Privacy Policy
Last updated: 30 June 2026 · Effective date: 27 April 2026
At a glance
- We are Motley Exim Co. (IEC 0599007079, GSTIN 07AAFFM5045C1ZM) — founded as Carris Coatings in 1986; incorporated as Motley Exim Co. in 1999.
- We collect contact details and inquiry information when you write to us, plus IP and basic technical data when you visit motleyexim.com.
- We do not sell, rent or trade your personal data. We do not run advertising-network trackers and do not retarget visitors.
- Hosting is in India / Singapore (Hostinger) with global edge caching by Cloudflare. Optional analytics (Google Analytics 4, IP-anonymised) only fires if you accept the consent banner. International transfers are protected by Standard Contractual Clauses.
- Cookies expire in 6 months (tighter than CNIL's 13-month maximum). IP-address logs are auto-deleted after 14 days.
- You have full access, correction, erasure and consent-withdrawal rights under India's DPDP Act 2023, the EU / UK GDPR, and the California CCPA / CPRA. Our Grievance Officer is Tejasvi Shedha — evolve@motleyexim.com.
- Who we are (the Data Fiduciary / Controller)
- What this policy covers
- Personal data we collect
- Why we collect it (purposes)
- Lawful basis under DPDP Act, GDPR & other regimes
- How long we keep your data
- Who we share data with (sub-processors)
- International transfers
- Your rights and how to exercise them
- DPDP Act §5–§6 notice (India residents)
- California, US state & "Do Not Sell or Share"
- Children's data
- Cookies and tracking technologies
- Defence-export inquiry notice
- Security measures
- Personal-data-breach notification
- Grievance Officer and complaints
- Changes to this policy
- Contact
1. Who we are (the Data Fiduciary / Controller)
Motley Exim Co. ("MECo", "we", "us", "our") is the Data Fiduciary for purposes of the Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Data Controller for purposes of the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR / Data Protection Act 2018 (the "UK GDPR"). Founded as Carris Coatings in 1986; incorporated as Motley Exim Co. in 1999.
| Legal name | Motley Exim Co. |
|---|---|
| Registered office | B-70/56, D.S.I.D.C. Sheds, Lawrence Road, New Delhi 110035, India |
| IEC | 0599007079 |
| GSTIN | 07AAFFM5045C1ZM |
| Sector | Defence camouflage and fire-suppression manufacturing & export |
| Primary contact | info@motleyexim.com · +91 93101 11792 |
| Grievance Officer (DPDP §13) | See /grievance-officer/ |
| EU / UK Article 27 representative | Not appointed (we do not target EU/UK consumer markets; defence procurement contacts are B2B). If you require an Article 27 representative for a specific engagement, contact us. |
2. What this policy covers
This policy applies to personal data processed by MECo in connection with:
- Visits to motleyexim.com and any sub-pages or staging environments under our control;
- Sales, RFP, sample-request, document-request and help-and-support inquiries submitted through our website forms or by email, WhatsApp, or telephone;
- Pre-contractual and contractual engagement with prospective and existing customers, suppliers, and partners;
- Recruitment correspondence (where applicable); and
- Compliance-driven processing required by Indian customs, export-control, tax, anti-money-laundering and corporate law.
This policy does not cover personal data processed by third-party websites linked from motleyexim.com, our customers' systems, or sub-suppliers' systems — each of which has its own privacy notice.
3. Personal data we collect
3.1 Information you provide directly
- Identification — full name, salutation, designation / role.
- Organisation — company / agency / unit name, country, industry vertical (military, paramilitary, government, OEM, distributor).
- Contact — work email, phone or WhatsApp number, postal / shipping address.
- Inquiry detail — product interest, application, indicative quantity, technical specifications you choose to share, attachments.
- Defence-export-specific (only when relevant) — declared end-use, end-user identity, end-use country, intended deployment region, sanctions self-attestation.
- Free-text — anything else you include in a message.
3.2 Information collected automatically
- IP address — logged on every form submission for fraud prevention, abuse mitigation, and sanctions-list cross-checking. We use ipinfo.io to derive country, region, city, ASN and ISP. Personal-IP-only retention: 14 days; aggregated counts retained longer.
- Browser and device — user-agent (browser type, version, operating system), screen resolution, language preference.
- Page view metrics — pages viewed, time on page, click-stream within the site, referring URL, search keywords (when shared by the search engine), via Google Analytics 4 / Tag Manager — only after you accept the cookie banner.
- Cookies and similar technologies — see our Cookie Policy for the full inventory.
3.3 What we do NOT collect
- We do not knowingly collect special category data (DPDP Act — sensitive data; GDPR Art 9 — sensitive personal data) such as health, biometrics, racial / ethnic origin, religion, sexual orientation, political opinion or trade union membership. If you submit such data in a free-text field, we do not solicit it and we will request that you do not.
- We do not knowingly collect data from children — see section 12.
- We do not buy, scrape, or aggregate personal data from third-party sources for marketing.
4. Why we collect it (purposes)
- Respond to your inquiry — reply, prepare quotations, share product literature, schedule meetings.
- Pre-contract and contract performance — verify identity, prepare and execute contracts, fulfil orders, ship goods, raise invoices, follow up on warranty.
- Defence-export compliance — classify the proposed export under SCOMET (DGFT — Appendix 3 to Schedule 2 of ITC(HS)), screen the buyer / end-user / beneficial owner against the four sanctions lists (UN 1267 Consolidated, US OFAC SDN, EU consolidated, India DGFT denied entity), prepare and process licence applications, obtain end-use certificates and post-shipment end-use verification cooperation.
- Statutory, fiscal and regulatory obligations — comply with the FTDR Act 1992, Customs Act 1962, FEMA 1999, Companies Act 2013, Income-tax Act 1961, GST law, IT Act 2000, DPDP Act, and equivalent laws of receiving jurisdictions.
- Site security and abuse prevention — rate limiting, bot detection, fraud prevention, breach detection, audit logging.
- Site improvement — understand which content is useful, where users drop off, which products attract interest — only on a consented, privacy-respecting basis.
- Legal claims and dispute resolution — establish, exercise or defend legal claims; respond to lawful demands by Indian or foreign authorities.
5. Lawful basis under DPDP Act, GDPR & other regimes
We rely on the following lawful bases. Where more than one applies, the strictest controls.
| Processing activity | DPDP Act §6 / §7 | GDPR Art 6 |
|---|---|---|
| Replying to inquiries; preparing quotations | §6 Consent & §7(a) for the performance of a contract | Art 6(1)(b) contract / pre-contract |
| Order fulfilment, invoicing, warranty | §7(a) contract performance | Art 6(1)(b) contract performance |
| SCOMET classification, sanctions screening, EUC | §7(c) compliance with law | Art 6(1)(c) legal obligation |
| Tax, customs, FEMA, Companies Act compliance | §7(c) compliance with law | Art 6(1)(c) legal obligation |
| Site security, fraud prevention, abuse mitigation | §7(g) legitimate uses (specified) | Art 6(1)(f) legitimate interest |
| Analytics cookies, marketing emails (where applicable) | §6 Consent | Art 6(1)(a) consent |
| Defending or asserting legal claims | §7(g) legitimate uses | Art 6(1)(f) legitimate interest |
6. How long we keep your data
| Category | Retention period | Reason |
|---|---|---|
| Personal IP-address logs | 14 days, then auto-deleted | Limit exposure; aggregate counts retained for security analytics |
| Inquiry records (no contract) | 2 years from last contact | Re-engagement window; statutory limitation periods |
| Customer correspondence (contract concluded) | 5 years from contract end | Indian Companies Act 2013 §128, Sale of Goods Act, dispute window |
| Order, invoice and shipping records | 8 years from financial year end | Income-tax Act 1961 §44AA + GST Act compliance |
| Defence-export licence applications, EUCs, EUVs, sanctions screens | Greater of 5 years (FT (Regulation) Rules 1993 r.12) or 7 years internal policy | FTDR Act / Customs / regulator audit |
| Cookies | Strictly necessary: session; analytics & consent record: up to 6 months | Tighter than CNIL 13-month maximum; user re-consent prompt at expiry |
| Backups | 30 days rolling | Disaster recovery; deletion requests honoured at next backup cycle |
When the relevant retention period expires, we delete or irreversibly anonymise the data, except where ongoing litigation, investigation, or legal obligation requires longer retention.
7. Who we share data with (sub-processors)
We share personal data only with sub-processors under written contracts. Each sub-processor's purpose, jurisdiction, and safeguard mechanism is listed below.
| Sub-processor | Purpose | Region of processing | Safeguard |
|---|---|---|---|
| Hostinger International Ltd. | Web and email hosting | Singapore (primary), with global failover | EU SCC + DPA; ISO 27001-aligned controls |
| Cloudflare, Inc. | CDN, DDoS mitigation, WAF, edge caching | Global edge; HQ United States | EU SCC + DPA; ISO 27001 / SOC 2 Type II |
| Google LLC (Analytics 4 + Tag Manager) | Aggregate site analytics — consented only; IP-anonymisation enabled | United States (with EU/India region preferences where supported) | EU SCC + DPF (where applicable); Google Ads Data Processing Terms |
| Google LLC (reCAPTCHA v3) | Invisible anti-bot / abuse protection on web forms (security risk-scoring of submissions) | United States | EU SCC + DPF (where applicable); Google reCAPTCHA Terms |
| ipinfo.io (Ipinfo, Inc.) | Coarse IP geolocation (country / city / ISP) on form submissions — inquiry-source analytics, routing, and sanctions-destination cross-check | United States | EU SCC + DPA |
| Meta Platforms, Inc. — WhatsApp Business | Optional inbound messaging from prospective buyers | Global (Meta data centres) | WhatsApp Business Terms; SCC where applicable |
| Indian Customs / DGFT / DPB / MEA / income-tax / GSTN | Statutory disclosures — not a "processor" but a recipient under §7(c) | India | Statutory authority; lawful demand only |
| External professional advisers (legal, audit, tax, banking) | Specific mandates as required | India (primary) | Professional duty of confidentiality + written engagement |
We do not sell, rent or trade personal data. We do not share data with advertising networks, data brokers, or political organisations.
8. International transfers
Your personal data may be transferred outside India when our sub-processors operate from other jurisdictions (see section 7). We protect those transfers through one or more of the following:
- EU Standard Contractual Clauses (SCCs) in the European Commission's 2021 form;
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, where data of UK residents is involved;
- EU–US Data Privacy Framework (DPF) certification by the relevant US recipient, where available;
- Transfer Impact Assessments for high-risk corridors;
- Indian DPDP Act §16 compliance — transfers to such countries as the Central Government has not restricted by notification.
If you would like a copy of the SCCs in place for a specific transfer, please contact our Grievance Officer.
9. Your rights and how to exercise them
You have the following rights as a Data Principal under DPDP Act §11 / a Data Subject under GDPR, regardless of where you are located. Where a regime grants a right that another does not, we apply the more protective standard.
| Right | What it means | Statutory source |
|---|---|---|
| Access & summary of processing | Receive confirmation we hold your data and a summary of processing | DPDP §11(1)(a); GDPR Art 15 |
| Correction, completion, updating | Have inaccurate or incomplete data corrected | DPDP §12(2); GDPR Art 16 |
| Erasure ("right to be forgotten") | Have your data deleted where lawfully required | DPDP §12(3); GDPR Art 17 |
| Withdraw consent | Withdraw any consent you previously gave; processing already done remains lawful | DPDP §6(4); GDPR Art 7(3) |
| Nominate | Nominate another individual to exercise rights on your behalf in case of incapacity | DPDP §14 |
| Portability | Receive personal data in a structured, commonly used, machine-readable format | GDPR Art 20 |
| Restriction / objection | Limit processing or object to legitimate-interest-based processing | GDPR Arts 18, 21 |
| Not be subject to automated decision-making | Including profiling that produces legal or similarly significant effects | GDPR Art 22 |
| Grievance redress | File a grievance with our Grievance Officer | DPDP §13; IT Rules 2021 r.4(8) |
| Lodge a complaint with a supervisory authority | India: Data Protection Board of India (§18). EU: your national DPA. UK: ICO. US: state Attorney General. | DPDP §18; GDPR Art 77 |
How to exercise: email info@motleyexim.com with subject "Data Principal Request" or write to our Grievance Officer. We will acknowledge within 24 hours and resolve within 15 days (or such other period as the law specifies). We may need to verify your identity before acting; we will not use the verification information for any other purpose.
10. DPDP Act §5–§6 notice (India residents)
If you are a Data Principal located in India at the time you provide your personal data to us, the following statements are given to you under DPDP Act §5 read with §6.
- Identity of the Data Fiduciary: Motley Exim Co., as detailed in section 1 above.
- Personal data sought: the categories described in section 3.
- Purposes of processing: as listed in section 4.
- Manner of exercising rights: as set out in section 9; you may approach our Grievance Officer at any time.
- Manner of complaint to the Board: the Data Protection Board of India under DPDP Act §18, in the manner prescribed by the DPDP Rules in force from time to time.
- Consent: where we rely on consent, your consent is free, specific, informed, unconditional, and unambiguous; you may withdraw it at any time without affecting the lawfulness of prior processing. Withdrawal of consent for processing tied to ongoing contract performance may, however, affect our ability to deliver the contracted goods or services.
- Language: this notice is published in English and in Hindi (हिंदी) — Hindi being a language specified in the Eighth Schedule to the Constitution of India. The Hindi version is provided for accessibility; in case of any conflict the English version prevails. A version in any other Eighth-Schedule language will be made available on written request to the Grievance Officer.
- Significant Data Fiduciary: as of the date of this notice, MECo has not been notified by the Central Government as a Significant Data Fiduciary under DPDP Act §10. If notified, additional obligations (DPO, audit, DPIA) will apply and this notice will be updated.
11. California, US state & "Do Not Sell or Share"
If you are a California resident, the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA) provides you with additional rights. Other US states (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, etc.) provide broadly analogous rights.
- Right to know the categories and specific pieces of personal information collected about you, the sources, purposes, and recipients.
- Right to delete personal information (subject to exceptions for statutory retention obligations).
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" for cross-context behavioural advertising.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising your rights.
Do Not Sell or Share My Personal Information: We do not "sell" personal information for monetary value, nor do we "share" it for cross-context behavioural advertising as those terms are defined under California law. We honour the Global Privacy Control (GPC) browser signal: when received, we treat it as a valid opt-out request from any future sale or sharing. To exercise CCPA / CPRA rights, contact info@motleyexim.com.
12. Children's data
motleyexim.com is a B2B defence-procurement website. It is not directed to anyone under the age of 18, and we do not knowingly collect personal data from children. If you become aware that a child has provided personal data through our website or to our staff, please contact our Grievance Officer; we will promptly delete the data unless we are required to retain it for a specific legal purpose. The protections in DPDP Act §9 (children and persons with disabilities) and GDPR Art 8 (children's consent) are strictly observed.
13. Cookies and tracking technologies
The full inventory of cookies, their purposes, durations and third parties is set out in our Cookie Policy. In summary:
- Strictly necessary cookies are set on every visit (security, consent state, load balancing); these do not require consent.
- Analytics cookies are set only after you click "Accept" on our consent banner. We honour the Global Privacy Control signal as an opt-out.
- We do not use marketing, advertising, or retargeting cookies.
You can withdraw cookie consent at any time via the cookie-banner re-opener, or by clearing cookies in your browser.
14. Defence-export inquiry notice
If you contact MECo about a potential defence export, additional processing applies because of the SCOMET-controlled nature of our products:
- We may screen the buyer entity, end-user entity, beneficial owners holding 10% or more, freight forwarder, financial intermediary and consignee against the four mandatory sanctions lists (UN 1267 Consolidated, US OFAC SDN, EU consolidated, India DGFT denied entity), plus UK HMT and other lists as appropriate.
- Sanctions-screening evidence is retained as part of the export-licence record for the period set out in section 6.
- For licence applications under FTDR Act §11 read with FTP 2023 Chapter 10, we will share the data you provide with the Inter-Ministerial Working Group (IMWG) of DGFT and other ministries reviewing the application.
- Sample documents (IEC certificate, GST certificate, sample EUC) are released only after sanctions-screening of the requesting party.
- By submitting a defence-export inquiry, you represent that you, your principal, the named end-user, and the intended end-use are not on any of the lists referenced above and that the inquiry is made with lawful authority.
This processing is necessary to comply with Indian and international export-control law and is grounded in DPDP §7(c) (legal compliance) and GDPR Art 6(1)(c) (legal obligation).
15. Security measures
- HTTPS (TLS 1.2+) on all public pages; HSTS header enabled.
- Cloudflare WAF and DDoS mitigation in front of every request.
- Rate limiting on all form endpoints; honeypot and timing-token bot detection.
- Server-side validation and sanitisation of all form input.
- Email transit secured via TLS where the receiving server supports it.
- Encrypted backups; 30-day rolling retention; restricted access on a need-to-know basis.
- Internal access logging and audit trails.
- Vendor sub-processors selected from those holding ISO 27001, SOC 2 Type II or equivalent certifications.
We continuously review controls against the security-compliance baseline used across our project portfolio (rate limiting, RLS where applicable, IDOR protection on authenticated routes, secrets in environment variables only).
16. Personal-data-breach notification
In the event of a personal-data breach, we will:
- Notify the Data Protection Board of India under DPDP Act §8(6) and the Rules in force, in the manner and within the period prescribed.
- Notify EU and UK supervisory authorities within 72 hours where the breach is likely to result in risk to data-subject rights (GDPR Art 33).
- Notify affected Data Principals / Data Subjects without undue delay where the breach is likely to result in high risk (GDPR Art 34, DPDP §8(6) read with the Rules).
- Cooperate with any post-breach investigation by the regulator, lawful authority, and any affected processor or controller.
17. Grievance Officer and complaints
Our designated Grievance Officer is Tejasvi Shedha (Business Development Executive). For complaints, data-principal rights requests, content takedown notices and other grievances, write to evolve@motleyexim.com with the subject line "Grievance — Attention Grievance Officer". Full scope, response timelines and escalation paths are at /grievance-officer/.
You may also lodge a complaint directly with the Data Protection Board of India (DPDP §18), your national EU / UK supervisory authority, or your state Attorney General (US), without contacting us first.
18. Changes to this policy
We may update this policy as our practices, sub-processor list, or applicable law evolves. Material changes will be flagged at the top with an updated date and may be communicated via the cookie consent banner re-prompt or, where appropriate, by direct notice to active customers. Continued use of motleyexim.com after a material change constitutes acceptance of the updated policy to the extent permitted by law; for changes that require fresh consent under DPDP §6 or GDPR Art 7, we will request consent again.
19. Contact
Data protection inquiries / Data Principal Requests:
Email: info@motleyexim.com — subject line "Data Principal Request"
Grievances (DPDP §13 / IT Rules 2021 r.4(8)): Tejasvi Shedha, Business Development Executive — evolve@motleyexim.com — full process at /grievance-officer/
Phone: +91 93101 11792
Office: B-70/56, D.S.I.D.C. Sheds, Lawrence Road, New Delhi 110035, India
Office hours: Monday to Saturday, 09:30–18:30 IST (excluding public holidays)
This policy does not constitute legal advice. It is intended to satisfy the disclosure obligations of the Digital Personal Data Protection Act, 2023 (notice under §5 read with §6); the EU GDPR Articles 13–14; the UK GDPR; and the California CCPA / CPRA, as in force on the date stated above. It is reviewed periodically and after any material regulatory change.
