Last updated: March 15, 2026

Privacy Policy

Tristack Technologies LLP is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and how we protect it.

1. Overview

Tristack Technologies LLP ("we", "us", "our"), operator of ScanShield, acts as the data controller for personal data collected through this platform. We process personal data in accordance with applicable data protection law, including the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act"), and, to the extent applicable, the General Data Protection Regulation ("GDPR").

This policy applies to data collected via scanshield.tristack.tech, including registration, scanning activity, payment, and support interactions. It does not apply to third-party websites we may link to.

2. Data We Collect

We collect the following categories of personal and operational data:

Account Data

Name, email address, bcrypt-hashed password, account creation date, email verification status, account role.

Scan & Domain Data

Domain names added for verification, DNS verification tokens, scan targets, scan profiles selected, scan results and full vulnerability reports, credit transaction history, and scan configuration options.

Payment Data

Razorpay order IDs, payment IDs, amount paid (in paise), credit quantities. Full card/bank details are handled exclusively by Razorpay and never transmitted to or stored on our servers.

Technical Data

IP addresses (captured in audit logs and worker heartbeats), browser type and version (from HTTP headers), session tokens (stored in encrypted JWT cookies), scanner machine metadata (CPU load, RAM, disk — for operational monitoring only).

Communications

Support emails and enquiries sent to us; transactional email delivery logs maintained by ZeptoMail (subject to their own retention policy).

3. How We Use Your Data

We process your data on the following legal bases:

  • Contract performance: providing scan services, processing credit transactions, managing your account, generating and storing reports.
  • Legitimate interest: fraud prevention and abuse detection, security monitoring, system health telemetry, improving the platform.
  • Legal obligation: responding to law enforcement requests, maintaining financial records, cooperating with regulatory inquiries.
  • Consent: sending marketing or product update emails (you may opt out at any time via the unsubscribe link in each email).

We do not use your scan data to train machine learning models or to build advertising profiles. Scan reports are stored encrypted and are never shared with third parties except as described below.

4. Third-Party Services We Use

We engage the following sub-processors who may handle your personal data. Each is bound by appropriate data processing agreements and security standards:

Service             Purpose                         Data Shared
Neon (Vercel)       PostgreSQL database hosting     All structured account & scan data
Razorpay            Payment processing              Order amounts; no card data leaves Razorpay
ZeptoMail (Zoho)    Transactional email delivery    Recipient email, name, email content
Vercel              Application hosting & CDN       Request logs, IP addresses

We do not sell your personal data to any party, ever.

5. Storage & Security

Your data is stored in Neon-managed PostgreSQL databases located in AWS data centres. Data at rest is encrypted using AES-256. Data in transit is protected by TLS 1.2+ on all connections between your browser, our application servers, and our database.

Passwords are hashed with bcrypt (cost factor ≥ 10) and are never stored in plain text or transmitted after initial creation. API keys for scanner machines are stored as bcrypt hashes. Scan reports stored as JSONB in the database inherit the same encryption at rest.

We implement role-based access controls ensuring that user data is only accessible to the account owner and authorised administrative staff. Administrative access is logged in an immutable audit log.

6. Sharing & Disclosure

We will not share your personal data with third parties except:

  • With sub-processors listed above, strictly to operate the Service
  • When required by applicable law, court order, or government authority
  • To protect the rights, property, or safety of the Company, our users, or the public
  • In connection with a merger, acquisition, or sale of assets — in which case you will be notified
  • With your explicit consent

7. Data Retention

We retain your personal data for as long as your account is active and as reasonably necessary to provide the Service. Specific retention periods:

  • Account data: until account deletion + 90 days for backup purge cycles
  • Scan reports: 12 months from scan completion, then soft-deleted; permanently purged after a further 30 days unless you request earlier deletion
  • Payment records: 7 years as required by Indian financial regulation
  • Audit logs: 2 years for security and compliance purposes
  • IP address logs: 90 days

You may request deletion of your account and data at any time. We will fulfil deletion requests within 30 days, subject to the legal retention obligations listed above.

8. Your Rights

Depending on your jurisdiction and applicable law, you have the following rights with respect to your personal data. To exercise any right, contact us at hello@tristack.tech:

Access

Request a copy of the personal data we hold about you.

Correction

Request correction of inaccurate or incomplete data.

Deletion

Request deletion of your personal data (right to erasure), subject to legal retention obligations.

Portability

Receive your data in a machine-readable format.

Objection

Object to processing of your data for legitimate interest purposes.

Restriction

Request restriction of processing in certain circumstances.

Withdrawal

Withdraw consent for processing based on consent at any time.

Grievance

Lodge a grievance with our Data Protection Officer or a supervisory authority.

We will respond to rights requests within 30 days (extendable by a further 30 days for complex requests, with notice). We may request identity verification before processing your request.

9. Cookies & Analytics

We use the following cookies:

  • next-auth.session-token — Essential, HttpOnly, Secure: authentication JWT. Required for platform access. Expires after 30 days of inactivity or when you sign out.
  • next-auth.csrf-token — Essential: CSRF protection. Session-scoped.

We do not currently use third-party analytics, advertising cookies, or tracking pixels. If this changes, we will update this policy and provide appropriate consent mechanisms.

10. Children's Privacy

The Service is not directed to or intended for use by persons under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete such data without delay.

11. International Data Transfers

Your data may be processed outside India (e.g., by Neon on AWS, or by Vercel's edge network). We ensure that such transfers are protected by appropriate safeguards, including standard contractual clauses or adequacy decisions as applicable. By using the Service, you consent to the transfer of your data to countries outside India for the purposes described in this policy.

12. DPDP Act 2023 Compliance (India)

Under the Digital Personal Data Protection Act, 2023 (India), we recognise your rights as a "Data Principal" and our obligations as a "Data Fiduciary". We process your personal data lawfully, fairly, and transparently. We collect only the data necessary for the stated purposes (data minimisation) and implement reasonable security safeguards.

Our designated Data Protection Officer (DPO) can be reached at hello@tristack.tech. You may raise a grievance with the DPO, and we will respond within the timelines prescribed by the DPDP Act.

13. Security Breach Response

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay (and in any case within 72 hours of becoming aware of the breach where required by law) and report to relevant data protection authorities as required.

If you discover or suspect a security vulnerability in our platform, please report it responsibly to hello@tristack.tech. We commit to acknowledging responsible disclosures within 48 hours.

14. Policy Changes

We may update this Privacy Policy periodically. Material changes will be communicated via email to your registered address and/or a prominent notice on the platform at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically.

15. Contact & Data Protection Officer

Tristack Technologies LLP

For all privacy, data protection, and security disclosure enquiries, contact: hello@tristack.tech

Response time: within 5 business days for general enquiries; 30 days for rights requests.