Privacy Policy

Last updated: 30 June 2026 · Effective date: 27 April 2026

Language / भाषा: English हिंदी

At a glance

Contents
  1. Who we are (the Data Fiduciary / Controller)
  2. What this policy covers
  3. Personal data we collect
  4. Why we collect it (purposes)
  5. Lawful basis under DPDP Act, GDPR & other regimes
  6. How long we keep your data
  7. Who we share data with (sub-processors)
  8. International transfers
  9. Your rights and how to exercise them
  10. DPDP Act §5–§6 notice (India residents)
  11. California, US state & "Do Not Sell or Share"
  12. Children's data
  13. Cookies and tracking technologies
  14. Defence-export inquiry notice
  15. Security measures
  16. Personal-data-breach notification
  17. Grievance Officer and complaints
  18. Changes to this policy
  19. Contact

1. Who we are (the Data Fiduciary / Controller)

Motley Exim Co. ("MECo", "we", "us", "our") is the Data Fiduciary for purposes of the Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Data Controller for purposes of the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR / Data Protection Act 2018 (the "UK GDPR"). Founded as Carris Coatings in 1986; incorporated as Motley Exim Co. in 1999.

Legal nameMotley Exim Co.
Registered officeB-70/56, D.S.I.D.C. Sheds, Lawrence Road, New Delhi 110035, India
IEC0599007079
GSTIN07AAFFM5045C1ZM
SectorDefence camouflage and fire-suppression manufacturing & export
Primary contactinfo@motleyexim.com · +91 93101 11792
Grievance Officer (DPDP §13)See /grievance-officer/
EU / UK Article 27 representativeNot appointed (we do not target EU/UK consumer markets; defence procurement contacts are B2B). If you require an Article 27 representative for a specific engagement, contact us.

2. What this policy covers

This policy applies to personal data processed by MECo in connection with:

This policy does not cover personal data processed by third-party websites linked from motleyexim.com, our customers' systems, or sub-suppliers' systems — each of which has its own privacy notice.

3. Personal data we collect

3.1 Information you provide directly

3.2 Information collected automatically

3.3 What we do NOT collect

4. Why we collect it (purposes)

  1. Respond to your inquiry — reply, prepare quotations, share product literature, schedule meetings.
  2. Pre-contract and contract performance — verify identity, prepare and execute contracts, fulfil orders, ship goods, raise invoices, follow up on warranty.
  3. Defence-export compliance — classify the proposed export under SCOMET (DGFT — Appendix 3 to Schedule 2 of ITC(HS)), screen the buyer / end-user / beneficial owner against the four sanctions lists (UN 1267 Consolidated, US OFAC SDN, EU consolidated, India DGFT denied entity), prepare and process licence applications, obtain end-use certificates and post-shipment end-use verification cooperation.
  4. Statutory, fiscal and regulatory obligations — comply with the FTDR Act 1992, Customs Act 1962, FEMA 1999, Companies Act 2013, Income-tax Act 1961, GST law, IT Act 2000, DPDP Act, and equivalent laws of receiving jurisdictions.
  5. Site security and abuse prevention — rate limiting, bot detection, fraud prevention, breach detection, audit logging.
  6. Site improvement — understand which content is useful, where users drop off, which products attract interest — only on a consented, privacy-respecting basis.
  7. Legal claims and dispute resolution — establish, exercise or defend legal claims; respond to lawful demands by Indian or foreign authorities.

5. Lawful basis under DPDP Act, GDPR & other regimes

We rely on the following lawful bases. Where more than one applies, the strictest controls.

Processing activityDPDP Act §6 / §7GDPR Art 6
Replying to inquiries; preparing quotations§6 Consent & §7(a) for the performance of a contractArt 6(1)(b) contract / pre-contract
Order fulfilment, invoicing, warranty§7(a) contract performanceArt 6(1)(b) contract performance
SCOMET classification, sanctions screening, EUC§7(c) compliance with lawArt 6(1)(c) legal obligation
Tax, customs, FEMA, Companies Act compliance§7(c) compliance with lawArt 6(1)(c) legal obligation
Site security, fraud prevention, abuse mitigation§7(g) legitimate uses (specified)Art 6(1)(f) legitimate interest
Analytics cookies, marketing emails (where applicable)§6 ConsentArt 6(1)(a) consent
Defending or asserting legal claims§7(g) legitimate usesArt 6(1)(f) legitimate interest

6. How long we keep your data

CategoryRetention periodReason
Personal IP-address logs14 days, then auto-deletedLimit exposure; aggregate counts retained for security analytics
Inquiry records (no contract)2 years from last contactRe-engagement window; statutory limitation periods
Customer correspondence (contract concluded)5 years from contract endIndian Companies Act 2013 §128, Sale of Goods Act, dispute window
Order, invoice and shipping records8 years from financial year endIncome-tax Act 1961 §44AA + GST Act compliance
Defence-export licence applications, EUCs, EUVs, sanctions screensGreater of 5 years (FT (Regulation) Rules 1993 r.12) or 7 years internal policyFTDR Act / Customs / regulator audit
CookiesStrictly necessary: session; analytics & consent record: up to 6 monthsTighter than CNIL 13-month maximum; user re-consent prompt at expiry
Backups30 days rollingDisaster recovery; deletion requests honoured at next backup cycle

When the relevant retention period expires, we delete or irreversibly anonymise the data, except where ongoing litigation, investigation, or legal obligation requires longer retention.

7. Who we share data with (sub-processors)

We share personal data only with sub-processors under written contracts. Each sub-processor's purpose, jurisdiction, and safeguard mechanism is listed below.

Sub-processorPurposeRegion of processingSafeguard
Hostinger International Ltd.Web and email hostingSingapore (primary), with global failoverEU SCC + DPA; ISO 27001-aligned controls
Cloudflare, Inc.CDN, DDoS mitigation, WAF, edge cachingGlobal edge; HQ United StatesEU SCC + DPA; ISO 27001 / SOC 2 Type II
Google LLC (Analytics 4 + Tag Manager)Aggregate site analytics — consented only; IP-anonymisation enabledUnited States (with EU/India region preferences where supported)EU SCC + DPF (where applicable); Google Ads Data Processing Terms
Google LLC (reCAPTCHA v3)Invisible anti-bot / abuse protection on web forms (security risk-scoring of submissions)United StatesEU SCC + DPF (where applicable); Google reCAPTCHA Terms
ipinfo.io (Ipinfo, Inc.)Coarse IP geolocation (country / city / ISP) on form submissions — inquiry-source analytics, routing, and sanctions-destination cross-checkUnited StatesEU SCC + DPA
Meta Platforms, Inc. — WhatsApp BusinessOptional inbound messaging from prospective buyersGlobal (Meta data centres)WhatsApp Business Terms; SCC where applicable
Indian Customs / DGFT / DPB / MEA / income-tax / GSTNStatutory disclosures — not a "processor" but a recipient under §7(c)IndiaStatutory authority; lawful demand only
External professional advisers (legal, audit, tax, banking)Specific mandates as requiredIndia (primary)Professional duty of confidentiality + written engagement

We do not sell, rent or trade personal data. We do not share data with advertising networks, data brokers, or political organisations.

8. International transfers

Your personal data may be transferred outside India when our sub-processors operate from other jurisdictions (see section 7). We protect those transfers through one or more of the following:

If you would like a copy of the SCCs in place for a specific transfer, please contact our Grievance Officer.

9. Your rights and how to exercise them

You have the following rights as a Data Principal under DPDP Act §11 / a Data Subject under GDPR, regardless of where you are located. Where a regime grants a right that another does not, we apply the more protective standard.

RightWhat it meansStatutory source
Access & summary of processingReceive confirmation we hold your data and a summary of processingDPDP §11(1)(a); GDPR Art 15
Correction, completion, updatingHave inaccurate or incomplete data correctedDPDP §12(2); GDPR Art 16
Erasure ("right to be forgotten")Have your data deleted where lawfully requiredDPDP §12(3); GDPR Art 17
Withdraw consentWithdraw any consent you previously gave; processing already done remains lawfulDPDP §6(4); GDPR Art 7(3)
NominateNominate another individual to exercise rights on your behalf in case of incapacityDPDP §14
PortabilityReceive personal data in a structured, commonly used, machine-readable formatGDPR Art 20
Restriction / objectionLimit processing or object to legitimate-interest-based processingGDPR Arts 18, 21
Not be subject to automated decision-makingIncluding profiling that produces legal or similarly significant effectsGDPR Art 22
Grievance redressFile a grievance with our Grievance OfficerDPDP §13; IT Rules 2021 r.4(8)
Lodge a complaint with a supervisory authorityIndia: Data Protection Board of India (§18). EU: your national DPA. UK: ICO. US: state Attorney General.DPDP §18; GDPR Art 77

How to exercise: email info@motleyexim.com with subject "Data Principal Request" or write to our Grievance Officer. We will acknowledge within 24 hours and resolve within 15 days (or such other period as the law specifies). We may need to verify your identity before acting; we will not use the verification information for any other purpose.

10. DPDP Act §5–§6 notice (India residents)

If you are a Data Principal located in India at the time you provide your personal data to us, the following statements are given to you under DPDP Act §5 read with §6.

11. California, US state & "Do Not Sell or Share"

If you are a California resident, the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA) provides you with additional rights. Other US states (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, etc.) provide broadly analogous rights.

Do Not Sell or Share My Personal Information: We do not "sell" personal information for monetary value, nor do we "share" it for cross-context behavioural advertising as those terms are defined under California law. We honour the Global Privacy Control (GPC) browser signal: when received, we treat it as a valid opt-out request from any future sale or sharing. To exercise CCPA / CPRA rights, contact info@motleyexim.com.

12. Children's data

motleyexim.com is a B2B defence-procurement website. It is not directed to anyone under the age of 18, and we do not knowingly collect personal data from children. If you become aware that a child has provided personal data through our website or to our staff, please contact our Grievance Officer; we will promptly delete the data unless we are required to retain it for a specific legal purpose. The protections in DPDP Act §9 (children and persons with disabilities) and GDPR Art 8 (children's consent) are strictly observed.

13. Cookies and tracking technologies

The full inventory of cookies, their purposes, durations and third parties is set out in our Cookie Policy. In summary:

You can withdraw cookie consent at any time via the cookie-banner re-opener, or by clearing cookies in your browser.

14. Defence-export inquiry notice

If you contact MECo about a potential defence export, additional processing applies because of the SCOMET-controlled nature of our products:

This processing is necessary to comply with Indian and international export-control law and is grounded in DPDP §7(c) (legal compliance) and GDPR Art 6(1)(c) (legal obligation).

15. Security measures

We continuously review controls against the security-compliance baseline used across our project portfolio (rate limiting, RLS where applicable, IDOR protection on authenticated routes, secrets in environment variables only).

16. Personal-data-breach notification

In the event of a personal-data breach, we will:

17. Grievance Officer and complaints

Our designated Grievance Officer is Tejasvi Shedha (Business Development Executive). For complaints, data-principal rights requests, content takedown notices and other grievances, write to evolve@motleyexim.com with the subject line "Grievance — Attention Grievance Officer". Full scope, response timelines and escalation paths are at /grievance-officer/.

You may also lodge a complaint directly with the Data Protection Board of India (DPDP §18), your national EU / UK supervisory authority, or your state Attorney General (US), without contacting us first.

18. Changes to this policy

We may update this policy as our practices, sub-processor list, or applicable law evolves. Material changes will be flagged at the top with an updated date and may be communicated via the cookie consent banner re-prompt or, where appropriate, by direct notice to active customers. Continued use of motleyexim.com after a material change constitutes acceptance of the updated policy to the extent permitted by law; for changes that require fresh consent under DPDP §6 or GDPR Art 7, we will request consent again.

19. Contact

Data protection inquiries / Data Principal Requests:

Email: info@motleyexim.com — subject line "Data Principal Request"

Grievances (DPDP §13 / IT Rules 2021 r.4(8)): Tejasvi Shedha, Business Development Executive — evolve@motleyexim.com — full process at /grievance-officer/

Phone: +91 93101 11792

Office: B-70/56, D.S.I.D.C. Sheds, Lawrence Road, New Delhi 110035, India

Office hours: Monday to Saturday, 09:30–18:30 IST (excluding public holidays)

This policy does not constitute legal advice. It is intended to satisfy the disclosure obligations of the Digital Personal Data Protection Act, 2023 (notice under §5 read with §6); the EU GDPR Articles 13–14; the UK GDPR; and the California CCPA / CPRA, as in force on the date stated above. It is reviewed periodically and after any material regulatory change.