1. Scope and applicability
This Privacy Policy explains how TREPINSTAREWARDS PRIVATE LIMITED (“TrusCodes”, “we”, “us”, “our”) processes personal data in connection with the TrusCodes website at truscodes.com (the “Website”) and the TrusCodes product authentication platform and its solution modules including BrandShield, CertiSure, LabAssured, GeoGuard, TracePro, and Engage (collectively, the “Platform”).
This Policy is written to support our obligations under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Digital Personal Data Protection Act, 2023 (India) (“DPDP Act”), and any other applicable data-protection laws in jurisdictions where we offer the Website or Platform.
Where we act as a “data controller” under GDPR, a “business” under CCPA/CPRA, or a “data fiduciary” under the DPDP Act, this Policy governs the processing. Where we act as a “data processor” or “service provider” on behalf of an enterprise customer, the customer’s own privacy notice applies to end-user data and our processing is governed by the Data Processing Addendum executed with that customer.
2. Definitions
“Personal data” means any information relating to an identified or identifiable natural person. “Processing” means any operation performed on personal data, including collection, storage, use, disclosure, and deletion. “Data subject” means the individual to whom personal data relates. References to “sub-processor”, “data fiduciary”, “data processor”, “data principal”, and “significant data fiduciary” bear the meanings given to them under applicable law.
3. Categories of personal data we process
We process the following categories of personal data, depending on how you interact with us:
3.1 Website visitors
- Identifiers provided voluntarily through contact, demo, or pilot-request forms — name, business email, organisation, role, country, and free-text inputs.
- Technical identifiers collected by our servers and permitted cookies — IP address, browser type and version, device type, operating system, referring URL, pages visited, time stamps, and interaction events.
- Communication content — the body of any email, support request, or message you send us.
3.2 Enterprise customers and their authorised users
- Account and administrator identifiers — name, business email, role, organisational affiliation, authentication credentials, and audit-trail entries of actions taken in the Platform.
- Commercial and billing information — contractual contact details, purchase orders, invoices, and payment instruments (held by payment processors; we do not store full card numbers).
- Support and service records — tickets, correspondence, investigation notes, and the outputs of security and anomaly-detection systems.
3.3 End users of customer deployments (typically processed on behalf of our customers)
- Device and scan metadata produced when a TrusCodes-enabled product is scanned — timestamp, approximate location where consented, scan outcome, lifecycle state, and reason codes.
- Limited identity attributes where the customer’s deployment requires them — for example, a verified mobile number in certain Engage configurations or an authenticated actor credential in TracePro custody events.
In these cases, we act as the customer’s processor. We process this data only on the customer’s documented instructions and in accordance with the governing Data Processing Addendum.
4. Purposes and lawful bases
We process personal data only for specified, explicit, and legitimate purposes, and only where we have a lawful basis. The principal purposes, and the GDPR / DPDP Act lawful bases on which we rely, are as follows.
4.1 Providing the Website and responding to enquiries
Basis (GDPR Art. 6(1)): performance of a contract (where you have requested information or a service), legitimate interests in operating and securing our Website, and consent where required by applicable law.
4.2 Providing and operating the Platform
Basis (GDPR Art. 6(1)): performance of a contract with the customer; legitimate interests in platform security, fraud prevention, audit logging, and service integrity. Under the DPDP Act, we rely on consent or on a legitimate use specified in the Act.
4.3 Platform security, anomaly detection, and audit-ledger integrity
Basis: legitimate interests (Art. 6(1)(f)); compliance with legal obligations (Art. 6(1)(c)); and, under the DPDP Act, the legitimate use of preventing and investigating fraud and maintaining the security of our systems. We maintain an append-only SHA-256 hash-chained audit ledger of verification events and administrator actions. Ledger entries are retained for the periods specified in Section 8.
4.4 Communications, marketing, and business development
Basis: consent (Art. 6(1)(a)) for direct marketing to individuals where required; legitimate interests for business-to-business outreach to enterprise contacts who have interacted with us or a recognised peer organisation. Under the DPDP Act, consent-based processing for marketing with withdrawable consent.
4.5 Legal, regulatory, and dispute defence
Basis: compliance with legal obligations (Art. 6(1)(c)); the establishment, exercise, or defence of legal claims (Art. 9(2)(f) where any special-category data is involved); and the equivalent legitimate uses under the DPDP Act.
5. How we collect personal data
We collect personal data directly from you (through forms, emails, and account activity), automatically through our Website and Platform (through cookies, similar technologies, and server logs), from our customers (where we process end-user data on their behalf), and from lawful third-party sources such as enrichment providers for business contacts and authorised screening services for fraud and sanctions checks.
6. Disclosure and sharing
We disclose personal data only in the circumstances below, and only to the extent necessary for the purpose described:
- To our sub-processors and service providers under written contracts imposing confidentiality, security, and data-protection obligations (see our Data Processing Addendum and Sub-Processor List).
- To enterprise customers whose deployments you interact with (where we act as processor on their behalf).
- To our professional advisers, auditors, and insurers under professional confidentiality obligations.
- To law-enforcement authorities, regulators, or courts where required by applicable law, valid legal process, or where disclosure is necessary to protect rights, safety, or property.
- To an acquirer, merger counterparty, or successor entity in the event of a corporate transaction, subject to confidentiality and continuity of protection.
We do not sell personal data in the ordinary meaning of that term. For CCPA/CPRA purposes, we do not “sell” or “share” personal information for cross-context behavioural advertising. Under the DPDP Act, we act as a data fiduciary or data processor and share personal data only in accordance with the permitted grounds.
7. International transfers
TrusCodes is headquartered in Chennai, India. Personal data may be transferred to, and processed in, jurisdictions outside your country of residence, including India.
For transfers of personal data originating in the European Economic Area, the United Kingdom, or Switzerland to countries outside those jurisdictions that are not the subject of an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (Module 2 or Module 3 as applicable) together with appropriate supplementary measures, including the technical safeguards described in Section 9. A copy of the SCCs and our transfer impact assessment summary is available on request to privacy@truscodes.com.
For transfers of personal data from India under the DPDP Act, we transfer personal data only to destinations not restricted by the Central Government, and we maintain equivalent safeguards at the destination through contractual controls and sub-processor oversight.
8. Data retention
We retain personal data for no longer than necessary for the purposes described in this Policy. Retention periods are set against the following baselines and are reviewed annually.
- Website enquiry and form submissions — retained for up to 24 months from last interaction, unless an ongoing customer relationship requires longer retention.
- Customer account and authentication records — retained for the duration of the customer relationship and for up to 7 years after termination, to support audit, regulatory, and dispute-defence obligations.
- Audit-ledger entries (verification events, administrator actions, anomaly signals) — retained for up to 7 years to preserve audit-defensibility, subject to customer-specified retention periods in the governing Data Processing Addendum.
- Marketing contact records — retained until consent is withdrawn or, for legitimate-interests processing, until objection, with suppression records kept to honour opt-outs.
- Financial and tax records — retained as required by applicable Indian, EU, and other tax and corporate-law obligations.
9. Security
We maintain technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. Core measures include:
- Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256, with a time-segmented rotating key pool providing forward secrecy for cryptographic identities).
- Append-only SHA-256 hash-chained audit ledger for verification events and administrator actions, designed so retroactive alteration produces a detectable chain break.
- Per-brand physical database isolation so that one customer’s production data cannot be read from another customer’s environment.
- Role-based access controls with least-privilege defaults, credential authentication at every state transition for custody events, and mandatory multi-factor authentication for administrative access.
- Continuous anomaly detection against the event stream, with alerting and exception-handling procedures.
- Tamper-evident physical labels that complement the digital controls described above.
- Vendor-risk assessment for sub-processors, documented in the Sub-Processor List, and contractual flow-down of the security, confidentiality, and data-protection obligations we ourselves owe.
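As an added illustration of the chain-break property the ledger bullet above describes (example code written for this page, not TrusCodes's own implementation; the entry layout, the canonical JSON encoding, the all-zero genesis link, the field names and the sample events are all assumptions), the following builds a small SHA-256 hash-chained ledger, then shows what a verifier sees after a retroactive edit, after an attempt to re-hash the edited entry, and after the tail of the ledger is silently truncated:

```python
"""SHA-256 hash-chained audit ledger with chain-break detection (illustrative only)."""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # assumed link value for the first entry (32 zero bytes)


def canonical(payload: Dict[str, Any]) -> bytes:
    """Canonical JSON so that the same event always produces the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(seq: int, prev_hash: str, payload: Dict[str, Any]) -> str:
    """Hash binds the sequence number, the previous entry's hash and the payload."""
    h = hashlib.sha256()
    h.update(seq.to_bytes(8, "big"))
    h.update(bytes.fromhex(prev_hash))
    h.update(canonical(payload))
    return h.hexdigest()


class Ledger:
    """Append-only list of entries; each entry commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, payload: Dict[str, Any]) -> str:
        seq = len(self.entries)
        prev = self.head()
        entry = {"seq": seq, "prev": prev, "payload": payload,
                 "hash": entry_hash(seq, prev, payload)}
        self.entries.append(entry)
        return entry["hash"]


def verify(entries: List[Dict[str, Any]]) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first broken entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return i                      # link does not point at its predecessor
        if entry_hash(i, prev, e["payload"]) != e["hash"]:
            return i                      # stored hash no longer matches the content
        prev = e["hash"]
    return None


def demo() -> Dict[str, Any]:
    """Run the tamper scenarios over constructed sample events and report findings."""
    ledger = Ledger()
    # Constructed sample events; field names and values are illustrative assumptions.
    events = [
        {"event": "verify", "code": "c-0001", "outcome": "genuine", "ts": "2026-04-21T09:00:00Z"},
        {"event": "verify", "code": "c-0001", "outcome": "duplicate", "ts": "2026-04-21T09:05:00Z"},
        {"event": "admin", "actor": "ops-admin", "action": "revoke", "code": "c-0001",
         "ts": "2026-04-21T09:06:00Z"},
    ]
    for ev in events:
        ledger.append(ev)
    anchored_head = ledger.head()   # stored outside the writer's reach, e.g. a daily anchor

    intact = verify(ledger.entries)

    # Retroactive edit: the second scan is rewritten from "duplicate" to "genuine".
    tampered = copy.deepcopy(ledger.entries)
    tampered[1]["payload"]["outcome"] = "genuine"
    edit_break = verify(tampered)

    # Re-hashing the edited entry only moves the break: entry 2 still links to the old hash.
    tampered[1]["hash"] = entry_hash(1, tampered[1]["prev"], tampered[1]["payload"])
    rehash_break = verify(tampered)

    # Truncation: dropping the last entry leaves a chain that verifies on its own.
    truncated = ledger.entries[:-1]
    truncation_chain_ok = verify(truncated) is None
    # Only a comparison against the externally anchored head reveals the missing tail.
    truncation_detected = truncated[-1]["hash"] != anchored_head

    return {
        "intact": intact,
        "edit_break": edit_break,
        "rehash_break": rehash_break,
        "truncation_chain_ok": truncation_chain_ok,
        "truncation_detected": truncation_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Two points the policy's one-line description leaves implicit: a chain break pinpoints the first altered entry, but an attacker who can rewrite every subsequent hash can rebuild a consistent chain, and deleting entries from the tail breaks nothing at all. Both are why the head hash must be anchored somewhere the ledger writer cannot overwrite (a separate system, a customer-held copy, or a signed checkpoint) and compared against it during verification.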
No security measure is absolute. In the event of a personal-data breach that is likely to result in a risk to data subjects, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (where GDPR or an equivalent regime applies), and affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
10. Your rights
Subject to applicable law and to the exceptions specified in that law, you have the following rights in respect of personal data we hold about you. Where we act as a processor on behalf of an enterprise customer, we will direct your request to the controller or assist the controller in responding to it.
10.1 Rights under the GDPR and UK GDPR
- Right of access — to obtain confirmation of whether we process your personal data and, if so, a copy.
- Right to rectification — to have inaccurate personal data corrected.
- Right to erasure (“right to be forgotten”) — where one of the grounds in Art. 17 applies.
- Right to restriction of processing — where Art. 18 applies.
- Right to data portability — for personal data you have provided to us, where Art. 20 applies.
- Right to object — including to processing based on legitimate interests and to direct marketing.
- Right to withdraw consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before withdrawal.
- Right to lodge a complaint with a supervisory authority.
10.2 Rights under CCPA / CPRA
- Right to know the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of recipients.
- Right to delete personal information we have collected from you, subject to statutory exceptions.
- Right to correct inaccurate personal information.
- Right to limit the use of sensitive personal information to purposes permitted by the statute.
- Right to opt-out of the sale or sharing of personal information (as defined by the statute). We do not sell or share personal information for cross-context behavioural advertising.
- Right to non-discrimination for exercising any of the above rights.
10.3 Rights under the DPDP Act
- Right to information about personal data processing.
- Right to correction and erasure of personal data.
- Right of grievance redressal (see Section 12).
- Right to nominate another individual to exercise your rights in the event of death or incapacity.
To exercise any right above, contact privacy@truscodes.com with sufficient detail to identify the data you refer to. We will respond within the timeframes required by applicable law — within one month under GDPR (extendable by two further months where necessary) and within 45 days under CCPA/CPRA (extendable by a further 45 days with notice).
11. Children
The Website and Platform are not directed to children under the age of 18. We do not knowingly collect personal data of children. Under the DPDP Act, processing of the personal data of children is subject to verifiable parental consent. If you believe we have inadvertently collected such data, contact privacy@truscodes.com and we will take steps to delete it.
12. Grievance officer and data-protection contacts
For the purposes of the Information Technology Act, 2000 and the DPDP Act, our Grievance Officer is the first point of contact for any concerns regarding the processing of personal data.
For all other privacy enquiries, data-subject requests, and requests for the Standard Contractual Clauses or transfer impact assessment summary, contact privacy@truscodes.com.
13. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. We will post the updated Policy on the Website with a revised effective date. Where the change is material, we will provide additional notice — for example, by email to account administrators — prior to the change taking effect.
14. Governing law and jurisdiction
This Policy is governed by the laws of India, without prejudice to the mandatory local-law rights granted to data subjects under GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy regimes. Nothing in this Policy limits those mandatory rights.
Document control: Privacy Policy version 1.0, effective 21 April 2026. Owner: Grievance Officer, TREPINSTAREWARDS PRIVATE LIMITED.