Privacy Policy

Privacy Policy

Last Updated: November 2, 2025

This Privacy Policy explains how Advanced Structures India Pvt. Ltd. (ASI) collects, uses, discloses, and protects personal data when you use the xcPEP should costing platform and the xcPROC cost input database.
This policy should be read together with our Terms of Service at tos.xcpep.com and our Data Processing Addendum (DPA) at tos.xcpep.com. Security and data handling information is available at trust.xcpep.com.
If you have questions, you can contact us at support@xcpep.com for general matters or infosec@xcpep.com for privacy and security matters.

1. Who We Are

This service is provided by Advanced Structures India Pvt. Ltd. (ASI), an India based company. We provide software services to businesses, not to consumers. We process personal data primarily on behalf of our business customers.

2. Scope

This policy applies to:

  • users who log in to xcPEP
  • customer personnel whose details are entered into xcPEP
  • customer personnel who contact us for support
  • visitors who access service related resources hosted by ASI
    This policy does not apply to websites or services that we do not control. If your organization uses xcPEP, your employer or your organization may have its own privacy or data handling rules. In many cases your organization is the controller of your personal data and ASI acts as a processor or service provider.

3. Categories of Personal Data We Collect

3.1 Data You or Your Organization Provide

  • account and profile data such as name, business email address, designation, company name
  • login related data such as username or SSO identifier
  • support communications and attachments you send to support@xcpep.com
  • configuration and reference information that your organization enters into xcPEP as part of its costing work

3.2 Data Collected Automatically

When you use xcPEP or xcPROC we may collect:

  • usage data about the features you use, time of access, and performance metrics
  • device and browser data such as IP address, browser version, operating system, and time zone
  • event logs and security logs for auditing and incident investigation

We collect this to secure the service, to troubleshoot, and to improve performance.

3.3 Customer Data Inside xcPEP

Your organization controls what business data is entered into xcPEP. In most cases this is product and cost data and will not contain personal data. If your organization chooses to put personal data into Customer Data, that personal data will be processed according to our DPA as a processor or service provider.

We do not mix your organization’s xcPEP data with xcPROC data. Customer data in xcPEP is owned by the customer. xcPROC data is researched and owned by ASI.

3.4 Data We Derive or Generate

We may create and retain audit records, usage metrics, and other derived data about how authorized users access and use the services. We generate this data to secure the services, to operate them at scale, to investigate incidents, and to improve performance. This derived data is ASI’s data, but we will not use it to identify individuals for marketing or advertising.

4. How We Use Personal Data

We use personal data for these purposes:

  • to provide, operate, and maintain xcPEP and xcPROC
  • to create and manage user accounts
  • to provide support and respond to tickets and emails
  • to secure the services, including monitoring for abuse or unauthorized access
  • to improve the services, including understanding which features are used
  • to send important administrative or service messages
  • to meet legal and contractual obligations
  • to monitor, detect, prevent, and investigate security incidents, fraud, abuse of APIs, or violations of our Acceptable Use Policy
  • to create aggregated or de-identified information for service analytics and service improvement, provided such information does not identify an individual or customer

We do not sell or share personal data as those terms are used in CCPA/CPRA.

5. Legal Bases and Roles

5.1 When We Are a Processor or Service Provider

Most of the time we process personal data on behalf of our customers who are the controllers or businesses. In that case we follow the customer’s documented instructions as stated in our DPA.

5.2 When We Are a Controller

In some cases ASI decides how to process personal data, for example for service logs, security, and billing. For those activities we rely on:

  • our legitimate interests in providing and securing a B2B service
  • our need to perform a contract with your organization
  • our need to comply with law

5.3 Customer Instructions Control

Where ASI processes personal data on behalf of a customer organization, ASI will act on the instructions of that organization. If an individual user makes a request that conflicts with the customer organization’s instructions or access to the service, ASI may refer the request back to the customer organization.

6. Disclosure to Third Parties

We may share personal data with:

  • our hosting and infrastructure providers and other Sub-processors listed at trust.xcpep.com
  • our professional advisors where needed for legal, compliance, or accounting purposes
  • government or law enforcement authorities if required by applicable law

We require our Sub-processors to protect personal data to a level no less protective than this policy and our DPA. We do not permit our Sub-processors to sell personal data.

7. International Transfers

We are based in India and we may process personal data in India or in other locations where our Sub-processors operate, as listed at trust.xcpep.com. Where the applicable Order Form specifies a data residency or hosting location that ASI offers, we will follow that configuration.
For customers subject to GDPR who transfer personal data from the EEA, the DPA incorporates the European Commission Standard Contractual Clauses.
For customers subject to CCPA/CPRA, we act as a service provider and will use personal information only to provide the services or as otherwise permitted by CCPA/CPRA.

8. Data Retention

We keep personal data for as long as needed to provide the services, to comply with our legal obligations, to resolve disputes, and to enforce our agreements.
When your organization’s subscription ends, Customer Data is handled according to the Terms of Service and the DPA. Typically we will make Customer Data available for export for a limited period and then delete it from active systems and from backups in the ordinary course of our backup cycles.
We may keep minimal records such as billing records, audit logs, and security logs for a longer period if required by law or to demonstrate service delivery.

9. Security

We use technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include access controls, encryption where appropriate, secure development practices, monitoring, and incident response.
A current description of our security controls and our current compliance documents is provided at trust.xcpep.com.
If we become aware of a personal data breach that affects Customer Data, we will notify the customer organization without undue delay in line with our DPA. ASI may use service and security logs, including user identifiers and IP addresses, to detect and respond to abuse or violations of our Acceptable Use Policy.

10. Your Privacy Rights

Because we provide a B2B service, most rights requests should be made to your employer or the organization that is the customer. We will support that organization as described in our DPA.
If GDPR applies, individuals may have rights of access, rectification, erasure, restriction, portability, and objection.

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:

  • European Union (EU)

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter or make use of your data subject rights, please visit the following website: click here.

If you believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with the relevant supervisory authority:

India: Data Protection Authority (when established under DPDP Act)
European Union: Your local supervisory authority as listed: here
United Kingdom: Information Commissioner’s Office (ICO) – click here
California: California Privacy Protection Agency (CPPA) – click here

Response Timeline: We respond to privacy requests within 30 days (or as required by applicable law)
Verification: We may require identity verification to protect your personal information

If CCPA/CPRA applies, individuals may have rights to know, to delete, and to not be discriminated against for exercising those rights. We do not sell personal information.
If we receive a request directly that clearly relates to a customer account, we will forward it to the customer.
Requests can be sent to infosec@xcpep.com and we will explain whether we can act directly or whether you should contact your organization.
Where ASI cannot reasonably identify the individual as an authorized user of a customer organization, or where fulfilling the request would adversely affect ASI’s legal obligations or the rights of others, ASI may decline the request and will explain why.

11. Cookies and Similar Technologies

Our service may use cookies or similar technologies to maintain sessions, improve security, and understand usage. Because xcPEP is an authenticated business application, cookies are usually essential for operation. If you block cookies, some parts of the service may not work.
If we use analytics, it will be for service improvement and security and not for advertising.
We do not use cookies or similar technologies in the services for third-party behavioral advertising.

12. Children’s Data

Our services are intended for business users only. We do not knowingly collect personal data from children. If you believe a child’s data has been entered into the service, contact infosec@xcpep.com and we will work with the customer to address it.

13. Third Party Links

Service documentation or portals may contain links to other sites. We are not responsible for the privacy practices of those sites. Review their policies before providing personal data.

14. Changes to this Policy

We may update this Privacy Policy to reflect changes in the services or in applicable law. Updated versions will be posted at tos.xcpep.com with a new date. If changes are material, we will provide notice through the service or by email to the customer’s registered contact. Continued use of the services after the effective date means you accept the updated policy.

15. Contact

For support and general questions: support@xcpep.com
For privacy and security questions, incident reports, or data protection requests: infosec@xcpep.com