PRIVACY POLICY

This Policy governs all personal data processed by the Company in the course of:

• Operating the Website, including contact forms, newsletter sign-ups, and live chat widgets
• Delivering contracted Services to Clients, including handling Client-provided data, end-user data within applications we develop, and project-related credentials
• Managing digital marketing and paid advertising campaigns on behalf of Clients, including audience data processed through advertising platforms
• Providing hosting and maintenance services, including server logs, access credentials, and database administration
• Recruitment, vendor onboarding, and B2B partnership communications

Where the Company acts as a 'Data Processor' or 'Service Provider' (processing personal data on behalf of a Client who determines the purpose and means of processing, e.g. end-user data within a Client's mobile app), a separate Data Processing Agreement (DPA') between the Company and the Client shall govern such processing, and this Policy applies supplementally. Where the Company acts as a 'Data Controller' (e.g., for Website visitors and our own marketing), this Policy applies directly.

INFORMATION WE PROVIDE DIRECTLY

• Identity Data: Full name, job title, company name, government-issued identifiers (PAN, GSTIN, Aadhaar masked reference) where required for invoicing or compliance
• Contact Data: Email address, phone number, WhatsApp number, billing and shipping address
• Financial Data: Bank account details, UPI ID, payment card tokens (processed via PCI-DSS compliant gateways — we do not store full card numbers), billing history, GST registration details
• Project Data: Business requirements, brand assets, source code, API keys, login credentials, server access tokens, design files, and other materials shared for the purpose of delivering Services
• Communications Data: Emails, call recordings (where consented), meeting notes, chat transcripts, and support tickets
• Recruitment Data: Resume/CV, work history, educational qualifications, and interview notes, for individuals applying to work with us

INFORMATION COLLECTED AUTOMATICALLY

• Device and Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution
• Usage Data: Pages visited, time spent, click patterns, scroll depth, referral source, exit pages
• Location Data: Approximate geographic location derived from IP address (country/city level only, not precise GPS unless separately consented)
• Cookies and Tracking Technologies: As detailed in our separate Cookie Policy

SPECIAL / SENSITIVE CATEGORIES OF DATA

In the course of certain engagements (e.g., healthcare or fintech client projects), we may process sensitive personal data on behalf of Clients, including:

• Financial information (bank details, transaction history, credit information) for fintech-related projects
• Health-related data for healthcare or wellness application projects
• Biometric data (e.g., fingerprint or facial recognition data) where a Client's application requires such functionality

• Consent: Where you have given clear consent for us to process your data for a specific purpose (e.g., newsletter subscription, marketing cookies)
• Contractual Necessity: Where processing is necessary to perform a contract with you or take steps prior to entering into a contract (e.g., delivering contracted Services)
• Legal Obligation: Where processing is necessary to comply with a legal or regulatory obligation (e.g., tax and accounting records)
• Legitimate Interests: Where processing is necessary for our legitimate business interests (e.g., improving our Services, fraud prevention, B2B business development), provided such interests are not overridden by your rights and freedoms

We do not sell personal information for monetary consideration. We may disclose personal information to the following categories of recipients, under appropriate confidentiality and data protection obligations:

SUB-CONTRACTORS AND FREELANCERS

We may engage freelance developers, designers, or specialist contractors to deliver specific aspects of a Project. Such individuals are bound by confidentiality agreements and granted access strictly on a need-to-know basis.

CORPORATE TRANSACTIONS

In connection with a merger, acquisition, restructuring, or sale of business assets, personal information may be transferred to the acquiring entity, subject to equivalent confidentiality protections.

LEGAL AND REGULATORY DISCLOSURES

We may disclose personal information where required by law, regulation, legal process, or governmental request, including to tax authorities, law enforcement agencies, or courts of competent jurisdiction.

MAINTAINING A LIST OF SUB-PROCESSORS

A current list of key third-party sub-processors used in connection with our Services is available upon written request to our Data Protection contact (see Section 16).

As a global technology services provider, we may transfer, store, access, or process personal information in countries outside your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction.

Such transfers may occur where our employees, affiliates, subcontractors, cloud service providers, hosting providers, or other authorized service providers operate in different jurisdictions.

SAFEGUARDS FOR INTERNATIONAL TRANSFERS

Where required by applicable data protection laws, we implement appropriate safeguards to ensure that personal information transferred internationally remains adequately protected.

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries that benefit from an adequacy decision issued by relevant authorities
• Contractual data protection obligations imposed on service providers and business partners
• Technical and organisational security measures designed to protect personal information during transfer and storage

TRANSFER RISK MANAGEMENT

• Assessment of recipient jurisdiction data protection standards
• Vendor due diligence and security reviews
• Encryption of data in transit and at rest where appropriate
• Access controls and monitoring mechanisms
• Periodic review of international transfer arrangements

We retain personal information only for as long as necessary to fulfil the purposes described in this Policy, comply with legal obligations, resolve disputes, enforce agreements, and protect our legitimate business interests.

Retention periods vary depending on the nature of the information, applicable legal requirements, contractual obligations, and operational needs.

Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised, unless a longer retention period is required by law or necessary to establish, exercise, or defend legal claims.

We implement a layered, risk-based security framework appropriate to the sensitivity of the data processed, including

ENHANCED CONTROLS FOR SENSITIVE DATA

For engagements involving financial, health, or biometric data categories, we apply additional controls including data minimisation, pseudonymisation where feasible, restricted environment access, and enhanced audit logging.

Our Website uses cookies, web beacons, and similar tracking technologies. Full details, including the categories of cookies used, their purpose, duration, and how to manage your preferences, are set out in our separate Cookie Policy, which forms part of this Privacy Policy by reference.

Our Website and Services are intended for business use by individuals who are at least 18 years of age. We do not knowingly collect personal data from children. Where our Clients build applications intended for use by minors (e.g., EdTech platforms), the Client, as Data Controller, is responsible for ensuring compliance with applicable children's privacy laws (such as COPPA in the US, or relevant provisions under DPDPA and GDPR), and we will implement technical measures as instructed by the Client's DPA to support such compliance.

RIGHTS UNDER DPDPA (INDIA)

• Right to access information about personal data processed and the processing activities
• Right to correction and completion of inaccurate or incomplete personal data
• Right to erasure of personal data once the purpose of processing is no longer being served
• Right to grievance redressal through our designated Grievance Officer
• Right to nominate another individual to exercise rights on your behalf in case of death or incapacity

RIGHTS UNDER GDPR (EEA DATA SUBJECTS)

• Right of access to your personal data (Article 15)
• Right to rectification of inaccurate data (Article 16)
• Right to erasure / 'right to be forgotten' (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object to processing based on legitimate interests or for direct marketing (Article 21)
• Right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal
• Right to lodge a complaint with your local Data Protection Authority

To exercise any of the above rights, please submit a verifiable request via the contact details in Section 16. We will respond within the timeframe required under applicable law (30 days under DPDPA/GDPR in most cases; 45 days under CCPA, extendable as permitted).

We do not use your personal data for automated decision-making that produces legal or similarly significant effects concerning you, except where explicitly required for fraud detection in payment processing, which is conducted by our payment gateway partners under their own published policies.

Our Website and the applications we develop for Clients may contain links to, or integrations with, third-party websites, plugins, or services (e.g., social media login, payment gateways, map services). We are not responsible for the privacy practices of such third parties, and we encourage you to review their respective privacy policies.

For engagements involving high-risk processing activities (e.g., large-scale processing of sensitive categories of data, systematic monitoring, or new technologies), we support Clients, where contracted to do so, in conducting Data Protection Impact Assessments (DPIAs) as required under GDPR Article 35 or equivalent provisions under applicable law.

We may update this Policy periodically to reflect changes in our practices, technologies, legal, or regulatory requirements. Material changes will be notified via email (where we hold your contact details) or through a prominent notice on our Website at least 15 days prior to the change taking effect, except where immediate change is required by law. The 'Last Updated' date at the top of this Policy reflects the most recent revision.

In accordance with the Information Technology Act, 2000, the DPDPA, and as a contact point for GDPR/CCPA-related queries, we have designated the following Grievance Officer / Data Protection Contact:

If you are based in the EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority, in addition to contacting us directly.

This Privacy Policy shall be governed by and interpreted in accordance with the laws of India, without prejudice to any mandatory rights you may have under the GDPR (if you are located in the EEA) or the CCPA/CPRA (if you are a California resident), which shall apply concurrently to the extent legally required.