Skip to main content

Privacy Policy

Effective Date: May 2026

1. Introduction

This Privacy Policy describes how DMSJoy (operated by Xillentech Software Private Limited, the legal entity behind the product) collects, uses, stores, and protects personal data of individuals who interact with our website at dmsjoy.com, who request a demo or contact us, or who use our Dealer Management System product (the "Service").

We act as a Data Controller (or, in jurisdictions that use the term, a Data Fiduciary) for personal data we collect directly (website visitors, demo requests, marketing leads) and as a Data Processor for personal data processed on behalf of our customers (vehicle data, customer data, service records entered into the DMSJoy product by OEM and dealer staff). This policy is written to comply with the major privacy regulations that apply to our customers — including the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act / CPRA (CCPA), India's Digital Personal Data Protection Act, 2023 (DPDP), and similar regimes (e.g., LGPD in Brazil, PIPEDA in Canada). Specific regional rights are summarised below.

2. Information We Collect

2.1 Website visitors

When you visit dmsjoy.com, we collect basic technical information through analytics cookies — including IP address, browser type, device type, pages viewed, and referring URL. We do not collect personally identifying information automatically.

2.2 Demo requests and marketing forms

When you submit our demo request form, we collect the information you provide: full name, company / OEM name, email address, country / region (optional), number of dealerships, vehicle types of interest, and any free-text message. This information is used only to respond to your enquiry and to communicate with you about DMSJoy.

2.3 Product users

When OEM and dealership staff use the DMSJoy product, the platform processes data including (but not limited to) vehicle records (VIN, motor and battery serials), customer records (name, contact, identity-verification artifacts where required by local subsidy programs), service histories, warranty claims, financial transactions, and operational telemetry. This data is owned by the OEM or dealer customer who licenses DMSJoy; we process it as their Data Processor under a Data Processing Agreement.

3. How We Use Information

We use the information we collect for the following purposes:

  • To respond to demo requests, sales enquiries, and support requests
  • To provide, maintain, and improve the Service
  • To communicate product updates, security notices, and material changes to this policy
  • To analyse aggregate website usage for product and marketing improvements
  • To meet legal, regulatory, and contractual obligations
  • To detect and prevent fraud, abuse, or unauthorised access

We do not sell, rent, or trade your personal data. We do not use the data of OEM or dealer customers' end-customers for our own marketing.

4. Legal Bases for Processing (GDPR / UK GDPR)

For individuals in the EU, UK, or other jurisdictions where it applies, we rely on the following legal bases:

  • Consent — for analytics cookies, marketing communications, and optional form fields.
  • Contract — to deliver the Service to customers under a signed Order Form.
  • Legitimate interests — to operate the website, prevent fraud, and improve the product, balanced against your rights.
  • Legal obligation — to comply with applicable law, including tax and accounting requirements.

5. Data Storage, Residency, and Security

DMSJoy supports configurable regional data residency. Customer data is stored in the region(s) the customer selects, in line with their regulatory requirements (e.g., EU regions for GDPR-bound customers, US regions for US-based customers, Indian regions for DPDP-bound customers). All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Access to production systems is restricted to authorised engineering personnel via multi-factor authentication and role-based access controls. Every administrative action is logged with user identity, timestamp, and IP address. Automated daily backups are retained for thirty (30) days. Our disaster recovery objectives are RPO under one hour and RTO under four hours.

We are pursuing ISO 27001 and SOC 2 Type II certification. Our security practices meet these standards today; formal certification is in progress.

6. Your Rights

Depending on the privacy regulation that applies to you, you may have the following rights, all of which DMSJoy supports:

  • Right to access — obtain a copy of the personal data we hold about you
  • Right to correction / rectification — correct inaccurate or outdated data
  • Right to erasure / "right to be forgotten" — request deletion of personal data we hold
  • Right to restrict processing — limit how we process your data in certain circumstances
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — to processing based on legitimate interests, including direct marketing
  • Right to withdraw consent — at any time where processing is based on consent
  • Right to opt out of "sale" or "sharing" of personal information (CCPA / CPRA)
  • Right to non-discrimination for exercising your privacy rights (CCPA / CPRA)
  • Right to grievance redressal through our designated officer (DPDP Act)
  • Right to nominate a representative in case of incapacity or death (DPDP Act)

To exercise any of these rights, email us at hello@dmsjoy.com. We will respond within the time limits prescribed by the applicable regulation (typically 30–45 days).

7. Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority and (where required) affected individuals within the timelines prescribed by the applicable regulation — typically 72 hours under GDPR / DPDP Act, and as soon as reasonably practicable under CCPA and other regimes.

8. Cookies

dmsjoy.com uses a small number of analytics cookies (Google Analytics 4) to understand aggregate site usage. These cookies do not personally identify you. We do not use advertising or third-party tracking cookies. You can disable cookies in your browser settings without losing access to the website's content.

9. Third-Party Services

We rely on a small number of trusted third-party service providers to operate our website and product. These include:

  • Google Analytics — for aggregate website usage analytics
  • Cloud hosting providers — for product hosting in your selected region
  • Email service providers — for transactional and marketing email delivery

Each provider is governed by a Data Processing Agreement that requires them to handle data in line with our security and privacy commitments, including Standard Contractual Clauses (SCCs) where cross-border transfers occur.

10. International Data Transfers

Where personal data is transferred across borders — for example, between our engineering offices in the USA, UK, Canada, UAE, and India for support purposes — we rely on appropriate safeguards including Standard Contractual Clauses (for EU/UK transfers), adequacy decisions where applicable, and equivalent mechanisms under other regulations. Our customer data residency commitments are maintained regardless of where support occurs.

11. Data Retention

We retain demo request data for 24 months after the last meaningful interaction, unless you ask us to delete it earlier. Website analytics data is retained for 14 months. Product data is retained for the duration of your customer agreement and for 90 days after termination, after which it is deleted unless a longer retention period is required by law.

12. Children's Privacy

DMSJoy is a business-to-business product. We do not knowingly collect personal data from individuals under the age of 18 (or the equivalent age threshold in your jurisdiction). If you believe we have collected such data inadvertently, please contact us and we will delete it.

13. Changes to This Policy

We may update this policy from time to time as the law evolves and as our practices improve. Material changes will be communicated via email to active customers and via a prominent notice on dmsjoy.com at least 30 days before they take effect. The "Effective Date" at the top of this page is updated whenever the policy is revised.

14. Contact

For privacy-related queries, including requests to exercise your rights, contact our designated privacy officer:

If you are not satisfied with our response, you may file a complaint with the supervisory authority in your jurisdiction (e.g., your local Data Protection Authority in the EU/UK, the California Privacy Protection Agency, the Data Protection Board of India, or the equivalent authority where you reside).

15. Effective Date

This policy is effective from May 2026.