Privacy Policy
Privacy Policy
Last Updated: February 2026
HyGOAT ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the H2Global Screening Tool (H2GS) and any related services.
1. Data Controller
HyGOAT is operated by Ekavikalp Private Limited, a company registered in India.
- Email: privacy@hygoat.in
2. EU Representative (GDPR Article 27)
We are in the process of appointing an EU-based representative under GDPR Article 27. Until this appointment is formalised, data subjects in the European Union may contact us directly at privacy@hygoat.in for any data protection inquiries.
This section will be updated once the appointment is complete.
3. Information We Collect
3.1 Anonymous Session Data
The H2Global Screening Tool is designed for anonymous use. No account registration is required.
- Session ID: A randomly generated identifier stored in your browser's session storage. This links your screening progress across page visits.
- No login or identity verification is performed.
3.2 Company and Project Information (Optional, Unvalidated)
During the screening process, you may voluntarily provide:
- Company name, country, and contact details (name, email, phone)
- Hydrogen production capacity, methods, and technology specifications
- RFNBO compliance parameters, emissions data, and renewable energy sources
Important: These fields are optional. We do not verify or validate the information you provide. You may enter placeholder or fictitious data if you prefer not to disclose real company details. The screening results are based entirely on the data you supply and are only as accurate as your inputs.
3.3 Usage Data
- Pages visited and features used within the screening tool
- Device information and browser type
- IP address (used for security purposes; not linked to your session data)
3.4 Payment Data
If you purchase a paid report:
- Transaction records (amount, date, currency, status)
- Payment method type (card numbers are never stored by us — they are handled entirely by our payment processor)
- Invoice and receipt information
- Promo code usage (if applicable)
4. Legal Basis for Processing
For Users in the European Economic Area (GDPR)
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| RFNBO screening and report generation | Consent | Art. 6(1)(a) |
| Providing paid services and reports | Contract performance | Art. 6(1)(b) |
| Payment processing | Contract performance | Art. 6(1)(b) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
| Platform security and fraud prevention | Legitimate interest | Art. 6(1)(f) |
For Users in India (DPDP Act 2023)
We process personal data in accordance with India's Digital Personal Data Protection Act, 2023 (DPDP Act). Where required, we obtain your consent before processing personal data. You have the right to withdraw consent, request correction, and request erasure of your personal data under the DPDP Act.
For All Other Users
We process your data based on consent (provided when you use the screening tool and accept these terms) and as necessary to perform the services you request.
5. How We Use Your Information
We use the information we collect to:
- Provide the H2Global Screening Tool and generate compliance reports
- Calculate RFNBO compliance scores and gap analysis
- Process payments for paid report tiers via Razorpay
- Communicate with you about your screening results (only if you provide contact details)
- Comply with applicable legal and tax obligations
- Maintain platform security and prevent misuse
- Generate anonymized aggregate statistics to improve our services
6. Automated Decision-Making
The H2Global Screening Tool uses automated processing to calculate:
- RFNBO Compliance Score: A score from 0-100 based on your production parameters, renewable energy sources, temporal correlation, and GHG emissions data
- Tier Classification: Automatic categorization (Tier 1-3 or Non-Compliant) based on your compliance score
- Gap Analysis: Identification of blocking, major, and minor compliance gaps
Your Rights: Under GDPR Article 22, you have the right to:
- Obtain human intervention in the screening
- Express your point of view about the automated decision
- Contest the decision
To exercise these rights, contact us at privacy@hygoat.in.
7. Anonymous Session Tracking
The H2Global Screening Tool uses session-based tracking:
- Session ID: A unique identifier generated when you start a screening
- Storage: Session ID is stored in your browser's session storage
- Purpose: Links your screening progress across page visits
- Duration: Sessions expire after 30 days of inactivity
- No Personal Data: Anonymous sessions do not require or store personal information unless voluntarily provided in screening forms
You can delete your session data by clearing your browser's storage.
8. How We Share Your Information
8.1 Payment Processor
- Razorpay: Processes all payments. Razorpay is an RBI-regulated payment gateway based in India. Payment card details are handled entirely by Razorpay and are never stored on our servers. Razorpay's privacy policy applies to payment data they process: https://razorpay.com/privacy/.
8.2 Infrastructure Providers
Your data is hosted on the following services:
- MongoDB Atlas: Database hosting (India)
- AWS Lightsail: Application hosting (India)
These providers act as data processors under applicable data protection law.
8.3 Regulatory Bodies
We may share information with government or regulatory authorities where required by law.
8.4 Third-Party Verifiers
We may share your data with independent third-party verifiers to facilitate certification processes, only with your explicit consent.
9. International Data Transfers
Important Notice for All Users:
Your data is processed and stored in India. If you are located outside India, your data will be transferred to India for processing.
For EU/EEA users: India is not recognized by the European Commission as providing an adequate level of data protection under GDPR. Our infrastructure providers (MongoDB Atlas, AWS) maintain Standard Contractual Clauses (SCCs) approved by the European Commission for lawful data transfers. By using this service and providing consent, you acknowledge and agree to your data being transferred to and processed in India under these safeguards.
For Indian users: Your data is processed in India in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable rules.
For all other users: By using this service, you consent to your data being processed in India.
10. Data Security and Cybersecurity
10.1 Security Measures
We implement the following technical and organisational measures to protect your data:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
- Encryption at rest: Database storage is encrypted at rest using AES-256
- Access controls: Role-based access controls and authentication for all administrative access
- Infrastructure security: Hosted on AWS with network-level security controls
- Session isolation: Anonymous screening sessions are isolated from one another
10.2 Data Breach Notification
In the event of a personal data breach:
- EU/EEA users: We will notify the relevant Data Protection Authority within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms, as required by GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay (GDPR Article 34).
- Indian users: We will notify the Data Protection Board of India and affected individuals as required by the DPDP Act, 2023. Under CERT-In directions (2022), we will report cybersecurity incidents to CERT-In within 6 hours of becoming aware of a breach.
- All users: We maintain an incident response procedure and will take immediate steps to contain and remediate any breach.
While we have taken reasonable steps to secure your information, no security measures are perfect or impenetrable.
11. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Anonymous screening data (unpaid) | 30 days after last activity | Session cleanup |
| Paid screening data | 1 years from generation | Service delivery and support |
| Payment records and invoices | 7 years from transaction date | Tax and accounting obligations under Indian law |
| Assessment reports (PDFs) | 1 years from generation | Service delivery and support |
After the applicable retention period, data is permanently deleted or irreversibly anonymized. You may request earlier deletion at any time (see Section 12).
12. Your Data Protection Rights
Depending on your location and applicable law (including GDPR and the DPDP Act), you may have the following rights:
- Access: Request a copy of the data we hold about you
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data
- Restriction: Request restriction of processing
- Portability: Request your data in a machine-readable format (Strategic tier includes JSON export)
- Objection: Object to processing based on legitimate interest
- Withdrawal: Withdraw consent at any time
Delete My Data
The simplest way to exercise your rights:
- For screening data: Use the "Delete My Data" button on your screening results page. This immediately queues your session data for deletion.
- For any other request: Email privacy@hygoat.in with your request. We will respond within 30 days.
For unpaid assessments, deletion removes all data. For paid assessments, company-identifiable information is anonymized while payment records are retained for the legally required 7-year period.
13. Cookies and Tracking
Current state: The H2Global Screening Tool does not use analytics cookies, marketing cookies, or third-party tracking scripts. We use only:
- Session storage: For anonymous screening session tracking (essential for tool functionality)
- Essential cookies: Required for platform operation (e.g., CSRF protection)
No data is shared with advertising networks or analytics platforms. A formal cookie consent mechanism will be implemented in a future update. We will update this section when that mechanism is in place.
14. Screening Tool Disclaimer
The H2Global Screening Tool provides an indicative compliance screening based on self-reported data and publicly available regulatory information. It is important to understand:
- The screening results are not a substitute for professional legal, regulatory, or investment advice
- The results do not constitute a formal audit, certification, or verification of RFNBO compliance
- The screening does not guarantee eligibility for H2Global tenders or any other procurement process
- All results are based on the data you provide — we do not independently verify your inputs
- Regulatory requirements may change; our tool reflects requirements as understood at the time of screening
You should engage qualified legal counsel, certification bodies, and technical advisors before making decisions based on screening results.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a revised "Last Updated" date. Changes affecting consent-based processing will require renewed consent where applicable.
16. Complaints
If you believe your data protection rights have been violated:
- EU/EEA users: You have the right to lodge a complaint with your local Data Protection Authority (DPA). Find your DPA at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- Indian users: You may file a complaint with the Data Protection Board of India under the DPDP Act, 2023.
- All users: Contact us first at privacy@hygoat.in — we will make every effort to resolve your concern.
17. Contact Us
If you have any questions about this Privacy Policy, please contact us at:
- Email: privacy@hygoat.in
- EU Representative: Appointment in progress (contact privacy@hygoat.in)
- Entity: Ekavikalp Private Limited, India