Privacy Policy
How we collect, use, and protect your personal data
Last updated: March 2026
1. Introduction & Scope
CodeMax IT Solutions Pvt Ltd ("CodeMax", "Company", "we", "us", or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy describes the categories of personal data we collect, the purposes for which we process it, the legal bases for processing, the third parties with whom we share it, and the rights available to you.
This Privacy Policy applies to all personal data collected through our website at cdmx.in (the "Website"), our contact and demo request forms, newsletter subscription, live chat, and any other interactions with CodeMax, including enquiries made by email or telephone. It does not apply to data processing activities governed by separate data processing agreements between CodeMax and its Clients for the provision of Products and Services.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by the GDPR (Article 4(1)) and the DPDPA 2023 (Section 2(t)).
- "Processing" means any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- "Data Subject" / "Data Principal" means the individual to whom personal data relates (termed "Data Subject" under GDPR and "Data Principal" under DPDPA).
- "Data Controller" / "Data Fiduciary" means the entity that determines the purposes and means of processing personal data (termed "Data Controller" under GDPR and "Data Fiduciary" under DPDPA).
- "Data Processor" / "Data Processor" means an entity that processes personal data on behalf of the Data Controller / Data Fiduciary.
3. Data Controller Information
For the purposes of the GDPR and the DPDPA 2023, the Data Controller (Data Fiduciary) is:
CodeMax IT Solutions Pvt Ltd
CIN: U72200GA2015PTC007728
GSTIN: 30AAGCC2045J1Z3
Office No A-201, 202, 2nd Floor, Asian Pinnacle,
Behind Bank of India, Fatorda, Goa 403602, India
Email: [email protected]
Phone: +91 (832) 297 6020
4. Categories of Personal Data Collected
| Category | Data Elements | Source |
|---|---|---|
| Contact Data | Full name, email address, phone number, company name, job title, country | Contact forms, demo requests, email correspondence |
| Technical Data | IP address, browser type and version, operating system, device type, screen resolution, time zone, language preference | Automatically collected via server logs and cookies |
| Usage Data | Pages visited, referral URLs, session duration, click patterns, navigation paths | Analytics cookies and tracking technologies |
| Communication Data | Chat transcripts, email content, form submission content, communication preferences | Live chat (Crisp), email, contact/demo forms |
| Marketing Data | Newsletter subscription status, email engagement metrics (opens, clicks), advertising identifiers, consent records | Newsletter sign-up, marketing cookies, consent management |
5. How We Collect Personal Data
We collect personal data through the following methods:
- Direct interactions: When you submit a contact form, request a demo, subscribe to our newsletter, use our live chat, or correspond with us by email or telephone.
- Automated technologies: When you interact with the Website, we automatically collect Technical Data and Usage Data through cookies, server logs, and similar technologies. For details on the specific cookies we use, please refer to our Cookie Policy.
- Third-party sources: We may receive Technical Data from analytics providers (Google Analytics), advertising networks (Meta), and our CDN provider (Cloudflare).
6. Purposes & Legal Basis for Processing
| Purpose | Data Categories | Legal Basis (GDPR) | Legal Basis (DPDPA) |
|---|---|---|---|
| Responding to enquiries and providing customer support | Contact, Communication | Contractual necessity (Art. 6(1)(b)) | Consent / Legitimate use |
| Processing demo requests and service enquiries | Contact, Communication | Pre-contractual steps (Art. 6(1)(b)) | Consent |
| Sending marketing communications and newsletters | Contact, Marketing | Consent (Art. 6(1)(a)) | Consent |
| Website analytics and performance improvement | Technical, Usage | Consent (Art. 6(1)(a)) for cookies; Legitimate interest (Art. 6(1)(f)) for aggregated analytics | Consent |
| Advertising measurement and retargeting | Technical, Marketing | Consent (Art. 6(1)(a)) | Consent |
| Website security, fraud prevention, and bot management | Technical | Legitimate interest (Art. 6(1)(f)) | Legitimate use |
| Compliance with legal and regulatory obligations | All categories as required | Legal obligation (Art. 6(1)(c)) | Compliance with law |
7. Cookies & Tracking Technologies
We use cookies and similar tracking technologies on our Website. Essential cookies are set automatically; non-essential cookies (analytics and marketing) are activated only after you provide explicit consent via our cookie consent banner. For a comprehensive inventory of the cookies we use, their purposes, providers, and retention periods, please refer to our Cookie Policy.
You may withdraw your consent or update your cookie preferences at any time via the “Cookie Preferences” link in the Website footer. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
8. Third-Party Data Processors
We engage the following third-party service providers to process data on our behalf. Each processor is contractually bound to handle your data in accordance with applicable data protection regulations and only for the purposes specified below.
| Processor | Purpose | Data Processed | Data Location | Privacy Policy |
|---|---|---|---|---|
| Google Analytics (GA4) | Website analytics and visitor behavior insights | Technical Data, Usage Data | United States | View |
| Meta (Facebook Pixel) | Advertising performance measurement and retargeting | Technical Data, Marketing Data | United States | View |
| Crisp | Live chat support and customer communication | Contact Data, Communication Data | European Union | View |
| Brevo | Email newsletter delivery and subscriber management | Contact Data, Marketing Data | European Union | View |
| Cloudflare | CDN, DDoS protection, bot management, and web analytics | Technical Data | Global (edge network) | View |
| StaticForms | Contact and demo request form submission handling | Contact Data, Communication Data | United States | View |
We do not sell or rent your personal data to any third party. We share personal data with the processors listed above solely for the purposes described and under appropriate contractual safeguards.
9. International Data Transfers
CodeMax operates from India and serves clients across the European Union, United Kingdom, United States, and Israel. Your personal data may be transferred to and processed in countries outside your country of residence, including India and the United States.
Where personal data is transferred from the European Economic Area (EEA) or the United Kingdom to a country that has not received an adequacy decision from the European Commission, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs): We rely on the European Commission's Standard Contractual Clauses adopted pursuant to GDPR Article 46(2)(c) as the primary transfer mechanism for EEA-to-third-country transfers.
- UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA or the UK Addendum to the EU SCCs, as applicable.
- Supplementary measures: We conduct transfer impact assessments and implement technical and organisational measures, including encryption in transit and at rest, pseudonymisation, and access controls, to ensure that transferred data receives a level of protection substantially equivalent to that guaranteed within the EEA.
Our cloud infrastructure is hosted in data centres located in India and the European Union, with security measures aligned to our ISO 27001:2022 certification.
10. Data Retention Schedule
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following table sets out our standard retention periods:
| Data Category | Retention Period | Basis for Retention |
|---|---|---|
| Contact form submissions | 24 months from submission | Legitimate interest in follow-up |
| Demo request data | 24 months from submission | Pre-contractual steps |
| Newsletter subscriber data | Until consent is withdrawn | Consent |
| Live chat transcripts | 12 months from conversation | Legitimate interest in service improvement |
| Website analytics data | 26 months (GA4 default) | Consent for cookies; legitimate interest for aggregated data |
| Server access logs | 90 days | Security and fraud prevention |
| Consent records | Duration of processing + 3 years | Legal obligation (accountability under GDPR Art. 5(2)) |
At the expiry of the applicable retention period, personal data is securely deleted or anonymised in accordance with our data destruction procedures under our ISO 27001:2022 ISMS.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security controls are governed by our Information Security Management System (ISMS), which is certified to ISO 27001:2022 by DNV.
Key security measures include:
- Encryption of data in transit (TLS 1.2+) and at rest
- Role-based access controls and the principle of least privilege
- Regular vulnerability assessments and penetration testing
- Security incident response procedures with defined escalation paths
- Employee security awareness training
- Regular internal and external audits by DNV
For further details on our information security practices, please refer to our ISMS Policy.
Notwithstanding the above, no method of electronic transmission or storage is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
12. Your Rights Under the GDPR (EEA & UK Data Subjects)
If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR afford you the following rights in relation to your personal data:
- Right of Access (Article 15): You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to obtain a copy of that data together with information about the purposes, categories, recipients, retention periods, and your rights.
- Right to Rectification (Article 16): You have the right to obtain the rectification of inaccurate personal data and, having regard to the purposes of the processing, to have incomplete personal data completed.
- Right to Erasure (Article 17): You have the right to obtain the erasure of your personal data where (a) the data is no longer necessary for the purposes for which it was collected, (b) you withdraw consent and there is no other legal basis, (c) you object and there are no overriding legitimate grounds, (d) the data has been unlawfully processed, or (e) erasure is required to comply with a legal obligation. This right does not apply where processing is necessary for exercising the right of freedom of expression, compliance with a legal obligation, reasons of public interest in the area of public health, or the establishment, exercise, or defence of legal claims.
- Right to Restriction of Processing (Article 18): You have the right to obtain the restriction of processing where (a) you contest the accuracy of the data (for a period enabling us to verify accuracy), (b) processing is unlawful and you oppose erasure, (c) we no longer need the data but you require it for legal claims, or (d) you have objected to processing pending verification of whether our legitimate grounds override yours.
- Right to Data Portability (Article 20): Where processing is based on consent or contractual necessity and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance.
- Right to Object (Article 21): You have the right to object at any time to the processing of your personal data based on legitimate interests (Article 6(1)(f)), including profiling based on that provision. We shall cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. Where personal data is processed for direct marketing purposes, you have the right to object at any time, and we shall cease processing for that purpose without exception.
- Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such processing is necessary for a contract, authorised by law, or based on explicit consent.
- Right to Withdraw Consent: Where processing is based on consent (Article 6(1)(a) or Article 9(2)(a)), you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request without undue delay and in any event within one (1) month of receipt, subject to extension by a further two (2) months where necessary, taking into account the complexity and number of requests (Article 12(3)). There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
13. Your Rights Under the DPDPA 2023 (Indian Residents)
If you are a resident of India, the Digital Personal Data Protection Act, 2023 ("DPDPA") affords you the following rights as a Data Principal:
Data Fiduciary Obligations
As a Data Fiduciary under the DPDPA, CodeMax IT Solutions Pvt Ltd processes your digital personal data in a manner that is lawful, fair, and transparent. We process personal data only for legitimate purposes that have been clearly communicated to you, and we implement adequate security safeguards in accordance with Section 8 of the DPDPA.
Your Rights as a Data Principal
- Right to Access (Section 11): You have the right to obtain a summary of the personal data being processed and the processing activities undertaken with respect to your data.
- Right to Correction (Section 12): You have the right to request the correction of inaccurate or misleading personal data, the completion of incomplete data, and the updating of personal data that is no longer current.
- Right to Erasure (Section 12): You have the right to request the erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to any legal retention obligations applicable to us.
- Right to Grievance Redressal (Section 13): You have the right to raise a grievance regarding the processing of your personal data. We shall acknowledge your grievance and provide a resolution within the timelines prescribed under the DPDPA and its rules.
- Right to Nominate (Section 14): You have the right to nominate another individual to exercise your Data Principal rights on your behalf in the event of your death or incapacity.
To exercise any of your rights under the DPDPA, please contact us at [email protected].
14. Children's Privacy
Our Website and Services are not directed at children under the age of 18. We do not knowingly collect personal data from children. Under the GDPR, the processing of personal data of a child below the age of 16 (or lower age as specified by EU Member State law, but not below 13) requires consent from the holder of parental responsibility. Under the DPDPA 2023, processing of personal data of a child (under 18) requires verifiable consent from the parent or lawful guardian.
If we become aware that we have collected personal data from a child without the requisite parental consent, we will take steps to delete such data promptly. If you believe that a child has provided us with personal data, please contact us at [email protected].
15. Automated Decision-Making & Profiling
CodeMax does not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you on the Website. Any automated processing we undertake (such as website analytics) is used for aggregated insights and does not result in individual decisions or profiling that would have legal or similarly significant effects.
Where any of our Products (such as Orion or Nova) incorporate automated decision-making functionality, the use of such features by our Clients is governed by the separate data processing agreement and service terms between CodeMax and the Client. In such cases, the Client, as the Data Controller, is responsible for ensuring compliance with GDPR Article 22 and the relevant provisions of the DPDPA.
16. Data Protection Officer
For all queries, concerns, or requests relating to data protection, GDPR compliance, DPDPA compliance, or the exercise of your data subject rights, please contact our Data Protection Officer:
Data Protection Officer
CodeMax IT Solutions Pvt Ltd
Office No A-201, 202, 2nd Floor, Asian Pinnacle,
Behind Bank of India, Fatorda, Goa 403602, India
Email: [email protected]
17. Complaints
If you are not satisfied with our response to your data protection enquiry or believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with the relevant supervisory authority:
- India: You may file a complaint with the Data Protection Board of India once it is constituted and operational under the DPDPA 2023.
- European Union: You have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (GDPR Article 77). A list of EEA supervisory authorities is available at edpb.europa.eu.
- United Kingdom: You may lodge a complaint with the Information Commissioner's Office (ICO).
We encourage you to contact us first to allow us the opportunity to address your concern before escalating to a supervisory authority.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or business practices. Any changes will be posted on this page with an updated "Last updated" date.
Where changes materially affect how we process your personal data, we will take appropriate steps to inform you, which may include a prominent notice on the Website or direct communication by email. Where required by applicable law, we will seek renewed consent before implementing material changes.
19. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
CodeMax IT Solutions Pvt Ltd
CIN: U72200GA2015PTC007728
GSTIN: 30AAGCC2045J1Z3
Office No A-201, 202, 2nd Floor, Asian Pinnacle,
Behind Bank of India, Fatorda, Goa 403602, India
Phone: +91 (832) 297 6020
Email: [email protected]
Website: cdmx.in