PRIVACY POLICY
Effective Date: April 16, 2025
SoapBox Software Solutions LLP
Hyderabad, Telangana, India
privacy@soapbox.cloud
1. Introduction
SoapBox Software Solutions LLP ("SoapBox", "we", "us", or "our"), a Limited Liability Partnership incorporated under the laws of India and headquartered in Hyderabad, Telangana, operates Soapbox.Cloud, a multi-tenant, cloud-based Environment, Health & Safety (EHS) platform that will progressively expand to cover Governance, Risk & Compliance (GRC) and Environmental, Social & Governance (ESG) functions (collectively, the "Platform").
This Privacy Policy describes how we collect, use, disclose, retain, and protect personal data in connection with:
By accessing or using the Platform or our website, you confirm that you have read, understood, and agreed to this Privacy Policy. If you do not agree, you must discontinue use immediately.
Note: This Privacy Policy is aligned with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India and applicable Rules framed thereunder. As our operations expand, we will update this Policy to reflect additional regulatory obligations.
2. Key Definitions
In this Privacy Policy, the following terms carry the meanings assigned to them:
Term | Meaning |
Personal Data | Any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act, 2023. |
Sensitive Personal Data | Personal data pertaining to health and physical condition, including EHS-related incident and medical information. |
Data Fiduciary | SoapBox Software Solutions LLP, in contexts where we determine the purpose and means of processing personal data. |
Data Processor | SoapBox Software Solutions LLP, in contexts where we process personal data on behalf of a Subscriber (Tenant) who is the Data Fiduciary. |
Subscriber / Tenant | A business entity that subscribes to Soapbox.Cloud and whose employees or contractors ("End Users") access the Platform. |
End User | An individual (e.g., employee, contractor, safety officer) whose personal data is processed on the Platform pursuant to a Subscriber's account. |
Consent Manager | An entity registered with the Data Protection Board of India, where applicable, through whom consent may be managed. |
Platform | The Soapbox.Cloud SaaS application and all associated services, APIs, and integrations. |
3. Scope and Our Roles
3.1 Dual-Role Architecture
SoapBox operates under a dual-role model that depends on the nature of the data being processed:
(a) Data Fiduciary (Controller): For data collected directly by SoapBox, such as Subscriber account information, billing data, website visitor data, and marketing preferences, SoapBox acts as the Data Fiduciary and independently determines the purposes and means of processing.
(b) Data Processor: For personal data belonging to End Users (employees, contractors, and other personnel of a Subscriber) that is uploaded, entered, or generated through the Platform, such as incident reports, safety records, HR data, and operational data, SoapBox acts as a Data Processor, processing such data solely on behalf of the Subscriber (who is the Data Fiduciary for their employees' data). In such cases, the Subscriber's own privacy notices and policies govern how End Users are informed about data processing.
Note: If you are an End User whose employer (a Subscriber) has deployed Soapbox.Cloud, please also refer to your employer's privacy notice. SoapBox processes your data as directed by your employer and is not independently responsible for the Subscriber's data practices.
3.2 Geographic Scope
This Policy applies to all personal data processed by SoapBox in connection with the Platform and website, irrespective of where the data subject is located. SoapBox is currently primarily focused on serving clients in India and processes data in accordance with the DPDP Act, 2023.
4. Personal Data We Collect
4.1 Data Collected from Subscribers (Account & Billing Data)
4.2 End User Data (Processed as Data Processor on behalf of Subscribers)
The following categories of personal data may be collected and processed on behalf of Subscribers:
Note: Health-related EHS data (injury/illness/medical records) constitutes Sensitive Personal Data and is subject to heightened protections under Section 9 of the DPDP Act, 2023. Explicit consent from the Data Principal is required before processing such data, unless a legal obligation mandates processing.
4.3 Website & Platform Usage Data
5. Purposes of Processing and Legal Basis
Under the DPDP Act, 2023, personal data must be processed for a lawful purpose, i.e., any purpose that is not expressly forbidden by law. The primary legal bases we rely on are (a) consent of the Data Principal, and (b) legitimate uses as permitted by the Act or any Rules made thereunder.
Purpose | Data Categories Used | Legal Basis |
Providing and operating the Platform | All categories | Contract / Consent |
User account creation and authentication | Identity, contact data | Consent / Contract |
EHS incident management and reporting | Incident data, health data, location | Consent / Legal obligation (EHS laws) |
Processing subscription payments | Billing, payment data | Contract |
Customer support and issue resolution | Identity, usage, incident data | Contract / Legitimate use |
Platform analytics and performance improvements | Usage/device data | Legitimate use |
Sending service/transactional notifications | Contact data | Contract |
Marketing communications (with consent) | Name, email, preferences | Explicit consent (opt-in) |
Compliance with applicable laws and regulations | As required by law | Legal obligation |
Security monitoring and fraud prevention | Usage, device, log data | Legitimate use |
6. Consent
6.1 How We Obtain Consent
Where we rely on consent as the legal basis for processing, we obtain it through clear, affirmative actions, such as ticking an opt-in checkbox or accepting specific terms at account registration or feature activation. We do not use pre-ticked boxes or bundled consents that obscure specific processing activities.
6.2 Sensitive Personal Data
Prior to processing Sensitive Personal Data (particularly health and medical information in EHS records), SoapBox, or the Subscriber acting as Data Fiduciary, shall obtain explicit, specific, and informed consent from the Data Principal. Where a Subscriber is the Data Fiduciary, they are contractually required under our Data Processing Agreement to have obtained such consent from their End Users before inputting such data into the Platform.
6.3 Right to Withdraw Consent
Data Principals may withdraw consent at any time, with prospective effect, by contacting privacy@soapbox.cloud or using in-Platform opt-out features. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal. Note that withdrawal may render certain features of the Platform unavailable.
7. Data Sharing and Disclosure
SoapBox does not sell, rent, or trade personal data to any third party for their own commercial purposes.
7.1 Within the Organisation
Personal data may be accessed by authorised SoapBox personnel (engineering, customer support, security, compliance) on a strict need-to-know basis, subject to confidentiality obligations.
7.2 Cloud Infrastructure Providers (Sub-Processors)
We use third-party cloud infrastructure providers ("Sub-Processors") to host and operate the Platform. These providers process personal data solely on our instructions and are contractually bound to maintain appropriate security and confidentiality. We are in the process of finalising our primary cloud hosting arrangement and will update this Policy and our Sub-Processor list accordingly. All Sub-Processors will be required to meet data protection standards equivalent to or higher than those required by the DPDP Act.
7.3 Payment Processors
Billing and payment transactions are handled by certified payment gateway providers who are independently responsible for the security of payment card data under PCI-DSS. SoapBox does not store full card numbers or CVV data.
7.4 Legal and Regulatory Disclosures
We may disclose personal data if required to do so by law, court order, or a direction from a government authority or regulator, including for the purposes of national security or law enforcement. We will, where legally permissible, notify affected parties of such requests.
7.5 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or part of SoapBox's business, personal data may be transferred to the successor entity, subject to equivalent privacy protections. Affected individuals will be notified as required by applicable law.
8. Data Retention
We retain personal data for no longer than is necessary for the purposes for which it was collected, or as required by applicable law, whichever is longer. Our general retention principles are:
Data Category | Retention Period |
Subscriber account data | Duration of subscription + 3 years after termination (for legal/audit purposes) |
End User EHS incident & health data | As directed by the Subscriber / as required by applicable EHS laws (typically 5 to 10 years) |
Payment and billing records | 7 years (as required under Indian tax and accounting laws) |
Usage logs and analytics | 12 months from collection |
Marketing consent records | 3 years from last interaction or until consent is withdrawn |
Website cookies | As specified in the Cookie Notice (see Section 9) |
Upon expiry of the retention period, personal data is securely deleted or anonymised in a manner that precludes re-identification.
9. Cookies and Tracking Technologies
Our website and Platform use cookies and similar technologies (web beacons, pixel tags, session storage) to enhance user experience, maintain sessions, and understand usage patterns.
Cookie Type | Purpose | Consent Required? |
Strictly Necessary | Login sessions, security tokens, load balancing | No (essential) |
Functional / Preference | Language settings, UI preferences | Yes |
Analytics | Understanding page visits, feature usage, error tracking | Yes |
Marketing | Tracking ad performance, retargeting (if applicable) | Yes (explicit) |
When you first visit our website, a cookie consent banner will be displayed. You may accept all cookies, select specific categories, or decline non-essential cookies. You can also manage or withdraw cookie preferences at any time via your browser settings or our cookie preference centre. Note that disabling certain cookies may impair Platform functionality.
10. Data Security
SoapBox implements appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, destruction, or accidental loss. Our security practices include, but are not limited to:
Notwithstanding the above, no electronic system is completely secure. In the event of a personal data breach that is likely to result in harm to Data Principals, SoapBox will notify the Data Protection Board of India and affected individuals as required under the DPDP Act, 2023, within the prescribed timelines.
11. Rights of Data Principals
The DPDP Act, 2023 confers the following rights on Data Principals (individuals whose personal data is processed). You may exercise these rights by contacting us at privacy@soapbox.cloud:
Right | What it means for you |
Right to Information | You have the right to know what personal data we hold about you, the purposes for which it is processed, and the identities of any parties with whom it has been shared. |
Right to Correction & Completion | You may request correction of inaccurate, misleading, or out-of-date personal data, or completion of incomplete data. |
Right to Erasure | You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected (subject to overriding legal or statutory retention obligations). |
Right to Grievance Redressal | You have the right to lodge a grievance with SoapBox's Grievance Officer regarding any processing of your personal data. We will respond within the period prescribed by the DPDP Act and Rules. |
Right to Nominate | You may nominate another individual to exercise your rights in the event of your death or incapacity. |
Right to Withdraw Consent | Where processing is based on consent, you may withdraw it at any time with prospective effect (see Section 6.3). |
Note: If you are an End User of a Subscriber's deployment, your primary data rights should be exercised with your employer (the Subscriber / Data Fiduciary). SoapBox will assist Subscribers in responding to such requests as required under our Data Processing Agreement.
12. Children's Data
The Platform is designed for use by business organisations and their employees. Soapbox.Cloud is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data of children. If we become aware that we have inadvertently collected personal data of a minor, we will take immediate steps to delete such data. If you believe we may have collected such data, please contact us at privacy@soapbox.cloud.
13. Marketing Communications
We will only send you marketing, promotional, or newsletter communications if you have given us your explicit prior consent (opt-in) at the time of registration, subscription, or through our website. Each marketing communication will contain a clear and easy unsubscribe mechanism.
Transactional and service-related communications (e.g., invoice confirmations, security alerts, system notifications, product updates material to your use of the Platform) are not subject to opt-out as they are necessary for service delivery.
To manage your marketing preferences or unsubscribe, click the "Unsubscribe" link in any marketing email or contact us at privacy@soapbox.cloud.
14. Cross-Border Data Transfers
SoapBox's cloud hosting infrastructure is yet to be finalised. Where personal data is stored or processed in servers located outside India, SoapBox will ensure that such transfers are made only to countries or jurisdictions that have been notified by the Central Government of India as permitting cross-border data transfer, or under such other conditions as may be prescribed under the DPDP Act, 2023 and applicable Rules. We will update this section once our hosting arrangement is confirmed.
In the interim, and pending the Central Government's notification of permissible geographies, SoapBox will endeavour to host personal data of Indian residents within India. Contractual safeguards and data processing agreements will be put in place with all cross-border Sub-Processors.
15. Grievance Redressal and Contact
15.1 Grievance Officer
In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, SoapBox has designated a Grievance Officer who may be contacted for any privacy-related concerns, requests, or complaints:
Grievance Officer
SoapBox Software Solutions LLP
Hyderabad, Telangana, India
Email: privacy@soapbox.cloud
Response Time: Within 30 days of receipt of grievance
15.2 Data Protection Board of India
If you are not satisfied with our response to your grievance, you have the right to lodge a complaint with the Data Protection Board of India, once constituted and operational under the DPDP Act, 2023. Details of the Board will be updated in this Policy as they become available.
16. Changes to This Privacy Policy
SoapBox reserves the right to update or amend this Privacy Policy from time to time to reflect changes in law, our business practices, or the Platform's features. When we make material changes, we will:
Your continued use of the Platform or website after the effective date of the updated Policy constitutes your acknowledgement of the changes.
17. Governing Law and Jurisdiction
This Privacy Policy and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the competent courts in Hyderabad, Telangana, India.
This Privacy Policy was last reviewed and approved by SoapBox Software Solutions LLP in April 2025.
For any queries: privacy@soapbox.cloud | www.soapbox.cloud