Privacy Policy
Last updated on: January 2026
Ashta Limited Company ("Ashta," "we," "our," or "us") operates the website located at https://ashta.ai and provides an enterprise software-as-a-service platform, including client-dedicated application environments accessible via subdomains (for example, client.ashta.ai) or customer-owned domains (collectively, the "Platform"). This Privacy Policy describes how Ashta collects, uses, discloses, and safeguards information when you visit our websites, interact with us in a business capacity, or access or use the Platform.
This Privacy Policy applies primarily to individuals located in the United States and Canada. It does not replace, and is not intended to override, the privacy notices or policies that our customers provide to their own users.
1. Scope of This Privacy Policy
This Privacy Policy applies to information collected by Ashta in connection with our marketing websites, sales and business development activities, customer onboarding, account administration, technical support, security operations, and the operation of the Platform. It does not apply to websites, products, or services that are not owned or controlled by Ashta, even if they are accessible through the Platform or integrated with it.
Where the Platform is deployed in a client-dedicated or white-labeled environment, individuals accessing that environment do so as users of the applicable customer, not as direct users of Ashta. Ashta's processing of such information is governed by its contractual commitments to that customer.
2. Data Roles and Responsibilities
Ashta operates under a hybrid data responsibility model.
Ashta acts as a data controller with respect to information that we collect and process for our own business purposes, including operating our websites, managing relationships with customers and prospects, administering accounts, providing support, processing payments, conducting marketing and communications activities, maintaining the security and integrity of our systems, and complying with legal obligations. In these contexts, Ashta determines the purposes and means of processing.
Ashta acts as a data processor with respect to all data that customers or their authorized users upload to, generate within, or otherwise process through the Platform ("Client Data"). In this context, our customers act as data controllers and determine the purposes and means of processing Client Data. Ashta processes Client Data solely on documented customer instructions, for the purpose of providing, securing, and maintaining the Platform, performing customer-configured workflows, supporting integrations, providing support and incident response, and complying with applicable law.
Individuals who access customer-branded or client-dedicated environments are users of our customers. Requests to exercise rights relating to Client Data must be directed to the applicable customer. Ashta responds to such requests only as instructed by the customer or as required by law.
3. Platform Architecture and Data Isolation
Each customer environment is provisioned using independent infrastructure resources. Client Data is not stored in shared production databases or shared application environments across customers. This architecture is designed to support strong logical and operational isolation between customer environments, including client-specific databases, segregated storage systems, scoped access controls, and environment-level audit logging. These measures are intended to reduce cross-tenant exposure and limit access to Client Data to authorized systems and personnel.
4. Sources of Information
Ashta collects information from several sources, depending on how individuals interact with us.
Information may be provided directly by individuals when they visit our websites, complete forms, subscribe to communications, request demonstrations, enter into business relationships with us, or communicate with our sales, support, or operations teams.
Information may be provided by customers or their authorized users when they configure the Platform, upload data, create user accounts, manage investor or stakeholder records, submit documents, or otherwise use Platform functionality.
Information may be generated automatically through the operation of the Platform and our websites, including through logs, audit trails, session data, device and browser data, and performance or usage analytics.
Information may also be received from third parties, including service providers that support identity verification, communications, analytics, document processing, infrastructure hosting, security, and automation, or from partners and integrations enabled by customers.
5. Categories of Information We Process
Ashta processes business and marketing information, including names, business contact details, professional and organizational information, correspondence, preferences, and information submitted through events, webinars, or inquiries.
Ashta processes website and technical information, including IP addresses, browser type, operating system, pages visited, referring URLs, timestamps, cookies, and similar tracking data.
When individuals access the Platform, Ashta processes platform identity and access information, including usernames, authentication credentials, role and permission assignments, access logs, session data, and security-related events.
Ashta processes Client Data solely on behalf of customers. Depending on how customers configure and use the Platform, Client Data may include personal and organizational information relating to investors, stakeholders, employees, or counterparties; financial and transactional information; investor accreditation and suitability data; know-your-customer and identity verification information; government-issued identification documents; contracts, reports, and operational records; communications and uploaded content; compliance records and audit logs; and prompts, outputs, and associated metadata generated through AI-assisted workflows.
Ashta does not intentionally collect or store biometric identifiers or raw bank account numbers as part of its standard Platform functionality.
6. Purposes of Processing
Ashta uses information that it controls for purposes that include operating and improving our websites and services, communicating with customers and prospects, administering accounts, providing technical and customer support, managing billing and contractual relationships, monitoring system performance, preventing fraud and abuse, conducting analytics and research to improve services, and complying with legal and regulatory obligations.
Ashta processes Client Data solely to provide and operate the Platform in accordance with customer instructions. This includes hosting and maintaining customer environments, enabling configured workflows, processing verification and document management operations, supporting authorized integrations, performing security monitoring and incident response, maintaining audit logs, and meeting applicable legal requirements.
7. Artificial Intelligence Features and Data Use
The Platform may include features that use artificial intelligence or machine learning techniques to support operational, analytical, or workflow-related functionality.
Client Data and Client Prompts are processed solely to deliver customer-requested functionality within the Platform. Client Data is not used to train generalized, shared, or cross-customer artificial intelligence models.
Ashta may use aggregated or de-identified operational metrics that do not contain Client Data to maintain, improve, and secure the Platform.
AI-assisted systems generate probabilistic outputs and may produce inaccurate, incomplete, or misleading results. Responsibility for reviewing, validating, and approving any outputs generated through the Platform rests solely with the customer.
8. Disclosure of Information
Ashta may disclose information to service providers and subprocessors engaged to support our business operations and delivery of the Platform, including providers of cloud infrastructure, hosting, communications, identity verification, document processing, analytics, security, automation, and customer support services. Such providers are authorized to process information only as necessary to perform services on our behalf and in accordance with contractual obligations.
Ashta may disclose information at the direction of customers, including where customers enable integrations or instruct Ashta to transmit Client Data to third-party services.
Ashta may disclose information where required to do so by law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of Ashta, our customers, users, or others, including to investigate potential violations of law or misuse of the Platform.
Ashta may disclose information in connection with a corporate transaction, such as a merger, acquisition, financing, reorganization, or sale of assets.
Ashta does not sell personal information.
9. Data Security and Safeguards
Ashta maintains administrative, technical, and organizational measures designed to protect information against unauthorized or unlawful access, loss, alteration, and misuse. These measures include encryption of data in transit and at rest, access controls designed to enforce least-privilege principles, client-specific databases and storage systems, monitoring and alerting systems, audit logging, and restricted access to production environments.
Government identification documents and other sensitive records may be stored in client-specific, private, versioned, and access-restricted storage systems.
No method of transmission or storage is completely secure. Accordingly, Ashta cannot guarantee absolute security, but continuously evaluates and updates its safeguards.
10. Data Retention and Deletion
Ashta retains information only for as long as reasonably necessary to provide services, fulfill contractual commitments, resolve disputes, enforce agreements, and comply with legal obligations.
Client Data retention and deletion are governed by customer agreements and the customer's configuration of the Platform. Upon termination of services, Client Data may be returned or deleted in accordance with contractual requirements and applicable law.
11. International Data Processing
Information may be processed and stored in the United States, Canada, and other jurisdictions where Ashta or its service providers operate. Ashta takes steps designed to ensure that appropriate safeguards are in place when information is transferred across borders.
12. Individual Rights
Depending on jurisdiction, individuals may have rights to request access to personal information, to request correction or deletion, or to object to or restrict certain processing activities.
Requests relating to Client Data must be submitted to the relevant customer, who is responsible for responding. Requests relating to information for which Ashta acts as data controller may be directed to [email protected]. Ashta may need to verify identity before fulfilling requests.
13. California Residents
If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), provides you with specific rights regarding your personal information. This section describes your CCPA rights and explains how to exercise those rights.
Categories of Personal Information Collected. In the preceding 12 months, Ashta may have collected the following categories of personal information: identifiers (such as name, email address, IP address); commercial information (such as records of services purchased); internet or other electronic network activity information (such as browsing history and interactions with our websites); professional or employment-related information; and inferences drawn from the above categories.
Sources and Purposes. The sources of personal information and the business and commercial purposes for which it is collected are described in Sections 4 and 6 of this Privacy Policy.
Disclosure of Personal Information. Ashta may disclose personal information to service providers and third parties as described in Section 8 of this Privacy Policy. Ashta does not sell personal information as defined under the CCPA. Ashta does not share personal information for cross-context behavioral advertising purposes.
Your Rights Under the CCPA. Subject to certain exceptions, California residents have the right to: (i) request access to the categories and specific pieces of personal information Ashta has collected; (ii) request deletion of personal information; (iii) request correction of inaccurate personal information; (iv) opt out of the sale or sharing of personal information (though Ashta does not engage in such activities); and (v) not be discriminated against for exercising CCPA rights.
Exercising Your Rights. To submit a request, please contact us at [email protected]. You may also designate an authorized agent to make a request on your behalf. Ashta will verify your identity before fulfilling your request and may require additional information to do so.
14. Canadian Privacy Rights
If you are located in Canada, the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation govern Ashta's collection, use, and disclosure of your personal information.
Under PIPEDA, you have the right to: (i) access your personal information held by Ashta; (ii) challenge the accuracy and completeness of your personal information and have it amended as appropriate; (iii) withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions; and (iv) complain to the Office of the Privacy Commissioner of Canada if you believe Ashta has not complied with PIPEDA.
Ashta collects, uses, and discloses personal information only for purposes that a reasonable person would consider appropriate in the circumstances. We obtain meaningful consent for the collection, use, and disclosure of personal information, except where permitted or required by law to act without consent. Personal information is retained only as long as necessary to fulfill the purposes for which it was collected or as required by law.
To exercise your rights under PIPEDA or to make a privacy-related inquiry, please contact us at [email protected].
15. Marketing Communications
Individuals may opt out of receiving promotional communications from Ashta by following unsubscribe instructions in those communications or by contacting us directly. Transactional and service-related communications may still be sent.
16. Children's Information
The websites and Platform are not directed to children, and Ashta does not knowingly collect personal information from children.
17. Changes to This Privacy Policy
Ashta may update this Privacy Policy from time to time. Updates will be posted with a revised effective date. Continued use of the websites or Platform after changes become effective constitutes acceptance of the revised policy.
18. Contact Information
Privacy-related inquiries may be directed to:
For legal inquiries: [email protected]
