Legal

Privacy Policy

Effective: 10 May 2026
Version: 1.0

This Privacy Policy describes the personal data Xeeed IO Private Limited ("Xeeed IO", "we", "us", "our") collects through the website at xeeed.io (the "Website") and explains how we use, store, share, and protect it. It covers Website-related processing only.

Personal data processed in connection with our platform Subscriptions (SynergyOT, CatalystOT, or any vertical extension) or through the X3EDGE hardware family is governed by separate product privacy notices set out in the relevant Order Form, Master Services Agreement, or product documentation, and those product notices override this Privacy Policy in case of conflict for any platform or hardware-related processing. Read this together with our Cookies Policy at /cookies and our Terms of Service at /terms.

About us

Xeeed IO Private Limited, T-Hub, Knowledge City, Raidurg, Hyderabad, Telangana 500081, India. Corporate Identification Number U72900TG2021PTC147488. GSTIN 36AAACX3540R1ZU.

Under the Digital Personal Data Protection Act 2023 (the "DPDP Act"), we act as a Data Fiduciary for personal data collected through this Website.

Definitions

"Data Principal" means the natural person to whom the personal data relates (you).
"Data Fiduciary" means the person who, alone or with others, determines the purpose and means of processing personal data.
"Personal Data" means any data about an individual who is identifiable by or in relation to such data.
"Sensitive Personal Data" has the meaning given in Rule 3 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
"Process" means any operation or set of operations performed on personal data.

What personal data we collect through this Website

Identity data. Name, email, phone, company, country, role. Collected when you submit a public form on this Website (contact, demo request, hardware enquiry, partnership, MNRE newsletter, distributor application, OEM partnership, and similar).
Application data. Resume, portfolio, links, written responses. Collected when you apply for an open role or partner programme advertised on this Website.
Technical data. IP address, approximate region derived from IP, browser and device summary. Used for security and abuse prevention on the Website.
Usage data. Paths visited, referrer, aggregated daily counts. The first-party usage beacon is cookieless by default; see /cookies.

We do not collect biometric data, financial-account numbers, or government-issued identity numbers through this Website. If our products require any of these in a separate context, the collection happens outside this Website and is disclosed at the point of capture under a separate written agreement.

How we use it

Respond to enquiries you initiate through a public form on this Website.
Evaluate applications for open roles or partner programmes advertised on this Website.
Send you the MNRE compliance newsletter or other updates you have opted in to.
Operate, secure, and improve this Website, including captcha verification, abuse prevention, and aggregate usage analysis.
Comply with applicable Indian and other laws, including statutory record-keeping and lawful requests from authorities.

We do not sell your personal data, do not share it for cross-context behavioural advertising, and do not use it to train third-party machine-learning models without your explicit consent.

Lawful basis for processing

We process personal data on the lawful bases set out in Sections 6 and 7 of the DPDP Act. Where required, we obtain free, specific, informed, unconditional, and unambiguous consent before processing, and you can withdraw that consent as easily as you gave it. For certain legitimate uses identified in Section 7 (performance of a contract, compliance with a legal obligation, security of the State, and employer-related processing within the prescribed scope), we process without separate consent as that section permits.

Where the EU GDPR or UK GDPR applies to your data, we rely on Article 6(1)(a) consent, Article 6(1)(b) performance of a contract, Article 6(1)(c) legal obligation, or Article 6(1)(f) legitimate interests, as appropriate.

Where personal data is stored

Our primary cloud infrastructure is located in India (Mumbai region). Personal data collected through this Website is held on Indian servers by default.

Sub-processors (Website only)

A small number of specialised vendors support the operation of this Website. We disclose them by category rather than by name so the list stays current as our stack evolves; a current vendor list for this Website is available on request through the form below (topic: Privacy / data request).

Cloud infrastructure. Primary region in India.
Transactional email delivery. Replies to your enquiries and any newsletter you have opted in to.
Bot mitigation and captcha. Form-submission abuse prevention.
First-party usage analytics. Cookieless by default. Opt-in third-party analytics if you accept the analytics-cookie category.

Each Website vendor is bound by a written data-processing agreement that imposes confidentiality, security, and onward-transfer restrictions consistent with this policy. Sub-processors used by our platform Subscriptions or by the X3EDGE hardware are listed in the relevant product documentation, not here.

Cross-border transfers

In line with Section 16 of the DPDP Act, we may transfer personal data outside India to Website sub-processors in jurisdictions that are not restricted by notification of the Central Government. Where such a transfer involves personal data subject to the EU or UK GDPR, we rely on the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism, and apply supplementary measures where the recipient jurisdiction warrants them.

Retention

Marketing leads and form submissions. Up to 24 months from last contact, then deleted or anonymised.
Job and partnership applications. Up to 24 months from submission, then anonymised. Longer only with your written consent.
Newsletter subscriptions. Until you unsubscribe.
Website security logs. IP, request metadata, captcha events. Up to 12 months for incident review.
Accounting records related to any Website transactions. 7 years per Indian statutory requirements (Companies Act 2013, Income-tax Act 1961, GST Act 2017).
Cybersecurity logs subject to specific Indian directions. For example, the CERT-In Directions of 28 April 2022. Retained for the period those directions require.

Your rights as a Data Principal under the DPDP Act

Right to access information about your personal data and how it is processed.
Right to correct, complete, or update inaccurate or incomplete personal data.
Right to erasure of personal data that is no longer needed for the purpose it was collected.
Right to nominate another individual to exercise your rights in the event of your death or incapacity.
Right of grievance redress through the Grievance Officer named below.
Right to withdraw consent at any time, with prospective effect only.

To exercise any of these rights for data collected through this Website, submit a request through our contact form at https://www.xeeed.io/contact and select "Privacy / data request" as the topic. We acknowledge requests within 7 days and respond substantively within 30 days. If your request relates to data processed by one of our products under a separate Order Form, please use the privacy contact identified in that Order Form. If you are not satisfied with our response on Website data, you may escalate to the Data Protection Board of India.

Your rights under the EU and UK GDPR

Where the EU or UK GDPR applies to you, you also have rights to data portability, to object to processing on legitimate-interest grounds, to restrict processing, and to lodge a complaint with your supervisory authority. In the EU this is your local Data Protection Authority; in the UK it is the Information Commissioner's Office. Use the same contact form to start an EU or UK GDPR request relating to Website data.

Your rights under the CCPA / CPRA (California)

If you are a California resident, you have rights to know what personal information we hold about you, to access and delete it, to correct inaccuracies, to limit our use of sensitive personal information, and to opt out of any sale or sharing for cross-context behavioural advertising. We do not sell or share personal information for cross-context behavioural advertising. To exercise any CCPA / CPRA right relating to Website data, use the contact form above.

Children

This Website is intended for business use by adults. We do not knowingly collect personal data from anyone under 18 years of age. Where Indian law requires verifiable parental consent for processing data of a child or a person with a disability who has a lawful guardian, we will obtain it before processing. If you believe we may hold data about a child, please contact us through the form below (topic: Privacy / data request) and we will investigate and erase it.

Cookies

See our Cookies Policy at /cookies for the full list of categories, durations, and your choices. Strictly-necessary cookies run for everyone. Analytics and marketing categories are off by default and only run if you opt in via the cookie banner.

Data security (Website)

For this Website, we follow reasonable security practices and procedures consistent with the IT (Reasonable Security Practices) Rules 2011 and the standards expected of a Data Fiduciary under the DPDP Act. Measures include encryption in transit (TLS), encryption at rest for backups, hashing of authentication secrets where used, role-based access control for our internal admin tools, audit logging of admin activity, captcha-gated public forms, and routine vulnerability triage. Security measures for our products are documented separately in the relevant product agreement.

Coordinated vulnerability disclosure

If you believe you have found a security vulnerability in this Website, please report it through our contact form (topic: Security / vulnerability report) before publishing. We aim to acknowledge within 72 hours, investigate, and remediate. We do not pursue legal action against good-faith security researchers who follow this disclosure process and act within the scope of the Information Technology Act 2000. Vulnerabilities in our products carry their own coordinated disclosure terms in the relevant product documentation.

Breach notification

If a personal-data breach affecting Website data is likely to result in risk to your rights or interests, we notify you and the Data Protection Board of India in line with the DPDP Act. Where the CERT-In Directions of 28 April 2022 apply to the incident, we report qualifying cybersecurity incidents to CERT-In within the timelines those directions prescribe. We do not make a single, fixed contractual commitment in this policy because applicable timelines vary by incident type and jurisdiction; we commit to act in line with the law that applies.

International users

This Website is operated from India. We do not target users in jurisdictions on the United Nations Security Council sanctions list, the United States Office of Foreign Assets Control sanctions list, the European Union sanctions list, or any equivalent Indian or international sanctions list. If you access this Website from elsewhere, you are responsible for compliance with the laws of your jurisdiction.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The version number and effective date at the foot of this page show when it was last revised. Material changes are highlighted at the top of this page for at least 30 days before they take effect.

Grievance Officer and Data Protection Officer

In line with the DPDP Act and the IT Act 2000, we have appointed a Grievance Officer and a Data Protection Officer for India. To minimise spam exposure of named individuals, both can be reached through our contact form at https://www.xeeed.io/contact for any matter relating to data collected through this Website. Choose the topic "Privacy / data request" for data-subject requests, or the topic "Security / vulnerability report" for security matters. We acknowledge each request within 7 days and respond substantively within 30 days. If your concern is not resolved, you may escalate to the Data Protection Board of India.

Contact

Xeeed IO Private Limited, T-Hub, Knowledge City, Raidurg, Hyderabad, Telangana 500081, India. Corporate Identification Number U72900TG2021PTC147488. GSTIN 36AAACX3540R1ZU.

Use our contact form at https://www.xeeed.io/contact for all enquiries about this Website; pick the topic that best describes your request.

Home

Legal

Privacy Policy

Effective: 10 May 2026
Version: 1.0

About us

Xeeed IO Private Limited, T-Hub, Knowledge City, Raidurg, Hyderabad, Telangana 500081, India. Corporate Identification Number U72900TG2021PTC147488. GSTIN 36AAACX3540R1ZU.

Under the Digital Personal Data Protection Act 2023 (the "DPDP Act"), we act as a Data Fiduciary for personal data collected through this Website.

Definitions

"Data Principal" means the natural person to whom the personal data relates (you).
"Data Fiduciary" means the person who, alone or with others, determines the purpose and means of processing personal data.
"Personal Data" means any data about an individual who is identifiable by or in relation to such data.
"Sensitive Personal Data" has the meaning given in Rule 3 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
"Process" means any operation or set of operations performed on personal data.

What personal data we collect through this Website

Identity data. Name, email, phone, company, country, role. Collected when you submit a public form on this Website (contact, demo request, hardware enquiry, partnership, MNRE newsletter, distributor application, OEM partnership, and similar).
Application data. Resume, portfolio, links, written responses. Collected when you apply for an open role or partner programme advertised on this Website.
Technical data. IP address, approximate region derived from IP, browser and device summary. Used for security and abuse prevention on the Website.
Usage data. Paths visited, referrer, aggregated daily counts. The first-party usage beacon is cookieless by default; see /cookies.

How we use it

Respond to enquiries you initiate through a public form on this Website.
Evaluate applications for open roles or partner programmes advertised on this Website.
Send you the MNRE compliance newsletter or other updates you have opted in to.
Operate, secure, and improve this Website, including captcha verification, abuse prevention, and aggregate usage analysis.
Comply with applicable Indian and other laws, including statutory record-keeping and lawful requests from authorities.

We do not sell your personal data, do not share it for cross-context behavioural advertising, and do not use it to train third-party machine-learning models without your explicit consent.

Lawful basis for processing

Where personal data is stored

Our primary cloud infrastructure is located in India (Mumbai region). Personal data collected through this Website is held on Indian servers by default.

Sub-processors (Website only)

Cloud infrastructure. Primary region in India.
Transactional email delivery. Replies to your enquiries and any newsletter you have opted in to.
Bot mitigation and captcha. Form-submission abuse prevention.
First-party usage analytics. Cookieless by default. Opt-in third-party analytics if you accept the analytics-cookie category.

Cross-border transfers

Retention

Marketing leads and form submissions. Up to 24 months from last contact, then deleted or anonymised.
Job and partnership applications. Up to 24 months from submission, then anonymised. Longer only with your written consent.
Newsletter subscriptions. Until you unsubscribe.
Website security logs. IP, request metadata, captcha events. Up to 12 months for incident review.
Accounting records related to any Website transactions. 7 years per Indian statutory requirements (Companies Act 2013, Income-tax Act 1961, GST Act 2017).
Cybersecurity logs subject to specific Indian directions. For example, the CERT-In Directions of 28 April 2022. Retained for the period those directions require.

Your rights as a Data Principal under the DPDP Act

Right to access information about your personal data and how it is processed.
Right to correct, complete, or update inaccurate or incomplete personal data.
Right to erasure of personal data that is no longer needed for the purpose it was collected.
Right to nominate another individual to exercise your rights in the event of your death or incapacity.
Right of grievance redress through the Grievance Officer named below.
Right to withdraw consent at any time, with prospective effect only.

Your rights under the EU and UK GDPR

Your rights under the CCPA / CPRA (California)

Children

Cookies

Data security (Website)

Coordinated vulnerability disclosure

Breach notification

International users

Changes to this Privacy Policy

Grievance Officer and Data Protection Officer

Contact

Xeeed IO Private Limited, T-Hub, Knowledge City, Raidurg, Hyderabad, Telangana 500081, India. Corporate Identification Number U72900TG2021PTC147488. GSTIN 36AAACX3540R1ZU.

Use our contact form at https://www.xeeed.io/contact for all enquiries about this Website; pick the topic that best describes your request.