Privacy Policy — TrustMark

Last updated: 11 July 2026 · Effective from: 11 July 2026

1. Who we are

TrustMark is a digital due-diligence service operated by Innovexsis Consulting Pvt. Ltd. ("Innovexsis", "we", "us", "our"), a DPIIT-recognized entity registered in India. Under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025, Innovexsis acts as the Data Fiduciary for personal data processed through TrustMark.

Grievance / Data Protection contact: grievance@daretolaw.com

2. Whose data we process

  • Requesters: individuals who create an account and commission a verification.
  • Subjects: the individual(s) being verified, who provide their own consent independently via a dedicated, token-gated consent flow before any verification begins.
  • Secondary subjects: family members included under the Complete or Elite tiers, each separately and independently consented.

3. What we collect

  • Identity data — name, masked Aadhaar / Virtual ID status, PAN verification status, DOB, photograph
  • Contact data — phone number, email
  • Education & employment data — degree, institution, employer, designation
  • Public-record data — court case listings, public social-media posts, public professional profiles
  • Payment data — transaction ID, amount, status (via Razorpay; we do not store card / UPI credentials)
  • Consent & audit data — timestamps, IP, device/browser metadata, OTP logs

We do not collect full/raw Aadhaar numbers, private messages, call records, banking passwords, or any data obtained through unauthorized access to any account or device.

4. Why we process this data (purpose limitation)

Solely to: (a) authenticate consent, (b) run the specific verification checks the Requester has paid for and the Subject has separately consented to, (c) generate the PDF report, (d) process payment, (e) comply with legal obligations, (f) prevent fraud and misuse of the platform. We do not use Subject data for advertising, unrelated profiling, or sale to third parties under any circumstance.

5. Legal basis

Processing is based on explicit, free, specific, informed, and unambiguous consent given by the Data Principal via an affirmative digital act (OTP verification + granular per-scope toggle), in accordance with Section 6 of the DPDP Act. Consent can be withdrawn at any time (see Section 9).

6. How consent works

Every Subject is shown a separate, plain-language consent toggle for each verification scope — identity / education / employment / litigation / social media / financial / visual — never a single bundled "I agree" checkbox. The exact consent text shown is logged and time-stamped for each scope, satisfying our burden-of-proof obligation under Section 6(10) of the DPDP Act.

7. Data sharing

  • Licensed KYC / BGV API vendors — for identity/education verification, under data-processing agreements
  • Razorpay — for payment processing only
  • WhatsApp Business Platform / Meta — for OTP and notification delivery
  • Empanelled advocates — only where the Requester separately books a consultation and chooses to share
  • Marketplace field-verification partners — only where the Requester opts into the Field add-on

8. Retention

Case data (including verification results and the generated report) is retained for a maximum of 180 days after case closure, after which sensitive fields are automatically purged. Audit and consent logs are retained separately for statutory recordkeeping.

9. Your rights as a Data Principal

You have the right to:

  • Access a summary of the personal data we hold about you
  • Correction / erasure of personal data
  • Withdraw consent (which stops future processing; already-completed processing remains valid)
  • Nominate another individual to exercise these rights on your behalf
  • File a grievance with our Grievance Officer, and if unresolved, with the Data Protection Board of India

10. Security safeguards

Encryption at rest and in transit, row-level access controls on all case-related tables, role-based admin access, and a documented breach-notification process — any personal data breach will be reported to the Data Protection Board of India and affected individuals within the DPDP-mandated timeline.

11. Children's data

TrustMark is not intended for use by, or in respect of, any individual under 18. If we become aware that a Subject is a minor, the case is terminated and all associated data purged immediately.

12. Changes to this policy

We will notify Requesters and Subjects of material changes and require fresh consent where the change affects the purpose or scope of processing.

13. Contact

Innovexsis Consulting Pvt. Ltd. · trustmark@daretolaw.com · grievance@daretolaw.com