Officer and contact

For any questions, concerns, or rights requests related to this Privacy Policy, please contact:

  • Grievance Officer: Mathan Sivavel
  • Email: legal@dexcost.io
  • Subject: “Privacy Request” or “Grievance Officer”
  • Postal: Grievance Officer, Dexwox Innovations Private Limited, No. 8C, Senthooran Colony, 1st Street, Madipakkam, Chennai – 600091, Tamil Nadu, India

We acknowledge grievances within 3 business days and aim to resolve them within 30 days.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be announced via in-product notice or email at least 30 days before they take effect. The “Last Updated” date at the top of this page tells you when this policy was most recently revised. Continued use of the Service after the effective date of a change constitutes acceptance of the updated policy.

For questions about this Privacy Policy, please contact legal@dexcost.io.