Privacy Policy
How we handle personal data, in line with the Digital Personal Data Protection Act, 2023.
Last updated: [Effective date]
This Privacy Policy explains how [Spexx Technologies legal name] ("Spexx", "we", "us") collects, uses, stores, shares, and protects personal data when you use our website and products. It is written to comply with the Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, as applicable. Please read it together with our Cookie Policy and our Data Processing Addendum.
1. Who we are
[Spexx Technologies legal name] is a company incorporated in India (CIN: [CIN], GSTIN: [GSTIN]) with its registered office at [Registered office address]. For the personal data described in this policy, Spexx acts as a Data Fiduciary under the DPDP Act, except for data we process on behalf of our business customers, where we act as a Data Processor (see Section 5).
2. What data we collect
We collect only the data we need to provide and operate our services:
- Account data. Your name, email address, phone number, password (stored in hashed form), and account preferences when you sign up or log in.
- Business and branch data. Information about the organisation, business, or branch you create or belong to, such as legal and trading names, addresses, tax identifiers, and the roles assigned to your team members.
- Usage data. Technical and activity information generated when you use our products, including IP address, device and browser type, log timestamps, pages and features accessed, and diagnostic events used for security and reliability.
- Payment metadata. We process payments through Razorpay. We receive transaction metadata such as order identifiers, payment status, amount, and the last four digits of a card or instrument. We do not store full card numbers, CVV, or banking credentials on our systems.
- Health and customer-supplied data. Where a customer uses a Spexx product to manage health records or other end-user information, that data is processed by us on the customer's behalf and under their instructions. For this data the customer is the Data Fiduciary and Spexx is the Data Processor.
3. Purposes and lawful basis
Under the DPDP Act, we process personal data on one of the following bases:
- Consent. Where you have given consent for a specific purpose, such as creating an account, receiving optional communications, or providing data for a feature you choose to use. You may withdraw consent at any time as described in Section 8.
- Legitimate use. Where processing is necessary for a purpose recognised under the DPDP Act, including providing a service you have requested, fulfilling your account and billing relationship, and meeting our legal obligations.
4. How we use it
- To create, authenticate, and manage your account.
- To provide, maintain, and improve the products and features you use.
- To process subscriptions, invoices, and payments, and to prevent billing errors and fraud.
- To keep our services secure, diagnose problems, and protect against misuse.
- To send service and transactional messages, and, with your consent, optional updates.
- To comply with applicable law and respond to lawful requests from authorities.
5. Sharing and sub-processors
We do not sell personal data. We share data only with service providers who help us run our services, under contractual safeguards and only for the purposes set out in this policy. These include payment processing (Razorpay), cloud hosting, and communications providers. Where Spexx acts as a Data Processor for a customer, our processing terms and the list of approved sub-processors are set out in our Data Processing Addendum. We may also disclose data where required by law, court order, or a valid request from a competent authority.
6. Data retention
We retain personal data only for as long as it is needed for the purposes described in this policy, or for as long as required to meet legal, accounting, or reporting obligations. When the purpose is met and there is no legal requirement to retain the data, we delete or anonymise it. For data we process on behalf of a customer, retention and deletion follow the customer's instructions and the terms of our agreement with them.
7. Security
We use reasonable security safeguards to protect personal data, including encryption in transit, access controls, hashed credentials, network isolation, audit logging, and regular review of our systems. No method of transmission or storage is completely secure, but we work to protect your data and to respond promptly to any incident. In the event of a personal data breach, we will notify the Data Protection Board of India and affected individuals as required by the DPDP Act.
8. Your rights under the DPDP Act
Subject to the conditions in the DPDP Act, you have the right to:
- Access a summary of the personal data we process about you and how we process it.
- Correct, complete, or update inaccurate or incomplete personal data.
- Erase personal data that is no longer needed for the purpose for which it was collected, subject to legal retention requirements.
- Seek grievance redressal through our Grievance Officer (Section 12).
- Nominate another individual to exercise your rights in the event of your death or incapacity.
You may also withdraw consent at any time. To exercise any of these rights, contact us at grievance@spexx.in. Where Spexx processes data on a customer's behalf, please direct your request to that customer, and we will support them in responding.
9. Children
Our services are intended for businesses and adult users. We do not knowingly process the personal data of a child (a person under 18 years of age) without verifiable consent from a parent or lawful guardian, as required by the DPDP Act, and we do not undertake tracking, behavioural monitoring, or targeted advertising directed at children. If you believe a child's data has been provided to us without proper consent, please contact us so we can address it.
10. International transfers and data residency
We host and process personal data in data centres located in the India region. Where any transfer outside India is necessary, we carry it out only to countries permitted under the DPDP Act and applicable notifications, and under appropriate contractual safeguards. We do not transfer personal data to any jurisdiction restricted by the Central Government.
11. Cookies
We use cookies and similar technologies to keep you signed in, remember your preferences, and understand how our services are used. You can control cookies through your browser settings. For details, see our Cookie Policy.
12. Grievance Officer
In accordance with the DPDP Act and the IT Rules, 2021, we have appointed a Grievance Officer to address questions and complaints about this policy and your personal data.
Grievance Officer: [Grievance Officer name]
Email: grievance@spexx.in
Address: [Registered office address]
We will acknowledge grievances promptly and aim to resolve them within the timelines set under applicable law. For the full procedure, see our Grievance Redressal Policy.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our services or the law. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you. Your continued use of our services after an update means you accept the revised policy.
14. Contact
For any questions about this policy or our handling of personal data, contact us at grievance@spexx.in or write to [Spexx Technologies legal name], [Registered office address].