← Flash ai.Legal
Draft — pending legal review. This document is not yet in force.

Flash ai. — Privacy Policy

DRAFT — pending legal review. Not legal advice. Do not publish until reviewed by a qualified Indian lawyer.

Effective date: [EFFECTIVE DATE] Data Fiduciary: Flash Production Intelligence Private Limited ("Flash", "we", "us", "our") Registered office: [REGISTERED OFFICE ADDRESS] CIN: [CIN] Product: Flash ai. — a production-intelligence platform for film and creative production companies, at flashcinema.ai and app.flashcinema.ai.

This Privacy Policy explains how we collect, use, share, retain, and protect personal data, and the rights you have under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable rules under the Information Technology Act, 2000.


1. Who this policy covers

Flash ai. is a business-to-business platform. Production companies ("tenants" or "subscribers") license Flash to run their production operations. Personal data reaches us in two distinct roles:

  • As a Data Fiduciary — for the personal data of the people who directly use or contract with Flash: a tenant's admin users, our own account/billing contacts, and website visitors. We decide the purposes and means for this data.
  • As a Data Processor — for the personal data a tenant uploads about their crew, cast, vendors, and staff (names, contact numbers, bank details for payment, documents). Here the tenant is the Data Fiduciary and we process on their instructions under a Data Processing Agreement. Requests about that data should go to the tenant first; we assist them.

This policy describes both roles and tells you which applies.

2. Personal data we collect

Grounded in what the platform actually stores:

a) Account & identity data (we are Fiduciary) Name, email address, mobile number, role, organisation, hashed authentication credentials, and login/session metadata. Staff sign in via WhatsApp one-time passcode; admins via password.

b) Communications data (we are Fiduciary) WhatsApp phone numbers and message metadata used for notifications and one-time passcodes; email addresses and, where a tenant connects a mailbox, synced email content used to extract production and finance information.

c) Tenant-uploaded personal data (we are Processor for the tenant) On a tenant's instruction, the platform stores personal data about their people, which may include: crew and cast names and contact details, consent records, onboarding details, bank/UPI details used to make payments, salary and payment amounts, uploaded identity or contract documents, hotel/travel assignments, and vehicle logs (including location data from vehicle tracking). This is sensitive data and is protected accordingly.

d) Financial records (role depends on whose finances) Bank account and transaction data, cash entries, invoices, liabilities, payment requests, and bank statements uploaded for reconciliation. For a tenant's own company finances, the tenant is the Fiduciary and we process for them.

e) Technical data (we are Fiduciary) IP address, device/browser type, and application logs used for security, error monitoring, and uptime.

We do not run third-party advertising trackers, and we do not sell personal data.

3. Why we use it, and our lawful basis

PurposeData usedLawful basis (DPDP Act)
Provide and operate the platform for a tenanta, b, c, dPerformance of the tenant's contract; the tenant's consent as Fiduciary for their people's data
Authenticate users (OTP / password)a, bConsent; legitimate use for account security
Send operational notifications (approvals, alerts)a, bContract; consent
Extract data from uploaded documents and emails to reduce manual entryb, c, dContract; tenant instruction
Detect errors, secure the platform, prevent misuseeLegitimate use for security and safety
Comply with law (tax, accounting, court orders)c, dLegal obligation

We use AI models to process documents and answer questions within a tenant's own data (see §6). AI is used to assist users, not to make legally significant automated decisions about individuals without human review — money movement always requires human approval.

4. How we share data

We share personal data only with:

  • The tenant whose account the data belongs to, and the users they authorise.
  • Sub-processors who help run the platform, under contract and confidentiality (see the current list in the DPA — includes our hosting, database, AI, and messaging providers).
  • Authorities, when required by valid legal process, or to protect rights and safety.

We do not sell personal data or share it for third-party marketing.

5. Cross-border processing

Some sub-processors (for hosting, database, and AI) process data on servers outside India. Where this happens we rely on contractual safeguards and process such transfers in accordance with the DPDP Act and any restrictions notified by the Central Government. The current sub-processor locations are listed in the DPA.

6. AI processing

Flash uses AI models (currently from Anthropic) to read uploaded documents, draft summaries, and answer questions scoped to a tenant's own data. Prompts and the necessary data are sent to the AI provider under contract. We do not permit the provider to train foundation models on tenant data. AI outputs that touch money, external communication, or destructive actions are advisory only and require a human to approve.

7. Your rights as a Data Principal

Under the DPDP Act you have the right to:

  • Access a summary of the personal data we hold about you and how it is processed.
  • Correction and completion of inaccurate or incomplete data.
  • Erasure of your personal data where it is no longer needed and no law requires us to keep it (see §9 and the retention & erasure schedule).
  • Grievance redressal — a readily available means to raise a complaint with us (see §11).
  • Nominate another person to exercise your rights in the event of death or incapacity.
  • Withdraw consent at any time, where processing is based on consent (this does not affect processing already carried out).

If your data was uploaded by a tenant (e.g. you are crew on a production), the tenant is the Data Fiduciary. Contact them first; if you cannot reach them, contact us at the address in §11 and we will facilitate the request with the tenant.

To exercise any right, email privacy@flashcinema.ai. We will verify your identity and respond within the timelines required by law.

8. How we protect data

  • Row-Level Security isolates every tenant's data in the database, verified by automated cross-tenant leak tests.
  • Encryption in transit (HTTPS) and at rest via our hosting provider.
  • Access to production data is restricted; finance tables are limited to authorised roles.
  • Secrets are kept out of source code and scanned for on every change; human approval gates all money movement, with an audit log.
  • We maintain error monitoring and alerting to detect issues quickly.

No system is perfectly secure, but we take reasonable security safeguards as required by law.

9. How long we keep data

We keep personal data only as long as needed for the purposes above or as required by law. Statutory retention (for example, the Companies Act 2013 requirement to keep books of account for 8 years, and Income Tax record rules) can override an erasure request for financial records. The full schedule is in data-retention-erasure.md.

10. Children's data

Flash ai. is a workplace tool not directed at children. We do not knowingly collect data of persons under 18. Where a production involves a minor (e.g. a child artist), the tenant must obtain verifiable parental consent before entering that person's data, as required by the DPDP Act.

11. Grievance Officer and contact

In accordance with the DPDP Act and the Information Technology (Reasonable Security Practices) Rules, our Grievance Officer is:

[GRIEVANCE OFFICER NAME], Grievance Officer Flash Production Intelligence Private Limited [REGISTERED OFFICE ADDRESS] Email: privacy@flashcinema.ai

We will acknowledge complaints promptly and resolve them within the period required by law. If you are not satisfied, you may escalate to the Data Protection Board of India once it is operational.

12. Changes to this policy

We may update this policy. Material changes will be notified to tenants and posted at flashcinema.ai with a revised effective date.


Flash ai. is a product of Flash Production Intelligence Private Limited. OPM Cinemas is a tenant of the platform, not the operator.

Privacy Policy — Flash ai.