Privacy Policy

How Volvenix collects, uses, shares, and protects personal data when you use volvenix.com from anywhere in the world. Volvenix is operated as a fully autonomous system; the data-handling described here is implemented in the platform's automated pipeline. Where requirements differ across jurisdictions, we follow the stricter standard.

  • May 26, 2026 Effective date
  • India Governing law
  • 8 frameworks DPDP · GDPR · UK GDPR · CCPA …
🇮🇳 DPDP Act 2023 🇪🇺 GDPR 🇬🇧 UK GDPR 🇺🇸 CCPA/CPRA 🇨🇦 PIPEDA 🇧🇷 LGPD 🇸🇬 PDPA 🇦🇺 Privacy Act
1 — Data controller / data fiduciary

Who's responsible for your data.

Volvenix is the Data Fiduciary under the DPDP Act 2023 and the Data Controller under GDPR and UK GDPR. This Policy shall be governed by and construed in accordance with the laws of India. Our Grievance Officer / DPO can be reached at [email protected].

2 — Personal data we collect

What we hold, where it comes from, and what we do not store raw.

A. Data you provide directly

  • Account registration: name, email address, optional phone number.
  • Social / OAuth login: profile data from Google, GitHub, Apple, LinkedIn, X (Twitter), or Facebook — email, profile picture, provider user ID, scopes granted.
  • Tool claims: business name, business email, business URL, optional documentation, DNS TXT record value.
  • Reviews & comments: text content you voluntarily submit when these surfaces become available.
  • Contact form: name, email, message content (auto-deleted after 24 months via the gdpr_purge cron).
  • Newsletter: email address and subscription preferences.

B. Data collected automatically

  • Usage data: pages visited, tools viewed, searches, links clicked, time on page.
  • Device data: browser type, OS, screen resolution, language preference.
  • IP address — stored as a one-way SHA-256 hash with salt. Raw IP is never persisted anywhere in the database (verified across affiliate_clicks, audit_log, consents, and data_requests — all carry a 64-char hex ip_hash, no raw column).
  • Affiliate click data: which affiliate links were clicked and conversion events (consent-gated where required).
  • Session tokens: stored in secure, HTTP-only, SameSite=Strict cookies. Not accessible via JavaScript.

C. Data from third parties

  • OAuth providers (Google, GitHub, Apple, LinkedIn, X, Facebook): verified email, profile picture, provider-specific user ID.
  • Google Analytics 4 (GA4) & Google Tag Manager (GTM): aggregated, anonymized traffic and engagement data. Loaded only after analytics consent is given.
  • Cloudflare: anonymized page performance, edge cache metrics, and DDoS protection telemetry.
  • Affiliate networks: anonymized conversion and revenue attribution events only — no raw user identifiers shared.

D. Third-party service providers

  • Google Fonts & Fontshare (Indian Type Foundry): Font delivery CDNs. Your browser's IP address may be transmitted to these services when loading fonts. No tracking cookies are set by these services.
  • DataForSEO: Search engine ranking and keyword data. We send only our own domain name; no user personal data is shared.
  • Resend: Transactional email delivery (account verification, password reset, OTP). Receives recipient email address for sending only.
  • Twilio (planned): SMS delivery for phone-based OTP. Integration is wired but not yet activated in production. Today, all OTP flows use email via Resend.
3 — Legal bases for processing

Mapped to GDPR Art. 6, DPDP §7, and equivalents.

For CCPA/CPRA (California): we do not "sell" or "share" personal information as defined under California law. California residents have additional rights set out in Section 9.

4 — How we use your data

Specific purposes only.

  • Account management: registration, login (password + social OAuth), MFA (TOTP via authenticator apps), session management, email-based OTP for password reset.
  • Service delivery: tool recommendations, saved bookmarks, comparison history, dashboard personalisation.
  • Affiliate tracking: attributing commissions for clicks and conversions (consent-gated where required).
  • Tool claims: verifying vendor ownership via email domain match, DNS TXT record, or manual review.
  • Analytics: understanding usage to improve rankings, search quality, and content (consent-gated).
  • Communications: account alerts, OTP codes, password reset, and optional newsletter (opt-in only).
  • Security: CSRF token validation, rate limiting, audit logging, anomaly detection.
  • Legal compliance: responding to data subject requests, regulatory inquiries, court orders.
5 — Consent management

Three categories you control independently.

We maintain a consent record for each user by category: analytics, marketing / affiliate tracking, and personalisation. Each consent record is stamped with the user-agent and a hashed IP for proof-of-consent under GDPR Art. 7(1). You can update preferences at any time via Account Settings → Privacy or via the cookie consent banner. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

6 — Data sharing

We do not sell or "share" your personal data for advertising.

We do not sell your personal data. We do not share personal data for cross-context behavioural advertising. We share data only under these limited circumstances:

  • Service providers: cloud hosting, transactional email, error monitoring — all bound by written data processing agreements (DPAs).
  • Affiliate networks: anonymized, hashed click and conversion data for commission processing only. No personal identifiers are shared.
  • Law enforcement / regulators: when required by a valid court order, subpoena, or government authority. We will notify affected users where legally permitted.
  • Business transfers: in the event of a merger or acquisition, users will receive at least 30 days' notice and the right to delete their data before transfer.
  • With your explicit consent: any other sharing will only occur with your prior, specific, informed consent.
7 — International data transfers

India-operated; appropriate safeguards across borders.

Volvenix is operated from India. Your data may be transferred to and processed in countries outside your country of residence, including India, the United States, and EU member states, where our infrastructure and service providers operate.

For transfers from the EU/EEA and UK to countries not covered by an adequacy decision (including India, which does not yet have an EU adequacy decision), we apply appropriate safeguards including Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914 — and UK International Data Transfer Agreements (IDTAs) where applicable. Copies of relevant safeguards are available on request at [email protected].

For other jurisdictions: we apply equivalent contractual protections consistent with applicable local law, including PIPEDA for Canadian users, APP 8 for Australian users, and LGPD Chapter V mechanisms for Brazilian users.

8 — Data retention

How long each category lives.

What happens when you delete your account

Volvenix follows a delete-the-person, keep-the-knowledge model. When an account is deleted, we immediately remove your personal information — email, name, phone, avatar, preferences and IP hashes — revoke all active sessions, disable the account, and remove your public profile and username. Within 30 days, cron/gdpr_purge.php completes the erasure: bookmarks, sessions and authentication codes are permanently deleted, reviews are anonymised, and audit entries are detached from your identity.

Public contributions — such as accepted AI tool submissions — may remain on Volvenix as anonymised community content to preserve the integrity of the directory. This keeps the catalogue complete, search rankings stable, and the tools you contributed available to everyone. Such contributions are no longer associated with your identity.

9 — Your rights — by region

Access, correction, erasure, portability, withdrawal, objection.

We honour the following rights for all users globally, subject to applicable local law. To submit a request, email [email protected] with your user ID (if known) and the specific right you wish to exercise. We will verify your identity before processing.

Statutory response window: 30 days under GDPR Art. 12(3) and equivalent provisions; 72 hours for urgent DPDP Act matters. We meet these windows directly — there is no human review backlog because requests are routed to the founder's privacy desk.

10 — Supervisory authorities & complaints

Where to escalate if you're unhappy with our response.

You have the right to lodge a complaint with your local data protection authority:

11 — Cookies

Four categories; one is always-on; three need consent.

Manage cookie preferences via the consent banner or Account Settings → Privacy. Disabling non-essential cookies does not affect core Site functionality.

12 — Children's privacy

Minimum 13; higher where local law requires.

Volvenix does not knowingly collect personal data from children under 13, or under the applicable digital consent age in their jurisdiction (e.g. 16 in certain EU member states). If we become aware of such collection, we will delete the data promptly. Parents or guardians who believe their child has provided personal data should contact [email protected] immediately.

13 — Security

The controls running today.

  • TLS 1.2+ encryption in transit for all connections to the Site.
  • bcrypt password hashing via PHP password_hash() defaults.
  • SHA-256 + salt IP hashing at collection — no raw IP persisted anywhere.
  • TOTP-based MFA via authenticator apps (Google Authenticator, Authy, 1Password, etc.); the secret is encrypted at rest.
  • CSRF token validation on every state-changing request.
  • HTTP-only, SameSite=Strict session cookies — not accessible to JavaScript.
  • Role-based access control (RBAC) on admin surfaces.
  • Partitioned audit logging covering every authenticated action.

We will notify affected users of a data breach within 72 hours of becoming aware of it, where required by applicable law (GDPR Art.33/34, DPDP Act, PIPEDA, etc.).

14 — Changes to this policy

We post updates with a revised "Effective date".

We may update this Policy at any time. We will notify registered users via email and post the updated Policy with a revised "Effective date" at the top of this page. For material changes, we will provide at least 15 days' advance notice and, where required by law, seek fresh consent.

15 — Grievance officer & contact

One address; statutory response windows.

Under the DPDP Act 2023, GDPR, and other frameworks, you may contact:

  • Grievance Officer / DPO: [email protected]
  • Response time: within 30 days for all requests; 72 hours for urgent DPDP Act matters.

Also see:

Terms cover the contract you accept when using the Site; the Disclaimer covers affiliate links + AI content; the Vendor Data Policy covers tool-listing data sources and the claim flow.