Legal

Privacy Policy

This Privacy Policy provides a group-wide framework for how data is collected, processed, stored, retained, and protected across the Dvika Ecosystem.

Dvika Next-Gen Tech Solutions (“Company,” “we,” or “our”) is a corporate group that encompasses multiple brands and subsidiaries, including Dvika, Voltrax, and any future platforms, services, or applications operated by or on behalf of the group (collectively, “Dvika Ecosystems”). This Privacy Policy establishes a comprehensive, group-wide framework that sets forth the principles and standards governing the collection, use, processing, storage, retention, and protection of personal, sensitive, and proprietary information.

The Policy is designed to ensure compliance with all applicable data protection and privacy laws, including but not limited to:

  • The Digital Personal Data Protection Act, 2023 (DPDP Act), which governs lawful data processing, consent, user rights, data fiduciary obligations, cross-border transfers, and breach notification protocols within India;
  • The Information Technology Act, 2000, and associated rules on reasonable security practices and sensitive personal data or information;
  • The General Data Protection Regulation (GDPR), as applicable to relevant cross-border data flows and international operations;
  • Other relevant domestic and international data protection, cybersecurity, and privacy-related laws and regulations.

This unified Privacy Policy applies to all personal and proprietary data collected or processed in connection with the Company and any of its subsidiaries or affiliated platforms. It sets the overarching standards of data governance, safeguards user rights, delineates data protection responsibilities across the group, and establishes mechanisms for incident response and regulatory compliance.

Users and stakeholders are directed to consult the specific privacy policies published by the subsidiaries Dvika and Voltrax, or any other current or future platforms, features, or services operated under the Company, which supplement and operationalize this Policy with detailed practices tailored to the particular services and jurisdictions involved.


Definitions

For this Privacy Policy and the Services provided within the Dvika Ecosystem, the following terms shall have the meanings assigned to them below:

  • “Anonymization” refers to the process of irreversibly transforming Personal Data into a form where the Data Principal or individual cannot be identified, even when combined with other information, ensuring the data is no longer "Personal Data" under applicable law.
  • “Applicable Law” means all mandatory laws, statutes, and regulations relating to data protection and privacy in force from time to time in the jurisdictions where the Services are provided, including but not limited to the Digital Personal Data Protection Act, 2023 (India), the Information Technology Act, 2000, and the GDPR (where applicable).
  • “Customer Data” or “User Content” refers to all proprietary data, documents, files, and information uploaded, processed, or stored by the Customer or its authorized users within the Services.
  • “Data Fiduciary” (as defined under the DPDP Act) refers to any person who alone or in conjunction with others determines the purpose and means of processing of personal data. In this context, the Company or its subsidiaries act as Data Fiduciaries for account data, and as Data Processors for Customer Data.
  • “Data Principal” refers to the individual to whom the personal data relates.
  • “De-identification” means the removal of direct identifiers (such as names or ID numbers) so that an individual cannot be identified without the use of additional information kept separately.
  • “Dvika Ecosystem” refers collectively to Dvika Next-Gen Tech Solutions and its subsidiaries, including but not limited to Voltrax (Business Operations) and Dvika LawTech (Legal Innovation).
  • “Feedback” refers to any suggestions, feature requests, or comments voluntarily provided by the User regarding the performance or improvement of the Services, excluding any Personal Data contained therein.
  • “Personal Data” means any data about an individual who is identifiable by or in relation to such data, including "Sensitive Personal Data" as defined by applicable regulations (e.g., financial information, biometrics, or passwords).
  • “Personal Data Breach” means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to, personal data that compromises the confidentiality, integrity, or availability of such data.
  • “Processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure, or destruction.
  • “Subprocessor” refers to any third-party service provider (including cloud infrastructure providers like Hostinger, Contabo, or Cloud Minister) engaged by the Company to process Personal Data or Customer Data on its behalf to facilitate the delivery of the Services.

Scope

This Privacy Policy serves as the primary framework governing data protection across the Dvika Ecosystem. It establishes the baseline standards for all subsidiaries and platforms operated by the Company.

The Company acknowledges that specific platforms and services may require distinct data processing practices based on the nature of the service, industry requirements, or applicable regulatory obligations. Accordingly, in the event of any conflict, inconsistency, or ambiguity between privacy-related documents, the following order of precedence shall apply:

  • Data Protection Addendum (DPA) - Any Data Protection Addendum or equivalent data processing agreement expressly executed between the Company and a business or enterprise Customer shall have the highest priority and shall govern the data processing activities applicable to that specific contractual engagement.
  • Privacy Policy - This Privacy Policy sets forth the overarching, group-wide data protection principles, governance standards, and baseline compliance framework applicable across all Company platforms and subsidiaries.

Users and Customers are directed to review the applicable platform-specific privacy policies, which supplement and operationalize this Master Privacy Policy. Such platform-specific policies provide detailed, service-level data processing disclosures, including, without limitation, third-party integrations, infrastructure arrangements, and jurisdictional or regional data residency practices relevant to the specific services utilized.


Reference to Subsidiaries

The Company operates as a corporate group comprising multiple subsidiaries and affiliated platforms, including Dvika, Voltrax, and any future platforms or services developed by or on behalf of the Company (collectively, “Dvika Ecosystems”).

This Privacy Policy establishes broad, overarching privacy principles, standards, and compliance frameworks applicable across the group. While it provides a comprehensive, unified approach to data privacy, specific operational practices - including user rights, data collection and processing activities, data retention, third-party sharing, international data transfers, breach notification, grievance redressal mechanisms, and other platform-specific commitments - are detailed in the individual privacy policies of the respective subsidiaries and platforms, including Dvika, Voltrax, and any future services under Dvika Ecosystems.


Core Data Privacy and Security Principles

The Company is committed to maintaining the highest standards of data integrity, confidentiality, and security across all its platforms, subsidiaries, and services, including Dvika, Voltrax, and any future platforms (“Dvika Ecosystems”). Our principles are designed to provide a secure, transparent, and compliant environment for the collection, processing, storage, and dissemination of personal, sensitive, and proprietary data.

Implementation of Robust Technical and Organizational Controls

  • We shall employ industry-leading technical safeguards such as encryption for data in transit and at rest, multi-factor authentication, secure storage protocols, and intrusion detection systems.
  • Organizational controls include internal policies, mandatory staff training, access controls based on least privilege, and regular security audits.
  • Continuous monitoring, vulnerability assessments, and incident response procedures shall be adopted to detect and mitigate threats proactively.

Strict Confidentiality Obligations

  • All personnel, contractors, affiliates, vendors, and third-party partners are bound by confidentiality obligations to prevent unauthorized access, disclosure, or misuse of data.
  • Confidentiality agreements and data processing agreements shall be enforceable to ensure compliance across the group.

Respecting Data Subject Rights

  • Data subjects (individuals whose data is processed) shall retain rights, including access to their data, correction of inaccuracies, deletion, objection to processing, and grievance redressal mechanisms.
  • Transparent information regarding data processing activities shall be provided through clear privacy notices and user communication channels.

Lawful, Fair, and Transparent Processing

  • All data shall be processed lawfully, fairly, and transparently, aligned with the purposes explicitly disclosed in subsidiary policies.
  • Data collection shall be limited to what is necessary for legitimate and specified purposes, with processes that comply with applicable laws, such as the Digital Personal Data Protection Act, 2023 (DPDP Act).

Prompt Detection, Reporting, and Remediation

  • Data security incidents, breaches, or unauthorized disclosures shall be detected early through continuous monitoring.
  • Prompt reporting to the Data Protection Officer (DPO), regulators, and affected individuals, as mandated by law, shall be carried out within prescribed timelines.
  • Post-incident investigations, root cause analysis, and remediation measures shall be diligently executed to prevent recurrence and minimize harm.

Data Minimization and Purpose Limitation

  • Collect only the data necessary for specified, explicit, and legitimate purposes.
  • Use data strictly in accordance with the purposes disclosed at the point of collection, avoiding any re-purposing without explicit consent or legal basis.

Accountability and Ongoing Compliance

  • The Company shall maintain detailed records of processing activities to demonstrate accountability.
  • Regular audits, risk assessments, staff training, and policy reviews shall be conducted to ensure ongoing compliance with data protection laws and best practices.

Roles and Responsibilities

Effective data privacy governance at the Company depends on the clear definition and execution of roles and responsibilities across various organizational units. The following key roles are central to privacy compliance, data breach management, and ongoing security governance within the Company and its subsidiaries, such as Dvika, Voltrax, or any other current or future platforms, features, or services operated under the Company.

Data Protection Officer (DPO)

  • Serves as the primary privacy compliance officer overseeing the implementation and maintenance of data protection policies in alignment with applicable laws, including the DPDP Act, GDPR (where applicable), and other relevant regulations.
  • Informs, advises, and trains the Company’s employees and contractors about their data protection obligations and privacy best practices.
  • Monitors compliance through audits, risk assessments, and data protection impact assessments (DPIAs).
  • Acts as the liaison between the Company and regulatory authorities, coordinating responses to data protection inquiries or investigations.
  • Handles data subject rights requests and manages internal incident reporting related to personal data.
  • Ensures documentation of processing activities and maintains privacy records for regulatory purposes.

Incident Response Team (IRT)

  • Responsible for rapidly investigating, containing, and mitigating data breaches or security incidents involving personal or sensitive data.
  • Coordinates response actions with IT Security, Legal, and Compliance teams to ensure effective incident management.
  • Works under the oversight of the DPO to ensure regulatory notifications and internal reporting are timely and compliant.

IT Security Team

  • Implements and maintains technical controls and safeguards to protect data confidentiality, integrity, and availability.
  • Conducts ongoing monitoring, vulnerability assessments, and forensic investigations as part of breach responses.
  • Supports system restoration and prevention of recurrence following security incidents or breaches.

Legal and Compliance Teams

  • Provide legal advice related to data privacy and cybersecurity laws applicable to the Company’s operations.
  • Assist in regulatory reporting, contract management with data processors or third parties, and policy review.
  • Support the DPO in ensuring adherence to statutory obligations and best practices.

GDPR / Indian Data Protection Statement

We process personal data in accordance with applicable data protection laws, including the Digital Personal Data Protection Act, 2023 (India) (“DPDP Act”) and, where relevant, the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Personal data is processed only for lawful purposes, including: (i) performance of a contract or provision of requested services; (ii) compliance with legal and regulatory obligations; (iii) legitimate business interests that do not override individual rights; and (iv) consent, where expressly required.

We collect and use personal data strictly for specified, explicit, and legitimate purposes. Data is retained only for as long as necessary to fulfil those purposes or as required by applicable laws. Individuals have the right to access, correct, update, erase, or restrict the processing of their personal data. Under GDPR, additional rights apply, including the right to data portability and the right to object to certain types of processing. Requests relating to these rights will be addressed in accordance with the timelines and procedures prescribed under the DPDP Act and GDPR. Where personal data is transferred outside India or the EU/EEA, such transfers are carried out in accordance with applicable law, including adequacy decisions, contractual safeguards, or other lawful transfer mechanisms. We implement technical and organizational measures designed to protect personal data against unauthorized access, loss, alteration, disclosure, or other unlawful processing. Processing may be undertaken to meet obligations under the DPDP Act, GDPR, and other applicable laws, including responding to regulatory authorities, law-enforcement requests, audit requirements, or dispute-resolution processes.

For international or NRI users, the Company’s obligations are limited to the specific data processing activities and security measures outlined in this Policy. Use of the platform from outside India constitutes the user's explicit acknowledgment that their data will be processed in accordance with Indian law, and the Company shall not be liable for non-compliance with regional local laws beyond the protections explicitly stated herein.


GDPR and Cross-Border Data Supplement

This Section applies to Personal Data of data subjects located in the European Union, European Economic Area, United Kingdom, or Switzerland, where such processing is subject to Regulation (EU) 2016/679 (General Data Protection Regulation), the UK GDPR, or applicable Swiss data protection laws (“EU Data”), including where such data is processed by the Company or its affiliates in India or other jurisdictions.

For processing activities relating to Indian residents and non-EU data subjects, the primary governing law is the Digital Personal Data Protection Act, 2023 (“DPDP Act”), subject to the applicability of any other mandatory data protection laws. This Section does not exclude or override the application of GDPR where it is mandatorily applicable law.

Where Dvika processes EU Data on behalf of a customer or business user, such processing is carried out in accordance with documented instructions provided by the relevant data controller and for purposes connected to the provision of the Company’s services. Dvika implements appropriate technical and organizational measures designed to protect EU Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, consistent with the requirements of Article 32 of the GDPR.

Dvika maintains procedures designed to support compliance with applicable GDPR obligations, including cooperation in relation to personal data breach notifications, data protection impact assessments, and regulatory inquiries, where required by law. Engagement of subprocessors for the processing of EU Data is subject to contractual safeguards and oversight mechanisms intended to ensure a level of data protection consistent with applicable data protection laws.

Where EU Data is transferred outside the European Union or United Kingdom, such transfers are carried out using lawful transfer mechanisms recognized under applicable data protection laws, including approved Standard Contractual Clauses or other valid safeguards, where required. Detailed cross-border transfer arrangements, controller-processor obligations, audit rights, and allocation of responsibilities are governed exclusively by a separate Data Processing Agreement or service agreement executed between the Company and the relevant customer.

GDPR obligations apply only to processing activities that fall within the material and territorial scope of the GDPR and do not extend to data processing activities governed exclusively by other applicable data protection laws.


Contractors and Affiliates

  • Are required to adhere strictly to the Company's data protection policies and confidentiality agreements.
  • Must immediately report any suspected or confirmed personal data breaches or security vulnerabilities through designated reporting channels.
  • Participate in mandatory privacy training and awareness programs.

Disclosure of Data to Third-Party Subprocessors

To provide our Services effectively, the Company (the "Data Fiduciary/Controller") utilizes third-party service providers, known as subprocessors, to perform various data processing activities.

By using our Services, you acknowledge that we may engage subprocessors to process Personal Data on your behalf. These subprocessors are strictly limited to processing data in accordance with our documented instructions and for the specific purposes outlined in our service agreements.

We maintain a rigorous vetting process for all subprocessors. We ensure that:

  • Each subprocessor is bound by a Data Processing Addendum (DPA) that mandates a level of data protection no less than that required by applicable laws, including the DPDP Act 2023 and GDPR.
  • Subprocessors must implement appropriate technical and organizational measures to ensure the confidentiality and integrity of your data.

We are committed to transparency. If we intend to appoint a new subprocessor or replace an existing one, we will update our Public Subprocessor List. You may subscribe to receive proactive email notifications regarding these changes by visiting our Subscription Portal or emailing info@dvika.com.

Where Personal Data is transferred to a subprocessor located outside of India, we ensure that such transfers comply with all cross-border transfer restrictions, permitted jurisdictions, or conditions prescribed by the Government of India from time to time under Section 16 of the DPDP Act, 2023. In the absence of specific government notifications, we implement Standard Contractual Clauses (SCCs) or equivalent data-sharing agreements with our global partners to ensure that the data recipient maintains a level of protection at least as stringent as that required under Indian law.


Subprocessor Management

The Customer provides a general written authorization for Voltrax to engage Subprocessors. Voltrax remains responsible for the acts and omissions of its Subprocessors as required by applicable data protection laws. Each Subprocessor is bound by written agreements providing data protection standards no less protective than those in this DPA.

Voltrax operates a standardized, multi-tenant cloud platform and retains sole and absolute discretion over the selection or replacement of Subprocessors. The Customer acknowledges they have no right to veto, intervene in, or dictate these choices.

Notwithstanding, Voltrax may appoint a Subprocessor immediately and without prior notice to prevent service outages, mitigate security incidents, or comply with legal mandates. Voltrax will update the Subprocessor records post-facto.

For more detailed information regarding specific data handling practices, please refer to the Brand-specific Data Protection Addendum (DPA).


Subprocessor Liability & Risk Allocation

The Customer acknowledges that Subprocessors (including APIs or other third-party services) are independent entities. The Company does not exercise control over their internal governance, physical facilities, or fundamental system architecture. The Company’s liability regarding Subprocessors is strictly limited to:

  • Performing reasonable due diligence at the time of onboarding;
  • Ensuring that the Subprocessor is bound by a Data Processing Agreement (DPA) reflecting the core security principles of this Agreement; and
  • Providing the Subprocessor with clear, documented instructions for data handling.

To the maximum extent permitted by applicable law:

  • The Company is not liable for data incidents, service outages, or compliance failures that originate solely within a Subprocessor’s environment;
  • The Company does not guarantee the 100% availability of any third-party Subprocessor. If a global cloud region goes offline, the Company will assist in recovery but is not liable for upstream failures; and
  • Any failure by a Subprocessor due to natural disasters, war, or large-scale internet routing failures shall be considered a Force Majeure event.

Data Breach Notification and Management

The Company maintains a comprehensive and structured data breach notification and management procedure to ensure the timely and transparent handling of personal data breaches. The objective of this procedure is to minimize harm to affected individuals, meet legal requirements, and uphold stakeholder trust.

Breach Identification and Internal Escalation

All employees, contractors, and relevant personnel are required to promptly report any suspected or actual data breaches through designated internal channels. The Incident Response Team (IRT), in coordination with IT Security and the Data Protection Officer (DPO), assesses and classifies the breach for severity, scope, and impact.

Regulatory Notification

In the event of a Personal Data Breach, the Company shall notify the relevant supervisory authorities and affected individuals without undue delay and within the timeframes required under applicable law, taking into account the nature, scope, and severity of the breach and any regulatory guidance or directions. Where a specific timeline is mandated by applicable law (such as the 72 (Seventy Two) hour notification requirement under the GDPR), the Company shall comply with such requirement to the extent applicable, subject to applicable law and specific regulatory directions. This unified timeline ensures compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and provides a consistent protection standard across all Dvika Ecosystems subsidiaries.

CERT-In Compliance: This commitment provides a consistent protection standard across all Dvika Ecosystem subsidiaries (including Voltrax, Dvika LawTech, or any other future features), ensuring that incident response is centralized and professionally managed regardless of which platform or sub-feature is affected. This centralization allows for a more robust, cross-platform security analysis during any incident investigation.

Unified Protection Standard: This commitment provides a consistent protection standard across all Dvika Ecosystem subsidiaries (including Voltrax and Dvika LawTech or any other future features), ensuring that incident response is centralized and professionally managed regardless of which platform is affected.

User Notification - Affected individuals will be informed about the breach through clear, concise, and accessible communication channels, detailing the nature of the breach, potential impacts, steps taken by the Company to mitigate damage, and recommended actions to protect themselves.

Documentation and Record Keeping - The Company maintains thorough records of all reported breaches, investigations, notifications, remedial actions, and follow-ups. These records are retained securely in accordance with legal and regulatory requirements.

Incident Management and Remediation - The IRT leads incident containment, eradication of threats, system restoration, and coordinates with relevant departments to prevent recurrence. Post-incident reviews include root cause analysis, policy review, and staff training enhancements to strengthen data security posture.

Oversight and Compliance - The Data Protection Officer oversees compliance with breach notification laws and coordinates with regulatory authorities as needed. The Company ensures harmonization of breach management with sectoral and cybersecurity regulations, such as CERT-In reporting obligations.


Data Retention and User Rights

The Company adopts a strict data retention policy consistent with statutory and regulatory obligations to ensure personal and proprietary data is retained only for as long as necessary to fulfill legitimate business, legal, or compliance purposes.

Data Retention

Personal data shall be retained strictly for the duration necessary to fulfill the specific purposes for which it was collected or as mandated by applicable law or consent withdrawal. Data retention periods will be determined based on the nature of the data, contractual obligations, regulatory requirements, and business needs. Upon cessation of the retention period or withdrawal of consent, personal data shall be securely deleted or anonymized in a manner that prevents re-identification. Where retention is legally required for audit, dispute resolution, or regulatory enforcement, data may be retained in accordance with such mandates.

User Rights

Data subjects (users) have full rights to:

  • Access their personal data processed by the Company.
  • Request correction or amendment of inaccurate or incomplete data.
  • Request erasure or deletion of personal data where retention is no longer necessary or lawful.
  • Lodge complaints or grievances with the Data Protection Officer (DPO) or designated grievance redressal mechanisms.

Specific Data Subject Rights

Certain data subject rights described herein apply only where expressly mandated by applicable law, including under regulations such as the General Data Protection Regulation (GDPR), and may not be available in all jurisdictions, including India under the Digital Personal Data Protection Act, 2023. Accordingly, the right to object to or restrict processing shall apply solely to the extent such rights are provided under applicable law.

Exercising Rights

Users are encouraged to exercise their data protection rights via the relevant Privacy Policies provided by Dvika, Voltrax, or any other platforms operated by the Company. Assistance in exercising these rights can also be obtained by contacting the Company’s Data Protection Officer (DPO) through the official channels.

User Content Ownership and Feedback

While you retain ownership of Your Content, any voluntary suggestions, improvements, or ideas you provide regarding the Services are classified as "Feedback." You grant the Company a non-exclusive, perpetual, irrevocable, and royalty-free license to use and commercialize such Feedback without restriction. Notwithstanding the above, our use of Feedback is strictly subject to applicable data protection laws. The Company will not publish any Personal Data or Confidential Information contained within Feedback. Any Feedback used for internal development, performance optimization, or feature enhancement will be strictly de-identified or anonymized to ensure that no individual or entity remains identifiable.


Ongoing Policy Review and Updates

The Company recognizes the dynamic nature of legal, technological, and operational environments affecting data privacy and protection. To maintain robust compliance and effective governance, this Privacy Policy is subject to periodic review and updates.

  • The Privacy Policy shall be reviewed at least annually to ensure alignment with evolving statutory requirements such as the Digital Personal Data Protection Act, 2023 (DPDP Act), Information Technology Act, 2000, and relevant international privacy frameworks.
  • Reviews may also be triggered by significant technological advancements, security incidents, regulatory guidance updates, or organizational changes affecting data processing operations.
  • Amendments, updates, or modifications to this Policy will be communicated transparently via the Company’s official corporate website, internal portals, or through direct notifications to stakeholders and users, where feasible.
  • Continued use of the Company services after publication of policy updates constitutes acceptance of the revised terms. Users are advised to periodically review the Policy to stay informed of current practices and rights.
  • The Company’s Data Protection Officer (DPO) and Compliance teams coordinate the review process, engaging relevant stakeholders and legal counsel as necessary to ensure comprehensive updates.

Contact Us

For any questions, concerns, or requests related to data privacy, personal data processing, user rights, or grievance redressal, users and stakeholders may contact the Data Protection Officer (DPO) of the Company:

  • Email Id - info@dvika.com.
  • Website - https://dvika.com/
  • Registered Address - 1674/3, Krishna Reddy Layout, Block 3, HBR Layout, Bengaluru, Karnataka 560043

The DPO serves as the primary point of contact for data protection matters, including the exercise of data subject rights, complaint handling, and liaison with regulatory authorities under the Digital Personal Data Protection Act, 2023 (DPDP Act).

Contact details will be maintained on the Company’s official website and communicated in privacy notices to ensure easy accessibility and transparency for all users.


Note:

This Privacy Policy provides the high-level governance framework for data protection and privacy applicable across the Company and its subsidiaries. However, all users, clients, partners, and stakeholders are strongly advised to refer to the specific privacy policies published by the subsidiaries Dvika, Voltrax, or any other current or future platforms, features, or services under the Company’s enterprise. These subsidiary policies contain the detailed, operative provisions, user rights, processing practices, and compliance measures specific to each service and jurisdiction, thereby supplementing and operationalizing this Privacy Policy. In the event of a conflict between this Privacy Policy and a specific Data Protection Addendum (DPA) executed by a subsidiary, the terms of the subsidiary DPA shall take precedence regarding the specific data residency and processing timelines promised to that subsidiary's customers.

If you believe something here needs updating, email info@dvika.com.