Privacy Policy India
Privacy Policy – India (DPDP Act, 2023)
This Privacy Policy applies to XPEL India Pvt. Ltd. operating www.xpel.com/in for services offered to individuals in India. It explains how personal data is collected, used, shared, and protected in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable rules.
Key Definitions
Data Principal: The individual to whom the personal data relates. For children, this includes their parent or lawful guardian.
Data Fiduciary: XPEL India Pvt. Ltd., which determines the purposes and means of processing personal data.
Data Processor: A third party that processes personal data on behalf of XPEL India Pvt. Ltd.
Scope and Applicability
This Policy governs digital personal data collected through www.xpel.com/in, our mobile interfaces, and customer interactions related to goods or services offered in India. It does not apply to non-personal data or personal data made publicly available by the Data Principal.
Personal Data We Collect
We may collect the following categories of personal data:
Identification and contact details: name, email address, phone number.
Postal and installation addresses.
Transaction and service data: orders, invoices, payments, warranty registrations, installation/service requests.
Device and usage data: IP address, device identifiers, cookie identifiers, analytics, approximate location.
Communications: inquiries, feedback, and correspondence with support.
For minors under 18, we process personal data only with verifiable parental or guardian consent, where required.
Purposes and Lawful Basis of Processing
We process personal data for:
Account creation and management.
Order fulfilment, deliveries, installations, and warranties.
Customer support and service communications.
Operation, security, troubleshooting, and improvement of our services and website.
Fraud prevention, abuse detection, and information security.
Compliance with Indian law and enforcement of terms.
Marketing communications with consent, which can be withdrawn at any time.
Consent
Where required under law, consent is obtained through a clear affirmative action and is specific and informed. Consent may be withdrawn as easily as it is given. Separate, verifiable parental/guardian consent is required before processing a child’s personal data.
Children’s Data
We do not knowingly profile, track, or deliver targeted advertising to children. If we become aware that a child’s data has been processed without valid consent, we will delete it upon discovery.
Data Principal Rights
Subject to applicable law, Data Principals have the right to:
Access a summary of their personal data and processing activities.
Request correction, completion, or deletion of their personal data.
Seek grievance redressal.
Nominate an individual to exercise rights in case of death or incapacity, as permitted by law.
Requests can be made using the contact information provided below. We will respond within timelines prescribed by law.
Grievance Redressal and Contact (India)
Grievance Officer: Ashutosh Wade
Email: awade@xpel.com
Address: XPEL India Pvt. Ltd., Plot No - PAP-G-28/1, Chakan Industrial Area, Phase - III, Tal- Khed, Nighoje, Pune, Dehu, Pune, Pin code - 410501
If you are dissatisfied with our response, you may escalate to the Data Protection Board of India in accordance with applicable procedures.
Data Sharing and Processing
We may share personal data with:
Service providers (hosting, payments, logistics, customer support, analytics) under contracts requiring them to act only on our instructions and implement appropriate safeguards.
Affiliates/group entities as necessary to provide India-related services.
Government authorities, regulators, or law enforcement where required under Indian law.
We do not sell personal data.
Cross-Border Transfers
If personal data is transferred outside India (for example, to group entities or service providers), such transfers will comply with the DPDP Act and any applicable government notifications or restrictions, including use of contractual safeguards where appropriate.
Data Security
We implement reasonable technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction, and maintain incident response procedures consistent with Indian requirements.
Personal Data Breach Notification
In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals as required by applicable law.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by Indian law. When no longer needed, we delete or anonymize personal data. Where processing is based on consent, we delete personal data upon withdrawal if no other legal basis applies.
Automated Decision-Making and Profiling
We do not make decisions that produce legal or similarly significant effects solely based on automated processing without appropriate safeguards and notice. Any marketing personalization is limited and subject to consent where required.
Cookies and Tracking Technologies
We use essential cookies necessary for site operation and, where required by law, obtain consent for non-essential cookies such as analytics or advertising cookies. Cookie preferences can be managed via our site controls or your browser settings.
Significant Data Fiduciary (If Designated)
If designated by the Central Government as a Significant Data Fiduciary, we will implement additional measures, such as appointing a Data Protection Officer, conducting data protection impact assessments, and periodic independent audits, as applicable.
Updates to This Policy
We may update this Policy to reflect changes in law or our practices. Material changes will be notified on www.xpel.com/in, and the effective date will be indicated below.Effective Date: 1st September, 2025