Privacy Policy

1. Who we are

Emithran Technologies Private Limited is registered in India and operates the Emithran manufacturing intelligence platform available at emithran.in and related subdomains. Our platform serves procurement professionals, cost engineers, supply chain managers, and operations teams at manufacturing companies globally, with a primary focus on India, Southeast Asia, and the United Kingdom.

For the purposes of applicable data protection law, Emithran is the data controller for personal data collected through our website and platform. Where we process personal data on behalf of business customers, we act as a data processor under the terms of our Data Processing Agreement.

2. Personal Data we collect

The personal data we collect depends on how you interact with Emithran. We have categorised users into three groups:

a. Platform Users

Platform Users are individuals who create an account and use the Emithran platform directly - engineers, procurement managers, cost analysts, and supply chain professionals.

Personal Data we collect:

• Account information: full name, work email address, job title, and department
• Authentication data: hashed passwords and two-factor authentication credentials
• Profile information: profile photo and LinkedIn URL (both optional)
• Usage data: features accessed, BOM analyses created, reports generated, and session activity logs
• Communications: support requests, in-platform messages, and feedback submissions
• Payment data: billing address and invoice details - card numbers are processed by our payment provider and never stored on Emithran servers

How we use this data:

• To provision and maintain your platform account
• To deliver the should-cost, BOM validation, and supplier intelligence features you request
• To send transactional emails such as password resets and invoice notifications
• To improve platform functionality through aggregated and anonymised usage analytics
• To comply with legal and regulatory obligations

b. Business Users

Business Users are organisations that contract with Emithran to provide platform access to their teams. This section also applies to administrators and authorised representatives of those organisations.

Personal Data we collect:

• Organisation details: company name, registered address, and company identification number
• Contact persons: name, work email, phone number, and role of the primary and billing contacts
• KYB information: where required by applicable law or partner programmes - business registration documents and beneficial ownership information
• Contractual records: signed agreements, purchase orders, and formal correspondence

c. Website Visitors

Visitors are individuals who browse emithran.in and related pages without creating an account.

Personal Data we collect:

• Device and browser data: IP address, browser type, operating system, and screen resolution
• Interaction data: pages visited, time spent, referring URLs, and clicks
• Form submissions: name and email submitted through contact, demo, or newsletter forms
• Cookie data: as described in our Cookies Policy

3. How we use Personal Data

• Service delivery - to operate the platform, process analyses, and deliver reports you request
• Account management - to create and manage accounts, handle authentication, and administer workspaces
• Customer support - to respond to enquiries, troubleshoot issues, and provide technical assistance
• Product improvement - to analyse usage patterns, identify bugs, and develop features based on aggregated data
• Marketing communications - to send newsletters, product updates, and event invitations where you have opted in or where we have a legitimate interest
• Security and fraud prevention - to detect and prevent unauthorised access, fraud, and illegal activity
• Legal compliance - to meet obligations under applicable law including tax, anti-money-laundering, and data protection requirements
• Business operations - for auditing, financial reporting, and operational planning

4. How we share Personal Data

We do not sell your personal data. We share it only as described below.

• Service providers - we engage third-party providers for cloud hosting (AWS), payment processing (Stripe), email delivery (Resend), analytics, and customer support tools. Each operates under strict data processing agreements with Emithran.
• Workspace administrators - if you use Emithran through a Business User workspace, your activity data within that workspace may be visible to the workspace administrator.
• Legal obligations - we may disclose data to law enforcement, regulatory bodies, or courts when required by law, court order, or to protect our legal rights and those of our users.
• Business transfers - in the event of a merger, acquisition, or asset sale, personal data may be transferred to the successor entity under equivalent privacy protections and with notice to affected users.
• With your consent - for any other sharing not described above, we will seek your explicit consent in advance.

5. Legal bases for processing

Where the GDPR, UK GDPR, or equivalent legislation applies, we process personal data on the following legal bases:

• Contract performance - processing necessary to deliver the services you have subscribed to or requested under our Terms of Service
• Legal obligation - processing required to comply with applicable law including tax, financial reporting, and anti-fraud obligations
• Legitimate interests - processing for platform security, fraud prevention, product improvement, and B2B marketing where our interests are not overridden by your rights
• Consent - for marketing emails and optional analytics cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

6. Your rights and choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access - request a copy of the personal data we hold about you
• Rectification - correct inaccurate or incomplete personal data
• Erasure - request deletion of your personal data, subject to legal retention obligations
• Restriction - request that we limit how we process your data while a dispute is under review
• Data portability - receive your personal data in a machine-readable format and transfer it to another service
• Objection - object to processing based on legitimate interests, including profiling for direct marketing
• Opt out of marketing - unsubscribe from marketing emails at any time via the unsubscribe link in any email or by contacting us at [email protected]

To exercise any right, email [email protected]. We will respond within 30 days, or within the period required by applicable law. We may need to verify your identity before acting on your request.

7. Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

• Account data is retained for the duration of your active subscription, plus 90 days after closure to allow for reactivation - after which it is deleted or anonymised
• Financial and invoicing records are retained for 7 years under the Income Tax Act 1961 and applicable foreign tax obligations
• Support and communications records are retained for 3 years after the last interaction
• Website analytics data is retained for 26 months in aggregated form
• Fraud-monitoring data may be retained for up to 5 years

When data is no longer required, we securely delete it or anonymise it such that it can no longer be attributed to you.

8. Security

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls limiting data access to authorised personnel
• Regular security assessments and penetration testing
• Multi-factor authentication on all production systems
• Incident response procedures with notification protocols compliant with GDPR and DPDPA obligations

While we take reasonable precautions, no system is completely secure. If you believe your account has been compromised, contact us immediately at [email protected].

9. International Data Transfers

Emithran is headquartered in India. Primary data processing infrastructure is located in AWS data centres in the Mumbai (ap-south-1) region. Certain service providers or support team members may process data from other jurisdictions.

When personal data is transferred outside India or the European Economic Area, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA
• The UK International Data Transfer Agreement (IDTA) for transfers from the United Kingdom
• Adequacy decisions where applicable

You may request a copy of the applicable transfer mechanism by emailing [email protected].

10. Children's Privacy

The Emithran platform is a B2B enterprise service designed for use by adults in professional settings. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently received data from a minor, please contact us and we will delete it promptly.

11. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify registered users by email and display a prominent notice on our website at least 14 days before the changes take effect.

The “Last updated” date at the top of this policy reflects the most recent revision. Continued use of the platform after the effective date of any update constitutes acceptance of the revised policy.

12. Jurisdiction-Specific Provisions

India

Emithran processes personal data in accordance with the Digital Personal Data Protection Act 2023 (DPDPA) and associated rules. As a Data Fiduciary, we maintain a record of processing activities and appoint a Consent Manager where required by the rules. You have the right to nominate a representative for the exercise of your rights in the event of your death or incapacity.

To raise a grievance under the DPDPA, contact our Grievance Officer at [email protected]. Grievances will be acknowledged within 48 hours and resolved within 30 days. If you remain dissatisfied, you may approach the Data Protection Board of India.

EEA and United Kingdom

If you are located in the European Economic Area or the United Kingdom, you have rights under the GDPR or UK GDPRrespectively and may lodge a complaint with your local supervisory authority - the Information Commissioner’s Office (ICO) for UK residents, or the relevant national authority for EEA residents.

Our EU GDPR representative can be reached at [email protected].

United States

For California residents, under the California Consumer Privacy Act (CCPA) as amended by the CPRA, you have the right to know, delete, and opt out of the sale or sharing of personal information. We do not sell personal information as defined under the CCPA. To submit a CCPA request, email [email protected]with “CCPA Request” in the subject line.

For Virginia, Colorado, and Connecticut residents, we comply with the respective state consumer data protection laws. You have the right to access, correct, delete, and opt out of targeted advertising. Submit requests to [email protected].

Australia

For Australian residents, we comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to access and correct personal information we hold about you. To make a complaint or access request, email [email protected]. If your complaint is not resolved to your satisfaction, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

13. Contact us

If you have questions, concerns, or data subject requests relating to this Privacy Policy, please contact us:

Related policies: Cookies Policy · Data Processing Agreement · Terms of Service