OCXLY
Legal · Privacy

Privacy Policy

Effective: 1 June 2026 Last updated: 1 June 2026 Version: 1.0

This policy explains what data we collect, why we collect it, how we use and protect it, and what rights you have — no matter where you are in the world.

§ 01

Who We Are

OCXLY ("Object Core eXperience LaboratorY," "we," "us," or "our") is a multidimensional innovation hub registered in Kerala, India. We operate the website ocxly.com and its sub-division sites (collectively, the "Services").

For the purposes of the EU and UK General Data Protection Regulation (GDPR), OCXLY is the data controller. Our contact address for all privacy matters is:

OCXLY — Privacy Team
Email: [email protected]
Kochi, Kerala, India

This policy applies to all personal data collected through our Services, regardless of how you access them — whether by browser, mobile device, or any other means.

§ 02

Information We Collect

2.1 Information you provide directly

  • Contact information — name, email address, and any message content when you write to us via email or contact forms.
  • Account data — if you create an account on any OCXLY sub-division site, we may collect a username, email address, and password (stored only in hashed form).
  • Communication records — correspondence when you contact support, submit feedback, or participate in surveys.

2.2 Information collected automatically

  • Device and browser data — IP address, browser type and version, operating system, screen resolution, device type, and preferred language.
  • Usage data — pages viewed, time spent on each page, click patterns, scroll depth, referring URL, and exit page.
  • Approximate location — derived from your IP address (city/region level only; we do not collect precise GPS coordinates).

2.3 Cookies and similar technologies

We use cookies, local storage, and similar tracking technologies. See Section 5 for a full breakdown of cookie categories and how to manage them.

2.4 Information from third parties

We may receive aggregated, anonymised analytics data from Google Analytics (via Google Tag Manager). We do not purchase personal data from data brokers or third-party lists.

§ 03

How We Use Your Information

We process personal data only for the purposes listed below. We do not use your data for purposes incompatible with these without notifying you first.

PurposeData usedLegal basis (GDPR)
Provide and maintain our ServicesAccount data, device dataContract performance
Respond to enquiries and support requestsContact info, communicationsLegitimate interest
Understand how visitors use our siteUsage data, cookiesConsent (analytics cookies)
Improve site performance and contentAggregated usage dataLegitimate interest
Send service-related noticesEmail addressContract / legitimate interest
Comply with legal obligationsAs required by lawLegal obligation
Protect against fraud and abuseDevice data, IP addressLegitimate interest
§ 04

Legal Bases for Processing

GDPR Swiss DPA

Under the GDPR and the Swiss Federal Act on Data Protection, we rely on the following legal bases:

  • Consent (Article 6(1)(a)) — for analytics and marketing cookies. You may withdraw consent at any time via the "Cookie Settings" link in the footer.
  • Contract performance (Article 6(1)(b)) — to deliver Services you have requested (e.g., account creation, support).
  • Legitimate interests (Article 6(1)(f)) — to improve our site, protect against abuse, and communicate service updates. We balance these interests against your rights and freedoms.
  • Legal obligation (Article 6(1)(c)) — to comply with applicable laws (e.g., tax, fraud prevention).

Where we rely on legitimate interest, you have the right to object. See Section 10.

§ 05

Cookies & Tracking Technologies

When you first visit our site, a cookie consent banner asks for your choice. Non-essential cookies are blocked until you grant consent. This is implemented through Google Consent Mode v2 — meaning Google Analytics fires cookieless pings by default and only sets cookies after you opt in.

5.1 Cookie categories

CategoryPurposeDefault
EssentialCookie consent choice (localStorage key ocxly_consent_v1), calm-mode preference (ocxly_calm_v1). Required for basic site function.Always on
AnalyticsGoogle Analytics (via GTM container GTM-K2DJNCCC) — page views, session duration, bounce rate, scroll depth. Data is aggregated and anonymised.Off until consent
FunctionalStores preferences beyond essential cookies (e.g., UI states). Currently unused but reserved for future features.Off until consent
MarketingAdvertising and retargeting pixels. Not currently active on ocxly.com, but the category exists for future use.Off until consent

5.2 Managing your cookies

You can change your cookie preferences at any time by clicking "Cookie Settings" in the site footer. You can also clear all cookies via your browser settings. Note that disabling essential cookies may prevent parts of the site from functioning correctly.

5.3 Global Privacy Control (GPC)

We honour the Global Privacy Control signal. If your browser sends GPC, we automatically deny all advertising-related consent categories, even if you later click "Accept All." This is the equivalent of a "Do Not Sell or Share" signal under the CCPA.

§ 06

Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. Period.

We may share data with the following categories of recipients, and only to the extent necessary:

  • Service providers — hosting providers, analytics services (Google Analytics), email services. These processors act on our instructions under binding data processing agreements.
  • Legal requirements — if required by law, court order, or governmental request, or to protect the rights, property, or safety of OCXLY, our users, or others.
  • Business transfers — if OCXLY is involved in a merger, acquisition, or asset sale, personal data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

We do not share data with advertisers. Our site currently runs no advertising pixels.

§ 07

International Data Transfers

GDPR Swiss DPA

OCXLY is based in India. If you access our Services from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, your data may be transferred to and processed in India or other countries where our service providers operate.

Where such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) — EU Commission-approved clauses in our contracts with processors.
  • Adequacy decisions — where the EU Commission or UK Secretary of State has recognised the destination country as providing adequate protection.
  • Supplementary measures — encryption in transit and at rest, access controls, and data minimisation.

You may request a copy of the relevant safeguards by contacting us at [email protected].

§ 08

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required by law.

Data typeRetention period
Contact form submissions2 years from last interaction
Analytics data (Google Analytics)14 months (Google default), then auto-deleted
Cookie consent preferences12 months, then re-prompted
Server access logs90 days
Account data (sub-division sites)Until account deletion + 30-day grace period

When data is no longer needed, we securely delete or anonymise it so it can no longer be associated with you.

§ 09

Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • TLS/SSL encryption for all data in transit.
  • Encryption at rest for stored personal data.
  • Access controls limiting who within our team can view personal data.
  • Regular security reviews of our infrastructure and third-party providers.
  • Password hashing (bcrypt or equivalent) — we never store plain-text passwords.

No system is perfectly secure. If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes required by applicable law (72 hours under GDPR).

§ 10

Your Rights by Region

Your rights depend on where you live. Below we set out the rights available under each major framework. To exercise any right, contact us at [email protected]. We will respond within the timeframe required by your applicable law.

10.1 European Economic Area, United Kingdom & Switzerland

GDPR Swiss DPA

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten").
  • Right to restriction (Art. 18) — limit how we process your data in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests or direct marketing.
  • Rights related to automated decision-making (Art. 22) — we do not make decisions based solely on automated processing that produce legal effects concerning you.
  • Right to withdraw consent — at any time, without affecting the lawfulness of processing based on consent before withdrawal.
  • Right to lodge a complaint — with your local supervisory authority. A list of EU Data Protection Authorities is available at edpb.europa.eu. In the UK, contact the Information Commissioner's Office (ICO).

10.2 California, United States

CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:

  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to delete — request deletion of personal information we have collected from you.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell or share (as defined by the CCPA) your personal information. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link.
  • Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.
  • Authorised agents — you may designate an authorised agent to submit requests on your behalf. We may require verification of the agent's authorisation.

Categories of personal information collected (in the preceding 12 months): identifiers (IP address, email address); internet or network activity (browsing history, interactions with our site); geolocation data (approximate, city-level).

We have not sold or shared personal information in the preceding 12 months. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

10.3 Brazil

LGPD

Under the Lei Geral de Proteção de Dados (LGPD), you have the right to:

  • Confirm whether we process your data and access it.
  • Correct incomplete, inaccurate, or outdated data.
  • Anonymise, block, or delete unnecessary or excessive data.
  • Request data portability to another service provider.
  • Delete data processed with your consent.
  • Know which public and private entities we have shared data with.
  • Withdraw consent at any time.
  • Lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

10.4 Canada

PIPEDA

Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation, you have the right to:

  • Access the personal information we hold about you.
  • Challenge the accuracy and completeness of your data and have it amended.
  • Withdraw consent for the collection, use, or disclosure of your data (subject to legal or contractual restrictions).
  • File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

10.5 South Africa

POPIA

Under the Protection of Personal Information Act (POPIA), you have the right to:

  • Be notified that your personal information is being collected and the purpose.
  • Request access to and correction of your personal information.
  • Request deletion or destruction of your data.
  • Object to the processing of your personal information.
  • Lodge a complaint with the Information Regulator at inforegulator.org.za.

10.6 Australia

Privacy Act 1988

Under the Australian Privacy Act and the Australian Privacy Principles (APPs), you have the right to:

  • Access the personal information we hold about you (APP 12).
  • Request correction of personal information that is inaccurate, out of date, incomplete, or misleading (APP 13).
  • Complain about a breach of the APPs.
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

10.7 Other jurisdictions

If you reside in a jurisdiction with data protection laws not specifically listed above — including Singapore (PDPA), Thailand (PDPA), Japan (APPI), South Korea (PIPA), or any US state with a comprehensive privacy law (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, etc.) — you may have similar rights to access, correct, delete, and port your data. Contact us at [email protected] and we will honour your request in accordance with applicable law.

§ 11

Children's Privacy

Our Services are not directed at children under 16 (or under 13 in the United States). We do not knowingly collect personal data from children. If we learn that we have collected data from a child without appropriate parental consent, we will delete that data promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

§ 12

Do Not Track & Global Privacy Control

There is no universal standard for how websites should respond to the older "Do Not Track" (DNT) browser signal. We do not currently alter our data practices in response to DNT.

However, we do honour the Global Privacy Control (GPC) signal. When your browser transmits GPC, we treat it as a legally binding opt-out of the sale or sharing of personal information (per CCPA/CPRA) and deny all advertising-related consent categories (per our Google Consent Mode v2 implementation).

§ 13

Changes to This Policy

We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Post a notice on our homepage for a reasonable period.
  • If you have an account with us, send a direct notification by email.

We encourage you to review this policy periodically. Your continued use of our Services after any changes constitutes acceptance of the revised policy.

§ 14

Contact Us

If you have any questions about this privacy policy, wish to exercise your data rights, or want to file a complaint, please contact us:

OCXLY — Privacy Team
Email: [email protected]
Kochi, Kerala, India

We aim to respond to all privacy-related requests within 30 days. For GDPR requests, we will respond within one calendar month. For CCPA requests, we will respond within 45 days (with a possible 45-day extension if needed).