India DPDP, EU/UK GDPR, US State Laws, China PIPL, Middle East
Version: 1.0
Effective Date: 17-06-2026
Last Updated: 17-06-2026
This Privacy Policy describes how HEFGRO ("HEFGRO", "we", "us" or "our"), operated by HEFGRO, a company incorporated under the laws of India with its registered office at Tamil Nadu, India, collects, uses, discloses, transfers, stores and otherwise processes personal data when you:
HEFGRO is a business-to-business (B2B) platform. We primarily process the personal data of individuals acting in a professional capacity (for example, directors, employees and authorised representatives of buyer and supplier organisations). Where our e-commerce showcase is used by individual consumers, the additional consumer-specific provisions of this Policy apply.
For most processing described in this Policy, HEFGRO acts as a data fiduciary / data controller (the entity that determines the purposes and means of processing). Where we process personal data inside the Business Suite on behalf of our customers (for example, their customer, vendor or employee records that they upload), we act as a data processor on their documented instructions, and the customer is the controller/fiduciary of that data.
| Role | Details |
|---|---|
| Data Controller / Data Fiduciary | HEFGRO, Tamil Nadu, India |
| General privacy contact | hello@hefgro.com |
| Grievance Officer (India – DPDP Act & IT Act) | hello@hefgro.com |
| Data Protection Officer (where required, e.g., GDPR Art. 37 or as a Significant Data Fiduciary in India) | hello@hefgro.com |
| EU Representative (GDPR Art. 27, if no EU establishment) | [To be appointed] |
| UK Representative (UK GDPR Art. 27, if applicable) | [To be appointed] |
This Policy applies to personal data processed in connection with the Platform, the Sourcing Services, the Business Suite, the Apps and our marketing and business operations worldwide. It applies regardless of the device or channel you use.
This Policy does not apply to:
We do not seek to collect sensitive or special categories of personal data (such as health data, religious beliefs, or biometric data). Please do not submit such data on the Platform. Government identifiers and financial data collected for KYC and payment purposes are protected with enhanced safeguards as described in Section 9.
The Platform is intended strictly for business users aged 18 or over. We do not knowingly collect personal data from anyone under 18 (or the higher age of majority in your jurisdiction). If you believe a minor has provided us personal data, contact privacy@hefgro.com and we will delete it. We do not undertake tracking, behavioural monitoring or targeted advertising directed at children, consistent with the India DPDP Act, GDPR and China PIPL requirements.
We process personal data only for the purposes below, supported by a lawful basis under applicable law. Where consent is the basis, it is requested in a free, specific, informed, unconditional and unambiguous manner with clear affirmative action, and can be withdrawn at any time as easily as it was given (Section 6 of the India DPDP Act 2023; Article 7 GDPR; Article 14 PIPL).
| Purpose | Examples | Legal Basis (GDPR / equivalent) |
|---|---|---|
| Account creation and management | Registration, login, authentication, profile management | Performance of contract; legitimate interests |
| Providing Sourcing Services | RFQ management, quote optimisation, order execution, supplier matching, delivery coordination, payment protection | Performance of contract |
| Providing the Business Suite | Hosting and processing customer-uploaded data | Performance of contract (as processor, on customer instructions) |
| Verification and onboarding | KYC, supplier vetting, sanctions/export-control screening, fraud prevention | Legal obligation; legitimate interests |
| Payments and settlements | Processing payments via licensed providers, invoicing, tax records | Performance of contract; legal obligation |
| Customer support | Responding to queries, complaints and disputes | Performance of contract; legitimate interests |
| Platform improvement and analytics | Usage analytics, performance monitoring, AI model improvement using aggregated or de-identified data | Legitimate interests; consent where required |
| AI-powered features | AI-driven quote optimisation, sourcing recommendations, market insights | Performance of contract; legitimate interests (with human oversight for significant decisions) |
| Marketing | Newsletters, product updates, event invitations | Consent; legitimate interests for existing B2B customers with opt-out |
| Safety, security and legal | Detecting fraud and abuse, enforcing terms, responding to lawful requests, establishing or defending legal claims | Legal obligation; legitimate interests |
| Corporate transactions | Due diligence in mergers, financing or restructuring under confidentiality | Legitimate interests |
India (DPDP Act 2023 and DPDP Rules 2025): We process digital personal data on the basis of (a) your consent, accompanied by a clear, itemised, standalone notice in plain language describing the personal data, the purpose, how to exercise your rights and how to complain to the Data Protection Board of India; or (b) certain legitimate uses recognised by Section 7 of the Act (for example, voluntary provision of data for a specified purpose, compliance with law, or employment-related purposes).
Anonymised and aggregated data: HEFGRO may use anonymised and aggregated data — from which neither an individual nor a specific business can be directly identified — for AI model training and improvement, demand forecasting, procurement analytics, supplier performance benchmarking, market insights and Platform optimisation. Once data is irreversibly anonymised, it is no longer personal data under applicable law. Where any jurisdiction treats de-identified data as regulated, we maintain it in de-identified form, commit not to re-identify it, and contractually require the same of recipients.
Automated decision-making: Our AI features assist sourcing and pricing decisions but do not make legal or similarly significant decisions about individuals solely by automated means. Where any such decision-making is introduced, we will provide the information, safeguards and objection/human-review rights required by Article 22 GDPR, Article 24 PIPL and analogous laws.
We do not sell personal data, and we do not share personal data for cross-context behavioural advertising as defined under US state privacy laws. We share personal data only as follows:
HEFGRO is headquartered in India and serves users globally. Your personal data may be transferred to, stored in and processed in countries other than your own, including India and the locations of our cloud and service providers. Where we transfer personal data internationally, we apply the safeguard required by the law of the originating jurisdiction:
You may request a copy of the relevant transfer safeguards by contacting privacy@hefgro.com.
We retain personal data only as long as necessary for the purposes for which it was collected, after which it is deleted or irreversibly anonymised. Retention schedule:
| Category | Retention Period |
|---|---|
| Account and profile data | Life of the account + 3 years after closure (limitation/defence of claims) |
| Transaction, order, invoice and tax records | 8 years (India: Companies Act 2013 & GST law) or 10 years where local tax/customs law requires |
| KYC, verification and screening records | 5 years after end of relationship, or up to 10 years where applicable AML law requires |
| Payment settlement records | 10 years or as required by the payment partner's regulatory regime |
| Business Suite customer content | Duration of the customer agreement + 30-day export window, then deleted |
| Marketing and newsletter data | Until consent is withdrawn, or deleted after 24 months of inactivity |
| Support tickets and communications | 3 years after resolution |
| Server, access and security logs | 12 months minimum (DPDP Rules 2025 / CERT-In directions), maximum 24 months |
| Cookie and consent records | Duration in the Cookie Policy; consent logs kept for the period needed to demonstrate compliance |
Where the India DPDP Rules 2025 prescribe erasure following a defined period of user inactivity for specified classes of platforms, we will notify you at least 48 hours before erasure so that you can retain your account by logging in or exercising your rights.
Subject to applicable law and verification of your identity, you have the following rights. We respond within the statutory timeframe of your jurisdiction (e.g., one month under GDPR, extendable; 45 days under most US state laws; the periods prescribed under the DPDP Rules 2025 in India).
In addition: data portability; restriction of processing; objection to processing based on legitimate interests and to direct marketing; rights relating to automated decision-making; and the right to lodge a complaint with your supervisory authority (e.g., your national data protection authority or the UK ICO).
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana or another state with a comprehensive privacy law: the right to know/access, correct, delete, and obtain a portable copy; the right to opt out of "sale", "sharing" and targeted advertising (HEFGRO does not sell or share personal information in these senses); the right to limit use of sensitive personal information; and the right to non-discrimination for exercising rights. You may use an authorised agent. We honour opt-out preference signals such as Global Privacy Control where legally required. Appeals of refusals may be submitted to privacy@hefgro.com and, if unresolved, to your state Attorney General.
In addition: the right to copy and transfer data, to restrict or refuse processing, to request explanation of processing rules, and rights of next of kin regarding the data of deceased users. Separate consent is obtained where PIPL requires it (e.g., sensitive personal information, cross-border transfers, or disclosure to other handlers).
Users in the UAE (including DIFC and ADGM), Saudi Arabia, Qatar and Bahrain enjoy rights of access, correction, deletion, objection/restriction and (where provided) portability under the UAE PDPL (Federal Decree-Law No. 45 of 2021), KSA PDPL, Qatar Law No. 13 of 2016 and Bahrain Law No. 30 of 2018, and may complain to the competent authority (e.g., the UAE Data Office, SDAIA in Saudi Arabia, the Qatari NCGAA/Compliance authority, or the Bahrain PDPA Authority).
How to exercise rights: Email privacy@hefgro.com or use the in-Platform settings. We may request information reasonably necessary to verify your identity and will not discriminate against you for exercising any right.
We implement reasonable and appropriate technical and organisational measures aligned with Section 8 of the India DPDP Act, Rule 6 of the DPDP Rules 2025, Article 32 GDPR and equivalent laws, including: encryption of data in transit (TLS) and sensitive data at rest; role-based access controls and least-privilege administration; multi-factor authentication for administrative access; network segregation, firewalls and intrusion monitoring; secure software development and vulnerability management; logging and monitoring with log retention as required by law; vendor security due diligence and contractual safeguards; employee confidentiality undertakings and training; and documented incident response and business continuity plans with regular backups.
Inherent risk acknowledgment: While HEFGRO implements commercially reasonable and legally required security measures, no electronic transmission or storage system can be guaranteed to be completely secure. Users acknowledge the inherent cybersecurity risks of internet-based services. This acknowledgment does not limit any liability or obligation that applicable data protection law does not permit to be limited. You are responsible for keeping your credentials confidential and for the security of devices you use to access the Platform.
If a personal data breach occurs, we will act in accordance with applicable law, including: notifying the Data Protection Board of India and affected Indian users in the form and timelines prescribed by the DPDP Rules 2025 (including intimation to affected individuals without delay, with a plain-language description, likely consequences, mitigation measures and contact details); notifying the competent supervisory authority within 72 hours where required by GDPR Article 33 and affected individuals where there is high risk; notifying CERT-In within the timelines under Indian cybersecurity directions; and complying with US state, PIPL, and Middle East breach notification regimes applicable to the affected data.
We use cookies and similar technologies as described in our Cookie Policy (available on the Platform), which explains the categories used, their purposes and durations, and how you can manage preferences, including consent for non-essential cookies in jurisdictions where required (e.g., EU ePrivacy rules) and opt-out signals in US states.
You can opt out of marketing emails at any time via the unsubscribe link, your account settings or by emailing privacy@hefgro.com. Transactional and service messages (e.g., order confirmations, security alerts, legal notices) will continue as they are necessary to provide the services. WhatsApp and SMS communications are sent in accordance with applicable telecom and consent rules, including TRAI regulations in India.
The Platform may link to third-party websites, payment gateways, app stores and social media. We are not responsible for their privacy practices. Review their policies before providing personal data.
We may update this Policy from time to time. Material changes will be notified via the Platform, email or other appropriate means before they take effect, and the "Last Updated" date will be revised. Where required by law (for example, for new purposes requiring consent), we will seek your fresh consent.
HEFGRO is a Data Fiduciary under the DPDP Act 2023. Notices and consent requests are made available in English and, on request, in the languages of the Eighth Schedule to the Constitution of India as required by Section 5(3) of the Act. Our Consent Manager integrations (if any), the contact details of our Grievance Officer, and the complaint route to the Data Protection Board of India are set out in Section 1.1 and Section 8. If HEFGRO is notified as a Significant Data Fiduciary, we will additionally appoint a Data Protection Officer based in India, conduct annual Data Protection Impact Assessments and independent audits, and comply with any data localisation directions.
The legal bases in Section 4, transfer mechanisms in Section 6 and rights in Section 8.2 apply. Our legitimate-interest assessments are documented and available on request in summary form. Complaints may be addressed to your local supervisory authority or the UK Information Commissioner's Office.
Section 8.3 sets out state-law rights. Notice at Collection (California): The categories of personal information collected are listed in Section 3; the purposes in Section 4; retention criteria in Section 7. We have not sold or shared personal information of consumers in the preceding 12 months and do not process personal information for cross-context behavioural advertising. We do not knowingly collect personal information of consumers under 16.
Where we process personal information of individuals located in mainland China, HEFGRO (or its appointed local representative) acts as the personal information handler contactable at privacy@hefgro.com. Separate consents are obtained where required by PIPL, and cross-border transfers comply with Section 6. Personal information protection impact assessments are performed for sensitive processing, cross-border transfers and entrusted processing.
Processing of personal data of users in these jurisdictions complies with the laws listed in Sections 6 and 8.5. Where HEFGRO offers services into the DIFC or ADGM, the DIFC Data Protection Law No. 5 of 2020 or ADGM Data Protection Regulations 2021 apply respectively to in-scope processing. Registration, records of processing and (where thresholds are met) DPO appointments will be completed as required by the competent authorities.
Questions, concerns, rights requests and complaints may be directed to:
HEFGRO, Attn: Privacy / Grievance Officer, Tamil Nadu, India. Email: hello@hefgro.com