Privacy Policy
Last updated: June 3, 2026
Effective date: June 3, 2026
At NOTOXIC® Universe, we are committed to protecting your privacy and ensuring transparency in how we collect, use, and safeguard your personal information. This Privacy Policy explains our practices in compliance with the General Data Protection Regulation (GDPR), the India Digital Personal Data Protection Act (DPDP), and other applicable data protection laws.
1. Information We Collect
We collect information necessary to provide our services, process transactions, and enhance your experience across the NOTOXIC® Universe platform. We follow the principle of data minimization, collecting only what is necessary for specified purposes.
1.1 Personal Information
- Name, email address, phone number, and shipping address
- Account credentials and authentication data (encrypted and hashed)
- Payment information (processed securely through Razorpay; card data never stored on our servers)
- Date of birth (for age verification and membership eligibility)
- Government-issued identification (for B2B and rental services; stored securely and deleted after verification)
- Billing address and tax identification numbers (for GST compliance)
- Profile photographs (optional, for account personalization)
1.2 Special Categories of Personal Data
We may process special categories of personal data only with your explicit consent or as required by law:
- Biometric Data: If you enable biometric authentication (fingerprint, face recognition), biometric templates are stored locally on your device and encrypted. We do not store raw biometric data on our servers. Biometric authentication is optional and can be disabled at any time.
- Health-Related Data: For OneSea products designed for babies and children, we may collect health-related preferences (allergies, sensitivities) with explicit parental consent. This data is used solely for product safety recommendations and is stored securely with enhanced protection.
- Demographic Data: Age, gender, location (optional, for personalization and analytics). You can opt out of providing this information.
1.3 Transaction Information
- Order history, purchase details, and payment records
- Rental agreements and security deposit information
- Membership subscription details, tier information, and credit balances
- Plan C return records, credit transactions, and circular economy contributions
- B2B order approvals, purchase orders, and corporate account details
- Customization requests and special order requirements
- GST invoices and tax compliance records
1.4 Usage and Technical Data
- Device information, IP address, browser type, operating system, and device identifiers
- Website usage patterns, pages visited, time spent, clickstream data, and interaction data
- Cookies, pixel tags, web beacons, and similar tracking technologies (see Cookie Policy)
- Location data (with your explicit consent, for delivery optimization and localized content)
- Search queries and product browsing history
- App usage data (if using mobile applications)
- Error logs and performance metrics (anonymized)
1.5 Automated Decision-Making and Profiling Data
We use AI and machine learning algorithms to personalize your experience. This includes:
- Purchase behavior patterns and preferences analysis
- Product recommendation scores and personalization metrics
- User segmentation data (e.g., "frequent buyer", "sustainability-focused")
- Predictive analytics for inventory and demand forecasting
- Fraud detection and risk assessment scores
- Personalization scores based on engagement, preferences, and purchase history
Your Rights: You have the right to object to automated decision-making and request human review. You can opt out of personalized recommendations in your account settings. See Section 4.7 for details.
1.6 Impact and Sustainability Data
- Environmental impact metrics (water saved, CO₂ avoided, toxins reduced)
- Plan C participation and circular economy contributions
- Membership tier progression and badge achievements
- Sustainability assessment results and certifications
- Carbon footprint calculations and offset records
1.7 Content and Communications
- Customer service communications, support tickets, and chat transcripts
- Community posts, reviews, ratings, and user-generated content
- Event registrations, participation data, and feedback
- Newsletter subscriptions and marketing communication preferences
- Social media interactions (if you connect social accounts)
- Referral program participation and affiliate tracking
1.8 Service-Specific Data
- B2B Services: Company details, tax IDs, authorized signatories, credit terms, purchase order history, and corporate billing information
- Rental Services: Rental history, security deposit records, damage assessments, return condition reports, and rental preferences
- Membership Programs: Membership tier, credit balances, usage history, renewal dates, and benefit utilization
- Plan C Returns: Return history, credit issuance, product condition assessments, and circular economy impact metrics
2. Purpose and Lawful Basis of Processing
We process your personal data based on the following lawful bases under GDPR and DPDP Act. We only process data for specified, explicit, and legitimate purposes (purpose limitation principle).
2.1 Contractual Necessity
Processing necessary to perform our contract with you:
- Processing and fulfilling orders across all brands (NOTOXIC® Earth, Sustainable Clothing™, etc.)
- Managing rental agreements, security deposits, and return processing
- Providing membership services, tier benefits, and credit management
- Facilitating Plan C returns, credit processing, and circular economy transactions
- Delivering products and services as agreed in terms of service
- Processing B2B orders, approvals, and corporate account management
- Handling customizations and special order requirements
- Account management, authentication, and access control
2.2 Legitimate Interests
Processing necessary for our legitimate interests (balanced against your rights):
- Improving platform functionality, user experience, and service quality
- Preventing fraud, abuse, and ensuring platform security
- Analyzing usage patterns to enhance services and develop new features
- Managing customer relationships, support, and dispute resolution
- Business analytics and reporting (using anonymized data where possible)
- Network and information security monitoring
- Direct marketing (where you have not opted out; see Section 2.3 for consent-based marketing)
- Debt collection and payment recovery
2.3 Consent
Processing based on your explicit, informed consent (which you can withdraw at any time):
- Marketing communications, promotional emails, and newsletters
- Non-essential cookies, tracking technologies, and analytics
- Location data for personalized services and delivery optimization
- Participation in community events, programs, and user research
- Sharing data with marketing partners and third-party advertisers
- Biometric authentication (optional feature)
- Health-related data collection (for OneSea products)
- Social media integration and sharing
Withdrawing Consent: You can withdraw consent at any time through your account settings, email preferences, or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
2.4 Legal Obligations
Processing necessary to comply with legal obligations:
- Tax compliance, GST invoice generation, and financial record-keeping
- Regulatory reporting and audit requirements
- Responding to legal requests, court orders, and government inquiries
- Compliance with consumer protection laws and product safety regulations
- Age verification and preventing sales to minors
- Anti-money laundering and fraud prevention obligations
2.5 Vital Interests
Processing necessary to protect vital interests (rare circumstances):
- Emergency medical situations requiring health data disclosure
- Preventing serious harm to individuals or public safety
3. Cookie and Tracking Permissions
We use cookies and similar technologies to enhance your experience. You can manage your cookie preferences at any time through our Cookie Consent Manager.
3.1 Essential Cookies
Required for platform functionality. These cannot be disabled.
3.2 Analytics Cookies
Help us understand how visitors interact with our platform. Data is anonymized.
3.3 Marketing Cookies
Used to deliver personalized advertisements and track campaign effectiveness. Requires your explicit consent.
For detailed information, please see our Cookie Policy.
4. Your Data Protection Rights
You have comprehensive rights regarding your personal data under GDPR, DPDP Act, and other applicable laws. We are committed to facilitating the exercise of these rights.
4.1 Right of Access (GDPR Article 15, DPDP Section 11)
You have the right to obtain:
- Confirmation of whether we process your personal data
- Access to your personal data and a copy of the data
- Information about processing purposes, categories of data, recipients, retention periods
- Information about your rights and how to exercise them
- Source of data (if not collected directly from you)
- Existence of automated decision-making and profiling
How to Exercise: Submit a request to [email protected] with subject "Data Access Request". We will respond within 30 days (GDPR) or as per DPDP timelines.
4.2 Right to Rectification (GDPR Article 16, DPDP Section 12)
You can request correction of inaccurate or incomplete data:
- Update your account information directly through your account settings
- Request correction of any inaccurate data we hold
- Request completion of incomplete data
We will correct data without undue delay and notify relevant third parties where applicable.
4.3 Right to Erasure / Right to be Forgotten (GDPR Article 17, DPDP Section 13)
You can request deletion of your personal data in the following circumstances:
- Data is no longer necessary for the original purpose
- You withdraw consent and there is no other legal basis
- You object to processing and there are no overriding legitimate grounds
- Data has been unlawfully processed
- Data must be erased to comply with legal obligations
Limitations: We may retain data where required by law (e.g., tax records for 7 years), for legal claims, or for legitimate business interests (e.g., fraud prevention). We will inform you of any such limitations.
4.4 Right to Restrict Processing (GDPR Article 18)
You can request restriction of processing in certain circumstances:
- You contest the accuracy of data (while we verify)
- Processing is unlawful and you oppose erasure
- We no longer need the data but you need it for legal claims
- You have objected to processing (while we assess your objection)
When processing is restricted, we will only store the data and process it with your consent, for legal claims, or to protect rights of others.
4.5 Right to Data Portability (GDPR Article 20)
You can receive your personal data in a structured, commonly used, and machine-readable format:
- Data provided by you or generated through your use of our services
- Data processed by automated means based on consent or contract
- Format: JSON, CSV, or other standard formats as requested
- Includes: Profile data, transaction history, preferences, and usage data
How to Exercise: Request data portability through your account settings or email [email protected] with subject "Data Portability Request". We will provide data within 30 days in a portable format.
4.6 Right to Object (GDPR Article 21)
You can object to processing based on legitimate interests or for direct marketing:
- Direct Marketing: You can opt out of marketing communications at any time through email preferences, account settings, or unsubscribe links. We will stop processing for marketing immediately upon objection.
- Legitimate Interests: You can object to processing based on legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
- Profiling: You can object to automated decision-making and profiling (see Section 4.7).
4.7 Rights Related to Automated Decision-Making and Profiling (GDPR Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or significantly affect you:
- Product Recommendations: Our AI-powered recommendation engine uses automated processing. You can opt out of personalized recommendations in account settings. You can always browse products manually without algorithmic influence.
- Fraud Detection: We use automated fraud detection. If your account is flagged, you can request human review and explanation of the decision.
- Credit Scoring: For membership credits and B2B credit terms, automated scoring may be used. You can request human review of credit decisions.
- Your Rights: Request human intervention, express your point of view, contest the decision, and obtain an explanation of the logic involved.
How to Exercise: Contact us to request human review or opt out of automated decision-making in your account settings under "Privacy & Personalization".
4.8 Right to Withdraw Consent (GDPR Article 7, DPDP Section 6)
Where processing is based on consent, you can withdraw consent at any time:
- Withdrawal is as easy as giving consent
- Withdrawal does not affect lawfulness of processing before withdrawal
- You can withdraw through account settings, email preferences, or by contacting us
- We will stop processing based on consent immediately upon withdrawal
4.9 DPDP Act Specific Rights (India)
Under the India Digital Personal Data Protection Act, 2023, you have additional rights:
- Right to Access Summary: Request a summary of personal data processed and activities undertaken with respect to such data
- Right to Correction and Erasure: Similar to GDPR rights, with specific timelines as per DPDP Act
- Right to Grievance Redressal: File complaints with our Grievance Officer (see Section 11)
- Right to Nominate: Nominate another individual to exercise your rights in case of death or incapacity
For detailed DPDP compliance information, see our DPDP Act Compliance Statement.
4.10 How to Exercise Your Rights
To exercise any of these rights:
- Online: Use your account settings dashboard for common requests (profile updates, marketing preferences, data download)
- Email: Send a request to [email protected] or [email protected] with the subject line indicating the right you wish to exercise
- Verification: We may request identity verification to protect your data
- Response Time: We will respond within 30 days (GDPR) or as per applicable law timelines. Complex requests may take up to 60 days with notification.
- No Fee: Requests are generally free. We may charge a reasonable fee for manifestly unfounded or excessive requests.
5. Data Retention and Deletion
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, comply with legal obligations, resolve disputes, and enforce our agreements. We follow the principle of storage limitation.
5.1 Retention Periods by Data Category
- Account Data: Retained while your account is active. After account closure, retained for 3 years for legal, audit, and fraud prevention purposes, then securely deleted.
- Transaction Records: Retained for 7 years as required by tax and financial regulations (GST Act, Income Tax Act). Includes invoices, payment records, and order history.
- Marketing Data: Retained until consent is withdrawn, account is closed, or you opt out. We remove you from marketing lists immediately upon opt-out.
- Rental Records: Retained for 5 years after last rental transaction for liability and dispute resolution purposes.
- B2B Records: Retained for 7 years after contract termination for legal and audit compliance.
- Support Communications: Retained for 2 years after ticket resolution for quality assurance and training purposes.
- Biometric Data: If collected, retained only while biometric authentication is enabled. Deleted immediately upon disabling or account closure.
- Health Data: Retained only as long as necessary for product safety purposes (typically until product is no longer in use or account is closed).
- Impact Metrics: Retained in anonymized form indefinitely for historical reporting and analysis (no longer personal data once anonymized).
- Security Logs: Retained for 1 year for security monitoring and incident investigation, then securely deleted.
- Cookie Data: Retained according to cookie-specific retention periods (see Cookie Policy). Session cookies deleted when session ends.
5.2 Factors Affecting Retention
Retention periods may be extended in the following circumstances:
- Ongoing legal proceedings or disputes requiring data retention
- Active investigations or regulatory inquiries
- Legal obligations requiring extended retention (e.g., tax records)
- Legitimate business interests (e.g., fraud prevention, warranty claims)
5.3 Secure Deletion
When data is no longer needed, we securely delete it using:
- Secure deletion methods that prevent recovery
- Physical destruction of storage media when decommissioned
- Deletion from backups within backup retention periods
- Verification of deletion completion
5.4 Your Right to Request Deletion
You can request deletion of your data at any time (subject to legal obligations). See Section 4.3 for details on the Right to Erasure.
6. Data Sharing and Third-Party Disclosures
We share your data only with trusted partners and service providers necessary to deliver our services. We do not sell your personal data. All third parties are contractually bound to protect your data and use it only for specified purposes.
6.1 Payment Processors
- Razorpay: Payment processing, card tokenization, and fraud detection. Payment card data is never stored on our servers. Razorpay is PCI-DSS compliant. See Razorpay's Privacy Policy.
- UPI Providers: For UPI payments, data is shared with your bank and UPI service provider (e.g., Google Pay, PhonePe) as per their privacy policies.
6.2 Logistics and Delivery Partners
- Shipping Providers: We share delivery information (name, address, phone number, order details) with logistics partners including but not limited to:
- Domestic courier services (India Post, Blue Dart, Delhivery, etc.)
- International shipping providers (DHL, FedEx, etc.)
- Last-mile delivery partners
- Warehouse Partners: Order fulfillment centers receive order and inventory data necessary for processing and shipping.
6.3 Cloud and Infrastructure Services
- Cloudinary: Media storage and image processing. Data processing agreement in place. See Cloudinary's Privacy Policy.
- Hosting Providers: Cloud infrastructure providers (e.g., AWS, Google Cloud, Vercel) host our platform. All providers have data processing agreements and security certifications.
- Database Services: Managed database services with encryption at rest and in transit.
- CDN Providers: Content delivery networks for performance optimization.
6.4 Analytics and Performance Monitoring
- Web Analytics: We use analytics services (e.g., Google Analytics, custom analytics) that receive anonymized or pseudonymized usage data. IP addresses are anonymized where possible.
- Performance Monitoring: Error tracking and performance monitoring services receive technical data (error logs, performance metrics) in anonymized form.
- User Behavior Analytics: Aggregated and anonymized data for understanding user patterns and improving services.
- PostHog: Product analytics platform that receives pseudonymized event data (page views, feature usage, anonymized session recordings) to help us understand how the platform is used and where it can be improved. Data is processed under PostHog's privacy terms. See PostHog's Privacy Policy.
6.5 Marketing and Advertising Partners
Consent Required: We only share data with marketing partners with your explicit consent:
- Email Marketing: Email service providers (e.g., SendGrid, Mailchimp) for sending marketing communications (only if you have consented).
- Social Media Advertising: If you connect social media accounts or interact with our social content, data may be shared with social platforms (Facebook, Instagram, etc.) for advertising purposes (with consent).
- Retargeting: Advertising networks may receive pseudonymized data for retargeting campaigns (with consent, opt-out available).
- Affiliate Partners: Referral program data shared with affiliate tracking services.
Opt-Out: You can opt out of marketing data sharing in your account settings or email preferences. See Section 7 for marketing opt-out mechanisms.
6.6 Business Partners and Service Providers
- Twilio: Communications platform used to send transactional SMS and WhatsApp messages (order confirmations, OTPs, shipping updates). Receives phone numbers and message content strictly for the purpose of delivery. Twilio is GDPR / DPDP compliant and acts as our data processor. See Twilio's Privacy Policy.
- Customer Support: Helpdesk and support platforms receive support ticket data and communications for customer service purposes.
- B2B Partners: For B2B services, we may share company information with authorized business partners as per corporate agreements.
- Vendor Partners: NOTOXIC® Earth vendors and suppliers receive order and fulfillment data necessary for product delivery.
- Professional Services: Legal, accounting, and consulting firms may receive data for compliance and advisory purposes under confidentiality agreements.
6.7 Legal and Regulatory Disclosures
We may disclose data when required by law or to protect rights:
- In response to court orders, subpoenas, or legal processes
- To comply with government requests and regulatory requirements
- To protect our rights, property, or safety, or that of users or others
- In connection with legal proceedings or investigations
- To enforce our terms of service and policies
- To prevent fraud, abuse, or illegal activities
6.8 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of such transfers and ensure the acquiring entity continues to protect your data in accordance with this policy.
6.9 Data Processing Agreements
All third-party service providers are required to:
- Sign data processing agreements (DPAs) that comply with GDPR and DPDP requirements
- Implement appropriate technical and organizational security measures
- Use data only for specified purposes and not for their own purposes
- Notify us of any data breaches
- Delete or return data upon termination of services
- Comply with applicable data protection laws
7. WhatsApp and Messaging Communications
When you register for Build From Zero or other NOTOXIC programs and explicitly opt in to WhatsApp updates by checking the consent box at registration, we send you transactional and time-sensitive messages through the WhatsApp Business Platform (Meta). This section describes what we send, why, and how to revoke.
7.1 What WhatsApp Messages You Receive
- Welcome confirmation immediately after registration
- Brand DNA reminder 24 hours after registration if the questionnaire is incomplete
- Brand DNA result immediately after scoring (qualified or under-review status)
- Session card when you qualify for the live cohort
- Pre-session reminders at T-24h and T-1h before your scheduled live session
- No-show recovery 5 minutes after session start if attendance is not yet marked
- Post-session 1:1 booking 24 hours after the session
All WhatsApp messages are pre-approved UTILITY templates under Meta's Business Platform policies. We do not send promotional or marketing messages via WhatsApp under this opt-in. All messages relate directly to your active Build From Zero participation.
7.2 Data We Share with Meta to Enable Messaging
- Your phone number (E.164 format) — required to address the message
- Your first name — used as a template variable in message body
- Your Build From Zero stage (e.g. Brand DNA pending, qualified, attended) — determines which template fires
- Your session timing and status when applicable
Meta processes this data under its WhatsApp Business Platform Terms and Privacy Policy, including storage of message metadata for delivery and audit purposes. We do not share personal information beyond what is strictly necessary to deliver the specific message.
7.3 Lawful Basis
Your explicit consent at registration (unchecked-by-default opt-in checkbox) is the lawful basis under DPDP (India), GDPR (EEA), and Meta's Business Messaging Policy. We record the timestamp of consent (whatsappOptInAt) on your registration row and store it for the duration of your active participation plus seven years for audit compliance.
7.4 How to Revoke Consent
- Reply STOP to any NOTOXIC WhatsApp message — Meta blocks further sends from our number to yours immediately
- Email [email protected] requesting WhatsApp opt-out — we record revocation within 48 hours
- Block our WhatsApp number directly in your WhatsApp app — Meta enforces the block on its end
Revoking WhatsApp consent does not affect your active Build From Zero registration. Email updates continue (until separately unsubscribed) and you retain full access to your progress page.
8. Marketing Communications and Opt-Out Mechanisms
We respect your preferences regarding marketing communications. You have full control over how and when we contact you for marketing purposes.
7.1 Types of Marketing Communications
- Product updates, new launches, and brand announcements
- Promotional offers, discounts, and special deals
- Newsletters with sustainability insights and impact stories
- Event invitations and community updates
- Personalized product recommendations
- Abandoned cart reminders
7.2 How to Opt Out
You can opt out of marketing communications through multiple channels:
- Account Settings: Navigate to "Settings > Email Preferences" and toggle marketing communications off
- Email Unsubscribe: Click the "Unsubscribe" link in any marketing email. You will be unsubscribed immediately.
- Email Request: Send an email to [email protected] with subject "Unsubscribe from Marketing"
- Cookie Preferences: Disable marketing cookies through our Cookie Consent Manager
Service Communications: Note that opting out of marketing does not affect essential service communications (order confirmations, shipping updates, account security alerts, etc.).
7.3 Preference Management
You can manage granular preferences:
- Choose specific types of communications (e.g., product updates but not promotions)
- Set frequency preferences (daily, weekly, monthly)
- Select preferred communication channels (email, SMS, push notifications)
- Opt out of specific brands or product categories
Preferences can be updated at any time in your account settings.
8. Security Practices
We implement industry-standard security measures and follow security best practices to protect your data from unauthorized access, disclosure, alteration, and destruction.
8.1 Technical Security Measures
- Encryption: Data encrypted in transit using TLS 1.3/SSL and at rest using AES-256. All sensitive data fields are encrypted.
- Secure Authentication: Passwords are hashed using bcrypt with salt. We support multi-factor authentication (MFA) for enhanced account security.
- Biometric Security: Biometric data (if enabled) is stored locally on your device using device secure enclaves. We never store raw biometric data on our servers.
- Network Security: Firewalls, intrusion detection systems, and DDoS protection.
- Secure APIs: API endpoints use authentication tokens, rate limiting, and input validation to prevent abuse.
8.2 Organizational Security Measures
- Access Controls: Role-based access control (RBAC) with principle of least privilege. Employees and contractors only access data necessary for their roles.
- Employee Training: Regular security awareness training and data protection training for all staff.
- Background Checks: Security screening for employees with access to sensitive data.
- Confidentiality Agreements: All employees and contractors sign confidentiality and data protection agreements.
8.3 Security Monitoring and Incident Response
- Security Monitoring: 24/7 security monitoring, threat detection, and anomaly detection.
- Regular Security Audits: Third-party security assessments, penetration testing, and vulnerability scanning conducted regularly.
- Incident Response Plan: Documented procedures for detecting, responding to, and recovering from security incidents.
- Security Logging: Comprehensive audit logs of access, modifications, and security events.
8.4 Data Minimization and Retention
- No Toxic Data Philosophy: We do not collect unnecessary data or retain data beyond required periods. We follow data minimization principles.
- Data Anonymization: Where possible, we anonymize or pseudonymize data for analytics and research purposes.
- Secure Deletion: When data is no longer needed, it is securely deleted using industry-standard data destruction methods.
8.5 Compliance and Certifications
- Regular compliance audits for GDPR, DPDP, and other applicable regulations
- Security certifications and standards compliance (ISO 27001, SOC 2 where applicable)
- Third-party vendor security assessments
Your Role: You also play a role in security. Use strong passwords, enable MFA, keep your account credentials confidential, and report suspicious activity immediately.
9. Data Breach Notification
In the unlikely event of a data breach that may affect your personal data, we have procedures in place to detect, contain, and notify affected individuals and authorities.
9.1 Our Breach Response Procedures
- Immediate Containment: Upon detection, we immediately contain the breach to prevent further unauthorized access.
- Assessment: We assess the scope, nature, and potential impact of the breach.
- Remediation: We take steps to remediate the breach and prevent recurrence.
- Documentation: We document the breach, response actions, and lessons learned.
9.2 Notification to Authorities
- GDPR (EU): We notify the relevant supervisory authority within 72 hours of becoming aware of a breach that poses a risk to rights and freedoms.
- DPDP Act (India): We notify the Data Protection Board within 72 hours if the breach may cause harm to data principals.
- Other Jurisdictions: We comply with breach notification requirements in all applicable jurisdictions.
9.3 Notification to Affected Individuals
We will notify you without undue delay if a breach is likely to result in a high risk to your rights and freedoms. Notification will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects and records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
- Contact information for our Data Protection Officer or Grievance Officer
- Recommendations for steps you can take to protect yourself
9.4 Notification Methods
- Email to your registered email address
- In-app notifications for active users
- Public notice on our website if the breach affects a large number of users
- Direct communication for high-risk breaches
9.5 What You Should Do
If you receive a breach notification:
- Review the information provided carefully
- Follow any recommended security steps (e.g., change passwords, enable MFA)
- Monitor your accounts for suspicious activity
- Report any suspicious activity to us immediately
- Consider placing fraud alerts with credit bureaus if financial data was affected
10. International Data Transfers
Your data may be processed outside India and the European Economic Area (EEA) by our service providers and partners. We ensure adequate safeguards are in place to protect your data in accordance with applicable data protection laws.
10.1 Transfer Mechanisms
- Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses for transfers from the EEA to countries outside the EEA.
- Data Processing Agreements: All international partners sign comprehensive data processing agreements that include GDPR and DPDP-compliant safeguards.
- Adequacy Decisions: Where applicable, we rely on adequacy decisions recognizing certain countries as providing adequate data protection.
- Binding Corporate Rules: For intra-group transfers, we implement binding corporate rules where applicable.
10.2 Countries Where Data May Be Processed
Your data may be processed in the following countries (non-exhaustive list):
- India (primary data processing location)
- United States (cloud infrastructure, analytics services)
- European Union (if using EU-based services)
- Other countries where our service providers operate (with appropriate safeguards)
10.3 Safeguards and Your Rights
Regardless of where your data is processed:
- Your data protection rights remain the same
- We maintain the same level of data protection through contractual safeguards
- You can request information about where your data is processed
- You can object to certain transfers (subject to legal limitations)
11. Children's Privacy
NOTOXIC® Universe is not intended for children under 18 years of age. We do not knowingly collect personal information from children without appropriate parental or guardian consent.
11.1 Age Verification
- We require age verification during account creation
- Users must be at least 18 years old to create an account
- We may request proof of age for certain services (e.g., rental services)
11.2 OneSea Products for Children
For OneSea products designed for babies and children:
- Parent or guardian consent is required for account creation and purchases
- We collect minimal data necessary for product safety and recommendations
- Health-related preferences (allergies, sensitivities) are collected only with explicit parental consent and used solely for safety purposes
- Parents/guardians can access, modify, or delete their child's data at any time
11.3 If We Discover Child Data
If we discover that we have collected personal information from a child under 18 without appropriate consent:
- We will immediately delete the information from our systems
- We will notify the parent or guardian if contact information is available
- We will take steps to prevent future collection from that child
If you believe we have collected data from a child, please contact us immediately at [email protected] with subject "Child Data Removal Request".
12. Data Anonymization and Pseudonymization
We use data anonymization and pseudonymization techniques to protect privacy while enabling analytics and research.
12.1 Anonymized Data
- We anonymize data by removing all personally identifiable information
- Anonymized data cannot be linked back to individuals
- Used for analytics, research, and reporting purposes
- Anonymized data is not subject to data protection rights (as it is no longer personal data)
12.2 Pseudonymized Data
- We pseudonymize data by replacing identifiers with pseudonyms
- Pseudonymized data can be re-identified using a key (stored separately and securely)
- Used for personalization and analytics while maintaining privacy
- Pseudonymized data remains personal data and is subject to data protection rights
12.3 Aggregated Data
We create aggregated statistics and reports that do not identify individuals:
- Environmental impact metrics (e.g., "Our community saved 1M liters of water")
- Product popularity statistics
- Market research and trend analysis
- Business performance metrics
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational, legal, or regulatory reasons.
13.1 How We Notify You of Changes
- Material Changes: For material changes (e.g., new data uses, new sharing practices), we will:
  - Send an email notification to your registered email address
  - Display a prominent notice on our website and in our app
  - Provide at least 30 days' notice before changes take effect (where feasible)
- Non-Material Changes: For minor updates (e.g., clarifications, formatting), we will update the "Last updated" date and may post a notice on our website.
13.2 Reviewing Changes
We encourage you to review this Privacy Policy periodically. The "Last updated" date at the top indicates when this policy was last revised.
13.3 Your Continued Use
Your continued use of our services after changes to this Privacy Policy constitutes acceptance of the updated policy. If you do not agree with the changes, you may:
- Close your account
- Stop using our services
- Contact us to discuss your concerns
If you have questions about changes, please contact us at [email protected].
14. Data Protection Officer (DPO) and Grievance Officer
We have appointed a Data Protection Officer (for GDPR compliance) and a Grievance Officer (for DPDP Act compliance) to handle privacy inquiries, data subject requests, and complaints.
14.1 Contact Information
Data Protection Officer / Grievance Officer
NOTOXIC® Universe
Email: [email protected]
General Inquiries: [email protected]
14.2 How to Contact
When contacting us, please include:
- Subject line: "Privacy Request", "Data Protection Inquiry", or "DPDP Grievance"
- Your name and contact information
- Description of your request or concern
- Account information (if applicable) for verification purposes
14.3 Response Times
- We aim to respond to all inquiries within 30 days
- Complex requests may take up to 60 days (we will notify you if extended)
- Urgent matters (e.g., data breaches) are prioritized
14.4 Right to Lodge Complaints
You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated:
- EU/EEA: Contact your local supervisory authority. A list is available at EDPB Members
- India: Contact the Data Protection Board (once established under DPDP Act) or the relevant authority as notified by the government
- Other Jurisdictions: Contact your local data protection or privacy authority
We encourage you to contact us first to resolve any concerns, but you are not required to do so.
15. Additional Information and Resources
15.1 Related Policies
- Cookie Policy - Detailed information about cookies and tracking technologies
- Terms & Conditions - Platform usage terms and conditions
- DPDP Act Compliance Statement - India-specific data protection compliance
- GDPR Statement - EU-specific data protection information
15.2 Data Processing Register
We maintain a record of our data processing activities as required by GDPR Article 30. You can request information about specific processing activities by contacting our DPO.
15.3 Questions and Feedback
We welcome your questions, feedback, and suggestions about this Privacy Policy and our data practices. Your input helps us improve transparency and data protection.
16. Contact Us
For questions about this Privacy Policy, our data practices, or to exercise your rights, please contact us:
NOTOXIC® Universe
Email: [email protected]
Data Protection Officer: [email protected]
We are committed to protecting your privacy and will respond to all inquiries promptly and transparently.