Privacy Policy
Effective: July 2, 2026
Tracetex 360 Innovations (OPC) PVT LTD ("Tracetex," "we," "us") is committed to protecting data for our B2B SaaS customers and end consumers. This Privacy Policy (effective July 2, 2026) describes how Tracetex collects, uses, stores, and shares information across our platform (web, mobile apps, APIs) and features (Trace Basic/Growth/Enterprise subscriptions, QR/NFC product scans, Digital Product Passports, analytics, AI tools, etc.). By using Tracetex services, you consent to the data practices described herein.
Data Controller/Processor: Tracetex (India) is the Data Fiduciary (controller) for data collected in providing our platform. Customers may also act as Controllers of their own data (as described below).
1. Information We Collect
- Business and Brand Data: Company name, GST/registration numbers, contact and address info, authorized representatives and roles, brand details.
- User Account Data: Name, email, phone, credentials (passwords stored encrypted), user role and organization.
- Product/Supply-Chain Data: Brand-uploaded info per product (SKU, batch, manufacturer, materials, composition, supply-chain partners, origin, sustainability/ESG info, certifications, DPP content, product images, care instructions, etc.) used to build the Digital Product Passport.
- Consumer Scan Data: When end-consumers scan QR codes or NFC tags, we collect device/browser type, timestamp, country/region, language, and approximate location (IP-based). Precise GPS is not collected without explicit opt-in. Scan events are logged for analytics, fraud detection, and improving traceability features (no personal identity beyond device info).
- Technical/Usage Data: IP addresses, device model, operating system, browser version, session logs, error reports, cookies, analytics identifiers (e.g. Google Analytics Client IDs), crash logs.
- Payment Data: We obtain billing contact and transaction receipts. Sensitive payment details (full card/PIN) are handled directly by third-party processors; we do not store CVV, card numbers, or bank passwords.
- Support Communications: Any content you submit via customer support or feedback (may include contact info, issue details).
2. How We Use Your Data
- Service Delivery: To provide Tracetex features (product registration, DPP generation, authentication, API integration, analytics dashboards).
- Authenticity & Security: To verify product authenticity, prevent counterfeiting/fraud, secure accounts.
- Customer Support: To respond to inquiries and technical issues.
- Analytics & Improvement: Aggregate analysis to improve platform performance, functionality and develop new features (e.g. AI-based traceability insights).
- Legal Compliance: To meet legal obligations (e.g. audit logs, tax records), enforce contracts, and protect rights.
3. Subscription Plans Data Handling
Tracetex offers three subscription levels, with data practices scaled to match:
- Trace Basic: Limited data collection for basic features (product registration, simple DPP, QR codes, basic analytics). Only essential personal or product data needed to operate this plan is collected and used.
- Trace Growth: Additional data collected for advanced tracking, batch management, ESG and certification features, team collaboration, and advanced analytics. We process business performance and supply-chain data to support these functions.
- Trace Enterprise: Enterprise integrations (ERP/PLM), multi-site support, custom workflows and security controls. Enterprise agreements may include a signed Data Processing Agreement and customized terms. Enterprise-level customers may choose on-prem or VPC setups and have greater access to logs and data.
At all levels, we limit data use to what is necessary for the subscribed features.
4. Digital Product Passports (DPP)
Each product registered in Tracetex can have a unique Digital Product Passport containing product identity, manufacturing data, material and sustainability info, certifications, lifecycle history (e.g. factory, transport, retail), and end-of-life guidance. Only data explicitly provided by your brand or authorized supply-chain partners appears in the DPP. Consumers scanning QR/NFC access this data to verify authenticity and learn the product journey. Tracetex does not independently verify third-party data unless through certified integrations.
5. Cookies and Tracking
Tracetex and its service providers use cookies and similar technologies to provide core functionality and analytics:
- Essential cookies: Required for user login sessions, load balancing, security (anti-fraud), and keeping users logged in.
- Analytics cookies: Used to collect anonymized usage statistics (e.g. page views, scan counts) to improve performance and product features. Third-party analytics (e.g. Google Analytics) may set persistent identifiers; these IDs are not personally linked to user accounts.
- Preference cookies: To remember user preferences (language, dashboard settings).
- Optional/Marketing cookies: Only with consent. Used if enabled by users (e.g. for personalized newsletters or beta-feature experiments).
Users can manage cookie preferences via a consent banner or browser settings. Disabling certain cookies may limit platform functionality. (See our Cookie Policy for further details.)
GDPR Note: Per EU law, we rely on user consent for non-essential cookies and provide clear opt-in/opt-out. GDPR recitals define consent as “freely given, specific, informed, and unambiguous” by clear action.
6. Legal Bases for Processing
- Contractual necessity: Many data processing activities are needed to fulfill our service agreement (e.g. processing product data, account information, and payments to deliver Tracetex services).
- Consent: For any optional features (marketing emails, certain analytics or third-party integrations), we obtain explicit user consent. Consent can be withdrawn at any time (e.g. via account settings or email request).
- Legitimate Interests: In some cases (fraud detection, network/system security, service improvement), we rely on our legitimate business interest, balanced against user rights.
- Legal Compliance: Processing to comply with laws (tax audits, financial record-keeping, requests from law enforcement).
7. Data Sharing and Transfer
- No Sale of Personal Data: We do not sell personal data.
- Service Providers: We share data only with third-party vendors that support our services (cloud hosts, payment processors, email/SMS providers, analytics tools). Each vendor is contractually bound to confidentiality and uses data only for providing their service (per GDPR/DPDP requirements).
- Enterprise Customers: Authorized brand users see data within their organization (role-based access).
- Legal Requests: We will disclose data when required by law (e.g. subpoenas, court orders).
- Cross-Border Transfers: Tracetex operates on global cloud infrastructure (e.g. AWS/Supabase in India/EU/US). Data may be stored or processed outside India/EU. We implement appropriate safeguards (Standard Contractual Clauses or India’s Data Protection Board approvals as needed) to ensure data security in transfers. India’s DPDP Act generally prohibits export without approval, so cross-border transfers are limited and controlled as per rules.
8. Data Security
We maintain a robust information security program aligned with industry standards (ISO 27001, SOC 2). Controls include:
- Encryption: All sensitive data is encrypted in transit (HTTPS/TLS 1.2+) and at rest (AES-256 or equivalent). Communications between services use secure channels.
- Access Control: Role-based access for employees and customers; multi-factor authentication for admin accounts; principle of least privilege for systems access.
- Network Security: Firewalls, intrusion detection/prevention, VPCs or private subnets for sensitive data.
- Logging/Auditing: Detailed audit logs of system and data access. Regular reviews of access logs.
- Vulnerability Management: Regular security patching and penetration testing. Third-party penetration tests and code audits are conducted periodically.
- Backups and Disaster Recovery: Encrypted backups with frequent snapshots; stored offline/offsite. Business continuity plan includes data restoration within hours.
- Staff Training: Security training for employees, strict confidentiality agreements, and periodic policy reviews.
Despite strong measures, no system is infallible. We continuously update our controls based on emerging threats.
9. Data Retention
We retain personal and business data only as long as necessary:
- Active Accounts: Customer and product data is retained while the account is active or while needed for services.
- After Cancellation: Upon account termination, data may be deleted or anonymized within a reasonable period (e.g. 90 days) unless legal obligations require longer retention.
- Retention Schedule: As good practice, we use a documented retention schedule (per GDPR/ICO guidelines). For example: User account/profile info – retained for 3 years after account closure; Transaction/billing records – 7 years (for financial/audit compliance); System logs/analytics – 1–2 years; Email consents – 5 years; Job applications – 1 year, etc. (These are guidelines; actual periods depend on regulatory or business needs.)
- Special Laws: Certain regulations may impose minimum retention (e.g. financial or tax records in India). In such cases, we comply accordingly.
10. Data Subject Rights
Tracetex users (Data Principals) have rights under applicable laws:
- Access/Portability: You may request a copy of your personal data held by us (summary of data being processed). For enterprise customers, each user may access their account data.
- Correction/Update: You can request correction or completion of inaccurate personal data.
- Erasure: Where data processing is based on consent, you may request deletion of your personal data, unless retention is needed for legal compliance or legitimate interest.
- Consent Withdrawal: You can withdraw consent at any time (e.g. revoke marketing consent). For example, if consent was the sole basis of processing, we will cease processing that data (DPDP Sec. 8(7); DPDP Rule 6). Withdrawal does not affect data processed prior to withdrawal.
- Objection/Restriction: In some jurisdictions (EU), you can object to processing or request restriction in certain cases (e.g. direct marketing, profiling).
- Complaint: Under DPDP, you have the right to seek redress for any grievances. Contact us or the Data Protection Board if unresolved.
- California-specific: California residents have rights to know/delete their personal information, opt-out of sale (we do not sell data), and not be discriminated against for exercising these rights (as per CCPA/CPRA). We comply with such requests.
Requests should be made via support@tracetexi.in. We will respond in accordance with applicable deadlines (e.g. GDPR: one month; DPDP: within a month as per rules).
11. Children’s Data
Tracetex services are intended for business use. We do not knowingly process data of children under age 16 (or as defined by local law). If we learn we have collected a child’s data in violation, we will delete it.
12. Third-Party Services
Our platform may integrate with third-party systems (payment gateways, ERP/PLM connectors, analytics tools, email/SMS services, etc.). Each third party has its own privacy practices. We do not control their policies, so please review their terms. We only share data with them under contract and lawful basis.
13. AI & Automated Analytics
We may use AI/ML analytics to derive insights (e.g. detecting anomalies in supply chains, generating sustainability scores). AI outputs are probabilistic and meant to assist, not replace human judgment. We recommend users review AI-generated insights before making critical decisions. (See our AI Usage & Responsible AI Policy for further details.)
14. Data Breach Notification
In the event of a security breach affecting personal data:
- India (DPDP Act): We will notify the Data Protection Board and affected individuals promptly — initial notice “without delay”, with a detailed report to the Board within 72 hours.
- EU (GDPR): We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach. Affected EU users will also be informed without undue delay if there is high risk to their rights.
- California (CCPA/CPRA): We will notify California residents within 30 days of discovery of a breach, per recent California law (effective Jan 2026).
- Other Jurisdictions: We comply with any local breach laws; as best practice we aim to notify impacted users and authorities promptly (e.g. “without unreasonable delay”).
15. Play Store/App Store Compliance
Our mobile apps (if any) have privacy disclosures in line with Google/Apple requirements. We provide clear justifications for any sensitive permissions. For example, as per Google Play policy, camera and location are considered sensitive data, so we only request the camera to scan product QR/NFC codes and location (if at all) is used only for aggregated analytics. (See our Google Play & App Store Privacy Disclosure for details on each permission.)
16. Changes to Policy
We may update this Privacy Policy for legal or operational reasons. Changes will be posted on our site with an updated “Last Updated” date. Continued use after changes means acceptance. Please review this page periodically.
17. Governing Law
This policy is governed by Indian law. Any disputes (e.g. under DPDP) shall be subject to courts in West Bengal, India. EU users’ rights are preserved (GDPR, etc.), and the policy will be interpreted to comply with local laws where required.
18. Contact Information
Tracetex 360 Innovations (OPC) PVT LTD – Data Protection Officer (DPO)
Email: support@tracetexi.in (for privacy inquiries)
Address: Durgapur, West Bengal, India
By using Tracetex, you agree to this Privacy Policy. If you do not agree, please discontinue use.