Privacy Policy

InfriaX Inc. ('InfriaX', 'we', 'us', or 'our') is a global technology and venture studio providing services including — but not limited to — mobile application development (iOS and Android), web application development, SaaS product development, digital marketing (including Google Ads, Meta Ads, and programmatic advertising), cybersecurity services, cloud infrastructure, UI/UX design, branding, business strategy, and all related digital services ('Services'). This Privacy Policy applies to: (i) visitors to our website at infriax.com; (ii) clients, partners, and prospective clients who engage with our Services; (iii) end users of applications and platforms built or operated by InfriaX; (iv) individuals who interact with any digital product, advertisement, or communication originating from InfriaX. By using our website or Services, you acknowledge that you have read, understood, and agree to the practices described in this Policy.

Controller Information

InfriaX Inc. is the data controller responsible for your personal data processed through our corporate website and direct client services. Where InfriaX develops, deploys, or operates digital products on behalf of clients, InfriaX may act as a data processor. In such cases, the client entity is the data controller and InfriaX processes data pursuant to a Data Processing Agreement ('DPA'). For questions about which role applies to your situation, contact privacy@infriax.com.

2.1 Information You Provide Directly

When you interact with InfriaX — including contacting us, applying for a partnership, requesting a quote, or entering into a service agreement — we may collect: your full name; email address and phone number; company name, registration number, and business address; role or job title; project brief, business requirements, and technical specifications; financial information required for billing and invoicing; messages, files, and correspondence you send us; identity verification documents where required by law or contract; and any other information you voluntarily share with us.

2.2 Information Collected Automatically (Website)

When you visit our website, we automatically collect: IP address and derived geolocation (country/region level); browser type, version, and language settings; device type, operating system, and screen resolution; pages visited, time on page, scroll depth, and click paths; referring URLs and search keywords; session identifiers and interaction logs; and cookie and tracking technology data as described in our Cookie Policy.

2.3 Information Collected via Mobile Applications

Where InfriaX develops or operates mobile applications (iOS and Android), those applications may collect — subject to user permissions and the specific app's privacy notice: device identifiers (IDFA on iOS, Android Advertising ID, or their privacy-preserving equivalents); device model, OS version, and carrier; push notification tokens; precise or approximate GPS location (only where the app function requires it and the user grants permission); camera and microphone access (only where the app function requires it and the user grants permission); contacts, calendars, or health data (only where the app function requires it and the user grants permission); app usage analytics and crash reports; and in-app purchase and subscription data processed through Apple App Store or Google Play billing systems. Each mobile application we develop contains its own specific privacy notice aligned with Apple App Store and Google Play data safety requirements.

2.4 Information Collected via SaaS & Web Platforms

For SaaS products and web platforms built or operated by InfriaX, we may collect: account registration information (name, email, password hash); user-generated content uploaded or created within the platform; usage logs and feature interaction data; API keys and integration credentials (stored encrypted); team and organisational structure data; subscription and billing data processed via third-party payment processors; and support tickets and communications.

2.5 Advertising & Marketing Data

When we run advertising campaigns on behalf of clients, or market our own Services through platforms such as Google Ads, Google Analytics, Meta (Facebook/Instagram) Ads, LinkedIn Campaign Manager, TikTok Ads, and programmatic display networks, we may process: advertising identifiers and cookie-based pseudonymous identifiers; conversion events and attribution data; audience segments derived from interest and behavioural signals (as determined by the advertising platform); retargeting lists and customer match data (hashed email addresses); and campaign performance metrics. This data is processed in accordance with the terms and data policies of each advertising platform. We do not receive raw personally identifiable information from advertising platforms unless you have separately provided it.

2.6 Security & Penetration Testing Engagements

Where InfriaX provides cybersecurity assessments, penetration testing, vulnerability management, or related security services, we may access — under strict written authorisation and defined scope — system logs, network traffic captures, application data, and infrastructure configurations belonging to our clients. All such data is handled under a separate Security Engagement Agreement, retained only as long as necessary to produce deliverables, and destroyed thereafter. Security engagement data is never used for any purpose other than the contracted assessment.

2.7 Information from Third Parties

We may receive information about you from: LinkedIn and other professional networks (when you interact with our content or request contact); referral partners who introduce potential clients; publicly available business directories and corporate registries; credit and identity verification services; and analytics, enrichment, and CRM integration providers.

We use the information we collect for the following purposes: (a) Service Delivery — to provide, manage, and improve our development, marketing, security, and consulting services; to communicate project progress, deliverables, and technical updates; to operate and maintain SaaS platforms and mobile applications. (b) Business Operations — to assess and process partnership and client applications; to generate quotes, invoices, and contracts; to manage accounts receivable and payable; to conduct due diligence. (c) Marketing & Communications — to send you relevant information about our services where permitted; to run advertising campaigns across digital channels; to analyse the performance of marketing activities; to personalise content and recommendations. (d) Analytics & Product Improvement — to understand how our website and digital products are used; to identify and fix bugs and performance issues; to develop new features and services. (e) Security & Fraud Prevention — to detect, prevent, and investigate security incidents, fraud, or misuse; to conduct authorised security assessments and penetration tests for clients. (f) Legal Compliance — to comply with applicable laws and regulations globally; to respond to lawful requests from public authorities; to establish, exercise, or defend legal claims.

Legal Bases for Processing (GDPR / UK GDPR)

Where the General Data Protection Regulation (EU GDPR) or UK GDPR applies, we rely on the following legal bases: Contract Performance (Article 6(1)(b)) — processing necessary to enter into or perform a service or engagement agreement with you. Legitimate Interests (Article 6(1)(f)) — improving our services, direct marketing to existing contacts, fraud and security monitoring, analytics — where such interests are not overridden by your rights. Consent (Article 6(1)(a)) — marketing communications to new contacts, non-essential cookies, processing of special category data where applicable. Legal Obligation (Article 6(1)(c)) — compliance with tax, financial, anti-money-laundering, and other applicable laws. Where we process data under Legitimate Interests, you may object at any time by contacting privacy@infriax.com.

Additional Legal Bases (Global)

For residents of California (CCPA/CPRA), we do not sell or share personal information for cross-context behavioural advertising without the right to opt out as described in Section 9. For residents of Brazil (LGPD), we process data based on the equivalent legal bases set out in Article 7 of the LGPD. For residents of Canada (PIPEDA/provincial laws), we process data based on consent and other permitted purposes. For residents of Singapore (PDPA), Thailand (PDPA), South Africa (POPIA), UAE (PDPL), India (DPDP Act), South Korea (PIPA), and other jurisdictions, we comply with applicable local requirements. Contact privacy@infriax.com to request jurisdiction-specific information.

We do not sell your personal data. We do not share your personal data for third-party advertising purposes without your consent or a valid legal basis. We may share your information with the following categories of recipients, all of whom are bound by appropriate data protection obligations:

4.1 Service Providers & Sub-Processors

We engage trusted third-party service providers to support our operations, including: cloud infrastructure and hosting providers (e.g. AWS, Google Cloud, Microsoft Azure); project management and collaboration platforms; customer relationship management (CRM) software; email and communication platforms; payment processors (for billing); analytics and business intelligence tools; advertising technology platforms (Google Ads, Meta Ads Manager, etc.); video conferencing and productivity tools; cybersecurity tools and monitoring services; and legal, accounting, and compliance advisors. All service providers are engaged under appropriate data processing agreements and are prohibited from using your data for any purpose other than providing services to InfriaX.

4.2 Clients (Where InfriaX Acts as Processor)

Where InfriaX develops or operates a product on behalf of a client and processes end-user data as a data processor, data is shared with the client (the data controller) as required to deliver the contracted service. The client's privacy policy governs the end user's relationship with the client.

4.3 Advertising Platforms

For marketing and advertising activities — including Google Ads, Meta Ads, LinkedIn Ads, TikTok Ads, and similar — we may share hashed customer match data, pixel-based events, and conversion data with those platforms in accordance with their terms and applicable law. These platforms process data under their own privacy policies. We maintain appropriate consent mechanisms and opt-out rights where required.

4.4 Legal & Regulatory Authorities

We may disclose personal data to government authorities, regulators, law enforcement agencies, or courts where required by law, to protect the rights, property, or safety of InfriaX, our clients, or the public, or to comply with a valid legal process.

4.5 Business Transfers

In the event of a merger, acquisition, financing, reorganisation, bankruptcy, or sale of all or part of our assets, your personal data may be transferred to the successor entity. We will notify you of any such transfer and any choices you may have.

4.6 International Transfers

InfriaX operates globally and your data may be transferred to and processed in countries outside your country of residence, including the United States, United Kingdom, European Union member states, Singapore, and Sri Lanka. Where data is transferred outside the European Economic Area (EEA) or UK, we rely on: EU Standard Contractual Clauses (SCCs); the UK International Data Transfer Agreement (IDTA); adequacy decisions of the European Commission or UK Secretary of State; or other approved transfer mechanisms. You may request a copy of the applicable transfer mechanism by contacting privacy@infriax.com.

We use cookies and similar technologies (pixels, web beacons, local storage, SDKs) on our website and in our digital products. A full description of the cookies we use, their purposes, and how to manage them is set out in our Cookie Policy at infriax.com/cookie-policy. In summary: Essential Cookies are strictly necessary to operate our website and cannot be disabled. Analytics Cookies help us understand how visitors interact with our site — we anonymise data where possible and use privacy-respecting configurations. Marketing & Advertising Cookies enable us and our advertising partners to serve relevant ads and measure campaign performance — these are only set where you have given consent or where a legitimate interest applies. You can manage your cookie preferences at any time via the cookie settings banner on our website or through your browser settings.

We retain personal data only for as long as necessary for the purposes for which it was collected, to fulfil our contractual obligations, and to comply with applicable legal requirements. Our standard retention periods are as follows: Website enquiry and contact form data — 3 years from last contact. Client and partner data — duration of the engagement plus 7 years for legal, accounting, and audit purposes. Financial and invoice records — minimum 7 years or as required by applicable tax law. Employee and contractor records — duration of engagement plus applicable statutory period. Marketing data — until you unsubscribe or withdraw consent, or 2 years of inactivity, whichever is sooner. Security engagement data — 90 days post-delivery of final report, then securely destroyed. Mobile app usage analytics — 26 months, unless a longer period is required by the applicable app's business purpose. After retention periods expire, data is securely deleted or irreversibly anonymised. Where retention is required by law, data is restricted from active use and archived securely.

Rights Under GDPR / UK GDPR (EEA & UK Residents)

You have the right to: Access — obtain a copy of the personal data we hold about you. Rectification — correct inaccurate or incomplete data. Erasure ('Right to be Forgotten') — request deletion of your data in certain circumstances. Restriction — restrict processing while a dispute is resolved. Portability — receive your data in a structured, machine-readable format. Objection — object to processing based on legitimate interests or for direct marketing at any time. Withdrawal of Consent — withdraw consent at any time without affecting the lawfulness of prior processing. Lodge a Complaint — file a complaint with your national supervisory authority (e.g. the ICO in the UK, or your EU member state's DPA).

Rights Under CCPA / CPRA (California Residents)

California residents have the right to: Know what personal information we collect, use, disclose, or sell. Delete personal information we have collected. Correct inaccurate personal information. Opt out of the sale or sharing of personal information. Limit the use of sensitive personal information. Non-discrimination for exercising any of these rights. To submit a California privacy request, contact privacy@infriax.com with the subject line 'California Privacy Request'. We will respond within 45 days as required.

Rights in Other Jurisdictions

Residents of Brazil, Canada, Singapore, South Africa, UAE, India, South Korea, Thailand, Australia, and other jurisdictions with applicable privacy laws have similar rights under their respective laws. We honour all valid privacy rights requests regardless of jurisdiction. Contact privacy@infriax.com to submit a request and specify your country of residence.

How to Exercise Your Rights

To exercise any privacy right, contact us at privacy@infriax.com. We will respond within 30 days (or the applicable statutory period for your jurisdiction). We may need to verify your identity before processing your request to protect your data from unauthorised access. We will not discriminate against you for exercising your privacy rights.

InfriaX implements a comprehensive set of technical and organisational security measures to protect personal data, including: encryption of data in transit using TLS 1.2 or higher; encryption of sensitive data at rest; role-based access controls and least-privilege principles; multi-factor authentication for internal systems; regular vulnerability assessments and penetration testing; incident response procedures and breach notification processes; employee security awareness training; background checks for personnel with access to sensitive data; secure software development lifecycle (SDLC) practices for all products we build; and contractual security obligations imposed on all sub-processors. We maintain a formal Information Security policy aligned with industry standards including ISO 27001 principles and OWASP guidelines. No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable and industry-appropriate measures, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law.

InfriaX does not sell personal information for monetary consideration. For purposes of CCPA/CPRA, we may share certain identifiers (such as cookie IDs and advertising identifiers) with advertising technology partners for cross-context behavioural advertising. California residents have the right to opt out of this sharing. To opt out, you may: (a) use the 'Do Not Sell or Share My Personal Information' link in the footer of our website; (b) configure your browser to send a Global Privacy Control (GPC) signal, which we honour automatically; or (c) contact us at privacy@infriax.com. We do not knowingly sell or share the personal information of minors under 16 years of age.

Our corporate website and direct Services are not directed to children under the age of 13 (or 16 where required by applicable law, including under the GDPR). We do not knowingly collect personal data from children without verifiable parental consent. For mobile applications or platforms we develop that are intended for or may attract child users, we implement appropriate age-gating, parental consent mechanisms, and data minimisation practices in compliance with COPPA (US), the UK Children's Code, and equivalent local regulations. If you believe we have inadvertently collected personal data from a child without appropriate consent, please contact us immediately at privacy@infriax.com and we will take steps to delete such information promptly.

Applications developed by InfriaX and published to the Apple App Store or Google Play Store comply with: Apple's App Store Review Guidelines and App Privacy requirements, including App Privacy Labels (Nutrition Labels) accurately disclosing data collection practices. Google Play's Data Safety section requirements, accurately disclosing data collected, shared, and whether data is optional or required, as well as security practices. Platform-specific consent requirements for tracking (including Apple's App Tracking Transparency (ATT) framework and equivalent Google requirements). Age rating and content classification requirements. Where InfriaX develops an app on behalf of a client for App Store or Google Play distribution, the client is responsible for ensuring the accuracy of their app's privacy disclosures. InfriaX will provide accurate data collection documentation for all components we develop.

Our website and digital products may contain links to or integrations with third-party websites, services, and platforms — including payment gateways, social media platforms, advertising networks, analytics services, and developer tools. We are not responsible for the privacy practices or content of those third-party services. We encourage you to review the privacy policies of any third party you interact with through our products. Where we integrate third-party services into products we develop for clients, we disclose those integrations and assist clients in meeting their disclosure obligations.

We may send you marketing communications about our services, industry insights, and company news where: (a) you have opted in to receive such communications; (b) you are an existing client or contact and have not opted out, and we have a legitimate interest in communicating with you; or (c) applicable law otherwise permits. Every marketing email we send includes an unsubscribe link. You may also unsubscribe by contacting us at privacy@infriax.com. We process opt-outs promptly and within no more than 10 business days. Transactional communications (invoices, project updates, security alerts) are not subject to marketing opt-outs and will continue as necessary to manage your engagement with us.

We may update this Privacy Policy from time to time to reflect changes in our services, technology practices, or applicable law. We will post the updated policy on this page with a revised 'Last updated' date at the top. For material changes that significantly affect your rights or how we process your data, we will provide additional notice — such as a prominent website banner, email notification to registered users, or in-app notification. Your continued use of our website or services after the effective date of any update constitutes your acceptance of the revised policy. We encourage you to review this policy periodically.

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy Team at: privacy@infriax.com. For GDPR-related enquiries or to contact our Data Protection representative: legal@infriax.com. For general enquiries: infriax.com/contact. We aim to respond to all privacy enquiries within 5 business days and within the applicable statutory response period for formal rights requests. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your country.