Global Privacy Policy
This Privacy Policy describes how Perenexa Inc. ("Perenexa", "we", "us", or "our") collects, protects, uses, and shares information gathered about you. We are committed to protecting your personal data in accordance with the Digital Personal Data Protection Act (India), GDPR (Europe), CCPA (California), and other applicable global privacy laws.
1. Definitions & Interpretation
To ensure clarity and transparency, we define the key terms used in this policy:
- "Data Controller" (or "Data Fiduciary" under Indian Law): Refers to Perenexa Inc., the entity that determines the purpose and means of processing personal data.
- "Data Processor": Refers to third-party services (e.g., AWS, Stripe) that process data on our behalf.
- "Personal Data": Any information relating to an identified or identifiable natural person, including name, email, IP address, and financial details.
- "Usage Data": Data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (e.g., duration of page visit).
2. Data We Collect
We collect data using the principle of Data Minimization. We only collect what is strictly necessary to provide our services.
2.1 Information You Provide Directly
- Account Data: Name, email address, password (hashed), and optional profile information.
- Billing Data: If you purchase paid services, we collect billing address and tax ID. Note: We do not store credit card numbers on our servers; they are securely tokenized by our payment processors.
- Communication Data: Content of emails, support tickets, or feedback forms you submit to us.
2.2 Information Collected Automatically
- Log Data: Internet Protocol (IP) address, browser type, browser version, pages visited, time and date of visit.
- Device Telemetry: Device type (mobile/desktop), operating system, and screen resolution to optimize UI rendering.
- Security Metadata: Login timestamps, failed login attempts, and password reset requests (used strictly for security auditing).
3. Lawful Basis for Processing
Under GDPR and equivalent global laws, we process your data under the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Account Creation & Service Delivery | Performance of Contract |
| Fraud Prevention & Security | Legitimate Interest |
| Billing & Invoicing | Legal Obligation |
| Marketing (Newsletters) | Explicit Consent |
4. How We Use Data
We do not sell your data. We use your personal data strictly for:
- Service Provision: To operate, maintain, and provide the features of the Perenexa ecosystem.
- Authentication: To verify your identity via multi-factor authentication (2FA) and prevent unauthorized access.
- Communications: To send transactional emails (password resets, invoices) and, with your consent, product updates.
- Legal Compliance: To comply with applicable laws, legal processes, or government requests.
4 A. Automated Decision-Making & Profiling
Perenexa does not engage in automated decision-making that produces legal or similarly significant effects concerning users.
We do not use algorithmic profiling for credit scoring, employment screening, or behavioral advertising. Security-related automated processes (such as detecting suspicious login attempts) are used solely for fraud prevention and system protection.
5. Data Sharing & Disclosure
We engage trusted third-party service providers ("Processors") to perform functions and provide services to us. These providers adhere to strict data protection obligations:
- Cloud Infrastructure: AWS / DigitalOcean (Data storage and compute).
- Payment Processing: Stripe / Razorpay (Payment processing and fraud detection).
- Transactional Email: Postmark / AWS SES (Delivery of system emails).
Corporate Transactions: If Perenexa is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.
6. Data Retention Policy
We retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy.
- Active Accounts: Retained for the lifetime of your account.
- Deleted Accounts: Account data is soft-deleted immediately and permanently purged from backups within 30 days.
- Financial Records: Retained for 7 years as required by tax laws (e.g., GST Act in India, IRS in the USA).
- Access Logs: Retained for 90 days for security auditing, then overwritten.
6 A. Legal Holds & Regulatory Retention
Notwithstanding our standard retention timelines, we may retain Personal Data for longer periods where required to:
- Comply with legal obligations or regulatory investigations.
- Enforce our agreements or resolve disputes.
- Protect against fraud or abuse.
- Preserve evidence under litigation hold.
Backup systems may retain encrypted archival data for limited additional periods before automatic overwrite.
7. Security Infrastructure
We employ enterprise-grade security measures designed to protect your data from unauthorized access, disclosure, alteration, and destruction.
Encryption
Data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
Access Control
Strict Role-Based Access Control (RBAC) ensures only authorized personnel can access data.
Vulnerability Scanning
Regular automated scanning of code and infrastructure for known vulnerabilities.
2-Factor Auth
Mandatory 2FA for administrative access to production environments.
7 A. Data Breach Notification & Incident Response
Perenexa maintains a formal incident response program designed to identify, contain, investigate, and remediate data security incidents.
In the event of a Personal Data Breach, we will:
- Investigate and assess the scope and impact of the breach.
- Take immediate steps to mitigate ongoing risk.
- Notify affected users without undue delay where legally required.
- Notify relevant supervisory authorities within 72 hours where required under GDPR Article 33.
- Document the breach and corrective actions taken.
Notifications will include a description of the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.
8. International Data Transfers
Your information may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ.
If you are located in the European Economic Area (EEA), please note that your data is processed in the United States and India. We rely on the European Commission's Standard Contractual Clauses (SCCs) and adequacy decisions to ensure a legitimate legal basis for such transfers.
8 A. Subprocessors & Data Processing Agreements
We engage third-party subprocessors to assist in delivering our services. All subprocessors are contractually bound by Data Processing Agreements (DPAs) requiring confidentiality, security safeguards, and compliance with applicable data protection laws.
Where required under GDPR, we implement Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.
We reserve the right to update our subprocessors as our infrastructure evolves. Material changes to subprocessors will be reflected in this Privacy Policy.
10. Your Rights (Global)
Regardless of your location, Perenexa grants all users the following rights:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure: Request deletion of your account and associated data.
- Right to Portability: Receive your data in a structured, commonly used format (JSON/CSV).
- Right to Withdraw Consent: Withdraw consent for marketing communications at any time.
10 A. Right to Lodge a Complaint
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated applicable data protection laws.
We encourage users to contact us first so we can attempt to resolve concerns amicably.
11. California Privacy Rights (CCPA/CPRA)
For residents of California:
- Right to Know: You may request details about the categories of personal information we have collected.
- Right to Delete: You may request the deletion of your personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
"Do Not Sell" Disclosure: We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising.
11 A. Additional U.S. State Privacy Rights
Residents of Virginia, Colorado, Connecticut, and other U.S. states with enacted privacy laws may have additional rights, including:
- Right to confirm whether we process your personal data.
- Right to access, correct, or delete personal data.
- Right to opt out of targeted advertising or profiling.
- Right to appeal denied privacy requests.
We apply a uniform privacy standard to all users regardless of jurisdiction.
12. India Compliance (DPDP Act 2023)
Perenexa Inc. acts as a Data Fiduciary. In accordance with the Digital Personal Data Protection Act, 2023, Indian Data Principals have the right to access, correct, erase, and nominate a representative in the event of death or incapacity.
We process data based on Consent or for Legitimate Uses as defined in the Act. You may manage your consent via your account settings or by contacting our Grievance Officer.
13. Children's Privacy
Our Service does not address anyone under the age of 18 ("Children"). We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.
13 A. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in legal requirements, technical infrastructure, or business practices.
Material changes will be communicated via:
- Email notification to registered users.
- Prominent notice within the Service.
- Updated effective date at the top of this page.
Continued use of the Service after changes become effective constitutes acceptance of the revised Privacy Policy.
14. Contact & Grievance Redressal
If you have any questions about this Privacy Policy, please contact us at privacy@perenexa.com.
Grievance Officer (India)
In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, the contact details of the Grievance Officer are provided below: