Privacy Policy.

1. Who we are

This Privacy Policy is published by XServ Labs, a software studio headquartered in Hyderabad, Telangana, India ("XServ Labs", "we", "us", "our"). It applies to:

• Our website at xservlabs.com
• Our current products, including Traxium (fleet management at traxium.in, mobile apps, WhatsApp Business) and Praxate (CCTV workforce intelligence)
• Any future product, software, or service launched under the XServ Labs umbrella — this policy applies by default to all XServ Labs products unless that specific product publishes its own, more specific privacy notice that supersedes this one
• Our communications with you through email, phone, WhatsApp Business, web forms, and other channels

Future products: when we launch a new product, we'll list it here within a reasonable time. If the new product needs additional data types or processing not covered here, we'll publish a product-specific addendum and notify active customers. Until then, this policy is the default applicable notice for any XServ Labs product.

For privacy questions, data access requests, or to delete your data, email hello@xservlabs.com.

2. What data we collect

2.1 Information you give us directly

• Contact form & enquiries: name, work email, company, phone, message, and whether you want an NDA before discussions.
• Account information (Traxium / Praxate): name, email, phone, business name, GSTIN, address, and role/title.
• Operational data (Traxium): vehicle registration numbers, driver names, customer names, route details, GPS coordinates, fuel readings, trip and invoice data — provided by you to operate the platform.
• Operational data (Praxate): face enrollment images and attendance records — provided by you and your employees during enrollment with consent.
• Project briefs: content you share during scoping calls, written briefs, NDAs, and similar.

2.2 Information collected automatically

• Analytics: page visits, time on page, source (referrer), device type, anonymized IP address, and basic geographic location (city/country). We use Google Analytics 4 (with IP anonymization enabled) and Microsoft Clarity (for heatmaps and session replays). Clarity may record session-level interactions on our website.
• Server logs: standard HTTP logs (timestamps, requested URLs, user agent) retained by our hosting providers.
• Cookies and similar: Strictly necessary cookies for site functionality, and analytics cookies (with the protections described above).

2.3 Information we receive from third parties

• WhatsApp Business (Meta): When you message us on WhatsApp, Meta provides us with your WhatsApp phone number, profile name (if visible), and the contents of your message. We are not WhatsApp; data sent through WhatsApp is subject to WhatsApp's own privacy policy.
• Form processor: When you submit our contact form, Formspree processes the submission and forwards it to us. See Formspree's privacy policy.
• Payment processors: If you pay us, our payment provider (e.g. Razorpay, Stripe, or bank gateways) processes payment data on our behalf — we never see card details directly.

3. How we use your data

We use the data above to:

• Respond to your enquiries and provide scoping calls
• Deliver and operate the services you signed up for (Traxium, Praxate, custom development)
• Send service-related notifications (e.g. Traxium delay alerts, account changes, invoices) — including via WhatsApp Business if you opted in
• Send transactional emails (e.g. password resets, contract documents)
• Improve our products and services (using aggregated, anonymized analytics)
• Comply with legal obligations under Indian and applicable foreign law (GST records, statutory retention, regulator response)
• Detect and prevent fraud, abuse, and security incidents

We do not sell your data to third parties. We do not use your data to train AI models that are sold to others. We do not run marketing profiling or behavioural advertising against our users.

4. Our legal basis for processing (DPDP Act & GDPR)

For visitors in India, we process personal data under the Digital Personal Data Protection Act, 2023 (DPDP Act). For visitors in the EU/UK, we process under GDPR / UK GDPR. Our bases:

• Consent — when you tick a consent box (e.g. for face-based attendance enrollment in Praxate, or when you opt in to WhatsApp notifications).
• Performance of a contract — when we deliver Traxium, Praxate, or custom development services to you.
• Legitimate interest — for responding to enquiries, analytics, security monitoring, and improving our products. We balance these interests against your rights.
• Legal obligation — for tax, accounting, and regulator-mandated retention.

5. Sharing data with third parties

We share personal data with the following categories of recipients, only as needed:

Recipient	Purpose	Where they process data
Meta (WhatsApp Business)	Delivering messages to/from you on WhatsApp; service notifications (Traxium alerts)	Globally per Meta data residency policy
Amazon Web Services (AWS)	Hosting Traxium and our other cloud services	Mumbai (ap-south-1) region for Indian customer data
GitHub (Microsoft)	Hosting the xservlabs.com website (GitHub Pages)	USA
Google Analytics 4 (Google)	Website analytics — IP anonymization enabled, no ad personalization signals	Per Google data residency; primarily EU/US
Microsoft Clarity	Heatmap and session replay analytics	Per Microsoft data residency
Formspree	Processing contact form submissions and routing them to us	USA
Email providers (e.g. Google Workspace, Zoho Mail)	Sending and receiving emails to/from you	Per the provider's region
Accountants, auditors, legal advisors	Statutory compliance, tax, audit, dispute	India
Government, regulators, courts	When required by law (GST, RBI, court orders, statutory inspections)	India

All of these recipients are required by contract (or by law) to use the data only for the purpose we share it for, and to apply appropriate security measures.

6. International transfers

Some of our processors are based outside India. When we transfer personal data abroad, we rely on the provider's standard contractual safeguards, the destination's data protection regime (e.g. EU adequacy, UK adequacy), and our own contractual controls. For payment data and other regulated data, we keep processing within India where required.

7. How long we keep your data

• Enquiry data (contact form, emails): up to 3 years from last contact, then deleted.
• Active customer account data: for the duration of the contract plus 7 years (to meet Indian tax and statutory retention).
• Traxium operational data (trips, invoices): as long as you operate the account; after closure, retained 7 years for tax/audit then deleted.
• Praxate face enrollment data: until you (or the employee) withdraws consent or leaves your organisation, then deleted within 30 days.
• Analytics data: Google Analytics retention is 14 months; Microsoft Clarity is 90 days. Aggregated analytics may be retained indefinitely.
• WhatsApp Business messages: retained for 5 years for service quality and dispute resolution, then deleted.
• Backups: may exist for up to 90 days after deletion as part of standard disaster-recovery practice, then overwritten.

8. Your rights

Under the DPDP Act, GDPR, and other applicable laws, you have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — ask us to correct inaccurate data
• Deletion — ask us to delete your data (subject to lawful retention obligations)
• Withdraw consent — for any processing that relied on consent
• Object — to processing based on legitimate interest, where you have grounds
• Portability — receive your data in a structured, machine-readable format
• Grievance redressal — escalate unresolved concerns to our Grievance Officer (below) or to the Data Protection Board of India

To exercise any right, email hello@xservlabs.com with proof of identity. We respond within 30 days (often within 7).

9. WhatsApp Business — additional notice

We use the official WhatsApp Business API (provided by Meta) for service notifications and customer communications. By messaging us on WhatsApp or by opting in to WhatsApp notifications:

• You consent to receive messages from us on WhatsApp related to your enquiry or your service (e.g. Traxium trip alerts).
• Your messages are routed through Meta's infrastructure and are subject to WhatsApp's Business Policy and privacy policy.
• You can opt out of WhatsApp messages from us at any time by replying STOP to any of our messages, or by emailing hello@xservlabs.com.
• Opting out of WhatsApp does not affect other communications (email, in-app notifications).

10. Children

Our services are for businesses and adults. We do not knowingly collect personal data from anyone under 18. Where Praxate or Traxium is used at sites that include minors (e.g. school campuses), the customer (school) is responsible for parental consent — and we provide the technical controls and DPA support needed to honour that obligation.

11. Security

We use appropriate technical and organisational measures to protect personal data, including:

• Encryption in transit (HTTPS/TLS 1.3) and at rest for sensitive data
• Role-based access control with audit logging
• Secrets management via AWS Secrets Manager and similar; no secrets in code or repos
• Annual penetration testing and security review
• Documented incident response procedures with 72-hour breach notification commitment under the DPDP Act

No system is perfectly secure. If you believe your account or data may have been compromised, contact hello@xservlabs.com immediately.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced at least 14 days in advance via email (to active customers) and via a notice on this page. The "Effective" date at the top of this policy will reflect the version in force.

13. Contact

If you're not satisfied with our response, you may approach the Data Protection Board of India (once operational under the DPDP Act). For EU/UK visitors, your local supervisory authority remains available.