Create your account
Tell us about your company — you'll be the first admin.
Tell us about your company — you'll be the first admin.
© ColdIQ · Multi-tenant cold-chain platform
Version 1.0 · Effective 26 June 2026 · Xtrius Consulting Services Pvt Ltd
This End-User Licence Agreement and Terms of Service (the “Agreement”) is a legally binding contract between you (the “User” or “Tenant”) and Xtrius Consulting Services Private Limited (the “Company”). By accessing or using the Company’s web-based platform and associated software (the “Service”, ColdIQ™) in any manner, you acknowledge that you have read, understood, and agree to be bound by these Terms and the Company’s Privacy Policy. By using the Service you represent that you are at least eighteen (18) years of age and have the legal capacity and authority to bind yourself or your organisation. If you do not agree to these Terms, you are not granted a licence to use the Service and must immediately discontinue all access.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Agreement. Your right to access the Service is strictly conditioned on your unconditional acceptance. If you accept on behalf of a Tenant or other entity, you represent that you have the authority to bind it. You represent that you are at least eighteen (18) years of age and have full legal capacity to contract under the laws of India.
Where you act as an Authorised User on behalf of a Tenant, you additionally warrant that: you are duly authorised under a valid and subsisting MSA; the Tenant has complied with all payment and tax obligations under the MSA and applicable SOW; and your use is within the technical and usage limits of the applicable SOW.
This EULA assumes a Tenant that has executed an MSA and SOW. A self-service demo or free-trial user who signs up online has not executed an MSA/SOW, so the references in Sections 2–3 to a “valid and subsisting MSA” and SOW usage limits do not yet apply to them. A trial / demo carve-out clause (scope, duration, data-handling, and conversion terms for self-signup demo accounts) is pending counsel input and is intentionally not drafted here.
Subject to your continued compliance and prompt payment of all applicable fees under the relevant SOW, the Company grants the Tenant a revocable, non-exclusive, non-transferable, non-sublicensable, and limited licence to access and use the Service solely for the Tenant’s internal business operations during the Subscription Term. The rights are conditioned on adherence to the Usage Metrics in the SOW (authorised user counts, designated environments, geographic territories); exceeding these limits is prohibited without prior written authorisation and may incur supplemental or overage fees.
Restrictions. Except as expressly permitted or required by law, you shall not, and shall not permit any third party to: (a) sublicense, sell, resell, rent, lease, transfer, or assign the Service, or make it available to any third party; (b) modify, translate, adapt, or create derivative works; (c) reverse-engineer, decompile, disassemble, or derive the source code or internal structure; (d) frame or mirror the Service, or circumvent any security or usage-tracking mechanism; (e) use the Service to build a competitive product or conduct unauthorised benchmarking; or (f) remove or obscure any proprietary notices, trademarks, or copyright markings.
Reservation of rights. The Service is licensed, not sold. Except for the limited rights in this Section, the Company and its licensors retain all right, title, and interest in the Service and its Intellectual Property Rights. No implied licences are granted.
The Company will use commercially reasonable efforts to provide 99.9% System Uptime per calendar month on a 24×7 basis. “Excused Downtime” (scheduled maintenance; third-party infrastructure outages such as AWS or Google Cloud; Force Majeure; or the Tenant’s own acts or configurations) is excluded from the calculation.
Support incidents are acknowledged and remediated per the Service Level Targets in Annexure C. If the Company misses the 99.9% monthly target, the Tenant’s sole and exclusive remedy is a Service Credit of 5% of the monthly subscription fee for every 0.5% shortfall below target, capped at 30% of the monthly fee, applied against future invoices only (not refundable as cash). To be eligible, the Tenant must lodge a written claim within fifteen (15) days of the end of the affected month.
Scheduled maintenance is typically performed on Sundays between 02:00 and 06:00 IST; the Company endeavours to give at least forty-eight (48) hours’ notice for planned downtime expected to exceed thirty (30) minutes. Emergency maintenance for critical security vulnerabilities may be performed without prior notice, with the Company informing the Tenant as soon as practicable.
The receiving party shall hold the disclosing party’s Confidential Information in strict confidence, apply at least the same reasonable degree of care it uses for its own similar information, and use it solely to exercise its rights or perform its obligations under this Agreement. Disclosure is permitted only to Representatives (Affiliates, employees, contractors, advisors, directors) with a bona-fide need to know who are bound by confidentiality obligations at least as restrictive; the receiving party remains liable for their breaches.
These obligations do not apply to information that is or becomes public through no fault of the receiving party, was rightfully held before disclosure, is independently developed, or is rightfully obtained from a third party. If compelled by legal process, the receiving party shall give prompt written notice (where permitted) so the disclosing party may seek a protective order; nothing prevents the Company from disclosing information as mandated by the RBI, SEBI, or other competent Indian regulator. On request or termination, Confidential Information is returned or securely destroyed and destruction certified. Confidentiality obligations survive for three (3) years after termination.
You are solely responsible for the confidentiality of your authentication credentials and for all activity under your account. You agree to provide accurate registration information, log out at the end of each session, and immediately notify the Company of any suspected unauthorised access or compromise.
You shall use the Service in compliance with all applicable laws, including the DPDP Act, 2023 (for any personal data), applicable export-control and sanctions laws, and the Prevention of Corruption Act, 1988. Without prejudice to the Acceptable Use Policy (Annexure D), you shall not (and shall not facilitate any third party to): transmit malware or malicious code; engage in phishing, spoofing, or identity theft; attempt unauthorised access to systems, databases, or networks; infringe the IP, privacy, or publicity rights of others; process data unlawfully or contrary to the relevant Data Fiduciary’s instructions; conduct unauthorised benchmarking; or use bots, scrapers, or crawlers to harvest data. The Tenant remains fully and vicariously liable for the acts and omissions of its Authorised Users.
For all digital personal data processed under this Agreement, the Tenant acts as Data Fiduciary and the Company acts as Data Processor. The Tenant is solely responsible for a valid lawful basis and for obtaining consents from Data Principals. The Company processes personal data (such as names, verified mobile numbers, and email addresses) strictly for the Permitted Purpose of WMS functionality, warehouse and inventory management, GSTIN-based invoice generation, and payment-acknowledgement recording.
The Company does not collect or process Aadhaar numbers, PAN, or any government-issued tax identifier other than GSTIN, and does not process payment transactions. Processing rests on consent, contractual necessity, or legitimate use under Section 7 of the DPDP Act. Data Principals’ rights of access, correction, and erasure may be exercised via the Grievance Officer (Section 15); grievances are acknowledged within 24 hours with a formal response within the 30-day statutory timeline.
The platform’s optional client/depositor KYC fields let the Tenant enter Aadhaar / PAN / Ration-Card identifiers, which the Service stores on the Tenant’s behalf (Data-Processor role). This must be reconciled with the no-government-ID statement above and the Privacy Policy “Excluded identifiers” clause — either scope the exclusion to the Company’s own account data or disclose the optional KYC processing. Pending counsel.
The Company implements industry-standard safeguards: AES-256 encryption at rest; TLS 1.2 or higher (targeting TLS 1.3) with Perfect Forward Secrecy in transit; mandatory strong authentication and RBAC for privileged access; and regular vulnerability assessments and penetration testing under the Principle of Least Privilege.
On confirmation of a Personal Data Breach, the Company notifies the Tenant without undue delay (within 24 hours of detection) and assists in notifying the Data Protection Board of India and affected Data Principals within 72 hours, as mandated by Section 8(6) of the Act.
All digital personal data collected under this Agreement is stored and processed on secured cloud infrastructure located in Singapore. This constitutes a cross-border transfer under the DPDP Act, 2023; the Tenant acknowledges the transfer and confirms it has obtained, or shall obtain, any necessary consent from its Data Principals. No onward transfer from Singapore occurs without the Tenant’s written consent and applicable legal authority.
Retention & destruction. Personal data is retained only while it serves a legitimate business or legal purpose (e.g., financial records for 7 years). On termination, accounts and data are deactivated within fifteen (15) days and all digital personal data is permanently destroyed within sixty (60) days using firmware-based erasure so it cannot be reconstructed.
The Company and its licensors retain all right, title, and interest (including all IP Rights) in the Service and its underlying technology — WMS business logic and modules, proprietary algorithms, software code, APIs, and user interfaces. As between the parties, the Tenant retains all rights in its Tenant Data and grants the Company a worldwide, non-exclusive, royalty-free, limited licence to host, copy, transmit, display, and use Tenant Data solely to provide and maintain the Service, address technical problems, and comply with the Tenant’s instructions or law (extending to authorised Sub-processors such as AWS and Google Cloud). Any Feedback you provide is assigned to the Company (or licensed to it perpetually if assignment is ineffective). The Service may incorporate open-source components governed by their respective licences. The Company will defend the Tenant against third-party claims that the unmodified Service infringes a valid Indian patent or copyright, subject to prompt notice and the stated exclusions.
The Tenant shall pay the subscription fees, one-time implementation charges, and other costs set out in the relevant SOW or Order Summary. All fees are invoiced by the Company; actual payment collection and remittance occur entirely outside the Service. The Service records only whether an invoice has been acknowledged as paid, the amount recorded as received, and the resulting outstanding balance — it does not process, initiate, or facilitate any financial transaction or transfer.
Unless an SOW states otherwise, undisputed invoices are payable Net thirty (30) days. Overdue undisputed amounts accrue interest at 1.5% per month (compounded), or the maximum permitted rate, whichever is lower. All fees are exclusive of GST and other statutory levies, which are added at prevailing rates; the Tenant must provide a valid GSTIN to enable Input Tax Credit. The Company warrants that it is a registered taxpayer and shall file its monthly GST returns in a timely manner as required under the Central Goods and Services Tax Act, 2017, to ensure the Tenant’s ability to claim relevant tax credits. Payments are made in full without set-off or deduction, except where a deduction (e.g., TDS under the Income Tax Act, 1961) is required by law. The Company may revise fees at the start of a renewal term on at least sixty (60) days’ written notice; continued use after the effective date constitutes acceptance.
Each party warrants that it is validly existing and has the authority to enter into and perform this Agreement, and will comply with applicable laws including the DPDP Act, 2023. The Company warrants that, for ninety (90) days from initial deployment, the Service will perform in material accordance with its functional specifications; the Tenant’s sole and exclusive remedy for breach is for the Company to use commercially reasonable efforts to remediate the non-conformity.
Except for that limited warranty, the Service is provided on an “as is” and “as available” basis, with all faults and without warranty of any kind to the maximum extent permitted by law. The Company disclaims all other warranties, including implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement, and does not warrant that the Service will be uninterrupted, secure, or error-free, or that all defects will be corrected within a specific timeframe except as stipulated in the SLA. Nothing excludes any right or liability that cannot lawfully be excluded under Indian law.
To the maximum extent permitted by law, neither party is liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, including loss of profits, revenue, data, business interruption, or goodwill, regardless of the theory of liability and even if advised of the possibility. Subject to the exclusions below, each party’s total aggregate liability is limited to the total fees paid or payable by the Tenant in the twelve (12) months preceding the event giving rise to the claim.
The cap does not apply to: death or personal injury from gross negligence; fraud, fraudulent misrepresentation, or criminal negligence; the Tenant’s obligation to pay undisputed fees and GST; wilful misconduct or intentional breach of confidentiality; or infringement of the other party’s IP Rights. The Company is the principal employer of its personnel and bears their wages and statutory remittances; the engagement of such personnel creates no employer-employee relationship between them and the Tenant, and no right of employment in the Tenant’s organisation accrues to Company staff by virtue of this Agreement. The Tenant shall indemnify the Company (and its directors Sandeep Kumar Yadav Chowla and Venugopal Raju Lakamraju, officers, and employees) against third-party claims arising from the Tenant’s breach, misuse, infringing Tenant Data, or violation of Indian law. The Company shall indemnify the Tenant against claims that the unmodified Service infringes a registered Indian patent, copyright, or trademark, subject to prompt notice, sole control of defence, and reasonable cooperation.
This Agreement commences on the Effective Date and runs for the initial Subscription Term in the applicable SOW, then automatically renews for successive one-year periods unless either party gives written non-renewal notice at least sixty (60) days before the end of the then-current term. Either party may terminate for cause on written notice for an uncured material breach (thirty (30) days’ cure), insolvency, or cessation of business; either party may terminate for convenience on sixty (60) days’ notice (the Tenant remaining liable for accrued undisputed fees).
On termination: all licence rights revert to the Company; the Tenant ceases use and certifies revocation of credentials; the Company issues a final invoice payable within fifteen (15) days; each party returns or destroys the other’s Confidential Information; and the Company performs the statutory data purge per Section 7. Provisions that by their nature survive (Definitions, Confidentiality, Retention & Deletion, IP, Warranty Disclaimer, Limitation of Liability & Indemnity, and General Provisions) survive termination.
This Agreement is governed by the laws of the Republic of India, without regard to conflict-of-law principles. Subject to arbitration, the parties submit to the exclusive jurisdiction of the courts at Hyderabad, Telangana. The parties shall first attempt to resolve any Dispute through good-faith negotiations, escalating to senior management within ten (10) days of a written notice, with a thirty (30) day negotiation period.
If unresolved, the Dispute is referred to binding arbitration under the Arbitration and Conciliation Act, 1996, before a sole arbitrator mutually appointed (failing which, appointed by the competent court). The seat and venue are Hyderabad, Telangana, India, and the language is English. The award is final and binding; each party bears its own costs. Either party may still seek interim injunctive relief from a court to protect its Confidential Information or IP Rights. The parties continue performing their obligations during any dispute-resolution proceedings.
Force Majeure. Neither party is liable for delay or failure (other than payment) caused by events beyond its reasonable control (acts of God, fire, flood, epidemic, government action, war, civil unrest, labour disputes, or persistent telecom/internet failures); the affected party gives prompt notice and mitigates, and if the event continues beyond ninety (90) days either party may terminate the affected SOW. The Company may audit the Tenant’s compliance with usage limits on ten (10) business days’ notice, no more than once a year during normal business hours; the Company bears the audit costs, but if the audit reveals a material non-compliance (a discrepancy of 5% or more in usage fees) the Tenant shall immediately remit the underpaid fees and reimburse the Company for all reasonable audit expenses. The Tenant may not assign without consent; the Company may assign in a merger, acquisition, or sale of assets. Notices are given by hand, registered post/courier, or confirmed email. Amendments require a signed writing, except that the Company may unilaterally update these Terms for DPDP/statutory compliance on thirty (30) days’ notice (continued use = acceptance). No waiver is implied; invalid provisions are severed; this Agreement (with the MSA, SOWs, and Annexures A–D) is the entire agreement, with the order of precedence: SOW, Annexures, main body, then MSA. Electronic signatures are valid under the Information Technology Act, 2000.
In accordance with Section 11(4) of the DPDP Act, 2023, and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Company has established a formal mechanism for redressing grievances about the processing of personal data and use of the Service. Any Data Principal or User may register a complaint or exercise statutory rights by writing to the designated Grievance Officer. The Company acknowledges within twenty-four (24) hours and provides a resolution or status update within thirty (30) days.
ColdIQ is a cloud-based Warehouse Management System (WMS) purpose-built for cold-storage operators, temperature-controlled logistics providers, and bonded-warehouse facilities. It manages depositor accounts, commodity inventory, storage-slot allocation, inward/outward stock movements, invoice generation, payment-acknowledgement recording, and statutory bond compliance through a unified web platform and PWA. ColdIQ is accessed entirely via a web browser; it is not a native mobile app and is not on any app store.
Core functional modules: client & commodity management; slot & space management with temperature-zone enforcement (frozen −18°C, chilled 0–4°C, ambient 8–15°C); stock & inventory control (gate entry, goods-receipt notes, delivery orders, lot/expiry tracking, stock-take); a GST-compliant billing & tariff engine (storage rent per pallet/MT/CBM/day, handling charges, e-invoice/e-way-bill via NIC API); bond & statutory compliance registers under the Customs Act, 1962 and the Warehousing (Customs) Regulations, 2016; reporting & analytics; and integrations/APIs (ERP, NIC, optional IoT temperature sensors, SMS/WhatsApp/email notifications). The Service records payment acknowledgements only and does not collect, process, or transfer funds; no Aadhaar, PAN, or other government-issued identity document is collected for billing.
Hosting & infrastructure. All data is stored and processed on ISO 27001-certified cloud infrastructure located in Singapore, constituting a cross-border transfer from India to Singapore; disaster recovery is standard (RPO 4 hours, RTO 8 hours). Three environments are provided — Development, UAT, and Production — with scope per the applicable SOW. Out of scope (unless stated in an SOW): physical cold-chain logistics; actual payment collection or fund transfers; customs brokerage; temperature-sensor hardware; and integrations with systems not listed in the module catalogue.
This DPA forms an integral part of the Agreement and governs the processing of digital personal data under the DPDP Act, 2023.
Roles & instructions. The Tenant is the Data Fiduciary and determines the purpose and means of processing, warranting a valid lawful basis (e.g., consent) for all processing. The Company is the Data Processor and processes personal data strictly on the Tenant’s documented instructions for the Permitted Purpose of service delivery, software engineering, and automated billing; the Company will inform the Tenant if, in its opinion, an instruction violates the DPDP Act.
Sub-processors. The Tenant gives a general written authorisation for the Company to engage Sub-processors (e.g., AWS, Google Cloud). The Company executes agreements imposing equivalent or more restrictive obligations, remains vicariously liable for them, maintains a list available on request, and gives at least thirty (30) days’ notice of additions or replacements (during which the Tenant may object on reasonable grounds).
Breach management. On a confirmed Personal Data Breach, the Company notifies the Tenant without undue delay and no later than twenty-four (24) hours after becoming aware, and assists in notifying the Data Protection Board of India within seventy-two (72) hours per Section 8(6). Notifications include the nature of the breach, the categories and approximate number of affected Data Principals, likely consequences, and remediation taken or proposed.
Residency & cross-border transfers. All such personal data is stored and processed on secured cloud infrastructure in Singapore — a cross-border transfer from India to Singapore under the DPDP Act, 2023, for which the Tenant, as Data Fiduciary, accepts responsibility for a valid lawful basis (including explicit consent where required). No onward transfer beyond Singapore occurs except as required by law, with the Tenant’s written authorisation, or with the Data Principal’s explicit consent; any onward transfer is subject to appropriate safeguards such as Standard Contractual Clauses (SCCs).
This SLA sets out the Company’s performance metrics and support obligations and is subject to the main Agreement and any executed SOW.
Incident response. The Company remediates incidents per the priority levels, acknowledgement SLAs, and resolution targets below; timelines run from the moment a ticket is registered through the Designated Support Portal or authenticated API endpoint, performed with industry-standard skill and care.
Uptime methodology. System Uptime = (Total Minutes in Month − Downtime Minutes) / Total Minutes in Month × 100, with 99.9% warranted per month. “Downtime Minutes” exclude scheduled maintenance and Excused Downtime (third-party infrastructure failures, Force Majeure, or Tenant acts/omissions). A four-level escalation hierarchy (Support Operations → Senior Engineering → Engineering Leadership & Account Management → Managing Director) applies, and the Company provides a Service Level Performance Report within five (5) business days after each month (actual uptime vs. target, incident volume by priority, MTTR, and any Service Credits).
This AUP establishes behavioural standards for all Users and Tenants; adherence is a material condition of the licence under Section 3. In addition to the restrictions in Section 6, you are strictly prohibited from using the Service for:
The Company may (but is not obliged to) monitor usage for compliance. Any violation is a material breach that may result in immediate suspension or termination without prior notice or liability, without prejudice to other remedies including injunctive relief.
Version 1.0 · Effective 26 June 2026 · DPDP Act, 2023
This Privacy Policy (the “Policy”) is issued by Xtrius Consulting Services Private Limited (“Xtrius”, the “Company”, “we”, “us”, or “our”), a company incorporated under the Companies Act, 2013, with its registered office at Ghatkesar, Hyderabad, Telangana, India. Xtrius owns and operates ColdIQ™, a proprietary, cloud-based Warehouse Management System (WMS) platform and Progressive Web Application (PWA) designed for cold-storage and bonded-warehouse operations.
This Policy is established in accordance with the Digital Personal Data Protection Act, 2023 (the “DPDP Act”), the Information Technology Act, 2000, and the rules framed thereunder. It provides clear and conspicuous notice of how digital personal data is collected, stored, processed, and protected, and of the mechanisms through which Data Principals may exercise their statutory rights.
This Policy governs the processing of personal data relating to: (a) Tenant organisations and their Authorised Users who access the ColdIQ platform; (b) Data Principals whose personal information is uploaded to or generated within the platform by Tenant organisations, including employees, depositors, and third-party warehouse contacts; and (c) external stakeholders, including visitors to the Company’s website and individuals who initiate formal communication with the Company.
The Company adheres to the principle of data minimisation, collecting only the digital personal data required for the “Permitted Purpose” of service delivery, account security, and statutory compliance.
Excluded identifiers. In alignment with high-risk data-minimisation protocols, the Company does not collect, process, or store Aadhaar numbers, Permanent Account Numbers (PAN), or other government-issued individual identifiers. The Company is not a payment aggregator; it does not process financial transactions, hold escrow funds, or integrate with payment gateways. All actual remittances occur via bank transfer external to the Service.
The platform’s optional client/depositor KYC fields offer Aadhaar / PAN / Ration-Card identifiers entered by the Tenant (Tenant-managed Data-Processor data, above) — which the Service stores. This must be reconciled with the “Excluded identifiers” statement: either that exclusion is to be scoped to the Company’s own (Data-Fiduciary) account data, or the optional KYC processing of government-issued identifiers must be expressly disclosed here. Pending counsel.
In accordance with Sections 4 and 7 of the DPDP Act, 2023, the Company processes personal data strictly for the identified “Permitted Purposes”:
Withdrawal of consent. In compliance with Section 6 of the DPDP Act, Data Principals may withdraw consent at any time. Withdrawal may affect the Company’s ability to continue providing certain features; processing will cease immediately unless a separate lawful basis — such as a legal obligation to retain records for statutory tax purposes — mandates continued retention.
Notwithstanding the Company’s incorporation and primary operations within India, the primary production databases, application infrastructure, and all digital personal data processed via ColdIQ are hosted on secured cloud infrastructure located in Singapore.
This arrangement constitutes a cross-border transfer of personal data under Section 16 of the DPDP Act, 2023. By accepting the EULA and using the Service, the Tenant (as the primary Data Fiduciary) authorises this transfer and represents that it has obtained, or shall obtain, valid, informed, and affirmative consent from its Data Principals for the processing of their data in Singapore.
The Company ensures the Singapore-based infrastructure affords protection at least as stringent as that mandated by the DPDP Act, including: adherence to Singapore’s Personal Data Protection Act (PDPA); cloud providers maintaining ISO 27001 and/or SOC 2 Type II certifications; and AES-256 full-disk encryption at rest with TLS 1.2 or higher (with Perfect Forward Secrecy) in transit.
Onward transfers. Data stored in Singapore shall not be transferred to any further jurisdiction except (i) as mandated by the applicable laws of India or Singapore; (ii) with the Tenant’s express prior written consent; or (iii) where the Data Principal has provided explicit, informed consent. Where required by regulatory notification, or if Singapore’s adequacy status is modified by the Central Government of India, the parties shall execute Standard Contractual Clauses (SCCs) or supplementary addendums. Limited technical metadata (Authorised User login identifiers and support-ticket correspondence) may be processed in other jurisdictions strictly to provide global technical support.
Digital personal data is retained only for as long as required to fulfil the Permitted Purpose for which it was collected, or as mandated by the statutory requirements of India.
Authorised User account data and operational / warehouse data are retained for the duration of the active subscription plus ninety (90) days following account closure or contract termination, after which they are securely purged or irreversibly anonymised.
Financial, invoice, and billing records generated on the basis of the Tenant’s GSTIN are preserved for seven (7) years to meet statutory tax obligations, taking precedence over individual erasure requests.
Security and access logs are retained for a minimum of one (1) year; support correspondence for three (3) years after ticket closure. Aggregated, anonymised analytics may be retained indefinitely where no individual can be re-identified.
Erasure. The Tenant may request erasure of operational data at any time by writing to the Grievance Officer (Section 9). Once the applicable retention period expires or a valid erasure request is processed, data is destroyed using industry-standard firmware-based erasure or physical-destruction methods so that it cannot be practicably reconstructed. Statutory record-keeping duties (particularly GST and tax compliance) take precedence over individual deletion requests.
The Company does not sell, rent, lease, or trade digital personal data to any third party for marketing, advertising, or commercial-profiling purposes.
To operate ColdIQ, the Company engages specialised third-party Sub-processors for: cloud infrastructure and hosting (primarily within Singapore); transactional communications (system alerts, authentication tokens, statutory invoices); and operational reliability (error-monitoring and diagnostic logging). In accordance with Section 8 of the DPDP Act, the Company executes written agreements with each Sub-processor imposing data-protection obligations equivalent to or more restrictive than this Policy and the associated Data Processing Agreement, and remains fully and vicariously liable for its Sub-processors.
A current list of authorised Sub-processors is available to the Tenant on request. The Company will give at least thirty (30) days’ prior written notice of any intended addition or replacement of a Sub-processor, during which the Tenant may reasonably object on data-protection or security grounds.
Compelled disclosure. The Company may disclose personal data where mandated by a valid court order, subpoena, or lawful request from a competent Indian authority (including the Data Protection Board of India or law-enforcement agencies). Where legally permissible, the Company will give the Tenant prompt written notice of the demand so it can seek a protective order or other remedy.
The Company maintains a formal security-management programme of Technical and Organisational Measures (TOMs) designed to ensure the confidentiality, integrity, and availability of all personal data, intended to meet or exceed accepted industry standards for SaaS providers. In fulfilment of Section 8 of the DPDP Act, these include:
On confirmation of a Personal Data Breach likely to result in harm, the Company initiates its Incident Response Protocol to lock down affected systems, and notifies the Tenant (as Data Fiduciary) without undue delay and no later than twenty-four (24) hours after becoming aware. Consistent with Section 8(6) of the DPDP Act, the Company assists in ensuring the Data Protection Board of India and affected Data Principals are notified within seventy-two (72) hours of breach confirmation.
In accordance with Chapter III of the DPDP Act, 2023, every Data Principal whose personal data the Company processes has the following rights:
If you are Tenant personnel (an employee, contractor, or contact of a Tenant organisation), the Tenant is your primary Data Fiduciary and your requests must be directed to the Tenant’s designated privacy representative; the Company, as Data Processor, provides reasonable technical assistance to the Tenant. To exercise any right directly, submit a written request to the Grievance Officer (Section 9); the Company may require identity verification before processing the request. The Company acknowledges a rights request within twenty-four (24) hours and provides a resolution or status update within thirty (30) days.
In accordance with Section 11(4) of the DPDP Act, 2023, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Company has established a formal mechanism for the expeditious redressal of grievances relating to the processing of personal data. Any Data Principal or User may exercise statutory rights or register a complaint by writing to the designated Grievance Officer:
Regulatory recourse. If you are not satisfied with the Grievance Officer’s resolution, or if your grievance is not addressed within the stipulated timeline, you have the statutory right to lodge a complaint with the Data Protection Board of India, once constituted and operational under the DPDP Act, 2023.
ColdIQ, including its web interface and PWA, uses “cookies” and similar locally-stored technical identifiers (collectively, “Cookies”) to ensure security, support the user experience, and gather aggregated performance metrics. The Company uses the following categories:
You may refuse or delete Cookies through your browser’s privacy settings, and you may opt out of non-essential analytical Cookies by writing to the Grievance Officer. In accordance with the Company’s data-minimisation protocols:
Because the platform sets only first-party functional Cookies and de-identified first-party analytics — and no third-party advertising or cross-site tracking Cookies — cookie use is disclosed in this Policy and no cookie-consent banner is shown.
ColdIQ is a specialised business-to-business (B2B) utility intended exclusively for organisations and their authorised personnel. The Service is not directed toward, nor intended for access by, individuals under eighteen (18) years of age. The Company does not knowingly solicit, collect, or process personal data from any Data Principal under 18 and, in accordance with Section 9 of the DPDP Act, provides no features that process children’s data in a manner likely to cause detrimental effect. If you believe the Company has inadvertently collected a minor’s data, notify the Grievance Officer; on verification the Company will permanently erase such data from its production environments and backups within the prescribed timelines.
The Company may modify, amend, or replace this Policy to reflect changes in platform functionality, emerging security threats, or evolving statutory requirements. For a Material Change — one that significantly alters the lawful basis for processing, data residency, or Data Principal rights — the Company will give the Tenant’s registered billing contact at least fourteen (14) days’ prior notice by electronic communication. The current version is always accessible via the ColdIQ dashboard and the Company’s official URL. Continued use of the Service after an update’s effective date constitutes acceptance of the revised Policy; if you disagree, you must cease use and initiate account deactivation.
This Policy and all matters arising out of or relating to the processing of personal data are governed by, and construed in accordance with, the laws of the Republic of India. Subject to the mandatory arbitration provisions of the Master Services Agreement and the EULA, the parties submit to the exclusive jurisdiction of the competent courts at Hyderabad, Telangana, India. This Policy is supplemental to, and must be read with, the MSA, SOW, and EULA; in the event of an irreconcilable conflict with the data-protection provisions of the MSA, the terms of the MSA (and its Data Processing Addendum) take precedence.