Introduction to Innowell Engineering International Pvt Ltd
INNOWELL Engineering International Pvt Ltd operates through an integrated corporate structure that includes specialized internal service divisions to ensure comprehensive project delivery and technical excellence. Our internal technology and IT infrastructure services are managed through dedicated subsidiaries and affiliated entities within our corporate group, named Jupiter Brother (JB), enabling us to maintain complete control over data security, service quality, and operational efficiency.
All IT infrastructure, proprietary software platforms (including ENTHIRAN and INAKKAM), cloud computing services, and technical support systems are managed internally through our corporate group entities. This integrated approach ensures seamless service delivery, enhanced data security, and continuous innovation in our consulting methodologies.
The policy is applicable to all Innowell associates, whether full time or contracted, subsidiaries and affiliated entities within our corporate group, business contacts, customers or vendors. Innowell ensures that its business partners and vendors comply with this Policy and applicable legal and regulatory compliance standards through appropriate contractual agreements.
1. Purpose
This Data Use Policy outlines how the company collects, uses, protects, and manages data. We are committed to maintaining the confidentiality, integrity, and security of all information across our entire corporate group and internal service divisions.
This policy is further intended to ensure strict adherence to the Digital Personal Data Protection Act, 2023 (India), the Information Technology Act, 2000, and where applicable, international frameworks including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Scope
This policy applies to all data collected, processed, stored, or shared by INNOWELL Engineering International and its internal service divisions, whether through our websites, communications, services, or business operations.
This scope also extends to data collected through indirect means, including public sources, affiliated business partners, and lawful third-party providers, provided such collection is in compliance with applicable laws and conducted across our corporate group entities.
3. What Data We Collect
The company may collect the following categories of data:
Personally Identifiable Information (PII): Name, email, phone number, address, company name, and job title.
Business Data: Project requirements, specifications, correspondence, and contractual documents.
Financial Data: Billing address, payment details, tax information.
Technical Data: IP address, browser type, device information, access logs (if you use our online platforms).
Support Data: Emails, call logs, or chat transcripts from service interactions.
Project Performance Data: System performance metrics, energy efficiency data, compliance reports, and post-implementation feedback for service enhancement purposes.
We may also collect data from publicly available sources, professional networks, subcontractors, and government databases where legally permissible, and such data shall be treated with the same level of protection as directly collected data.
3.1. Sensitive Personal Data
In certain circumstances, we may process sensitive personal data categories including:
Health and Safety Data: Medical certificates, emergency contact information, and workplace safety records for site access and compliance
Government-Issued Identifiers: Professional licenses, permits, and certifications required for engineering services
Biometric Data: Access control systems for secure facilities (with explicit consent)
Location Data: GPS coordinates for site surveys and project locations
All sensitive personal data processing is conducted with appropriate legal safeguards, explicit consent where required, and enhanced security measures.
3.2. Data Sources
Data may be collected from:
Direct interactions through our platforms, communications, and meetings
Public records and professional databases
Client referrals and business partners
Subcontractors and project collaborators (with appropriate agreements)
Government agencies and regulatory bodies
Professional networking platforms and industry databases
4. How We Use Data
We use data for legitimate business purposes, including:
To fulfill service requests, contracts, or orders.
To communicate about projects, updates, and inquiries.
To issue invoices, process payments, and maintain financial records.
To provide comprehensive technical support through our internal IT service divisions for platform access, system maintenance, and troubleshooting.
To enhance the quality, efficiency, and relevance of our consulting services, we may analyze data to identify areas for improvement in our design methodologies, technical solutions, project delivery processes, and client support systems. This includes optimizing system performance, tailoring design recommendations to client-specific needs, and streamlining communication to ensure more responsive and effective service.
In addition, anonymized or pseudonymized data may be aggregated for benchmarking, predictive analysis, and industry trend evaluation, which enhances our ability to provide superior engineering insights and commercially advantageous recommendations for clients.
Internal Service Integration and Data Processing
As part of our integrated service delivery model, data may be processed across our internal service divisions and corporate group entities to:
Ensure seamless access to our proprietary platforms (ENTHIRAN and INAKKAM) through our internal IT infrastructure services.
Provide technical support, system maintenance, and platform upgrades through our specialized internal teams.
Enable secure data backup, cloud storage management, and cybersecurity monitoring across our corporate infrastructure.
Facilitate internal research and development activities aimed at improving service delivery methodologies.
Support quality assurance processes and performance optimization across all service touchpoints.
Use of Data for Training and Development
As part of our continuous commitment to excellence and innovation in MEP (Mechanical, Electrical, and Plumbing) consulting services, we may use certain data for internal training and professional development purposes across our corporate group and specialized internal divisions. This practice is carried out under strict confidentiality and in compliance with applicable data protection laws, such as the Information Technology Act, 2000, and the Digital Personal Data Protection (DPDP) Act, 2023.
Specifically:
Design Insights & Case Studies
Project data, such as system specifications, design challenges, energy usage metrics, and post-implementation feedback, may be anonymized and used to create internal case studies. These case studies help our engineering teams and internal service divisions better understand real-world applications, optimize system integration strategies, and improve overall design accuracy.
Skill Development & Technical Training
Select data may be used in technical training modules across our internal teams and service divisions to help junior engineers and project managers gain exposure to a variety of building typologies, load conditions, and performance issues. This enables hands-on learning that is grounded in actual project experience.
AI-Assisted Learning & Tool Enhancement
Project data, once anonymized or pseudonymized, may also contribute to the training of AI-based tools and predictive modeling systems developed and maintained by our internal technology divisions. These tools assist our team in performing faster simulations, energy modeling, and compliance checks—ultimately elevating the standard of service we offer.
Knowledge Sharing Across Teams
Lessons learned from completed projects, based on structured data, may be incorporated into internal best-practice libraries accessible to our entire corporate group and internal service divisions. This supports cross-functional learning and ensures consistency in quality across all client engagements.
Client Confidentiality & Consent
All data used for training purposes is handled with the utmost respect for client confidentiality across all divisions within our corporate structure. Data is either anonymized or used only after obtaining appropriate consent, in line with our privacy policy and legal obligations.
5. Internal Data Sharing Within Corporate Group
To ensure efficient service delivery and maintain the highest standards of technical excellence, data may be shared internally within our corporate group entities and specialized service divisions. This internal sharing is conducted under:
Strict confidentiality agreements and internal data protection protocols
Role-based access controls ensuring data is accessible only to authorized personnel with legitimate business needs.
Comprehensive audit trails and monitoring systems
Unified data security standards across all internal divisions
By engaging our services, you acknowledge and accept the Company’s Terms and Conditions as well as the provisions outlined in our Privacy Policy, including internal data processing across our corporate group for service delivery optimization.
6. Legal Basis for Data Processing
We process data based on the following specific legal grounds under applicable data protection laws:
6.1 Consent-Based Processing:
Customer’s explicit consent for marketing communications
Consent for processing across our corporate group for enhanced service delivery
Consent for using anonymized data for research and development purposes
6.2 Contract Performance:
Fulfillment of consulting agreements and service contracts
Project delivery through our internal specialized teams
Payment processing and financial record maintenance
6.3 Legitimate Business Interests:
Internal service optimization and quality enhancement
Security monitoring and fraud prevention
Professional development and training activities (using anonymized data)
Business continuity and disaster recovery
6.4 Legal and Regulatory Compliance:
Compliance with professional engineering standards
Regulatory reporting requirements
Legal retention obligations
Health and safety compliance across all corporate group entities
6.5 Vital Interests:
Protection of life, health, or safety in emergency situations
Critical infrastructure protection
7. Data Storage and Security
Data is securely stored in a protected, encrypted cloud environment managed through our internal IT infrastructure divisions in accordance with industry best practices and applicable data protection regulations. Select data elements—such as design requirements, system performance metrics, and feedback from completed projects—may be utilized to train and refine proprietary AI-driven tools and models developed and maintained by our internal technology teams. The purpose of this is to enhance our ability to deliver optimized MEP design solutions that are not only cost-effective and tailored to the unique needs of each client, but also technically robust, energy-efficient, and environmentally sustainable. These AI-enhanced capabilities enable us to provide more accurate simulations, better load forecasting, efficient system sizing, and integrated sustainability strategies, ultimately improving the overall quality and performance of our consulting services for all clients, including yourself.
Data shall be securely stored in protected systems across our internal infrastructure network with stringent access controls, ensuring compliance with internationally recognized data protection frameworks. We implement:
Data encryption (in transit and at rest) across all internal systems and divisions
Secure access controls with unified authentication across corporate group entities.
Firewalls and intrusion detection systems monitored by our internal cybersecurity teams
Periodic security audits conducted across all internal divisions and service entities
Access to data is restricted to authorized personnel within our corporate group with a business need to know.
7.1 Technical Safeguards:
Advanced encryption standards (AES-256) for data at rest and in transit
Multi-factor authentication for all system access
Network segregation and zero-trust architecture
Regular vulnerability assessments and penetration testing
Automated threat detection and incident response systems
7.2 Administrative Controls:
Role-based access control with principle of least privilege
Regular access reviews and user provisioning/deprovisioning
Background verification for personnel with data access
Confidentiality agreements for all staff and contractors
Data classification scheme with corresponding protection levels
7.3 Physical Security:
Secured data centers with biometric access controls
Environmental monitoring and disaster recovery systems
Secure disposal procedures for end-of-life equipment
Visitor access controls and activity logging
Backup storage in geographically separated locations
7.4 Monitoring and Compliance:
Continuous security monitoring and log analysis
Regular compliance audits and assessments
Key performance indicators for data protection
Executive reporting on security posture and incidents
Third-party security certifications and validations
8. Data Sharing and Disclosure
We do not sell data. We may share data only:
Within our corporate group and internal service divisions under strict confidentiality and security protocols
With trusted third-party service providers (e.g., IT support, payment processors) under binding agreements
With legal or regulatory authorities, if required by law
Within our corporate group, if applicable, under strict confidentiality terms
All third-party vendors and internal service divisions are contractually obligated to protect data in accordance with this policy and relevant regulations.
9. Data Retention
We retain data across our corporate group and internal divisions only as long as necessary to fulfill the purposes outlined in this policy or as required by applicable law, typically for:
Project duration plus legal retention period
Financial records: minimum of 8 years (as per accounting standards)
Customer support logs: 1–3 years, depending on context
Internal training and development data: As required for continuous service improvement, subject to anonymization protocols
10. Customer Rights
Depending on your jurisdiction (e.g., GDPR, CCPA, DPDP Act 2023), you may have the following rights:
Access your data processed across our corporate group
Request correction or deletion from all internal systems and divisions, subject to applicable legal retention requirements
Restrict or object to processing, including internal processing for service enhancement where legally permissible
Withdraw consent at any time, affecting all internal data processing activities based on consent
Request data portability in a structured, commonly used format
Object to automated decision-making including profiling activities
Service Continuity and Essential Data: To ensure continuity of engineering services and compliance with professional standards, we may retain certain project-related data necessary for:
Ongoing maintenance and support obligations
Regulatory compliance and professional liability requirements
Safety and structural integrity considerations
Legal retention requirements under applicable laws
Such retention will be limited to data strictly necessary for these purposes and will remain subject to all security and confidentiality provisions of this policy.
Requests can be submitted to our Data Protection Authority (see Section 20).
11. International Data Transfers
If data is transferred outside the country of origin, including transfers within our international corporate group entities, such transfers are conducted in accordance with applicable data protection laws and include appropriate safeguards such as:
Adequacy decisions recognized by relevant data protection authorities
Standard Contractual Clauses or equivalent transfer mechanisms
Binding corporate rules within our corporate group
Explicit consent for specific transfers where required
Additional security measures commensurate with transfer risks
12. Policy Updates
This Policy may be revised, amended, or updated periodically, and any material changes shall be duly communicated to customers through appropriate channels. Updates will be posted on our website or shared via email. Continued use of our services indicates acceptance of the updated terms, including any modifications to internal data processing practices.
Material changes will be communicated at least 30 days in advance where required by applicable law, and we will seek renewed consent where necessary for processing based on consent.
13. Third-Party Vendor and Partner Management
13.1 Vendor Selection and Onboarding:
Comprehensive due diligence including privacy and security assessments
Contractual Data Processing Agreements (DPAs) with all data processors
Vendor certification requirements and compliance validation
Regular security questionnaires and risk assessments
Background checks and financial stability verification
13.2 Ongoing Vendor Management:
Quarterly compliance monitoring and performance reviews
Annual security audits and penetration testing requirements
Incident response coordination and breach notification procedures
Service level agreements with privacy and security metrics
Regular contract reviews and renewal processes
13.3 Data Processor Categories: We may share data with the following categories of processors:
Cloud infrastructure and hosting providers
IT support and maintenance service providers
Professional services firms (legal, accounting, consulting)
Marketing and customer communication platforms
Analytics and business intelligence providers
Payment processing and financial services providers
13.4 International Vendor Compliance:
Adequacy decisions and appropriate safeguards for international transfers
Standard Contractual Clauses or equivalent transfer mechanisms
Regular compliance monitoring for cross-border data flows
Vendor data localization requirements where applicable
Termination procedures and data return/deletion protocols
14. Data Breach Notification Protocol
In the event of a confirmed or reasonably suspected data breach across any part of our corporate group or internal divisions, the Company shall promptly initiate incident response procedures. Affected customers and competent regulatory authorities shall be notified without undue delay, in compliance with the Digital Personal Data Protection Act, GDPR, CCPA, and other applicable regulations. Notifications shall specify the nature of the breach, categories of data affected, potential risks, and remedial measures being taken.
14.1 Breach Response Timeline:
Internal detection and assessment: Within 24 hours
Regulatory notification: Within 72 hours (where required)
Customer notification: Without undue delay, typically within 72 hours
Public disclosure: As required by applicable law and materiality thresholds
14.2 Notification Content:
Nature and scope of the personal data breach
Categories and approximate number of data subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact information for further inquiries
15. Employee Training and Accountability
All employees and contractors across our corporate group and internal service divisions with access to data shall undergo mandatory data protection and cybersecurity training at least annually. Compliance with such training shall be monitored, and violations of this policy shall be subject to disciplinary action, up to and including termination of employment or contract.
15.1 Training Components:
Data protection law fundamentals and updates
Company-specific privacy policies and procedures
Security awareness and incident response
Customer rights and request handling procedures
International transfer requirements and safeguards
15.2 Accountability Measures:
Regular assessment and certification of training completion
Performance metrics inclusion in employee evaluations
Incident reporting and lessons learned integration
Continuous improvement based on regulatory changes
Executive oversight and governance reporting
16. Data Minimization and Purpose Limitation
The Company shall adhere to the principles of data minimization and purpose limitation across all internal divisions and corporate group entities, ensuring that only data strictly necessary for lawful and legitimate purposes is collected and processed. Any processing beyond the originally intended purposes shall require renewed consent or a lawful basis duly documented.
16.1 Data Collection Standards:
Purpose specification before data collection
Relevance and necessity assessment for each data element
Regular review of data collection practices
Automated data retention and deletion procedures
Privacy by design implementation in new systems
16.2 Purpose Limitation Safeguards:
Clear documentation of processing purposes
Regular compatibility assessment for new uses
Consent refresh mechanisms for purpose changes
Data subject notification for material changes
Legal basis reassessment and documentation
17. Record of Processing Activities (RoPA)
In alignment with global best practices and regulatory requirements, the Company maintains comprehensive Records of Processing Activities covering all corporate group entities, documenting:
17.1 Processing Inventory:
Categories of personal data processed for each business function
Specific processing purposes and lawful bases
Data retention schedules by category and purpose
Categories of recipients and third-party processors
International transfer mechanisms and safeguards
17.2 Data Flow Mapping:
Data collection points and sources
Internal sharing protocols within corporate group
Third-party integrations and vendor relationships
Data storage locations and access controls
17.3 Risk Assessment Documentation:
Privacy impact assessments for high-risk processing
Security measures by data category and processing purpose
Breach response procedures and escalation protocols
Regular compliance monitoring and audit results
17.4 Regulatory Compliance:
Jurisdiction-specific processing requirements
Cross-border transfer compliance documentation
Data subject rights fulfillment procedures
Regulatory correspondence and audit trail
This record shall be made available to supervisory authorities upon lawful request and updated regularly to reflect changes in processing activities.
18. Data Subject Complaint and Grievance Redressal
The Company shall maintain a formal grievance redressal mechanism enabling customers to raise complaints regarding the processing of their personal data across any part of our corporate structure. Complaints shall be acknowledged and addressed within statutory timelines, and escalation mechanisms shall be available in the event of unresolved disputes.
18.1 Complaint Process:
Multiple submission channels (email, phone, web portal)
Acknowledgment within 48 hours of receipt
Investigation and response within 30 days (or as required by law)
Escalation procedures for unresolved complaints
Documentation and tracking of all complaints
18.2 Resolution Mechanisms:
Direct resolution through privacy office
Management escalation for complex issues
External mediation services where appropriate
Regulatory authority referral information
Appeals process for disputed resolutions
19. Data Protection Impact Assessments (DPIAs)
For high-risk processing activities, including large-scale processing of sensitive personal data or deployment of AI-driven decision-making tools across our internal technology divisions, the Company shall conduct Data Protection Impact Assessments. These DPIAs shall evaluate risks, mitigation strategies, and compliance measures, ensuring that privacy risks are proactively identified and managed across our entire corporate group.
19.1 DPIA Triggers:
Large-scale processing of sensitive personal data
Automated decision-making with legal effects
Systematic monitoring of public areas
New technology implementation with privacy implications
Cross-border data transfers to non-adequate countries
19.2 DPIA Process:
Risk identification and assessment methodology
Stakeholder consultation and input collection
Mitigation strategy development and implementation
Ongoing monitoring and review procedures
Regular updates based on operational changes
20. Contact Information
For questions, concerns, or data-related requests, please write to [email protected].
Response Timeline: Standard inquiries within 5 business days, rights requests within 30 days
21. Website Privacy and Cookie Management
21.1 Website Data Collection: When you visit our websites, we may collect:
Technical information (IP address, browser type, operating system)
Usage data (pages visited, time spent, click patterns)
Communication preferences and form submissions
Geographic location data (for service personalization)
21.2 Cookie Usage: We use cookies and similar technologies for:
Essential website functionality and security
Performance analytics and service improvement
Marketing personalization (with consent)
User preference storage and session management
21.3 Third-Party Integrations: Our websites may integrate with third-party services including:
Analytics platforms (Google Analytics, with anonymization)
Customer relationship management systems
Social media plugins and sharing tools
Live chat and customer support platforms
21.4 User Controls: You can control cookie preferences through:
Browser settings and privacy controls
Our cookie consent management platform
Opt-out mechanisms for marketing cookies
Direct contact with our privacy office for specific requests
For detailed information about our cookie usage, please refer to our separate Cookie Policy available on our website.
22. Jurisdiction-Specific Provisions
22.1 India (DPDP Act 2023) Compliance:
Data processing limited to specified purposes with explicit consent
Data localization requirements for critical personal data
Breach notification within 72 hours to Data Protection Board
Designated Grievance Officer for Indian residents
Consent withdrawal mechanisms and data portability rights
22.2 European Union (GDPR) Compliance:
Lawful basis documentation for all processing activities
Data Protection Impact Assessments for high-risk processing
Data Protection Authority appointment and contact details
Right to lodge complaints with supervisory authorities
Standard Contractual Clauses for international transfers
22.3 California (CCPA/CPRA) Compliance:
Detailed privacy notice with collection and sharing disclosures
Consumer rights including deletion, correction, and opt-out
Non-discrimination provisions for privacy rights exercise
Verified request procedures and identity verification
Third-party data sharing limitations and opt-out mechanisms
22.4 Other Jurisdictions: For residents of other jurisdictions with specific data protection laws, additional rights and protections may apply. Please contact our Data Protection Authority for jurisdiction-specific information and rights exercise procedures.
Document Control:
Classification: Internal & External Publication
Review Frequency: Annual or as required by regulatory changes
Next Review Date: September 2026
Approval Authority: Chief Privacy Officer and Legal Counsel
Distribution: All employees, website publication, customer communication