Privacy Notice — Privly

Introduction

This Privacy Notice is published by Privly (Privly, referred to as "we", "us", or "our"). It explains what personal data we collect about you, why we collect it, and how we use, protect, and share it. Please read this notice carefully before using our products or services.

We collect, use, store, and share your personal data in accordance with the Digital Personal Data Protection Act, 2023 ("the Act") and the Digital Personal Data Protection Rules, 2025. This notice is version 1.0 and is effective from 20 March 2026.

This notice applies to all personal data we collect through our website at https://privly.in, our mobile applications, and any products or services we provide to you. It does not apply to websites or services run by third parties, even if you reach them through a link on our platform.

Definitions

In this notice, the following terms have the meanings given to them in the Digital Personal Data Protection Act, 2023:

**Personal Data** means any information that relates to you as an individual and by which you can be identified, directly or indirectly.

**Data Principal** means you — the individual to whom the personal data belongs. Where the Data Principal is a child, the term also covers their parent or lawful guardian acting on their behalf.

**Data Fiduciary** means any person or organisation that decides the purpose and means by which personal data is processed. Privly is the Data Fiduciary for the personal data described in this notice.

**Data Processor** means any person or organisation that processes personal data on behalf of a Data Fiduciary, under a written contract.

**Consent** means your free, specific, informed, unconditional, and unambiguous agreement — given through a clear affirmative action — to the processing of your personal data for a stated purpose. You may withdraw your consent at any time.

**Processing** means any operation performed on your personal data, including collection, recording, storage, use, sharing, or deletion.

Personal Data We Collect

When you sign up, make a purchase, or otherwise use our services, you provide us with personal data about yourself. The types of personal data we collect include: email address, company name, payment card details, full name, and mobile phone number.

To set up and administer your account, we collect your name, work email address, company name, job title, and country. You and your team members may also add content, data, and configuration settings — including API credentials — through our platform; we refer to this as your service data and it belongs to you.

When you visit our website or use our app, we automatically collect technical information about your device and connection. This includes your IP address, device type and model, operating system version, browser type and language, and the date and time of each visit.

How We Use Your Personal Data

We use your name, email address, and contact details to create and manage your account, send you important notices such as password resets and renewal reminders, and allow you to sign in securely. We do not use these details to contact you for marketing purposes unless you have separately consented to that.

When you contact us for help, we use the information you provide — including your name, contact details, and a description of your issue — to respond to your request and resolve your concern. We may retain a record of our interactions to improve the quality of our support.

We may process and retain your personal data where we are required to do so by applicable law, regulation, court order, or government authority. This includes retaining financial records for tax purposes, responding to lawful requests from public authorities, and complying with sector-specific regulations that apply to our business.

We use personal data such as your IP address, device information, and activity logs to protect our platform from fraud, unauthorised access, and abuse. This helps us detect suspicious activity, investigate potential security incidents, and keep your account safe.

We analyse aggregated and anonymised data about how you use our platform — such as features used and time spent — to understand what is working well and where we can improve. Where possible, we anonymise this data so that it can no longer be linked back to you as an individual.

We use your account and usage data to provision and maintain your access to our services, measure your usage against your subscription plan, generate invoices, and provide technical support when you contact us. Service data you store within our platform is processed only on your instruction and for no other purpose.

With your separate consent, we use your contact details and purchase history to send you promotional messages, offers, and updates about our products and services through the following channels: email_marketing and promotional_offers. You can withdraw this consent at any time and we will stop sending you marketing communications.

We use automated technologies, including artificial intelligence and machine learning, to process your personal data for the following purposes: personalization. No decision that significantly affects you is made by automated means alone — a human review is always available, and you may request one by contacting us.

Lawful Basis for Processing

For most of the personal data we collect, the lawful basis for processing is your consent, which you give when you create an account, make a purchase, or accept this notice before using our services. You may withdraw your consent at any time — see the Withdrawing Your Consent section for how to do so.

In certain situations, we may process your personal data without consent where this is permitted as a lawful use under Section 7 of the Digital Personal Data Protection Act, 2023. These situations include: complying with a legal obligation or court order, responding to a medical emergency that threatens your life or safety, processing data in connection with your employment with us, and performing functions required by law to be carried out in the public interest.

Sharing Your Data with Third Parties

We share your personal data with third parties only where necessary to provide our services, comply with a legal obligation, or protect our legitimate interests. In all cases, we share only the minimum personal data required for the stated purpose. We do not sell, rent, or transfer your personal data to any third party for their own commercial use.

The service providers we use to operate our business — such as companies that host our servers, process payments, send communications, or provide analytics — are Data Processors (service providers who process personal data on our behalf) under the Digital Personal Data Protection Act, 2023. We appoint each service provider under a written contract that requires them to process your personal data only on our instruction and for no other purpose. We remain responsible for how your data is handled by our service providers.

We may disclose your personal data to government bodies, courts, law enforcement agencies, or regulatory authorities when required by applicable law, a court order, or a lawful direction issued by a competent authority. We will disclose only the minimum amount of personal data necessary to comply with the requirement, and where we are legally permitted to do so, we will inform you of any such disclosure.

We use Vercel to host our platform and store your personal data on secure cloud infrastructure. Vercel processes your data only on our instruction and under a data processing agreement that prohibits any use of your data for its own commercial purposes.

We share your payment and transaction details with Razorpay, our payment processing partner, to process your purchases, issue refunds, and prevent fraud. We do not store your full payment card number — payment data is processed and secured by Razorpay in accordance with applicable industry security standards.

We use Resend to send you transactional messages — such as order confirmations, password resets, and service notifications — and, where you have separately consented, marketing communications. Resend processes your name, email address, and communication preferences only to deliver messages on our behalf.

When your organisation uses our platform and provides us with personal data belonging to its own users or employees, we process that data only as a Data Processor acting on your organisation's instruction. Your organisation remains the Data Fiduciary responsible for that personal data — including for providing appropriate notice to, and obtaining consent from, its own Data Principals. Our Data Processing Agreement, available on request, sets out the terms of this arrangement in full.

Data Storage and International Transfers

We store and process personal data on servers located in outside_india. This means that some of your personal data may be transferred to and processed in United States by our infrastructure and service providers, including Vercel. We only transfer personal data to countries that are not restricted by the Central Government under Section 16 of the Digital Personal Data Protection Act, 2023. All such transfers are subject to appropriate safeguards: [TRANSFER SAFEGUARDS]. Regardless of where your data is processed, we apply the same protections described in this notice.

Security Safeguards

We protect your personal data using appropriate technical and organisational security measures, including encryption of data in transit and at rest, access controls that restrict personal data to authorised personnel only, and regular security assessments and employee training. No method of transmission or storage is completely secure, and we cannot guarantee absolute security, but we continuously review and improve our safeguards to address new and emerging threats.

If you believe your personal data has been compromised, or if you become aware of a suspected security incident involving our services, please report it to us immediately at privacy@privly.in so that we can investigate and take appropriate action.

Data Retention and Deletion

We keep your personal data only for as long as is necessary for the purpose for which it was collected, or for as long as is required or permitted by applicable law. Once a purpose is fulfilled and there is no legal reason to retain the data, we erase it or anonymise it so that it can no longer be linked to you.

Where deletion is carried out automatically at the end of a scheduled retention period, we will notify you by email 48 hours before your account data is due to be deleted, giving you the opportunity to contact us before the deletion takes effect. We retain records of our processing activities for a minimum period of 1 year as required by the Digital Personal Data Protection Rules, 2025.

Personal Data Breach Notification

If we become aware that your personal data has been affected by a breach — such as unauthorised access, accidental disclosure, or loss — we will notify you without delay. Our notification will be in plain language and will describe the nature of the breach, the personal data affected, the likely consequences, the steps we have taken or intend to take to address it, and a contact point where you can ask questions or seek assistance. We will also notify the Data Protection Board of India as required by the Digital Personal Data Protection Act, 2023.

Your Rights as a Data Principal

You have the right to ask us to confirm whether we hold your personal data and, if so, to provide you with a summary of the personal data we hold about you, the purposes for which we process it, and the names of the Data Processors we have engaged to process it on our behalf.

You have the right to ask us to correct personal data we hold about you that is inaccurate, incomplete, or out of date. You also have the right to ask us to erase your personal data when it is no longer needed for the purpose for which it was collected, or when you have withdrawn your consent and we have no other lawful basis to retain it.

You have the right to raise a grievance with us about the way we have collected, used, shared, or stored your personal data. We will acknowledge your grievance promptly and provide a substantive response within the period stated in the Grievance Officer section of this notice.

You have the right to nominate another person to exercise your rights under the Digital Personal Data Protection Act, 2023 in the event of your death or incapacity. To register or update a nomination, please write to us using the contact details in the Grievance Officer section of this notice.

You have the right to withdraw your consent to our processing of your personal data at any time. Withdrawing your consent does not affect the lawfulness of any processing we carried out while your consent was in place. See the Withdrawing Your Consent section of this notice for how to withdraw and what happens when you do.

If you are not satisfied with how we have handled your grievance, you have the right to file a complaint with the Data Protection Board of India. See the Complaints to the Data Protection Board section of this notice for how to do this.

To exercise any of the rights described in this section, please send your request by email to privacy@privly.in. We may ask you to verify your identity before we act on your request, to ensure we do not disclose or delete another person's data in error.

We will respond to your request within 30 of receiving it. If your request is particularly complex or we have received a large number of requests at the same time, we will notify you and keep you informed of the extended timeline.

Complaints to the Data Protection Board

If you are not satisfied with our response to a grievance, or if we fail to respond within the prescribed period, you have the right to file a complaint with the Data Protection Board of India — the independent statutory authority established under the Digital Personal Data Protection Act, 2023 to adjudicate complaints from Data Principals. Before filing a complaint with the Board, you must first raise your grievance with us using the contact details in the Grievance Officer section of this notice and allow us the opportunity to respond. Once our response period has elapsed, you may file your complaint through the Board's official portal; details of the complaint process are available from the Ministry of Electronics and Information Technology at meity.gov.in.

Withdrawing Your Consent

You can withdraw your consent to our processing of your personal data at any time. We will make withdrawing your consent as simple as it was to give it — your ability to withdraw will not be conditional on completing additional steps, providing justifications, or agreeing to other terms.

To withdraw your consent, use privacy@privly.in. Your withdrawal will take effect promptly — we will stop processing your personal data for the purpose to which your consent applied and will send you a written confirmation.

Withdrawing your consent may affect your access to our services in certain cases. Service may be discontinued. Where you withdraw consent only for non-essential processing — such as marketing communications or analytics — your access to our core services will not be affected.

Children's Data

Our services are intended for persons aged 18 and above. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected personal data from a person under 18, we will delete it promptly. If you believe we hold personal data belonging to a minor, please contact us at the details in the Grievance Officer section of this notice.

Marketing and Promotional Communications

With your separate consent, we send promotional messages, offers, and updates about our products and services through the following channels: email. Marketing consent is always separate from your consent to use our services — you can opt out at any time using the following methods: email. Opting out of marketing will not affect your access to our services or the transactional messages we send you, such as order confirmations and service notifications.

Links to Third-Party Websites

Our platform may contain links to websites, apps, or services operated by third parties. We have no control over the content, privacy practices, or security of those external services, and this notice does not apply to them. We recommend that you read the privacy notice of any third-party service before you submit personal data to it.

Changes to This Privacy Notice

We may update this notice from time to time. If we make changes that materially affect how we use your personal data, we will notify you before the changes take effect — by email, by an in-app notification, or by a prominent notice on our website at https://privly.in. Changes that involve a new or different purpose of processing will require your fresh consent before we proceed. This notice is version 1.0 and is effective from 20 March 2026.

Grievance Officer / Contact Person

For any questions, concerns, or complaints about this notice or our data practices, or to exercise any of your rights under the Digital Personal Data Protection Act, 2023, please contact our designated Grievance Officer: Jay Kanakiya, Founder — Email: privacy@privly.in, Phone: +919819984770, Postal Address: 601/59 Gokul, 60 Feet Road, Ghatkopar East, Mumbai 400077.

We will acknowledge your grievance within 72 hours of receipt and provide a substantive response within 30. If your grievance is particularly complex, we will notify you of any extended timeline and the steps we are taking to resolve your concern.