1. Introduction
Driftal People Tech Solutions Private Limited (“DriftAI,” “we,” “our,” or “us”) is committed to protecting your personal information. This Privacy Statement explains how we collect, use, disclose, and safeguard data when you visit https://driftal.tech, enquire about our services, or engage with our AI-powered SAP and HR technology solutions, including People Compass and the Driffy AI agent suite.
DriftAI operates as an AI-first enterprise technology partner specialising in SAP SuccessFactors, SAP BTP, S/4HANA, and Agentic Engineering. Because our platform processes sensitive HR and workforce data on behalf of enterprise clients, we apply rigorous data protection standards aligned with the frameworks described in this Statement.
This Privacy Statement applies globally. Depending on your jurisdiction, additional rights and obligations may apply to you as described in the jurisdiction-specific sections below. By using this website or our products, you acknowledge that you have read and understood this Privacy Statement. If you do not agree, please discontinue use of our services.
NOTICE: This Privacy Statement governs both DriftAI’s website activities and its role as a data processor under enterprise client agreements. Where DriftAI processes personal data on behalf of a client organisation, the applicable Order Form and Data Processing Terms (Section 5) govern that processing.
2. Company & Contact Details
The data controller / data fiduciary for information processed through our website and marketing activities is:
| FIELD | DETAILS |
|---|---|
| Company | Driftal People Tech Solutions Private Limited |
| Registered Address | Prestige Skytech, Financial District, Hyderabad, Telangana 500032, India |
| Australian Entity | Driftal Pty Ltd (Australia) — registered in Australia |
| information@driftal.tech | |
| Phone | +91 85229 45050 |
| Website | https://driftal.tech |
| Privacy Enquiries | information@driftal.tech (Subject: Privacy Enquiry) |
3. Information We Collect
3.1 Information You Provide Directly
Contact & Enquiry Data — name, business email, phone number, job title, company name, and message content submitted via contact or demo-request forms.
Account & Engagement Data — credentials, preferences, and correspondence when you register for events, webinars, or product demonstrations.
Procurement & Contract Data — billing details, purchase-order references, and signatory information when entering into a service agreement.
3.2 Information Collected Automatically
Device & Technical Data — IP address, browser type and version, operating system, referring URL, and device identifiers.
Usage & Analytics Data — pages visited, time on site, click-path, and feature interactions, collected via cookies and similar technologies.
Log Data — server logs recording access timestamps and error reports.
3.3 Information We Receive from Enterprise Clients (Data Processor Role)
When DriftAI acts as a data processor under a service agreement, our platform may process employee and HR data on behalf of your organisation — such as employee records, job histories, career milestones, succession data, workforce classification, and HR workflow events from SAP SuccessFactors, SAP S/4HANA, and compatible HR systems.
In this capacity, DriftAI processes such data solely on the documented instructions of the enterprise client (the data controller) and in accordance with the data processing obligations in our Terms and Conditions (Section 5 of the People Compass T&C). DriftAI does not use HR data for any purpose beyond delivering the contracted services.
4. How We Use Your Information
We use personal information for the following purposes under the corresponding legal bases:
| PURPOSE | EXAMPLES | LEGAL BASIS |
|---|---|---|
| Responding to Enquiries | Demo requests, contact forms, strategy calls | Legitimate interest / Consent |
| Service Delivery | SAP implementation, BTP development, managed services | Contract performance |
| Platform Operation | Running People Compass and Driffy AI agent suite | Contract / Legitimate interest |
| Marketing & Communications | Newsletters, product updates (opt-in only) | Consent |
| Analytics & Improvement | Website performance, UX optimisation | Legitimate interest |
| Security & Fraud Prevention | Threat monitoring, access controls, incident response | Legal obligation / Legitimate interest |
| Legal & Regulatory Compliance | Tax records, audit trails, regulatory reporting | Legal obligation |
5. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the site and gather analytics. Non-essential cookies are NOT set until you have given active consent via our cookie banner.
| CATEGORY | PURPOSE | CONSENT REQUIRED? |
|---|---|---|
| Strictly Necessary | Session management, security, core site functions | No |
| Performance / Analytics | Page-view counts, error logging, site-speed metrics | Yes — prior consent |
| Functional | Saved preferences, language selection | Yes — prior consent |
| Marketing / Targeting | Remarketing, conversion tracking | Yes — prior consent |
You may withdraw consent for non-essential cookies at any time by clicking “Cookie Preferences” in the site footer. This complies with the EU ePrivacy Directive (Directive 2009/136/EC) and the UK Privacy and Electronic Communications Regulations (PECR).
6. Data Sharing and Disclosure
We do not sell your personal data. We share data only in the following circumstances:
Sub-processors & Service Providers — DriftAI may engage subprocessors and service providers reasonably necessary for delivery, maintenance, security, support, analytics, communications, infrastructure, or platform operations, subject to commercially reasonable contractual protections. Key subprocessors currently engaged include:
SAP SE (SAP Business Technology Platform — cloud infrastructure for People Compass and Driffy)
Microsoft Corporation (Microsoft Azure / Azure Bot Framework — Driffy Teams channel)
Analytics platforms, CRM tools, and email-delivery providers as engaged from time to time
SAP Ecosystem — Where required to provision SAP SuccessFactors, S/4HANA, or related integrations on your behalf.
Business Transfers — In connection with any merger, acquisition, or sale of substantially all our assets, subject to equivalent privacy protections and prior written notice to affected clients (see Section 7.5 of the People Compass T&C).
Legal Requirements — When required by applicable law, court order, or government authority, or to protect the rights, property, or safety of DriftAI, our clients, or others.
With Your Consent — For any other purpose where you have given explicit consent.
7. International Data Transfers
DriftAI serves global enterprises. Your data may be transferred to and processed in countries other than your country of residence, including India, Germany (SAP SE), and Ireland/USA (Microsoft Azure). We rely on the following transfer mechanisms:
| JURISDICTION / DATA | TRANSFER MECHANISM |
|---|---|
| EU / EEA personal data | Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision (EU) 2021/914), incorporated into our sub-processor agreements with SAP SE and Microsoft Corporation. |
| UK personal data | UK International Data Transfer Agreements (IDTAs) or the UK Addendum to EU SCCs, as issued by the UK Information Commissioner’s Office (ICO). UK data is treated under UK GDPR (UK Data Protection Act 2018) with the UK ICO as the competent supervisory authority. |
| Indian personal data | Processed in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA). Cross-border transfers subject to Central Government notification of permitted countries under DPDPA Section 16. |
| Brazilian personal data (LGPD) | Standard contractual clauses or equivalent mechanisms as recognised by Brazil’s Autoridade Nacional de Proteção de Dados (ANPD). |
| Chinese personal data (PIPL) | Standard contracts filed with the Cyberspace Administration of China (CAC), or security assessment where required by PIPL volume thresholds. |
| All other jurisdictions | Binding sub-processor agreements imposing equivalent protection standards to those applicable in the data subject’s jurisdiction, supplemented by your explicit consent where required by applicable law. |
8. Data Retention
We retain personal data only as long as necessary for the purposes described in this Statement:
| DATA CATEGORY | RETENTION PERIOD |
|---|---|
| Enquiry and marketing data | Up to 3 years from last interaction, or until consent is withdrawn — whichever is earlier. |
| Contract and billing data | 7 years following contract termination, as required by applicable tax and company law (India Companies Act 2013, s.128; equivalent in other jurisdictions). |
| Security and access logs | 12 months, unless an active security investigation requires extended retention. |
| HR / employee data (processor role) | Per the client’s documented instructions and the data processing terms in the applicable Order Form. Upon contract termination, deleted or returned within 30 days of written request. |
| Website analytics (anonymised) | Anonymised aggregate data may be retained indefinitely as it does not constitute personal data. |
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised using industry-standard methods. Anonymised data is no longer subject to data protection obligations.
9. Data Security
DriftAI maintains commercially reasonable administrative, technical, and organizational safeguards intended to protect personal information against unauthorized access, disclosure, misuse, or loss. Our security programme includes:
End-to-end encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
Role-based access controls (RBAC) and the principle of least privilege.
Multi-factor authentication (MFA) for all internal systems.
Continuous security monitoring, vulnerability scanning, and periodic penetration testing.
Zero-Trust Architecture principles governing network access.
A documented incident response plan with mandatory breach-notification procedures.
People Compass connects to SAP SuccessFactors using OAuth 2.0 SAML Bearer Assertion with Principal Propagation, ensuring data access is limited to the permissions of the authenticated individual user and does not create system-level access to HR data.
No transmission over the internet can be guaranteed 100% secure. We encourage you to use strong, unique passwords and report any suspected security incidents to information@driftal.tech immediately.
DriftAI does not guarantee uninterrupted availability, error-free operation, or complete prevention of all cybersecurity incidents, unauthorized access attempts, or malicious activities.
10. Data Breach Notification
In the event of a personal data breach affecting HR data processed on behalf of an enterprise client, DriftAI will:
Notify the affected enterprise client without undue delay and in any event within 48 hours of becoming aware of the breach, to enable the client to meet its 72-hour supervisory authority notification obligation under GDPR Article 33 (where applicable).
Provide sufficient information to enable the client to assess the risk and meet its obligations under applicable law, including GDPR Articles 33–34, UK GDPR, LGPD Article 48, PDPA (Singapore) mandatory breach notification within 3 days of a ‘significant harm’ breach, and POPIA (South Africa) Regulator notification.
Cooperate fully with the client and applicable supervisory authorities in investigating and remediating the breach.
Document all breaches in our internal breach register regardless of whether notification to supervisory authorities is required.
For breaches affecting website visitor data (not HR data), DriftAI will notify affected individuals in accordance with applicable law.
11. Your Data-Subject Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data. To exercise any right, email information@driftal.tech with the subject line “Data Rights Request.” We will respond within the timeframe required by applicable law (generally 30 days for GDPR; 45 days for CCPA/CPRA; 30 days for DPDPA; 30 days for LGPD).
| RIGHT | DESCRIPTION |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Correction / Rectification | Request correction of inaccurate or incomplete data. |
| Erasure / Deletion | Request deletion of your data where there is no overriding legal basis to retain it. |
| Restriction | Request that we restrict processing while a complaint is resolved. |
| Portability | Receive your data in a structured, machine-readable format (GDPR / UK GDPR / DPDPA / CCPA/CPRA / LGPD). |
| Objection | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw Consent | Withdraw previously given consent at any time without affecting prior lawful processing. |
| Opt-Out of Data Selling/Sharing (CCPA/CPRA) | California residents: right to opt out of the sale or sharing of personal information. DriftAI does not sell personal data. CPRA sensitive personal information rights also apply. |
| Non-Discrimination | Exercising data rights will not result in any penalty, denial of service, or different pricing (CCPA/CPRA Section 1798.125). |
| Grievance Redressal (DPDPA) | Lodge a complaint with our Grievance Officer or the Data Protection Board of India once operational. |
| Correction / Erasure (LGPD) | Brazilian residents have the right to correction, anonymisation, blocking, or deletion of unnecessary or excessive data. |
| Access & Correction (PDPA) | Singapore residents may request access to and correction of personal data held by DriftAI. |
| Correction & Deletion (POPIA) | South African data subjects may request correction or deletion of personal information under POPIA Section 24. |
Identity verification may be required before processing a data rights request. We will not charge a fee for reasonable requests.
12. Jurisdiction-Specific Privacy Rights
The following supplementary provisions apply to residents of specific jurisdictions. They complement the general rights in Section 11 and prevail to the extent of any inconsistency.
12.1 European Union / EEA (GDPR — Regulation (EU) 2016/679)
The lawful basis for each processing activity is described in Section 4. Where processing is based on legitimate interests, individuals may object at any time. Where DriftAI processes special categories of data (if applicable), we rely on explicit consent or another applicable Article 9 basis. EU/EEA data subjects may lodge complaints with their national supervisory authority (e.g., the Irish DPC, the German BfDI, or the French CNIL).
12.2 United Kingdom (UK GDPR — UK Data Protection Act 2018)
UK data subjects are protected under the UK GDPR (retained EU law as modified by the Data Protection Act 2018). The UK Information Commissioner’s Office (ICO) is the competent supervisory authority. UK data is transferred using UK-specific International Data Transfer Agreements (IDTAs) or the UK Addendum to EU SCCs. UK data subjects have the same rights as EU/EEA residents described in Section 11.
12.3 California, USA (CCPA / CPRA)
California residents have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These rights extend to employees and contractors. DriftAI does not sell personal information. California residents may:
Request to know the categories and specific pieces of personal information collected.
Request deletion of personal information (subject to legal exceptions).
Request correction of inaccurate personal information.
Opt out of sharing of personal information for cross-context behavioural advertising.
Limit the use of sensitive personal information to permitted purposes.
Not be discriminated against for exercising CCPA/CPRA rights.
To exercise CCPA/CPRA rights: email information@driftal.tech with subject “CCPA Rights Request.” Response within 45 days.
12.4 Brazil (LGPD — Lei nº 13.709/2018)
Brazilian residents have rights under the Lei Geral de Proteção de Dados (LGPD), including access, correction, anonymisation, portability, deletion, information on sharing, and the right to revoke consent. The competent authority is the Autoridade Nacional de Proteção de Dados (ANPD). DriftAI processes Brazilian personal data on the basis of legitimate interest (website analytics), contract performance (service delivery), and consent (marketing).
12.5 China (PIPL — Personal Information Protection Law 2021)
Where DriftAI processes personal information of Chinese residents, we comply with the Personal Information Protection Law (PIPL). Consent is obtained separately and explicitly where required. Individuals may withdraw consent at any time. Cross-border transfers use mechanisms compliant with PIPL Chapter III. The Cyberspace Administration of China (CAC) is the primary regulatory authority.
12.6 Singapore (PDPA — Personal Data Protection Act 2012, as amended 2020)
Singapore residents have rights to access and correct personal data held by DriftAI. DriftAI will notify the Personal Data Protection Commission (PDPC) and affected individuals of breaches causing significant harm within 3 calendar days of assessment.
12.7 South Africa (POPIA — Protection of Personal Information Act 4 of 2013)
South African data subjects have rights under POPIA including access, correction, and deletion of personal information, and the right to object to processing. DriftAI will notify the POPIA Information Regulator of data breaches as required. To exercise POPIA rights: information@driftal.tech.
12.8 Canada (PIPEDA / Quebec Law 25)
Canadian residents are protected by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, by Law 25 (Law modernising legislative provisions as regards the protection of personal information, 2022). DriftAI conducts privacy impact assessments before sharing personal data outside Quebec where required under Law 25.
12.9 Australia (Privacy Act 1988 + Australian Privacy Principles)
Australian residents are protected by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). DriftAI’s Australian entity, Driftal Pty Ltd, complies with APP obligations. Australian residents may complain to the Office of the Australian Information Commissioner (OAIC) if their privacy concerns are not resolved.
12.10 India (DPDPA 2023)
Indian data principals have rights under the Digital Personal Data Protection Act, 2023 (DPDPA), including access, correction, erasure, and grievance redressal. DriftAI acts as a Data Fiduciary for website/marketing data and as a Data Processor for HR data processed on behalf of enterprise clients. Complaints may be lodged with our Grievance Officer (information@driftal.tech) and ultimately with the Data Protection Board of India once operational.
13. Artificial Intelligence & HR Data Processing
People Compass and the Driffy AI agent suite process HR data using AI and machine learning, including the People Compass Semantic Engine. The following principles govern our AI-related data processing:
EU AI Act Classification: Certain AI-enabled HR and workforce use cases may be subject to evolving AI governance laws and regulations depending on deployment context, jurisdiction, and customer configuration. DriftAI implements commercially reasonable governance, security, and operational practices intended to support evolving enterprise and regulatory expectations.
Explainability-First: Every Career Intelligence output is traceable to the underlying HR data event. DriftAI does not use personality inference, psychological profiling, emotion recognition, or biometric categorisation in any form.
No Solely Automated Employment Decisions: People Compass outputs are decision-support tools. No employment decision (promotion, termination, compensation change, or role assignment) may be made based solely on platform output, in compliance with GDPR Article 22 and EU AI Act Article 14.
Principal Propagation: Data access is scoped to the permissions of the authenticated individual user via OAuth 2.0 SAML Bearer Assertion. DriftAI implements identity-scoped and role-based access controls wherever technically feasible and commercially reasonable.
Data Minimisation: DriftAI processes only the HR data fields required to deliver the specific contracted functionality.
Worker Notification: Clients are responsible for determining and complying with applicable workforce, employment, privacy, transparency, and employee-notification obligations in their operating jurisdictions. DriftAI’s T&C requires this of all enterprise clients.
AI Processing Disclaimer: Artificial intelligence and machine-learning technologies may generate variable, probabilistic, or non-deterministic results. DriftAI does not guarantee that AI-generated insights or recommendations are complete, accurate, or appropriate for any specific workforce, employment, or operational decision.
Nothing in this Privacy Statement constitutes legal, regulatory, employment, tax, or compliance advice. Organizations should consult qualified legal and compliance professionals regarding their obligations.
14. Children’s Privacy
Our website and services are designed exclusively for business professionals and enterprise clients. We do not knowingly collect personal data from individuals under 18 years of age. In employment contexts where applicable law permits employees under 18, the enterprise client (as data controller) is responsible for ensuring compliant data processing for such individuals.
If you believe we have inadvertently collected personal data from a minor, please contact information@driftal.tech immediately and we will delete it.
15. Third-Party Links and Integrations
Our website may contain links to third-party websites and integrations with platforms including SAP, Microsoft, LinkedIn, or partner ecosystems. This Privacy Statement does not apply to those third-party services. DriftAI is not responsible for the privacy practices of third-party platforms. We recommend reviewing their respective privacy policies before providing personal data to them.
16. Changes to This Privacy Statement
We may update this Privacy Statement to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the updated Statement on our website with a revised Effective Date and version number. For significant changes affecting your rights, we will provide additional notice by email (where we hold your address) or via a prominent site banner at least 30 days before the changes take effect.
Continued use of our website or services after the effective date of an updated Statement constitutes your acceptance of the changes. Clients under active Order Forms will not be subject to materially adverse changes until renewal.
17. Contact Us & Grievance Redressal
For any questions, concerns, or requests relating to this Privacy Statement or the processing of your personal data, please contact:
| FIELD | DETAILS |
|---|---|
| Privacy Contact | Driftal People Tech Solutions Private Limited |
| information@driftal.tech | |
| Phone | +91 85229 45050 |
| Postal Address | Prestige Skytech, Financial District, Hyderabad, Telangana 500032, India |
| Website | https://driftal.tech |
If you are an EU/EEA data subject and believe your rights under the GDPR have been violated, you have the right to lodge a complaint with your local supervisory authority. UK data subjects may complain to the ICO (ico.org.uk). If you are an Indian data subject and your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India once operational.