Privacy Policy
Last updated: July 12, 2026
1. Introduction and Scope
This Privacy Policy explains how Magdox Private Limited (“Magdox,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal data in connection with the FDIE (Firmware Delta Intelligence Engine) marketing website, the FDIE web application, and related services (together, the “Service”). This Policy applies to visitors to our website, prospective and current customers, and authorized users of the FDIE platform acting on behalf of a customer organization.
2. Our Roles: Controller vs. Processor
Magdox acts in different roles depending on the data involved:
- As Controller: for account data (Section 4), marketing-site usage data, billing data, and other data we collect about our own customers and website visitors to operate our business, Magdox determines the purposes and means of processing and acts as the Data Controller.
- As Processor: for Customer Data (firmware images, configuration files, and any personal data incidentally contained within them) uploaded by a customer for analysis, Magdox acts solely as a Data Processor on that customer’s instructions. Our processing of Customer Data on a customer’s behalf is additionally governed by our DPA, which is available to any paid-tier customer processing personal data subject to the DPDPA or similar laws, not only Enterprise customers.
3. Data Controller Identity
- Entity: Magdox Private Limited
- Registered address: Rd No. 8, Sector - 3, Arabinda Nagar, Hindustan Cables, West Bengal - 713335, India
- Privacy contact: [email protected]
4. What Personal Data We Collect
Account data. When you sign up for FDIE or contact us, we collect information such as your name, work email address, company name, and job title.
Usage data. We automatically collect technical information when you use our website or platform, including IP address, browser type, device information, and analytics events (pages viewed, features used, timestamps).
Firmware and content data. Customers upload firmware images, configuration files, and related artifacts to the FDIE platform for analysis. This data is “Customer Data”: it belongs to the customer, is not personal data of website visitors, and is handled under the confidentiality commitments described in our Terms of Service and DPA. Where Customer Data incidentally contains personal data (for example, developer names embedded in firmware metadata), it is processed solely to provide the Service.
5. How We Use Your Data
We use personal data to:
- Provide, operate, and maintain the Service
- Process billing and manage subscriptions
- Provide customer support and respond to inquiries
- Improve and develop new features
- Send product updates, security advisories, and marketing communications (with an opt-out available in every email)
6. Why We Process Your Data
We process personal data on the following grounds:
- Contract: to provide the Service under our Terms of Service
- Consent: for optional marketing communications and non-essential cookies
- Legitimate business purposes: for security monitoring, fraud prevention, and product analytics, balanced against your rights and interests
7. Cookies and Tracking
We use cookies and similar technologies for essential site functionality. Our website currently sets only strictly necessary cookies (session management and CSRF protection) and one functional cookie (your consent preference). We do not currently set analytics or marketing cookies. See our Cookie Policy for a full breakdown of cookie categories, the specific cookies in use, and how to manage your preferences.
8. Sharing and Sub-processors
We share personal data with a limited set of service providers who help us operate the Service, each bound by appropriate confidentiality and data protection terms:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Application and data hosting | India (default) |
| Dodo Payments | Billing and invoicing | India |
| Email service provider | Transactional and marketing email | USA |
We do not sell personal data.
Notice of new sub-processors. Before engaging a new sub-processor that will process personal data on behalf of paid-tier customers, we will provide at least 10 days’ advance notice by posting an update to this page and, for Enterprise customers, by email to the billing or technical contact on file. If you reasonably object to a new sub-processor on data protection grounds, contact [email protected] within that notice period and we will work with you in good faith to address the objection, which may include making a commercially reasonable alternative available.
9. International Data Transfers
Where personal data is transferred outside of the jurisdiction in which it was collected, we comply with applicable cross-border data transfer requirements under the DPDPA and other applicable law, using appropriate contractual safeguards where required.
10. Data Retention
- Account data is retained for the duration of your contract with us, plus 90 days thereafter for legal and accounting purposes.
- Uploaded firmware images and analysis results are retained according to the retention policy configured by your organization’s administrators within FDIE. Where no custom retention period is configured, we retain this data for the duration of the active subscription plus 90 days, after which it is deleted unless a longer period is required by law.
- You may request deletion of your data at any time as described in Section 13.
11. Data Security Measures
We implement technical and organizational measures designed to protect personal data. See our Security and Trust page for a detailed, plain-language description of our encryption, access-control, and audit logging practices.
12. Breach Notification
In the event of a personal data breach affecting your data, we will notify affected individuals or customers without undue delay, and in any case within 72 hours of becoming aware of the breach, providing the information reasonably available to us at that time. This commitment applies to all customers and website visitors, not only those with an Enterprise DPA in place; Enterprise customers’ DPA contains additional detail on the process for Customer Data specifically.
13. Your Rights (Global)
Depending on your location, you may have rights over the personal data we hold about you, which commonly include the right to access, correct, delete, restrict or object to processing, receive your data in a portable format, and withdraw consent. The regional sections below identify the specific regime that applies to you; where more than one could apply, contact us and we will apply the more protective standard.
13.1 India (DPDPA)
See our dedicated DPDPA rights page for your rights as a Data Principal under India’s Digital Personal Data Protection Act, 2023, including how to escalate a grievance to our Grievance Officer and the Data Protection Board of India.
13.2 California and Other U.S. States
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended, may give you the right to know what personal information we have collected about you, request its deletion, correct inaccurate information, and opt out of the “sale” or “sharing” of personal information. Magdox does not sell personal information, and does not “share” personal information for cross-context behavioral advertising as those terms are defined under the CCPA. To exercise a CCPA right, contact [email protected]. We will not discriminate against you for exercising these rights. Residents of other U.S. states with comparable privacy laws may exercise analogous rights through the same contact.
13.3 How to Exercise Any of These Rights
To submit a request under any of the regimes above, contact [email protected] or use our Contact page, including your name, the email address associated with your account (if any), a description of the right you wish to exercise, and any information that helps us verify your identity.
14. Automated Analysis and Decision Support
FDIE’s compliance scores, CVE findings, and risk ratings are generated by deterministic, rule-based static analysis (not generative AI or machine learning) and are intended as decision-support information for your security and engineering teams. They are not used by Magdox to make any solely-automated decision producing legal or similarly significant effects about an individual. See Terms of Service Section 12 for the scope and limitations of this analysis.
15. Children’s Privacy
The Service is not directed at, and is not intended for use by, individuals under the age of 16. We do not knowingly collect personal data from children.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the website or by email to registered account holders. The “Last updated” date at the top of this page reflects the most recent revision. Prior versions are archived and available on request.
17. Contact
Questions about this Privacy Policy can be sent to [email protected] or via our Contact page.