Privacy Policy
Transparent Data Practices Built on Global Privacy Standards
Introduction
Xotiv Technologies Pvt Ltd (“Xotiv,” “we,” “our,” or “us”) is a global technology consulting, software engineering, AI services, and digital transformation company registered under the laws of India. We are committed to protecting the privacy, security, and confidentiality of all personal information we process as part of our websites, services, products, and client engagements.
This Privacy Policy explains how we collect, use, store, share, and protect personal data in compliance with:
- GDPR (EU & UK General Data Protection Regulation)
- CCPA & CPRA (California)
- India Digital Personal Data Protection Act (DPDP)
- SOC 2 Trust Service Criteria
- HIPAA (for healthcare-related services)
- ISO 27001/27701 privacy and security controls
- Other applicable global data protection frameworks
This policy applies to:
- Visitors to our websites
- Clients and representatives
- Candidates and contractors
- Users of our software and SaaS products
- Staff augmentation resources
- Partners and vendors
By using our services, you agree to the terms of this Privacy Policy.
Definitions
To support clarity and compliance, key terms are defined as follows:
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data — collection, storage, use, transfer, deletion.
Controller: Entity determining the purposes and means of processing personal data.
Processor: Entity processing personal data on behalf of a controller.
Sensitive Personal Data: Health, biometric, financial, geolocation, or protected category information.
DPO: Data Protection Officer or designated privacy contact (privacy@xotiv.com).
Personal Data We Collect
We collect personal data in several contexts:
A. Data You Provide Directly
- Name, job title, company, country
- Email address, phone number
- Login credentials
- Billing & invoicing information
- Project details and requirements
- Resumes, portfolios, background details (candidates)
B. Data We Collect Automatically
- IP address
- Device identifiers
- Browser information
- Location (approximate, non-GPS)
- Session logs, page interactions
- Analytics & behavior patterns
- Cookies and tracking data
C. Data Received from Third Parties
- Recruitment partners
- Business partners & marketplaces
- Background check vendors
- Advertising networks
- Public databases & LinkedIn
D. Sensitive Data (Processed Only When Required)
Used only for regulated industries (healthcare, BFSI):
- Health information (HIPAA-compliant systems only)
- Government IDs for staffing compliance
- Financial information
- Access credential logs
We do NOT sell personal data.
Legal Basis for Processing
We process personal data based on the following lawful grounds:
GDPR Legal Basis
- Contractual necessity — providing services to you or your employer
- Legitimate interest — business operations, security, fraud prevention, analytics
- Consent — marketing, cookies, optional services
- Legal obligation — compliance, taxation, regulatory filings
DPDP Act Legal Basis
- Consent and legitimate uses described under DPDP Section 7
CCPA / CPRA Compliance
- We do not “sell” personal data
- We do not share data for cross-context behavioral advertising
HIPAA
When operating as a Business Associate, we follow:
- Minimum Necessary Rule
- PHI protection and access controls
- Signed Business Associate Agreements (BAAs)
Purpose of Processing
We use your data for the following purposes:
- Delivering software development & consulting services
- Providing AI, cloud, and DevOps solutions
- Managing client accounts and projects
- Screening, onboarding, and managing talent
- Improving website and product performance
- Sending updates, insights, alerts, and marketing communication
- Conducting security monitoring and fraud prevention
- Complying with legal, regulatory, and contractual obligations
Data Retention
We retain personal data based on:
- Business necessity
- Legal / regulatory requirements
- Client contractual terms
- Industry standards
Retention timelines:
| Data Type | Retention Duration |
|---|---|
| Client project data | 7 years (or as per contract) |
| Candidate data | 3 years or until consent withdrawn |
| Website data (cookies / logs) | 12–24 months |
| Billing & contracts | 7–10 years |
| Health / HIPAA data | As per BAA terms |
Data Sharing & Disclosures
We share personal data only with:
A. Internal Teams
- Engineering & delivery teams
- Recruitment teams
- Security & compliance teams
B. External Third Parties
- Infrastructure providers (AWS, Azure, Google Cloud)
- CRM & marketing systems (HubSpot, Salesforce)
- Analytics platforms
- Background verification agencies
- Payment processors
- Legal & compliance advisors
- Subcontractors authorized by clients
All third parties undergo SOC 2–aligned vendor risk assessment.
C. Legal, Regulatory & Security Disclosures
We may disclose personal data:
- When required by law or court order
- To prevent security threats, fraud, or harm
- To enforce contractual terms
No data is sold under any circumstances.
International Data Transfers
As a global IT provider, we process data in:
- India
- United States
- European Union
- UAE
- Singapore
We ensure lawful international transfers via:
- GDPR Standard Contractual Clauses (SCCs)
- Data Processing Agreements (DPAs)
- HIPAA Business Associate Agreements (BAAs)
- ISO 27001 security controls
- Regional compliance frameworks
Security Measures
Xotiv implements enterprise-grade security including:
- SOC 2–aligned security controls
- ISO 27001 / 27701 compliant processes
- Encryption in transit (TLS 1.2 or higher)
- Zero Trust access policies
- Firewalls and intrusion detection systems
- Endpoint protection and EDR tools
- Identity and access management (MFA, RBAC)
- Secure software development lifecycle (DevSecOps)
- Annual vulnerability scans and penetration tests
- Data minimization & anonymization
We follow the HIPAA Security Rule for healthcare engagements.
Cookie & Tracking Policy
We use:
- Essential cookies
- Functional cookies
- Analytics cookies
- Performance cookies
- Marketing and retargeting cookies
Users may manage or reject non-essential cookies at any time.
A complete Cookie Policy is available separately.
Your Rights
Depending on your region, you have the right to:
- Access personal data
- Request correction
- Request deletion / erasure
- Restrict or object to processing
- Data portability
- Withdraw consent
- Opt out of marketing
- Opt out of sale / sharing (CCPA)
- Request data processing details
Submit requests at:
Responses are provided within:
- 30 days (GDPR & DPDP)
- 45 days (CCPA / CPRA)
Children’s Privacy
We do not knowingly collect data from individuals below:
- 16 years (GDPR & CPRA)
- 18 years (DPDP Act)
HIPAA Compliance
For U.S. healthcare clients, we:
- Enter into a Business Associate Agreement
- Protect PHI under HIPAA Privacy & Security Rules
- Maintain audit logs, access controls & encryption
- Follow breach notification timelines
SOC 2 Compliance Alignment
We follow SOC 2 Trust Service Principles:
- Security
- Availability
- Confidentiality
- Processing Integrity
- Privacy
Including:
- Access control policies
- Logical & physical security
- Incident response
- Change management
- Vendor risk management
Data Breach Notification
We follow legally mandated timelines:
- 72 hours (GDPR)
- Without undue delay (DPDP Act)
- As per BAA (HIPAA)
- California breach notification requirements (Cal. Civ. Code § 1798.82)
You will be informed if your data is impacted.
Data Protection Officer (Interim Contact)
We currently do not have a formally appointed DPO. Until then, all privacy and compliance inquiries may be directed to:
Changes to This Policy
We may update this policy periodically. The updated version will be posted on this page with a new “Last Updated” date.
Contact Information
Xotiv Technologies Pvt Ltd
A-152, Sector-63, Noida, U.P. – 201301, India

Tarun Kumar