Who We Are
CommerceCX Private Limited
150 Cornerstone Dr #104, Cary, NC 27519, United States
CommerceCX is a unified commerce platform and CPQ (Configure, Price, Quote) software provider. We help businesses transform their revenue lifecycle through digital transformation, CRM integration, and commerce solutions.
This Privacy Notice applies to personal data collected through our website at commercecx.com, including our contact and inquiry forms.
For all data protection inquiries, rights requests, or complaints, contact us at [email protected].
What Personal Data We Collect
We collect only the personal data you voluntarily provide when submitting an inquiry through our contact form. We do not collect payment data, health data, government IDs, or any sensitive personal data.
| Data Category | Specific Fields | How We Get It |
|---|---|---|
| Identity Data | First Name, Last Name | You provide it via the contact form |
| Professional Data | Business Email, Company Name | You provide it via the contact form |
| Inquiry Data | Project description (free text) | You provide it via the contact form |
| Technical Data | Cookies, IP address, browser type | Collected after your consent via our cookie consent tool — see Section 9 |
How We Use Your Data & Our Legal Basis
For every purpose for which we process your personal data, we identify a lawful basis as required by GDPR Article 6 and equivalent provisions under CCPA/CPRA and the DPDP Act 2023.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Responding to your inquiry | Name, email, company, project description | Legitimate Interest / Pre-contractual steps (Art. 6(1)(b) & (f)) |
| CRM logging & internal routing | Name, email, company | Legitimate Interest (Art. 6(1)(f)) |
| Follow-up communications about our services | Name, email | Legitimate Interest / Consent where required (Art. 6(1)(f) & (a)) |
| Website analytics & improvement | Technical / cookie data | Consent (Art. 6(1)(a)) |
| Legal compliance & dispute resolution | All fields as relevant | Legal Obligation (Art. 6(1)(c)) |
International Data Transfers
CommerceCX is headquartered in the USA. Our cloud infrastructure includes servers in multiple regions, including India and the United States. If you are located in the European Economic Area (EEA) or the United Kingdom, your data may be transferred outside those regions.
Where such transfers occur, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission — for transfers to countries without an EU adequacy decision
- Data Processing Agreements (DPAs) — with all vendors and subprocessors
- Transfer Impact Assessments — conducted where required under applicable guidance
For transfers involving Indian residents' data, we comply with applicable cross-border transfer requirements under the Digital Personal Data Protection Act, 2023.
How Long We Keep Your Data
We do not keep your data longer than necessary. The following retention periods apply:
| Data Type | Retention Period |
|---|---|
| Contact form submissions | Up to 3 years from submission, or the duration of any resulting business relationship, based on business needs and applicable legal requirements — whichever is longer |
| Email communications | 3 years from the date of last communication |
| Legal / compliance records | As required by applicable law (typically 5–7 years) |
| Cookie / analytics data | As specified in our cookie settings — typically 13 months |
After the applicable retention period, your data is securely deleted or anonymized. You may request early deletion — see Section 7 below.
Your Rights
Depending on where you are located, you have the following rights regarding your personal data. We will respond to all valid requests within 30 days (extendable to 90 days for complex requests).
🇪🇺 Rights Under GDPR — Europe / EEA / UK
- Request a copy of all personal data we hold about you (Art. 15)
- Correct inaccurate or incomplete data (Art. 16)
- Request deletion of your personal data — the "right to be forgotten" (Art. 17)
- Receive your data in a structured, machine-readable format (Art. 20)
- Ask us to pause processing in certain circumstances (Art. 18)
- Object to processing based on legitimate interest or for direct marketing (Art. 21)
- Withdraw consent at any time, without affecting prior processing (Art. 7(3))
- Lodge a complaint with your local supervisory authority (e.g., ICO, CNIL, BfDI) (Art. 77)
🇺🇸 Rights Under CCPA / CPRA — California, USA
- Right to Know — what categories of personal data we collect and how we use it
- Right to Delete — request deletion of your personal data
- Right to Correct — correct inaccurate personal information
- Right to Opt-Out — we do not sell or share your personal data for cross-context behavioral advertising; no opt-out is currently required, but you may contact us to confirm
- Right to Limit — limit use of sensitive personal information (we do not collect any)
- Right to Non-Discrimination — we will never penalize you for exercising your rights
- Right to Browser Opt-Out — we recognize and honor browser-based opt-out signals, such as Global Privacy Control (GPC), where required by applicable law
California residents: we respond within 45 days, extendable by a further 45 days where necessary.
🇮🇳 Rights Under DPDP Act 2023 — India
- Right to Information — know what personal data we process and for what purpose
- Right to Correction and Erasure — correct inaccurate data or request deletion when the purpose is fulfilled
- Right to Grievance Redressal — raise a grievance with us and receive a timely response
- Right to Nominate — nominate another person to exercise your rights on your behalf
We acknowledge all grievances within 72 hours and resolve them within 30 days.
How to Exercise Your Rights
Email us at [email protected] with the subject line "Privacy Rights Request".
Please include: your full name, the email address you used to contact us, and a description of your request. We may verify your identity before processing.
How We Protect Your Data
In addition to our ISO 27001 certification, we implement the following technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction:
- ISO 27001 certified — independently audited information security management system (ISMS)
- Encryption of data in transit using TLS / HTTPS
- Encryption of data at rest
- Role-based access controls — only authorized personnel can access personal data
- Audit logging — access to personal data is logged and monitored
- Regular security assessments and vulnerability scanning
- Formal incident response and business continuity procedures
- Data Processing Agreements with all vendors and subprocessors
- Annual internal security reviews and risk assessments
Children's Data
Our services are not directed at individuals under the age of 16 (or the applicable minimum age under local law). We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately at [email protected] and we will delete it promptly.
Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will:
- Update the Last Updated date at the top of this page
- Notify you by email where we hold your contact details
- Post a notice on our website for significant changes
We encourage you to review this Privacy Notice periodically to stay informed about how we protect your data.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Notice or how we handle your personal data, please reach out:
Supervisory Authorities
- EU / EEA users: You have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu
- UK users: You may contact the Information Commissioner's Office (ICO) at ico.org.uk
- Indian users: You may raise a grievance with our Grievance Officer (see Section 7) or contact the Data Protection Board of India once operational.