Privacy Policy
Last updated: 19 March 2026
Effective date: 19 March 2026
TrueFio ("TrueFio," "we," "us," or "our") is a software-as-a-service ("SaaS") platform operated by TrueFio Technologies, a company incorporated under the laws of India. Our platform enables direct-to-consumer ("D2C") brands and advertising agencies to measure their TRUE Return on Ad Spend by accounting for real-world costs including Return to Origin ("RTO"), Cash on Delivery ("COD") failures, shipping expenses, payment gateway fees, and other operational overheads that traditional ad platforms do not factor into their reported metrics.
This Privacy Policy describes how we collect, use, store, share, and protect your personal data and business information when you access or use our website, application, APIs, and related services (collectively, the "Services"). This policy applies to all users of TrueFio, including brand owners, agency administrators, team members, and any individuals who interact with our Services.
We are committed to complying with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India, the Information Technology Act, 2000 and its associated rules, and, where applicable, the General Data Protection Regulation (EU) 2016/679 (GDPR). By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Privacy Policy, you should not use our Services.
1. Information We Collect
We collect several categories of information to provide, improve, and secure our Services. The types of information we collect depend on how you interact with TrueFio and which features you use.
1.1 Personal Information
When you create an account or interact with our Services, we may collect the following personal information:
- Identity Information: Your full name, email address, phone number, and profile photograph (if provided via Google OAuth).
- Authentication Credentials: Hashed passwords (we never store plaintext passwords), one-time passwords (OTPs) for two-factor authentication, OAuth tokens from Google sign-in, and session identifiers.
- Contact Information: Email addresses and phone numbers used for account recovery, notifications, and billing communications.
- Role and Permissions Data: Your role within a company workspace (owner, admin, member, viewer), team assignments, and feature-level permissions.
1.2 Business and Company Information
To deliver our core analytics service, we collect information about your business:
- Company Profile: Company name, business type (brand or agency), industry category, website URL, and company logo.
- Billing Information: GST Identification Number (GSTIN), billing address, subscription plan details, payment history, invoice records, and Razorpay customer identifiers. We do not directly store credit card or debit card numbers; all payment processing is handled by Razorpay.
- Team Information: Names and email addresses of team members invited to your workspace, their roles, and activity timestamps.
1.3 Advertising Platform Data
When you connect your advertising accounts, we retrieve data from these platforms via their official APIs:
- Meta (Facebook/Instagram) Ads Data: Campaign names, ad set names, ad creative details, spend amounts, impressions, clicks, conversions, cost-per-result metrics, audience targeting parameters, and attribution data from the Meta Marketing API.
- Google Ads Data: Campaign performance metrics, keyword-level data, Performance Max (PMax) campaign insights, Shopping campaign data, ad group performance, cost data, and conversion tracking information from the Google Ads API.
1.4 E-Commerce and Store Data
When you connect your Shopify store, we access the following through the Shopify API:
- Order Data: Order IDs, order values, product details (names, SKUs, quantities, prices), order statuses (fulfilled, cancelled, refunded), discount codes applied, shipping costs charged, and timestamps.
- Product Data: Product catalog information including titles, variants, prices, inventory levels, and product categories.
- Customer Data: We access aggregated order data but do not store individual end-customer personal information (such as customer names or delivery addresses) from your Shopify store. We process order-level data for analytics purposes only.
1.5 Logistics and Shipping Data
When you connect your Shiprocket account, we retrieve:
- Shipment Data: Shipment IDs, tracking statuses, courier partner details, RTO (Return to Origin) statuses, delivery confirmation timestamps, and shipping cost breakdowns.
- RTO Analytics Data: Return reasons, pincode-level delivery success rates, courier performance metrics, and COD remittance information.
1.6 Usage and Device Information
We automatically collect certain technical information when you use our Services:
- Device Information: Browser type and version, operating system, device type (desktop, mobile, tablet), screen resolution, and language preferences.
- Usage Data: Pages visited, features used, time spent on each page, click patterns, search queries within the application, dashboard customisation preferences, and error logs.
- Network Information: IP address (anonymised after collection), referring URLs, and general geographic location (city-level, derived from IP).
- Activity Logs: Timestamps of logins, API calls, data exports, integration connections and disconnections, and administrative actions taken within your workspace.
2. How We Collect Information
2.1 Direct Collection
We collect information directly from you when you:
- Register for an account or sign in via Google OAuth.
- Complete your company profile and onboarding steps.
- Subscribe to a plan or update your billing information.
- Invite team members to your workspace.
- Contact our support team or submit feedback.
- Configure alert thresholds, notification preferences, or dashboard settings.
2.2 Collection via APIs and Integrations
When you authorise a third-party integration, we use official OAuth 2.0 flows and API endpoints to retrieve data:
- Meta Marketing API: We request read-only access to your ad accounts via Facebook Login. Data is synced periodically based on your subscription plan.
- Google Ads API: We request read-only access to your Google Ads accounts via Google OAuth 2.0. Keywords, campaigns, and performance data are synced on a scheduled basis.
- Shopify API: We connect via Shopify OAuth and request access to orders, products, and relevant store data using scoped permissions.
- Shiprocket API: We connect using your API credentials (token-based authentication) to retrieve shipment and logistics data.
- Razorpay: Payment processing data flows through Razorpay's PCI-DSS compliant infrastructure. We receive webhook notifications for subscription events and payment confirmations.
2.3 Cookies and Local Storage
We use a minimal set of cookies and browser storage mechanisms:
- Authentication Cookie: An httpOnly, Secure cookie containing your encrypted refresh token. This cookie is essential for maintaining your authenticated session and cannot be accessed by client-side JavaScript.
- Local Storage: We store non-sensitive user preferences in your browser's localStorage, such as theme preference (light/dark mode), sidebar collapse state, and dashboard layout preferences.
2.4 Self-Hosted Analytics
We use self-hosted analytics infrastructure to understand how our Services are used. We do not use third-party tracking services such as Google Analytics, Facebook Pixel, Hotjar, or similar tools. All analytics data is stored on our own servers and is never shared with third-party advertising or analytics companies.
3. How We Use Your Information
We use the information we collect for the following specific purposes:
- Providing Core Analytics: Calculating your TRUE ROAS by combining advertising spend data with actual order, RTO, shipping, COD, and payment gateway cost data to show you the real profit generated by each campaign, ad set, and individual advertisement.
- Attribution Modeling: Matching ad platform conversions to actual Shopify orders and tracking them through the fulfilment lifecycle to determine which orders were actually delivered and profitable.
- RTO and COD Analysis: Analysing return-to-origin patterns, pincode-level delivery success rates, and COD failure rates to help you identify problematic regions and reduce losses.
- Campaign Performance Reporting: Generating dashboards, reports, and visualisations that show campaign-level, ad-set-level, and ad-level performance with real cost adjustments.
- Product-Level Profitability: Calculating per-product and per-SKU profitability by factoring in product costs, shipping costs, return rates, and advertising attribution.
- AI-Powered Recommendations: Processing your anonymised performance data through artificial intelligence models to generate actionable recommendations for campaign optimisation, budget allocation, and audience targeting.
- Alert and Notification Services: Monitoring your configured thresholds (e.g., ROAS dropping below a target, RTO rate exceeding a limit) and sending timely email or in-app notifications.
- Funnel Analysis: Tracking the journey from ad click to order placement to delivery to help you understand where drop-offs occur in your sales funnel.
- Account Authentication and Security: Verifying your identity during login, managing sessions, enforcing two-factor authentication, detecting suspicious login attempts, and maintaining audit logs.
- Billing and Subscription Management: Processing subscription payments, generating invoices with applicable GST (18%), managing plan upgrades and downgrades, and communicating billing-related information.
- Team and Access Management: Facilitating team invitations, managing role-based access controls, and maintaining activity logs for accountability within your workspace.
- Agency-Client Management: Enabling agencies to manage multiple client brands within a single workspace, including cross-brand reporting and client-level data isolation.
- Data Export and Reporting: Enabling you to export your data in PDF, Excel, and ZIP formats as permitted by your subscription plan.
- Customer Support: Responding to your support requests, troubleshooting technical issues, and providing guidance on platform usage.
- Service Improvement: Analysing aggregated usage patterns to improve our platform's features, user interface, performance, and reliability.
- Communication: Sending transactional emails (password resets, OTPs, billing receipts), product updates, and feature announcements. You may opt out of non-essential communications at any time.
- Legal Compliance: Maintaining records as required under Indian tax laws, responding to lawful government requests, and fulfilling our obligations under applicable data protection regulations.
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data to third parties for marketing purposes. We share your information only in the following limited circumstances:
4.1 Third-Party Service Providers (Sub-Processors)
We engage the following categories of service providers who process data on our behalf:
- Payment Processing: Razorpay Software Private Limited processes all payment transactions. Razorpay is PCI-DSS Level 1 compliant and processes payments in accordance with RBI regulations. We share your email, name, and subscription details with Razorpay to facilitate billing.
- Cloud Infrastructure: Our servers and databases are hosted on secure cloud infrastructure with data centres located in India. All data is encrypted at rest and in transit.
- Email Delivery: We use transactional email services to deliver OTPs, password reset links, billing receipts, and alert notifications. Only the minimum required information (email address and message content) is shared with these providers.
- AI Model Providers: For our AI-powered recommendation and chat features, anonymised and aggregated data may be processed by third-party AI providers (see Section 10 for details).
4.2 Advertising and E-Commerce Platforms
When you authorise integrations, data flows bidirectionally according to the permissions you grant. We primarily read data from these platforms and do not write back or modify your ad campaigns, Shopify store, or logistics settings. The data retrieved is governed by the respective platform's own terms of service and privacy policies:
- Meta Platforms, Inc. (Meta Ads API)
- Google LLC (Google Ads API, Google OAuth)
- Shopify Inc. (Shopify Admin API)
- Bigfoot Retail Solutions Pvt. Ltd. (Shiprocket API)
4.3 Agency Access to Client Data
If you use TrueFio as an agency, you may access data belonging to your client brands within your agency workspace. This access is governed by your agreement with your clients. TrueFio provides the technical infrastructure for multi-tenant data isolation but is not responsible for the contractual relationship between agencies and their clients. See Section 11 for more detail.
4.4 Legal Requirements
We may disclose your information if required to do so by law or in response to:
- A valid court order, subpoena, or legal process served on TrueFio Technologies.
- Requests from law enforcement or government agencies under applicable Indian law, including the Information Technology Act, 2000 and the DPDP Act, 2023.
- Situations where we believe disclosure is necessary to protect our rights, your safety, the safety of others, investigate fraud, or respond to a government request.
4.5 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal data, as well as any choices you may have regarding your information.
5. Data Security
We implement comprehensive technical and organisational measures to protect your data:
5.1 Encryption
- In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). API communications with third-party services also use encrypted channels.
- At Rest: Our PostgreSQL databases employ encryption at rest for all stored data. Sensitive fields such as API tokens and OAuth refresh tokens are additionally encrypted at the application level before storage.
- Passwords: User passwords are hashed using bcrypt with a minimum cost factor, ensuring that even in the unlikely event of a database breach, plaintext passwords cannot be recovered.
5.2 Access Controls
- Role-Based Access Control (RBAC): Within each company workspace, access to data and features is governed by assigned roles (owner, admin, member, viewer). Each role has specific permissions that limit what data can be viewed, modified, or exported.
- Tenant Isolation: Every database query includes company-level isolation (tenant ID filtering) to ensure that one company's data is never accessible to another company, even in the event of a software defect.
- Two-Factor Authentication (2FA): We offer OTP-based two-factor authentication for an additional layer of account security.
- Session Management: Sessions are managed using secure, httpOnly cookies with configurable expiry. Inactive sessions are terminated automatically.
5.3 Infrastructure Security
- Monitoring: We maintain real-time monitoring of our infrastructure for anomalous activity, unauthorised access attempts, and system health indicators.
- Backups: Database backups are performed regularly and stored in encrypted form. Backup restoration procedures are tested periodically.
- Rate Limiting: API endpoints are protected by rate limiting to prevent brute-force attacks, credential stuffing, and denial-of-service attempts.
5.4 Incident Response
In the event of a data breach or security incident, we will:
- Investigate and contain the incident as quickly as possible.
- Notify affected users within 72 hours of becoming aware of the breach, as required under the DPDP Act and GDPR (where applicable).
- Notify the Data Protection Board of India and/or relevant supervisory authorities as required by law.
- Provide clear information about the nature of the breach, data potentially affected, and steps being taken to mitigate the impact.
- Document the incident and remediation steps taken for regulatory compliance and future prevention.
6. Data Retention and Deletion
6.1 Retention Periods
We retain your business and analytics data based on your active subscription plan:
| Plan | Data Retention Period | Details |
|---|---|---|
| Free | 7 days | Rolling window; data older than 7 days is automatically purged |
| Starter | 30 days | Rolling window; data older than 30 days is automatically purged |
| Growth | 90 days | Rolling window; data older than 90 days is automatically purged |
| Pro | Unlimited | Data retained for the lifetime of the active subscription |
Note: The above retention periods apply to synced business data (ad metrics, orders, shipments, etc.). Account-level data (your profile, billing records, and audit logs) is retained for as long as your account exists, plus any additional period required by Indian tax and accounting laws (typically 7–8 years for financial records).
6.2 Cache Data
We use Redis as an in-memory cache to improve application performance. Cached data is transient, automatically expires based on configured TTL (time-to-live) values, and is not used as a primary data store. Cache data is not backed up and is cleared when the cache service restarts.
6.3 Account Deletion
You may request deletion of your account and associated data at any time by:
- Using the account deletion feature in your Settings page.
- Emailing our support team at the contact details provided in Section 15.
- Contacting our Grievance Officer as detailed in Section 16.
Upon receiving a verified deletion request, we will:
- Delete or anonymise all personal data within 30 days.
- Remove all synced business data (ad metrics, order data, shipment data) permanently.
- Revoke all third-party API tokens and OAuth connections.
- Retain only the minimum data required by law (e.g., billing records for tax compliance) in an anonymised or archived form.
- Send you a confirmation email once the deletion process is complete.
Please note that deletion is irreversible. We recommend exporting your data before submitting a deletion request.
7. Your Rights
7.1 Rights Under the DPDP Act, 2023 (India)
As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:
- Right to Access: You have the right to obtain a summary of your personal data being processed by us, along with information about the processing activities, the identities of all Data Processors and Data Fiduciaries with whom your data has been shared, and any other information as may be prescribed.
- Right to Correction and Erasure: You have the right to request correction of inaccurate or misleading personal data, completion of incomplete personal data, updating of personal data, and erasure of personal data that is no longer necessary for the purpose for which it was collected.
- Right to Grievance Redressal: You have the right to lodge a complaint with our Grievance Officer (see Section 16) and, if unsatisfied, to approach the Data Protection Board of India.
- Right to Nominate: You have the right to nominate another individual who can exercise your rights in the event of your death or incapacity.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
7.2 Rights Under the GDPR (EU/EEA Users)
If you are located in the European Union or European Economic Area and our Services are subject to the GDPR, you additionally have the following rights:
- Right of Access (Article 15): You may request a copy of your personal data in a structured, commonly used, and machine-readable format.
- Right to Rectification (Article 16): You may request correction of inaccurate personal data.
- Right to Erasure (Article 17): You may request deletion of your personal data, subject to certain legal exceptions.
- Right to Restriction (Article 18): You may request restriction of processing in certain circumstances.
- Right to Data Portability (Article 20): You may request to receive your data in a portable format or have it transmitted to another controller.
- Right to Object (Article 21): You may object to processing based on legitimate interests, including profiling.
- Right Regarding Automated Decision Making (Article 22): You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects concerning you.
To exercise any of these rights, please contact us using the details provided in Sections 15 and 16. We will respond to your request within 30 days (or such shorter period as required by applicable law).
8. Cookies and Tracking Technologies
8.1 Cookies We Use
We use a minimal number of cookies, all of which are essential for the functioning of our Services:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| refresh_token | Essential (httpOnly, Secure) | Maintains your authenticated session by securely storing an encrypted refresh token | 7 days (configurable) |
8.2 Local Storage
We use the browser's localStorage API to store non-sensitive user preferences:
- Theme Preference: Your selected display mode (light or dark).
- UI State: Sidebar collapse state, last selected dashboard tab, and similar interface preferences.
- Onboarding Progress: Tracking which onboarding steps you have completed so you are not asked to repeat them.
localStorage data never leaves your browser and is not transmitted to our servers.
8.3 No Third-Party Trackers
We do not embed third-party tracking pixels, advertising cookies, social media widgets, or any other third-party tracking technologies in our application. We do not participate in cross-site tracking, behavioural advertising, or data broker networks.
9. Third-Party Integrations
Our Services integrate with several third-party platforms. Each integration involves specific data flows and is governed by both our Privacy Policy and the respective platform's own policies.
9.1 Meta (Facebook/Instagram) Ads
- Connection Method: Facebook Login with OAuth 2.0.
- Data Accessed: Ad account details, campaign structures, performance metrics (spend, impressions, clicks, conversions), and attribution data.
- Access Level: Read-only. We do not create, modify, or delete your ad campaigns.
- Data Use: Solely for calculating TRUE ROAS and providing campaign analytics within TrueFio.
- Compliance: We comply with the Meta Platform Terms and Meta Developer Policies, including data use restrictions and the requirement to delete data upon user disconnection.
9.2 Google Ads
- Connection Method: Google OAuth 2.0.
- Data Accessed: Campaign performance data, keyword-level metrics, Performance Max insights, Shopping campaign data, and conversion data.
- Access Level: Read-only.
- Data Use: Exclusively for providing advertising performance analytics and TRUE ROAS calculations.
- Compliance: We comply with the Google Ads API Terms of Service, Google API Services User Data Policy, and the Limited Use Requirements.
9.3 Shopify
- Connection Method: Shopify OAuth with scoped permissions.
- Data Accessed: Orders (ID, value, status, line items, discounts, shipping costs), products (title, variant, price, inventory), and store configuration.
- Access Level: Read-only. We do not modify your store, products, or orders.
- Data Use: For matching orders to ad conversions, calculating true order profitability, and tracking fulfilment outcomes.
- Customer PII: We do not store end-customer personally identifiable information from Shopify (no customer names, emails, phone numbers, or addresses). Order data is processed in aggregate for analytics.
- Compliance: We comply with Shopify's Partner Program Agreement and API License and Terms of Use.
9.4 Shiprocket
- Connection Method: Token-based API authentication.
- Data Accessed: Shipment details, tracking statuses, RTO information, courier assignments, and delivery outcomes.
- Access Level: Read-only.
- Data Use: For RTO analysis, pincode-level delivery insights, shipping cost calculations, and TRUE ROAS computation.
9.5 Razorpay
- Connection Method: Server-side integration with Razorpay API.
- Data Flow: Subscription creation, payment verification, invoice generation, and webhook notifications for payment events.
- Sensitive Data Handling: All payment card data is processed directly by Razorpay and never touches our servers. Razorpay is PCI-DSS Level 1 certified.
9.6 Google OAuth
- Purpose: Enabling single sign-on (SSO) for account creation and login.
- Data Received: Name, email address, and profile photograph from your Google account.
- Compliance: We adhere to Google's OAuth 2.0 policies and do not request more scopes than necessary.
You may disconnect any third-party integration at any time through the Connections page in your TrueFio dashboard. Upon disconnection, we will cease syncing new data from that platform. Previously synced data will be retained according to your plan's retention policy (see Section 6) unless you specifically request its deletion.
10. AI and Automated Decision Making
10.1 AI-Powered Features
TrueFio uses artificial intelligence to enhance your experience with the following features:
- Campaign Recommendations: AI models analyse your campaign performance patterns to suggest budget reallocation, audience adjustments, and creative strategies.
- AI Chat Assistant: An interactive chat feature that allows you to ask questions about your data in natural language and receive intelligent responses.
- Anomaly Detection: Automated systems that flag unusual changes in your metrics (e.g., sudden RTO spikes, unusual cost increases).
- Predictive Analytics: Forecasting tools that use historical data to project future performance trends.
10.2 AI Data Processing
To power these features, your data may be processed by third-party AI model providers, including:
- Anthropic (Claude): For natural language processing and recommendation generation.
- OpenAI (GPT models): For conversational AI features and data analysis.
- Google (Gemini): For advanced analytical capabilities.
10.3 Data Anonymisation for AI
Before sending any data to third-party AI providers, we take the following protective measures:
- Anonymisation: Personal identifiers (names, email addresses, company names) are removed or replaced with generic identifiers before transmission.
- Aggregation: Where possible, data is aggregated so that individual-level records are not exposed.
- No Training: We use API-based access to these AI models with configurations that prevent your data from being used to train or improve the AI provider's models (where such options are available from the provider).
- Transient Processing: Data sent to AI providers is processed in real-time and is not retained by the provider beyond the immediate request-response cycle (per the provider's enterprise API terms).
10.4 No Solely Automated Decisions
TrueFio does not make any decisions that produce legal effects or similarly significant effects on you based solely on automated processing. All AI outputs are presented as recommendations and insights for your consideration. You retain full control over all business decisions, and no automated action is taken on your ad accounts, store, or logistics systems based on AI output.
11. Agency and Multi-Tenant Data
11.1 Agency Mode
TrueFio offers an agency mode that allows advertising agencies and marketing consultants to manage multiple client brands within a single workspace. When operating in agency mode:
- Each client brand's data is logically isolated within the platform using row-level security and company-scoped database queries.
- Agency administrators can view and analyse data across their client brands for consolidated reporting purposes.
- Individual team members can be granted access to specific client brands based on their role and assignment.
11.2 Agency Responsibilities
If you are an agency using TrueFio to manage client data:
- You are responsible for obtaining appropriate consent or authorisation from your clients before connecting their ad accounts, stores, and logistics platforms to TrueFio.
- You must ensure that your use of client data through TrueFio complies with your agreements with those clients and applicable data protection laws.
- You are responsible for managing team member access to client data and ensuring that only authorised personnel can view each client's information.
- Upon termination of a client relationship, you should disconnect that client's integrations and, if appropriate, request deletion of their data.
11.3 Data Isolation
TrueFio employs strict multi-tenant data isolation:
- Every database table includes a company identifier, and all queries are scoped to the authenticated company context.
- Row-level security (RLS) policies are enforced at the database level to provide defence-in-depth against data leakage between tenants.
- API responses are filtered to include only data belonging to the requesting company, regardless of any application-level errors.
- Cached data in Redis is namespaced by company identifier to prevent cross-tenant cache pollution.
12. International Data Transfers
TrueFio primarily stores and processes data within India. However, certain data may be transferred outside India in the following circumstances:
- Third-Party API Calls: When syncing data with Meta, Google, Shopify, and Shiprocket, API requests are sent to servers operated by these platforms, which may be located outside India (primarily in the United States).
- AI Processing: When your anonymised data is processed by AI model providers (Anthropic, OpenAI, Google), this processing may occur on servers outside India.
- Payment Processing: Razorpay may process certain payment-related data on international infrastructure.
Where data is transferred outside India, we ensure that:
- Transfers comply with the provisions of the DPDP Act, 2023 and any rules or notifications issued by the Central Government of India regarding permissible jurisdictions for data transfer.
- Our agreements with sub-processors include data protection obligations that are substantially equivalent to or stricter than those imposed on us under Indian law.
- For EU/EEA users, transfers are conducted in compliance with GDPR Chapter V, including the use of Standard Contractual Clauses (SCCs) where applicable.
- Only the minimum necessary data is transferred, and wherever possible, data is anonymised or aggregated before transfer.
13. Children's Privacy
TrueFio is a business-to-business SaaS platform designed for use by business owners, marketing professionals, and agency teams. Our Services are not intended for, directed at, or designed to attract individuals under the age of 18.
We do not knowingly collect personal data from children under 18 years of age. If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete such data from our systems and terminate the associated account.
In accordance with the DPDP Act, 2023, we will not process the personal data of a child (defined as an individual under the age of 18) without verifiable consent from the child's parent or lawful guardian. If you are a parent or guardian and believe that your child has provided personal data to TrueFio without your consent, please contact us immediately using the details in Section 15.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational reasons. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- For significant changes that materially affect how we process your personal data, we will notify you by email (sent to the email address associated with your account) at least 15 days before the changes take effect.
- We will also display a prominent notice within the TrueFio application upon your next login.
- Where required by law (including under the DPDP Act), we will obtain your renewed consent before processing your data under the updated terms.
We encourage you to review this Privacy Policy periodically. Your continued use of our Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
15. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us through any of the following channels:
- Email: privacy@truefio.com
- General Support: support@truefio.com
- Mailing Address: TrueFio Technologies, [Registered Office Address], India
We aim to respond to all privacy-related enquiries within 7 business days. For formal data subject access requests or deletion requests, we will respond within the timeframes required by applicable law (generally 30 days).
16. Grievance Officer
In accordance with the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, as well as the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer to address your concerns regarding data processing:
Grievance Officer Details
Name: [Grievance Officer Name]
Designation: Grievance Officer
Email: grievance@truefio.com
Address: TrueFio Technologies, [Registered Office Address], India
Response Time: We will acknowledge your grievance within 24 hours and resolve it within 15 days of receipt, in accordance with applicable regulations.
If you are not satisfied with the resolution provided by our Grievance Officer, you have the right to:
- File a complaint with the Data Protection Board of India as constituted under the DPDP Act, 2023.
- For EU/EEA users: Lodge a complaint with your local Supervisory Authority under the GDPR.
- Seek remedies available under the Information Technology Act, 2000 and any other applicable Indian laws.
17. Legal Basis for Processing
17.1 Under the DPDP Act, 2023
We process your personal data based on the following lawful grounds under the DPDP Act:
- Consent: You provide explicit consent when you create an account, connect integrations, and agree to this Privacy Policy. You may withdraw consent at any time.
- Legitimate Uses: Certain processing is permitted without consent as "legitimate uses" under the Act, including processing necessary for the performance of a contract (providing the subscribed Services), compliance with Indian law, and responding to medical emergencies.
17.2 Under the GDPR (for EU/EEA Users)
For users subject to the GDPR, we rely on the following legal bases:
- Consent (Article 6(1)(a)): For the collection of data through third-party integrations and for AI processing of your data.
- Contract Performance (Article 6(1)(b)): For processing necessary to provide the Services you have subscribed to.
- Legitimate Interests (Article 6(1)(f)): For analytics, security monitoring, fraud prevention, and service improvement, where our legitimate interests are not overridden by your rights and freedoms.
- Legal Obligation (Article 6(1)(c)): For processing required to comply with Indian tax, accounting, and regulatory requirements.
18. Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings set out below:
- "Data Fiduciary" means TrueFio Technologies, being the entity that determines the purpose and means of processing personal data, as defined under the DPDP Act, 2023.
- "Data Principal" means you, the individual to whom the personal data relates, as defined under the DPDP Act, 2023.
- "Data Processor" means any entity that processes personal data on behalf of TrueFio Technologies, including our sub-processors listed in this policy.
- "Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act, 2023.
- "Processing" means any operation or set of operations performed on personal data, including collection, storage, use, sharing, and deletion.
- "TRUE ROAS" means the real return on ad spend calculated by TrueFio after accounting for RTO, COD failures, shipping costs, payment gateway fees, and other actual operational costs.
- "Services" means the TrueFio platform, website, APIs, dashboards, reports, and all related features and functionalities.
This Privacy Policy constitutes the entire privacy agreement between you and TrueFio Technologies regarding the collection and use of your personal data. This policy is governed by and construed in accordance with the laws of India. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts in [City], India.
Document version: 1.0 | Last reviewed: 19 March 2026