Additive Labs Pvt Ltd
Privacy Policy
How we collect, use, and protect your information
1. Introduction and Scope
Additive Labs Pvt Ltd ("Additive Labs," "we," "us," or "our") is a boutique hardware product engineering studio incorporated under the Companies Act, 2013, based in and operating from Bhopal, Madhya Pradesh, India. We provide mechanical CAD design, design for manufacturing (DFM), PCB design, firmware development, PCB assembly, product development, and on-demand manufacturing coordination to founders, startups, SMEs, and clients in India and internationally.
This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you: visit our website at additivelabs.org; submit an inquiry through our contact form or any chatbot we may activate in the future; communicate with us by email, WhatsApp, or phone; or engage us for professional engineering services.
This Policy applies to all individuals regardless of location. For EU/UK clients, additional rights apply under the GDPR and UK GDPR where applicable. For California/United States residents and individuals in other jurisdictions, additional privacy rights may apply only to the extent those laws apply to Additive Labs — see Section 12. This Policy is a notice document. Nothing in this Policy constitutes consent to data processing.
2. Who We Are — Data Controller and Privacy Contact
Data Controller:
Additive Labs Pvt Ltd, Bhopal, Madhya Pradesh, India
Email: privacy@additivelabs.org | Website: https://additivelabs.org
2.1 Privacy and Grievance Contact
Additive Labs maintains the following privacy and grievance contact for privacy-related concerns, data rights requests, and complaints. Where any statutory grievance officer requirement applies to Additive Labs, this contact will act as the designated point of contact unless otherwise notified:
Privacy and Grievance Contact — Additive Labs Pvt Ltd
Name: Mr Chandra Shekhar, Director
Email: privacy@additivelabs.org
Address: Bhopal, Madhya Pradesh, India
Acknowledgment of grievance: within 24 hours of receipt
Target resolution of grievance: within 15 days of receipt, where reasonably possible and subject to applicable law
2.2 Privacy Enquiries Response Timeline
All privacy-related enquiries sent to privacy@additivelabs.org will be acknowledged within 3 business days and fully responded to within 30 days of receipt, where reasonably possible and subject to applicable law. If we require additional time for complex requests, we will notify you within the initial response period, stating the reason for the extension.
3. Applicable Laws
Our data protection obligations may be governed by the following laws, depending on the individual, the data, and the context of processing:
- The Information Technology Act, 2000 (IT Act) and the IT (Amendment) Act, 2008 — including cyber, security, and privacy-related obligations that remain applicable
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) — operative rules defining sensitive personal data and requiring reasonable security practices
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — where applicable to specific online activities or grievance-handling obligations
- The Digital Personal Data Protection Act, 2023 (DPDPA) and the Digital Personal Data Protection Rules, 2025 — subject to phased commencement, applicable rules, and government notifications
- The General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, and applicable UK data protection law — where applicable to EU/UK data subjects
- The California Consumer Privacy Act, 2018 as amended by the California Privacy Rights Act, 2020 (CCPA/CPRA), and other international privacy laws — only where applicable to Additive Labs and the relevant individual
Where more than one privacy law applies, we aim to apply the standard that provides the individual with stronger protection, unless a specific legal rule requires otherwise.
4. Information We Collect
4.1 Information You Provide Directly
- Contact information: full name, email address, phone number, WhatsApp number
- Business information: company name, project name, job title, industry
- Project information: product description, engineering requirements, timeline, budget range
- Communication history: emails, WhatsApp messages, and all other correspondence
- Service preferences: type of service required, timeline, budget
- Referral information: how you heard about us
- Payment information: billing details for invoicing. We do not store card numbers; payment processing is by third-party processors.
4.2 Information Collected Automatically
- IP address and approximate geographic location (country/city level)
- Browser type, version, and language settings
- Operating system and device type
- Pages visited, time on page, and navigation path
- Referring URL and search terms
- Date and time of visit
4.3 Information Collected via Chatbot (Future Feature)
We do not currently operate a chatbot that collects personal data. If we activate a chatbot, we will update this Policy before launch to identify the provider, data collected, retention period, legal basis, model-training position, and opt-out options where applicable.
4.4 Information from Third Parties
- Referrals: contact details shared by someone who referred you to us
- LinkedIn and professional platforms: when you contact us through those platforms
- Cloudflare: technical security data processed to protect our website
4.5 Business Contact Data — B2B Context
Most of Additive Labs' clients are businesses, not individual consumers. When you contact us as a representative of a company or organisation, the data we collect about you (name, business email, job title) is business contact data collected in a business-to-business (B2B) context. Please note:
- Business contact data is still personal data under the IT Act 2000 and GDPR and is protected accordingly
- Business contact data remains personal data where it identifies an individual. If you contact us in a professional capacity, we process your business contact details for B2B communication, project assessment, contracting, and service delivery
- We treat all personal data — whether provided in a B2B or personal capacity — with the same standard of care described in this Policy
- If you are unsure whether your rights apply to data you have provided in a business context, please contact us at privacy@additivelabs.org and we will assess your specific situation
4.6 Special Categories of Data
We do not intentionally collect sensitive personal data including race, ethnicity, political opinions, health data, biometric data, or detailed financial account information. Please do not submit such information through our contact form or any future chatbot.
4.7 Client-Provided Third-Party Personal Data
If a Client provides personal data relating to its customers, employees, vendors, users, testers, contractors, or other third parties, the Client is responsible for ensuring it has a lawful basis, authority, notice, and any required consent to share that data with Additive Labs. Unless otherwise agreed in a separate data processing agreement, Additive Labs processes such data only as necessary to assess, scope, deliver, support, document, or invoice the requested services, or to comply with legal obligations.
5. How We Use Your Information
5.1 To Deliver Our Services
- To respond to project inquiries and assess fit
- To prepare proposals, quotations, and scoping documents
- To carry out mechanical design, PCB design, firmware development, and manufacturing coordination
- To manage project communication, documentation, and delivery
- To invoice for services rendered and manage payment
5.2 To Communicate With You
- To send inquiry confirmation and project updates
- To respond to questions and feedback
- To send important notices about services or policy changes
5.3 To Improve Our Services
- To understand how visitors use our website
- To analyse inquiry patterns and improve client communication
5.4 Legal and Compliance Purposes
- To comply with Indian law and other applicable laws
- To respond to lawful requests from authorities or courts
- To protect our rights, property, and the safety of clients and team
- To enforce our Terms of Service
5.5 What We Do Not Do
- We do not sell your personal information to any third party under any circumstances
- We do not use your information for targeted advertising or behavioural profiling
- We do not share project details with competitors or unrelated third parties
- We do not send unsolicited marketing emails
5.6 Automated Decision-Making and Profiling
Additive Labs does not use automated decision-making or profiling in any way that produces legal effects or similarly significant effects concerning you. All decisions about project acceptance, scoping, and responses are made by human team members. No automated system makes decisions about you without human review.
6. Legal Basis for Processing
6.1 Under Indian Law (IT Act 2000 / DPDPA 2023 and Applicable Rules)
Under Indian data protection law, we process personal data for lawful purposes connected with responding to inquiries, preparing proposals, performing requested services, complying with legal obligations, protecting our business, and other permitted uses. Where consent is legally required, we will obtain consent separately and specifically.
6.2 Under GDPR (EU / UK Clients)
- Contractual necessity (Article 6(1)(b)): processing necessary to enter into or perform a contract with you
- Legitimate interests (Article 6(1)(f)): improving our website, managing client relationships, protecting our business — where not overridden by your rights
- Legal obligation (Article 6(1)(c)): complying with applicable law
- Consent (Article 6(1)(a)): for specific activities where we explicitly request it
7. Disclosure of Your Information
We do not sell or rent your personal information. We may disclose your information only to the following categories of recipients on a strict need-to-know basis:
7.1 Service Providers
- Resend (resend.com, United States): email delivery. Processes name and email address where email is routed through the service, subject to its applicable service terms, data processing terms, and transfer safeguards where applicable.
- Cloudflare (cloudflare.com, United States and global infrastructure): website security, CDN, Turnstile, bot protection, and infrastructure. Processes IP address, request metadata, and security logs, subject to its applicable service terms, data processing terms, and transfer safeguards where applicable.
- Email providers (e.g., Google Workspace): team business correspondence, subject to the provider's applicable service terms, security commitments, and transfer safeguards where applicable.
- Accounting and invoicing software: invoice management and financial records.
- Chatbot service provider, if activated in the future: see Section 4.3.
7.2 Manufacturing Partners
When your project proceeds to manufacturing, we share relevant technical files (CAD files, Gerbers, BOMs) with vetted manufacturing partners. We share only what is necessary for manufacturing execution. Personal contact details are not shared with manufacturing partners unless required for direct delivery logistics.
7.3 Professional Advisors
Lawyers, accountants, and other professional advisors where necessary for advice or legal proceedings.
7.4 Legal Authorities
Government authorities, law enforcement, or courts where required by law. We will notify you where permitted.
7.5 Business Transfers
In the event of a merger, acquisition, or sale, your data may transfer to a successor entity. We will provide notice before such transfer.
8. Data Retention
8.1 Personal Data
- Inquiry records (no project): 2 years from last communication, then deleted or anonymised
- Client project records: 7 years from project completion (Indian tax law compliance)
- Invoice and financial records: 8 years (Income Tax Act 1961)
- Email and communication records: duration of business relationship plus 3 years
- Website, security, and ICT logs: retained for up to 180 days where required for cybersecurity, legal, CERT-In, dispute, or incident-response purposes, and longer only where required for an active security incident, investigation, dispute, or legal obligation. Where such retention is not required, we minimise log retention to the extent reasonably possible.
8.2 Engineering File Retention
- Active project files: retained securely for the duration of the engagement
- Post-completion: retained for 3 years to support revisions or re-orders
- After 3 years: deleted unless you request extended retention or legal obligation requires otherwise
- Deletion on request: we will delete engineering files before 3 years on written request to privacy@additivelabs.org, subject to overriding legal, contractual, tax, warranty, dispute, or legitimate business retention obligations
- Manufacturing partner copies: governed by confidentiality clauses in our agreements with those partners
- Storage: access-controlled systems; not stored on public cloud without encryption
8.3 Chatbot Data (When Activated)
We do not currently retain chatbot transcripts because no chatbot is active. If a chatbot is activated, the retention period for chat transcripts and associated metadata will be specified before launch and reflected in this Policy.
9. Data Security
- TLS/HTTPS encryption for all data transmitted between your browser and our website
- Cloudflare Turnstile on our contact form to prevent automated abuse
- Access controls restricting client data to team members who need it
- Multi-factor authentication for business accounts
- Third-party providers evaluated for security practices before engagement
- Engineering files stored in access-controlled environments, not public storage
9.1 Data Breach Notification
- CERT-In notification: where applicable, within 6 hours of becoming aware of reportable cyber incidents, per CERT-In Cyber Security Directions (April 2022)
- GDPR notification to supervisory authority: within 72 hours for EU/UK client data
- DPDPA / DPDP Rules notification: where applicable, affected individuals and the Data Protection Board of India will be notified in accordance with applicable statutory timelines and content requirements
- Individual notification: without undue delay where a breach is likely to result in significant risk or harm to your rights or interests
- Internal breach register: maintained for all breaches regardless of notification obligation
If you believe your data has been compromised, contact privacy@additivelabs.org immediately.
10. Cookies and Tracking
Our website currently uses only the following:
- Session cookies (strictly necessary): temporary, deleted when browser closes. No consent required.
- Cloudflare __cf_bm cookie (strictly necessary): bot detection and security. No consent required.
- Cloudflare Turnstile (strictly necessary): human verification on contact form. No consent required.
We do not use Google Analytics, Facebook Pixel, or any advertising or analytics tracking tools. No non-essential cookies are set without your prior consent.
10.1 Cookie Consent
All cookies currently in use on additivelabs.org are strictly necessary for security and basic website operation. Strictly necessary cookies generally do not require prior consent under applicable cookie laws. If we add any non-essential cookies, such as analytics, personalisation, advertising, or behavioural tracking cookies, we will implement a cookie consent mechanism before activating them and update this Policy accordingly.
10.2 Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals to websites. Our website does not currently alter its data collection practices in response to DNT signals because: (a) we do not use tracking technologies that respond to DNT; and (b) there is no legally binding standard for how websites must respond to DNT signals. If a binding DNT standard is established, we will update our practices accordingly.
11. Your Rights
11.1 Rights Under Indian Law
- Right to access a summary of personal data processed and the purposes
- Right to correct inaccurate or incomplete personal data
- Right to erasure, subject to legal retention obligations
- Right to grievance redressal through our Privacy and Grievance Contact
- Right to nominate another person to exercise rights on your behalf
11.2 Rights Under GDPR (EU / UK)
- Right of access (Article 15): obtain a copy of your personal data
- Right to rectification (Article 16): correct inaccurate data
- Right to erasure (Article 17): 'right to be forgotten' in certain circumstances
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20): receive data in structured, machine-readable format
- Right to object (Article 21): object to processing based on legitimate interests
- Right to withdraw consent (Article 7(3)): at any time without affecting prior processing
- Right not to be subject to automated decision-making (Article 22) — see Section 5.6
- Right to lodge a complaint with your local supervisory authority
11.3 How to Exercise Your Rights
Contact us at privacy@additivelabs.org with the subject line "Data Subject Request." We will verify your identity and respond within 30 days. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
12. International Privacy Rights
Additive Labs is based in and operates from Bhopal, Madhya Pradesh, India, and serves clients in India and internationally. Privacy rights vary by jurisdiction. This Section explains how we handle international privacy rights without representing that every privacy law in every country automatically applies to Additive Labs.
12.1 EU / UK Privacy Rights
EU and UK individuals may have the rights described in Section 11.2, including rights of access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and complaint to a supervisory authority. International transfers relating to EU/UK personal data are addressed in Section 14.
12.2 California / United States Privacy Notice
This subsection applies only to the extent California privacy law or other applicable United States privacy law applies to Additive Labs and to the relevant individual. Additive Labs does not sell personal information and does not share personal information for cross-context behavioural advertising.
- Right to know: where applicable, request information about categories or specific pieces of personal information collected, sources, purposes, and categories of third parties with whom information is shared
- Right to delete: where applicable, request deletion of personal information, subject to permitted exceptions such as completing transactions, security, legal obligations, and dispute handling
- Right to correct: where applicable, request correction of inaccurate personal information
- Right to opt out: Additive Labs does not sell personal information or share personal information for cross-context behavioural advertising. If this changes, we will provide an appropriate opt-out mechanism and update this Policy
- Right to non-discrimination: where applicable, we will not discriminate against you for exercising privacy rights
- Authorised agent: where applicable, you may designate an authorised agent. We may require written proof of authorisation and may verify your identity directly
To submit a California/United States privacy request, email privacy@additivelabs.org with the subject line "United States Privacy Rights Request." We will verify your identity and respond within the timeframe required by applicable law.
12.3 Other International Privacy Rights
If you are located in a jurisdiction that provides privacy rights not specifically described in this Policy, you may contact us at privacy@additivelabs.org. Where applicable law requires Additive Labs to recognise such rights, we will respond in accordance with that law. We may request information reasonably necessary to verify your identity and assess whether the relevant law applies to your request.
13. Withdrawing Consent
Where processing is based on consent, you may withdraw it at any time by:
- Emailing privacy@additivelabs.org with subject line "Withdraw Consent" specifying the processing activity
- Responding STOP or UNSUBSCRIBE to any marketing communication
- Contacting our Privacy and Grievance Contact
We will process withdrawal requests within 7 business days and confirm the action taken. Withdrawal does not affect the lawfulness of prior processing, and does not obligate us to delete data we are required to retain under law or contract.
14. International Data Transfers
Additive Labs is based in and operates from Bhopal, Madhya Pradesh, India. Because we serve clients in India and internationally, processing of your data may involve transfers outside India. Specifically:
- Resend (USA): email delivery service. Transfers, where applicable, are handled under the provider's applicable data processing terms, contractual safeguards, and transfer mechanisms.
- Cloudflare (USA and global infrastructure): website security, CDN, Turnstile, and infrastructure. Transfers, where applicable, are handled under the provider's applicable data processing terms, contractual safeguards, and transfer mechanisms.
- Google Workspace or other email provider (if applicable): email and business communication. Transfers, where applicable, are handled under the provider's applicable data processing terms, contractual safeguards, and transfer mechanisms.
For EU/UK data subjects, we rely on appropriate transfer safeguards such as Standard Contractual Clauses under GDPR Article 46(2)(c), where required, rather than general website consent. For Indian residents, we will comply with any restrictions, conditions, or government notifications applicable to international transfers under Indian data protection law.
14.1 Data Localisation
Indian data protection law may impose restrictions, conditions, or government-notified requirements on certain international transfers of personal data. Additive Labs is monitoring applicable requirements and will update its data transfer practices to comply with any localisation or transfer obligations that apply to our operations. Our current international transfers described above are made to service providers essential for our operations and are subject to appropriate contractual safeguards.
15. WhatsApp and Third-Party Messaging
We use WhatsApp for client communication. WhatsApp is operated by Meta Platforms, Inc. and is subject to Meta's separate Privacy Policy and data practices outside our control. When communicating via WhatsApp:
- Messages are stored on WhatsApp's servers as well as received by us
- Meta may process message metadata per its own Privacy Policy
- We recommend avoiding highly sensitive project information via WhatsApp
- We handle information you share with us in accordance with this Policy, but cannot control Meta's handling of the same data
For communications not subject to third-party processing, use privacy@additivelabs.org.
16. Children's Privacy
Our services are not directed at individuals under 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently done so, contact privacy@additivelabs.org immediately.
17. Third-Party Links
Our website may link to LinkedIn, Instagram, and WhatsApp. This Policy does not apply to those websites. We encourage you to read their privacy policies.
18. Changes to This Policy
We may update this Policy from time to time. Material changes will be reflected in an updated "Last Updated" date. For significant changes, we will make reasonable efforts to notify active clients by email. Continued use of our services after changes constitutes acknowledgment of the updated Policy. We will not treat acknowledgment of an updated Policy as consent to new data processing activities.
19. Contact and Grievance Redressal
Privacy Enquiries and Rights Requests:
Email: privacy@additivelabs.org
Response: acknowledged within 3 business days; resolved within 30 days
Privacy and Grievance Contact:
Name: Mr Chandra Shekhar, Director
Email: privacy@additivelabs.org
Address: Bhopal, Madhya Pradesh, India
Acknowledgment: 24 hours | Target resolution: 15 days, where reasonably possible and subject to applicable law
Legal and Terms Matters:
Email: legal@additivelabs.org
Website: https://additivelabs.org
If dissatisfied with our response: EU/UK residents may complain to their local supervisory authority. Indian residents may use any escalation route available under applicable Indian data protection law.
© 2026 Additive Labs Pvt Ltd. All rights reserved. Governed by the laws of India. Operating from Bhopal, Madhya Pradesh, India.