Privacy & Data Retention Policy

Last Updated: March 5, 2026 — Version 1.2

Data Fiduciary: Assurd Techlabs (OPC) Private Limited
• CIN: U95111PN20250PC247712
• C23, Satya Sai Nagar, Mohan Nagar, Dhankawadi, Pune – 411043, Maharashtra, India.

This Privacy & Data Retention Policy ("Policy") describes how Assurd Techlabs (OPC) Private Limited collects, processes, uses, retains, discloses, and protects data pertaining to its Customers and website visitors. This Policy is published and maintained in compliance with the following applicable Indian legislation:

As an independent certification authority, Assurd is the sole entity that collects, stores, and controls personal data in connection with the Services. All Customer data flows through and is governed by Assurd systems. This Policy delineates how each category of data is handled across the full pipeline.

1. Data Fiduciary Designation and Basis of Processing

Assurd Techlabs (OPC) Private Limited is the sole Data Fiduciary as defined under Section 2(i) of the DPDP Act, 2023, in respect of all personal data collected through the Assurd platform. We process personal data on the following legal bases:

  • Contractual Necessity: Processing required to fulfill the certification service agreement, including logistics coordination and billing.
  • Explicit Consent: Processing of personal data for optional communications and service updates, which the Customer may withdraw at any time.
  • Legitimate Purpose — Fraud Prevention and Public Interest: The permanent retention and publication of hardware telemetry data to the Assurd Global Registry by Assurd HQ, justified as a legitimate purpose for maintaining the integrity of the secondary hardware market.
  • Legal Obligation: Retention of financial and transactional records as mandated by Indian corporate, tax, and financial law.

2. Categories of Data Collected

Assurd collects and processes two structurally separate categories of data:

Category A: Personally Identifiable Information ("PII")

Collected solely for the purpose of service delivery. Stored exclusively in Assurd's access-controlled, encrypted systems.

  • Full legal name and email address.
  • Mobile phone number.
  • Physical address(es) for courier pickup and return delivery.
  • Payment transaction references (not raw card or UPI credentials).
  • IP address and device metadata collected through standard web server logs.

Category B: Hardware Telemetry & Forensic Records ("HTFR")

Generated through the Assurd SOP pipeline and transmitted via the Kairoscope portal. Upon validation and certificate issuance, this data is published to the public Assurd Global Registry by Assurd. This data is not "personal data" as defined under the DPDP Act, 2023, as it identifies a physical hardware component, not a natural person.

  • Hardware serial number and OEM model identifier.
  • VBIOS cryptographic hash and firmware validation status.
  • Thermal readings, clock frequencies, memory bandwidth measurements, and power draw telemetry.
  • Kairoscope performance percentile scores.
  • Macro-photographic condition imagery of the hardware.
  • Certification outcome (Pass, Fail, or Conditional) and the associated Forensic Report.

3. The Public Registry and the Data Separation Guarantee

The Assurd Global Registry is written to exclusively by Assurd at the point of certificate issuance. By proceeding with a certification booking and executing the Customer Condition Declaration, the Customer provides explicit, informed consent for the publication of Category B data (HTFR) to the public Registry by Assurd.

Assurd Data Separation Guarantee

Category A data (PII) is maintained in a strictly firewall-separated, access-controlled internal database operated solely by Assurd HQ, architecturally segregated from the public Registry infrastructure. No PII — including but not limited to the Customer's name, email, phone number, or address — shall ever be published to, or retrievable from, the public Assurd Global Registry. A Digital Certificate will display hardware metrics and serial number only. The identity of the Customer who submitted a given Hardware item is irretrievable by any public query.

4. Data Retention Schedule and Legal Justification

| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Financial & Billing Records | Minimum 8 years | Companies Act, 2013; Income Tax Act, 1961; GST Act, 2017 |
| Customer PII (Active Account) | Duration of account activity | Contractual necessity; DPDP Act, 2023 |
| Customer PII (Post-Deletion Request) | Purged within 30 days (excluding billing artifacts) | Data Principal rights under DPDP Act, 2023, Section 12 |
| Hardware Telemetry & Forensic Records (HTFR) | Permanent — Cannot be deleted | See Section 4.1 below |

4.1 Legal Justification for Permanent Retention of HTFR

Assurd HQ is legally obligated and operationally required to retain HTFR permanently and cannot honor requests to delete or modify such records. The justifications are as follows:

  • Not Personal Data: Hardware serial numbers, VBIOS hashes, and performance telemetry do not identify a natural person. They identify a physical component. As such, these records do not qualify as "personal data" under the DPDP Act, 2023, or the IT (SPDI) Rules, 2011, and the right to erasure under Section 12 of the DPDP Act does not apply.
  • Fraud Prevention and Public Interest: The purpose of the Assurd Registry is to create a tamper-proof, permanent record of a hardware component's forensic history. Deletion would enable bad-faith actors to re-submit previously failed, spoofed, or fraudulently modified Hardware to obtain a clean certificate, directly undermining the anti-fraud purpose of the Registry.
  • Irrevocable Consent: The Customer provided explicit, informed, and irrevocable consent for the permanent publication of HTFR at the time of booking, as a fundamental and inseverable condition of the certification service.
  • Evidentiary Integrity: Registry records may constitute admissible evidence in civil or criminal proceedings relating to hardware fraud. Deletion could constitute destruction of potential evidence, which Assurd is not authorized to perform.

5. Payment and Financial Data Processing

Assurd does not store raw payment credentials — including credit card numbers, debit card numbers, CVV/CVC codes, UPI VPAs, or net banking credentials — on its own servers at any point in the transaction lifecycle. All payment processing is executed exclusively through our RBI-authorized, PCI-DSS Level 1 compliant payment gateway partner. Assurd retains only the transaction reference ID, timestamp, amount, and status necessary for billing reconciliation and statutory record-keeping.

6. Data Security Measures

Assurd implements reasonable security practices and procedures as mandated by the IT (SPDI) Rules, 2011, and the DPDP Act, 2023, including but not limited to:

  • Encryption of Category A (PII) data at rest and in transit using industry-standard protocols.
  • Role-based access controls ensuring that only authorized Assurd HQ personnel with a documented operational need may access PII.
  • Architectural segregation between the internal PII database and the public Registry infrastructure.
  • Regular security audits and vulnerability assessments of all data processing systems.

In the event of a personal data breach, Assurd shall notify the Data Protection Board of India and affected Data Principals in accordance with the notification obligations under the DPDP Act, 2023.

7. Rights of Data Principals and Grievance Redressal

Under the DPDP Act, 2023, Customers ("Data Principals") have the following rights with respect to their Category A (PII) data:

  • Right to Access: To obtain a summary of the personal data held by Assurd HQ and the purposes for which it is processed.
  • Right to Correction: To request correction of inaccurate or outdated personal data.
  • Right to Erasure: To request deletion of Category A data, subject to overriding legal retention obligations described in Section 4.
  • Right to Grievance Redressal: To have grievances addressed by the Assurd Grievance Officer within the timelines prescribed by the DPDP Act.

To exercise any of the above rights, or to lodge a grievance, please contact our designated Grievance Officer:

Grievance Officer

Assurd Techlabs (OPC) Private Limited

C23, Satya Sai Nagar, Mohan Nagar, Dhankawadi, Pune – 411043

Maharashtra, India

Email: legal@assurd.in

CIN: U95111PN20250PC247712

Grievances will be acknowledged within 48 hours and resolved within 30 days of receipt, in compliance with the DPDP Act, 2023.

8. Updates to this Policy

Assurd reserves the right to amend this Policy at any time to reflect changes in applicable law, regulatory requirements, or business practices. Material amendments will be communicated to active account holders via registered email with a minimum of thirty (30) days' notice prior to taking effect. Continued use of the Services following the effective date of any amendment constitutes acceptance of the revised Policy.