Privacy Policy
Effective date: 29 May 2026 · Applies to: tuskdigital.in and all Tusk Digital™ platform services
Governing framework: Indian IT Act 2000 · DPDP Act 2023 · GDPR (EU/EEA) · UK GDPR · CCPA/CPRA (California)
1. Who We Are
Tusk Digital™ (a digital services initiative of Shakthi Coir Industries) (“we”, “us”, “our”, or “Tusk Digital”) is the data controller for personal data collected through our website, marketing activities, and customer-onboarding processes. For personal data processed within a customer’s factory platform deployment, Tusk Digital acts as a data processor on behalf of the customer (the data controller).
Our principal place of business is Tamil Nadu, India. We serve clients across India, Europe, the Middle East, Southeast Asia, and other regions.
2. Data We Collect
2.1 Information You Provide Directly
- Identity data: Full name, job title, company name, department.
- Contact data: Business email address, phone number, country/region.
- Demo & inquiry data: Information provided when you request a demo, fill a contact form, or attend a webinar — including any descriptions of your manufacturing operation you voluntarily share.
- Account credentials: Usernames and hashed passwords for platform accounts.
- Correspondence: Emails, support tickets, chat transcripts.
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, session duration, click-through paths, error logs.
- Device & technical data: IP address (anonymised after 90 days), browser type and version, operating system, screen resolution, referring URL.
- Cookies & similar technologies: See Section 9 for full details.
2.3 Operational / Factory Data (B2B Platform Deployments)
When your organisation deploys our Factory Operating System, we process operational data on your behalf. This typically includes machine sensor telemetry, OEE metrics, shift records, production counts, downtime logs, energy consumption readings, and maintenance histories. Such data is your proprietary operational data. We process it solely under your instructions as described in your service agreement and our Data Processing Addendum (DPA).
To the extent this operational data contains personal data (e.g., operator IDs, shift supervisors’ names linked to performance records), you as the Controller are responsible for your employees’ notice and lawful basis. Our DPA governs those obligations.
2.4 Data We Do NOT Collect
We do not knowingly collect sensitive personal data categories including health/medical data, racial or ethnic origin, religious beliefs, political opinions, trade union membership, biometric data, or financial account numbers through our standard platform services. If a specific enterprise integration requires such data, it will be governed by a separate agreement.
3. Legal Basis for Processing
We rely on the following legal bases depending on the activity:
| Processing Activity | Legal Basis |
|---|---|
| Responding to demo/contact enquiries | Pre-contractual steps / Legitimate interest |
| Providing the licensed platform service | Performance of contract |
| Sending product updates to existing customers | Legitimate interest (direct marketing to existing clients) |
| Sending marketing to prospects | Consent (where required by applicable law) |
| Analytics to improve our platform | Legitimate interest (product improvement) |
| Compliance with legal obligations | Legal obligation |
| Processing under DPA for customer deployments | Processor — on Controller’s lawful basis |
For EEA/UK data subjects, the legal bases above correspond to Article 6 of the GDPR/UK GDPR. For Indian data principals, they correspond to the Digital Personal Data Protection Act 2023 (DPDP Act).
4. How We Use Your Data
- To respond to your enquiries and schedule product demonstrations.
- To create and manage your platform account and deliver contracted services.
- To send transactional communications: onboarding instructions, service updates, security alerts, invoices.
- To send marketing communications about Tusk Digital products and features where you have consented or we have a legitimate interest as an existing customer. You can opt out at any time.
- To analyse how our platform is used in aggregate — for product improvement, not individual profiling.
- To enforce our Terms of Service and protect the security and integrity of our platform.
- To comply with applicable law, court orders, or lawful governmental requests.
- To exercise or defend legal claims.
5. Sharing and Disclosure
5.1 Service Providers (Sub-Processors)
We share data with trusted sub-processors who provide infrastructure, support, and operational services under written data processing agreements. Categories include:
- Cloud infrastructure: Servers, databases, and storage (hosted within secure data centres).
- Email and communication services: Transactional and marketing email delivery.
- Analytics platforms: Aggregated, privacy-safe usage analytics.
- Customer support tooling: Ticketing and live-chat systems.
- Security services: Intrusion detection, vulnerability scanning, DDoS protection.
An up-to-date list of sub-processors is available upon written request via our contact page.
5.2 Business Transfers
In the event of a merger, acquisition, asset sale, or corporate reorganisation, your data may be transferred as part of that transaction. We will provide notice and, where required by law, obtain consent before your data is transferred to a new controller.
5.3 Legal Requirements
We may disclose personal data to government authorities, courts, or law enforcement when required by law, court order, or legal process in India or any jurisdiction applicable to the data subject, or where necessary to protect the rights, property, or safety of Tusk Digital, our customers, or others.
5.4 What We Never Do
- We never sell your personal data to data brokers or advertising networks.
- We never share your operational factory data with competitors or third parties for their commercial purposes.
- We never allow sub-processors to use your data for their own independent purposes.
6. International Data Transfers
Tusk Digital is headquartered in India. Our team and some sub-processors operate across India, and our infrastructure may utilise cloud regions in Asia-Pacific, Europe, and the US depending on customer configuration.
When we transfer personal data of EEA or UK residents outside the EEA/UK, we use appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- UK International Data Transfer Agreements (IDTAs) where required.
- Adequacy decisions where applicable.
Transfers of Indian residents’ personal data are governed by the DPDP Act 2023. We comply with any government-notified restrictions on cross-border data transfer.
Enterprise customers may request data residency configurations. Please contact your account manager or reach us via our contact page.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Prospect / contact enquiry data | 3 years from last meaningful interaction, or until opt-out |
| Customer account data | Duration of contract + 3 years (for audit/legal purposes) |
| Operational/factory data (processed as Processor) | As directed by the Controller (your company); default: 90 days after contract end, then deleted |
| Financial/billing records | 7 years (statutory requirement under Indian accounting law) |
| Security logs | 12 months |
| Support correspondence | 3 years from case closure |
| Website analytics (cookies) | As per Section 9 cookie table |
On expiry of the relevant retention period, data is securely deleted or irreversibly anonymised. We may retain anonymised, aggregated data indefinitely for legitimate product improvement and benchmarking purposes.
8. Security
We implement technical and organisational measures proportionate to the risk, including:
Data Breach Notification: In the event of a personal data breach, we will notify affected controllers within 72 hours of becoming aware of the breach (as required under GDPR/UK GDPR) and comply with DPDP Act 2023 notification obligations for Indian data principals. We will provide full details of the breach, its likely consequences, and remediation steps taken.
9. Cookies and Tracking Technologies
Our website uses cookies and similar technologies. We categorise them as:
| Category | Purpose | Retention | Opt-out? |
|---|---|---|---|
| Strictly Necessary | Session management, security, load balancing. Required for site function. | Session | No — essential |
| Functional | Remembering preferences (language, region, form autofill). | 12 months | Yes |
| Analytics | Aggregated page-visit statistics, conversion tracking, bounce rate analysis. No cross-site profiling. | 24 months | Yes |
| Marketing | Remarketing and ad campaign measurement (only where consent is obtained). | 90 days | Yes — consent required |
You can manage or withdraw cookie consent at any time via our Cookie Preferences panel (accessible in the site footer) or by configuring your browser. Withdrawing analytics or marketing cookies will not affect your ability to use our website.
We do not use fingerprinting or cross-site tracking techniques that circumvent browser controls.
10. Your Rights
Depending on your jurisdiction, you have the following rights:
| Right | India (DPDP Act) | EU/UK (GDPR) | California (CCPA/CPRA) |
|---|---|---|---|
| Access / Know | ✓ | ✓ | ✓ |
| Correction / Rectification | ✓ | ✓ | ✓ |
| Erasure / Deletion | ✓ | ✓ | ✓ |
| Restrict Processing | ✗ | ✓ | Partial |
| Data Portability | ✓ (limited) | ✓ | ✓ |
| Object to Processing | ✗ | ✓ | Opt-out of sale |
| Withdraw Consent | ✓ | ✓ | ✓ |
| Nominate Grievance | ✓ | ✗ | ✗ |
| Non-discrimination | ✗ | ✗ | ✓ |
| Lodge Regulatory Complaint | ✓ (Data Protection Board) | ✓ (supervisory authority) | ✓ (CA Attorney General) |
To exercise any right, submit a verifiable request via our contact page. We will respond within the timeframes required by applicable law — generally 30 days (extendable by an additional 30 days in complex cases). We will never charge you for exercising your rights. We will never discriminate against you for exercising your rights.
For B2B platform deployments, rights relating to personal data in the operational dataset should be directed to your employer (the Controller). We will refer such requests appropriately and assist your company in responding.
11. Children's Privacy
Our platform and website are intended exclusively for business professionals. We do not knowingly collect personal data from individuals under the age of 18 (or the applicable digital age of consent in their jurisdiction). If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe we hold data about a minor, please contact us via our contact page immediately.
12. Third-Party Links
Our website may contain links to third-party websites, integrations, or partner resources. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal data.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or our services. We will notify you of material changes by:
- Posting the revised policy on this page with an updated effective date.
- Sending an email notification to registered account holders where the change materially affects how we process their data.
- Displaying a prominent banner on our website for 30 days following a material update.
Continued use of our services after the effective date of a revised policy constitutes acceptance of the updated terms. Where applicable law requires renewed consent, we will obtain it before the new terms take effect.
14. Contact Us & Grievance Officer
For any questions, requests, or complaints regarding this Privacy Policy or our data practices:
For GDPR/UK GDPR requests, contract queries, and DPA execution:
Send us a message →Response within 72 hours on business days.
If you are an EEA/UK resident and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority or, in the UK, the ICO at ico.org.uk). Indian data principals may approach the Data Protection Board of India once operational under the DPDP Act 2023.