Policies

MachineMax

Privacy Policy

What does this Privacy Notice cover?

This privacy notice provides information regarding the processing of your personal data when usingMachineMax services (“MachineMax” or “we”) whether as:
  1. a Machine Max customer
  2. a MachineMax supplier, business partner or stakeholders and/or investor;
  3. a visitor to a MachineMax website (“Website” or “MachineMax Website”); and/or
  4. a user of the MachineMax Application or other accessory or linked applications(“MachineMax Apps”).
Applicable privacy laws and our role:
- Depending on where you are located and how you interact with us, this Privacy Notice is intended to address applicable requirements under the UK GDPR, EU GDPR, the UK Data Protection Act 2018, and, where applicable, India’s Digital Personal Data Protection Act, 2023 (“DPDPA”) and rules made under it.
- Where the GDPR applies, MachineMax acts as a controller for the personal data described in this Privacy Notice, unless we state otherwise. Where the DPDPA applies, MachineMax acts as a Data Fiduciary for digital personal data for which we determine the purpose and means of processing. Where we process personal data only on behalf of a customer under that customer’s instructions, we act as a processor or Data Processor.

This notice explains what personal data is processed, for which purposes, how long we hold the personal data for, how to access and update your personal data, as well as the options you have regarding your personal data and where to go for further information. For information about personal data processed byMachineMax in relation to individuals who are current or former employees, interns or individual contractors as well as dependents listed as emergency contacts of MachineMax employees (staff), please refer to the internal Employee Privacy Notice.

Special Notice – children’s personal data

- Our services are not intended for children. If you are under 16 years old, or under 18 years old where India’s DPDPA applies, please do not send us your personal data unless your parent or lawful guardian does so on your behalf or gives any required consent.
- Where the DPDPA applies, we will not knowingly process a child’s personal data without verifiable consent from the parent or lawful guardian where required. We will not knowingly undertake tracking or behavioural monitoring of children or targeted advertising directed at children where prohibited by applicable law.

What personal data do we process?

We process personal data from and in relation to individuals who are, or who work for or on behalf of orwho are shareholders in our business customers, suppliers, business partners, stakeholders, visitors to our Website and/or investors in the following categories:
  • Private contact information (such as name, postal or e-mail address, and phone number) only if necessary;
  • Business contact and other information (such as job title, department, name of organization and your dealings with MachineMax on behalf of yourself or the relevant business customer, supplier, business partner and/or investor);
  • Information that we obtain through your use of MachineMax services and/or MachineMaxApplications - we will also collect information about how and where you use yourMachineMax applications or purchase MachineMax services and products. Such information may include electronic device information, IP addresses, log information, browser type and preferences, location information, online identifiers to enable ‘cookies’ and similar technologies.
In addition, in order to comply with legal and regulatory obligations, to protect MachineMax’s assets and employees/contractors and specifically to ensure that MachineMax can comply with trade control, anti-money laundering and/or bribery and corruption laws and other regulatory requirements, we carry out screening on existing business counter parties and potential business counter-parties pre-contract and on a periodic basis post-contract. This screening includes individuals such as directors, officers, sole traders, shareholders and key stakeholders of our current and potential counter parties. This screening takes place against publicly available, or government issued sanctions lists and media sources.

This data may include personal data regarding suspected and actual criminal behaviour, criminal records or proceedings regarding criminal or unlawful behaviour but only for the purposes of ensuring MachineMax compliance with legal and regulatory obligations and/or to the extent permitted or required by local law.

The screening does not result in any automated decision making in relation to the counter parties or potential counter parties.
Who is responsible for any personal data collected?
MachineMax Limited, a company registered in The United Kingdom with registered number 11322220 whose registered office is at Shell Centre, SE1 7NA, London, United Kingdom.

Privacy contact:
- For questions about this Privacy Notice, our processing of personal data, or to exercise privacy rights, you may contact us at info@machinemax.com.
- Where applicable, your request will be routed to the appropriate privacy contact, Data Protection Officer, or grievance redressal contact.
For what purposes do we process the personal data?
We process personal data covered by this Privacy Notice for the following purposes:
(or for a secondary purpose where it is closely related, for example such as storing or deleting it).
  • Business execution including researching, developing and improving products or services; concluding and executing agreements with customers, suppliers and business partners; recording and settling services, products and materials to and from MachineMax; managing relationships and marketing such as maintaining and promoting contact with existing and prospective customers, account management, customer service, and development, execution and analysis of market surveys and marketing strategies
  • Organisation and management of the business including financial management, asset management, mergers, de mergers, acquisitions and divestitures, implementation of controls, management reporting, analysis, internal audits and investigations.
  • Health, safety and security including protection of an individual’s life or health, occupational health and safety, protection of MachineMax and staff, authentication of individual status and access rights; or
  • Legal and/or regulatory compliance including compliance with legal or regulatory requirements including litigation and defence of claims.
  • or for a secondary purpose where it is closely related, such as:
  • storing, deleting or anonymising personal data;
  • fraud prevention, audits, investigations, dispute resolution or insurance purposes, litigation and defence of claims; or statistical, historical or scientific research.
Communication and marketing
You may receive offers on behalf of the relevant business customer, supplier or business partner. On all occasions you will be given the opportunity to use the unsubscribe functionality through the different digital channels we use to interact with you.
What are the legal bases for processing the personal data?
The personal data covered by this Privacy Notice is only processed:
  • in order to take steps at the request of an individual prior to entering into a contract;
  • where it is necessary to comply with a legal or regulatory obligation to which MachineMax is subject to;
  • where it is necessary for the purposes of the legitimate interests pursued by MachineMax, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual/s; or
  • (only if legally required) with the explicit consent of the individual.
In those cases where processing is based on consent, and subject to applicable local law which provides otherwise, you have the right to withdraw your consent at any time. This will not affect the validity of the processing prior to the withdrawal of consent.

Where India’s DPDPA applies, we process digital personal data only for a lawful purpose and on the basis of consent or another permitted use under applicable law. Where processing is based on consent, you may withdraw consent at any time by contacting us at info@machinemax.com or through any consent-management mechanism we make available. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.
How do we protect personal data?
We have implemented technology and policies with the objective of protecting your privacy from unauthorised access and improper use. In particular, we may use encryption for some of our services, we apply authentication and verification process for access to MachineMax services and we regularly test, assess and evaluate the effectiveness of our security measures.

Personal data breach notification: If we become aware of a personal data breach, we will assess it and notify affected individuals, regulators, customers, and/or other relevant parties where required by applicable law and contractual obligations. Where GDPR applies, we will notify the competent supervisory authority where required by law and notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms. Where the DPDPA applies, we will notify the Data Protection Board of India and affected Data Principals in the form and manner required by applicable law.
Who will we share the personal data with?
The personal data covered by this Privacy Notice is exclusively processed for the purposes referred to above and will only be shared on a strict need to know basis with:
  • Authorized third party agents, service providers and/or subcontractors of MachineMax;
  • A competent public authority, government, regulatory or fiscal agency where it is necessary to comply with a legal or regulatory obligation to which MachineMax is subject to or as permitted by applicable local law.
  • Companies which control MachineMax or other companies within such group of companies, to the extent such transfer is necessary for the purposes of meeting regulatory requirements at group level and/or provision of services by the group companies to MachineMax.
Where we engage third-party service providers, agents, subcontractors, or Data Processors to process personal data on our behalf, we require them to process personal data only for authorised purposes, under appropriate contractual, confidentiality, security, and data protection obligations.
Interacting with MachineMax through social media
If you choose to interact with MachineMax through social media on a MachineMax administered social media page such LinkedIn, your personal data (such as your name, your profile picture and the fact that you are interested in MachineMax) will be visible to all visitors of your personal webpage depending on your privacy settings on the relevant social media platform and will also be visible to MachineMax. You can delete any information that you share on these sites at any time through your relevant social media platform’s account. MachineMax does not track your activity across the different social media sites that you use. If you send a message to MachineMax via any messenger service on a social media platform, these messages are held for no longer than one month after receipt. Please contact MachineMax if you wish to make a request that you are unable to action yourself and which relates to a MachineMax SocialMedia Page - see the section below ‘Your rights in relation to your personal data’.Additionally and to the extent MachineMax is jointly responsible with a social media platform of aMachineMax Social Media Page, MachineMax will have access through the social media platform to aggregated data providing statistics and insights that help to understand the types of actions you take onMachineMax Social Media Pages. For more information on how your personal data are processed on those social media platforms, including any targeted advertising that you may receive, please refer to your privacy settings accessible through your relevant social media platform’s account.
Transfers of personal data
Where the personal data has been transferred to authorized third parties located outside of your country(including outside of the European Economic Area) we take organizational, contractual and legal measures to ensure that your personal data is exclusively processed for the purposes mentioned above and that adequate levels of protection have been implemented in order to safeguard your personal data. You can request more information about the applicable data transfer mechanisms by contacting info@machinemax.com .
Where GDPR applies and personal data is transferred outside the UK, EEA, or other applicable jurisdiction, we rely on an applicable adequacy decision, standard contractual clauses, the UK International Data Transfer Agreement or UK Addendum, or another lawful transfer mechanism.
Where the DPDPA applies, transfers of digital personal data outside India will be carried out subject to applicable restrictions, requirements, or government notifications under Indian law.

What are the consequences of not providing personal data?
Personal data gathered by MachineMax for these processes either directly or indirectly is required in order to:
  • Fulfil legal requirements and/or which is required for entering into a contract with a counterparty and continuing to contract with that counterparty
  • Maintain contact with Business customers, suppliers and business partners.
  • A competent public authority, government, regulatory or fiscal agency where it is necessary to comply with a legal or regulatory obligation to which Machine Max is subject to or as permitted by applicable local law.
Failure to provide us with the information required will negatively affect our ability to communicate with you, or our ability to enter into a contract with a counterparty or continuing to contract with a counterparty.
How long do you hold any personal data for?
Any personal data that is required for the purposes of conclusion and execution of agreements with business customers, suppliers and business partners or for considering bids or tenders will be held during the duration of the contractual relationship and up to 15 years after. Data related the screening against publicly available or government issued sanctions lists and media sources is held for no longer than 15years after it was first gathered.
In all cases information may be held for a) a longer period of time where there is a legal or regulatory reason to do so (in which case it will be deleted once no longer required for the legal or regulatory purpose) or b) a shorter period where the individual objects to the processing of their personal data and there is no longer a legitimate purpose to retain it.
We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Notice, unless a longer retention period is required or permitted by law, contract, audit, tax, accounting, regulatory, dispute-resolution, security, or legitimate business requirements.
Where the DPDPA applies, and unless retention is necessary for compliance with law, we will erase digital personal data when the Data Principal withdraws consent or when it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier.
Your rights in relation to your personal data
Subject to applicable law and any legal limitations, you may have the following rights in relation to your personal data.

GDPR Privacy Rights to Data Subjects

Where the EU GDPR or UK GDPR applies, you have certain rights as a data subject. These rights may include:
Right to access
You have the right to request access to your personal data and to obtain a copy of the personal data we hold about you, together with supplementary information about how we process it.

Right to rectification
You have the right to ask us to correct inaccurate personal data or complete incomplete personal data that we hold about you.

-Right to erasure / right to be forgotten
You have the right to ask us to delete or remove your personal data where it is no longer necessary for the purpose for which it was collected or processed, or where another legal ground for erasure applies.

-Right to restrict processing
You have the right to ask us to restrict the processing of your personal data in certain circumstances.

-Right to data portability
You have the right to receive personal data that you have provided to us in a structured, commonly used, machine-readable format, and to request that we transmit that data to another controller where technically feasible and legally required.

-Right to object to processing
You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis for processing. You also have the right to object at any time to processing of your personal data for direct marketing purposes, including related profiling.

-Right not to be subject to solely automated decision-making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where permitted by applicable law.

-Right to withdraw consent
Where we process your personal data based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.

-Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data infringes applicable data protection law.

DPDPA Privacy Rights to Data Principals

Where India’s Digital Personal Data Protection Act, 2023 applies, you have certain rights as a Data Principal. These rights may include:
Right to access information about personal data
You have the right to obtain information about your personal data being processed by us, including a summary of the personal data being processed and processing activities, where required by applicable law.

Right to correction, completion, updating, and erasure
You have the right to request correction of inaccurate or misleading personal data, completion of incomplete personal data, updating of personal data, and erasure of personal data, subject to applicable legal requirements and retention obligations.

Right to withdraw consent
Where we process your personal data based on consent, you have the right to withdraw your consent at any time by contacting us or through any consent-management mechanism we make available. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.

Right to grievance redressal
You have the right to submit a grievance regarding our processing of your personal data. We will respond to grievances in accordance with applicable law.

Right to approach the Data Protection Board of India
If your grievance is not resolved through our grievance redressal process, you may have the right to approach the Data Protection Board of India in the manner provided under applicable law.

Right to nominate
You have the right to nominate another individual to exercise your rights in the event of your death or incapacity, in accordance with applicable law.
To exercise your rights, please contact info@machinemax.com and provide enough information for us to verify your identity and process your request.
Who can you contact if you have a query, concern or complaint about your personal data?
If you have any issues, queries or complaints regarding the processing of your personal data please contact us at info@machinemax.com and we will facilitate the communication channel to the Chief Privacy Officer(Data Protection Officer).

If you are unsatisfied with the handling of your personal data by MachineMax, then you have the right to lodge a complaint to your own data protection authority or the Dutch Data Protection Authority whose address is Prins Clauslaan 60, 2595 AJ The Hague, Netherlands. Please visit https://autoriteitpersoonsgegevens.nl/en for more information.
Cookies and similar technologies
MachineMax may use cookies and similar technologies that aim to collect and store information when you visit MachineMax website. This is to enable MachineMax to identify your internet browser and collect data on your use of our website, which pages you visit, the duration of your visits and identify these when you return so that we improve your experience when visiting our website(s). You can control and set your cookies preferences by setting your browser settings – for more information, please refer to the CookiePolicy at https://machinemax.com/cookie-policy.
Changes to this Privacy Notice
This Privacy Notice was last updated on 08 June 2026.

Version: 2.0
Effective date: 08 June 2026.
Last reviewed: 08 June 2026.
Policy owner: Mohindar Singh
Approved by: Nikhil Kumar Aremanda
Approval date: 08 June 2026.
Published location: MachineMax Privacy Policy page
Previous version: 1.0 – 25 November 2021
Summary of changes: Updated GDPR and DPDPA rights, lawful processing, children's data, breach notification, processor obligations, international transfers, retention, and version-control details.