Privacy Policy

1. Introduction

Daxfo Technology Pvt. Ltd. (“Daxfo”, “we”, “us”, or “our”) is a private limited company incorporated under the Companies Act, 2013, with its principal place of business located at Perungudi, Chennai, Tamil Nadu, India. Daxfo is engaged in providing enterprise-grade ERP and technology consulting services, with a special focus on implementing, customizing, and supporting Microsoft Dynamics 365 Finance and Operations solutions for businesses globally.

This Privacy Policy (“Policy”) outlines the way Daxfo collects, uses, processes, stores, discloses, and protects the personal data of individuals who interact with our websites, services, platforms, and applications (collectively referred to as the “Services”).

Daxfo is committed to maintaining the confidentiality, integrity, and security of your personal information and ensuring full compliance with applicable data protection laws and regulations, including:

The Digital Personal Data Protection Act, 2023 (India) (“DPDP Act”)
The General Data Protection Regulation (GDPR) of the European Union
Other relevant global privacy frameworks, where applicable

This Policy applies to all users, customers, service recipients, vendors, employees, and any other individuals whose personal data we may collect or process in connection with our Services.

By accessing or using our Services, you acknowledge that you have read, understood, and agreed to the terms of this Privacy Policy. If you do not agree with this Policy, please refrain from using our Services.

2. Types of Data Collected

2.1 Personally Identifiable Information (PII)

Full name
Company or organization details
Email address
Mobile number or telephone number
Postal address (including country and location)
Job title and business contact information
Any other information voluntarily submitted through forms or correspondence

We do not collect sensitive personal information such as biometric data, health data, or religious beliefs.

2.2 Device and Usage Data

IP address
Device type and operating system
Browser type and version
Geographic location (approximate)
Access time and duration
Referring websites or sources
Clickstream data and page visits

2.3 Financial and Transactional Data

Transaction history
Invoice numbers
Purchase orders
Basic billing details

We do not collect or store sensitive financial data such as credit/debit card details or bank account credentials.

2.4 Behavioural and Analytical Data

User preferences and settings
In-app navigation and interaction data
Click behaviour and search queries
Time spent on pages or modules

2.5 Marketing and Communication Data

Email preferences
Response data to emails and campaigns
Subscription or un-subscription history
Feedback or survey responses

3. Purpose of Data Collection and Processing

3.1 Service Delivery and Contractual Performance

Providing Microsoft Dynamics 365 Finance and Operations consulting and implementation
Managing client relationships, service requests, and project communications
Facilitating onboarding, customizations, integrations, support, and maintenance
Responding to inquiries, service requests, or troubleshooting tickets

3.2 Marketing and Promotional Communication

Sending newsletters, service updates, or promotional content
Conducting feedback surveys, webinars, or events
Recommending relevant products or services based on your preferences

3.3 Customer Support and Grievance Redressal

Respond to customer queries and support requests
Manage user grievances or technical concerns raised via our support portal
Improve our customer service operations

3.4 Analytics and Platform Optimization

Analyzing service usage and identifying usage trends
Diagnosing errors, bugs, or performance bottlenecks
Optimizing interface design and platform usability

3.5 Legal Compliance and Regulatory Obligations

To comply with applicable laws, court orders, or government directives
To establish, exercise, or defend our legal rights
To enforce our Terms of Use, service agreements, or other legal obligations

3.6 Security and Fraud Prevention

Detect, investigate, and prevent security breaches, fraud, or misuse
Maintain the integrity and confidentiality of our systems
Protect against unauthorized access or data leaks

4. Legal Basis for Processing Personal Data

Under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), we process your personal data based on specific legal bases that justify the collection, use, storage, and disclosure of your personal data. These legal bases ensure that your data is processed lawfully, fairly, and in a manner that respects your rights under Indian law. Below are the primary legal grounds upon which we rely:

4.1.1 Consent

We process your personal data based on your free, specific, informed, unconditional, and unambiguous consent. Consent is obtained prior to the collection and processing of your personal data and may be withdrawn by you at any time.
Consent is granular (i.e., given separately for each purpose of processing).
You are provided with a notice detailing the nature of data being collected, its purpose, and the processing involved.
Consent is not bundled with other agreements or terms and can be revoked through a simple and accessible mechanism.
No personal data is processed without your prior consent, unless permitted under other legal bases specified in the DPDP Act.

Examples of Consent-Based Processing:

Sending marketing communications via WhatsApp, email, or SMS.
Collecting behavioural analytics data using tracking technologies.
Processing data for personalized advertising or promotional campaigns.

4.1.2 Performance of a Contract

We process personal data when it is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering such a contract. This includes:

Creating and managing your account.
Processing your orders, payments, and deliveries.
Providing customer support and responding to service requests.
Managing your transaction history, wishlist, and order preferences.

Note: Refusal to provide necessary data may affect our ability to deliver services or fulfil contractual obligations.

4.1.3 Compliance with Legal Obligations

We may process your personal data to comply with statutory and regulatory obligations, including obligations under:

Taxation, consumer protection, and e-commerce laws.
Law enforcement or judicial orders.
Governmental directives or data retention requirements.

Such processing is mandatory, and consent is not required when processing is necessary for compliance with the law.

4.1.4 Legitimate Use (Legitimate Interests)

The DPDP Act allows processing of personal data for certain legitimate uses, provided it is reasonable to expect such processing, and it does not override your rights and freedoms. We may rely on this legal basis for purposes such as:

Preventing fraud and ensuring the security of our systems and services.
Conducting audits, operational analysis, and internal reporting.
Improving service delivery and user experience.
Providing support services and resolving technical issues.
Carrying out corporate transactions such as mergers, acquisitions, or restructuring.

Where data is processed under legitimate use, safeguards are implemented to minimize risks, and transparency is maintained regarding the nature and extent of processing.

4.1.5 Public Interest and Emergencies

In rare circumstances, we may process personal data for reasons of public interest or to respond to emergency situations, such as:

Protecting the life or safety of any individual during a disaster or public health crisis.
Responding to lawful governmental or regulatory requests made in the interest of public welfare or national security.

4.1.6 Grievance Redressal and Compliance Oversight

In accordance with the DPDP Act, we have appointed a Grievance Officer and implemented processes to address any concerns regarding the processing of your personal data.
We also maintain accountability measures including record-keeping, periodic audits, and compliance reviews to ensure ongoing legal compliance.

4.2 Under GDPR (European Union)

For users subject to the GDPR, our legal bases for processing your personal data include:

Consent (Article 6(1)(a)): You have given explicit consent to the processing of your personal data for specific purposes, such as marketing communications or analytics. You have the right to withdraw your consent at any time.
Contractual Necessity (Article 6(1)(b)): Processing is necessary to fulfil our contractual obligations to you, such as providing products or services that you have requested.
Legal Obligation (Article 6(1)(c)): Processing is necessary for compliance with legal obligations to which we are subject.
Legitimate Interests (Article 6(1)(f)): Processing is necessary for our legitimate interests or those of a third party, provided these are not overridden by your fundamental rights and freedoms. Our legitimate interests include improving our services, fraud prevention, and securing our platform.
Public Interest (Article 6(1)(e)): Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

4.3 Special Categories of Data (GDPR – Article 9)

We do not intentionally collect or process any special categories of personal data (such as health information, biometric data, or data revealing racial or ethnic origin), unless explicitly required for the Services and with your explicit consent or as permitted by law.

4.4 Data Subject Rights

You have specific rights regarding your personal data, including the right to access, rectify, erase, restrict processing, object to processing, and data portability, subject to applicable law. If processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

5. Methods of Data Collection

Daxfo Technology Pvt. Ltd. collects personal data through various direct and automated means, depending on your interactions with our Services. The sources and methods include:

5.1 Data Provided Directly by You

Filling out contact or inquiry forms on our website
Requesting a product demo or consultation
Submitting resumes or job applications
Signing contracts or service agreements
Subscribing to newsletters or marketing communications
Communicating with us via email, phone, or support portal

This data may include your name, contact details, organization name, professional background, and communication content.

5.2 Data Collected Automatically

IP address and geographic location
Browser and device information
Access times, session duration, and pages visited
Clickstream patterns and system logs
Cookies and similar tracking technologies

We use this data for performance optimization, analytics, security, and personalized user experiences.

5.3 Data Collected via Third-Party Integrations

Microsoft Azure or Dynamics 365 APIs
CRM tools and analytics platforms
Calendar and meeting scheduling software
Third-party contact importers (with your consent)

These integrations are governed by respective privacy agreements, and we ensure appropriate safeguards before collecting or processing such data.

5.4 Data Collected Through Social Media or Referrals

Basic profile data shared via those platforms
Engagement metrics for social campaigns
Information from referral partners or shared links

All such data collection is subject to the privacy settings you have enabled on those external platforms.

5.5 In-App Activities and Preferences

Your in-app settings and user preferences
Usage logs and performance metrics
Actions taken within the application (e.g., module access, saved data)

This information helps personalize your experience and optimize service performance.

6. Data Storage, Retention, and Deletion

Daxfo Technology Pvt. Ltd. is committed to storing personal data responsibly, retaining it only for as long as necessary, and ensuring secure deletion protocols. This clause outlines our data lifecycle management practices.

6.1 Data Storage

Cloud-based servers, hosted by secure third-party providers, with encrypted connections (e.g., HTTPS/SSL/TLS)
In-house databases, maintained with restricted access and monitored access controls

Storage decisions are based on technical feasibility, operational needs, data sensitivity, and jurisdictional requirements.

6.2 Data Retention Period

Unless a longer retention period is required by law, we retain personal data for a period of five (5) years from the date of last interaction or completion of the contractual engagement.

Client project data is retained for at least 5 years for audit, compliance, or re-engagement needs
Inquiries, resumes, and communications may be retained for up to 5 years for operational reference or legal purposes

6.3 Data Deletion and Disposal

Once personal data has reached the end of its retention period or upon valid user request (in accordance with applicable rights), it will be securely deleted or anonymized.

Permanent deletion from cloud and local systems
Overwriting or reformatting of drives containing obsolete data
Secure deletion tools to eliminate recoverability

All disposal procedures are documented and, where applicable, audited.

6.4 Data Backup and Recovery

Encrypted backups are regularly performed and stored in secured environments
Only authorized personnel have access to backup systems
Data recovery protocols are in place for system failures or disasters, aligned with our internal Business Continuity Plan (BCP)

6.5 Data Breach Protocol

Immediate isolation of affected systems
Investigation and assessment of breach scope
Notification to affected users (as outlined in Clause 9)
Remedial action and patch deployment
Documentation and audit trail for regulatory compliance

7. Data Security and Protection

Daxfo Technology Pvt. Ltd. implements a robust framework of technical, organizational, and administrative safeguards to protect your personal data against unauthorized access, loss, alteration, or disclosure. Our security protocols are designed to ensure compliance with applicable laws and industry standards.

7.1 Technical Security Measures

End-to-end encryption using industry-standard protocols such as SSL/TLS and HTTPS
Firewall protection, intrusion detection, and prevention systems
Multi-factor authentication (MFA) and role-based access controls (RBAC)
Secure software development lifecycle (SDLC) for internal systems
Regular security patching and vulnerability assessments

7.2 Organizational Security Measures

Employee confidentiality agreements and periodic cybersecurity training
Access limitation policies based on job role and necessity
Audit logs for system and data access
Data classification and handling procedures

Only authorized personnel are granted access to personal data on a strict need-to-know basis.

7.3 Data Breach Management

Immediate containment measures are initiated
The breach is analyzed, and the scope of affected data is determined
Affected users and regulatory authorities (if applicable) are notified in accordance with Clause 9
A root cause analysis is conducted, and a remediation plan is implemented
The event is logged, and lessons learned are integrated into future safeguards

7.4 Third-Party Security Measures

Cloud service providers and storage vendors are vetted for compliance with GDPR, DPDP Act, and international standards such as ISO/IEC 27001
Data processing agreements (DPAs) are signed incorporating adequate safeguards
Appropriate data access controls, incident response protocols, and encryption practices are maintained

7.5 Compliance Principles

Data Minimization: Collect only what is required for the stated purpose
Integrity and Confidentiality: Prevent unauthorized or accidental access and alteration
Accountability: Maintain records of processing and regularly audit internal practices
User Empowerment: Enable individuals to exercise control over their personal data

8. Data Access and Sharing

Daxfo Technology Pvt. Ltd. exercises strict control over access to personal data and ensures that any sharing or transfer of such data complies with relevant privacy laws and is subject to appropriate safeguards.

8.1 Internal Access to Data

Authorized personnel with a defined business need (e.g., service delivery, technical support)
Employees or contractors bound by confidentiality obligations and trained in data protection practices
Role-based access controls (RBAC) that limit access to data based on the principle of least privilege

All internal access is logged and subject to regular audits.

8.2 Data Sharing with Third Parties

Daxfo does not share personal data with third-party processors such as marketing agencies, payment processors, or advertising platforms at present. If such third-party engagements arise in the future, we will:

Enter into legally binding Data Processing Agreements (DPAs)
Ensure that third parties maintain adequate security standards
Limit the data shared to only what is necessary
Inform users transparently and obtain consent where required

8.3 International Data Transfers

During business, personal data may be transferred to our offices or partners located outside India, including the United States. We ensure that:

Transfers comply with the DPDP Act, 2023, and GDPR (Chapter V) as applicable
Safeguards such as Standard Contractual Clauses (SCCs), inter-company agreements, or contractual assurances are in place
Data subjects retain their rights irrespective of the location of processing

8.4 Data Subject Access Controls

Access the data we hold about you
Request correction, deletion, or restriction of processing
Export your data in a structured format
Object to certain uses of your data, including for direct marketing

These rights are further detailed under Clause 10: Your Rights.

8.5 Prohibition on Unauthorized Data Sharing

We do not sell or lease personal information to third parties
Monitor and restrict data flow through internal policies and controls
Immediately investigate any suspected unauthorized sharing and take remedial action

9. Data Breach Notification

Daxfo Technology Pvt. Ltd. takes data breaches seriously and has implemented a formal incident response and notification framework to mitigate risks and protect affected individuals and stakeholders.

9.1 Definition of a Data Breach

A data breach refers to any unauthorized or unlawful access, disclosure, alteration, loss, destruction, or compromise of personal data, whether accidental or intentional. This includes hacking or cyberattacks, unauthorized access or misuse by internal personnel, data leakage due to human error or system failure, and theft or loss of devices or storage media containing personal data.

9.2 Breach Detection and Reporting Timeline

The incident is escalated internally within 24 hours to the designated response team
A preliminary assessment is completed to evaluate the scope, sensitivity, and impact
Root cause analysis and containment measures are initiated immediately
All such incidents are documented, and actions are tracked

9.3 Notification Content

If a data breach impacts your rights or freedoms, we will provide a transparent and prompt notification outlining:

The nature and scope of the breach
Categories of personal data affected
Possible consequences and risks
Measures taken or proposed to address the breach
Instructions for you to mitigate any potential harm
Contact information for further assistance

9.4 Methods of Notification

Email or registered communication
Website pop-up or banner (for mass-scale breaches)
Notification to India’s Data Protection Board (DPB) or the relevant Data Protection Authority in other jurisdictions (e.g., EU DPA under GDPR)

9.5 Mitigation and Remedial Measures

Isolate compromised systems
Reset credentials or access keys
Apply security patches and close vulnerability points
Cooperate with cybersecurity experts for threat eradication
Monitor affected systems for further anomalies
Where necessary, offer support such as identity theft protection, free credit monitoring, or remedial action to mitigate user impact

9.6 Record-Keeping and Audit

All security incidents, including near-misses and confirmed breaches, are logged and maintained for audit purposes for a minimum of 5 years
Reviewed periodically to strengthen preventive controls
Shared with auditors, regulators, or clients upon legitimate request

9.7 Accountability and User Support

Daxfo maintains a dedicated internal team for incident response and breach handling
If you suspect misuse or breach of your personal data, please report it immediately via our support portal or contact channels listed in Clause 13
We will respond promptly and transparently to all inquiries related to data security incidents

10. Your Rights

Daxfo Technology Pvt. Ltd. is committed to upholding the privacy rights of all individuals whose personal data we collect or process. Depending on your jurisdiction (India, EU, etc.), you may exercise the following rights in accordance with applicable data protection laws.

10.1 Right to Access (Right to Know)

Confirm whether we hold your personal data
Request details about the nature, categories, purpose, source, and recipients of such data
Obtain a copy of the personal data undergoing processing

10.2 Right to Correction (Rectification)

Request us to correct inaccurate or outdated personal data or complete incomplete data, especially where such inaccuracies may impact your rights or services provided

10.3 Right to Erasure (Right to Be Forgotten)

Request deletion of your personal data when the data is no longer necessary, consent is withdrawn and there is no other legal ground, the data has been unlawfully processed, or when required to comply with a legal obligation

10.4 Right to Data Portability

Request your data in a structured, machine-readable format
Transmit the data to another service provider, where feasible and applicable

This right applies only to data processed based on your consent or contract, using automated means.

10.5 Right to Restrict Processing

Limit the processing of your data when you contest the data’s accuracy, processing is unlawful but you request restriction instead of deletion, data is no longer needed but is required for legal claims, or you object to processing and verification is pending

10.6 Right to Object

Object to processing of your data based on legitimate interests
Object to use of data for direct marketing purposes
Object to profiling or analytical processing based on your data (not currently conducted by Daxfo)

10.7 Right to Withdraw Consent

Withdraw your consent at any time where processing is based on your consent. This will not affect the lawfulness of processing based on consent before its withdrawal

10.8 Right to Lodge a Complaint

Lodge a complaint with the Data Protection Board of India (DPBI) under the DPDP Act, or with a relevant Data Protection Authority (DPA) in your jurisdiction (e.g., under GDPR)
We encourage you to contact us first, and we will do our best to resolve your concerns promptly

10.9 Right to Nominate (DPDP Act – India)

Nominate another individual who can exercise your data rights on your behalf in the event of death or incapacity
Update your nominee’s details through written request to our support team

10.10 Exercising Your Rights

Submit a request via our support portal or by contacting us through the details provided in Clause 13
We will acknowledge your request within 7 working days and act upon it within 30 days, subject to legal and verification requirements
Proof of identity or authorization may be required for verification before acting on your request

11. Cookies and Tracking Technologies

Daxfo Technology Pvt. Ltd. uses cookies and similar tracking technologies to enhance your user experience, improve website performance, and support analytics and marketing functionalities in a privacy-compliant manner.

11.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. These files collect information about your browsing behaviour and preferences, allowing websites to function efficiently and recognize users on subsequent visits.

11.2 Types of Cookies We Use

Strictly Necessary Cookies: Essential for website navigation, account access, and secure transactions
Functionality Cookies: Remember your preferences, such as language and location settings
Analytics Cookies: Help us analyze how users interact with the website (e.g., Google Analytics)
Marketing Cookies: Track user activity across websites to display relevant advertisements and measure ad effectiveness

11.3 Tracking Technologies We Use

Web beacons (pixel tags)
Device identifiers
Session tracking and local storage

These tools collect data such as browser type, pages visited, time spent, click patterns, and IP addresses to enhance functionality and analytics.

11.4 Third-Party Cookies

Some cookies may be placed by third-party services integrated into our site (e.g., analytics or embedded content providers). These third parties may collect data directly and independently, governed by their own privacy policies.

11.5 Managing and Controlling Cookies

Adjust your browser settings to reject or delete cookies
Use in-browser privacy extensions
Manage consent through our website’s cookie banner or cookie settings panel

Disabling certain cookies may impact your user experience or limit access to some features.

11.6 Consent to Cookies

We obtain explicit consent for non-essential cookies at your first visit
You may withdraw or modify your cookie preferences at any time by revisiting the cookie banner or settings
Your consent is stored securely and refreshed periodically as required by law

11.7 Duration of Cookies

Session cookies: Deleted automatically when you close your browser
Persistent cookies: Stored on your device for a set duration or until manually deleted

We limit cookie lifespan to only as long as necessary for their intended purpose and in line with our retention policies.

12. Cross-Border Data Transfers

Daxfo Technology Pvt. Ltd. may transfer your personal data to locations outside your country of residence, including our offices or service providers in other jurisdictions, such as the United States, to ensure efficient service delivery and operational management.

12.1 Legal Basis for International Transfers

A valid legal basis under applicable data protection laws (e.g., consent, contractual necessity, legitimate interests)
Adequate safeguards in place to protect your personal data, such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or approved data transfer mechanisms recognized under the DPDP Act, 2023, and GDPR

12.2 Data Storage and Processing Locations

India (primary operations)
The United States (Daxfo’s US office)
Other jurisdictions as necessary for business purposes

We ensure that all such locations provide an adequate level of data protection consistent with the standards set forth in applicable privacy laws.

12.3 Safeguards for Cross-Border Transfers

Encryption of data in transit and at rest
Execution of data processing agreements with third parties
Regular audits and compliance checks of data processors and sub-processors

12.4 Your Rights Regarding Data Transfers

Be informed about where and how your data is transferred and processed internationally
Request additional information on the safeguards applied to protect your data
Object to or restrict transfers in certain circumstances, as permitted by applicable laws

For exercising these rights, please refer to the contact details provided in Clause 13.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us using the details below:

Daxfo Technology Pvt. Ltd.
Address: Perungudi, Chennai, Tamil Nadu, India
Email:
Phone:
Support Portal:

For exercising your data rights, submitting complaints, or any other privacy-related requests, please use the support portal or email us directly. We are committed to responding promptly and assisting you with all data privacy matters.

14. Amendments to This Policy

Daxfo Technology Pvt. Ltd. reserves the right to update or modify this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or technological advancements.

Notification of Changes: We will notify users of any significant changes to this Privacy Policy by posting a revised version on our website and, where appropriate, by sending direct notifications via email or through our support portal.
Effective Date: Each updated Privacy Policy will indicate the “Last Updated” date at the top of the document. Changes will become effective immediately upon posting unless otherwise stated.
User Responsibility: We encourage all users to periodically review this Privacy Policy to stay informed about how we collect, use, and protect personal data.
Continued Use: By continuing to use our services after amendments are posted, you accept and agree to the revised terms of this Privacy Policy.