Privacy & Data Policy
Last updated: 1 May 2025
This Privacy & Data Sharing Policy explains how Eva Excelsior Solutions Pvt Ltd ("Eva Excelsior", "We", "Us", "Our") collects, processes, stores, shares, and protects personal data and business data of Users of the Global eTrade Portal. This Policy complies with the Digital Personal Data Protection Act, 2023 (India), the General Data Protection Regulation (EU) 2016/679, the UK GDPR, the California Consumer Privacy Act (CCPA) 2018, and all other applicable data protection laws.
1. Data Controller Identity
Eva Excelsior Solutions Pvt Ltd is the Data Fiduciary (under DPDP Act 2023) and Data Controller (under GDPR/UK GDPR) in respect of personal data processed through the Portal.
Registered Office: 402, ZB Laxuria, 49 Nutanbharat Society, Alkapuri, Vadodara, Gujarat – 390007
CIN: U51909GJ2020PTC113823 | GSTIN: 24AAFCE9179C1ZL
2. Data Collected
2.1 Personal Data Collected from Individual Users
- Identity Data: Full legal name, date of birth, government-issued ID numbers (Aadhaar, PAN, Passport, Driver's Licence), nationality.
- Contact Data: Email address, mobile number, postal address, and country of residence.
- eKYC Data: Biometric verification data (facial recognition hash — not stored as raw image), digital identity verification results.
- Financial Data: Bank account details, SWIFT/IBAN, AD code, payment instrument details (tokenised and encrypted).
- Transaction Data: Records of all transactions, bids, orders, trade documents, compliance filings, and communications on the Portal.
- Technical Data: IP address, device identifier, browser type, operating system, cookie identifiers, usage logs, and session data.
- Communications Data: Messages, enquiries, and documents exchanged between Users through the Portal's messaging system.
2.2 Business Data Collected from Entities
- Corporate identity documents: Certificate of Incorporation, Memorandum of Association, Partnership Deed.
- Tax registration: PAN, GSTIN, IEC, RCMC, or foreign equivalents (VAT, EIN, Company Registration Number).
- KYB data: Beneficial ownership information, director/officer details, UBO declarations.
- Trade data: Product listings, export/import records, shipping documents, LC/BG details, customs filings.
- Financial statements: Where submitted for trade finance facilitation purposes.
2.3 Automatically Collected Data
- Log files, API call records, clickstream data, search queries, and interaction data within the Portal.
- Cookie data: Session cookies (essential), preference cookies (functional), analytics cookies (opt-in), and advertising cookies (opt-in).
3. Legal Basis for Processing
Eva Excelsior processes personal data on the following legal bases, with the corresponding retention periods:
- Account registration & eKYC/KYB — Contract performance; Legitimate Interest; Consent (biometric) — retained 5 years post account closure.
- Transaction processing — Contract performance; Legal obligation — retained 8 years (Companies Act / Income Tax).
- Customs/DGFT compliance filing — Legal obligation (Customs Act, FEMA) — retained 10 years.
- Trade finance facilitation — Contract performance; Legitimate Interest — retained 8 years (NI Act / RBI guidelines).
- Sanctions & AML screening — Legal obligation (PMLA, FEMA) — retained 10 years (PMLA/FATF requirement).
- Marketing communications — Consent (withdrawable) — until consent withdrawn or 3 years.
- Platform analytics & improvement — Legitimate Interest — retained 2 years (anonymised thereafter).
- Fraud detection & security — Legitimate Interest; Legal obligation — retained 7 years.
- Dispute resolution & litigation — Legal obligation; Legitimate Interest — retained for duration of dispute + 3 years.
4. Data Sharing — With Whom We Share Your Data
4.1 Sharing with Trading Counterparties
To facilitate transactions, certain business data (company name, contact name, country, product interests, and trade documents) is shared with counterparty Users with whom You are engaged in a transaction. Eva Excelsior will NOT share sensitive personal financial data, eKYC/KYB documents, or AML screening results with trading counterparties.
4.2 Sharing with Regulatory Authorities
Eva Excelsior will share data with competent regulatory and law enforcement authorities as required by law, including Indian customs authorities (ICEGATE/CBIC), DGFT, Reserve Bank of India, Financial Intelligence Unit – India (FIU-IND), Enforcement Directorate, and foreign regulatory authorities pursuant to valid legal process.
4.3 Sharing with Service Providers (Data Processors)
Eva Excelsior engages third-party service providers who process data on our behalf under data processing agreements imposing GDPR/DPDP-equivalent obligations, including cloud hosting providers, eKYC/KYB verification partners, payment gateway and banking partners (PCI DSS compliant), sanctions screening database providers, analytics and fraud detection providers, and logistics partners.
4.4 Cross-Border Data Transfers
The Portal by its nature involves cross-border data flows. Eva Excelsior implements the following safeguards:
- EU/EEA: Standard Contractual Clauses (EU Commission Decision 2021/914).
- UK: UK International Data Transfer Addendum (IDTA).
- USA: Standard Contractual Clauses; EU-U.S. Data Privacy Framework compliance where applicable.
- Other countries: Contractual safeguards; adequacy assessment; data localisation where mandated by local law.
- Indian Users: Personal data of Indian data principals is stored in India-based servers.
5. Data Subject / Data Principal Rights
5.1 Rights under Indian DPDP Act 2023
- Right to access information about personal data processed (Section 11).
- Right to correction and erasure of inaccurate or incomplete personal data (Section 12).
- Right to grievance redressal within 30 days (Section 13).
- Right to nominate a nominee to exercise rights in the event of death or incapacity (Section 14).
5.2 Rights under GDPR / UK GDPR (EU & UK Users)
- Right of access (Article 15 GDPR): Obtain a copy of your personal data.
- Right to rectification (Article 16): Correct inaccurate personal data.
- Right to erasure — 'right to be forgotten' (Article 17): Subject to legal retention obligations.
- Right to restriction of processing (Article 18).
- Right to data portability (Article 20): Receive your data in a structured, machine-readable format.
- Right to object (Article 21): Object to processing based on legitimate interest.
- Right not to be subject to automated decision-making (Article 22).
5.3 Rights under CCPA (California Users)
- Right to know what personal information is collected, used, shared, or sold.
- Right to delete personal information.
- Right to opt-out of the sale or sharing of personal information.
- Right to non-discrimination for exercising CCPA rights.
- Right to correct inaccurate personal information (CPRA amendment).
To exercise any data right, submit a written request to dpo@evaexcelsior.com with your full name, account email, description of the right you wish to exercise, and proof of identity. Eva Excelsior will respond within 30 days (DPDP) / one month (GDPR) / 45 days (CCPA).
6. Cookies & Tracking Technologies
The Portal uses the following categories of cookies:
- Strictly Necessary Cookies: Required for Portal functionality, session management, and security. Cannot be disabled.
- Functional Cookies: Remember your preferences and settings. Can be disabled without affecting core functionality.
- Analytics Cookies: Collect anonymised usage data to improve the Portal. Require opt-in consent.
- Marketing / Targeting Cookies: Track browsing activity for targeted trade intelligence and marketing. Require explicit opt-in consent.
You can manage cookie preferences through the Cookie Consent Manager accessible from the Portal's footer.
7. Data Security
Eva Excelsior implements the following technical and organisational security measures:
- Encryption: All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256.
- Access Controls: Role-based access control (RBAC); principle of least privilege; MFA for all system administrators.
- Data Minimisation: Only the minimum data necessary for the stated purpose is collected and retained.
- Security Audits: Annual penetration testing and quarterly vulnerability assessments by accredited security firms.
- ISO 27001 Framework: Eva Excelsior implements an ISO 27001-aligned Information Security Management System (ISMS).
- PCI DSS Compliance: Payment card data is handled in a PCI DSS-compliant environment; Eva Excelsior does not store raw card data.
7.1 Data Breach Response
In the event of a personal data breach, Eva Excelsior will: (a) contain the breach immediately upon detection; (b) notify the Data Protection Board of India within 72 hours; (c) notify affected EU/UK data subjects within 72 hours if the breach is likely to result in high risk; (d) notify affected Users of the breach and remedial actions taken.
8. Data Localisation Compliance
Eva Excelsior recognises and complies with mandatory data localisation requirements in the following jurisdictions:
- India: Critical personal data of Indian citizens is stored exclusively on servers located in India, in compliance with RBI Payment System Data Storage directions and DPDP Act Section 16.
- Russia: Personal data of Russian citizens is stored in Russian-territory servers per Federal Law FZ-242.
- China: Personal data of Chinese citizens is subject to PIPL 2021 and Cybersecurity Law 2017.
- Indonesia: Personal data processed in accordance with Government Regulation No. 71/2019 (GR71).
- Vietnam: Personal data stored in Vietnam where required under the Cybersecurity Law 2018.
- EU/EEA: Personal data of EU data subjects is stored in EEA-based data centres or transferred with SCCs.
9. Trade Data Confidentiality
Eva Excelsior recognises that trade data including buyer-seller identities, transaction values, product specifications, and supply chain information constitutes commercially sensitive information. Eva Excelsior commits to:
- Not selling, licensing, or commercially exploiting identifiable trade transaction data without the express written consent of the relevant Users.
- Sharing only aggregated and anonymised trade intelligence data (market reports, sector trends, volume statistics) without individual User identification.
- Maintaining trade document confidentiality — trade documents are accessible only to the parties to the relevant transaction and authorised regulatory agencies.
- Preventing cross-transaction data leakage.
10. Children's Data
The Portal is not directed at individuals under the age of eighteen (18). Eva Excelsior does not knowingly collect personal data from minors. If You believe that a minor has provided personal data to Eva Excelsior, please contact dpo@evaexcelsior.com immediately and Eva Excelsior will promptly delete such data.
11. Updates to This Privacy Policy
Eva Excelsior reserves the right to update this Privacy Policy periodically to reflect changes in applicable law, business practices, or technology. Material changes will be notified to Registered Users via email and in-Portal notification at least 30 days before the effective date. Continued use of the Portal after the effective date constitutes acceptance of the updated Privacy Policy.
12. Contact & Complaints
Data Protection Officer / Grievance Officer: info@evaexcelsior.com
General Privacy Enquiries: info@evaexcelsior.com
Postal Address: DPO, Eva Excelsior Solutions Pvt Ltd, 402, ZB Laxuria, 49 Nutanbharat Society, Alkapuri, Vadodara, Gujarat – 390007, India
EU Users may lodge a complaint with their national supervisory authority. Indian Users may escalate complaints to the Data Protection Board of India once established under DPDP Act 2023. California Users may file complaints with the California Privacy Protection Agency (CPPA).