Privacy and Data Security Policy

Envito Events Private Limited

Last updated: 13 April 2026

Envito Events Private Limited (“Envito”, “we”, “our”, or “us”) respects your privacy and is committed to handling personal data responsibly. This Privacy and Data Security Policy (the “Policy”) describes how we collect, use, share, and protect personal data when you access or use our website https://www.envito.ai/ and our AI-powered guest relations and event-management services, including our WhatsApp-based AI concierge (collectively, the “Services”).

This Policy is drafted in accordance with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (and the rules made thereunder, as and when notified), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.


1. Definitions

Capitalised terms used in this Policy carry the meanings ascribed to them under the Digital Personal Data Protection Act, 2023, including (without limitation):

  • Personal Data means any data about an individual who is identifiable by or in relation to such data.
  • Data Principal means the individual to whom the personal data relates (and, in the case of a child, the parent or lawful guardian).
  • Data Fiduciary means any person who, alone or with others, determines the purpose and means of processing of personal data.
  • Data Processor means any person who processes personal data on behalf of a Data Fiduciary.
  • Host means an event organiser, host, or corporate client that creates an Envito account and uses the Services.
  • Guest means an attendee, invitee, or other person who interacts with the Services.
  • Point of Contact (POC) means an individual designated by a Host to coordinate aspects of an event.
  • Board means the Data Protection Board of India constituted under the DPDP Act.

2. Who We Are

Envito provides AI-enabled guest experience and event coordination solutions for social events (including weddings and private celebrations) and corporate events. Our Services allow Hosts to engage with Guests through automated and assisted AI interactions, primarily via WhatsApp.

3. Our Privacy Commitments

Envito makes the following commitments to its Hosts, Guests, and POCs:

  • No advertising business model. Envito is a subscription-based business. We do not, and will not, fund the Services through advertising revenue, and we do not monetise personal data through advertising of any kind.
  • No sale of personal data. We do not sell, rent, or trade personal data to any third party.
  • No third-party advertising trackers. We do not embed third-party advertising networks or behavioural surveillance trackers in the Services.
  • No use of customer data to train public AI models. Personal data of Hosts, Guests, and POCs is not used to train public or generalised AI foundation models (see Section 6).
  • No unsolicited marketing. We do not use personal data of Hosts, Guests, or POCs for unsolicited marketing or promotional communications.

4. Scope of This Policy

This Policy applies to:

  • Visitors to our website;
  • Hosts and corporate clients using our Services;
  • Guests, attendees, and POCs who interact with our AI concierge or are referenced in event data uploaded to the Services.

5. Personal Information We Collect

We collect personal data directly from Hosts, Guests, and POCs, and indirectly where Hosts upload or share data relating to third parties for the purposes of event coordination. With respect to personal data uploaded by a Host about Guests, attendees, or other third parties, Envito acts as a Data Processor and processes such data solely on the documented instructions of the Host (who is the Data Fiduciary in respect of that data).

5.1 Data Collected from Hosts

Hosts may create accounts and upload or manage data necessary for organising and managing events. Such data typically includes:

  • Name, phone number, email address;
  • Login authentication details (Envito uses mobile OTP-based authentication; see Section 13);
  • Event details including event name, dates, venues, schedules, and accommodation information;
  • Guest lists, guest categorisation, and RSVP-related information;
  • Details of organizing team/host POCs and assigned roles;
  • Family and relationship details (where relevant to the event);
  • Free-text notes, comments, and operational instructions.

Hosts represent and warrant that they have obtained all consents and authorisations required under applicable law from individuals whose personal data they upload, and that such individuals have been informed that their personal data may be processed, stored, and analysed by Envito (including through AI-enabled systems) in accordance with this Policy.

5.2 Data Collected from Guests and Host POCs

When Guests or Host POCs interact with our AI concierge through WhatsApp or other supported channels, Envito may collect:

  • Chat messages and interactions with the AI concierge;
  • Travel details, booking confirmations, and itineraries (if voluntarily shared);
  • Photos, documents, and other media voluntarily shared through chat;
  • Preferences and other information voluntarily shared during conversations.

5.3 AI-Derived and Inferred Data

Envito’s AI systems may generate and store inferred data based on interactions, including language preferences, communication style, and stated or inferred preferences. Such inferred data is used solely for service delivery, personalisation, and improvement of the Services.

5.4 Automatically Collected and System Data

  • Usage logs, timestamps, and interaction metadata;
  • Device, browser, and IP-related information;
  • Aggregate analytics collected through tools such as Google Analytics.

6. Use of Artificial Intelligence

Our Services are powered by AI systems that automate Guest communication and personalise event-related interactions. Chat histories are processed and stored to enable the AI to understand context and generate appropriate responses. AI-generated outputs (such as automated replies, summaries, and inferred preferences) are stored as part of the Service records.

Envito does not use personal data of Hosts, Guests, or POCs to train public or generalised AI foundation models. Where third-party large language model service providers are engaged to power the AI concierge, they are contractually restricted from retaining or using such data to train their models. Envito does not deploy AI to make legally significant decisions about individuals on a solely automated basis.

A limited number of authorised Envito personnel, under confidentiality obligations and on a need-to-know basis, may review AI outputs for the purposes of quality assurance, error correction, and product improvement. Such reviews are subject to role-based access controls.

7. Purpose and Legal Basis for Processing

We process personal data for the following purposes:

  • To provide and operate the Services;
  • To facilitate communication between Hosts and Guests;
  • To automate and improve Guest interactions using AI;
  • To manage accounts, billing, and customer support;
  • To improve our website, Services, and AI features;
  • To comply with applicable law and respond to lawful requests from public authorities.

Processing is carried out on the basis of one or more of the following grounds: performance of a contract; free, specific, informed, unconditional, and unambiguous consent of the Data Principal (including WhatsApp opt-ins consistent with Meta platform policies); or other legitimate uses recognised under the DPDP Act, 2023.

8. Consent and Communications

Envito initiates communications with Data Principals only after obtaining the consents required under applicable law and the WhatsApp Business Platform policies.

A Data Principal may withdraw consent at any time by replying with a stop-word/phrase on the WhatsApp conversation (such as “STOP”), or by using opt-out controls available in the Host dashboard (where applicable). Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal.

As stated in Section 3, Envito does not use personal data of Hosts, Guests, or POCs for unsolicited marketing or promotional communications.

9. Data Retention

Long-term retention of event and chat data is integral to the value of Envito’s Services (for example, to enable historical insights and continuity across events). We retain personal data only for as long as reasonably necessary for the purposes set out in this Policy and in accordance with the following general timelines:

  • While a Host account is active: data relating to the account, events, Guests, and AI-derived insights is retained;
  • After account closure: data is generally deleted from active databases within ninety (90) days of closure;
  • Backups: data deleted from active databases is purged from backups within approximately one hundred and eighty (180) further days;
  • Anonymised or aggregated data (which cannot identify any individual) may be retained beyond these periods for analytics, research, and service improvement.

Retention timelines may be extended where required to comply with applicable law, to defend legal claims, or for other lawful purposes.

10. Sharing of Personal Data

We share personal data only where reasonably necessary and with parties that we believe maintain appropriate confidentiality and security measures. Categories of recipients include:

  • Service providers and vendors supporting our infrastructure, communications, payments, and analytics;
  • Professional advisers, auditors, or consultants under confidentiality obligations;
  • Government authorities or regulators where required by law (see Section 15).

As of the last-updated date of this Policy, the categories of sub-processors engaged by Envito include cloud hosting providers (primarily Amazon Web Services in India), messaging platform providers (Meta Platforms, Inc., for the WhatsApp Business Cloud API), third-party large language model service providers, and analytics providers. This list may evolve from time to time as our vendor footprint changes.

11. International and Cross-Border Data Transfers

Envito’s primary data storage is located in India. Certain limited processing (such as AI inference by third-party service providers) may occur in jurisdictions outside India. Envito will honour any restrictions notified by the Central Government under Section 16 of the DPDP Act, including any list of countries to which personal data may not be transferred.

12. Cookies and Tracking

Envito uses cookies and similar technologies on its website for purposes including session management, security, language preferences, and aggregate analytics (such as Google Analytics). Envito does not set third-party advertising cookies on its website. You may disable cookies through your browser settings; certain features of the website may not function correctly if you do so.

13. Data Security

Envito implements reasonable technical and organisational security safeguards designed to protect personal data against unauthorised or unlawful access, use, modification, disclosure, loss, or destruction, consistent with the requirements of Section 8(5) of the DPDP Act. Such safeguards currently include, among others:

  • Hosting on Amazon Web Services (AWS) infrastructure, primarily within AWS’s Asia Pacific (Navi Mumbai) region in India;
  • Logical network segmentation through Virtual Private Cloud (VPC) configurations, security groups, and firewall rules on AWS;
  • Industry-standard encryption protocols for personal data in transit, and encryption of personal data at rest;
  • Encryption keys managed through AWS Key Management Service (AWS KMS);
  • Mobile OTP-based authentication for Host account access;
  • Session management controls, including session timeouts, secure session tokens, and invalidation of sessions upon logout or credential changes;
  • Role-based access controls and need-to-know access for Envito personnel, with periodic review;
  • Confidentiality undertakings and background verification for Envito employees and contractors prior to being granted access to production systems;
  • Cloudflare-based protection, including a Web Application Firewall (WAF) and distributed denial-of-service (DDoS) mitigation;
  • A vulnerability management process under which identified security issues are tracked, prioritised, and remediated within timelines appropriate to the risk;
  • Periodic security audits of our infrastructure through AWS Security Hub;
  • Periodic encrypted backups of production data;
  • Defences against common application-layer attacks such as script injection.

Envito continues to evolve and strengthen its security posture as the Services grow.

If you believe you have identified a security issue in our Services, please write to us at contact@envito.ai. We will review the report in good faith and respond within a reasonable period.

14. Children’s Data

Envito’s Services are designed for use by adults (eighteen years of age and older). Account creation and direct use of the Services are restricted accordingly.

Envito recognises that, in the ordinary course of event coordination, Hosts may upload personal data relating to minors (for example, names of children of Guests attending a wedding or family event). Where this occurs, Envito processes such data solely as a Data Processor, on the instructions of the Host and in accordance with this Policy. Hosts represent and warrant that they have obtained the consent of the parent or lawful guardian of any minor whose personal data is uploaded to the Services, to the extent required by applicable law (including Section 9 of the DPDP Act, 2023).

Envito does not knowingly engage in behavioural monitoring of, or targeted advertising directed at, children. If you believe that personal data of a minor has been provided to Envito without appropriate parental or guardian consent, please write to the Grievance Officer set out in Section 21, and Envito will take reasonable steps to delete such data.

15. Disclosures to Government and Law Enforcement

Envito may disclose personal data where required to comply with a binding legal obligation, judicial order, or lawful request from a public authority. Where lawfully permitted, Envito will review the request for validity and may notify the affected Data Principal or Host before making any disclosure.

16. Business Transfer

If Envito undergoes a merger, acquisition, financing, reorganisation, sale of assets, or other corporate transaction, personal data held by Envito may be transferred to the successor or acquiring entity. In such an event, Envito will require the successor entity to honour the commitments made in this Policy with respect to personal data so transferred.

17. Anonymised and Aggregated Data

Envito may anonymise or aggregate personal data such that it can no longer be associated with any identifiable individual, and may use such data for analytics, benchmarking, research, service improvement, and reporting. Anonymised or aggregated data is not treated as personal data under this Policy.

18. Your Rights as a Data Principal

Subject to and in accordance with the DPDP Act, 2023, a Data Principal whose personal data is processed by Envito has the following rights:

  • Right to access information (Section 11 of the DPDP Act) — to obtain a summary of personal data processed and processing activities, and the identities of recipients with whom personal data has been shared;
  • Right to correction and erasure (Section 12 of the DPDP Act) — to seek correction of inaccurate or misleading data, completion of incomplete data, updating, and erasure of personal data that is no longer necessary, subject to lawful exceptions;
  • Right to grievance redressal (Section 13 of the DPDP Act) — to register a grievance with Envito’s Grievance Officer; if the grievance is not satisfactorily resolved, to approach the Data Protection Board of India;
  • Right to nominate (Section 14 of the DPDP Act) — to nominate another individual to exercise rights under the DPDP Act in the event of death or incapacity;
  • Right to withdraw consent — where consent is the basis for processing, at any time, as set out in Section 8.

Requests to exercise any of these rights may be sent to the Grievance Officer at the contact details in Section 21. Envito will endeavour to respond substantively within thirty (30) days of receipt, subject to verification of identity and any reasonable extension required to address the request.

19. Your Responsibilities (Shared Responsibility)

Security and privacy are a shared responsibility. While Envito takes responsibility for the security of the Services it operates, Hosts and other users also play an important role in protecting the personal data within their accounts. We ask Hosts in particular to:

  • Safeguard mobile OTPs and login credentials, and not share account access with unauthorised individuals;
  • Keep registered mobile numbers, email addresses, and POC details accurate and up to date;
  • Obtain and document the consents required under applicable law from Guests and other individuals whose personal data is uploaded to the Services;
  • Use the access controls and role-based permissions made available in the Host dashboard to grant access only to authorised team members;
  • Promptly notify Envito at contact@envito.ai of any suspected unauthorised access to their account, lost devices, or other security concerns;
  • Use the Services in accordance with applicable law and the Terms of Service.

Envito is not responsible for security failures attributable to a Host’s or user’s failure to follow these responsibilities.

20. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, our Services, or applicable law. Any changes will be posted on our website with an updated “Last updated” date.

21. Grievance Redressal and Contact Information

In accordance with the DPDP Act, 2023 and the Information Technology Act, 2000, Envito has appointed a Grievance Officer to address concerns and complaints relating to the processing of personal data.

Grievance Officer: Mr. Piyush Aggarwal

Email: contact@envito.ai

Address: House No. 70, Block A, Pocket 1, Sector 6, Near Ahideya Chowk, Naharpur, Delhi – 110085, India

The Grievance Officer will endeavour to acknowledge complaints promptly and resolve them within thirty (30) days of receipt, in accordance with the timelines that may be prescribed under the DPDP Rules. If your grievance is not satisfactorily resolved, you have the right to register a complaint with the Data Protection Board of India.

22. Frequently Asked Questions

The following short answers are provided as a convenience to Hosts and other users. They are summaries only and do not replace the detailed terms set out elsewhere in this Policy; in case of any inconsistency, the relevant section prevails.

Q. Where is our data stored?

Primarily in India, on Amazon Web Services infrastructure. Limited processing (such as AI inference) may occur in jurisdictions outside India through our third-party LLM service providers. See Sections 11 and 13.

Q. Do you use our chat data to train AI models?

No. Personal data of Hosts, Guests, and POCs is not used to train public or generalised AI foundation models. Where third-party LLM service providers are engaged, they are contractually restricted from retaining the data or using it to train their models. See Sections 3 and 6.

Q. Who within Envito can see Guest chat messages?

Access to Guest chat messages and other personal data is restricted to authorised Envito personnel on a need-to-know basis, under confidentiality obligations and role-based access controls, primarily for service delivery, customer support, and quality assurance of AI outputs. See Sections 6 and 13.

Q. Are WhatsApp messages encrypted?

WhatsApp messages exchanged between Guests and the Envito AI concierge are protected by the transport-layer security provided by WhatsApp. Once received via the WhatsApp Business Cloud API, messages are stored by Envito and encrypted at rest using AES-256.

Q. Do you sell or share our data with advertisers?

No. Envito does not sell personal data and does not allow third-party advertising networks or surveillance trackers to operate within the Services. See Section 3.

Q. How long do you keep our data after we close our account?

Generally, personal data is deleted from active databases within ninety (90) days of account closure, and purged from backups within approximately one hundred and eighty (180) further days. Anonymised or aggregated data may be retained beyond these periods. See Section 9.

Q. How can a Guest stop receiving messages from the AI concierge?

A Guest may reply with a stop-word on the WhatsApp conversation (such as “STOP”) or write to the Grievance Officer to withdraw consent. See Section 8.

Q. Our guest list includes minors. Is that allowed?

Yes, in the ordinary course of event coordination, Hosts may upload personal data relating to minors (for example, the names of children of Guests). Envito processes such data only as a Data Processor on the Host’s instructions. The Host is responsible for obtaining parental or guardian consent to the extent required by law. See Section 14.

Q. What happens if there is a data breach or security incident?

Envito will follow the requirements of the DPDP Act, 2023 (and the rules made thereunder) in relation to notification of the Data Protection Board and affected Data Principals. Hosts will also be informed where the incident affects their account or the personal data they have uploaded.

Q. Who do I contact for a privacy concern or data deletion request?

Please write to the Grievance Officer, Mr. Piyush Aggarwal, at contact@envito.ai. See Section 21.