This is the full Privacy Policy. For a plain-language overview of how Terriqon protects your field data, see Data Protection and PII Stripping.
1. Our Role: Data Fiduciary and Data Processor
Terriqon operates in two distinct privacy roles depending on the category of data involved. Data Fiduciary / Controller — Account and Website Data: When Terriqon collects personal data about you directly — such as your name, email address, and payment details provided when you sign up for a Terriqon account — Terriqon acts as the Data Fiduciary under the India Digital Personal Data Protection Act, 2023 (“DPDP Act”) and as the Data Controller under the EU General Data Protection Regulation (“GDPR”). Terriqon determines the purposes and means of processing this data. Data Processor — Customer Field Data: When your organisation uses the Terriqon platform to collect, store, and process field data about third parties (such as beneficiaries, survey respondents, or programme participants), Terriqon acts as a Data Processor on your instructions. Your organisation is the Data Fiduciary / Data Controller for that data. Terriqon processes it only to provide the platform services you have requested, in accordance with your instructions and applicable data processing agreements.2. Personal Data We Collect
Account and Organisation Data
When you register for a Terriqon account or manage an organisation on the platform, we collect:- Full name and email address of account holders and invited users
- Organisation name and country
- User roles assigned within the platform (Admin, Manager, Field Officer)
- Authentication credentials (passwords stored as salted hashes; we never store plaintext passwords)
- Profile information provided voluntarily
Field Data
Field data is submitted by your Field Officers using forms your organisation creates and deploys. Terriqon stores this data on your behalf as Data Processor. The categories of personal data in field submissions depend entirely on the forms you design. Common categories in field programmes include names, locations, case references, responses to survey questions, uploaded files, audio recordings, and signatures. Terriqon does not examine or use this data for any purpose other than providing the platform to you.Billing Data
When you subscribe to a paid Terriqon plan, billing is handled by our payment processor, Stripe. Terriqon receives and retains:- Subscription tier and status
- Billing contact name and email
- Country and postal code (for tax purposes)
- Last four digits of your payment card and card type (for display purposes only)
Website and Marketing Data
When you visit terriqon.com or interact with Terriqon marketing content, we may collect:- IP address and approximate location (country/region level)
- Browser type, operating system, and device type
- Pages visited, referrer URL, and session duration
- Email address if you sign up for marketing communications
Support Communications
When you contact Terriqon through the in-app support chat (Crisp) or by email, we collect the content of those communications, your name and email address, and any information you choose to provide to help resolve your query. Support conversations are retained to enable follow-up and to improve our support quality.3. How We Use Personal Data, and Our Legal Basis
| Purpose | Legal Basis (India DPDP Act) | Legal Basis (EU/EEA GDPR) |
|---|---|---|
| Providing and operating the Terriqon platform | Consent / Legitimate use | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Legitimate use | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (account, security, billing) | Legitimate use | Performance of a contract / Legitimate interests (Art. 6(1)(b)/(f)) |
| Sending product and marketing emails | Consent | Consent (Art. 6(1)(a)) |
| Product analytics and platform improvement | Legitimate use | Legitimate interests (Art. 6(1)(f)) |
| Providing customer support | Legitimate use | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation | Legal obligation (Art. 6(1)(c)) |
| Detecting and preventing fraud and abuse | Legitimate use | Legitimate interests (Art. 6(1)(f)) |
4. AI Processing and Privacy Safeguards
Terriqon offers AI-powered programme reports generated from aggregated field submission data. Before any field data is passed to AI processing components, Terriqon runs an automated PII stripping pipeline that removes personal identifiers. The pipeline:- Excludes all fields tagged with a sensitivity classification of
personally identifiableorrestricted - Always strips GPS coordinates and all precise geolocation data, regardless of tagging
- Excludes structural field types known to carry personal data: free text, names, phone numbers, device and subscriber IDs, case IDs, file uploads, audio recordings, and signatures
- Applies pattern-matching to detect and exclude national identification numbers, passport numbers, bank account numbers, and payment card numbers
- Records a redaction manifest in the organisation’s audit log documenting every exclusion
5. Sub-Processors
Terriqon engages the following sub-processors to deliver the platform. Each is bound by data processing agreements ensuring data is handled with appropriate safeguards.| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing and subscription billing | United States / Ireland |
| Railway | Application hosting and backend infrastructure | United States |
| Cloudflare | Content delivery network, DDoS protection, DNS | United States (global network) |
| PlanetScale | Managed relational database hosting | United States |
| Amazon Web Services | Application hosting and object storage | United States |
| ZeptoMail | Transactional email delivery | United States |
| Loops | Product and marketing email communications | United States |
| Crisp | Customer support live chat | France / European Union |
| PostHog | Product usage analytics | United States / European Union |
6. Cross-Border Data Transfers
Terriqon is incorporated in India and its primary users include organisations operating in India, the EU/EEA, and other jurisdictions. Your data may be processed by sub-processors located in the United States, France, and other countries outside your own jurisdiction. Where personal data originating from the EU/EEA is transferred to countries not recognised by the European Commission as providing an adequate level of protection, Terriqon relies on the European Commission’s Standard Contractual Clauses (“SCCs”) as the legal mechanism for those transfers. Where personal data originating from India is transferred internationally, Terriqon relies on the cross-border transfer provisions of the DPDP Act and applicable rules thereunder.7. Data Retention
| Category | Retention Period |
|---|---|
| Account and organisation data | Retained for as long as your account is active |
| Field data (Customer Data) | Retained for as long as your account is active |
| After full account cancellation | 30-day window for you to export data; production deletion completed within 90 days of cancellation |
| Billing and financial records | Retained for up to 8 years as required by applicable financial and tax law |
| Backup copies | Overwritten on a rolling ~90-day cycle |
| Support communications | Retained for a reasonable period to enable follow-up and quality improvement |
| Marketing email consent records | Retained until consent is withdrawn, plus a reasonable period for legal compliance |
8. Data Security
Terriqon implements the following technical and organisational security measures:- Encryption in transit: All data is transmitted over TLS-encrypted connections.
- Role-based access control: Platform users are restricted to resources within their assigned role and organisation.
- Private cloud storage: All uploaded files are stored in private (non-public) buckets and accessed exclusively through time-limited signed URLs.
- Audit logging: All access, administrative actions, report approvals, and report exports are recorded in a permanent audit log.
- Secure session management: User sessions are managed with cryptographically secure tokens that expire on inactivity and are invalidated on sign-out.
9. Your Rights
Rights under the India DPDP Act
If you are a data principal under the DPDP Act, you have the right to:- Access: Obtain a summary of personal data Terriqon holds about you and how it is processed.
- Correction: Request correction of inaccurate or incomplete personal data.
- Erasure: Request erasure of personal data where retention is no longer necessary for the original purpose, subject to legal retention obligations.
- Withdraw consent: Where processing is based on consent, withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Grievance redressal: Lodge a grievance with Terriqon’s Grievance Officer (see Section 15).
- Nomination: Nominate a person to exercise your rights in the event of your death or incapacity.
Rights under the EU/EEA GDPR
If you are a data subject under the GDPR, you have the right to:- Access (Art. 15): Obtain a copy of your personal data and information about how it is processed.
- Rectification (Art. 16): Request correction of inaccurate personal data.
- Erasure / Right to be Forgotten (Art. 17): Request deletion of your personal data in certain circumstances.
- Portability (Art. 20): Receive your personal data in a structured, machine-readable format.
- Restriction of processing (Art. 18): Request that we limit how we process your data in certain circumstances.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
- Lodge a complaint: File a complaint with a supervisory authority in your EU member state.
10. Cookies and Tracking Technologies
Terriqon uses cookies and similar technologies on terriqon.com and within the Terriqon platform. Some cookies are strictly necessary for the platform to function; others are optional and used for analytics and support. For a complete description of the cookies we use, how to manage your preferences, and how to opt out, please see the Cookies Policy.11. Children’s Data
Terriqon is a business-to-business platform intended for use by organisations and their employees or authorised representatives. Terriqon does not knowingly collect personal data directly from individuals under the age of 18. If you believe that a child’s personal data has been submitted to Terriqon without appropriate authorisation, please contact us at support@terriqon.com so we can take appropriate action.12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Terriqon will:- Notify affected customers within 48 hours of confirming the breach
- Notify relevant supervisory authorities as required by applicable law (including the Data Protection Board of India under the DPDP Act and relevant EU supervisory authorities under the GDPR)
- Provide information about the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach and mitigate its effects
13. EU Representative and Data Protection Officer
Terriqon does not currently have a formal EU Representative or a designated Data Protection Officer. Where GDPR obligations require a representative or DPO, we will update this policy accordingly. In the meantime, EU/EEA data subjects may direct all privacy inquiries to support@terriqon.com.14. Changes to This Policy
Terriqon may update this Privacy Policy from time to time to reflect changes in our practices, platform features, or applicable law. When we make material changes, we will:- Update the effective date and version number at the top of this page
- Notify active account holders by email or in-platform notification