Privacy Policy
Last Updated: December 8, 2025
At Datnass, we consider the protection of personal data a fundamental responsibility. We are committed to processing your personal information securely, transparently, and in full compliance with the Digital Personal Data Protection Act, 2023, and all other relevant data protection laws.
This Privacy Notice (the "Notice") describes how we collect, use, and safeguard personal data in connection with our Services (which include our products, websites, applications, and any related activities - including promotional or informational initiatives referring to this document). It also outlines your rights as a data subject and how you can exercise greater control over your personal information in a simple and informed way.
Please note: This Privacy Notice does not apply to the "content" uploaded, processed, or stored by customers through Datnass's cloud storage services in connection with a Datnass account.
Who is the Data Fiduciary?
The data fiduciary is Datnass Tech Pvt Ltd, a company incorporated under Indian law, with its registered office at 207, Amee City Center, Nana Bazar, Vallabh Vidyanagar, Anand, Gujarat 388120, India ("Datnass", "we" or "us", "our").
When you use our cloud services to store personal data, you determine the purposes and means of that processing. In this context, you act as the data fiduciary, while Datnass acts solely as a data processor, in accordance with the DPDP Act.
Your data is processed exclusively on your behalf and based on your documented instructions, as outlined in the applicable service agreement and Data Processing Agreement (DPA).
What Data Do We Collect?
We collect minimal personal data necessary to provide our services and respond to your inquiries. Below is a detailed overview of what we actually collect.
A. Data Provided Directly by You
When you contact us through our website contact form or interact with our sales team, we collect:
- Full Name: To identify and address you properly
- Business Email Address: To communicate with you (we require business email addresses and do not accept personal email domains like gmail.com, yahoo.com, etc.)
- Company Name: To understand your organizational context and needs
- IP Address: Automatically collected for rate limiting, fraud prevention, and security purposes
- Communication Content: Any additional information you choose to share when contacting our sales or support team via email or phone
Note: Our marketing website (datnass.com) does not have user registration, account creation, or payment processing. If you become a customer and use GDX Cloud or GDX OnPrem services, additional data may be collected as part of the service agreement, which will be covered under a separate Data Processing Agreement (DPA).
B. Data Collected Automatically
When you visit our website, we use privacy-focused analytics to understand general usage patterns without tracking individual users. This includes:
- Anonymized Usage Data: Page views, referrer sources, and general traffic patterns collected through our privacy-focused analytics solution
- Approximate Location: Country-level geolocation (not precise GPS location) to understand our global audience
- Browser Information: Browser type and version for compatibility purposes
- IP Address: Temporarily logged for security, fraud prevention, and rate limiting
We do NOT use traditional tracking cookies, third-party analytics (like Google Analytics), advertising cookies, or browser fingerprinting. Our analytics solution does not create persistent user profiles or track you across websites. See our Cookie Notice for more details.
C. Data Collected from Third Parties
We currently do not systematically collect personal data from third-party sources for our marketing website. However, in the future, we may receive:
- Referral Information: Contact details from business partners or resellers who recommend our services to their clients
- Public Business Information: Company information from publicly available sources to better understand enterprise inquiries
If you become a customer and use GDX Cloud services that integrate with third-party authentication providers (IdPs), that data collection will be governed by your service agreement and DPA.
How We Use Your Data
We process your personal data for the purposes outlined below, based on the legitimate uses set out in Section 7 of the Digital Personal Data Protection Act, 2023 (DPDP Act). Data is stored only for as long as necessary to achieve these purposes and to comply with applicable legal obligations.
| Purpose | Legitimate Uses | Categories of Data | Retention |
|---|---|---|---|
| Provision of Services. To manage and provide our products and services, create and maintain user accounts, and ensure access to the features of our platform. | Legitimate interest / Pre-contractual measures / performance of a contract | Identification and contact data, service usage data. | For the duration of the contract and up to 10 years after termination, in accordance with tax and accounting obligations. |
| Customer Support and Communication. To respond to your requests, provide technical or commercial support, and manage support tickets and reports. | Legitimate interest / Performance of a contract | Identification data, contact details, support request information. | Up to five years after the end of the customer's contractual relationship. |
| Management of Contracts with Partners. To manage contracts with partners (suppliers and service providers). | Performance of a contract / Legal obligation / Legitimate interest | Identification data, contact details, billing and payment information. | For the duration of the contract and up to 10 years after termination due to legal obligations. |
| Security and Abuse Prevention. To protect our website and contact form from spam, abuse, unauthorized access, and fraudulent submissions. To implement rate limiting and prevent automated bot attacks. | Legitimate interest / Legal obligation (IT Act, 2000) | IP addresses, system logs, usage data | Technical and usage data are retained for up to 24 months, unless required for security purposes or investigation of fraudulent activity. |
| Marketing, communication and commercial prospecting activities. To send you promotional communications, updates on our Services and initiatives, newsletters, invitations to events and commercial prospecting messages, including through automated tools (e.g. email, social media, notifications), based on your interests or previous interactions. These activities may target both registered users and individuals who are not yet customers, in compliance with applicable data protection laws. | Legitimate interest / Consent | Name, Business Email, Company, Identification and contact details. Professional information (e.g. job title, company, industry). | Until consent is withdrawn or objection is raised, and in any case for no longer than 24 months from the last meaningful interaction or consent update. |
| Legal Compliance. To comply with legal obligations under Indian laws, respond to lawful requests from government authorities, maintain required business records, and establish or defend legal claims. | Legal obligation | All categories as required by law, such as identification data, transaction data, documentation required by law. | For as long as necessary to meet applicable regulatory obligations. |
Legal Basis Under Indian Law
Our processing of personal data is governed by the following Indian laws:
- Digital Personal Data Protection Act, 2023 (DPDP Act): The primary legislation governing the processing of digital personal data in India. We process data based on legitimate uses under Section 7, including performance of contracts, compliance with legal obligations, and with your consent where required.
- Information Technology Act, 2000 (IT Act): Governs electronic commerce, data protection, and cybersecurity in India. We comply with the reasonable security practices and procedures under Section 43A and the IT (Reasonable Security Practices and Procedures) Rules, 2011.
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021: We comply with intermediary obligations including maintaining records and responding to government requests as required.
- Companies Act, 2013: Requires retention of certain business records and financial documents for specified periods.
Who Do We Share Your Data With?
We share your personal data only when necessary and with trusted parties. Your data may be shared with:
- Infrastructure and Hosting Providers: Our website and backend services are hosted on secure infrastructure providers who may have access to data as part of providing hosting services.
- Email Service Providers: When you contact us through our website, your inquiry is processed and may be sent via email service providers to reach our sales team.
- Analytics Service: We use a privacy-focused analytics service (hosted on our own infrastructure) that processes anonymized website usage data. This service does not have access to personally identifiable information.
- Legal and Professional Advisors: We may share data with lawyers, accountants, and auditors as necessary for legal compliance, financial reporting, and business operations.
- Government Authorities: When required by law, court order, or valid legal request, we will disclose data to law enforcement, regulatory bodies, or judicial authorities in India.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections.
We do NOT:
- Sell your personal data to third parties
- Share data with advertising networks or data brokers
- Provide data to third-party marketing companies
- Use third-party tracking or behavioral advertising services
How Do We Protect Your Data?
We implement technical and organisational security measures to ensure the confidentiality, integrity, availability, and resilience of our systems, software, and services. These measures are designed in accordance with advanced security standards and are proportionate to the nature of the data processed and the specific characteristics of our offerings.
All our employees undergo continuous training on cybersecurity and personal data protection.
In particular, the measures we have adopted include, but are not limited to:
- Internal security policies: which define operational standards, responsibilities, and procedures for data protection within our services
- Access control and secure authentication: to ensure that only authorised users can access data and services, through technologies such as multi-factor authentication (MFA) and role-based access management
- Application security: ensuring that our software is designed, developed, and maintained according to best security practices, including regular audits and vulnerability testing
- Continuous monitoring: to detect suspicious or anomalous activities promptly and to take proactive action in case of incidents
- Data encryption: both in transit and at rest, to protect information from unauthorised access, even on third-party infrastructures
- Secure supplier management: selecting technology partners who comply with applicable data protection regulations and adopt appropriate security measures
- Incident management procedures: enabling us to detect, contain, and promptly notify any personal data breaches
- Regular and secure backups: carried out in protected environments, to ensure data availability and recovery in the event of loss or malfunction
What Are Your Rights?
Under applicable data protection laws, you have the right to exercise a range of actions concerning your personal data at any time. In particular, you can:
- Access the personal data we hold about you and obtain confirmation of whether your data is being processed, as well as a copy of the data we hold
- Request the portability of your data, receiving it in a structured, commonly used, and machine-readable format, so that you can transmit it to another controller
- Request the rectification of inaccurate data or the completion of incomplete data
- Object to the processing of your data, particularly for direct marketing purposes or where there is no overriding legitimate interest
- Restrict the processing under certain circumstances, such as during the verification of data accuracy or if you contest the lawfulness of the processing
- Request the deletion of personal data when it is no longer necessary, you have withdrawn consent, you have objected to the processing, or the data has been processed unlawfully
- Withdraw consent at any time, where the processing is based on consent, without affecting the lawfulness of processing carried out before the withdrawal
- Lodge a complaint with the competent supervisory authority, if you believe your rights under data protection laws have not been respected
To exercise any of these rights, you can contact us by emailing hello@datnass.com.
We will respond within 30 days of receiving your request. In some cases, we may need to verify your identity before we can proceed.
If, after contacting us, you believe your request has not been handled correctly, you can file a complaint with the relevant data protection authority.
Updates to the Privacy Notice
We may update this Privacy Notice from time to time, for instance, to reflect regulatory changes, developments in our services, or organizational changes. In the event of significant updates, we will inform you via email or through a visible notice on our websites.
However, we encourage you to periodically review this page to stay informed about how we process your personal data.
Continued use of our Services after the updates are published will be deemed as acceptance of these changes.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Notice or our data practices, please contact us:
207, Amee City Center, Nana Bazar
Vallabh Vidyanagar, Anand
Gujarat 388120, India
For general inquiries, you can also visit our Contact Us page.