EZExecute Privacy Policy

Important Notice

Plain-language summary: EZExecute acts in two roles. It is a data fiduciary for its own business operations, and a processor where it handles customer-controlled document data only on customer instructions.

This Privacy Policy explains how EZExecute collects, uses, stores, discloses, transfers, safeguards, and otherwise processes personal data in connection with the Services.

Who We Are and Scope

Plain-language summary: This policy covers website users, customers, signers, invitees, and support interactions.

For website visitor data, account administration, billing, product analytics, support, fraud prevention, service security, marketing, and EZExecute's own legal compliance, EZExecute generally acts as an independent data fiduciary or controller.

For customer-uploaded documents and workflow data processed only on behalf of business customers under their instructions, EZExecute generally acts as a data processor, service provider, or equivalent downstream processing role.

If a signed data processing agreement or master services agreement applies, that agreement prevails over this Policy for the covered processing.

Categories of Personal Data

Plain-language summary: EZExecute processes only the data categories reasonably needed to operate the platform and customer workflows.

We may process identity data, contact data, credentials, authentication data, business and employment details, KYC or verification data, payment and billing data, device and technical data, transaction and workflow metadata, signatures and signature-related data, document content, communications records, support records, marketing preferences, and legally required compliance records.

Document content may include personal data about third parties whose information is uploaded by a customer. In those cases, the customer remains responsible for the lawfulness of the upload and the relevant notices and permissions.

Sources of Personal Data

Plain-language summary: Data comes from you, your organization, other users, platform use, and service providers.

We collect personal data directly from you, from your employer or organization, from another user who invites you into a workflow, from the documents you upload or sign, from our verification and payment partners, from integrations, from public or licensed business-information sources, and from your use of the Services.

We may also generate inferred data such as workflow history, service usage patterns, and risk indicators for security, support, and product integrity.

Purposes of Processing and Legal Grounds

Plain-language summary: EZExecute uses data to provide the service, secure it, and comply with law.

We process personal data to create and administer accounts; authenticate users; conduct KYC, KYB, fraud-prevention, and sanctions-related checks; route and complete execution workflows; generate audit trails and completion records; provide support; process payments; maintain resilience, backups, and security; improve our products; communicate service updates; enforce contracts; and comply with legal obligations.

Where required by Indian law, we rely on consent supported by a clear notice. We may also process personal data where a lawful purpose or a permitted lawful use applies, including where a data principal voluntarily provides data for a specified purpose and has not indicated refusal.

Where and to the extent GDPR, UK GDPR, CCPA, or similar laws apply, we will rely on the legal bases or role allocations required by those laws and any applicable supplemental notice.

Identity Verification and KYC

Plain-language summary: Verification may use several methods, depending on risk and law.

We may use email and mobile verification, OTP, liveness detection, device and network analysis, sanctions screening, document verification, selfie matching, business-registry checks, payment-instrument validation, DigiLocker or equivalent e-document checks, Aadhaar-based methods where lawfully available and expressly selected, and other commercially reasonable verification tools.

Where an Aadhaar-based or equivalent identity method is used, EZExecute aims to minimize collection and retention and to keep only the data or references reasonably needed for verification, evidence, fraud prevention, and legal compliance.

We may refuse or pause a workflow if identity, authority, or lawfulness cannot be satisfactorily verified.

How We Share Personal Data

Plain-language summary: EZExecute shares data only within operational, legal, and contractual boundaries.

We may share personal data with affiliates, cloud and storage vendors, support vendors, communication providers, identity verification providers, KYC and fraud vendors, payment processors, analytics providers, insurers, advisers, auditors, acquirers in a corporate transaction, regulators, law-enforcement bodies, tribunals, courts, and others where disclosure is reasonably necessary to provide the Services, protect rights, or comply with law.

We may also share status information, workflow records, completion records, and related metadata with the customer or account owner that initiated the workflow.

We require relevant service providers and sub-processors to operate under written confidentiality, security, and restriction terms appropriate to the nature of the processing.

Processor and Sub-Processor Commitments

Plain-language summary: Where EZExecute acts for a customer, it follows the customer's instructions within legal and practical limits.

To the extent EZExecute processes personal data on behalf of a business customer, EZExecute will process that personal data only on the documented instructions of the customer, unless otherwise required by law.

EZExecute will implement reasonable technical and organizational safeguards appropriate to the processing, will ensure relevant confidentiality obligations, and will provide reasonable assistance with rights requests, compliance inquiries, and incident management where commercially feasible and legally appropriate.

Unless a signed agreement provides otherwise, the customer authorizes EZExecute to use sub-processors. EZExecute may maintain a sub-processor list on its website or make it available on request.

Storage Location and Cross-Border Transfers

Plain-language summary: Data may be stored in India and elsewhere, subject to law and contract.

Personal data may be stored and processed in India and in other jurisdictions where EZExecute, its affiliates, or approved service providers maintain operations or infrastructure, subject to applicable law.

EZExecute may transfer personal data outside India where such transfer is lawful and reasonably necessary for service delivery, support, resilience, security, or group operations.

If a customer needs a specific storage region or residency commitment, that commitment must be expressly stated in a signed order form or data processing agreement.

Security Measures

Plain-language summary: EZExecute uses a reasonable-security framework, not a promise of perfect security.

EZExecute maintains technical and organizational safeguards designed to protect personal data against unauthorized access, disclosure, misuse, alteration, and loss. These may include encryption in transit, encryption or equivalent protection at rest where appropriate, least-privilege access control, logs and monitoring, change control, backups, vulnerability management, vendor due diligence, and incident response procedures.

No platform can guarantee absolute security. Users remain responsible for credential security, endpoint hygiene, and lawful workflow configuration.

Data Retention

Plain-language summary: Data is retained only for as long as necessary, subject to legal and operational exceptions.

EZExecute retains personal data for as long as necessary for the relevant purpose, contract performance, fraud prevention, support, evidence preservation, analytics, and compliance with law, tax, accounting, audit, limitation, and legal-hold requirements.

Unless a longer period is required by law or agreed in writing, EZExecute may retain account, billing, and contractual records for the applicable limitation and audit period; security and service logs for the period reasonably required for security and legal compliance; workflow evidence and completion records for the period communicated in product settings or contract terms; and backups for the ordinary backup cycle.

Where EZExecute processes personal data on behalf of a customer, it will delete or return the relevant data after termination and the end of any stated retrieval period, unless retention is required for law, fraud investigation, unresolved disputes, legal hold, or backup integrity.

Cookies and Similar Technologies

Plain-language summary: EZExecute uses essential and analytics technologies and may offer additional controls where law requires.

EZExecute and its vendors may use cookies, SDKs, pixels, local storage, session tokens, and similar technologies to run the Services, remember preferences, authenticate sessions, prevent fraud, measure performance, understand usage, and support product improvement and, where permitted, marketing.

You may manage such technologies through browser or device settings, but some features may not work properly if essential technologies are disabled.

Marketing Communications

Plain-language summary: Operational messages are mandatory; promotional messages are optional where law requires.

EZExecute may send account, billing, security, transaction, and legal notices that are necessary for the operation of the Services.

Where permitted, EZExecute may also send newsletters, event updates, product announcements, and promotional communications. You may opt out of non-essential marketing by using the unsubscribe mechanism, in-product preferences, or the contact details below.

Children's Data

Plain-language summary: The default position is adult-only use.

The Services are not directed to children and are not intended for use by anyone under eighteen years of age except where a lawful workflow specifically requires processing under adult control and with verifiable consent as required by law.

EZExecute does not knowingly undertake tracking, behavioural monitoring, or targeted advertising directed at children where prohibited by law.

If EZExecute learns that it processed a child's personal data without the required legal basis or consent, it may suspend the relevant account or workflow and take appropriate deletion or restriction steps.

Data Subject Rights

Plain-language summary: The policy follows the Indian rights framework and routes processor-side requests appropriately.

Subject to applicable law and role allocation, you may have rights to access information about your personal data, seek correction, completion, updating or erasure, withdraw consent, seek grievance redressal, nominate a representative, object to certain processing, request portability, or make other legally available requests.

If EZExecute processes personal data only on behalf of a business customer, EZExecute may direct your request to that customer or ask you to contact that customer directly.

EZExecute may verify identity before acting on a request and may refuse or limit requests where legally permitted, including where retention is required for legal compliance, fraud prevention, security, backups, or the establishment, exercise, or defence of legal claims.

Personal Data Breach Response

Plain-language summary: EZExecute will investigate, contain, and notify where law requires.

If EZExecute becomes aware of a personal data breach affecting personal data under its control, it will take commercially reasonable steps to contain, assess, investigate, and remediate the incident.

Where required by applicable law, EZExecute will notify affected individuals, customers, regulators, or authorities in the legally required form and timeframe.

Where EZExecute acts as a processor for a business customer, EZExecute will notify the relevant customer without undue delay after becoming aware of a confirmed incident affecting customer-controlled personal data, subject to the need to verify the incident, prevent further harm, preserve evidence, and comply with law-enforcement restrictions.

International Supplemental Position

Plain-language summary: This is an India-first policy; non-Indian supplements are added when actually needed.

EZExecute is designed as an India-first legal and privacy framework. If EZExecute actively targets users in the European Economic Area, the United Kingdom, California, or another jurisdiction with separate privacy obligations, EZExecute may publish additional supplemental notices, transfer terms, or data processing addenda.

Unless such a supplemental notice or signed contract expressly states otherwise, this Policy does not represent that EZExecute is currently subject to every non-Indian privacy regime worldwide.

Contact and Updates

Plain-language summary: EZExecute may update the policy and will provide contact details for privacy matters.

EZExecute may update this Privacy Policy from time to time. The revised version will be posted with a revised effective date. Where required by law, additional notice or fresh consent will be provided.

For privacy questions, requests, or complaints, contact: sidhant@eznotary.in