PRIVACY POLICY

1. INTRODUCTION

XParth Technologies Private Limited ("XParth", "we", "us", or "our") is a cyber security and data protection services company incorporated in India under the Companies Act, 2013. We are committed to safeguarding the privacy and security of all personal information that we process in the course of providing our services. Protecting your personal data is an essential part of how we conduct our business.

This Privacy Policy explains in clear and comprehensive terms how we collect, use, store, process, and protect your personal information when you visit our website, communicate with us, or engage with any of our products or services. The policy applies to all users of our website and individuals who share information with us in any manner.

We adhere to all applicable Indian data protection and privacy laws, including the Digital Personal Data Protection Act, 2023 (DPDPA) and any rules notified thereunder. Where relevant and contractually required, we also follow international best practices for data protection.

For internal oversight, we have designated a Data Protection Officer/Privacy Compliance Officer responsible for monitoring data protection practices, responding to user queries, and ensuring compliance with this Privacy Policy. If you have any questions or wish to exercise your rights under applicable law, please refer to the contact details provided in Section 16 of this Policy.

For the purpose of this Policy, "Personal Information" refers to any information that can identify an individual directly or indirectly, such as your name, phone number, email address, postal address, identification numbers, financial details, online identifiers, or any other data classified as personal under the DPDPA, 2023.

2. WHY WE COLLECT YOUR PERSONAL INFORMATION

We collect and process personal information only for lawful, specific, and clear purposes. Your data is used for one or more of the following reasons:

(a) Communication and Customer Interaction

To manage and maintain effective communication between you and our team, including responding to queries, addressing service requests, and providing support.

(b) Contractual Necessity

To perform obligations under a contract to which you are a party, or to take steps at your request before entering into a contract. This includes interactions with clients, suppliers, consultants, and service providers.

(c) Payment Processing

To process and manage payments, invoicing, financial transactions, and related accounting functions.

(d) Providing Requested Information

To share information, proposals, quotes, product insights, service materials, or updates that you specifically request or that we believe may be relevant to your needs based on your interactions with us.

(e) Website Functionality, Security, and Analytics

To ensure the security and efficient operation of our website, analyse website performance, detect technical issues, prevent misuse, and enhance user experience.

(f) Dashboards, Analytics, and Business Intelligence

To generate internal dashboards, analyse service performance, identify usage trends, and support business decision-making while ensuring such processing adheres to data minimisation principles.

(g) Marketing and Promotions

To send marketing content, promotional material, newsletters, service updates, and event information only with your consent or if you are an existing customer who has purchased similar services from us previously. You may opt out of marketing at any time.

(h) Training and Quality Assurance

To improve the quality of our services through staff training, internal audits, assessments, and performance reviews.

(i) Human Resources and Recruitment

To support HR functions including employee onboarding, payroll, compliance, performance monitoring, and internal administration.

(j) Background Verification and Legal Compliance

To conduct pre-employment screening, identity verification, right-to-work checks, and any other compliance-related activities required under Indian law or applicable contractual requirements.

(k) Background Verification and Security Screening

To conduct background verification and security screening as per our internal recruitment policies and industry best practices. This may include obtaining police verification or any other legally permissible security checks to ensure that we make safe, compliant, and well-informed hiring decisions.

(l) Surveys, Feedback, and Service Improvement

To conduct surveys, request feedback, and gather insights from customers, partners, or users in order to evaluate satisfaction levels, improve our services, enhance user experience, and tailor our offerings to better meet your expectations.

3. LAWFUL BASIS FOR PROCESSING PERSONAL INFORMATION

We collect and process your personal information only when permitted under applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (DPDPA), and any other obligations arising under contractual or regulatory frameworks. We ensure that every processing activity is supported by a valid and clearly defined lawful basis.
We may rely on one or more of the following grounds:

(a) Consent

Where you have voluntarily given clear and informed consent for us to process your personal information for a specific purpose. You have the right to withdraw consent at any time.

(b) Contractual Necessity

Where processing your information is required for entering into a contract with you, fulfilling contractual obligations, providing our services, or taking steps at your request before entering into an agreement.

(c) Legal Compliance

Where processing is necessary for complying with obligations imposed by Indian laws, regulatory authorities, or government agencies. This may include tax compliance, employment laws, cybersecurity regulations, or statutory reporting requirements.

(d) Protection of Vital Interests

Where processing is necessary to protect your life, safety, or well-being, or the vital interests of another individual, for example, in emergency situations.

(e) Legitimate Interests

Where processing is essential for the legitimate business interests of our organisation or those of a third party, provided such interests do not override your fundamental rights, freedoms, or expectations of privacy.

To ensure fairness and transparency, whenever we rely on legitimate interests, we conduct an internal Legitimate Interest Assessment (LIA), which involves:

  • Purpose Test: Determining the specific business interest behind the processing.
  • Necessity Test: Assessing whether the processing is essential for the stated purpose and if a less intrusive alternative is available.
  • Balancing Test: Evaluating whether your rights and freedoms, or the potential impact on you, outweigh the identified business interest.

Only when all three conditions are satisfied do we proceed with processing under this basis.

4. INFORMATION WE COLLECT AND HOW WE COLLECT IT

We may collect personal information from individuals and entities such as Clients, Customers, Service Providers, Partners, Applicants, and Website Users in various ways. This includes when you visit our website, submit a form, request information, participate in marketing activities, contact us by phone or email, interact with us through platforms like Microsoft Teams or social media channels, or use any of our products or services.

We collect data directly from you, automatically through our systems, and from third parties where lawful and relevant to our business operations.

4.1 Personal Information We May Collect

Depending on your interaction with us, we may collect, store, and process the following categories of personal information, in line with the DPDPA 2023:

  • Full name
  • Residential and previous addresses
  • Mobile number and landline number
  • Job title, role, employer details, previous employment information, and qualifications
  • Identity verification details and right-to-work documentation
  • Security screening information
  • Email address
  • Chat logs and communication records on our website or Microsoft Office 365 environment
  • Fax number (if applicable)
  • IP address and approximate geographic location
  • Information on how you interact with our website or services, including:
    • pages visited
    • features accessed
    • page response time
    • download errors
    • session duration
    • scroll activity
    • click patterns and hover actions
  • Browser type and version
  • Browser language preference
  • Operating system and device type
  • Time zone settings
  • Communication and marketing preferences
  • Transactional information relating to services purchased or used
  • Payment-related information (Note: We do not store card details and comply with applicable payment security standards)
  • Training or skill development information provided to or gathered from employees, partners, or trainees

To enhance marketing relevance, we may use technologies such as tracking pixels in emails. These technologies help us personalise our communications and understand your engagement levels. You may opt out of marketing communications at any time.

4.2 Special Category Personal Data

In limited and legally justified situations, we may process certain categories of personal data that are inherently more sensitive in nature. Such data requires heightened protection and is handled in accordance with Indian privacy principles, the Digital Personal Data Protection Act, 2023 (DPDPA), and international best practices. These categories may include:

  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Biometric identifiers, such as photographs, videos, audio recordings, or any data used to uniquely identify an individual
  • Health-related information, including physical or mental health conditions or medical history
  • Information relating to a person's sexual life or sexual orientation
  • Screenshots, logs, or technical artefacts generated during cybersecurity assessments, penetration tests, or vulnerability analysis that may incidentally contain personal data
  • Behavioural or conduct-related information, where relevant for compliance, investigations, or employment processes
  • Any other category of sensitive personal data that Indian law permits to be processed only with explicit consent

We apply additional organisational and technical safeguards when processing such sensitive data. This includes restricted access on a strict need-to-know basis, enhanced security controls, encryption, monitoring, and compliance with internal policies designed to protect privacy and prevent unauthorised use or disclosure.

4.3 Information Collected from Third Parties

We may receive personal information about you from third-party service providers, platforms, or partners that support our business operations. These may include, but are not limited to:

  • Apollo.io
  • ZoomInfo
  • Other partners, subcontractors, verification services, or business tools used in the course of managing operations, marketing, security, recruitment, or customer relationships.

This list is indicative and may expand as our business tools evolve.
We ensure that all third-party data transfers comply with applicable Indian laws and contractual obligations.

Where information relates to alleged criminal conduct, background checks, or law enforcement-related verification, such processing will be undertaken strictly in accordance with Indian legal requirements, and only to the extent necessary for employment purposes, fraud prevention, or statutory compliance.

5. RETENTION OF PERSONAL INFORMATION

We retain your personal information only for as long as it is necessary to fulfil the purposes for which it was collected, including meeting legal, regulatory, contractual, taxation, audit, and compliance obligations under Indian law.

We may also retain data for longer periods when:

  • required to defend legal claims,
  • needed for internal investigations or dispute resolution,
  • reasonably necessary due to potential litigation, or
  • mandated under applicable statutory retention schedules.

When determining the appropriate retention duration, we consider:

  • the category and sensitivity of the data,
  • potential risks arising from unauthorised access or misuse,
  • the original purpose of collection and whether it can be achieved through alternative means,
  • legal and regulatory obligations applicable to our business operations.

Once the retention period has expired, or the data is no longer required, we securely delete, anonymise, or archive the information in accordance with our internal data retention and destruction policies.

6. SECURITY OF PERSONAL INFORMATION

We take the protection of your personal information extremely seriously and implement strong security measures to ensure your data remains safe, confidential, and protected in accordance with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (DPDPA), and recognised industry standards.

We maintain a combination of technical, organisational, and administrative safeguards designed to prevent unauthorised access, alteration, disclosure, or destruction of personal information. These measures include, but are not limited to:

(a) Technical Safeguards

  • Secure server configurations, network protection mechanisms, and continuous monitoring
  • Encryption of data during transmission and, where appropriate, at rest
  • Use of SSL/TLS protocols for payment-related or sensitive data transmissions
  • Firewalls, intrusion detection systems, endpoint protection, and vulnerability management
  • Regular security assessments, penetration tests, and updates to systems and infrastructure

(b) Organisational and Access Controls

  • Strict role-based access controls ensuring only authorised employees, contractors, or service providers who require the information for business purposes can access it
  • Confidentiality obligations in all employment and vendor agreements
  • Defined policies governing data usage, storage, transfer, and retention
  • Multi-factor authentication and password security controls for internal systems

We process personal data strictly based on documented instructions, and only personnel with a legitimate business requirement may access such information.

(c) Incident Response and Breach Management

We have clear internal procedures to identify, investigate, and respond to any potential data security incident. In the unlikely event of a data breach affecting personal information, we will notify affected individuals and relevant authorities as required under applicable law and contractual obligations.

(d) Employee Training and Awareness

All employees undergo mandatory information security and data protection training as part of their onboarding, with refresher modules conducted annually. This ensures consistent awareness of responsibilities relating to data handling and privacy protection.

(e) Password and Account Security

Where you are provided with login credentials or choose a password to access certain secure parts of our website or services, it is your responsibility to keep such information confidential. We strongly advise that you do not share your password with anyone.

(f) Data Transmission Over the Internet

While we take every reasonable precaution to safeguard data, it is important to note that transmission of information over the internet is not fully secure. Any data you send to our website is at your own risk. However, once we receive your information, we apply strict security controls and procedures to prevent unauthorised access.

(g) External Websites and Third-Party Links

Our website may contain links to websites operated by partners, clients, service providers, or affiliates. If you choose to access these external sites, their own privacy policies will apply. We do not accept responsibility or liability for practices followed by third-party websites, and we encourage you to review their privacy terms before sharing any personal information.

(h) Confidentiality Assurance

We recognise that the personal information you share with us may be confidential. We do not sell, rent, or commercially distribute your personal information to third parties.
However, we may share data with our group entities, trusted service providers, or clients strictly for legitimate business purposes described in this Privacy Policy and subject to appropriate confidentiality obligations.

We remain committed to ensuring that all personal information is handled securely and responsibly throughout its lifecycle.

7. CHILDREN'S INFORMATION

We do not intentionally collect, process, or store personal information relating to children. Our services and website are designed for individuals who are legally capable of providing consent under applicable Indian laws.

If you believe that a child's personal information has been collected inadvertently, please contact us immediately using the details provided in Sections 15 and 16. Upon notification, we will promptly investigate the matter and take appropriate action, including deletion or restricted processing of such data, in accordance with legal requirements.

8. YOUR RIGHTS AS A DATA PRINCIPAL

Under the Digital Personal Data Protection Act, 2023 (DPDPA), and applicable privacy principles, you have several rights relating to your personal information. These rights support transparency and give you control over how your data is used. While some rights may be subject to limitations under law, you are generally entitled to the following:

(a) Right to Access

You may request details of the personal information we hold about you and how it is being processed.

(b) Right to Correction

You may request corrections or updates to inaccurate, incomplete, or outdated personal information.

(c) Right to Erasure (Right to be Forgotten)

You may request deletion of your personal data where it is no longer required for lawful purposes, where consent has been withdrawn, or where processing is no longer justified.

(d) Right to Withdraw Consent

Where processing is based on your consent, you may withdraw that consent at any time without affecting prior lawful processing.

(e) Right to Object to Processing

You may object to the processing of your personal information for certain purposes, such as direct marketing or profiling.

(f) Right to Restrict Processing

You may request temporary suspension or limitation of the processing of your personal information under specific circumstances.

(g) Right to Data Portability

Where technically feasible, you may request that personal information provided to us be transferred to you or another service provider in a structured and commonly used format. This applies only to data you have directly supplied.

(h) Rights Relating to Automated Decision-Making and Profiling

You have the right to request human intervention or additional review if decisions affecting you are made solely through automated processing or profiling.

We aim to respond to all verified requests within the timelines prescribed under Indian law. For guidance on exercising any of these rights, please refer to the "Additional Information" section of this Policy.

9. CONSENT

When processing activities rely on your consent, including explicit consent for sensitive personal data, you retain the right to withdraw that consent at any time. Withdrawing consent will not affect any processing that was lawfully carried out prior to your withdrawal.

If consent is withdrawn, we may not be able to provide certain services or continue our engagement. Where this occurs, we will inform you of the implications at the time of withdrawal.

10. FAILURE TO PROVIDE PERSONAL INFORMATION

There may be situations where we require certain personal information to comply with legal obligations, fulfil a contract, process your instructions, or provide specific services. If you choose not to provide information when requested, the following may occur:

  • We may be unable to respond to a request, process an application, or deliver the services you expect.
  • We may be prevented from entering into or continuing a contractual relationship with you.
  • In some cases, regulatory or compliance obligations may prevent us from proceeding further.

Should such a situation arise, we will notify you at the relevant time and explain any impact on our ability to fulfil the engagement.

11. COOKIES

Our website uses cookies and similar tracking technologies to enhance your browsing experience, understand how you use our website, and improve the quality of our services. Cookies are small text files stored on your computer or mobile device when you access our site. These files help recognise your device, remember your preferences, and gather information about your interactions with our website.

When you visit our site, a cookie banner or notice is displayed, explaining the types of cookies we use, their purpose, and the duration for which they remain active. You are given the option to provide consent before non-essential cookies are placed on your device. You may withdraw your consent or modify your cookie preferences at any time through your browser settings.

For more detailed information on the types of cookies we use, their purpose, and how to manage them, please refer to our Cookies Policy.

12. AUTOMATED DECISION-MAKING

We do not use your personal information to make decisions that are based solely on automated processing without human involvement. All evaluations, verifications, and decisions that may affect you involve human review and oversight.

Should our practices change in the future and automated decision-making become necessary for certain processes, we will update this Policy and ensure compliance with applicable laws, including providing you with appropriate safeguards and the ability to request human intervention.

13. DISCLOSURE OF PERSONAL INFORMATION TO THIRD PARTIES

We may share your personal information with trusted third parties when necessary to deliver our services, operate our business, comply with contractual or legal obligations, or support marketing and administrative functions. Any third party that receives personal data from us is contractually bound to protect it, use it only for the agreed purpose, and handle it in accordance with applicable laws and our privacy standards.

Depending on the nature of your engagement with us, your data may be shared with one or more of the following categories of recipients:

  • Group Entities: Other companies within our corporate group for administrative, operational, or service delivery purposes.
  • Business Partners, Suppliers, and Contractors: Parties who assist in fulfilling contractual obligations or delivering services to you.
  • Marketing Partners: Where you have consented to receive marketing communications, or where you are an existing customer who has purchased similar services.
  • Administrative and Operational Service Providers: Entities that help us provide day-to-day operational support.
  • Technology and Infrastructure Providers: IT support providers, cloud-hosting services, telecommunication providers, security service vendors, and platforms used to generate technical or penetration testing reports.
  • Marketing and Public Relations Agencies
  • Payment Service Providers: To process payments securely and in compliance with financial regulations.
  • Recruitment and Background Verification Agencies: Including those conducting pre-employment checks, right-to-work verification, and security screenings.
  • Professional Advisors: Lawyers, auditors, consultants, and other experts appointed to support legal, financial, and compliance-related functions.
  • Compliance and Data Protection Personnel: Individuals or entities performing data protection duties in accordance with Indian privacy laws.
  • Analytics and Search Engine Service Providers: To help improve website performance, user experience, and optimisation.

We ensure that all third parties receiving personal data handle the information responsibly and maintain confidentiality and security in line with our privacy standards.

14. CROSS-BORDER TRANSFERS OF PERSONAL INFORMATION

We may transfer and store personal information outside India when necessary for service delivery, technical operations, cloud hosting, vendor support, or other legitimate business requirements. Such transfers will always be performed in compliance with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (DPDPA), and any additional rules notified by the Government of India.

Whenever personal information is transferred outside India, we ensure that:

  • The transfer is made only to countries or entities that provide an adequate level of data protection,
  • The processing is carried out strictly based on our documented instructions,
  • Appropriate contractual, organisational, and technical safeguards are in place, and
  • Information is protected with security measures equivalent to or higher than those applied within India.

Depending on the circumstances, cross-border transfers may rely on:

  • Contractual safeguards, such as Data Processing Agreements or Standard Contractual Clauses,
  • Government-approved transfer mechanisms, as permitted under Indian law,
  • Explicit consent where required,
  • Necessity for performance of a contract, or
  • Other legally recognised grounds permitted under the DPDPA.

For more details on the mechanisms or safeguards used for international transfers, you may contact us using the details provided in Section 16 of this Policy.

15. RIGHT TO COMPLAIN

We are committed to handling your personal information responsibly and transparently. If you have concerns about how we collect, use, or process your personal data, we encourage you to contact us so that we can address the issue promptly.

If you believe your data has been processed unfairly, unlawfully, or contrary to this Privacy Policy, you may submit a complaint to us through any of the following methods:

By Email (Recommended): dpo[@]xparth[.]com

By Post:

XParth Technologies Private Limited
472/7 Balaji Arcade, 20th L Cross,
Ejipura, Koramangla 4th Block,
Bengaluru, India, 560095

By Phone: +91-7070703507

We will acknowledge your complaint, investigate it thoroughly, and provide a response within a reasonable time.

If you are dissatisfied with our resolution, you may have the right to escalate the matter to the Data Protection Board of India, established under the Digital Personal Data Protection Act, 2023.
Details for approaching the Board will be provided upon request or as per government notifications.

16. ADDITIONAL INFORMATION

Your trust is extremely important to us, and we are committed to maintaining full transparency in how we handle your personal information. If you have any questions that are not addressed in this Privacy Policy or if you require detailed clarification regarding any aspect of how your data is collected, used, stored, transferred, or protected, you may contact our Data Protection Officer/Privacy Officer at any time.

We encourage you to reach out if:

  • You require clarification on any processing activity
  • You wish to understand specific security controls and measures
  • You want help exercising any of your rights
  • You have concerns about data handling or privacy practices

Contact (DPO / Privacy Officer): dpo[@]xparth[.]com

We will respond to your query in a timely manner and provide additional information wherever legally permissible.

17. POLICY REVIEW AND AMENDMENTS

We review this Privacy Policy periodically to ensure it remains accurate, up to date, and compliant with evolving legal requirements and industry standards. This Policy may be amended or updated from time to time to reflect:

  • Changes in applicable laws or regulations
  • Modifications in our services, technology, or internal processes
  • Updates to our data handling or security practices
  • Feedback from users, clients, or regulatory authorities

The latest version of the Policy will always be available on our website and will be effective upon posting there. We will notify you when significant changes are made, either through an updated notice on our website, through email communication, or through other appropriate methods.

Last Updated: January 1, 2026