Privacy Policy

FactoryTrace ("we", "us", or "our") operates the website factorytrace.com and provides an end-to-end manufacturing traceability platform that helps businesses track products, components, and materials across the entire supply chain — from raw material intake to finished goods dispatch (collectively, the "Services") — to manufacturers and enterprises across India and internationally.

This Privacy Policy explains how we collect, use, store, share, and protect personal information and manufacturing data when you visit our website or use our Services. It is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA), the IT (SPDI) Rules 2011, and, where applicable, the General Data Protection Regulation (GDPR).

Please read this Policy carefully. If you do not agree with its terms, please stop using our website and Services.

1. Who We Are & How to Contact Us

FactoryTrace is a manufacturing traceability technology company registered in India. We provide the following Services to manufacturers, industrial enterprises, and supply chain businesses:

• End-to-end product traceability from raw material to finished goods and customer delivery
• Batch and lot tracking, serialisation, and barcode/QR code/RFID label generation
• Work-in-progress (WIP) tracking across production stages and workstations
• Quality control checkpoint management, inspection records, and non-conformance logging
• Defect tracking, root cause analysis, and product recall management
• Inventory visibility and warehouse management across facilities
• Regulatory compliance documentation for ISO, BIS, GMP, FSSAI, and other standards
• ERP, MES, and third-party system integration via APIs
• Analytics dashboards for yield, rejection rates, and supply chain performance

For all privacy-related matters, please contact our Grievance Officer (see Section 17).

2. Scope of This Policy

This Privacy Policy applies to:

• Visitors to our website factorytrace.ai
• Business clients and organisations that subscribe to our manufacturing traceability Services
• Employees, operators, contractors, or authorised representatives of our clients who access our platform, dashboards, or mobile applications
• Third parties whose personal data (e.g., supplier contacts, operator IDs) may be entered into the platform as part of supply chain or production records

This Policy does not apply to third-party websites linked from our website (see Section 15).

3. Information We Collect

3.1 Information You Provide Directly

We collect information you voluntarily provide when you:

• Fill in a contact, demo-request, or inquiry form — name, email address, phone number, company name, job title, and message content.
• Register for or use our software platform — account credentials, billing details, and organisation information.
• Subscribe to newsletters or marketing communications — email address and preferences.
• Contact our support team — communication records and support ticket content.

3.2 Manufacturing & Traceability Data (Platform Clients)

As a core part of our Services, we process the following categories of manufacturing and supply chain data on behalf of our clients:

• Raw material and component records: supplier details, batch/lot numbers, purchase order references, and material certifications
• Production records: work orders, bill of materials (BOM), routing steps, workstation assignments, and operator sign-offs
• Quality inspection data: test results, inspection reports, non-conformance records, and corrective action logs
• Finished goods data: serial numbers, product labels, dispatch records, and delivery destinations
• Inventory data: stock levels, warehouse locations, movement logs, and expiry/shelf-life records
• Traceability events: scan logs, barcode/QR/RFID read records, timestamps, and location tags

Where operator or employee data is captured as part of production records, this may include:

• Operator IDs or names linked to production steps or quality inspections
• Login and activity logs within the platform dashboard
• Digital sign-offs and approval records for quality and compliance workflows

3.3 Automatically Collected Website Data

• Log data: IP address, browser type, operating system, referring URL, pages visited, and time/date of visits.
• Device information: Hardware model, unique device identifiers, and mobile network information.
• Usage data: Features used, configuration settings, and interaction patterns within our platform.
• Cookies and similar technologies: See Section 8 for full details.

3.4 Information from Third Parties

We may receive information about you from business partners, analytics providers, or publicly available sources, which we may combine with other information we hold.

4. How We Use Your Information

4.1 Service Delivery

• Configuring and operating the traceability platform for your production environment
• Recording and managing batch, lot, and serial number traceability across your supply chain
• Enabling quality control workflows, inspection management, and non-conformance tracking
• Providing forward and backward traceability — from raw material to end customer and back
• Supporting product recall management by rapidly identifying and isolating affected batches
• Delivering analytics, compliance reports, and supply chain performance insights as contracted

4.2 Business Operations

• Processing and responding to demo requests, inquiries, and support tickets
• Creating and managing user accounts, processing billing, and fulfilling contractual obligations
• Sending transactional communications: account alerts, invoices, and service notices
• Sending marketing communications where you have provided consent — you may opt out at any time

4.3 Security & Fraud Prevention

• Supporting clients' security operations and investigation of incidents
• Detecting and preventing fraud, abuse, and unauthorised access
• Assisting law enforcement or regulatory authorities when lawfully required

4.4 Product Improvement (Anonymised Only)

• Improving AI model accuracy using anonymised and aggregated data only
• Analysing usage trends and developing new features

5. Legal Basis for Processing

5.1 Under India's DPDPA 2023

• Consent: Where individuals have given free, specific, informed, and unambiguous consent — particularly for biometric data and sensitive personal information.
• Legitimate Uses: Processing necessary for a lawful purpose including contractual obligations, employment, legal compliance, and safety.
• Legal Obligation: Processing required to comply with Indian law or court orders.

5.2 Under GDPR (for EU/UK Clients or Data Subjects)

• Contract Performance: Processing necessary to fulfil a contract with you or take pre-contractual steps at your request.
• Legitimate Interests: Processing for fraud prevention, improving Services, and direct marketing to existing customers.
• Consent: Where you have given clear, specific consent (e.g., subscribing to newsletters or accepting non-essential cookies).
• Legal Obligation: Processing necessary to comply with EU/UK legal requirements.

5.3 Client Responsibility

Clients deploying our traceability Services are independently responsible for identifying and maintaining a valid legal basis for processing any personal data (such as operator identities or supplier contacts) entered into the platform, including conducting Data Protection Impact Assessments (DPIAs) where required by applicable law.

6. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data or video footage. We may share data only in the following limited circumstances:

6.1 With Client Authorised Users

Traceability records, production data, and analytics are shared only with the Client's designated authorised users as configured in the role-based access control settings of the dashboard.

6.2 With Service Providers / Subcontractors

We share data with trusted third-party vendors who assist us in delivering our Services, including cloud hosting providers, payment processors, email delivery platforms, analytics providers, and customer-support tools. All such providers are bound by contractual obligations to use data only as instructed by us.

6.3 With Law Enforcement & Regulatory Bodies

We may disclose traceability records or personal data to law enforcement, courts, regulatory authorities (such as BIS, FSSAI, or customs bodies), or government agencies when required by law, court order, or in response to a valid governmental request.

6.4 Business Transfers

If FactoryTrace is involved in a merger, acquisition, or sale of business assets, Client data may be transferred as part of that transaction. We will notify Clients before their data becomes subject to a different privacy policy.

6.5 Protection of Rights

We may disclose information where necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, or threats to the safety of any person.

6.6 With Your Consent

We may share your data with third parties for any other purpose with your explicit prior written consent.

7. Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required by law.

7.1 Manufacturing & Traceability Data

• Batch and lot records: Retained for the duration of the subscription plus any additional period required by your industry's regulatory obligations (e.g., minimum 2 years for FSSAI-regulated products, 5 years for medical devices or automotive components).
• Quality inspection and non-conformance records: Retained for the active subscription period plus 3 years, or as required by applicable standards such as ISO 9001 or GMP.
• Operator activity and audit logs: 12 months from the date of the activity, or longer if required for regulatory compliance.
• Inventory and stock movement records: Duration of active subscription plus 2 years.
• Product recall records: Minimum 5 years from the date of recall closure.

7.2 Client & Account Data

• Account and contract data: Duration of contract plus 7 years for legal and accounting compliance.
• Support communications: 3 years from closure of ticket.
• Marketing data: Until you withdraw consent or opt out.
• Website analytics data: Anonymised and aggregated within 26 months.

8. Cookies & Tracking Technologies

8.1 What We Use

Our website uses cookies and similar technologies to distinguish you from other users, remember your preferences, analyse traffic, and improve your experience.

8.2 Types of Cookies

• Strictly Necessary: Essential for website functionality (session management, security tokens). These cannot be disabled.
• Analytics: Help us understand how visitors interact with our website. We use anonymised or aggregated data only.
• Functional: Enable enhanced functionality such as remembering language or region preferences.
• Marketing: Used to deliver relevant advertisements. Set only with your explicit consent.

8.3 Your Choices

When you first visit our website, a cookie consent banner allows you to accept or decline non-essential cookies. You can update your preferences at any time via the cookie settings link in our website footer.

9. Data Security

We implement industry-standard technical and organisational measures to protect your personal data:

• Encryption in transit: TLS 1.2 / 1.3 for all video streams and data communications
• Encryption at rest: AES-256 for all data stored in cloud infrastructure
• Role-based access controls (RBAC) and multi-factor authentication (MFA)
• Regular vulnerability assessments and penetration testing
• Intrusion detection systems and network monitoring
• Physical access controls for server rooms and data centres
• Employee training on data privacy, security best practices, and incident handling
• Formal incident response procedures and breach notification processes

In the event of a data breach, we will notify the affected Client within 72 hours and notify the relevant regulatory authority as required by applicable law.

10. International Data Transfers

FactoryTrace's primary data processing and storage infrastructure is located within India. In cases where subcontractor arrangements involve data centres outside India:

• We ensure that appropriate contractual safeguards are in place — including Standard Contractual Clauses (SCCs).
• We rely on adequacy decisions, binding corporate rules, or other legally recognised transfer mechanisms where applicable.
• Clients will be notified of any cross-border transfer arrangements that apply to their data.

11. Your Rights

11.1 Rights Under India's DPDPA 2023

• Right to Access: Request a summary of personal data being processed and the purposes of processing.
• Right to Correction & Erasure: Request correction of inaccurate data or erasure of data no longer required.
• Right to Grievance Redressal: Lodge a complaint with FactoryTrace's Grievance Officer (Section 17) or the Data Protection Board of India.
• Right to Nominate: Nominate another individual to exercise rights on your behalf in the event of death or incapacity.

11.2 Additional Rights Under GDPR (EU/UK Clients)

• Right to Restriction: Request that we limit how we use your data in certain circumstances.
• Right to Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct-marketing purposes.
• Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
• Right Against Automated Decisions: Not be subject to solely automated decisions producing significant legal effects.
• Right to Lodge a Complaint: With your local supervisory authority.

11.3 How to Exercise Your Rights

To exercise any of these rights, please contact our Grievance Officer using the details in Section 17. We will respond within 30 days.

12. Sensitive & Operational Data

Certain categories of data processed through our platform require heightened care, including employee-linked production records and proprietary manufacturing data. Where our Services involve such data, FactoryTrace will:

• Process operator and employee data only to the extent necessary to deliver traceability and quality management functionality.
• Ensure all manufacturing and operational data is encrypted at rest and in transit at all times.
• Not share proprietary production data, trade secrets, or formulation records with any third party except as strictly necessary for Service delivery.
• Delete operator-linked personal data within 30 days of service termination or upon written instruction from the Client.
• Maintain an audit log of all data access and processing activities, available to the Client on request.

13. Client Data Obligations

Clients who deploy FactoryTrace's traceability platform are the Data Fiduciary / Data Controller for all manufacturing, supply chain, and employee data entered into the system. Clients are solely responsible for:

• Ensuring the accuracy, completeness, and authenticity of all traceability and production records submitted to the platform.
• Informing employees and operators whose personal data (e.g., names, IDs, sign-offs) is captured in the system.
• Obtaining any consents required by applicable law for processing employee or operator data in the context of production monitoring.
• Maintaining appropriate access controls within your organisation to prevent unauthorised data entry or modification.
• Complying with all applicable product safety, labelling, regulatory reporting, and data protection obligations in your industry and jurisdiction.
• Handling individual access and erasure requests for any personal data entered into the platform on behalf of your employees or supply chain partners.

14. Children's Privacy

Our Services are not directed to children under the age of 18 (as defined under the DPDPA 2023). We do not knowingly collect personal data directly from children under 18. If you believe we have inadvertently collected personal information from a child, please contact our Grievance Officer immediately.

15. Third-Party Links

Our website may contain links to third-party websites, plug-ins, and applications. We do not control those websites and are not responsible for their privacy practices. We encourage you to read the privacy notice of every website you visit.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Post the updated Policy on factorytrace.ai with a revised "Last Updated" date.
• Notify existing clients via email or dashboard notification at least 30 days prior to material changes taking effect.
• For changes required by law, notification will be given as soon as reasonably practicable.

Your continued use of our website or Services after the effective date of any updated Policy constitutes your acceptance of the revised terms.

17. Grievance Officer & Complaints

In accordance with the Digital Personal Data Protection Act, 2023 and the IT (SPDI) Rules 2011, FactoryTrace has appointed a Grievance Officer to address privacy concerns and data protection complaints.

We aim to acknowledge all privacy-related requests within 48 hours and respond fully within 30 days.

If you are dissatisfied with our response, you have the right to escalate your complaint to:

• Data Protection Board of India (once constituted under DPDPA 2023) — for Indian residents
• The Information Commissioner's Office (ICO) — for UK residents
• The relevant EU data protection supervisory authority — for EU residents