Privacy Policy

Effective Date: 30th March 2026 | Version 2.0

AdventSys Technologies Private Limited
www.govalidation.com · app.govalidation.net

This is a combined Privacy Policy covering:

1. visitors and prospective customers of www.govalidation.com, and
2. registered users of the GoVal platform at app.govalidation.net.

Sections marked:

• [Website only] — govalidation.com
• [Platform only] — app.govalidation.net
• (no marker) — both

1. Introduction

AdventSys Technologies Private Limited ("AdventSys", "we", "us", or "our") operates the GoVal paperless validation platform for pharmaceutical and life science companies ("GoVal", "the Platform", "the Service") accessible at app.govalidation.net and the product website at www.govalidation.com.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you visit our website or use the GoVal platform. We are committed to compliance with the EU General Data Protection Regulation (GDPR 2016/679), the UK GDPR, the India Digital Personal Data Protection Act 2023 (DPDP Act), and applicable data protection laws in every jurisdiction where we operate.

AdventSys Technologies is ISO 27001:2022 certified. Our information security practices are independently audited annually.

2. Data Controller

3. Scope

This policy applies to:

• Visitors to www.govalidation.com (website visitors and prospective customers)
• Individuals who submit enquiries via the website contact form, demo request, or chat
• Registered users of the GoVal SaaS platform at app.govalidation.net (cloud-hosted)
• Users of GoVal deployed on your organisation's own infrastructure (on-premise)
• Prospective customers engaging with our sales and marketing activities

4. Personal Data We Collect

4.1 Account and Identity Data [Platform only]

• Full name, job title, department
• Business email address
• Organisation name and address
• Phone number (optional)

4.2 Usage and Activity Data [Platform only]

• Login timestamps, IP addresses, session duration
• Actions performed within the platform (audit logs)
• Validation records, documents, and e-signatures created by users
• System configuration data

4.3 Technical Data [Platform only]

• Browser type and version, operating system
• Device identifiers
• Crash reports and diagnostic logs

4.4 Communication Data

• Support tickets and correspondence (email via Microsoft 365)
• Feedback and survey responses

4.5 Website Visitor Data [Website only]

• IP address, browser type, device type, referring URL
• Contact form submissions (name, email, organization, message)
• Cookie and analytics data (Google Analytics, Microsoft Clarity) — collected only after explicit cookie consent
• Website chat interactions (name, email if shared, message content, timestamps)

5. Lawful Basis for Processing (GDPR Article 6)

We process personal data only where we have a valid lawful basis:

6. Data Residency and Storage Locations [Platform only]

GoVal is committed to transparent data residency. Platform customer data is stored in the region selected at subscription:

Data is never transferred outside the assigned region except for disaster recovery purposes, under appropriate Standard Contractual Clauses (SCCs) or equivalent safeguards as required by applicable law. For regions marked "coming soon", data is hosted in India with equivalent security controls until regional infrastructure is available. Customers will be notified before any change to their data location.

6A. On-Premise Deployments

This section applies only to customers who deploy GoVal on their own infrastructure.

Where GoVal is deployed on-premise on the Customer's own infrastructure, AdventSys does not host, store, or process Customer Personal Data on its own systems. The Customer acts as both Data Controller and Data Processor for all Personal Data within the on-premise environment.

This Privacy Policy applies only to the following limited interactions between AdventSys and the Customer in on-premise deployments:

• Remote support sessions initiated by the Customer, during which AdventSys personnel may incidentally access Personal Data
• Any telemetry or diagnostic data transmitted to AdventSys systems, only where explicitly enabled by the Customer
• Any cloud-connected features or integrations explicitly activated by the Customer

AdventSys confirms that the GoVal on-premise software does not transmit Customer Personal Data to AdventSys or any third-party systems without explicit configuration and consent by the Customer. AdventSys's ISO 27001:2022 certification covers software development, support, and delivery processes applicable to on-premise deployments.

7. Data Retention

8. Your Rights Under GDPR (EU / UK Users)

If you are located in the EU or UK, you have the following rights under the GDPR:

• Right of Access (Art. 15) — request a copy of personal data we hold about you
• Right to Rectification (Art. 16) — correct inaccurate or incomplete data
• Right to Erasure (Art. 17) — request deletion ('right to be forgotten')
• Right to Restrict Processing (Art. 18) — limit how we use your data
• Right to Data Portability (Art. 20) — receive your data in a machine-readable format
• Right to Object (Art. 21) — object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent (Art. 7(3)) — at any time, without affecting prior processing
• Right not to be subject to Automated Decision-Making (Art. 22) — GoVal does not carry out solely automated decision-making with legal or similarly significant effects

To exercise any right, contact: privacy@govalidation.com. We will respond within 30 days. You may also lodge a complaint with your local EU Data Protection Authority. A list of EU supervisory authorities is available at: edpb.europa.eu/about-edpb/about-edpb/members_en

8A. Your Rights Under the DPDP Act 2023 (India Users)

If you are located in India, under the Digital Personal Data Protection Act 2023 you have the following rights:

• Right to access information about personal data being processed
• Right to correction of inaccurate or misleading personal data
• Right to erasure of personal data no longer necessary for the purpose for which it was collected
• Right to grievance redressal — contact privacy@govalidation.com; we will respond within 30 days
• Right to nominate a person to exercise rights on your behalf in case of death or incapacity

Once the Data Protection Board of India is operationally established, you may also lodge complaints with that authority. We will update this policy accordingly.

9. Third-Party Sub-Processors

We engage the following sub-processors. All are bound by GDPR-compliant Data Processing Agreements. Customers will be notified of material changes with 30 days' notice.

10. Security Measures

AdventSys maintains ISO 27001:2022 certification and implements the following technical and organisational measures:

• Encryption at rest (AES-256) and in transit (TLS 1.2+)
• Role-based access control (RBAC) with principle of least privilege
• Multi-factor authentication (MFA) for administrative access
• Daily encrypted backups with tested restore procedures
• Annual penetration testing and vulnerability assessments
• Incident response plan with 72-hour breach notification capability (GDPR Art. 33 / Art. 34)

11. Cookies

11.1 Website — govalidation.com [Website only]

We use a cookie consent banner on www.govalidation.com. Non-essential cookies (Google Analytics, Microsoft Clarity) are only loaded after you provide explicit consent. You may withdraw consent at any time via the cookie settings link in the website footer.

A detailed Cookie Policy is available at govalidation.com/cookies-policy.

11.2 Platform (app.govalidation.net) [Platform only]

The GoVal application uses only essential session cookies required for platform authentication and operation. No advertising, tracking, or analytics cookies are used within the platform.

12. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) or India — for example when using Google Analytics or Microsoft 365 — such transfers are covered by:

• Standard Contractual Clauses (SCCs) approved by the European Commission, as provided by Google LLC, Microsoft Corporation, and Cloudflare Inc.
• Adequacy decisions or equivalent safeguards where applicable

For platform customer data, transfers between India (primary) and Germany (DR) and vice versa are governed by appropriate SCCs included in the Data Processing Agreement (DPA) executed with each customer.

We do not transfer personal data to any country that does not provide an adequate level of protection without the appropriate safeguards in place.

13. Children's Data

GoVal is a B2B enterprise platform intended for use by professionals. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided personal data, please contact privacy@govalidation.com and we will promptly delete it.

14. GoVal Platform Customers — Data Processing Agreement [Platform only]

For B2B customers subscribing to the GoVal SaaS platform, AdventSys acts as a Data Processor under GDPR Article 28. A Data Processing Agreement (DPA) governs all processing of Customer Personal Data and is executed alongside the main subscription agreement.

The DPA covers processor obligations, sub-processor management, data subject rights assistance, security measures, breach notification, audit rights, and data deletion on termination.

To request a copy of the GoVal DPA, contact: info@govalidation.com

15. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified to registered platform users by email and to website visitors via a prominent notice on govalidation.com, at least 30 days before taking effect. The current version is always available at govalidation.com/privacy-policy with a 'Last Updated' date.

16. Contact and Complaints

17. Acceptance

By accessing www.govalidation.com or using the GoVal platform at app.govalidation.net, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.