Privacy Policy
Effective date: 8 June 2026. Last updated: 8 June 2026.
This Privacy Policy explains how VXQN Technologies Pvt. Ltd. (“VXQN”, “we”, “us”) collects, uses, shares and protects personal data in connection with the VXQN commerce-operations platform (the “Service”), our website vxqn.in, and our APIs. It is designed to comply with India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 and its SPDI Rules, the European Union and UK General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and comparable data-protection laws worldwide. Security controls referenced here are described in our Trust Center.
1. Our two roles: controller and processor
VXQN is a business-to-business platform, and our obligations depend on whose data is involved:
- As a processor / Data Processor — for the personal data contained in our customers’ commerce operations (for example, the names, addresses and phone numbers of their shoppers inside orders, shipments and returns). Here the customer (the brand) is the Data Fiduciary / controller and decides why and how that data is processed; VXQN processes it only on the customer’s documented instructions to provide the Service. This processing is governed by our Data Processing Agreement (“DPA”), available on request.
- As a controller / Data Fiduciary — for data about the users of VXQN (our customers’ staff who log in), our billing contacts, prospects who contact us, and visitors to our website.
This policy primarily describes our practices as a controller. Where we act as a processor, the relevant brand’s own privacy notice governs how shopper data is collected, and our handling is bound by the DPA.
2. Personal data we collect
Account & user data
- Identity and contact details (name, work email, phone, role, employer).
- Authentication data (hashed credentials, MFA factors, session and device information).
- Preferences, in-product settings and support correspondence.
Customer operational data (processed on our customers’ behalf)
- Order records mirrored from Shopify (line items, financial breakdown, customer name, shipping address, contact number).
- Shipping and tracking data exchanged with courier partners (AWB numbers, pickup, scan and delivery events).
- Exception, returns, QC, refund and COD-reconciliation records, and the operator actions taken on them.
Billing data
- Wallet balances, usage metering (orders shipped), invoices, GST details and payment-method tokens. VXQN does not store full card numbers — payments are handled by our payment gateway.
Technical & usage data
- IP address, browser/device data, log files, approximate location derived from IP, feature usage and diagnostics.
- Cookies and similar technologies on our website (see “Cookies” below).
3. How we use personal data
- To provide, operate, secure and improve the Service and our website.
- To authenticate users, prevent fraud and abuse, and maintain the audit trail.
- To meter usage and process billing (including the ₹2-per-order wallet model).
- To provide support, send service and security communications, and respond to enquiries.
- To comply with legal obligations and enforce our Terms of Service.
- With consent where required, to send product updates and marketing (you can opt out at any time).
We do not sell personal data, and we do not use customer operational data to train shared or third-party AI models. Any tenant-scoped model tuning happens only with that customer’s explicit written authorisation.
4. Legal bases for processing
Where the GDPR applies, we rely on: performance of a contract (to deliver the Service), legitimate interests (security, fraud prevention, service improvement, B2B communications — balanced against your rights), consent (optional analytics cookies and marketing), and legal obligation (tax, accounting, lawful requests). Where the DPDP Act applies, we process personal data on the basis of consent or a permitted legitimate use, and as a processor strictly on the Data Fiduciary’s instructions.
5. Cookies and similar technologies
Our website uses strictly necessary cookies to function and, only with your consent, optional analytics cookies to understand and improve usage. You can accept or reject optional cookies via our cookie banner and change your choice at any time by clearing site data. We honour browser “Global Privacy Control” signals where required by law.
6. How we share personal data
We share personal data only as needed and under appropriate safeguards:
- Subprocessors that help us run the Service (hosting, edge/CDN, courier and commerce integrations, billing, communications). The current list and their regions are published in our Trust Center; each is bound by data-protection terms.
- Our customers — operational data is made available to the relevant brand’s authorised users.
- Legal and safety — to comply with law, lawful requests, or to protect rights, safety and security; we assess and, where lawful, notify of such requests.
- Business transfers — in connection with a merger, acquisition or asset sale, subject to this policy.
7. International data transfers
VXQN is India-first: the substantive personal data in your operations is stored and processed in India (DigitalOcean, blr1 / Bangalore). A limited set of subprocessors process some data outside India — for example, Cloudflare handles edge routing and CDN globally, and certain operational tooling (such as analytics or transactional messaging) may run abroad. Under the DPDP Act, such transfers are permitted except to countries the Government of India restricts. Where we transfer personal data internationally we apply a lawful safeguard — for EEA/UK data, the European Commission’s Standard Contractual Clauses with the UK Addendum and supplementary measures; for other regions, the mechanism their law requires. The current subprocessors and their regions are listed in our Trust Center, and a DPA is available on request.
8. Data retention
We retain personal data only as long as necessary for the purposes above, then delete or anonymise it. The specific retention periods for customer operational data — including how long it is kept after an account closes and when it is deleted or returned — are set out in the customer’s agreement and Data Processing Agreement, and we process that data according to the customer’s documented instructions. Account and billing records, audit logs and similar records are kept for as long as needed to run the Service and to meet our legal, tax and accounting obligations, after which they are deleted or anonymised.
9. How we protect data
We apply technical and organisational measures appropriate to the risk, including multi-tenant row-level isolation, AES-256-GCM encryption at rest with per-tenant keys, encryption in transit, least-privilege access, MFA, and an immutable audit trail. See the Trust Center for details and our certification roadmap. No method of transmission or storage is perfectly secure, but we work to protect your data and to notify you of breaches as required by law.
10. Your rights
Subject to your jurisdiction and applicable exemptions, you may have the right to: access your personal data; correct or update it; erase it; restrict or object to processing; exercise data portability; withdraw consent; and not be subject to unlawful automated decision-making. To exercise rights, contact us using the details below; where we act as a processor, we will refer your request to the relevant customer (Data Fiduciary) and assist them.
India (DPDP Act, 2023)
Data Principals may seek access, correction, completion, updating and erasure of personal data, may nominate another person to exercise rights in the event of death or incapacity, and may raise grievances with our Grievance Officer (below) before approaching the Data Protection Board of India.
If the Government designates VXQN a Significant Data Fiduciary, we will undertake the additional obligations that designation carries — including appointing a Data Protection Officer based in India, and conducting periodic data-protection impact assessments and independent audits.
EEA & UK (GDPR)
You may lodge a complaint with your local supervisory authority. We do not require you to do so before contacting us, and we’d welcome the chance to resolve concerns first.
California (CCPA/CPRA)
California residents may request to know, delete and correct personal information, and to opt out of “sale” or “sharing” of personal information. VXQN does not sell or share personal information as those terms are defined. We will not discriminate against you for exercising your rights.
11. Children’s data
The Service is a business tool and is not directed to children, and VXQN does not knowingly collect children’s personal data directly. Consistent with the DPDP Act, we do not undertake tracking, behavioural monitoring or targeted advertising directed at children.
Personal data of individuals under 18 may incidentally appear within the order, shipping or returns records a brand processes through VXQN. For that shopper data the brand is the Data Fiduciary and is responsible for obtaining any verifiable consent of a parent or lawful guardian that the DPDP Act requires; VXQN processes it solely on the brand’s documented instructions. If you believe a child’s data has reached us in error, contact us and we will delete it.
12. Grievance Officer & contact
For privacy questions, requests or complaints:
- Grievance / Data Protection Officer: VXQN Grievance Officer, dpo@vxqn.in
- General privacy: privacy@vxqn.in
- Postal: VXQN Technologies Pvt. Ltd., 1010 – 10th Floor, CyberCity IT Park, Uttran, Surat, Gujarat, India — CIN: [to be added]
We respond to verified requests within the timeframes required by applicable law.
13. Changes to this policy
We may update this policy from time to time. Material changes will be notified through the Service or by email, and the “Last updated” date above will change. Continued use of the Service after an update constitutes acceptance of the revised policy where permitted by law.