Your data, handled with care

IKAN (talent mobility) is the data fiduciary (under DPDP) and data controller (under GDPR) for the personal data described here. We provide relocation and global-mobility services and operate this portal for four populations: assignees being relocated and their families, corporate relocation-management clients (RMCs), external vendors, and our own staff.

Where your employer or an RMC instructs us to manage a relocation, they act as the data fiduciary / controller for that mandate and we act as their processor; we also act as a fiduciary in our own right for platform security, billing, and statutory record-keeping. Reach us at privacy@ikan.co.in.

We collect only what a relocation actually requires. By category:

Identity & contact

Name, email, phone, photograph, employer, role, the corporate client (RMC) sponsoring your move.

Relocation documents

Passport, visa, immigration filings, Aadhaar, PAN, and other government IDs you or your case team upload — for you and your accompanying family members.

Move logistics

Origin and destination addresses, lease and tenancy documents, household-goods inventories, shipment and itinerary details, school and healthcare information for dependents.

Financial

Bank and payout details (vendors), invoices, expense and budget-approval records, settlement amounts.

Interaction

Messages, tasks, approvals, and emails AIRA drafts on your behalf; voice transcripts when you use the voice agent; in-app notifications.

Technical

IP address, device and browser metadata, authentication session, audit-log events, and — with your consent — error diagnostics and analytics.

Several of these are special-category / sensitive data under DPDP and GDPR (government identifiers, financial details, and any health information for dependents). We apply heightened access controls to them — see Security.

Every processing activity is tied to a lawful basis:

• Contract / legitimate use (DPDP §6–7)

  Delivering the relocation services you, your employer, or the sponsoring RMC engaged us for.

• Legal obligation

  Immigration, tax, KYC, and statutory record-keeping requirements in India and destination jurisdictions.

• Consent

  Optional analytics and diagnostic cookies, voice processing, and any processing beyond the relocation mandate. Consent is granular and withdrawable.

• Legitimate interests (GDPR Art. 6(1)(f))

  Securing the platform, preventing fraud and abuse, and improving service quality — balanced against your rights.

• Coordinating your move end-to-end — immigration, housing, schooling, healthcare, shipping, and settling-in.
• Validating documents: AIRA checks passport expiry, visa coverage, and apostille presence, and flags missing or incorrect uploads.
• Drafting emails, authorisation letters, and approvals in your voice for you to review and send.
• Answering questions and turning requests into ops tasks through the case-aware voice agent.
• Processing vendor payouts and corporate billing.
• Keeping the platform secure, auditable, and reliable, and meeting our legal obligations.

AIRA acts autonomously only where confident, and routes sensitive actions through human review. We do not sell your personal data, and we do not use it to train third-party foundation models.

We share data only with vetted sub-processors who act on our instructions under data-processing agreements. We do not share your data with advertisers or data brokers. Our current processors:

We may also disclose data to your employer or sponsoring RMC (as part of the relocation mandate), to government authorities where legally required (immigration, tax, KYC), and to professional advisers under confidentiality.

Your data is stored primarily in Mumbai, India (AWS ap-south-1) via Supabase, with edge delivery from Vercel’s Mumbai region. Because relocation is inherently international, some processing happens outside India — email delivery, AIRA inference, and error diagnostics may run in the United States or the EU.

For those transfers we rely on standard contractual clauses, the recipient’s adequacy status, and data-processing agreements, consistent with DPDP §16 and GDPR Chapter V. India and destination-country transfers required to deliver your move (e.g. sharing a visa file with a destination immigration agent) are made on the contract basis described above.

• Active case data is kept for the duration of your relocation and your relationship with us.
• Statutory records (immigration, tax, KYC, financial) are retained for the period the relevant law requires — typically up to 8 years.
• AIRA reasoning traces are retained for 90 days, then purged.
• Audit logs rotate on the 1st of each month per our retention schedule.
• Voice transcripts are kept only as long as needed to action your request, then deleted.

When data is no longer needed and no legal hold applies, we delete or irreversibly anonymise it.

Under DPDP and GDPR you have the rights below. Wherever supported, you can exercise them yourself in-product — signed-in users can request an export or erasure directly, and we fulfil it through our DSAR pipeline (the /api/dsar endpoint), which produces a downloadable, machine-readable bundle of your data and processes deletions.

• Access

  A copy of the personal data we hold about you.

• Export / portability

  A machine-readable bundle of your data, generated in-product.

• Rectification

  Correction of inaccurate or incomplete data.

• Erasure

  Deletion of your data where we have no overriding legal basis to retain it.

• Restriction

  Pause processing while a dispute or correction is resolved.

• Objection

  Object to processing based on legitimate interests.

To exercise a right, use the in-product privacy controls once signed in, or email privacy@ikan.co.in. We respond within 30 days (and acknowledge sooner). You also have the right to nominate another individual to exercise these rights on your behalf (DPDP §14), and to complain to the Data Protection Board of India or your local supervisory authority.

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Every database table is protected by Row Level Security, service-role keys never touch user-facing routes, and access follows least-privilege — staff only see the surfaces their role requires. Sensitive mutations (lease drafts, invoices, identity actions) route through multi-reviewer governance so no one person can act alone. See the trust center for our full posture.

Relocations often include children. Where we process a dependent’s data — school records, passports, health information — we do so on the instruction and consent of the accompanying parent or guardian, and we apply the same heightened protections as for sensitive data. We never use a child’s data for tracking, profiling, or targeted advertising, consistent with DPDP §9.

As required by DPDP 2023 and the IT Rules, you can raise any privacy concern with our Grievance Officer, who will respond within statutory timelines:

We may update this notice as our services, processors, or legal obligations change. Material changes will be notified in-product and the “last updated” date above will move. Questions about this notice or how we handle your data: privacy@ikan.co.in.

Related: Terms of service · Cookie policy · Trust center