Privacy Policy
This Privacy Policy explains how RKValidate Software Private Limited collects, uses, discloses, transfers, retains and safeguards personal data across www.rkvalidate.com and our RKTracer-related products and services. It is written to meet the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA, and India's Digital Personal Data Protection Act, 2023.
Effective date: 21 June 2026 · Last updated: 21 June 2026
Contents
- 1. Introduction and scope
- 2. The personal data we collect
- 3. How and why we use your personal data
- 4. Cookies and similar technologies
- 5. How we share information
- 6. International data transfers
- 7. Data retention
- 8. Information security
- 9. Your privacy rights
- 10. Children's privacy
- 11. Grievance Officer (India)
- 12. Third-party links and services
- 13. Changes to this policy
- 14. How to contact us
1. Introduction and scope
RKValidate Software Private Limited ("RKValidate", "we", "us" or "our") is a private limited company incorporated in India, with its registered office in Bengaluru, Karnataka, India. We develop and provide RKTracer, a code-coverage tool for safety-critical and embedded software, together with the related websites, downloads, evaluation builds, documentation and support services described in this policy.
This Privacy Policy applies to the personal data we process through our website at www.rkvalidate.com (the "Website") and through RKTracer-related services, including demo requests, free-trial and download requests, our chat widget, contact and support channels, and our email communications. It describes the personal data we collect, why we process it, the legal bases we rely on, who we share it with, how long we keep it, how we transfer it internationally, and the rights available to you depending on where you live.
For the purposes of EU and UK data-protection law, RKValidate acts as a "controller" of the personal data described here. Under India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), RKValidate is a "Data Fiduciary", and the individual to whom personal data relates is a "Data Principal". Under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), RKValidate is a "business".
Our products and Website are designed for a global business-to-business audience: engineering teams building embedded, automotive, aerospace, medical and industrial software in the United States, the European Economic Area (EEA), the United Kingdom, India and worldwide. Where we mention RKTracer in this policy we are describing a software development and verification tool only; nothing here should be read as a functional-safety certification of RKTracer or of any other RKValidate product.
By using the Website or contacting us, you acknowledge that you have read and understood this policy. Where applicable law requires consent for a specific processing activity, we rely on that consent as described below rather than on your general use of the Website.
2. The personal data we collect
We collect personal data that you provide directly, data that is generated automatically when you interact with the Website, and a limited amount of business information inferred from your network connection. We aim to collect only what we need for the purposes set out in Section 3. The table below summarises the categories of personal data we process, where each category comes from, and the main purposes for which we use it.
| Category of personal data | Examples | Source | Main purposes |
|---|---|---|---|
| Identity and contact data | Name, work email address, telephone number, job title or role, company or organisation, country. | Directly from you, via forms and correspondence. | Responding to enquiries, demos, trials, support, and follow-up. |
| Lead and enquiry data | Message content, demo-request details, intended evaluation environment (target platform, compiler, language), areas of interest. | Directly from you, via contact, demo, trial and download forms. | Qualifying enquiries, provisioning trials, sales follow-up. |
| Support data | Support-ticket content, technical descriptions, correspondence and attachments you choose to send. | Directly from you, via support tickets and email. | Diagnosing and resolving issues, maintaining a support history. |
| Chat data | Messages you send through our self-hosted chat widget, conversation history, and any name, email or company you choose to share in chat. | Directly from you, via the chat widget. | Live or email follow-up, answering questions, keeping context. |
| Website analytics and device data | IP address, approximate location (country, region, city) derived from the IP, pages viewed, navigation path, referrer and UTM source, device and browser type. | Automatically, when you use the Website (self-hosted analytics). | Understanding site usage, improving content, security. |
| Inferred company data | An inferred company or organisation name derived from your IP address for business-to-business lead identification. | Inferred from your IP address and a third-party IP geolocation service. | Identifying business interest at an organisation level; account-based outreach. |
| Identifiers and local storage | A persistent visitor ID and a session ID stored in your browser (localStorage and sessionStorage), chat state, and administrative authentication for our staff. | Automatically, via cookies and browser storage. | Recognising returning visits, maintaining sessions, securing the admin area. |
| Email and communications data | Transactional and follow-up emails, including your email address and the content of those messages. | Generated through our company mail system. | Sending requested information, responding, and follow-up. |
2.1 IP address, approximate location and inferred company
We want to be clear and accurate about this. Our analytics are self-hosted; we do not use Google Analytics. When you visit the Website, our analytics record your IP address and use it to derive an approximate location (country, region and city) and to infer the company or organisation associated with your network connection. We use this firmographic inference to understand which kinds of organisations are interested in RKTracer and to support business-to-business outreach at an organisation level. This processing is intended to identify a business, not to single out or track you as an individual, and it does not produce any legal or similarly significant effect about you. You can object to this processing as described in Section 9.
2.2 Sensitive data and proprietary code
We do not ask for and do not want special-category data (such as health, biometric or government-identifier data) through the Website, and we ask you not to send it. Please also avoid including proprietary or sensitive source code in chat, contact forms or support tickets unless this is expressly agreed under a confidentiality arrangement. If you choose to share such information voluntarily, you do so on the basis described in Section 3.
2.3 No automated decision-making
We do not make decisions that produce legal effects or similarly significant effects about you based solely on automated processing, and we do not carry out automated profiling of that kind. The company inference described above is used for general business-development purposes only and is not used to make automated decisions about individuals.
3. How and why we use your personal data
We use personal data to operate the Website, respond to you, provide and improve RKTracer and our services, keep our systems secure, and comply with the law. For individuals protected by the EU or UK GDPR, we must have a "lawful basis" for each purpose. The table below maps our main purposes to the GDPR lawful basis we rely on. Where we rely on legitimate interests, we have carried out a balancing assessment to confirm that our interests are not overridden by your interests or fundamental rights, and you have the right to object as described in Section 9.
| Purpose | GDPR lawful basis |
|---|---|
| Providing demos, free trials, downloads and the support you request, and managing pre-contract and contract steps. | Performance of a contract or steps at your request before entering a contract, Article 6(1)(b). |
| Responding to enquiries, operating the chat widget, and following up on contact and support requests. | Performance of a contract or pre-contract steps, Article 6(1)(b); and our legitimate interests in running our business and helping enquirers, Article 6(1)(f). |
| Business-to-business analytics, understanding site usage, and the IP-to-company inference for account-based outreach. | Our legitimate interests in understanding interest in our products and developing our business, Article 6(1)(f), with a right to object; the underlying analytics cookies or trackers are set on the basis of consent where required (see Section 4). |
| Sending marketing emails, product news, release notes and newsletters. | Your consent, Article 6(1)(a), which you may withdraw at any time; or, for existing business contacts where permitted, our legitimate interests subject to your right to object. |
| Setting non-essential cookies and similar technologies. | Your consent, Article 6(1)(a), where required by the ePrivacy rules or UK PECR. |
| Securing the Website and our systems, preventing fraud and abuse, and protecting our staff and users. | Our legitimate interests in the security and integrity of our services, Article 6(1)(f). |
| Meeting legal, tax, accounting and regulatory obligations, and establishing, exercising or defending legal claims. | Compliance with a legal obligation, Article 6(1)(c); and our legitimate interests in protecting our rights, Article 6(1)(f). |
Under India's DPDP Act, we generally process personal data on the basis of your consent, given by a clear affirmative action and limited to the purpose we have notified to you, or on the basis of "certain legitimate uses" recognised by that Act (for example, where you have voluntarily provided personal data for a specified purpose, or where processing is required to comply with law). Under the CCPA/CPRA, we use the personal information we collect for the business and commercial purposes described in this policy, including providing our services, communicating with you, security and fraud prevention, analytics and improvement, and the company inference described in Section 2.1.
4. Cookies and similar technologies
Cookies are small text files placed on your device. We also use related technologies, including browser localStorage and sessionStorage, to store identifiers and state. We use the following kinds of cookies and similar technologies:
- Strictly necessary and session storage. A session ID and related state that are needed for the Website to function and for your session to work correctly. These are set without consent because the Website cannot operate without them.
- Analytics and visitor identification. A persistent visitor ID and analytics identifiers used by our self-hosted analytics to recognise returning visits and measure how the Website is used, including the IP-based location and company inference described in Section 2.1.
- Chat. Storage used by our self-hosted chat widget to maintain your conversation and chat state.
- Administrative authentication. Cookies used to authenticate RKValidate staff to the administrative area of the Website. These are not set for ordinary visitors.
We are introducing a cookie consent banner so that visitors in regions where prior consent is required can accept or reject non-essential cookies and trackers at a granular level, and withdraw consent as easily as it was given. Until that banner is fully in place, we limit non-essential tracking where the law requires consent and we honour the controls described here. For individuals in the EEA and the UK, the ePrivacy rules and UK PECR generally require your prior consent before non-essential cookies or trackers are set; strictly necessary cookies do not require consent.
You can control or delete cookies through your browser settings, and most browsers allow you to refuse or remove cookies and clear local storage. You can also clear localStorage and sessionStorage for our site. Disabling certain cookies or storage may affect how parts of the Website function. Where your browser sends an opt-out preference signal such as Global Privacy Control (GPC), we treat it as a valid request to opt out of any "sale" or "share" of personal information as described in Section 9.
5. How we share information
We do not sell your personal data. We share personal data only with the categories of recipients described below, and only as needed for the purposes in this policy.
- Service providers and processors. Vendors that process personal data on our behalf and under our instructions, such as web hosting, email and IT providers, and any chat, analytics, support or customer-relationship tools we use. Our current service providers include cloud hosting and infrastructure providers, an email and communication provider, and an IP geolocation service used to derive approximate location and organisation information. We do not sell or rent your personal data to anyone, and we do not share it with third parties for their own marketing or for unsolicited messaging. These providers are bound by written data-processing terms (for example, GDPR Article 28 terms where applicable) and by obligations of confidentiality and information security, and they are not permitted to use your personal data for their own purposes.
- Legal, regulatory and safety reasons. Where we are required or permitted by law, regulation, legal process or an enforceable governmental request, or where disclosure is necessary to protect the rights, property or safety of RKValidate, our users or others, or to investigate fraud or security issues.
- Business transfers. In connection with a merger, acquisition, financing, reorganisation or sale of assets, in which case personal data may be transferred as part of that transaction. We will continue to protect personal data and will notify you of any material change to how it is handled.
Categories of personal data that may be disclosed to these recipients for a business purpose include identity and contact data, lead and enquiry data, support data, chat data, website analytics and device data, inferred company data, identifiers, and email and communications data, as described in Section 2.
5.1 CCPA/CPRA "sale" and "share"
For purposes of the CCPA/CPRA, RKValidate does not "sell" personal information and does not "share" personal information for cross-context behavioural advertising. We do not exchange personal information for money, and we do not disclose personal information to third parties to serve you targeted advertising across other websites or services. Because we do not sell or share personal information in this sense, no "Do Not Sell or Share My Personal Information" exchange is taking place; even so, we honour opt-out preference signals such as GPC and treat them as a request to opt out, and you may contact us at any time to confirm your preferences. If our practices change so that any activity qualifies as a "sale" or "share", we will update this policy and provide the required opt-out mechanism.
6. International data transfers
RKValidate is based in India, and personal data we collect is processed in India and may be processed by our service providers in other countries. Because we serve customers worldwide, your personal data may be transferred to, stored in, or accessed from countries other than your own, where data-protection laws may differ from those in your jurisdiction.
India is not currently the subject of an EU or UK "adequacy" decision. Where we receive personal data of individuals in the EEA or the UK, those transfers into India are treated as restricted international transfers and are safeguarded under Chapter V of the GDPR. For personal data from the EEA we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914); for personal data from the UK we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, in each case supported by a transfer risk assessment and any supplementary measures we consider appropriate. Where we transfer personal data onward to service providers, we use appropriate safeguards with those providers as well.
Under India's DPDP Act, we may transfer personal data outside India except to any country or territory restricted by the Central Government. You can ask us for more information about the safeguards we use and request a copy of the relevant transfer mechanism by contacting us at info@rkvalidate.com.
7. Data retention
We keep personal data only for as long as we need it for the purposes for which it was collected, including to respond to you, provide trials and support, run our business, and comply with our legal, tax and accounting obligations or resolve disputes. When personal data is no longer needed, we delete it or anonymise it so that it can no longer be associated with you.
In setting retention periods we consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, whether we can achieve those purposes by other means, and any legal or regulatory requirements. As general guidance: enquiry, demo, trial and lead records are retained while we have an active relationship and for a reasonable follow-up period afterwards; support records are retained for as long as needed to provide and improve support; marketing contact records are retained until you unsubscribe or ask us to remove them; website analytics records are retained for a limited period; and chat conversations are retained for follow-up and quality purposes for a limited period. Some records may be kept longer where required to meet statutory limitation, tax or accounting obligations. If you withdraw consent or successfully request erasure, we will stop the relevant processing and delete the data unless we are required or permitted by law to retain it.
8. Information security
We implement reasonable technical and organisational measures designed to protect personal data against unauthorised or unlawful access, alteration, disclosure, loss or destruction. These measures include encryption of data in transit, access controls and authentication for our systems and administrative area, limiting access to personal data to staff who need it for their role, logging and monitoring, and contractual safeguards with the service providers who process data on our behalf.
No method of transmission over the internet or method of electronic storage is completely secure. While we work to protect your personal data using appropriate safeguards, we cannot guarantee absolute security, and you share information with us at your own risk. If we become aware of a personal data breach that affects you, we will act in accordance with applicable law, which may include notifying the relevant supervisory authority and, where required, affected individuals; under India's DPDP Act this includes intimation to affected Data Principals and to the Data Protection Board of India. If you believe your interaction with us is no longer secure, please contact us immediately using the details in Section 14.
9. Your privacy rights
The rights you have over your personal data depend on where you live and on the law that applies to you. This section sets out the rights for the EEA and the UK, the United States (including California), and India. To exercise any of these rights, please contact us at info@rkvalidate.com. We will respond within the timeframe required by applicable law. To protect your data, we may need to verify your identity before acting on a request, for example by asking you to confirm details we already hold or to respond from the email address on record; we will not use that information for any other purpose. We do not charge a fee to handle most requests, and we will not discriminate against you for exercising your rights.
9.1 EEA and UK (GDPR and UK GDPR)
If you are in the EEA or the UK, you have the following rights, subject to conditions and exemptions in the law:
- Access to the personal data we hold about you and information about how we process it (Article 15).
- Rectification of inaccurate or incomplete personal data (Article 16).
- Erasure of your personal data in certain circumstances (Article 17).
- Restriction of processing in certain circumstances (Article 18).
- Data portability for data you provided to us, where processing is based on consent or contract and carried out by automated means (Article 20).
- Objection to processing based on our legitimate interests, including the IP-to-company inference, and an absolute right to object to direct marketing, which we will always honour (Article 21).
- Rights related to automated decision-making (Article 22); as noted in Section 2.3, we do not carry out such decision-making.
- Withdraw consent at any time, where we rely on consent, without affecting the lawfulness of processing before withdrawal (Article 7(3)).
You also have the right to lodge a complaint with a supervisory authority. In the EEA you may complain to the Data Protection Authority in your country of residence, place of work or where the alleged infringement occurred. In the UK you may complain to the Information Commissioner's Office (ICO) at ico.org.uk. We would, however, appreciate the chance to address your concerns first.
RKValidate has not appointed a representative in the European Union or the United Kingdom under Article 27 of the GDPR. If you are located in the EEA or the United Kingdom, you can contact us directly about your personal data and your rights at info@rkvalidate.com, and we will respond in accordance with applicable law.
9.2 United States
Depending on your state of residence, you may have rights under US state privacy laws, including the right to know and access the personal information we have collected, the right to delete it, the right to correct inaccurate information, the right to opt out of any "sale", "sharing" or targeted advertising and certain profiling, and the right not to be discriminated against for exercising your rights. As described in Section 5.1, we do not sell or share personal information for cross-context behavioural advertising. To exercise these rights, contact us at info@rkvalidate.com; for states that provide an appeal process, you may appeal a decision by replying to our response.
Your California privacy rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the CCPA/CPRA, subject to verification and legal exceptions:
- Right to know and access the categories and specific pieces of personal information we have collected, the sources, the business or commercial purposes, and the categories of third parties to whom we disclose it.
- Right to delete personal information we have collected from you, subject to exceptions.
- Right to correct inaccurate personal information we maintain about you.
- Right to opt out of the sale or sharing of personal information. As stated in Section 5.1, we do not sell or share personal information, and we honour GPC opt-out signals.
- Right to limit the use of sensitive personal information. We do not use sensitive personal information for purposes that require us to offer this option. Any account or authentication credentials we hold for staff are used only to provide and secure our services.
- Right to non-discrimination for exercising your privacy rights.
Do Not Sell or Share My Personal Information. RKValidate does not sell or share your personal information, so there is no personal information for us to stop selling or sharing. We nonetheless recognise the Global Privacy Control (GPC) signal as a valid opt-out request. To make any CCPA/CPRA request, email info@rkvalidate.com. We will verify your request using the information we hold, and we will respond within the timeframe required by law (generally 45 days, extendable where permitted). An authorised agent may submit a request on your behalf if they provide written, signed permission from you and we can verify their authority; we may also ask you to confirm the agent's authority directly. For the categories of personal information we collect, our CCPA category mapping is, in summary: identifiers (including IP address, online identifiers, email, name), commercial information (enquiries about our products), internet or network activity (analytics and navigation data), approximate geolocation (derived from IP), professional or employment-related information (job title, company, role), and inferences (the company inference described in Section 2.1).
9.3 India (DPDP Act, 2023)
If you are a Data Principal under India's DPDP Act, you have the following rights in relation to the personal data we process about you:
- Right to access a summary of the personal data we process and the processing activities, and information about the entities with which it has been shared.
- Right to correction, completion and updating of your personal data.
- Right to erasure of your personal data where it is no longer needed for the purpose for which it was collected, unless retention is required by law.
- Right of grievance redressal through the mechanism described in Section 11.
- Right to nominate another individual to exercise your rights in the event of your death or incapacity.
- Right to withdraw consent at any time, as easily as you gave it. On withdrawal we will stop the relevant processing and erase your personal data unless retention is required by law.
You may exercise these rights by contacting us at info@rkvalidate.com or our Grievance Officer at info@rkvalidate.com. If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India. On request, we will make this policy available in English and in the languages of the Eighth Schedule to the Constitution of India to the extent required by the DPDP rules.
10. Children's privacy
Our Website and products are intended for businesses and professional users and are not directed to children. We do not knowingly collect personal data from children. Under India's DPDP Act, a "child" is an individual under the age of 18, and we do not knowingly process a child's personal data without verifiable consent of a parent or lawful guardian. We do not undertake tracking, behavioural monitoring or targeted advertising directed at children, and we do not process children's personal data in a way that is likely to cause a detrimental effect on their well-being.
If you believe that a child has provided us with personal data, please contact us using the details in Section 14 and we will take appropriate steps to delete it.
11. Grievance Officer (India)
In accordance with India's DPDP Act and the Information Technology Act, 2000 and rules made under it, we have established a grievance redressal mechanism and designated a Grievance Officer to address questions and complaints about how we process personal data. You can contact our Grievance Officer using the details below:
- Grievance Officer: Office of the Grievance Officer, RKValidate Software Private Limited
- Email: info@rkvalidate.com
- Address: RKValidate Software Private Limited, Goodworks Building, 2nd Main Road, Electronic City Phase I, Konappana Agrahara, Electronic City, Bengaluru, Karnataka 560100, India
We will acknowledge and respond to grievances within the timeline required by applicable law, and in any event within the period prescribed under the DPDP rules, which does not exceed 90 days. If you are not satisfied with our response, you may escalate your grievance to the Data Protection Board of India.
12. Third-party links and services
Our Website and communications may contain links to third-party websites, services or resources, including our profiles on platforms such as LinkedIn and YouTube. We provide these links for convenience, and we do not control and are not responsible for the privacy practices or content of those third parties. When you follow a link to another site or interact with a third-party platform, that third party's privacy policy and terms govern your interaction. We encourage you to review the privacy notices of any third-party services you use before providing them with personal data.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. When we make changes, we will revise the "Last updated" date at the top of this page. Where the changes are material, we will provide more prominent notice as appropriate, for example by a notice on the Website or, where we have your contact details and it is appropriate, by email. We encourage you to review this policy periodically. Your continued use of the Website after an update takes effect indicates that you have reviewed the changes, except where applicable law requires us to obtain your consent.
14. How to contact us
If you have questions about this Privacy Policy, want to exercise your rights, or wish to make a complaint, please contact us:
RKValidate Software Private Limited
- Privacy: info@rkvalidate.com
- Support: support@rkvalidate.com
- Registered office: Goodworks Building, 2nd Main Road, Electronic City Phase I, Konappana Agrahara, Electronic City, Bengaluru, Karnataka 560100, India
- Grievance Officer (India): info@rkvalidate.com
Questions about your data?
Our team is happy to walk you through how RKValidate handles personal data and to help you exercise your rights.