Mittal Safety Works Private Ltd (“Company,” “we,” “us,” or “our“), a company incorporated under the Companies Act, 2013, with CIN U25933DL2024PTC428415, operating the Indcare brand, owns and operates www.mittalsafetyworks.com (the “Website“). We are committed to protecting the privacy and personal data of every individual who visits, browses, or interacts with our Website.

This Privacy Policy describes how we collect, use, store, share, and protect your personal data. It is governed by and compliant with Indian law, including the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 and its Rules, and the Consumer Protection Act, 2019. Please read this Policy carefully before using the Website.

1. Who We Are

For the purposes of the DPDP Act, 2023, Mittal Safety Works Private Ltd is the Data Fiduciary in respect of the personal data collected through this Website.

2. Scope of This Policy

This Policy applies to:

• All visitors to the Website, whether or not they are registered users.
• Business representatives, procurement officers, dealers, and distributors who interact with us through the Website.
• Individuals who contact us via the Website contact or enquiry forms, email, or WhatsApp.

This Policy does not apply to third-party websites linked from our Website. Those websites have their own privacy policies and we are not responsible for their practices.

3. Personal Data We Collect

a. Data You Provide Directly

• Identity data — your name, company name, designation.
• Contact data — email address, phone number, city, state, and PIN code.
• Enquiry data — product type, quantities, delivery location, and any other details you include in a quotation request or contact form.
• Communication data — the content of messages, feedback, complaints, and correspondence you send us.
• Account data — username and encrypted password if you register on our Website.

b. Data Collected Automatically

• Technical data — IP address, browser type, operating system, device type, screen resolution, and referring URL.
• Usage data — pages visited, time spent on pages, links clicked, and navigation paths through the Website.
• Cookie data — session tokens, analytics identifiers, and preference cookies. See Section 9 for full details.

c. Sensitive Personal Data

We do not intentionally collect sensitive personal data as defined under the IT (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 — including financial passwords, physical and mental health information, biometric data, sexual orientation, or medical records. If you inadvertently include such data in a message or form, we will delete it and not use it for any purpose other than to notify you that such data cannot be processed.

4. How We Use Your Personal Data

We process your personal data only for the purposes for which it was collected and only to the extent necessary for those purposes:

• To respond to your product enquiries and bulk quotation requests promptly.
• To process and manage dealer, distributor, and vendor registration enquiries.
• To send you relevant product information, safety footwear catalogues, and industry updates — only where you have consented or have an existing business relationship with us.
• To administer your account if you have registered on the Website.
• To improve the Website, diagnose technical problems, and analyse usage patterns.
• To verify your identity and prevent fraudulent or unauthorised use of the Website.
• To comply with applicable Indian law, judicial orders, and regulatory requirements.
• To maintain internal business records and communicate with you regarding our business relationship.

We will not use your data for automated profiling, behavioural advertising, or any decision-making that produces legal effects without human review.

5. Legal Basis for Processing (DPDP Act, 2023)

The Digital Personal Data Protection Act, 2023, requires a valid legal basis for processing personal data. We rely on the following:

• Consent (Section 6, DPDP Act) — when you submit a contact form, request a quote, or sign up for communications, you provide free, specific, informed, and unambiguous consent. You may withdraw this consent at any time by writing to legal@mittalsafetyworks.com, without affecting the lawfulness of processing before withdrawal.
• Legitimate use (Section 7, DPDP Act) — for processing necessary to perform a contract or pre-contractual steps (responding to your enquiry), for compliance with Indian law, for protecting the vital interests of any person, and for our legitimate business interests in Website security and fraud prevention.

6. Disclosure and Sharing of Personal Data

We do not sell, rent, or trade your personal data. We disclose personal data only in the following circumstances:

• Technology service providers — Amazon Web Services (AWS) for website hosting and email delivery via SES (data processed under AWS Data Processing Addendum); Google LLC for Analytics (anonymised). These processors are bound by contractual obligations to process data only on our instructions, maintain confidentiality, and implement appropriate security measures.
• Authorised regional dealers — if your enquiry requires fulfilment by an authorised Indcare dealer in your region, we may share your name, contact number, and product requirement with that dealer. We will inform you before doing so and limit sharing to only what is necessary.
• Professional advisers — solicitors, accountants, auditors, and insurers who are bound by professional confidentiality obligations.
• Legal and regulatory authorities — when required by a court order, direction from a government authority, or under the obligations of any applicable Indian law, including the DPDP Act, IT Act, or GST Act.
• Corporate transactions — in the event of a merger, acquisition, restructuring, or sale of the Company, personal data may be transferred to the successor entity, subject to equivalent data protection obligations. You will be notified of such a transfer in advance.

We will not disclose your personal data to any third party for their own marketing purposes.

7. Cross-Border Data Transfers

Our Website is hosted on Amazon Web Services infrastructure primarily in the Asia Pacific (Mumbai) — ap-south-1 region. Some service providers (including Google Analytics) may process data in other jurisdictions.

Where personal data is transferred outside India, we ensure that the transfer is subject to adequate safeguards — including contractual clauses and processor agreements — in accordance with the requirements that will apply under the rules to be notified under the DPDP Act, 2023. Until such rules are notified, we apply standard data processing agreements with international processors.

8. Data Retention

We retain personal data only for as long as is necessary for the purpose it was collected, or as required by law:

• Enquiry and contact data — retained for 3 years from the date of last interaction, unless an ongoing business relationship requires longer retention.
• Account data — retained for the duration of your account and for 1 year after account closure.
• Analytics data — anonymised and aggregated; retained for up to 26 months per Google Analytics defaults, with identifiable data retained for no more than 14 months.
• Legal, financial, and tax records — retained for 8 years as required under the Companies Act, 2013, GST Act, and Income Tax Act, 1961.
• Communication records — retained for 3 years for dispute resolution purposes.

At the end of the applicable retention period, personal data is securely deleted or rendered irreversibly anonymous.

9. Cookies and Tracking Technologies

Cookies are small data files placed on your device. We use the following categories:

• Strictly necessary cookies — session management, security tokens, and login state. These cannot be disabled as the Website cannot function without them. No personal data beyond session identifiers is stored.
• Analytics cookies — Google Analytics 4 (GA4) uses cookies to collect anonymised information about how visitors use the Website. GA4 does not identify individual users. You may opt out at any time using the Google Analytics Opt-out Browser Add-on or by disabling cookies in your browser settings.
• Preference cookies — may be used to remember your preferences (e.g., language or display settings). These are not currently deployed on this Website.

We do not use advertising, tracking, or third-party marketing cookies. You can control cookie settings through your browser. Disabling strictly necessary cookies may impair Website functionality.

10. Security Measures

We implement technical and organisational security measures appropriate to the risk involved in processing your personal data:

• TLS/HTTPS encryption for all data in transit between your browser and our servers.
• AWS security groups, network firewalls, and encrypted storage at rest.
• Application-level security controls including OWASP-aligned HTTP security headers.
• Access controls limiting data access to authorised personnel only, on a need-to-know basis.
• Regular security assessments, malware scanning, and log monitoring.
• Periodic review and update of security practices in response to new threats.

Despite these measures, no method of electronic transmission or storage is completely secure. In the event of a personal data breach that is likely to result in risk to your rights, we will notify you and, where required, the Data Protection Board of India, within the timeframes prescribed under the DPDP Act, 2023.

11. Your Rights Under Indian Law

As a Data Principal under the DPDP Act, 2023, you have the following rights in relation to your personal data:

• Right to access (Section 11) — you may request a summary of the personal data we hold about you and the processing activities being carried out.
• Right to correction and erasure (Section 12) — you may request correction of inaccurate or incomplete data, and erasure of personal data that is no longer necessary for the purpose it was collected, subject to our legal retention obligations.
• Right to grievance redressal (Section 13) — you have the right to have your grievances related to the exercise of these rights addressed by our Grievance Officer within the timeframe prescribed.
• Right to nominate (Section 14) — you may nominate another individual to exercise your rights in the event of your death or incapacity.
• Right to withdraw consent — you may withdraw consent at any time for any processing based on consent, without affecting the lawfulness of prior processing.

To exercise any of these rights, write to our Grievance Officer at legal@mittalsafetyworks.com. We will acknowledge receipt within 48 hours and respond substantively within 30 days. If you are dissatisfied with our response, you may approach the Data Protection Board of India (once constituted under the DPDP Act) or seek remedies under any other applicable Indian law.

12. Grievance Redressal

In accordance with the Information Technology Act, 2000 and IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have designated a Grievance Officer:

13. Children’s Data

This Website is intended exclusively for business and professional users aged 18 years and above. We do not knowingly collect, process, or store personal data of children under 18. If you believe that a child has provided personal data to us, please write immediately to legal@mittalsafetyworks.com and we will take prompt steps to delete such data. Under the DPDP Act, 2023, we will not process children’s data without verifiable parental consent.

14. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will update the “Last Updated” date at the top of this page and, where the changes are significant, notify registered users by email. We encourage you to review this Policy each time you visit the Website. Your continued use of the Website after the updated Policy is posted constitutes your acceptance of the changes.

15. Contact and Grievance Officer