1. Overview

Truvixx ("we," "us," or "our") is a background verification and risk intelligence platform operated by Truvixx Technologies Private Limited, a company incorporated under the Companies Act, 2013, with its registered office in India. We provide identity verification, employment history checks, criminal record searches, education authentication, address verification, and related due-diligence services to enterprise clients ("Clients") and their authorised end users ("Data Subjects").

This Privacy Policy explains how we collect, process, store, share, and protect personal data when you visit our website, use our platform, or when our Clients submit your data for a verification check. It is framed in compliance with the Digital Personal Data Protection (DPDP) Act, 2023, the Information Technology Act, 2000, and applicable rules thereunder.

Truvixx acts as a Data Processor when processing verification data on behalf of enterprise Clients (the Data Fiduciaries). We act as a Data Fiduciary in our own right for data collected directly from website visitors, registered users, and job applicants.

By accessing our platform or consenting to a verification check initiated by a Truvixx Client, you acknowledge that you have read and understood this policy.

2. Information We Collect

2.1 Data You Provide Directly

Name, email address, and phone number when you register for a platform account or contact us.
Company name, designation, and business email when you sign up as an enterprise Client.
Payment and billing information (processed by our PCI-DSS compliant payment partners — we do not store raw card data).
Communications you send us via our contact form, email, or live chat.

2.2 Verification Data Submitted by Clients

When a Client initiates a background check on a Data Subject, the following categories of personal data may be collected and processed:

Identity information: Full name, date of birth, gender, father's name, Aadhaar number (masked), PAN number, passport number, voter ID.
Employment information: Previous employer names, job titles, dates of employment, reporting manager details, UAN (EPFO).
Education information: Institution name, degree, roll number, year of passing, certificate images.
Address information: Current and permanent residential addresses, address proof documents.
Criminal and legal information: Court case numbers, FIR details (sourced from public court records and databases).
Biometric data: Selfie photographs and liveness detection outputs for identity verification workflows (processed with explicit consent).
Vehicle and licence data: Driving licence number, vehicle registration number, challan details (for driver verification checks).

2.3 Automatically Collected Data

IP address, browser type, operating system, and device identifiers.
Pages visited, time spent, referral URLs, and click-stream data.
API request logs including endpoint, timestamp, response codes, and Client identifier.
Cookies and similar tracking technologies — see our Cookies Policy for full details.

2.4 Data From Third-Party Sources

Government and statutory databases: UIDAI (Aadhaar), Income Tax Department (PAN), MoRTH/Sarathi (DL), Vahan (RC), EPFO, GSTN, MCA/ROC.
Judiciary databases: District court, High Court, and Supreme Court public records.
Regulatory watchlists: SEBI, RBI, IRDAI, and ED databases.
UGC-DEB, DigiLocker, and Academic Bank of Credits for education verification.

3. How We Use Your Information

3.1 Service Delivery

Performing background verification checks as instructed by our enterprise Clients.
Generating structured, audit-ready verification reports.
Providing API access and dashboard functionality to registered Clients.
Processing payments and issuing invoices for our services.

3.2 Compliance and Legal Obligations

Complying with obligations under the DPDP Act 2023, IT Act 2000, and applicable sector-specific regulations.
Maintaining audit trails and records as required by law or by our Clients' regulated industries.
Responding to lawful requests from courts, government authorities, or law enforcement.

3.3 Platform Improvement

Analysing aggregate, anonymised usage data to improve accuracy, speed, and coverage of our verification services.
Conducting security monitoring and fraud detection on our systems.
Debugging, testing, and improving our machine learning models using anonymised datasets only.

3.4 Communications

Sending transactional emails — verification reports, account alerts, invoices.
Sending service updates, regulatory change notices, and product announcements to registered Clients (with opt-out available).
Responding to enquiries submitted via our contact form or support channels.

We do not use personal data submitted for verification purposes for any marketing, profiling, or analytics activities. Verification data is used solely for the purpose for which it was collected.

4. Data Sharing & Disclosure

4.1 Authorised Data Sharing

We share personal data only in the following limited circumstances:

With Clients: Verification results and reports are shared with the enterprise Client that initiated the check. Clients are contractually bound to handle this data in accordance with applicable data protection law.
With authorised data sources: We query government and public databases (UIDAI, EPFO, MoRTH, etc.) to fulfil verification requests. Only the minimum data required for each query is transmitted.
With sub-processors: We engage vetted third-party service providers for cloud hosting, email delivery, and payment processing. All sub-processors are bound by data processing agreements aligned with DPDP Act obligations.

4.2 Legal Disclosures

We may disclose personal data when required by:

A court order, tribunal direction, or other lawful judicial process.
A directive from a competent government authority or law enforcement agency under Indian law.
Our legal counsel, solely for the purpose of obtaining legal advice, under strict confidentiality.

4.3 What We Do Not Do

We do not sell personal data to third parties.
We do not share personal data with advertisers, data brokers, or marketing platforms.
We do not share verification data across separate Client accounts.
We do not use verification data to train commercial AI models without explicit, separately obtained consent.

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law.

Data Category	Retention Period	Basis
Verification reports (client-initiated)	7 years from report date	Legal / audit requirement
Biometric / liveness data	30 days from processing	Minimum necessary
Aadhaar / PAN query logs (masked)	5 years	IT Act & UIDAI guidelines
Platform account data	Duration of account + 2 years	Contractual obligation
Website usage & analytics	13 months (rolling)	Legitimate interest
API access logs	2 years	Security & audit
Support communications	3 years	Service quality
Payment records	8 years	Taxation law

When the retention period expires, data is securely deleted or irreversibly anonymised in accordance with our Data Deletion Standard. Clients may request earlier deletion of their verification data subject to contractual terms and legal hold obligations.

6. Your Rights Under the DPDP Act 2023

The Digital Personal Data Protection Act, 2023 grants Data Principals (individuals whose data is processed) the following rights, which you may exercise by contacting our Data Protection Officer at privacy@truvixx.com:

6.1 Right to Access

You have the right to obtain a summary of the personal data Truvixx holds about you and the purposes for which it is being processed.

6.2 Right to Correction and Erasure

You may request correction of inaccurate or incomplete personal data, and in certain circumstances, request erasure of your data. Note that erasure may be limited where we have a legal obligation to retain the data.

6.3 Right to Grievance Redressal

If you have a grievance relating to the processing of your personal data, you may contact our Grievance Officer. If your grievance remains unresolved, you may approach the Data Protection Board of India once established under the DPDP Act 2023.

6.4 Right to Nominate

You have the right to nominate an individual who may, in the event of your death or incapacity, exercise your rights under this section.

6.5 Right to Withdraw Consent

Where processing is based on your consent (e.g., biometric data for identity verification), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Where a verification check was initiated by an enterprise Client, your rights in relation to that check should primarily be exercised with the Client (the Data Fiduciary). Truvixx, acting as a Data Processor, will assist the Client in responding to your request within the statutory timeframe.

7. Security Measures

We implement a defence-in-depth security architecture to protect personal data from unauthorised access, loss, alteration, or disclosure:

7.1 Encryption

All data in transit is protected using TLS 1.3 with strong cipher suites.
Data at rest is encrypted using AES-256, including database storage and backup archives.
Sensitive fields (Aadhaar numbers, PAN numbers) are additionally tokenised or masked at the application layer.

7.2 Access Controls

Role-based access control (RBAC) ensures employees access only the data necessary for their job function.
All access to production systems requires multi-factor authentication (MFA).
Privileged access is logged, monitored, and subject to quarterly access reviews.

7.3 Infrastructure and Operations

Our platform is hosted on ISO 27001-certified cloud infrastructure within India.
We conduct annual third-party penetration tests and internal vulnerability assessments quarterly.
A 24×7 security operations function monitors for anomalous access patterns and data exfiltration.
We maintain a documented Incident Response Plan with defined RTO and RPO targets.

7.4 Employee Practices

All Truvixx employees sign confidentiality agreements covering personal data.
Mandatory data protection training is completed on joining and annually thereafter.
Employees who handle verification data are themselves subject to background screening.

Despite our best efforts, no system is completely impenetrable. In the event of a personal data breach affecting your rights, we will notify the relevant authorities and affected individuals as required under the DPDP Act 2023.

8. Cross-Border Data Transfers

Truvixx processes and stores all verification data within India, on cloud infrastructure located in Indian data centres. We do not transfer verification data outside India except where:

Required by law or a lawful government direction.
Explicitly authorised by the relevant enterprise Client under a separate Data Transfer Agreement compliant with applicable law.
Necessary for the specific request of the Data Principal with their explicit consent.

Our sub-processors that provide ancillary services (e.g., transactional email, support ticketing) may process limited platform metadata outside India. In all such cases, we ensure equivalent data protection standards apply through contractual safeguards.

9. Children's Privacy

Truvixx's services are directed solely at enterprises and business professionals. We do not knowingly collect personal data from individuals under the age of 18. Our platform is not designed for use by minors, and our enterprise contracts require Clients to ensure that any individual whose data is submitted for verification has attained the age of majority.

If you believe that a minor's personal data has been submitted to our platform without lawful basis, please contact privacy@truvixx.com immediately and we will take steps to delete that data.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Notify registered Clients via email at least 30 days before the changes take effect.
Display a prominent notice on our platform dashboard for a period of 30 days.

Your continued use of the Truvixx platform after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree with a material change, you may terminate your account in accordance with our Terms of Service.

11. Contact Our Data Protection Officer

For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact:

Data Protection Officer — Truvixx.

Email: privacy@truvixx.com

Response time: Within 48 hours for general enquiries; 72 hours for formal rights requests.

Grievance Redressal: Complaints unresolved within 30 days may be escalated to the Data Protection Board of India.

We take all data protection enquiries seriously and are committed to resolving them promptly, transparently, and in accordance with applicable law.