Privacy Policy
Last updated: 5/5/2026
Draft for review. This policy is a working draft pending review by qualified legal counsel. It will be updated to its final form before any production sign-ups outside the closed beta. If you have questions about how your data is handled today, email vivek@ecind.net.
1. Who we are
HazWTrack (“HazWTrack”, “we”, “us”) operates a Software-as-a-Service (SaaS) platform that helps Indian organisations manage hazardous-waste compliance under the Hazardous and Other Wastes (Management and Transboundary Movement) Rules, 2016 (“HW Rules 2016”). For the purposes of India's Digital Personal Data Protection Act, 2023 (“DPDP Act”), HazWTrack is a Data Fiduciary in respect of personal data of account holders, employees of customer organisations, and other end users of the platform.
2. Personal data we collect
2.1 Information you provide
- Account data: name, work email, phone number, organisation name and address, role/job title, password (stored as a one-way hash by our authentication provider).
- Operational data you enter into the platform: facility details, waste records, manifests (sender/transporter/receiver names, authorisation numbers, vehicle details), storage logs, signatures, attached documents, and audit-trail metadata. Some of this data is required by HW Rules 2016 itself.
- Communication data: support tickets, emails, chat messages and any feedback you send us.
- Payment data: billing address and GSTIN. Card and bank-account details are collected and processed exclusively by our payment processor, Razorpay (see Section 6).
2.2 Information we collect automatically
- Technical data: IP address, browser type and version, device and operating-system identifiers, timezone, language preference.
- Usage data: pages visited, features used, click events, session duration, error logs, performance metrics.
- Cookies and similar technologies: see Section 9 below.
2.3 Information from third parties
- Authentication providers (e.g. Google, Microsoft) if you choose to sign in via single sign-on — limited to your name, email and a stable identifier.
- Payment processor: confirmation of successful subscription charges, chargeback notices and refund events from Razorpay.
3. Why we process your data (purposes)
We process personal data for the following specified, lawful purposes:
- Providing the service: creating and authenticating your account, rendering the dashboard, generating regulatory forms (Forms 1, 3, 4, 10 etc. per HW Rules 2016), sending compliance alerts.
- Billing: charging your subscription fees, issuing GST invoices, recovering chargebacks, processing refunds.
- Support: responding to questions, resolving incidents, investigating bugs.
- Security and integrity: detecting fraud, preventing abuse, maintaining audit trails, monitoring for unauthorised access.
- Legal compliance: complying with HW Rules 2016, the DPDP Act, the Goods and Services Tax laws, the Information Technology Act, 2000 and rules made under it, and any binding order from a court, regulator or government authority.
- Product improvement: aggregated and de-identified analytics to understand how the platform is used and where to invest.
4. Lawful basis for processing
Under the DPDP Act we rely on the following grounds:
- Consent (Section 6 of the DPDP Act): when you sign up for an account, when you opt into optional analytics or communication channels, and when a customer organisation invites you to join its workspace.
- Legitimate uses (Section 7 of the DPDP Act): for processing required to comply with a legal obligation, to provide a service you have voluntarily requested, for employer-employee relationships within a customer organisation, and for the maintenance of public order.
5. Data residency and storage
Your data is stored on Google Cloud Platform infrastructure in the asia-south1 (Mumbai) region. Daily backups remain within India. We do not currently transfer personal data outside India. If we ever need to do so we will update this policy and obtain any consent or notification required by the DPDP Act before any such transfer.
6. Sharing your data
We do not sell personal data. We share data only as follows:
- Sub-processors who help us run the service:
  - Google Cloud Platform / Firebase — hosting, database, file storage, authentication, push notifications.
  - Razorpay — subscription billing, card and bank-account processing, GST invoicing.
  - Email and notification providers — transactional email delivery (e.g. password resets, expiry alerts).
  - Analytics providers (Google Analytics 4, PostHog) — de-identified usage analytics for product improvement.
  - Support tools — when you contact us, we route your message to a support helpdesk system.
- Within your organisation: if you are an employee or contractor using a customer-controlled workspace, your activity is visible to authorised administrators of that organisation.
- To regulators and authorities: when you explicitly export and submit a regulatory form (e.g. Form 4 to your State Pollution Control Board), or where compelled by a binding legal process.
- Business transfers: in a merger, acquisition, financing or sale of assets, in which case we will give you advance notice and the acquirer will be bound by this policy or an equivalent one.
7. Retention
- Active accounts: data is retained for as long as you maintain an account.
- After cancellation: you can export your data from the dashboard for 90 days after cancellation, after which we delete or irreversibly anonymise it, except as set out below.
- Statutory retention: certain records (manifests, Form 3 / Form 4 entries, audit trail) must be retained under HW Rules 2016 and the Income-tax Act for prescribed periods. We retain those records for the legally required minimum.
- Backups: backups are retained for up to 30 days and then permanently deleted in line with backup-rotation schedules.
8. Security
We apply reasonable security safeguards as required by Section 8(5) of the DPDP Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including:
- Encryption in transit (TLS 1.2 or higher) and at rest.
- Tenant isolation: every customer organisation's data sits behind its own access-control rules; cross-org access is never possible without an explicit grant.
- Tamper-evident audit trail on every record (who changed what, when).
- Two-factor authentication for organisation administrators.
- Role-based access control inside our team; production access is limited and logged.
- Regular security reviews, dependency patching and penetration testing.
No system is perfectly secure. If a personal data breach occurs we will notify the Data Protection Board of India and affected Data Principals in the manner and within the timelines required by the DPDP Act.
9. Cookies and similar technologies
We use a small number of cookies and browser-storage entries:
- Strictly necessary: session, authentication, security. These cannot be disabled without breaking the service.
- Analytics: Google Analytics 4 and PostHog set first-party cookies (_ga, ph_*) to measure how the site and product are used. You can opt out by enabling Do Not Track in your browser, blocking third-party storage, or using a consent-management tool we provide.
You can delete cookies at any time using your browser's settings. If you do, you may need to sign in again.
10. Your rights as a Data Principal
Under Sections 11 to 14 of the DPDP Act you have the following rights:
- Right of access: a summary of personal data we hold about you and the purposes for which it is processed.
- Right to correction and erasure: correction of inaccurate or misleading data, and erasure of data that is no longer needed for the purpose for which it was collected (subject to statutory retention obligations).
- Right to grievance redressal: to escalate any complaint to our Grievance Officer (Section 13).
- Right to nominate: to nominate another individual to exercise your rights in case of death or incapacity.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time; withdrawal does not affect lawfulness of prior processing.
To exercise any of these rights, email vivek@ecind.net. We aim to respond within thirty (30) days.
11. Children
HazWTrack is a B2B service intended for adults acting in a professional capacity. We do not knowingly collect personal data of any child under 18 years of age. If you believe a child has provided us personal data, please contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email to account administrators and through an in-product banner at least fifteen (15) days before they take effect. The “Last updated” date at the top reflects the current version.
13. Contact
General privacy questions: vivek@ecind.net
Grievance Officer (Section 8(9), DPDP Act):
Name: To be appointed before public launch.
Email: vivek@ecind.net
You also have the right to lodge a complaint with the Data Protection Board of India once it becomes operational.