Privacy Policy

For account administration, website operation, security, analytics, legal compliance, and service management data, [Insert legal entity name], [Insert registered address], is the controller under the GDPR and the Data Fiduciary under India's Digital Personal Data Protection Act, 2023.

For CRM records, workspace content, mailbox data, documents, scheduling data, transcripts, platform accounts, webhook payloads, and other data submitted or configured by customers,Praxistructures generally acts as a processor, service provider, contractor, or Data Processor on behalf of the workspace customer. The workspace customer determines the purposes and means of that processing.

Privacy requests may be sent to privacy@studio.tarth.in. Security reports may be sent to security@studio.tarth.in.

We collect and process the following categories of information, depending on how you use the Service:

• Account data: email, hashed password, display name, first and last name, avatar URL, company, position, phone, website, bio, email verification status, account status, and timestamps.
• Authentication and security data: sessions, JWT metadata, refresh-token family metadata, password reset tokens, email verification tokens, account deletion tokens, IP address, user agent, failed login count, lockout status, audit logs, API key metadata, key prefixes, last-used timestamps, and last-used IP address.
• Workspace data: workspace names, slugs, descriptions, logos, tags, member roles, invitations, ownership transfers, API/MCP access, and workspace settings.
• CRM and sales data: contacts, companies, deals, activities, notes, tags, lifecycle stages, lead sources, lead statuses, addresses, social links, phone numbers, revenue fields, funding stage, close dates, tasks, meeting records, and metadata.
• Marketing data: posts, revisions, approvals, schedules, briefs, assets, platform handles, distribution settings, reactions, engagement threads, comments, authors, statuses, and publishing workflow metadata.
• Mailbox and email data: mailbox connection settings, encrypted credentials, OAuth tokens, email headers, subjects, sender and recipient addresses, message bodies, stripped message text, drafts, sent mail, attachments, sync status, and unsubscribe URLs.
• Documents and files: uploaded files, file names, MIME types, file sizes, folder structure, storage keys, file versions, and links to contacts, companies, or deals.
• Scheduling and calendar data: event types, availability schedules, booking attendee and guest name, email, phone, timezone, booking answers, meeting URLs, free/busy blocks, calendar provider event IDs, iCal feed tokens, workflow templates, and cancellation or rescheduling metadata.
• Integration data: encrypted Fireflies API keys, meeting transcript IDs, attendees, transcript segments, summaries, encrypted Bright Data API keys, scrape job IDs and results, Google and Microsoft OAuth data, and webhook endpoint URLs, secrets, payloads, response bodies, and delivery logs.
• Device, cookie, and analytics data: cookie consent state, page visits, browser and device signals, pages viewed, referrers, feature interaction events, and analytics identifiers where analytics consent is granted.

Praxistructuresdoes not intentionally require health data, biometric data, genetic data, precise geolocation, government identifiers, financial account credentials, children's data, racial or ethnic origin, religious or philosophical beliefs, union membership, sex life, sexual orientation, or similar sensitive information to operate ordinary accounts.

Because the Service includes free-text CRM fields, documents, mailbox sync, booking answers, transcripts, engagement logs, and integrations, customers or users may choose to submit data that is sensitive under GDPR Article 9, CPRA, U.S. state privacy laws, India DPDP/SPDI rules, HIPAA, GLBA, or other laws. Customers are responsible for providing required notices, obtaining consent or another lawful basis, and configuring the Service lawfully before uploading or routing such data.

The Service is not intended to process protected health information under HIPAA or nonpublic personal information regulated by GLBA unless Praxistructures has signed a separate written agreement, including any required business associate agreement or financial-services security addendum.

We collect personal data directly from users, workspace administrators, invited members, public booking attendees, customer-connected mailboxes and calendars, third-party integrations authorized by the customer, public or customer-provided sources used for enrichment, API and MCP clients, webhook systems, browser/device signals, and service providers that support security and platform operations.

We process personal data for the following purposes:

• Providing, operating, maintaining, and improving the Service.
• Creating accounts, authenticating users, and managing secure sessions.
• Managing workspaces, invitations, roles, permissions, and ownership transfers.
• Operating CRM, marketing, document, mailbox, scheduling, transcript, API, MCP, and webhook features.
• Sending transactional emails, booking messages, reminders, verification emails, and account notices.
• Protecting the Service against fraud, abuse, unauthorized access, spam, and security incidents.
• Maintaining audit logs, enforcing terms, resolving disputes, and complying with law.
• Using optional analytics to understand aggregate product usage where valid consent has been granted.

For GDPR purposes, legal bases may include contract performance, legitimate interests, consent, legal obligation, and customer instructions where we act as processor. We do not rely on legitimate interests for non-essential cookies or analytics where opt-in consent is required by ePrivacy law.

For India DPDP purposes, processing is based on consent, legitimate uses permitted by law, user-requested services, legal compliance, and customer instructions where we act as Data Processor. Consent may be withdrawn through the product, by contacting us, or through a legally recognized consent manager where available.

We use strictly necessary cookies and local storage to provide the Service. These include authentication cookies such as tarth.access and tarth.refresh, application preference cookies such as sidebar_state, route continuity cookies such as lastVisitedPage, encrypted Redux persistence, and cookie consent storage.

We use Google Analytics and Microsoft Clarity only after you grant analytics consent. Analytics storage, ad storage, ad user data, and ad personalization are denied by default. We do not use advertising cookies or enable Google signals for advertising personalization.

You may accept or reject optional analytics through the cookie banner or cookie settings control. Where legally required, we honor Global Privacy Control and comparable universal opt-out signals as an opt-out from optional analytics, sale, sharing, and targeted advertising.

We disclose personal data in the following circumstances:

• To workspace members according to workspace roles and permissions configured by the workspace owner or admin.
• To service providers and subprocessors that host, store, transmit, secure, analyze, or support the Service.
• To customer-authorized integrations such as Google, Microsoft, Fireflies, Bright Data, Resend, mailbox servers, and customer-configured webhook endpoints.
• To API clients, MCP clients, and AI agents authorized by a customer or user through credentials or OAuth flows.
• To professional advisers, courts, regulators, law enforcement, or government authorities where legally required or necessary to protect rights, safety, and security.
• In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate confidentiality and notice where required.

We do not sell personal data for money. We do not use Customer Data to train foundation models unless expressly agreed in writing. A current production subprocessor register will be maintained at [insert subprocessor URL] and may include infrastructure, database, object storage, email delivery, analytics, and integration providers.

Praxistructures may process personal data in India, the United States, the European Economic Area, and other locations where we or our service providers operate. For EEA, UK, and Swiss data, we rely on adequacy decisions, Standard Contractual Clauses, the UK IDTA or Addendum, transfer impact assessments, and supplementary safeguards where required.

For India, cross-border transfers will comply with DPDP Act Section 16 and any government-notified restrictions. Customers are responsible for ensuring their own transfer basis for Customer Data they upload, sync, scrape, or route through third-party integrations.

We retain personal data only as long as necessary for the purposes described in this Policy, unless a longer period is required for legal, tax, accounting, security, dispute, or compliance purposes.

• Account data is retained while the account is active and then deleted or anonymized after deletion, subject to legal holds.
• Sessions expire after their configured lifetime and expired or revoked sessions are pruned.
• Audit logs are retained for the configured period, currently 90 days by default unless extended for security or legal reasons.
• CRM, mailbox, document, marketing, transcript, booking, webhook, and workspace data are retained until deleted by the customer, account holder, or workspace owner, or until the workspace is terminated.
• Backups may persist for up to [30 to 90] days before deletion from backup systems.
• Webhook delivery logs and job logs are retained for debugging, reliability, and security for [insert retention period].

Some deletion requests may be fulfilled by deletion, de-identification, or restriction depending on the data type, our role, legal obligations, backup cycles, and customer instructions.

We use administrative, technical, and organizational safeguards designed to protect personal data, including TLS, bcrypt password hashing, hashed API keys, HTTP-only SameSite cookies, AES-256-GCM encryption for secrets and OAuth credentials, private object storage with presigned URLs, role-based access control, audit logging, rate limiting, token rotation, account lockout, and workspace isolation.

No system can be guaranteed secure. Users and customers are responsible for protecting passwords, API keys, webhook secrets, mailbox credentials, OAuth apps, and third-party accounts connected to the Service.

Depending on your jurisdiction and our role, you may request access, confirmation of processing, correction, completion, updating, deletion, restriction, portability, objection, withdrawal of consent, limitation of sensitive data use, opt-out of sale, sharing, targeted advertising, or certain profiling, appeal of a denied request, and non-discrimination for exercising privacy rights.

EU, UK, and Swiss individuals may exercise rights under GDPR Articles 15 to 22 and may lodge a complaint with a supervisory authority. California residents may exercise CCPA/CPRA rights, including rights to know, delete, correct, opt out of sale or sharing, limit sensitive personal information, and avoid discrimination. Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other applicable U.S. states may exercise rights under their state privacy laws, including appeal rights where available.

India Data Principals may request access to processing information, correction, completion, updating, erasure, grievance redressal, withdrawal of consent, and nomination of another person to exercise rights in the event of death or incapacity.

Submit requests to privacy@studio.tarth.in. We may verify your identity before fulfilling a request. If your request concerns Customer Data controlled by a workspace customer, we may direct the request to that customer or support the customer in responding.

The Service is intended for business users who are at least 18 years old. We do not knowingly collect personal data from children under 13 in the United States, children under the applicable GDPR member-state digital consent age, or children under 18 in India without legally required verifiable parental or guardian consent.

Customers must not use booking forms, CRM records, mailbox sync, documents, transcripts, or integrations to intentionally collect children's data unless they have obtained all legally required consents and have a written agreement withPraxistructures covering that processing.

Praxistructures provides APIs and MCP access for customer-authorized automation. We do not make solely automated decisions that produce legal or similarly significant effects about individuals. Customers must not usePraxistructures, APIs, MCP clients, or connected AI agents for high-risk decisions involving employment, credit, housing, insurance, education, healthcare, criminal justice, essential services, or similar areas unless they independently satisfy all applicable laws, including GDPR Article 22 and the EU AI Act where applicable.

We will assess suspected personal data breaches and notify affected customers, regulators, and individuals as required by GDPR, the DPDP Act and rules, U.S. state breach notification laws, and our contractual obligations. Customers must promptly notify us of suspected credential compromise, unauthorized API use, webhook compromise, or unauthorized access to Customer Data.

We may update this Policy to reflect changes in law, technology, subprocessors, or the Service. Material changes will be notified through the Service, email, or another legally appropriate method. Where consent is required for a new processing activity, we will request consent.