Privacy Policy
How Volvenix collects, uses, shares, and protects personal data when you use volvenix.com from anywhere in the world. Volvenix is operated as a fully autonomous system; the data-handling described here is implemented in the platform's automated pipeline. Where requirements differ across jurisdictions, we follow the stricter standard.
- May 26, 2026 Effective date
- India Governing law
- 8 frameworks DPDP · GDPR · UK GDPR · CCPA …
Who's responsible for your data.
Volvenix is the Data Fiduciary under the DPDP Act 2023 and the Data Controller under GDPR and UK GDPR. This Policy shall be governed by and construed in accordance with the laws of India. Our Grievance Officer / DPO can be reached at [email protected].
What we hold, where it comes from, and what we do not store raw.
A. Data you provide directly
- Account registration: name, email address, optional phone number.
- Social / OAuth login: profile data from Google, GitHub, Apple, LinkedIn, X (Twitter), or Facebook — email, profile picture, provider user ID, scopes granted.
- Tool claims: business name, business email, business URL, optional documentation, DNS TXT record value.
- Reviews & comments: text content you voluntarily submit when these surfaces become available.
- Contact form: name, email, message content (auto-deleted after 24 months via the gdpr_purge cron).
- Newsletter: email address and subscription preferences.
B. Data collected automatically
- Usage data: pages visited, tools viewed, searches, links clicked, time on page.
- Device data: browser type, OS, screen resolution, language preference.
- IP address — stored as a one-way SHA-256 hash with salt. Raw IP is never persisted anywhere in the database (verified across affiliate_clicks, audit_log, consents, and data_requests — all carry a 64-char hex ip_hash, no raw column).
- Affiliate click data: which affiliate links were clicked and conversion events (consent-gated where required).
- Session tokens: stored in secure, HTTP-only, SameSite=Strict cookies. Not accessible via JavaScript.
C. Data from third parties
- OAuth providers (Google, GitHub, Apple, LinkedIn, X, Facebook): verified email, profile picture, provider-specific user ID.
- Google Analytics 4 (GA4) & Google Tag Manager (GTM): aggregated, anonymized traffic and engagement data. Loaded only after analytics consent is given.
- Cloudflare: anonymized page performance, edge cache metrics, and DDoS protection telemetry.
- Affiliate networks: anonymized conversion and revenue attribution events only — no raw user identifiers shared.
D. Third-party service providers
- Google Fonts & Fontshare (Indian Type Foundry): Font delivery CDNs. Your browser's IP address may be transmitted to these services when loading fonts. No tracking cookies are set by these services.
- DataForSEO: Search engine ranking and keyword data. We send only our own domain name; no user personal data is shared.
- Resend: Transactional email delivery (account verification, password reset, OTP). Receives recipient email address for sending only.
- Twilio (planned): SMS delivery for phone-based OTP. Integration is wired but not yet activated in production. Today, all OTP flows use email via Resend.
Mapped to GDPR Art. 6, DPDP §7, and equivalents.
| Legal Basis | Purpose | Framework References |
|---|---|---|
| Consent | Analytics, marketing cookies, affiliate tracking, newsletter, personalisation. | GDPR Art.6(1)(a) · UK GDPR · DPDP S.7 · CCPA · LGPD Art.7(I) |
| Contract | Account creation, authentication, MFA, claim management, service delivery. | GDPR Art.6(1)(b) · DPDP S.7 · PIPEDA · LGPD Art.7(V) |
| Legitimate interests | Fraud detection, abuse prevention, security monitoring, product improvement. | GDPR Art.6(1)(f) · UK GDPR · LGPD Art.7(IX) |
| Legal obligation | Responding to lawful data requests, audit logging, compliance. | GDPR Art.6(1)(c) · DPDP S.7 · applicable local law |
For CCPA/CPRA (California): we do not "sell" or "share" personal information as defined under California law. California residents have additional rights set out in Section 9.
Specific purposes only.
- Account management: registration, login (password + social OAuth), MFA (TOTP via authenticator apps), session management, email-based OTP for password reset.
- Service delivery: tool recommendations, saved bookmarks, comparison history, dashboard personalisation.
- Affiliate tracking: attributing commissions for clicks and conversions (consent-gated where required).
- Tool claims: verifying vendor ownership via email domain match, DNS TXT record, or manual review.
- Analytics: understanding usage to improve rankings, search quality, and content (consent-gated).
- Communications: account alerts, OTP codes, password reset, and optional newsletter (opt-in only).
- Security: CSRF token validation, rate limiting, audit logging, anomaly detection.
- Legal compliance: responding to data subject requests, regulatory inquiries, court orders.
Three categories you control independently.
We maintain a consent record for each user by category: analytics, marketing / affiliate tracking, and personalisation. Each consent record is stamped with the user-agent and a hashed IP for proof-of-consent under GDPR Art. 7(1). You can update preferences at any time via Account Settings → Privacy or via the cookie consent banner. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
We do not sell or "share" your personal data for advertising.
We do not sell your personal data. We do not share personal data for cross-context behavioural advertising. We share data only under these limited circumstances:
- Service providers: cloud hosting, transactional email, error monitoring — all bound by written data processing agreements (DPAs).
- Affiliate networks: anonymized, hashed click and conversion data for commission processing only. No personal identifiers are shared.
- Law enforcement / regulators: when required by a valid court order, subpoena, or government authority. We will notify affected users where legally permitted.
- Business transfers: in the event of a merger or acquisition, users will receive at least 30 days' notice and the right to delete their data before transfer.
- With your explicit consent: any other sharing will only occur with your prior, specific, informed consent.
India-operated; appropriate safeguards across borders.
Volvenix is operated from India. Your data may be transferred to and processed in countries outside your country of residence, including India, the United States, and EU member states, where our infrastructure and service providers operate.
For transfers from the EU/EEA and UK to countries not covered by an adequacy decision (including India, which does not yet have an EU adequacy decision), we apply appropriate safeguards including Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914 — and UK International Data Transfer Agreements (IDTAs) where applicable. Copies of relevant safeguards are available on request at [email protected].
For other jurisdictions: we apply equivalent contractual protections consistent with applicable local law, including PIPEDA for Canadian users, APP 8 for Australian users, and LGPD Chapter V mechanisms for Brazilian users.
How long each category lives.
| Data Type | Retention Period |
|---|---|
| Account data | Retained while active + 30 days after verified deletion request |
| Session tokens | Expire on logout or session timeout |
| Contact messages | 24-month TTL — auto-deleted by cron/gdpr_purge.php |
| Audit logs | 12-month rolling window |
| API usage logs | Partitioned quarterly; retained 2 years |
| Consent records | Minimum 3 years (DPDP Act requirement) |
| Affiliate click data | 13 months to support annual reporting |
| Deleted account data | Purged within 30 days of deletion |
What happens when you delete your account
Volvenix follows a delete-the-person, keep-the-knowledge model. When an account is deleted, we immediately remove your personal information — email, name, phone, avatar, preferences and IP hashes — revoke all active sessions, disable the account, and remove your public profile and username. Within 30 days, cron/gdpr_purge.php completes the erasure: bookmarks, sessions and authentication codes are permanently deleted, reviews are anonymised, and audit entries are detached from your identity.
Public contributions — such as accepted AI tool submissions — may remain on Volvenix as anonymised community content to preserve the integrity of the directory. This keeps the catalogue complete, search rankings stable, and the tools you contributed available to everyone. Such contributions are no longer associated with your identity.
Access, correction, erasure, portability, withdrawal, objection.
We honour the following rights for all users globally, subject to applicable local law. To submit a request, email [email protected] with your user ID (if known) and the specific right you wish to exercise. We will verify your identity before processing.
| Right | Description | Available Under |
|---|---|---|
| Access / Know | Request a copy of personal data we hold. | All regions |
| Correction | Correct inaccurate or incomplete data. | All regions · DPDP S.12 · GDPR Art.16 |
| Erasure / Deletion | Request deletion of personal data. | All regions · DPDP S.13 · GDPR Art.17 · CCPA |
| Portability | Receive data in structured, machine-readable format. | GDPR Art.20 · UK GDPR · LGPD |
| Withdraw consent | Withdraw consent for any consent-based processing. | All regions |
| Opt-out of sale/sharing | We do not sell data. No opt-out needed. | CCPA/CPRA |
| Objection | Object to processing based on legitimate interests. | GDPR Art.21 · UK GDPR · LGPD |
| Nomination | Nominate another to exercise rights on your behalf. | DPDP Act S.14 |
| Non-discrimination | No penalty for exercising privacy rights. | CCPA/CPRA · all regions |
Statutory response window: 30 days under GDPR Art. 12(3) and equivalent provisions; 72 hours for urgent DPDP Act matters. We meet these windows directly — there is no human review backlog because requests are routed to the founder's privacy desk.
Where to escalate if you're unhappy with our response.
You have the right to lodge a complaint with your local data protection authority:
| Region | Authority |
|---|---|
| India | Data Protection Board of India (DPDP Act 2023). Contact our Grievance Officer at [email protected] first. |
| EU / EEA | Your local EU Data Protection Authority. Find yours at edpb.europa.eu. |
| United Kingdom | Information Commissioner's Office (ICO) — ico.org.uk |
| United States (CA) | California Privacy Protection Agency (CPPA) — cppa.ca.gov |
| Canada | Office of the Privacy Commissioner — priv.gc.ca |
| Brazil | ANPD — gov.br/anpd |
| Australia | OAIC — oaic.gov.au |
Four categories; one is always-on; three need consent.
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly necessary | Session auth, CSRF protection, consent state. | No — always active |
| Analytics | Page views, searches, click events. | Yes (EU, UK, Brazil, CA) |
| Affiliate / marketing | Affiliate link attribution and conversion tracking. | Yes (EU, UK, Brazil) |
| Personalisation | Tool recommendations, recently viewed. | Yes (EU, UK users) |
Manage cookie preferences via the consent banner or Account Settings → Privacy. Disabling non-essential cookies does not affect core Site functionality.
Minimum 13; higher where local law requires.
Volvenix does not knowingly collect personal data from children under 13, or under the applicable digital consent age in their jurisdiction (e.g. 16 in certain EU member states). If we become aware of such collection, we will delete the data promptly. Parents or guardians who believe their child has provided personal data should contact [email protected] immediately.
The controls running today.
- TLS 1.2+ encryption in transit for all connections to the Site.
- bcrypt password hashing via PHP
password_hash()defaults. - SHA-256 + salt IP hashing at collection — no raw IP persisted anywhere.
- TOTP-based MFA via authenticator apps (Google Authenticator, Authy, 1Password, etc.); the secret is encrypted at rest.
- CSRF token validation on every state-changing request.
- HTTP-only, SameSite=Strict session cookies — not accessible to JavaScript.
- Role-based access control (RBAC) on admin surfaces.
- Partitioned audit logging covering every authenticated action.
We will notify affected users of a data breach within 72 hours of becoming aware of it, where required by applicable law (GDPR Art.33/34, DPDP Act, PIPEDA, etc.).
We post updates with a revised "Effective date".
We may update this Policy at any time. We will notify registered users via email and post the updated Policy with a revised "Effective date" at the top of this page. For material changes, we will provide at least 15 days' advance notice and, where required by law, seek fresh consent.
One address; statutory response windows.
Under the DPDP Act 2023, GDPR, and other frameworks, you may contact:
- Grievance Officer / DPO: [email protected]
- Response time: within 30 days for all requests; 72 hours for urgent DPDP Act matters.
Also see:
Terms cover the contract you accept when using the Site; the Disclaimer covers affiliate links + AI content; the Vendor Data Policy covers tool-listing data sources and the claim flow.