Privacy Policy
How we collect, use, and protect your personal information
This Privacy Policy ("Policy") describes how Combily Private Limited ("Company", "we", "us", or "our") collects, uses, shares, and protects your personal information when you use our websites, applications, and services (collectively, the "Services"). This Policy applies to information we collect when you visit our website at www.combily.com, create an account, subscribe to a plan, or otherwise interact with us.
By accessing or using our Services, you acknowledge that you have read and understood this Policy. If you do not agree to this Policy, please do not use our Services.
1. Who We Are
Combily Private Limited is a company incorporated under the laws of Sri Lanka. We operate Combily, a value-added SaaS platform that provides AI-powered text, image, voice, video, and code generation services through its applications, extensions, and web-based tools, using third-party AI infrastructure and models.
For the purposes of GDPR and UK GDPR, we are the data controller for the personal data you provide to us.
Data Controller Contact:
Combily Private Limited
Email: info@combily.com
Website: www.combily.com
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, and password when you register
- Payment Information: Billing details processed through our Payment Processors. We do not directly store your credit card number, bank account details, or other sensitive financial information — this is handled entirely by our Payment Processors.
- User Content: Prompts, queries, messages, uploaded files, and other inputs you provide to the Services ("Input"), and any resulting AI-generated content ("Output")
- Communications: Information you provide when you contact us for support, submit feedback, or participate in surveys
2.2 Information Collected Automatically
- Device Information: Browser type, operating system, device identifiers, screen resolution
- Usage Data: Pages visited, features used, interactions with the Services, timestamps, session duration
- Log Data: IP addresses, referral URLs, access times, error logs
- Cookie Data: See Section 8 for details on our use of cookies and similar technologies
2.3 Information from Third Parties
- Payment Processors: Transaction confirmations, subscription status, and billing metadata from our Payment Processors
- Authentication Providers: If you sign in through a third-party service (e.g., Google), we receive your name and email address from that provider
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Description |
|---|---|
| Service Delivery | To provide, operate, and maintain the Services, including processing your AI requests and generating Output |
| Account Management | To create and manage your account, authenticate your identity, and process subscription changes |
| Payment Processing | To facilitate billing and payment through our Payment Processors |
| Communication | To send transactional emails, service updates, security alerts, support responses, and (with your consent) marketing communications |
| Safety & Security | To detect, investigate, and prevent fraud, abuse, and security incidents; to enforce our Terms of Use and Usage Policy |
| Improvement | To analyse usage patterns, diagnose technical issues, and improve the quality, reliability, and features of our Services |
| Legal Compliance | To comply with applicable laws, regulations, legal processes, or enforceable government requests |
4. Legal Basis for Processing (EEA/UK)
If you are located in the European Economic Area (EEA) or the United Kingdom (UK), our legal bases for processing your personal data under GDPR and UK GDPR are:
| Legal Basis | Processing Activity |
|---|---|
| Performance of Contract (Art. 6(1)(b)) |
Providing the Services, managing your account, processing payments, delivering AI-generated Output |
| Legitimate Interests (Art. 6(1)(f)) |
Improving our Services, ensuring platform security, preventing fraud and abuse, analytics and usage reporting |
| Consent (Art. 6(1)(a)) |
Sending marketing communications, setting non-essential cookies |
| Legal Obligation (Art. 6(1)(c)) |
Tax compliance, responding to lawful government requests, data breach notification obligations |
Where we rely on Legitimate Interests, we conduct a balancing test to ensure your rights and interests do not override our interests. You can request details of this assessment by contacting us.
5. Sharing & Disclosure
We do not sell your personal data for monetary consideration. In limited circumstances, our use of certain analytics or marketing technologies (if enabled) may be considered "sharing" under some privacy laws (including the California CPRA). Where applicable, you can opt out using our Do Not Sell / Do Not Share mechanism.
5.1 Payment Processors
We share necessary billing information with our Payment Processors to process payments and manage subscriptions.
5.2 AI Service Providers
To provide AI features, your Input is transmitted to third-party AI providers through API intermediaries. See Section 6 for details.
5.3 Infrastructure & Hosting Providers
We use third-party hosting, cloud, and infrastructure providers to operate the Services. These providers process data on our behalf under data processing agreements.
5.4 Legal & Safety Disclosures
We may disclose information if required by law, subpoena, court order, or government request, or if disclosure is necessary to: (a) protect the safety of any person; (b) protect the Company's rights and property; (c) investigate fraud or respond to enforcement requests; or (d) enforce our Terms of Use.
5.5 Business Transfers
If the Company is involved in a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal data.
5.6 With Your Consent
We may share your information for any other purpose with your explicit consent.
6. Third-Party AI Providers
Important: Combily does not own, train, or host any AI models. We provide a value-added interface that routes your requests to third-party AI providers.
When you use the Services, your Input is transmitted to selected third-party AI providers via secure API connections in order to generate Output. We work with multiple providers across different modalities — including text, image, voice, video, and code generation. The specific providers we use may change over time as we evaluate quality, reliability, and safety.
No training on your content: Where third-party AI providers offer configurable controls to disable training or limit data retention (e.g., "zero data retention" or "no training" modes), we configure our integrations to opt out of such training on your behalf. We do not authorise any third-party AI provider to use your Input or Output for model training purposes. However, as we do not own, host, or control the infrastructure of third-party AI providers, we cannot guarantee how providers process data on their own systems. Each provider is governed by its own terms, data policies, and regulatory obligations. We encourage you to review the applicable provider's policies where relevant.
What we share with AI providers:
- Your Input (prompts, messages, uploaded content) necessary to generate Output
- Technical parameters (model selection, generation settings)
Safety screening: To protect users and prevent abuse, we may run automated safety checks on certain prompts (for example, AI generation requests). These checks may include platform rules (e.g., blacklist matching) and third-party moderation classifiers. For moderation checks, we may transmit the prompt text (or a portion of it) to a moderation service to assess whether it violates our policies. We also log limited moderation metadata (such as a prompt snippet, category, action taken, and IP address) for security, audit, and enforcement purposes.
What we do not share with AI providers:
- Your name, email address, or account information
- Your payment or billing information
- Your IP address or device information
AI providers may process Input to generate Output and to perform security, abuse prevention, and reliability operations. We encourage you to review the relevant provider policies for additional details. We are not responsible for the practices of third-party AI providers, but we contractually require appropriate safeguards where applicable.
7. International Data Transfers
Your personal information may be transferred to and processed in countries other than your country of residence, including the United States and other jurisdictions where our service providers operate. These countries may have data protection laws that differ from those of your country.
7.1 EEA/UK Transfers
When transferring personal data outside the EEA or UK, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs where applicable
- Adequacy decisions, where the European Commission or UK Secretary of State has determined that a country provides an adequate level of data protection
You may request a copy of the relevant transfer safeguards by contacting us at info@combily.com.
7.2 Canadian PIPEDA Transfers
For users in Canada, we ensure that any international transfer of personal information provides a comparable level of protection as required under PIPEDA. Transfers to third parties are governed by contractual obligations requiring adequate safeguards.
8. Cookies & Tracking Technologies
We use cookies and similar technologies to operate the Services, remember your preferences, and understand how you interact with the platform.
8.1 Categories of Cookies
| Category | Purpose | Required? |
|---|---|---|
| Strictly Necessary | Authentication, session management, security, CSRF protection | Yes |
| Functional | Remembering your preferences (e.g., theme, language) | No |
| Analytics | Understanding usage patterns to improve our Services | No |
| Marketing | Measuring marketing effectiveness and supporting conversion tracking (where enabled) | No (not currently enabled) |
8.2 Managing Cookies
You can control non-essential cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or alert you when a cookie is being set. Note that disabling cookies may affect the functionality of the Services.
Where required by law, we provide a cookie consent banner that lets you choose between accepting optional analytics or using essential cookies only. Your cookie preference may be stored on your device (for example, using local storage) so we can remember your choice.
We may introduce additional categories of optional cookies (such as marketing/conversion tracking) in the future. If we do, we will update this Policy and, where required by law, request your consent before setting those non-essential cookies.
9. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law.
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of your account plus 30 days after deletion request |
| Conversation History (Input/Output) | We maintain up to 20 active chats per account for performance and usability. If you create additional chats beyond this limit, older chats may be automatically archived. You can delete chats at any time. Deleted chats are soft-deleted first and are scheduled to be permanently purged (including messages) after 30 days, unless we must retain certain data for legal, security, or billing reasons. |
| AI Usage Logs (prompts/outputs, token/cost and performance metrics) | Stored in our database for operational needs and billing verification, then archived and removed from the database on a rolling basis (typically after 60 days). Archived logs are access-restricted and retained only as long as necessary for security, compliance, audits, and dispute resolution. |
| Safety & Moderation Logs | Retained as needed to detect abuse, enforce our policies, and maintain platform security (for example, storing a prompt snippet, category, and enforcement action). We may delete or anonymise these logs when they are no longer needed, including as part of account deletion workflows, subject to legal obligations. |
| Payment & Billing Records | 7 years after the transaction (legal/tax compliance) |
| Server Logs & IP Addresses | Retained for a limited period necessary for security monitoring, troubleshooting, and abuse prevention (periods may vary by log type) |
| Support Communications | Retained for as long as necessary to provide support, handle disputes, and comply with legal obligations (for example, during and after a ticket is resolved) |
| Analytics Data | Aggregated and anonymised; retained indefinitely |
When personal data is no longer needed, we will securely delete or anonymise it. If deletion is not immediately possible (e.g., due to backup systems), the data will be isolated and protected from further processing until deletion is completed.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS/SSL
- Hashed and salted passwords (bcrypt)
- Access controls and role-based permissions for internal systems
- Regular security assessments and monitoring
- Secure hosting infrastructure with industry-standard protections
No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security.
Data Protection Officer
Given the nature and scale of our current processing activities, Combily has not appointed a formally named Data Protection Officer (DPO) at this time. Personnel responsible for data protection matters may change from time to time as the Company grows and evolves.
Where applicable law requires the designation of a DPO — for example, under Article 37 of the EU GDPR — we will appoint one and publish their name and contact details in this Policy. In the meantime, all data protection enquiries, rights requests, and supervisory authority correspondence can be directed to:
Data Protection Contact:
Combily Private Limited
Email: info@combily.com
Subject Line: Data Protection Enquiry
Upon request, we will provide the name, role, and direct contact details of the individual(s) currently responsible for data protection matters within the Company, in order to comply with any applicable legal or regulatory requirement.
Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) where our processing activities are likely to result in a high risk to the rights and freedoms of individuals, as required under GDPR Article 35 and equivalent provisions in other applicable data protection laws. This includes assessments for:
- Processing that involves new technologies or novel uses of personal data
- Large-scale processing of special categories of data
- Systematic monitoring or profiling that may significantly affect individuals
- Processing involving automated decision-making with legal or similarly significant effects
- Integration of new third-party AI providers or significant changes to data flows
Our DPIAs evaluate the necessity and proportionality of processing, identify and assess risks, and determine appropriate safeguards and mitigation measures. Where a DPIA indicates that processing would result in a high risk that we cannot sufficiently mitigate, we will consult the relevant supervisory authority before proceeding.
We review and update our DPIAs periodically, and whenever there are material changes to the processing operations they cover.
11. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at info@combily.com.
11.1 Rights Under EU GDPR & UK GDPR
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your data, subject to legal exceptions
- Right to Restrict Processing: Request that we limit how we process your data in certain circumstances
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time
- Right to Lodge a Complaint: You have the right to file a complaint with your local data protection authority
11.2 Rights Under California CCPA / CPRA
If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the purposes of collection, and the categories of third parties with whom we share data
- Right to Delete: Request deletion of personal information collected from you
- Right to Opt-Out of Sale: We do not sell your personal information. If this changes, we will provide an opt-out mechanism.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
- Right to Correct: Request correction of inaccurate information
- Right to Limit Use of Sensitive Personal Information: Where applicable, request that we limit the use of sensitive personal information to what is necessary
You may designate an authorised agent to make requests on your behalf. We may require verification of identity and authorisation.
11.3 Rights Under Canadian PIPEDA
If you are a Canadian resident, you have the following rights:
- Right of Access: Request access to your personal information
- Right to Correction: Request that we correct inaccurate or incomplete information
- Right to Withdraw Consent: Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions
- Right to Complain: You may file a complaint with the Office of the Privacy Commissioner of Canada
11.4 Sri Lanka (Personal Data Protection Act)
If you are in Sri Lanka, you may have rights under Sri Lanka's Personal Data Protection law, including the right to request access to, correction of, or deletion of personal data, and to object to or restrict certain processing (as applicable). To make a request, contact us at info@combily.com. We will respond within the timelines required by applicable law.
11.5 Rights Under Brazil LGPD
If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018), including:
- Confirmation & Access: Confirm whether we process your personal data and request access to it
- Correction: Request correction of incomplete, inaccurate, or outdated personal data
- Anonymisation, Blocking, or Deletion: Request anonymisation, blocking, or deletion of unnecessary, excessive, or noncompliant data
- Data Portability: Request portability of your personal data to another service provider
- Deletion: Request deletion of personal data processed with your consent
- Information about Sharing: Obtain information about public and private entities with which we have shared your data
- Consent Withdrawal: Withdraw consent at any time, with effects going forward
- Right to Complain: You may file a complaint with Brazil's Autoridade Nacional de Proteção de Dados (ANPD)
11.6 Rights Under Australia Privacy Act
If you are located in Australia, you have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including:
- Access: Request access to personal information we hold about you (APP 12)
- Correction: Request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading (APP 13)
- Anonymity/Pseudonymity: Where practicable, interact with us without identifying yourself or by using a pseudonym
- Right to Complain: You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
11.7 Rights Under India DPDP Act
If you are located in India, you have rights under the Digital Personal Data Protection Act, 2023 (DPDP Act), including:
- Right to Access: Obtain a summary of your personal data being processed and the processing activities undertaken
- Right to Correction & Erasure: Request correction of inaccurate or misleading data, completion of incomplete data, updating of outdated data, and erasure of data no longer necessary for the purpose for which it was collected
- Right to Grievance Redressal: Contact our designated grievance officer for resolution of concerns
- Right to Nominate: Nominate another individual to exercise your rights in case of death or incapacity
- Right to Complain: You may file a complaint with the Data Protection Board of India
11.8 Rights Under Japan APPI
If you are located in Japan, you have rights under the Act on the Protection of Personal Information (APPI), including:
- Disclosure: Request disclosure of retained personal data we hold about you
- Correction: Request correction, addition, or deletion of inaccurate retained personal data
- Suspension of Use: Request that we cease using or delete your retained personal data if it is being handled in violation of the APPI, or is no longer necessary
- Suspension of Third-Party Provision: Request that we stop providing your retained personal data to third parties in certain circumstances
- Right to Complain: You may file a complaint with the Personal Information Protection Commission (PPC) of Japan
11.9 Rights Under South Korea PIPA
If you are located in South Korea, you have rights under the Personal Information Protection Act (PIPA), including:
- Access: Request access to your personal information
- Correction & Deletion: Request correction or deletion of your personal information
- Suspension of Processing: Request suspension of the processing of your personal information
- Right to Damages: Seek damages for violations of your privacy rights under PIPA
- Right to Complain: You may file a complaint with the Personal Information Protection Commission (PIPC) of South Korea
11.10 Rights Under China PIPL
If you are located in the People's Republic of China, to the extent the Personal Information Protection Law (PIPL) applies to our processing activities, you may have rights including:
- Right to Know & Decide: Be informed about and have the right to decide on the processing of your personal information, and to restrict or refuse processing (except where laws or regulations provide otherwise)
- Access & Copy: Access and obtain copies of your personal information from us
- Correction & Completion: Request correction or completion of inaccurate or incomplete personal information
- Deletion: Request deletion of your personal information where the processing purpose has been achieved, is no longer necessary, you withdraw consent, or we have processed it in violation of the law
- Portability: Request transfer of your personal information to another handler under conditions specified by the Cyberspace Administration of China (CAC)
- Automated Decision-Making: Right to refuse decisions made solely through automated processing that have a significant impact on your rights and interests
- Right of Deceased Persons: Close relatives may exercise certain rights regarding the personal information of deceased individuals
Where cross-border transfers of personal information involve users in mainland China, we aim to conduct such transfers consistently with applicable PIPL requirements, which may include security assessments, standard contractual arrangements, or certifications as required by the CAC.
11.11 Rights Under UAE Federal Decree-Law No. 45 of 2021
If you are located in the United Arab Emirates, you have rights under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, including:
- Access: Request access to your personal data
- Correction: Request rectification of inaccurate, incomplete, or outdated data
- Restriction & Cessation: Request restriction or cessation of processing in certain circumstances
- Objection: Object to decisions based solely on automated processing
- Right to Complain: You may lodge a complaint with the UAE Data Office
11.12 Rights Under Qatar Law No. 13 of 2016
If you are located in Qatar, you have rights under Law No. 13 of 2016 Concerning Personal Data Privacy (as applicable), including the right to access your personal data, request correction or deletion, and object to processing. Complaints may be directed to the relevant authority within the Ministry of Transport and Communications.
11.13 Rights Under Pakistan & Bangladesh
If you are located in Pakistan, your rights relating to the processing of personal data are governed by the Personal Data Protection Act, 2025 (or any successor legislation), and any rules issued thereunder. If you are located in Bangladesh, comprehensive data protection legislation is currently evolving. In both jurisdictions, we aim to process your personal data consistently with applicable local requirements and the protections described in this Policy. To exercise any rights or raise a concern, please contact us at info@combily.com.
11.14 Exercising Your Rights
We will respond to verifiable requests within 30 days (or as required by applicable law). If we need more time, we will inform you and explain the reason. We may need to verify your identity before processing requests. There is no charge for exercising your rights, unless requests are manifestly unfounded or excessive.
12. Children's Privacy
The Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18 (or a higher applicable age in your jurisdiction, including 16 under GDPR and 13 under COPPA).
If we become aware that we have collected personal information from a child without appropriate parental consent, we will take immediate steps to delete that information. If you believe we may have collected information from a child, please contact us at info@combily.com.
13. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
Regulatory Notification: Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required under GDPR Article 33.
- Affected Individuals: We will notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34)
- Canadian Requirements: We will notify the Office of the Privacy Commissioner of Canada and affected individuals as soon as feasible if the breach creates a real risk of significant harm (PIPEDA Breach of Security Safeguards Regulations)
- California Requirements: We will notify affected California residents in accordance with California Civil Code §§ 1798.29 and 1798.82
Notifications will include: the nature of the breach; types of data affected; likely consequences; measures taken or proposed to address the breach; and contact information for further enquiry.
14. Regional Disclosures
As an interface layer that connects users to third-party AI providers via API, our data protection obligations may differ from those of providers who directly host or train AI models. The following disclosures reflect our commitment to align our data handling practices with applicable requirements to the extent they apply to our service model and operational capabilities.
14.1 Sri Lanka (Personal Data Protection Act, No. 9 of 2022)
Combily Private Limited is incorporated and operates from Sri Lanka. As our home jurisdiction, Sri Lanka's data protection framework is of primary relevance to our operations.
Sri Lanka enacted the Personal Data Protection Act, No. 9 of 2022 ("PDPA"), which establishes a comprehensive legal framework for the protection of personal data. The PDPA is being implemented in phases, with the Data Protection Authority of Sri Lanka overseeing its enforcement. To the extent the PDPA and any regulations issued thereunder are in effect and applicable to our processing activities, we aim to align our data handling practices with its requirements, including:
- Lawful Processing: We aim to process personal data based on lawful grounds recognised under the PDPA, including consent, contractual necessity, legitimate interests, and compliance with legal obligations
- Purpose Limitation: Personal data is collected only for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes
- Data Minimisation & Accuracy: We aim to collect only the personal data that is adequate, relevant, and limited to what is necessary, and take reasonable steps to keep it accurate and up to date
- Storage Limitation: Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, after which it is securely deleted or anonymised
- Security Safeguards: We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction
- Cross-Border Transfers: Where personal data is transferred outside Sri Lanka (including to third-party AI providers), we aim to ensure that adequate safeguards are in place as contemplated by the PDPA
- Data Subject Rights: Subject to the PDPA's provisions, individuals may have the right to access, rectify, erase, restrict processing of, and obtain portability of their personal data. We aim to facilitate the exercise of these rights upon verifiable request
As the PDPA's phased implementation progresses and additional regulations or guidelines are issued by the Data Protection Authority, we will continue to review and update our practices to align with any new requirements. For data protection enquiries, rights requests, or concerns, contact us at info@combily.com.
14.2 European Economic Area (EEA) & United Kingdom
If you are in the EEA or UK, the data controller for your personal information is Combily Private Limited. You have the right to lodge a complaint with your local supervisory authority. For the UK, this is the Information Commissioner's Office (ICO). For the EEA, contact your national data protection authority.
14.3 California, United States
We do not sell personal information, and we have not sold personal information in the preceding 12 months. We do not use or disclose sensitive personal information beyond the purposes permitted by the CCPA/CPRA.
Categories of personal information collected in the prior 12 months: identifiers (name, email, IP address); commercial information (purchase history); internet/electronic network activity (usage data, logs); inferences drawn from other categories.
14.4 Canada
We collect, use, and disclose personal information only with your knowledge and consent (express or implied, as appropriate) and only for purposes that a reasonable person would consider appropriate in the circumstances. You may withdraw consent at any time. Our Privacy Officer can be reached at info@combily.com.
14.5 Brazil (LGPD)
If you are located in Brazil, we aim to process your personal data consistently with the Lei Geral de Proteção de Dados (LGPD). We rely on the following legal bases for processing: your consent; the performance of a contract; compliance with legal obligations; the exercise of rights in judicial, administrative, or arbitration proceedings; the protection of your or a third party's life or physical safety; and our legitimate interests, provided they do not override your fundamental rights and freedoms.
We do not transfer your personal data to countries or international organisations that do not provide an adequate level of data protection under the LGPD unless appropriate safeguards are in place — such as standard contractual clauses approved by Brazil's Autoridade Nacional de Proteção de Dados (ANPD) or your specific and informed consent for the transfer. You may contact the ANPD to exercise regulatory rights or file a complaint.
14.6 Australia (Privacy Act 1988)
If you are located in Australia, we implement measures designed to align with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). We collect personal information only when it is reasonably necessary for our functions and activities. Where we disclose personal information to overseas recipients (including AI service providers), we take reasonable steps to ensure the APPs continue to apply to that information. If you believe we have breached an APP, you may lodge a complaint with us first and, if unsatisfied, with the Office of the Australian Information Commissioner (OAIC).
14.7 India (DPDP Act 2023)
If you are located in India, we aim to process your personal data consistently with the Digital Personal Data Protection Act, 2023 (DPDP Act). We obtain consent before collecting personal data (unless processing is for a legitimate use permitted by law), ensure data is processed only for stated purposes, and implement reasonable security safeguards. You have the right to contact our Grievance Officer with any concerns regarding the processing of your personal data. Contact details for our designated Grievance Officer are available upon request at info@combily.com. You may also file a complaint with the Data Protection Board of India.
14.8 Japan (APPI)
If you are located in Japan, we handle your personal information in a manner consistent with the Act on the Protection of Personal Information (APPI) as amended. We specify and publicly announce the purposes for which we use personal information and do not handle it beyond what is necessary for those purposes. Before providing personal data to a third party located outside Japan, we take appropriate measures as required under the APPI, including confirming the foreign country's data protection regime and the recipient's safeguards. You may lodge a complaint with the Personal Information Protection Commission (PPC) of Japan.
14.9 South Korea (PIPA)
If you are located in South Korea, we aim to process your personal information consistently with the Personal Information Protection Act (PIPA). We inform you of the purpose and scope of personal information collection and obtain your consent before processing. Personal information is retained only for the period necessary to achieve the purposes for which it was collected and is securely destroyed thereafter. Where we transfer personal information overseas, we aim to do so consistently with PIPA requirements, including appropriate contractual safeguards. You may lodge a complaint with the Personal Information Protection Commission (PIPC) of South Korea.
14.10 China (PIPL)
We do not currently target our Services specifically at residents of the People's Republic of China. To the extent the PIPL applies to our processing activities, we aim to handle personal information consistently with its requirements — including informing you of the purpose, method, and scope of processing, and facilitating consent for cross-border data transfers where required. Where cross-border transfers are applicable, we aim to conduct them consistently with PIPL requirements, which may include security assessments by the Cyberspace Administration of China (CAC), certification by an accredited institution, or execution of standard contracts formulated by the CAC. If and when our operations extend more broadly to users in the PRC, we will implement additional compliance measures as required by applicable law. If you wish to exercise your rights or have concerns about our data practices, please contact us at info@combily.com.
14.11 United Arab Emirates (Federal Decree-Law No. 45 of 2021)
If you are located in the UAE, we aim to process your personal data consistently with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its implementing regulations. We collect and process personal data based on a lawful purpose, ensure transparency, and apply appropriate technical and organisational measures to protect your data. Where we transfer personal data outside the UAE, we aim to ensure an adequate level of protection as required by the law or obtain your consent. You may lodge a complaint with the UAE Data Office.
14.12 Qatar (Law No. 13 of 2016)
If you are located in Qatar, we aim to process your personal data consistently with Law No. 13 of 2016 Concerning Personal Data Privacy and any applicable regulations issued by the Compliance and Data Protection Department under the Ministry of Transport and Communications. We process personal data only for specified, explicit, and legitimate purposes and do not retain data longer than necessary. Complaints may be directed to the relevant regulatory authority.
14.13 Pakistan (Personal Data Protection Act, 2025)
If you are located in Pakistan, we aim to process your personal data consistently with the Personal Data Protection Act, 2025 (or any successor legislation) and any rules or regulations issued thereunder. We collect personal data only for lawful purposes, ensure appropriate security safeguards, and facilitate your rights to access, correct, and request deletion of personal data. You may raise a complaint with the relevant supervisory authority designated under the Act.
14.14 Bangladesh
Bangladesh is in the process of developing comprehensive data protection legislation. In the interim, we process personal data of users located in Bangladesh consistently with the protections described in this Policy and any applicable local laws — including the Digital Security Act 2018 and the Information and Communication Technology Act 2006 (as amended) to the extent they govern the processing of personal data. As Bangladesh's data protection framework develops, we will update this section to reflect any new legal requirements.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will revise the "Last Updated" date at the top of this page. If we make material changes, we will notify you via email at the address associated with your account or through a prominent notice on our Services.
We encourage you to review this Policy periodically to stay informed about how we protect your information. Continued use of the Services after changes become effective constitutes your acceptance of the updated Policy.
16. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how we handle your data, please contact us:
Combily Private Limited
Privacy & Data Protection Inquiries
Email: info@combily.com
Website: www.combily.com
Our physical address is available upon request for official correspondence.
We aim to respond to all enquiries within 30 days.