This Privacy Policy describes how RingSafe Trust ("we", "us", the "Service") collects, uses, and shares personal data when you use our vendor risk management platform at trust.ringsafe.in.
Who we are
RingSafe Trust is operated by RingSafe (the "Company") — a cybersecurity consultancy founded in 2024 by Manish Garg and based in India. Contact: trust@ringsafe.in.
Personal data we collect
- Account data: email address, name, company name, role.
- Workspace data: vendor records, questionnaire responses, uploaded documents (these are your customers' data — see "Customer Data" below).
- Usage data: IP address, browser type, device type, pages visited, action timestamps.
- Billing data: managed by Razorpay; we receive only a payment-status token.
Customer Data (your vendor records)
When you input vendor information into the Service, you are the Data Fiduciary (DPDP) / Controller (GDPR). RingSafe Trust acts as the Data Processor. We process Customer Data only on your documented instructions, do not access it for any purpose other than providing the Service, and apply the security safeguards described in our Security section.
How we use personal data
- Provide, maintain, and improve the Service.
- Authenticate users via magic-link emails.
- Send service-related communications (questionnaire emails, breach alerts, billing receipts).
- Detect and prevent abuse, fraud, and security incidents.
- Comply with legal obligations.
Lawful basis (DPDP / GDPR)
We process personal data based on (a) contract — to deliver the Service you have signed up for; (b) consent — for marketing communications, where applicable; (c) legitimate interest — for security, fraud prevention, and product improvement, balanced against your rights; (d) legal obligation — where required by applicable law.
Where we store data
Primary storage is in Singapore (AWS ap-southeast-1) via Supabase. Pro-plan customers may request India region (AWS ap-south-1) storage for sectoral compliance. Backups are encrypted and stored in the same region as the primary copy.
Sub-processors
We use the following sub-processors:
- Supabase (Postgres + Auth + Storage) — Singapore
- Vercel (application hosting) — global edge
- Resend (transactional email) — US/EU
- Razorpay (payments) — India
- Cloudflare (DNS + CDN) — global edge
The current sub-processor list is published at /security and 30-day notice is given before adding new sub-processors.
Data retention
- Account data: retained while your account is active, plus 30 days after cancellation.
- Customer Data: retained while your subscription is active. Hard-deleted 30 days after cancellation unless you request earlier deletion.
- Audit log entries: retained 12 months for compliance evidence.
- Billing records: retained for 7 years per Indian tax law.
Your rights
Subject to applicable law (DPDP Act 2023, GDPR), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Request erasure (subject to legal retention obligations).
- Restrict or object to certain processing.
- Receive your data in a portable format.
- Withdraw consent (where processing is consent-based).
- Lodge a complaint with the Data Protection Board of India or your local supervisory authority.
To exercise any of these rights, email trust@ringsafe.in. We respond within 30 days.
Breach notification
If we suffer a personal data breach, we will notify affected customers without undue delay and, where required, within 72 hours of becoming aware. Our breach notification template is available in your dashboard under Settings → Compliance.
Children
The Service is not intended for individuals under 18. We do not knowingly collect data from children.
Changes
We may update this Policy. Material changes will be communicated via email at least 14 days before they take effect. The current version is always at trust.ringsafe.in/privacy.
Contact
For privacy questions: trust@ringsafe.in. For grievance redressal under DPDP Act 2023: same address; we respond within 30 days.