0MRADE

xc0mrade@root

Loading0%

0MRADE

xc0mrade@root

Loading0%

Privacy Policy

Xc0mrade Technologies Private Limited Version 2026.04 — Effective: April 3, 2026

Need Help?

privacy@xc0mrade.com

grievance@xc0mrade.com

Our Promise

“Built in India, for India. We never sell your data. We collect only what we need.”

Who We Are

Xc0mrade Technologies Private Limited (CIN: U62099BR2025PTC079540), registered in Bihar, India, operates the vulnerability marketplace platform accessible at https://xc0mrade.com(the “Platform”). We connect Security Researchers with Organizations to find and fix security vulnerabilities through structured programs.

Our Commitment

We process your data responsibly under the Digital Personal Data Protection Act (DPDP), 2023, the Information Technology Act, 2000, and applicable RBI and CERT-In guidelines.

1. Data Collection

1.1 Account Registration

When you create an account we collect your name or display handle, email address, password (hashed), and your chosen role (Security Researcher or Organization).

WHY: To create and manage your account, authenticate your identity, and provide role-appropriate access.

1.2 Profile & Onboarding

Researchers provide bio, skills, and avatar. Organizations provide company name, website, and industry.

WHY: To personalize your experience, match researchers with programs, and display the leaderboard.

1.3 KYC Verification Data

Security Researchers wishing to receive Rewards must complete KYC verification (Aadhaar, Passport, or Voter ID, PAN card).

WHY: Mandatory under the PMLA 2002 and RBI guidelines. We use Razorpay to process data.

RETENTION: Records are kept for 5 years minimum. Cannot be deleted on request during this period.

1.4 Vulnerability Reports & Sketches

We collect report titles, targets, severity, reproduction steps, and Sketches created using the Sketcher tool.

WHY: To facilitate disclosure. Accepted reports are transferred to the relevant Customer organization.

IMPORTANT: Reports may contain incidental third-party data. Researchers must minimize and report this.

2. How We Use Data

Platform operation

Identity verification

Security & fraud prevention

Legal compliance (CERT-In)

Reputation scoring

Communications

3. Legal Basis

Under DPDP Act 2023, we use:

ConsentContract performanceLegal obligationLegitimate interests

4. Data Sharing and Processors

We share personal data only where necessary for service delivery, legal compliance, or security operations.

Razorpay: payment processing, payout workflows, and KYC facilitation.

Supabase: database, authentication, and secure storage infrastructure.

Vercel: hosting, edge delivery, and application runtime services.

Each processor operates under contractual data processing obligations covering purpose limitation, security safeguards, breach notification, and data return/deletion obligations at termination.

5. Data Security

TLS 1.2+ encryption in transit
AES-256 encryption at rest
PCI-DSS compliant partner (Razorpay)
Row-Level Security (RLS) in DB
Multi-Factor Authentication (MFA)
Isolated storage buckets for reports

6. Data Retention

Type	Period	Legal Basis
KYC Documents	5 years min	PMLA 2002
Financial Records	7 years	Income Tax 1961
IT Logs	180 days	CERT-In 2022
Accepted Reports	5 years	Contractual

Note: Right to Erasure is limited by legal retention. We will pseudonymize identity where deletion is prohibited.

7. Your Rights (DPDP 2023)

Right to Access

Summary of held personal data.

Right to Correction

Correction of inaccurate data.

Right to Erasure

Deletion subject to Section 6.

Right to Grievance

Timely redressal (see Section 9).

Right to Nominate

Nominate another in case of death.

Right to Withdraw

Withdraw consent anytime.

8. International Data Transfers

We design our infrastructure to prioritize Indian data residency for Indian users. Where third-party processors are used, Xc0mrade enforces contractual localization and protection requirements.

Cross-border transfers, if any, are carried out only in accordance with applicable DPDP requirements and to jurisdictions permitted by the Central Government.

9. Grievance Officer

Appointed Officer

Vivek Singh — Founder

grievance@xc0mrade.com

Timeframe

Ack: 24h | Resolve: 7d

10. Personal Data Breach Notification

In the event of a personal data breach affecting your data, Xc0mrade will notify affected Data Principals and the Data Protection Board of India within 72 hours of becoming aware of the breach, in accordance with applicable DPDP Rules.

Notifications include, where reasonably available at the time of reporting: (i) the nature of the breach, (ii) likely consequences, and (iii) mitigation/remedial measures taken.

11. Cookies and Tracking

We use essential cookies for authentication and session security, along with limited analytics/operational telemetry to improve platform reliability and performance.

You can manage browser cookie controls. Disabling essential cookies may prevent login or core platform usage.

12. Automated Processing and Human Review

Certain researcher ranking outcomes are algorithmically calculated (for example, Sketch Score and P-Tier progression inputs). See GCU section 13 and Schedule A for scoring criteria.

High-stakes tier decisions (including key promotions/demotions) are subject to human review.

0MRADE

xc0mrade@root

Loading0%

Privacy Policy

Xc0mrade Technologies Private Limited Version 2026.04 — Effective: April 3, 2026

Need Help?

privacy@xc0mrade.com

grievance@xc0mrade.com

Our Promise

“Built in India, for India. We never sell your data. We collect only what we need.”

Who We Are

Our Commitment

We process your data responsibly under the Digital Personal Data Protection Act (DPDP), 2023, the Information Technology Act, 2000, and applicable RBI and CERT-In guidelines.

1. Data Collection

1.1 Account Registration

When you create an account we collect your name or display handle, email address, password (hashed), and your chosen role (Security Researcher or Organization).

WHY: To create and manage your account, authenticate your identity, and provide role-appropriate access.

1.2 Profile & Onboarding

Researchers provide bio, skills, and avatar. Organizations provide company name, website, and industry.

WHY: To personalize your experience, match researchers with programs, and display the leaderboard.

1.3 KYC Verification Data

Security Researchers wishing to receive Rewards must complete KYC verification (Aadhaar, Passport, or Voter ID, PAN card).

WHY: Mandatory under the PMLA 2002 and RBI guidelines. We use Razorpay to process data.

RETENTION: Records are kept for 5 years minimum. Cannot be deleted on request during this period.

1.4 Vulnerability Reports & Sketches

We collect report titles, targets, severity, reproduction steps, and Sketches created using the Sketcher tool.

WHY: To facilitate disclosure. Accepted reports are transferred to the relevant Customer organization.

IMPORTANT: Reports may contain incidental third-party data. Researchers must minimize and report this.

2. How We Use Data

Platform operation

Identity verification

Security & fraud prevention

Legal compliance (CERT-In)

Reputation scoring

Communications

3. Legal Basis

Under DPDP Act 2023, we use:

ConsentContract performanceLegal obligationLegitimate interests

4. Data Sharing and Processors

We share personal data only where necessary for service delivery, legal compliance, or security operations.

Razorpay: payment processing, payout workflows, and KYC facilitation.

Supabase: database, authentication, and secure storage infrastructure.

Vercel: hosting, edge delivery, and application runtime services.

Each processor operates under contractual data processing obligations covering purpose limitation, security safeguards, breach notification, and data return/deletion obligations at termination.

5. Data Security

TLS 1.2+ encryption in transit
AES-256 encryption at rest
PCI-DSS compliant partner (Razorpay)
Row-Level Security (RLS) in DB
Multi-Factor Authentication (MFA)
Isolated storage buckets for reports

6. Data Retention

Type	Period	Legal Basis
KYC Documents	5 years min	PMLA 2002
Financial Records	7 years	Income Tax 1961
IT Logs	180 days	CERT-In 2022
Accepted Reports	5 years	Contractual

Note: Right to Erasure is limited by legal retention. We will pseudonymize identity where deletion is prohibited.

7. Your Rights (DPDP 2023)

Right to Access

Summary of held personal data.

Right to Correction

Correction of inaccurate data.

Right to Erasure

Deletion subject to Section 6.

Right to Grievance

Timely redressal (see Section 9).

Right to Nominate

Nominate another in case of death.

Right to Withdraw

Withdraw consent anytime.

8. International Data Transfers

We design our infrastructure to prioritize Indian data residency for Indian users. Where third-party processors are used, Xc0mrade enforces contractual localization and protection requirements.

Cross-border transfers, if any, are carried out only in accordance with applicable DPDP requirements and to jurisdictions permitted by the Central Government.

9. Grievance Officer

Appointed Officer

Vivek Singh — Founder

grievance@xc0mrade.com

Timeframe

Ack: 24h | Resolve: 7d

10. Personal Data Breach Notification

Notifications include, where reasonably available at the time of reporting: (i) the nature of the breach, (ii) likely consequences, and (iii) mitigation/remedial measures taken.

11. Cookies and Tracking

We use essential cookies for authentication and session security, along with limited analytics/operational telemetry to improve platform reliability and performance.

You can manage browser cookie controls. Disabling essential cookies may prevent login or core platform usage.

12. Automated Processing and Human Review

Certain researcher ranking outcomes are algorithmically calculated (for example, Sketch Score and P-Tier progression inputs). See GCU section 13 and Schedule A for scoring criteria.

High-stakes tier decisions (including key promotions/demotions) are subject to human review.