Privacy Policy

Indoteh Technologies Ltd. (“Indoteh,” “we,” “us,” or “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website at indoteh.com, use our platform, or interact with our services (collectively, the “Services”).

This policy is provided in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) where applicable. We encourage you to read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read and understood this policy.

For the purposes of data protection legislation, we act as a data controller in relation to the personal data we collect and process through our Services. We are committed to ensuring that your personal data is processed lawfully, fairly, and in a transparent manner.

The data controller responsible for your personal data is:

If you have any questions or concerns about our processing of your personal data, or if you wish to exercise any of your data protection rights, please contact our Data Protection Officer (DPO) at dpo@indoteh.com.

We collect and process the following categories of personal data in accordance with Article 13 and Article 14 of the GDPR:

3.1 Personal Data You Provide

• Account Information: Name, email address, company name, job title, phone number, and billing address when you create an account or subscribe to our Services
• Communication Data: Content of messages, enquiries, and correspondence when you contact us via email, contact forms, or customer support channels
• Payment Data: Payment card details, billing information, and transaction history processed through our secure payment processor; we do not store complete payment card numbers on our servers
• Profile Data: Preferences, settings, feedback, survey responses, and any other information you voluntarily provide

3.2 Usage Data

• Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution, time zone settings, and language preferences
• Interaction Data: Pages visited, features used, click patterns, session duration, referral URLs, search queries within the platform, and navigation paths
• Log Data: Server logs, access timestamps, error logs, and API usage records

3.3 Analytical Data

• Platform Analytics: Custom dashboards, saved queries, analytical configurations, watchlists, and alert preferences you create within the platform
• Uploaded Data: Datasets, files, and data you upload or input into the Services for analytical processing

3.4 Cookies and Tracking Technologies

We use cookies, web beacons, pixels, and similar tracking technologies to collect information about your browsing activities on our website. For comprehensive details on the cookies we use and how to manage your preferences, please refer to our Cookie Policy.

In accordance with Article 6 of the GDPR, we process your personal data on the following legal bases:

4.1 Consent (Article 6(1)(a) GDPR)

Where you have given clear, specific, and informed consent for us to process your personal data for a particular purpose, such as receiving marketing communications, newsletters, or enabling non-essential cookies. You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4.2 Contractual Necessity (Article 6(1)(b) GDPR)

Processing is necessary for the performance of a contract to which you are party, or to take steps at your request prior to entering into a contract. This includes creating and managing your account, providing our analytical services, processing payments, and delivering customer support.

4.3 Legitimate Interest (Article 6(1)(f) GDPR)

Processing is necessary for the purposes of our legitimate interests, provided such interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include: improving and optimising our Services, ensuring network and information security, preventing fraud, conducting analytics to understand how our Services are used, and direct marketing to existing customers for similar products and services.

4.4 Legal Obligation (Article 6(1)(c) GDPR)

Processing is necessary for compliance with a legal obligation to which we are subject, such as tax reporting, financial record-keeping, and responding to lawful requests from public authorities.

We use your personal data for the following purposes:

• Service Delivery: To create and manage your account, provide and maintain our analytical platform, process your transactions, and deliver the features and functionality of the Services
• Personalisation: To personalise your experience, tailor content and analytical dashboards to your preferences, and provide relevant recommendations
• Communication: To send you service-related notifications, account updates, security alerts, technical notices, and respond to your enquiries and support requests
• Analytics and Improvement: To analyse usage patterns, monitor platform performance, diagnose technical issues, and improve the quality and functionality of our Services
• Marketing: To send you promotional communications about our products, services, and events where you have consented or where we have a legitimate interest to do so; you may opt out at any time
• Security and Fraud Prevention: To detect, prevent, and address fraud, abuse, security breaches, and technical issues, and to protect the rights, property, and safety of Indoteh and our users
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests

We do not sell your personal data. We may share your personal data with the following categories of third parties, only to the extent necessary and in compliance with applicable data protection laws:

• Service Providers: Trusted third-party companies that perform services on our behalf, including cloud hosting (e.g., Amazon Web Services, Google Cloud Platform), payment processing (e.g., Stripe), email delivery, analytics, and customer support tools. These providers are contractually bound to process your data only as directed by us and in accordance with this Privacy Policy
• Business Transfers: In connection with a merger, acquisition, reorganisation, sale of assets, or bankruptcy, your personal data may be transferred as part of the business assets, subject to the commitments made in this Privacy Policy
• Legal Requirements: When required by law, subpoena, court order, or governmental regulation, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, investigate fraud, or respond to a government request
• With Your Consent: We may share your information for any other purpose disclosed to you at the time of collection or with your explicit consent

All third-party service providers are required to implement appropriate technical and organisational measures to ensure the security and confidentiality of your personal data. We enter into data processing agreements (DPAs) in accordance with Article 28 of the GDPR with all processors who handle personal data on our behalf.

Your personal data may be transferred to, stored, and processed in countries outside the United Kingdom and the European Economic Area (EEA). When we transfer your personal data internationally, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

• Transfers to countries that have been deemed to provide an adequate level of data protection by the UK Government or the European Commission (adequacy decisions under Article 45 GDPR)
• Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner’s Office (Article 46(2)(c) GDPR)
• Binding Corporate Rules for transfers within our corporate group (Article 47 GDPR)
• Your explicit consent for specific transfers where no other safeguard is available (Article 49(1)(a) GDPR)

You may request a copy of the safeguards we have put in place for international data transfers by contacting our DPO at dpo@indoteh.com.

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, in accordance with the data minimisation principle under Article 5(1)(e) of the GDPR. Our retention periods are determined based on the following criteria:

• Account Data: Retained for the duration of your active account and for a period of 30 days following account closure to allow for account recovery, after which it is deleted or anonymised
• Transaction Data: Retained for seven (7) years from the date of the transaction, as required by applicable tax and accounting laws
• Usage Data: Retained in identifiable form for up to twenty-four (24) months, after which it is aggregated or anonymised for analytical purposes
• Marketing Data: Retained until you withdraw your consent or opt out of marketing communications, plus a suppression period to ensure your preference is honoured
• Communication Records: Support correspondence and enquiries are retained for up to three (3) years for quality assurance and dispute resolution

When personal data is no longer necessary for its original purpose or any legal retention obligation, we will securely delete or irreversibly anonymise it.

Under the GDPR and applicable data protection laws, you have the following rights in relation to your personal data. You may exercise any of these rights by contacting our Data Protection Officer at dpo@indoteh.com:

• Right of Access (Article 15 GDPR): You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data, along with information about the purposes of processing, the categories of data concerned, and the recipients
• Right to Rectification (Article 16 GDPR): You have the right to request correction of inaccurate personal data and to have incomplete data completed
• Right to Erasure (Article 17 GDPR): You have the right to request deletion of your personal data where there is no compelling reason for its continued processing, including when the data is no longer necessary for its original purpose, you withdraw consent, or you object to processing
• Right to Data Portability (Article 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance
• Right to Object (Article 21 GDPR): You have the right to object to processing of your personal data based on our legitimate interests. Where you object to processing for direct marketing purposes, we will cease processing immediately
• Right to Restriction (Article 18 GDPR): You have the right to request restriction of processing of your personal data where you contest its accuracy, the processing is unlawful, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of our legitimate grounds
• Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal

We will respond to your request within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local supervisory authority if you believe your data protection rights have been violated.

In accordance with Article 22 of the GDPR, we inform you that our platform utilises automated processing, including machine learning algorithms and neural network architectures, to generate market analytics, predictions, and insights. These automated processes operate on market data and do not produce legal effects or similarly significant effects on individuals.

We do not use automated decision-making, including profiling, in a way that produces legal effects concerning you or similarly significantly affects you, without your explicit consent or where it is necessary for the performance of a contract. Where automated processing is used for personalisation of the Services (such as tailored dashboard recommendations), you have the right to request human intervention, express your point of view, and contest the decision.

Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal data from children. In accordance with Article 8 of the GDPR regarding conditions applicable to a child’s consent, if we become aware that we have inadvertently collected personal data from a child under the age of 16 (or the applicable age of digital consent in their jurisdiction) without verifiable parental consent, we will take steps to delete such information from our records as promptly as possible.

If you are a parent or guardian and you believe that your child has provided us with personal data, please contact us at dpo@indoteh.com so that we can take the necessary steps.

In accordance with Article 32 of the GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit (TLS 1.3) and at rest (AES-256)
• Regular security assessments, penetration testing, and vulnerability scanning of our infrastructure
• Strict access controls and role-based permissions, ensuring that only authorised personnel can access personal data on a need-to-know basis
• Multi-factor authentication (MFA) for administrative access to systems containing personal data
• Continuous monitoring, logging, and alerting for suspicious activities and security incidents
• Regular staff training on data protection, information security, and incident response procedures
• Documented incident response and data breach notification procedures in accordance with Articles 33 and 34 of the GDPR

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security but are committed to maintaining and continuously improving our security posture.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the “Last updated” date at the top of this page and, where appropriate, by sending you a notification by email or through the platform.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of the Services after the posting of changes constitutes your acceptance of such changes. If you do not agree with any changes, you should discontinue use of the Services and request deletion of your personal data.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) or your local data protection supervisory authority if you believe that your personal data has been processed in violation of applicable data protection laws.