NxgSecure

Privacy Policy

Last updated: April 21, 2026

Contents
  1. Who We Are
  2. Information We Collect
  3. How We Use Your Information
  4. Legal Basis for Processing
  5. Data Sharing and Third Parties
  6. Data Security and Fiduciary Obligations
  7. Data Retention
  8. Your Rights as a Data Principal
  9. Cookies and Tracking Technologies
  10. Cross-Border Data Transfers
  11. Children's Privacy
  12. Security Incident Notification
  13. Changes to This Policy
  14. Contact and Grievance Officer

Section 01 Who We Are

NxgSecure Technologies Private Limited (hereinafter "NxgSecure," "we," "us," or "our") is a company incorporated under the Companies Act, 2013, having its registered office in Gurugram, Haryana, India. We provide managed cybersecurity and compliance services to enterprises across India and internationally, operating as a Data Fiduciary as defined under the Digital Personal Data Protection Act, 2023 ("DPDP Act") in respect of personal data we collect directly, and as a Data Processor in respect of personal data we process on behalf of our clients.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, and what rights you have as a Data Principal (i.e., the individual to whom the personal data relates). This Policy applies to personal data collected through our website, our managed services platform, our marketing communications, and any other interaction you may have with NxgSecure. It does not apply to personal data that our clients upload to the NxgSecure platform in connection with providing services to their own end-users; for that data, the applicable client's privacy policy governs.

We take privacy seriously. As a cybersecurity company, protecting data — our clients', our users', and our own — is not merely a legal obligation but a core expression of who we are. If you have any questions about this Policy, please contact our Data Protection Officer at dpo@nxgsecure.in before proceeding.

Section 02 Information We Collect

We collect personal data in the following ways and categories:

Information you provide directly:

  • Account and registration data: When you register for our platform or services, we collect your name, designation, business email address, company name, phone number, billing address, and GSTIN where applicable.
  • Lead and inquiry data: When you submit a form on our website, request a free assessment, download a resource, or contact us by email, we collect your name, email address, company, role, and the content of your message.
  • Payment data: Billing details including invoicing address and GST information. We do not store full credit card or bank account numbers; payment transactions are processed by PCI-DSS-compliant third-party payment processors.
  • Communications: Records of emails, messages, and other communications you send to us, including support tickets and customer success conversations.

Information collected automatically:

  • Usage and log data: IP address, browser type and version, operating system, referring URL, pages visited, time and date of visit, and session duration when you access our website or platform.
  • Device data: Device identifiers, hardware model, and network information.
  • Cookie data: Information collected through cookies and similar tracking technologies as described in Section 9.

Information from third parties: We may receive information about you from third-party sources such as business directories, LinkedIn, or partner referrals, which we combine with information we already hold to improve the relevance of our communications and service offerings. We will always ensure such collection has a lawful basis.

Section 03 How We Use Your Information

We use the personal data we collect for the following purposes:

  • Providing the Services: To create and manage your account, deliver the contracted cybersecurity and compliance services, communicate with you about your service, and fulfil our contractual obligations.
  • Customer support: To respond to your queries, troubleshoot issues, and provide technical and account support.
  • Billing and payments: To process invoices, manage subscriptions, and collect fees in accordance with our Terms of Service.
  • Security and fraud prevention: To monitor for and investigate suspicious activity, enforce our Terms of Service, and protect the security and integrity of our platform and users.
  • Marketing and communications: To send you information about NxgSecure's services, insights, events, and resources that we believe may be of interest to you, where you have provided consent or where we have a legitimate interest to do so. You may opt out of marketing communications at any time as described in Section 8.
  • Product improvement: To analyse usage patterns, conduct research, and develop and improve our Services. Where we use personal data for this purpose, we use aggregated or anonymised data wherever possible.
  • Legal and regulatory compliance: To comply with applicable law, respond to lawful requests from government authorities, and enforce our legal rights and agreements.

We will not use your personal data for purposes that are incompatible with those stated above without providing you with prior notice and, where required, obtaining your consent.

Section 04 Legal Basis for Processing

We process personal data only where we have a lawful basis to do so. Under the Digital Personal Data Protection Act, 2023, the primary bases on which we rely are:

  • Consent: Where you have freely given, specific, informed, and unambiguous consent to the processing of your personal data for a stated purpose — for example, when you subscribe to our newsletter or download a resource by submitting your details. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Legitimate uses (lawful purpose): Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract — for example, delivering the managed services you have subscribed to and processing related billing.
  • Compliance with law: Where processing is necessary for compliance with a legal obligation — for example, retaining financial records as required under the Income Tax Act, 1961, or responding to a lawful direction from CERT-In or other competent authorities.
  • Legitimate interests: Where processing is necessary for purposes of our legitimate interests or those of a third party, provided those interests are not overridden by your interests or fundamental rights — for example, fraud prevention, network security monitoring, and improving our services.

For clients in the European Union or United Kingdom, we additionally rely on the corresponding grounds under the General Data Protection Regulation (GDPR) / UK GDPR, including Article 6 (lawfulness of processing) and where relevant Article 9 (processing of special categories of data). A mapping of processing activities to their respective legal bases is available upon request from our Data Protection Officer.

Section 05 Data Sharing and Third Parties

We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We share personal data only in the following limited circumstances:

  • Service providers and sub-processors: We engage trusted third-party vendors to help us deliver our Services, including cloud infrastructure providers (AWS, Microsoft Azure), email and communication platforms, CRM systems, analytics tools, and payment processors. These vendors act as data processors and are contractually bound to process personal data only on our instructions and to maintain appropriate security measures. A list of our key sub-processors is available upon request.
  • Professional advisors: We may share data with our lawyers, auditors, accountants, and other professional advisors where necessary for the provision of their services to us, subject to appropriate confidentiality obligations.
  • Business transfers: In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections. We will notify affected data principals of any such transfer in accordance with applicable law.
  • Law enforcement and regulatory authorities: We may disclose personal data where required by applicable law, court order, or at the request of a government authority or regulator with lawful authority — including CERT-In, the Data Protection Board of India established under the DPDP Act, or any other competent authority. Where permitted by law, we will notify you of such requests.
  • With your consent: We may share data with third parties for other purposes with your explicit prior consent.

Where we transfer data to third parties outside India, we ensure that adequate safeguards are in place as described in Section 10.

Section 06 Data Security and Fiduciary Obligations

As a Data Fiduciary under the DPDP Act, NxgSecure is responsible for ensuring that personal data is processed in compliance with applicable law, that appropriate technical and organisational security measures are in place, and that data principals can exercise their rights effectively. We take this responsibility seriously — as a cybersecurity company, our security posture is subject to the same rigour we apply for our clients.

Our security measures include, without limitation:

  • Encryption of all personal data in transit using TLS 1.2 or higher, and at rest using AES-256
  • Role-based access controls ensuring that personal data is accessible only to personnel with a documented business need
  • Multi-factor authentication enforced for all internal systems containing personal data
  • Annual penetration testing of our platform and regular vulnerability assessments
  • SOC 2 Type II audited security practices, with annual renewal
  • ISO 27001-aligned information security management system
  • Documented data processing agreements with all sub-processors
  • Employee training on data protection and privacy at onboarding and annually thereafter

Notwithstanding these measures, no system is completely immune to security incidents. In the event of a personal data breach that is likely to result in harm to data principals, NxgSecure will notify the Data Protection Board of India and affected data principals in accordance with the timelines prescribed by the DPDP Act and its implementing rules, and in any event within seventy-two (72) hours of becoming aware of such a breach.

Section 07 Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, as described in this Policy, unless a longer retention period is required or permitted by applicable law. The following principles guide our retention practices:

  • Active client data: Personal data related to active service accounts is retained for the duration of the contractual relationship and for a period of three (3) years thereafter, unless a different period is specified in the applicable Order Form or required by law (e.g., financial records may be retained for up to eight (8) years under Indian tax law).
  • Prospect and lead data: Personal data collected from individuals who have expressed interest in our services but have not converted to clients is retained for a period of twenty-four (24) months from the last meaningful interaction. After this period, data is either deleted or anonymised.
  • Marketing consent records: Records of consent to receive marketing communications are retained for as long as the consent remains valid, plus a reasonable period thereafter as evidence of the consent.
  • Security and audit logs: System access logs and security event data are retained for a minimum of twelve (12) months in line with CERT-In directives and our own security programme requirements.
  • Legal hold: Where personal data is subject to a legal hold or pending litigation, it will be retained until the hold is released or the matter is resolved, regardless of the above periods.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in accordance with our data lifecycle management procedures. You may request information about the specific retention period applicable to your data by contacting our Data Protection Officer.

Section 08 Your Rights as a Data Principal

Under the DPDP Act and, where applicable, the GDPR, you have the following rights in relation to your personal data. We will respond to all verifiable requests within thirty (30) days of receipt, unless a shorter or longer period is required by law.

  • Right to access: You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a summary of the personal data being processed and the purposes for which it is being processed.
  • Right to correction: You have the right to request correction of inaccurate or incomplete personal data we hold about you.
  • Right to erasure: You have the right to request the erasure of your personal data where we no longer have a lawful basis to process it, or where you have withdrawn your consent (where consent was the basis for processing). This right is subject to certain exceptions under applicable law, including where retention is required for legal compliance or the establishment, exercise, or defence of legal claims.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. To withdraw consent to marketing communications, use the "unsubscribe" link in any marketing email or contact us at privacy@nxgsecure.in.
  • Right to grievance redressal: You have the right to have your grievances addressed by our Grievance Officer as described in Section 14. If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India once the Board is constituted under the DPDP Act.
  • Right to nominate: Under the DPDP Act, you may nominate another individual who shall exercise your data principal rights in the event of your death or incapacity.

To exercise any of the above rights, please submit a written request to privacy@nxgsecure.in with sufficient information to verify your identity. We will not action requests where we cannot adequately verify the identity of the requesting individual, to protect against unauthorised access or disclosure.

Section 09 Cookies and Tracking Technologies

Our website uses cookies and similar technologies (such as pixel tags and web beacons) to provide functionality, analyse traffic, and improve your experience. A cookie is a small text file placed on your device by a web server when you visit a website. Cookies may be "session cookies" (deleted when you close your browser) or "persistent cookies" (stored on your device for a defined period).

We use the following categories of cookies:

  • Strictly necessary cookies: These are essential for the operation of our website and platform. They enable core functionality such as login authentication, session management, and security features. These cookies cannot be disabled without preventing you from using our Services.
  • Analytics cookies: These cookies help us understand how visitors interact with our website by collecting information about pages visited, time spent, and any errors encountered. We use this data in aggregate and anonymised form to improve our website and user experience. We use privacy-respecting analytics tools configured to minimise collection of personally identifiable information.
  • Functional cookies: These cookies enable enhanced functionality and personalisation, such as remembering your language preferences or region selection.
  • Marketing cookies: Where you have provided consent, these cookies track your visits across websites to deliver relevant advertising. We do not use aggressive retargeting or cross-site tracking without your explicit consent.

When you first visit our website, you will be presented with a cookie consent banner allowing you to accept, decline, or customise your cookie preferences. You may change your preferences at any time by clicking the "Cookie Settings" link in the footer of our website. Please note that disabling certain cookies may affect the functionality of our website. You may also control cookies through your browser settings; please refer to your browser's documentation for instructions.

Section 10 Cross-Border Data Transfers

NxgSecure primarily stores and processes personal data within India. However, in delivering our Services, we may transfer certain personal data to countries outside India — for example, where our cloud infrastructure providers operate data centres in multiple jurisdictions, or where we engage sub-processors located abroad.

Under the DPDP Act, the Government of India will notify countries to which personal data may be transferred. Until such notifications are issued, we take a risk-based approach to cross-border transfers and implement the following safeguards:

  • Contractual protections: We execute data processing agreements with all sub-processors that include contractual clauses requiring them to implement equivalent data protection standards to those applicable in India.
  • Adequacy assessments: Before transferring personal data to a new jurisdiction, we assess the adequacy of that jurisdiction's data protection framework and, where necessary, implement additional technical or organisational safeguards.
  • Minimisation: We minimise cross-border transfers by processing personal data in India wherever technically and commercially practicable.
  • GDPR standard contractual clauses: For transfers to or from EU/UK data subjects, we rely on European Commission-approved standard contractual clauses or the UK International Data Transfer Agreement as applicable.

A list of the countries to which we currently transfer personal data and the applicable safeguards is available upon written request to our Data Protection Officer.

Section 11 Children's Privacy

Our Services are designed for and directed exclusively at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18. If you are under 18, please do not submit any personal data through our website or Services.

Under the DPDP Act, NxgSecure is prohibited from processing personal data of children (defined as individuals under the age of 18) without verifiable parental or guardian consent, and from processing personal data in a manner that is detrimental to the well-being of children. As a B2B service provider whose platform is not directed at children, we do not take steps to collect data from children and do not engage in profiling of children.

If we discover or are notified that we have inadvertently collected personal data relating to a child without verifiable parental consent, we will take prompt steps to delete that data and to notify the relevant parent or guardian if feasible. If you believe we have inadvertently collected data relating to a child, please contact us immediately at privacy@nxgsecure.in.

Section 12 Security Incident Notification

Despite our extensive security controls, no system can be guaranteed free from security incidents. In the event that NxgSecure becomes aware of a personal data breach — meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data processed by NxgSecure — we will take the following steps:

  • Containment and assessment: We will immediately activate our Incident Response Plan, contain the breach, and assess the nature, scope, and likely consequences of the incident.
  • Regulatory notification: Where the breach is likely to result in harm to data principals, we will notify the Data Protection Board of India within the timelines prescribed under the DPDP Act and its implementing rules. We will also comply with CERT-In mandatory reporting requirements under the Information Technology (Amendment) Act, 2008 and applicable CERT-In directions, including reporting within six (6) hours for designated incident types.
  • Data principal notification: Where required by the DPDP Act or where we determine in our reasonable judgement that notification is necessary to enable affected data principals to take protective action, we will notify affected data principals within seventy-two (72) hours of confirming the breach. The notification will include a description of the nature of the breach, the categories and approximate number of data principals affected, the likely consequences, and the measures we have taken or propose to take to address the breach.
  • Client notification: For personal data processed on behalf of clients (where NxgSecure acts as a Data Processor), NxgSecure will notify the relevant client of a confirmed breach as specified in the applicable Data Processing Agreement and in any event within seventy-two (72) hours.

To report a suspected security vulnerability in NxgSecure's systems, please contact our Security team at security@nxgsecure.in. We operate a responsible disclosure policy and will acknowledge all valid vulnerability reports within two (2) business days.

Section 13 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, regulatory guidance, or our Services. When we make material changes, we will:

  • Post the revised Policy on our website with an updated "Last updated" date
  • Send an email notification to the primary contact address associated with your account
  • Display a prominent notice within the Services platform on your next login

For material changes that require fresh consent under applicable law — for example, changes that introduce new purposes for processing or new categories of data — we will seek your consent before the revised Policy takes effect. For other material changes, we will provide at least thirty (30) days' advance notice before the revised Policy becomes effective in relation to existing data principals.

Your continued use of our website or Services after the effective date of any revision constitutes your acknowledgment of, and where applicable your consent to, the updated Policy. If you do not agree to the revised Policy, please discontinue your use of our Services and contact us to arrange deletion of your personal data in accordance with Section 8. We encourage you to review this Policy periodically. Prior versions of this Policy are archived and available upon request from our Data Protection Officer.

Section 14 Contact and Grievance Officer

If you have any questions, concerns, or complaints about this Privacy Policy or about how we process your personal data, or if you wish to exercise any of your rights described in Section 8, please contact us through the following channels:

  • Privacy & Data Protection: privacy@nxgsecure.in
  • Data Protection Officer: dpo@nxgsecure.in
  • Security Incidents: security@nxgsecure.in
  • General Enquiries: hello@nxgsecure.in

Grievance Officer (as required under the DPDP Act and IT Act, 2000):

In accordance with the Information Technology Act, 2000 and the DPDP Act, the name and contact details of the Grievance Officer of NxgSecure Technologies Private Limited are as follows:

  • Name: Mayank Jain
  • Designation: Co-Founder & CEO / Grievance Officer
  • Email: grievance@nxgsecure.in
  • Address: NxgSecure Technologies Private Limited, Sector 44, Gurugram — 122003, Haryana, India

The Grievance Officer shall acknowledge receipt of a grievance within five (5) business days and endeavour to resolve it within thirty (30) days of acknowledgement. If you are not satisfied with the resolution provided by the Grievance Officer, you may escalate your complaint to the Data Protection Board of India, once constituted pursuant to the DPDP Act, or to any other applicable regulatory authority.

Our business hours are Monday through Friday, 09:00–18:00 IST, excluding Indian national public holidays. For security incidents requiring urgent attention, our 24×7 Security Operations Centre is available at all times via the in-platform incident portal.
