Privacy Policy

Last updated: March 2026

1. Introduction

Foctta Technologies Private Limited ("Foctta", "we", "us", or "our") operates the FOCTTA privacy compliance platform, accessible at foctta.com and its associated services (collectively, the "Service").

This Privacy Policy describes how we collect, use, disclose, and protect your personal data when you visit our website, use our platform, or interact with us in any capacity. We are committed to protecting your privacy and handling your data with transparency — after all, privacy compliance is what we do.

By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Service.

2. Data We Collect

2.1 Account Information

When you create an account or are invited to the platform, we collect:

  • Full name and email address
  • Organization name and industry
  • Role and job title
  • Authentication credentials (managed via AWS Cognito)

2.2 Usage Data

We automatically collect certain information when you use our Service:

  • IP address and approximate geographic location (country-level)
  • Browser type, operating system, and device information
  • Pages visited, features used, and timestamps of activity
  • API request metadata (endpoints called, response codes, latency)

2.3 Customer-Managed Data

As a data processor, we store and process data that our customers ("Data Fiduciaries" under DPDPA, "Data Controllers" under GDPR) upload to the platform. This includes consent records, grievance/DSAR details, processing activity records, and audit logs. This data is owned and controlled by our customers. We process it solely on their instructions and in accordance with our Data Processing Agreement.

2.4 Communication Data

When you contact us via email, contact forms, or support channels, we collect the content of your communications along with your name and contact details.

3. How We Use Your Data

We use your personal data for the following purposes:

  • Service delivery: To provide, maintain, and improve the FOCTTA platform and its features.
  • Authentication and security: To verify your identity, manage access controls, and protect against unauthorized access.
  • Communication: To send service notifications, security alerts, support responses, and product updates.
  • Analytics: To understand how our platform is used, identify performance issues, and improve user experience.
  • Legal compliance: To comply with applicable laws, regulations, and legal processes.
  • Business operations: To manage billing, enforce our terms of service, and prevent fraud or abuse.

4. Lawful Basis for Processing

We process your personal data under the following lawful bases:

  • Contract performance: Processing necessary to provide the Service you have subscribed to (GDPR Art. 6(1)(b); DPDPA S.7 deemed consent).
  • Legitimate interest: Analytics, security monitoring, and platform improvement (GDPR Art. 6(1)(f)).
  • Consent: Marketing communications and optional cookies (GDPR Art. 6(1)(a); DPDPA S.6).
  • Legal obligation: Data retention required by tax, accounting, or regulatory requirements (GDPR Art. 6(1)(c); DPDPA S.8).

5. Data Sharing and Disclosure

We do not sell your personal data. We share data only in the following circumstances:

  • Service providers: We use third-party providers for infrastructure (AWS), authentication (AWS Cognito), email delivery, and payment processing. These providers are bound by Data Processing Agreements.
  • Legal requirements: We may disclose data when required by law, court order, or government authority, including the Data Protection Board of India.
  • Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of the transaction, with prior notice.
  • With your consent: We may share data for purposes you have explicitly consented to.

6. Data Security

We implement robust security measures to protect your data:

  • AES-256-GCM encryption at rest for all sensitive data
  • TLS 1.3 encryption for all data in transit
  • PostgreSQL Row-Level Security (RLS) for database-enforced tenant isolation
  • AWS KMS envelope encryption for credentials and secrets
  • SHA-256 hash-chained, append-only audit trail for tamper evidence
  • Role-Based Access Control (RBAC) with 5 predefined roles and 100+ permissions
  • Regular penetration testing and security assessments

While we implement industry-leading security controls, no system is completely immune to threats. We promptly investigate and respond to any suspected security incidents.

7. Data Retention

We retain your data according to the following schedule:

  • Account data: For the duration of your account plus 90 days after closure.
  • Audit logs: 7 years in compliance with DPDPA and GDPR record-keeping requirements. Archived to WORM storage after 12 months.
  • Usage analytics: Aggregated and anonymised data retained indefinitely. Identifiable usage data retained for 24 months.
  • Customer-managed data: Retained according to your subscription terms and deleted within 30 days of account termination or upon request.
  • Communication records: Retained for 36 months for support quality and dispute resolution purposes.

8. Your Rights

8.1 Under DPDPA (India)

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the right to:

  • Access a summary of your personal data and processing activities
  • Correct inaccurate or incomplete personal data
  • Erase your personal data (subject to legal retention requirements)
  • Nominate another individual to exercise your rights
  • Lodge a grievance with us or escalate to the Data Protection Board of India

We will respond to DPDPA requests within 90 calendar days.

8.2 Under GDPR (EU/EEA)

If you are in the European Economic Area, you have the right to:

  • Access your personal data (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure / right to be forgotten (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time (Art. 7)
  • Lodge a complaint with your local supervisory authority

We will respond to GDPR requests within 30 calendar days, extendable by 60 days for complex requests.

8.3 Under CCPA/CPRA (California)

If you are a California resident, you have the right to:

  • Know what personal information is collected and how it is used
  • Delete your personal information
  • Opt-out of the sale of personal information (we do not sell your data)
  • Non-discrimination for exercising your rights
  • Correct inaccurate personal information
  • Limit the use of sensitive personal information

We will respond to CCPA requests within 45 calendar days.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to provide functionality, analyse usage, and improve your experience. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

10. International Data Transfers

Your data may be transferred to and processed in countries outside your jurisdiction. We ensure appropriate safeguards are in place for all cross-border transfers:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Data Processing Agreements with all sub-processors
  • Compliance with DPDPA cross-border transfer restrictions as prescribed by the Central Government

11. Children's Privacy

Our Service is designed for business use and is not directed to children under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@foctta.com and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting a notice on our website or sending an email to your registered address at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

FOCTTA Technologies Private Limited
Data Protection Officer
Email: privacy@foctta.com

For DPDPA grievances, you may also escalate to the Data Protection Board of India if you are unsatisfied with our response within the statutory timeframe.