Privacy Policy

This Privacy Policy describes how Volvenix ("we," "our," "us") collects, uses, shares, and protects personal data when you use volvenix.com from anywhere in the world. It is designed to comply with the frameworks shown above. Where requirements differ across jurisdictions, we follow the stricter standard. By using the Site, you acknowledge this Policy. Where consent is required by applicable law, we will ask for it explicitly.

1. Data Controller / Data Fiduciary

Volvenix is the Data Fiduciary under the DPDP Act 2023 and the Data Controller under GDPR and UK GDPR.

Governing law: This Policy shall be governed by and construed in accordance with the laws of India.

Grievance Officer / DPO: [email protected]

2. Personal Data We Collect

A. Data You Provide Directly

• Account registration: name, email address, optional phone number.
• Social / OAuth login: profile data from Google, GitHub, or Apple (email, profile picture, provider user ID).
• Tool claims: business name, business email, business URL, optional documentation.
• Reviews & comments: text content you voluntarily submit.
• Contact form: name, email, message content (auto-deleted after 24 months).
• Newsletter: email address and subscription preferences.

B. Data Collected Automatically

• Usage data: pages visited, tools viewed, searches, links clicked, time on page.
• Device data: browser type, OS, screen resolution, language preference.
• IP address — stored as a one-way SHA-256 hash with salt. Raw IP is never persisted.
• Affiliate click data: which affiliate links were clicked and conversion events (consent-gated where required).
• Session tokens: stored in secure, HTTP-only, SameSite=Strict cookies. Not accessible via JavaScript.

C. Data from Third Parties

• OAuth providers: verified email, profile picture, provider-specific user ID.
• Analytics providers: aggregated, anonymized traffic and engagement data.
• Affiliate networks: anonymized conversion and revenue attribution events only.

3. Legal Bases for Processing

Legal Basis	Purpose	Framework References
Consent	Analytics, marketing cookies, affiliate tracking, newsletter, personalization.	GDPR Art.6(1)(a) · UK GDPR · DPDP S.7 · CCPA · LGPD Art.7(I)
Contract	Account creation, authentication, MFA, claim management, service delivery.	GDPR Art.6(1)(b) · DPDP S.7 · PIPEDA · LGPD Art.7(V)
Legitimate Interests	Fraud detection, abuse prevention, security monitoring, product improvement.	GDPR Art.6(1)(f) · UK GDPR · LGPD Art.7(IX)
Legal Obligation	Responding to lawful data requests, audit logging, compliance.	GDPR Art.6(1)(c) · DPDP S.7 · applicable local law

For CCPA/CPRA (California): we do not "sell" or "share" personal information as defined under California law. California residents have additional rights set out in Section 9.

4. How We Use Your Data

• Account management: registration, login (password + social OAuth), MFA (TOTP), session management, OTP-based password reset.
• Service delivery: tool recommendations, saved bookmarks, comparison history, dashboard personalization.
• Affiliate tracking: attributing commissions for clicks and conversions (consent-gated where required).
• Tool claims: verifying vendor ownership via email domain match, DNS TXT record, or manual admin review.
• Analytics: understanding usage to improve rankings, search quality, and content (consent-gated).
• Communications: account alerts, OTP codes, password reset, and optional newsletter (opt-in only).
• Security: CSRF token validation, rate limiting, audit logging, anomaly detection.
• Legal compliance: responding to data subject requests, regulatory inquiries, court orders.

5. Consent Management

We maintain a consent record for each user by category: analytics, marketing / affiliate tracking, and personalisation. You can update preferences at any time via Account Settings > Privacy or via the cookie consent banner. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

6. Data Sharing

We do not sell your personal data. We do not share personal data for cross-context behavioural advertising. We share data only under these limited circumstances:

• Service providers: cloud hosting, transactional email, error monitoring — all bound by written data processing agreements (DPAs).
• Affiliate networks: anonymized, hashed click and conversion data for commission processing only. No personal identifiers are shared.
• Law enforcement / regulators: when required by a valid court order, subpoena, or government authority. We will notify affected users where legally permitted.
• Business transfers: in the event of a merger or acquisition, users will receive at least 30 days' notice and the right to delete their data before transfer.
• With your explicit consent: any other sharing will only occur with your prior, specific, informed consent.

7. International Data Transfers

Volvenix is operated from India. Your data may be transferred to and processed in countries outside your country of residence, including India, the United States, and EU member states, where our infrastructure and service providers operate.

For transfers from the EU/EEA and UK: where we transfer data to countries not covered by an EU or UK adequacy decision (including India, which does not yet have an EU adequacy decision), we apply Standard Contractual Clauses (SCCs) as approved by the European Commission (2021/914), and UK International Data Transfer Agreements (IDTAs) where applicable. Copies of relevant safeguards are available on request at [email protected].

For other jurisdictions: we apply equivalent contractual protections consistent with applicable local law, including PIPEDA for Canadian users, APP 8 for Australian users, and LGPD Chapter V mechanisms for Brazilian users.

8. Data Retention

Data Type	Retention Period
Account data	Retained while active + 30 days after verified deletion request
Session tokens	Expire on logout or session timeout
Contact messages	24-month TTL — auto-deleted
Audit logs	12-month rolling window
API usage logs	Partitioned quarterly; retained 2 years
Consent records	Minimum 3 years (DPDP Act requirement)
Affiliate click data	13 months to support annual reporting
Deleted account data	Purged within 30 days of deletion

9. Your Rights — By Region

We honor the following rights for all users globally, subject to applicable local law. Submit a request via /account/data-request or email [email protected]. We respond within 30 days (72 hours for urgent DPDP requests).

Right	Description	Available Under
Access / Know	Request a copy of personal data we hold.	All regions
Correction	Correct inaccurate or incomplete data.	All regions · DPDP S.12 · GDPR Art.16
Erasure / Deletion	Request deletion of personal data.	All regions · DPDP S.13 · GDPR Art.17 · CCPA
Portability	Receive data in structured, machine-readable format.	GDPR Art.20 · UK GDPR · LGPD
Withdraw Consent	Withdraw consent for any consent-based processing.	All regions
Opt-Out of Sale/Sharing	We do not sell data. No opt-out needed.	CCPA/CPRA
Objection	Object to processing based on legitimate interests.	GDPR Art.21 · UK GDPR · LGPD
Nomination	Nominate another to exercise rights on your behalf.	DPDP Act S.14
Non-Discrimination	No penalty for exercising privacy rights.	CCPA/CPRA · all regions

10. Supervisory Authorities & Complaints

You have the right to lodge a complaint with your local data protection authority:

Region	Authority
India	Data Protection Board of India (DPDP Act 2023). Contact our Grievance Officer at [email protected] first.
EU / EEA	Your local EU Data Protection Authority. Find yours at edpb.europa.eu.
United Kingdom	Information Commissioner's Office (ICO) — ico.org.uk
United States (CA)	California Privacy Protection Agency (CPPA) — cppa.ca.gov
Canada	Office of the Privacy Commissioner — priv.gc.ca
Brazil	ANPD — gov.br/anpd
Australia	OAIC — oaic.gov.au

11. Cookies

Category	Purpose	Consent Required
Strictly Necessary	Session auth, CSRF protection, consent state.	No — always active
Analytics	Page views, searches, click events.	Yes (EU, UK, Brazil, CA)
Affiliate / Marketing	Affiliate link attribution and conversion tracking.	Yes (EU, UK, Brazil)
Personalization	Tool recommendations, recently viewed.	Yes (EU, UK users)

Manage cookie preferences via the consent banner or Account Settings > Privacy. Disabling non-essential cookies does not affect core Site functionality.

12. Children's Privacy

Volvenix does not knowingly collect personal data from children under 13, or under the applicable digital consent age in their jurisdiction (e.g. 16 in certain EU member states). If we become aware of such collection, we will delete the data promptly. Parents or guardians who believe their child has provided personal data should contact [email protected] immediately.

13. Security

We implement: TLS 1.2+ encryption in transit; bcrypt password hashing; SHA-256 + salt hashed IP addresses; TOTP-based multi-factor authentication; CSRF token validation; HTTP-only SameSite=Strict session cookies; role-based access control (RBAC); and partitioned audit logging. We will notify affected users of a data breach within 72 hours of becoming aware of it where required by applicable law (GDPR Art.33/34, DPDP Act, PIPEDA, etc.).

14. Changes to This Policy

We may update this Policy at any time. We will notify registered users via email and post the updated Policy with a revised "Last Updated" date. For material changes, we will provide at least 15 days' advance notice and, where required by law, seek fresh consent.

15. Grievance Officer & Contact

Under the DPDP Act 2023, GDPR, and other frameworks, you may contact:

Grievance Officer / DPO: [email protected]
Response time: within 30 days for all requests; 72 hours for urgent DPDP matters.

Also see: Terms of Service  ·  Disclaimer  ·  Vendor Data Policy