Coventra LLP ("Coventra", "Company", "we", "us", "our") is committed to protecting the privacy, security, and integrity of all personal data entrusted to us. This Privacy Policy ("Policy") explains how we collect, use, store, share, and protect your personal data when you access or use the Coventra platform, website (www.coventra.com), and associated software-as-a-service ("SaaS") tools (collectively, the "Platform"). This Policy applies to all users of the Platform, including individuals, business representatives, and authorised personnel accessing the Platform on behalf of a company or entity. By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the terms of this Policy.
This Policy has been prepared to comply with the following laws and regulations:
| Detail | Information |
|---|---|
| Entity Name | Coventra LLP |
| Nature | Limited Liability Partnership, registered in India |
| Platform / Website | www.coventra.com and associated SaaS tools |
| Parent Entity | NuCov FaciliTrade (Principal Consultant: Dr. Joshua Jesudoss Ebenezer) |
| Registered / Principal Office | B/504, Hermes Atrium, Sector 11, C.B.D Belapur, Navi Mumbai - 400614, Maharashtra, India |
| Privacy Contact Email | [email protected] |
| Grievance Officer Email | [email protected] (DPDP Act) |
| DPO Contact | [email protected] (GDPR - EU/EEA Users) |
| Support Email | [email protected] |
This Policy applies to:
This Policy does not apply to third-party websites or services linked from our Platform. We encourage you to review the privacy policies of any external sites you visit.
| Category | Data Points | Collection Method |
|---|---|---|
| Identity | Full name; Date of birth (where required); Designation or job title | Registration form |
| Contact Details | Email address; Phone or mobile number; Business address; Mailing address | Registration / profile update |
| Authentication | Username; Password (hashed and salted); OTP records (log only, not stored); Security responses | Account creation |
| Category | Data Points | Collection Method |
|---|---|---|
| Company Details | Company or entity name; Type of business entity; Industry or sector; Registered office address | Onboarding form |
| Tax and Regulatory Identifiers | GSTIN; PAN; IEC; MSME / Udyam Registration Number; AEO Reference Number (if applicable) | Onboarding and verification |
| Customs and Trade Data | HS codes and product descriptions; Import/export history; SOP documents; Compliance status data | User submission and AI processing |
Under Rule 3 of the IT (SPDI) Rules, 2011, the following categories are treated as Sensitive Personal Data or Information and are subject to heightened protection:
We do NOT collect biometric data, health or medical data, religious beliefs, sexual orientation, or political opinions, unless specifically required for a particular service and separately disclosed at the time of collection.
| Purpose | Data Categories Used | Legal Basis (GDPR / DPDP) |
|---|---|---|
| Account registration and authentication (OTP) | Name, email, phone, password | Contract; Consent (OTP) |
| Business identity verification (KYB) | PAN, GSTIN, IEC, MSME | Legal obligation; Contract |
| Provision of AEO application processing and SaaS tools | All business and regulatory data | Contract performance |
| AI/ML-driven SOP generation and compliance automation | Business data, HS codes, trade data | Contract; Legitimate interest |
| Auto-population via government API integrations | Regulatory IDs and linked portal data | Explicit consent |
| Platform security and fraud prevention | Technical data, usage logs | Legitimate interest; Legal obligation |
| Service communications (alerts, updates, notifications) | Email, phone number | Contract; Consent |
| Analytics and platform improvement | Technical and usage data (anonymised) | Legitimate interest |
| Legal and regulatory compliance | All relevant data as required | Legal obligation |
| Marketing communications | Email, phone number | Explicit opt-in consent |
In accordance with Section 6 of the Digital Personal Data Protection Act, 2023, we process personal data only after obtaining free, specific, informed, unconditional, and unambiguous consent from the Data Principal, unless processing falls within a legitimate use provision under the Act.
Consent is obtained:
You have the right to withdraw consent at any time by writing to [email protected] or using the in-platform consent management settings. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal. However, withdrawal may affect your ability to use certain features of the Platform that depend on such processing.
For users accessing the Platform from within the European Economic Area, we rely on the following lawful bases under Article 6 of the GDPR:
| Lawful Basis | Application |
|---|---|
| Article 6(1)(a) - Consent | Marketing communications, optional analytics, and third-party government portal integrations |
| Article 6(1)(b) - Contract | Registration, account management, and delivery of Platform services you have requested |
| Article 6(1)(c) - Legal Obligation | Where Indian law, EU law, or other applicable regulation requires data processing or retention |
| Article 6(1)(f) - Legitimate Interests | Platform security, fraud prevention, analytics, and internal administration, subject to a balancing test confirming that your fundamental rights and freedoms are not overridden |
Coventra does not sell, rent, or trade your personal data to any third party. We may share data only in the following defined circumstances:
| Category of Recipient | Purpose | Safeguards Applied |
|---|---|---|
| Cloud infrastructure and hosting providers | Data storage; server operations | Data processing agreements; encryption in transit and at rest |
| SMS and OTP gateway providers | OTP delivery; SMS alerts | Minimum data transfer; provider DPA in place |
| Email service providers | Transactional and service emails | Provider DPA; data minimisation applied |
| Analytics providers | Platform usage analytics | Anonymised or aggregated data; provider DPA |
| Payment processors | Subscription fee processing | PCI-DSS compliant; card data not stored by Coventra |
| Government portals (GSTN, DGFT, CBIC) | API integrations when user-authorised | User-initiated; governed by respective government platform policies |
| Legal advisors and auditors | Legal advice; statutory audit | Bound by professional confidentiality obligations |
| Government and regulatory authorities | Compliance with law; court orders; regulatory directions | Only to the extent required by applicable law |
| Business successors | Merger, acquisition, or restructuring | Data protection obligations carried forward; users notified in advance where possible |
Under Section 16 of the Digital Personal Data Protection Act, 2023, personal data may be transferred outside India only to countries or territories notified by the Central Government as permissible jurisdictions for cross-border data transfers. Where we use cloud infrastructure or third-party service providers located outside India, such transfers are effected only to notified or permitted jurisdictions. We will update this Policy if the list of permitted jurisdictions changes.
We maintain contractual safeguards, including data processing agreements, with all international sub-processors.
Where your personal data is transferred outside the European Economic Area, we ensure that appropriate safeguards are in place, including:
You may request a copy of the applicable safeguards by writing to [email protected].
As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:
| Right | Description and How to Exercise |
|---|---|
| Right to Access (Section 11) | You may obtain a summary of personal data processed by us and the processing activities carried out. Submit a written request to [email protected]. |
| Right to Correction and Updation (Section 12) | You may request correction of inaccurate or outdated personal data, and completion of incomplete data. Update via your account settings or write to us. |
| Right to Erasure (Section 12) | You may request erasure of your personal data where the purpose for which it was collected has been fulfilled or where consent has been withdrawn. Note: certain data may be retained under applicable law. |
| Right to Withdraw Consent (Section 6) | You may withdraw consent for processing based on consent at any time. Withdrawal does not affect the lawfulness of prior processing. |
| Right to Grievance Redressal (Section 13) | You have the right to timely resolution of any grievance relating to our processing of your data. Contact the Grievance Officer (see Part H). |
| Right to Nominate (Section 14) | You may nominate another individual to exercise your rights in the event of your death or incapacity. Submit nomination details to [email protected]. |
If you are located in the European Economic Area, you have the following rights under Articles 15 to 22 of the GDPR:
| Right | Description |
|---|---|
| Right of Access (Art. 15) | Obtain confirmation of whether your data is processed and receive a copy of your personal data along with supplementary information. |
| Right to Rectification (Art. 16) | Request correction of inaccurate personal data and completion of incomplete data. |
| Right to Erasure / Right to be Forgotten (Art. 17) | Request deletion of your data where it is no longer necessary, where consent is withdrawn, or where processing is unlawful. |
| Right to Restriction of Processing (Art. 18) | Request restriction of processing in certain circumstances, for example while accuracy of data is being contested. |
| Right to Data Portability (Art. 20) | Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another data controller. |
| Right to Object (Art. 21) | Object to processing based on legitimate interests or direct marketing at any time. |
| Rights in Relation to Automated Decision-Making (Art. 22) | Not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, unless you have given explicit consent or it is necessary for a contract. |
| Right to Lodge a Complaint (Art. 77) | Lodge a complaint with the supervisory authority in your EU member state if you believe we have infringed your rights under the GDPR. |
To exercise any of the rights described in this Part, please contact us as follows:
| Request Type | Contact Details |
| DPDP Act rights and general privacy requests | [email protected] |
| GDPR rights requests (EU/EEA users) | [email protected] |
| Formal grievances under the DPDP Act | [email protected] |
Response timelines:
We may need to verify your identity before processing your request. We will not charge a fee unless a request is manifestly unfounded or excessive.
Coventra implements commercially reasonable and legally required security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. Our security practices include, but are not limited to:
| Security Measure | Description |
|---|---|
| Encryption in Transit | All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS). |
| Encryption at Rest | Sensitive data stored on our servers is encrypted at rest using AES-256 or equivalent industry-standard encryption. |
| Access Controls | Role-based access controls ensure that only authorised personnel can access personal data on a strict need-to-know basis. |
| Multi-Factor Authentication | MFA is available and encouraged for all user accounts. |
| Audit Logging | All access to personal data is logged and monitored for anomalous activity. |
| Vendor Security | All third-party service providers are contractually required to maintain appropriate security standards. |
| Penetration Testing | Regular security assessments and penetration tests are conducted to identify and remediate vulnerabilities. |
| Staff Training | All staff with access to personal data receive training on data protection obligations and security best practices. |
Our security practices are designed to comply with the information security standards prescribed under the IT (SPDI) Rules, 2011, including IS/ISO/IEC 27001 or equivalent internationally recognised security standards.
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy or as required by applicable law:
| Category of Data | Retention Period |
|---|---|
| Account and registration data | Duration of the account, plus 3 years after account closure (for legal and tax compliance) |
| Business and regulatory data (GSTIN, PAN, IEC) | As required by Indian tax, customs, and trade laws (generally 5 to 7 years from the relevant transaction) |
| AEO application data | Duration of AEO certification plus the applicable statutory period under Customs laws |
| Transaction and financial records | As required under applicable financial and tax laws, typically 8 years |
| Technical logs and access logs | 12 months from creation, unless required longer for security or legal purposes |
| Marketing consent records | Until consent is withdrawn, plus 1 year thereafter |
| Dispute and litigation records | Until final resolution of the dispute, plus the applicable limitation period |
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Where anonymised data is retained for analytics, it is no longer considered personal data under applicable law.
DPDP Act Compliance (Section 8(7)): In accordance with Section 8(7) of the DPDP Act, Coventra will erase personal data where: (a) the specified purpose for which it was collected has been served; and (b) retention is no longer necessary for any legitimate use or legal obligation.
In the event of a personal data breach, Coventra will:
| Cookie Type | Purpose and Opt-Out Status |
|---|---|
| Strictly Necessary Cookies | Essential for the Platform to function, including session management, authentication, and security cookies. Cannot be disabled without impacting Platform functionality. |
| Functional Cookies | Remember your preferences such as language and display settings to enhance your experience. May be disabled via cookie settings. |
| Analytics Cookies | Collect aggregated and anonymised data about how you use the Platform to help us improve performance and user experience. Opt-in where required by applicable law. |
| Performance Cookies | Monitor Platform speed and performance for operational improvements only. |
Coventra does not use advertising or behavioural targeting cookies. You may manage your cookie preferences through our Cookie Consent Manager accessible via the Platform footer, or through your browser settings. Disabling strictly necessary cookies may prevent you from using certain features of the Platform.
The Coventra Platform is intended for use by business professionals and entities. It is NOT directed at individuals under the age of 18.
DPDP Act (Section 9): We are prohibited from processing personal data of children, defined as individuals under 18 years of age, without verifiable parental consent. Our Platform does not offer services directed at minors. We rely on users' agreement to our Terms of Service confirming they are 18 years of age or older.
GDPR (Article 8): Where consent is the applicable lawful basis, the consent of a child under 16 is valid only if given or authorised by a person holding parental responsibility. Our Platform does not offer services to individuals under 18.
If we become aware that we have inadvertently collected personal data from a minor, we will take immediate steps to delete such data.
Our AI/ML-powered tools, including SOP generation, AEO readiness scoring, and compliance gap analysis, are designed as decision-support tools. They do not make final legal or compliance determinations without human oversight.
Where the Platform provides automated assessments or recommendations:The Platform may contain links to third-party websites or integrate with external government portals and services including GSTN, DGFT, and CBIC. Coventra is not responsible for the privacy practices, security, or content of such third-party sites or services. We recommend that you review the applicable privacy policies before authorising any third-party integration or following any external link.
Coventra will send marketing or promotional communications to you only where we have obtained your explicit, separate, and opt-in consent. You may withdraw this consent at any time by:
Withdrawal of marketing consent will not affect your receipt of service-related and transactional communications, which are necessary for the operation of your account.
Coventra has designated a Data Protection Officer ("DPO") who may be contacted by EU/EEA users in respect of any matter relating to the processing of their personal data under the GDPR.
| Detail | Information |
|---|---|
| Role | Data Protection Officer (DPO) |
| [email protected] | |
| Scope | GDPR enquiries, EU/EEA Data Subject Rights requests, and GDPR complaints |
| Response Time | Within one calendar month, extendable by two further months for complex requests with prior notice |
In accordance with Section 13 of the Digital Personal Data Protection Act, 2023, Coventra LLP has appointed a Grievance Officer to address complaints and grievances relating to the processing of personal data.
| Detail | Information |
|---|---|
| Name | Ajay David |
| Role | Grievance Officer, Coventra LLP |
| [email protected] | |
| Postal Address | B/504, Hermes Atrium, Sector 11, C.B.D Belapur, Navi Mumbai - 400614, Maharashtra, India |
| Acknowledgement Timeline | Within 5 business days of receipt of grievance |
| Resolution Timeline | Within the period prescribed under the DPDP Act and applicable rules thereunder |
If you are not satisfied with the resolution provided by the Grievance Officer, you have the right to escalate your complaint to the Data Protection Board of India, once it is constituted and operational under the DPDP Act, 2023.
Once constituted and operational, the Data Protection Board of India will be the competent adjudicatory authority under the DPDP Act, 2023. Details of the Board and complaint procedures will be published by the Ministry of Electronics and Information Technology (MeitY) and will be updated in this Policy as available.
If you are an EU/EEA user and you consider that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. A list of EU supervisory authorities is available at the European Data Protection Board website: https://edpb.europa.eu
We may update this Policy from time to time to reflect changes in our practices, legal obligations, or Platform features. When we make material changes, we will:
Your continued use of the Platform after the effective date of a revised Policy constitutes your acceptance of the updated terms to the extent permitted by applicable law. If you do not agree with the updated Policy, you should discontinue use of the Platform and contact us to close your account.
The following table summarises key processing activities carried out by Coventra LLP, in compliance with the transparency requirements of Articles 13 and 14 of the GDPR and the notice requirements of the DPDP Act, 2023.
| Processing Activity | Data Categories | Legal Basis |
|---|---|---|
| Account Registration and Authentication | Identity, contact, authentication data; OTP delivery logs | Contract; Consent (OTP) |
| Business Verification (KYB) | GSTIN, PAN, IEC, MSME; business address; entity type | Legal obligation; Contract |
| AEO Application Processing (AI/ML) | All business and regulatory data; HS codes; SOPs; compliance data | Contract; Consent |
| Government API Integration (GSTN, DGFT, CBIC) | Regulatory identifiers and linked portal data | Explicit consent at point of authorisation |
| Platform Analytics | Technical and usage data (anonymised) | Legitimate interest |
| Security and Fraud Prevention | IP address, device data, log data | Legitimate interest; Legal obligation |
| Service Communications | Email address, phone number | Contract |
| Marketing Communications | Email address, phone number | Explicit opt-in consent |
| Legal and Regulatory Compliance | All data as required by applicable law | Legal obligation |
| Cookie Type | Purpose and Duration | Can Be Disabled? |
|---|---|---|
| Session Cookie (strictly necessary) | Maintains login session; expires at end of session | No - essential for Platform function |
| CSRF Token (strictly necessary) | Protects against cross-site request forgery; session duration | No - essential for security |
| Preference Cookie (functional) | Stores language and display preferences; 1 year | Yes - via cookie manager |
| Analytics Cookie | Aggregated usage analytics; up to 2 years | Yes - opt-in where required by law |
| Performance Cookie | Platform load time and performance monitoring; 30 days | Yes - via cookie manager |
| Term | Definition |
|---|---|
| Personal Data / Personal Information | Any data about an individual that identifies or can identify them, directly or indirectly. Under the DPDP Act: "any data about an individual who is identifiable by or in relation to such data." Under the GDPR: "any information relating to an identified or identifiable natural person." |
| Data Fiduciary (DPDP Act) | Any person who alone or in conjunction with other persons determines the purpose and means of processing personal data. Coventra LLP is the Data Fiduciary for the purposes of the DPDP Act in respect of Indian users. |
| Data Controller (GDPR) | The natural or legal person that determines the purposes and means of processing personal data. Coventra LLP is the Data Controller for EU/EEA users under the GDPR. |
| Data Principal / Data Subject | The individual to whom the personal data relates. Referred to as "Data Principal" under the DPDP Act and "Data Subject" under the GDPR. |
| Processing | Any operation or set of operations performed on personal data, including collection, storage, use, disclosure, sharing, transfer, erasure, or destruction. |
| Consent | A clear, affirmative, and unambiguous indication by the Data Principal of their agreement to the processing of their personal data for a specified purpose. Must be free, specific, informed, and capable of withdrawal. |
| SPDI | Sensitive Personal Data or Information as defined under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. |
| Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. |
| Legitimate Use (DPDP Act) | Specific non-consent based grounds for processing personal data permitted under Section 7 of the DPDP Act, 2023, including purposes related to the State, legal proceedings, medical emergencies, and employment. |
| Data Processor / Data Processor (DPDP) | Any person who processes personal data on behalf of a Data Fiduciary or Data Controller, in accordance with their instructions. |