Loading...
Privacy

Privacy Policy

Version 1.0 Effective 26 June 2026 Last updated 26 June 2026
Section 1

Overview, Scope & Statutory Applicability

This Privacy Policy (the “Policy”) is issued by Xtrius Consulting Services Private Limited (“Xtrius”, the “Company”, “we”, “us”, or “our”), a company incorporated under the Companies Act, 2013, with its registered office at Ghatkesar, Hyderabad, Telangana, India. Xtrius owns and operates ColdIQ™, a proprietary, cloud-based Warehouse Management System (WMS) platform and Progressive Web Application (PWA) designed for cold-storage and bonded-warehouse operations.

This Policy is established in accordance with the Digital Personal Data Protection Act, 2023 (the “DPDP Act”), the Information Technology Act, 2000, and the rules framed thereunder. It provides clear and conspicuous notice of how digital personal data is collected, stored, processed, and protected, and of the mechanisms through which Data Principals may exercise their statutory rights.

This Policy governs the processing of personal data relating to: (a) Tenant organisations and their Authorised Users who access the ColdIQ platform; (b) Data Principals whose personal information is uploaded to or generated within the platform by Tenant organisations, including employees, depositors, and third-party warehouse contacts; and (c) external stakeholders, including visitors to the Company’s website and individuals who initiate formal communication with the Company.

Statutory roles

  • Data Processor — Xtrius processes operational, warehouse, and depositor data entered into the platform by the Tenant strictly on the Tenant’s documented instructions, for delivery of the WMS Service.
  • Data Fiduciary — the Tenant organisation is the primary Data Fiduciary for all personal data relating to its depositors, employees, and logistics contacts, and is solely responsible for establishing a valid lawful basis and obtaining the necessary consents from Data Principals.
  • Limited Data Fiduciary — Xtrius acts as a Limited Data Fiduciary solely for the identifiers, authentication credentials, and business-contact information of the Tenant’s primary contacts and Authorised Users, as needed to maintain account integrity and platform security.
Section 2

Categories of Personal Data We Process

The Company adheres to the principle of data minimisation, collecting only the digital personal data required for the “Permitted Purpose” of service delivery, account security, and statutory compliance.

  • Authorised User account & authentication data — full legal name, professional role or job title, business email address, business telephone number (where provided voluntarily), and login credentials (passwords undergo one-way cryptographic hashing and are never stored in plaintext). We also keep audit and activity logs, including login/logout timestamps and a record of actions performed in the production environment for security auditing.
  • Tenant organisational identifiers & statutory data — legal entity name, registered office address, primary billing contact details, and a valid GSTIN (a mandatory prerequisite for generating statutory-compliant invoices).
  • Tenant-managed operational & third-party data — for which the Tenant is the Data Fiduciary and the Company is the Data Processor: depositor/client contacts (names, telephone numbers, email addresses), logistics metadata (vehicle registration numbers and driver identifiers for gate entries), and the names of warehouse personnel recorded in operational task logs or cycle-count reports.
  • Financial record-keeping & invoicing metadata — invoice particulars (amounts, dates, PO numbers) and payment acknowledgements (whether an invoice has been marked “paid”, the amount received, and the outstanding balance).
  • Technical telemetry & service metadata — IP addresses (used primarily for security logging and geographic access restrictions), browser type and version, device identifiers, and aggregated, non-personally-identifiable usage metrics.

Excluded identifiers. In alignment with high-risk data-minimisation protocols, the Company does not collect, process, or store Aadhaar numbers, Permanent Account Numbers (PAN), or other government-issued individual identifiers. The Company is not a payment aggregator; it does not process financial transactions, hold escrow funds, or integrate with payment gateways. All actual remittances occur via bank transfer external to the Service.

To be finalized by counsel — KYC identifiers vs the Excluded-Identifiers claim

The platform’s optional client/depositor KYC fields offer Aadhaar / PAN / Ration-Card identifiers entered by the Tenant (Tenant-managed Data-Processor data, above) — which the Service stores. This must be reconciled with the “Excluded identifiers” statement: either that exclusion is to be scoped to the Company’s own (Data-Fiduciary) account data, or the optional KYC processing of government-issued identifiers must be expressly disclosed here. Pending counsel.

Section 3

Purposes & Lawful Grounds for Processing

In accordance with Sections 4 and 7 of the DPDP Act, 2023, the Company processes personal data strictly for the identified “Permitted Purposes”:

  • Provision and operation of ColdIQ — processing of Authorised User account data, operational warehouse records, and service telemetry to deliver the core WMS, on the basis of Contractual Necessity (acceptance of the EULA constitutes valid consent for performance of the Agreement).
  • Statutory billing & tax compliance — use of Tenant identifiers (including GSTIN), billing-contact information, and transactional metadata to generate statutory-compliant invoices and maintain auditable payment acknowledgements, on the basis of Contractual Necessity and the Legal Obligations under Indian tax laws (the Central Goods and Services Tax Act, 2017).
  • Authentication & access integrity — processing of unique identifiers, hashed credentials, and security audit logs to manage secure sessions and enforce Role-Based Access Control (RBAC), on the basis of Contractual Necessity and the Legitimate Use of system security.
  • Technical support & incident remediation — processing of account details, usage logs, and support correspondence to resolve tickets under the SLA, on the basis of Contractual Necessity.
  • Security monitoring & fraud mitigation — processing of technical metadata (including IP addresses and access-event logs) to detect and prevent malicious interference, on the basis of Legitimate Use.
  • Mandatory regulatory compliance — processing and, where required, disclosure of personal data to comply with valid court orders, subpoenas, or statutory mandates from competent Indian authorities, on the basis of Legal Obligation.
  • Service optimisation & analytics — use of aggregated, de-identified, or anonymised telemetry to inform platform enhancements, on the basis of Legitimate Use, processed so that individuals cannot be practicably re-identified.

Withdrawal of consent. In compliance with Section 6 of the DPDP Act, Data Principals may withdraw consent at any time. Withdrawal may affect the Company’s ability to continue providing certain features; processing will cease immediately unless a separate lawful basis — such as a legal obligation to retain records for statutory tax purposes — mandates continued retention.

Section 4

Data Residency & Cross-Border Transfers

Notwithstanding the Company’s incorporation and primary operations within India, the primary production databases, application infrastructure, and all digital personal data processed via ColdIQ are hosted on secured cloud infrastructure located in Singapore.

Residency notice

This arrangement constitutes a cross-border transfer of personal data under Section 16 of the DPDP Act, 2023. By accepting the EULA and using the Service, the Tenant (as the primary Data Fiduciary) authorises this transfer and represents that it has obtained, or shall obtain, valid, informed, and affirmative consent from its Data Principals for the processing of their data in Singapore.

The Company ensures the Singapore-based infrastructure affords protection at least as stringent as that mandated by the DPDP Act, including: adherence to Singapore’s Personal Data Protection Act (PDPA); cloud providers maintaining ISO 27001 and/or SOC 2 Type II certifications; and AES-256 full-disk encryption at rest with TLS 1.2 or higher (with Perfect Forward Secrecy) in transit.

Onward transfers. Data stored in Singapore shall not be transferred to any further jurisdiction except (i) as mandated by the applicable laws of India or Singapore; (ii) with the Tenant’s express prior written consent; or (iii) where the Data Principal has provided explicit, informed consent. Where required by regulatory notification, or if Singapore’s adequacy status is modified by the Central Government of India, the parties shall execute Standard Contractual Clauses (SCCs) or supplementary addendums. Limited technical metadata (Authorised User login identifiers and support-ticket correspondence) may be processed in other jurisdictions strictly to provide global technical support.

Section 5

Data Retention & Secure Destruction

Digital personal data is retained only for as long as required to fulfil the Permitted Purpose for which it was collected, or as mandated by the statutory requirements of India.

Retention periods

Authorised User account data and operational / warehouse data are retained for the duration of the active subscription plus ninety (90) days following account closure or contract termination, after which they are securely purged or irreversibly anonymised.

Financial, invoice, and billing records generated on the basis of the Tenant’s GSTIN are preserved for seven (7) years to meet statutory tax obligations, taking precedence over individual erasure requests.

Security and access logs are retained for a minimum of one (1) year; support correspondence for three (3) years after ticket closure. Aggregated, anonymised analytics may be retained indefinitely where no individual can be re-identified.

Erasure. The Tenant may request erasure of operational data at any time by writing to the Grievance Officer (Section 9). Once the applicable retention period expires or a valid erasure request is processed, data is destroyed using industry-standard firmware-based erasure or physical-destruction methods so that it cannot be practicably reconstructed. Statutory record-keeping duties (particularly GST and tax compliance) take precedence over individual deletion requests.

Section 6

Data Sharing & Sub-Processing

The Company does not sell, rent, lease, or trade digital personal data to any third party for marketing, advertising, or commercial-profiling purposes.

To operate ColdIQ, the Company engages specialised third-party Sub-processors for: cloud infrastructure and hosting (primarily within Singapore); transactional communications (system alerts, authentication tokens, statutory invoices); and operational reliability (error-monitoring and diagnostic logging). In accordance with Section 8 of the DPDP Act, the Company executes written agreements with each Sub-processor imposing data-protection obligations equivalent to or more restrictive than this Policy and the associated Data Processing Agreement, and remains fully and vicariously liable for its Sub-processors.

A current list of authorised Sub-processors is available to the Tenant on request. The Company will give at least thirty (30) days’ prior written notice of any intended addition or replacement of a Sub-processor, during which the Tenant may reasonably object on data-protection or security grounds.

Compelled disclosure. The Company may disclose personal data where mandated by a valid court order, subpoena, or lawful request from a competent Indian authority (including the Data Protection Board of India or law-enforcement agencies). Where legally permissible, the Company will give the Tenant prompt written notice of the demand so it can seek a protective order or other remedy.

Section 7

Information Security & Breach Management

The Company maintains a formal security-management programme of Technical and Organisational Measures (TOMs) designed to ensure the confidentiality, integrity, and availability of all personal data, intended to meet or exceed accepted industry standards for SaaS providers. In fulfilment of Section 8 of the DPDP Act, these include:

  • Data encryption — TLS 1.2 or higher (targeting TLS 1.3) with Perfect Forward Secrecy in transit; AES-256 full-disk encryption at rest in production.
  • Identity & access management — provisioning by the Principle of Least Privilege, with mandatory RBAC and Multi-Factor Authentication (MFA) for all administrative and privileged access.
  • Auditability & logging — immutable security-event logs of successful and unsuccessful login attempts and sensitive-data access, retained for at least one (1) year.
  • Vulnerability management — regular security assessments, including annual third-party penetration testing and frequent vulnerability scanning. Production is deployed on ISO 27001-certified cloud infrastructure located in secured facilities in Singapore.
Breach notification

On confirmation of a Personal Data Breach likely to result in harm, the Company initiates its Incident Response Protocol to lock down affected systems, and notifies the Tenant (as Data Fiduciary) without undue delay and no later than twenty-four (24) hours after becoming aware. Consistent with Section 8(6) of the DPDP Act, the Company assists in ensuring the Data Protection Board of India and affected Data Principals are notified within seventy-two (72) hours of breach confirmation.

Section 8

Your Rights as a Data Principal

In accordance with Chapter III of the DPDP Act, 2023, every Data Principal whose personal data the Company processes has the following rights:

  • Right to access & information — to obtain a summary of the personal data being processed, a description of the processing, and the identities of other Data Fiduciaries or Processors with whom it has been shared.
  • Right to correction & completion — to have inaccurate data rectified, incomplete data completed, and out-of-date identifiers updated.
  • Right to erasure — to have personal data deleted once it is no longer required for the Permitted Purpose, subject to the Company’s statutory retention obligations under Indian tax and GST laws.
  • Right to grievance redressal — to register a complaint about any act or omission that violates the DPDP Act or this Policy.
  • Right to nominate — to nominate another individual to exercise these rights in the event of death or incapacity.

If you are Tenant personnel (an employee, contractor, or contact of a Tenant organisation), the Tenant is your primary Data Fiduciary and your requests must be directed to the Tenant’s designated privacy representative; the Company, as Data Processor, provides reasonable technical assistance to the Tenant. To exercise any right directly, submit a written request to the Grievance Officer (Section 9); the Company may require identity verification before processing the request. The Company acknowledges a rights request within twenty-four (24) hours and provides a resolution or status update within thirty (30) days.

Section 9

Grievance Redressal & Contact

In accordance with Section 11(4) of the DPDP Act, 2023, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Company has established a formal mechanism for the expeditious redressal of grievances relating to the processing of personal data. Any Data Principal or User may exercise statutory rights or register a complaint by writing to the designated Grievance Officer:

Grievance Officer — Xtrius Consulting Services Private Limited
Name
[To be finalized by counsel]
Designation
Grievance Officer
Organisation
Xtrius Consulting Services Private Limited
Registered address
Ghatkesar, Hyderabad, Telangana, India
Email
[To be finalized by counsel]
Response
Acknowledgement within 24 hours; resolution or status update within 30 days.

Regulatory recourse. If you are not satisfied with the Grievance Officer’s resolution, or if your grievance is not addressed within the stipulated timeline, you have the statutory right to lodge a complaint with the Data Protection Board of India, once constituted and operational under the DPDP Act, 2023.

Section 10

Cookie Policy & Service Telemetry

ColdIQ, including its web interface and PWA, uses “cookies” and similar locally-stored technical identifiers (collectively, “Cookies”) to ensure security, support the user experience, and gather aggregated performance metrics. The Company uses the following categories:

  • Strictly necessary Cookies — essential for the core operation of the platform: secure session management, user authentication, and RBAC enforcement. These are first-party and, by default, session-only (ephemeral); where you select the optional “remember me” at sign-in, a persistent first-party authentication cookie is retained for up to thirty (30) days. They cannot be disabled while you are signed in.
  • Functional & preference Cookies — retain configurations such as language and dashboard display settings, with a retention period of up to twelve (12) months; they may be managed or disabled through your browser, though doing so may degrade the experience.
  • Analytical & performance telemetry — first-party, aggregated, de-identified data on platform utilisation and feature performance, used strictly for the Legitimate Use of service optimisation; these identifiers persist for up to twelve (12) months and are subject to the opt-out below.

You may refuse or delete Cookies through your browser’s privacy settings, and you may opt out of non-essential analytical Cookies by writing to the Grievance Officer. In accordance with the Company’s data-minimisation protocols:

  • No Third-Party Advertising — the Company does not use advertising Cookies or pixel tags for commercial profiling.
  • No Sale of Metadata — technical usage data is never sold or shared with third-party data brokers for marketing purposes.
  • No Cross-Site Tracking — the Service does not track your activity on third-party websites or external applications.

Because the platform sets only first-party functional Cookies and de-identified first-party analytics — and no third-party advertising or cross-site tracking Cookies — cookie use is disclosed in this Policy and no cookie-consent banner is shown.

Section 11

Children’s Data

ColdIQ is a specialised business-to-business (B2B) utility intended exclusively for organisations and their authorised personnel. The Service is not directed toward, nor intended for access by, individuals under eighteen (18) years of age. The Company does not knowingly solicit, collect, or process personal data from any Data Principal under 18 and, in accordance with Section 9 of the DPDP Act, provides no features that process children’s data in a manner likely to cause detrimental effect. If you believe the Company has inadvertently collected a minor’s data, notify the Grievance Officer; on verification the Company will permanently erase such data from its production environments and backups within the prescribed timelines.

Section 12

Changes to this Policy

The Company may modify, amend, or replace this Policy to reflect changes in platform functionality, emerging security threats, or evolving statutory requirements. For a Material Change — one that significantly alters the lawful basis for processing, data residency, or Data Principal rights — the Company will give the Tenant’s registered billing contact at least fourteen (14) days’ prior notice by electronic communication. The current version is always accessible via the ColdIQ dashboard and the Company’s official URL. Continued use of the Service after an update’s effective date constitutes acceptance of the revised Policy; if you disagree, you must cease use and initiate account deactivation.

Section 13

Governing Law & Dispute Resolution

This Policy and all matters arising out of or relating to the processing of personal data are governed by, and construed in accordance with, the laws of the Republic of India. Subject to the mandatory arbitration provisions of the Master Services Agreement and the EULA, the parties submit to the exclusive jurisdiction of the competent courts at Hyderabad, Telangana, India. This Policy is supplemental to, and must be read with, the MSA, SOW, and EULA; in the event of an irreconcilable conflict with the data-protection provisions of the MSA, the terms of the MSA (and its Data Processing Addendum) take precedence.

Error