Privacy Policy — Salvus Industries / Zelicra

This is the company-level privacy policy for Salvus Industries and the Zelicra suite of products: SIOS, Arbiter, Sentinel, Warden and Vestige (each a “Service”, together the “Services”). Individual products may publish additional, product-specific notices — for example, Arbiter at arbiter.zelicra.com. Where a product-specific notice and this policy differ, the product-specific notice governs for that product.

This policy is provided in good faith for transparency and does not constitute legal advice.

1. Who we are

Salvus Industries (“Salvus”, “we”, “us”, “our”) is a software company based in Kerala, India. We build and operate the Zelicra suite.

Contact for any privacy or data-protection matter: hello@zelicra.com

2. Our role: controller vs processor

Our responsibilities depend on the data:

Controller — for account data, billing, website analytics and support correspondence, we decide how and why data is processed.
Processor — for the business and operational data you or your organisation enter into a product, we process it on your documented instructions. Your organisation remains the controller of that data. This is especially important for Warden (UK care providers remain the controller of their workforce/operational data) and for the records your customers appear in (e.g. invoices in Arbiter).

3. Frameworks we work within

We aim to handle personal data in line with the laws that apply to our users across the regions we serve:

EU GDPR (Regulation (EU) 2016/679)
UK GDPR and the Data Protection Act 2018
India — the Digital Personal Data Protection Act, 2023 (DPDP Act)
GCC / Kuwait — applicable national data-protection rules, including Kuwait’s CITRA Data Privacy Protection Regulation

Where any of these give you stronger rights than this policy describes, those rights apply.

4. What each product processes, and why

Across all Services we process basic account & usage data: your name and email, organisation, a securely hashed password, billing details (for paid plans), support messages, and technical logs (IP address, browser type, timestamps) used for security and to operate the Service.

Product	What it processes	Why
SIOS	Operational content, tasks/projects, and any prompts you submit to AI features; agent activity logs.	To run the operations platform and generate AI-assisted output you request (see §7).
Arbiter (GCC e-commerce)	Seller business details, invoice data (which may include the seller’s customers’ names, contact and order details), returns, complaints and compliance records.	To deliver Kuwait Decree 10/2026 and GCC e-commerce compliance tooling. We act as processor for the seller’s customer data.
Sentinel (HSE certificates)	Certificate-holder details, certificate and expiry records, and public verification data.	To issue, track and verify HSE certificates on behalf of your organisation.
Warden (UK care homes)	Workforce/operational records — staff identities, policy and training acknowledgements, and sign-off and timestamp data.	Read-and-sign and workforce-compliance for UK care providers. Processed under UK GDPR / DPA 2018 on the provider’s instructions; the provider is the controller. See §5.
Vestige (heritage SaaS, in development)	Tenant operational data per the business’s configuration.	To deliver multi-tenant operations for heritage-service businesses. Processor model.

5. Warden — UK care-home data

Note for care providers. Warden is designed for workforce and operational compliance data (staff records, policy/training acknowledgements). The care provider is the data controller; Salvus is a processor acting on your documented instructions and is subject to UK GDPR and the Data Protection Act 2018. We do not request special-category data (such as health information). Please do not upload special-category or care-recipient data unless a specific lawful basis and a data-processing agreement are in place.

6. Lawful bases

Contract — to provide the Service you signed up for.
Legitimate interests — security, fraud prevention and improving the Service.
Consent — optional communications and certain AI features, where consent applies. You may withdraw consent at any time.
Legal obligation — where the law requires processing or retention.

Where we act as processor, the controller (your organisation) is responsible for the lawful basis of the underlying data; we process only on their instructions.

7. AI features & model providers

Some Services — notably SIOS, and any feature explicitly labelled as AI — transmit limited content to third-party AI model providers to generate the output you request. Where used, Microsoft Azure OpenAI is a primary provider, configured to EU regions where available.

Our core compliance products (Arbiter, Sentinel, Warden, Vestige) store and process your records within our EU-hosted infrastructure and do not send your business data to AI providers unless you use an AI-assisted feature. Where AI processing involves a transfer outside the EU/UK, we rely on the provider’s data-protection terms and transfer safeguards (for Microsoft, this includes the EU Standard Contractual Clauses in its data-protection addendum).

8. Hosting & data residency

Application data for all Zelicra products is hosted in the European Union (Hetzner Online GmbH). AI features may involve processing by the model providers described in §7.

9. Sub-processors

We use a small number of vendors to operate the Services. We do not sell personal data.

Sub-processor	Purpose	Region
Hetzner Online GmbH	Cloud hosting & storage	European Union
Microsoft Azure (Azure OpenAI)	AI processing for SIOS & AI-labelled features	EU region where configured
Let’s Encrypt	TLS/SSL certificates	Global / EU

We keep this list current and will communicate material changes through the Service or by email.

10. Retention

Account data: retained while your account is active and for a limited period afterwards. On verified deletion request or account closure, we delete or anonymise personal data within 30 days, unless retention is required by law or to resolve a dispute.
Backups: retained on a rolling basis (approximately 30 days) and then overwritten.
Processor data: retained and deleted in line with the controller’s instructions and the applicable product agreement.

11. Sharing

We share personal data only with the sub-processors above, where required by law or regulators, or to protect the rights, property or safety of users and the public. We do not sell personal data or share it for third-party advertising.

12. Your rights

Depending on your jurisdiction (EU/UK GDPR, India DPDP Act, GCC/Kuwait), you may have rights to access, correct, delete, restrict or object to processing, to data portability, and to withdraw consent. To exercise any right, email hello@zelicra.com. We respond within the timeframe required by applicable law (for example, one month under GDPR). Where we act as a processor, we will forward your request to the relevant controller.

13. Complaints

You can contact us first at hello@zelicra.com. You may also complain to a supervisory authority:

UK: the Information Commissioner’s Office (ICO).
EU/EEA: your local data-protection supervisory authority.
India: the Data Protection Board of India (under the DPDP Act, as it becomes operational).
Kuwait/GCC: the relevant national authority (in Kuwait, CITRA).

14. Security

We use encryption in transit (TLS), access controls, securely hashed passwords, EU-hosted infrastructure and regular updates. No system is perfectly secure, and we cannot guarantee absolute security; we encourage strong, unique passwords and prompt reporting of any concern to hello@zelicra.com.

15. Children

The Services are intended for businesses and are not directed at individuals under 18. We do not knowingly collect data from children and will delete it if we learn we have.

16. Changes

We may update this policy from time to time. The “Last updated” date above reflects the latest version, and we will communicate material changes through the Service or by email.

17. Contact

Salvus Industries — Kerala, India.
Privacy & data-protection inquiries: hello@zelicra.com