Privacy Policy

1.1 Information You Provide Directly. We collect information that you voluntarily provide to us when you:

• (a) Submit a Contact Form: We collect your name, email address, company name, and the content of your message. This information is stored in our secure Firebase Firestore database and is used solely to respond to your inquiry;
• (b) Engage Our Services: We may collect additional information necessary to provide consulting or development services, including business information, project briefs, financial information for invoicing, and communication records;
• (c) Create an Account: For administrative users, we collect an email address and encrypted password credential;
• (d) Communicate with Us: We collect and retain records of communications including emails, WhatsApp messages, and phone call records to the extent permitted by law.

1.2 Information Collected Automatically. When you visit the Site, we and our service providers may automatically collect certain technical information, including:

• (a) Log Data: IP address, browser type and version, operating system, referring URLs, pages viewed, links clicked, and the date and time of your visit;
• (b) Device Information: Hardware model, operating system version, unique device identifiers, and mobile network information;
• (c) Usage Data: Information about how you use the Site, including which sections you visit, how long you spend on each page, and navigation patterns;
• (d) Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect and store certain information. See Section 8 for details.

1.3 Information from Third Parties. We may receive information about you from third-party sources, including business partners, analytics providers, and advertising networks. We may combine this information with information we already have about you, subject to applicable law.

1.4 Sensitive Information. We do not intentionally collect special categories of sensitive personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) through the Site. If you choose to share such information with us in the course of an engagement, we will handle it with heightened care in accordance with applicable law.

2.1 Primary Purposes. We use the information we collect for the following primary purposes:

• (a) To respond to your inquiries, contact form submissions, and communications;
• (b) To provide, operate, maintain, and improve our Services;
• (c) To process and fulfill engagements, including invoicing and delivery of Work Product;
• (d) To send transactional and service-related communications, including confirmations, technical notices, and support messages;
• (e) To verify your identity and administer accounts;
• (f) To monitor and analyze usage trends to improve user experience and Site functionality.

2.2 Marketing Communications. With your prior consent where required by applicable law, we may use your contact information to send you marketing communications about our services, case studies, methodologies, and other content we believe may be of interest to you. You may opt out of marketing communications at any time by following the unsubscribe instructions contained in the email or by contacting us directly.

2.3 Legal and Compliance Purposes. We may use your information to comply with applicable legal obligations, respond to lawful requests from public authorities (including law enforcement), enforce our Terms of Service, protect the rights, property, or safety of MellowKraft, our users, or the public, and investigate potential violations of our policies.

2.4 Aggregated and Anonymized Data. We may aggregate and anonymize personal data such that it can no longer be used to identify you, and use such aggregated or anonymized data for research, analytics, benchmarking, and the improvement of our services, without limitation.

3.1 Lawful Bases. If you are located in the European Economic Area (EEA) or the United Kingdom, our processing of your personal data is subject to the General Data Protection Regulation (GDPR) or the UK GDPR, as applicable. We rely on the following legal bases for processing your personal data:

• (a) Contractual Necessity (Article 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract;
• (b) Legitimate Interests (Article 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by us, except where such interests are overridden by your interests or fundamental rights and freedoms;
• (c) Consent (Article 6(1)(a) GDPR): Where you have provided your explicit consent to the processing of your personal data for one or more specific purposes, including marketing communications;
• (d) Legal Obligation (Article 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which we are subject.

3.2 Withdrawing Consent. Where our processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. To withdraw consent, please contact us using the details in Section 15.

4.1 Service Providers. We share personal information with third-party vendors and service providers that perform services on our behalf, including but not limited to:

• (a) Google Firebase / Google Cloud: We use Firebase Authentication and Cloud Firestore for user authentication and database storage. Google's privacy policy governs data processed by Firebase. Firebase infrastructure may process and store data in servers located outside India;
• (b) Cloudflare, Inc.: Our website is hosted and delivered via Cloudflare Pages and the Cloudflare CDN, which processes connection metadata including IP addresses for DDoS protection and performance optimization;
• (c) Communication Providers: We use email service providers and Meta Platforms, Inc. (WhatsApp) to facilitate communications. WhatsApp Business communications are subject to Meta's Privacy Policy.

4.2 Business Transfers. If MellowKraft is involved in a merger, acquisition, reorganization, sale of all or substantially all of its assets, or bankruptcy or insolvency proceeding, your personal information may be transferred as part of such transaction. We will notify you via email and/or a prominent notice on the Site if such a transaction results in a material change to this Privacy Policy.

4.3 Legal Requirements. We may disclose your personal information where required to do so by law, government authority, or pursuant to legal process, including in response to a court order, subpoena, or government demand. We will use reasonable efforts to notify you of such required disclosure to the extent permitted by law.

4.4 Protection of Rights. We may disclose information to protect and defend the rights, property, or safety of MellowKraft, its users, or others, including exchanging information with other companies and organizations for fraud protection and credit risk reduction.

4.5 No Sale of Personal Data. We do not sell, rent, or trade your personal information to third parties for their independent commercial use or marketing purposes.

5.1 Retention Periods. We retain personal information for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, and reporting obligations, and as described in this Privacy Policy. Specific retention periods include:

• (a) Contact Form Submissions: Retained for a minimum of three (3) years from the date of submission, or longer if an active commercial relationship develops from the inquiry;
• (b) Client Engagement Records: Retained for a minimum of seven (7) years from the conclusion of the engagement, as required for financial and legal recordkeeping obligations;
• (c) Website Log Data: Retained for a period of up to ninety (90) days by our hosting and CDN providers, after which they are automatically purged;
• (d) Authentication Credentials: Retained for the duration of the account's existence plus a period of one (1) year following account deletion.

5.2 Deletion Requests. To request deletion of your personal data, please see Section 6.3 of this Privacy Policy. We will respond to deletion requests within thirty (30) days, subject to applicable legal retention obligations.

6.1 Access and Portability. You have the right to request access to the personal information we hold about you and to receive a copy of such information in a structured, commonly used, and machine-readable format. To make such a request, please contact us using the information in Section 15.

6.2 Correction. You have the right to request correction of any inaccurate or incomplete personal information we hold about you. We will use commercially reasonable efforts to correct the information promptly upon verification of your identity and the accuracy of the correction requested.

6.3 Deletion ("Right to be Forgotten"). Subject to applicable law, you may request that we delete the personal information we hold about you. We will comply with such requests unless retention of such data is required for compliance with a legal obligation, the establishment, exercise, or defense of legal claims, or other legitimate purposes permitted under applicable law.

6.4 Restriction of Processing. In certain circumstances, you have the right to request that we restrict the processing of your personal information, for example, while the accuracy of data is being contested or where processing is unlawful.

6.5 Objection to Processing. Where we process your personal information based on our legitimate interests, you have the right to object to such processing. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for legal claims.

6.6 Marketing Opt-Out. You may opt out of receiving marketing communications from us by clicking the "unsubscribe" link in any email we send, or by contacting us directly. Please note that even after opting out of marketing communications, you will continue to receive transactional or service-related messages.

6.7 Complaints. If you believe that we have not complied with your data protection rights, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction. For Indian residents, this may include the Data Protection Board of India once established under the Digital Personal Data Protection Act, 2023.

7.1 Security Measures. We implement and maintain appropriate technical and organizational security measures designed to protect the personal information we collect against unauthorized access, disclosure, alteration, and destruction. These measures include:

• (a) Transport Layer Security (TLS/HTTPS) encryption for all data transmitted between your browser and our servers;
• (b) Firebase Firestore security rules restricting database read and write access based on authentication state;
• (c) Firebase Authentication with email/password for administrative access;
• (d) Cloudflare's enterprise-grade DDoS protection and network security;
• (e) Restricted access to production systems on a need-to-know basis.

7.2 No Absolute Security. While we use commercially reasonable efforts to protect your personal information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your personal information. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately.

7.3 Data Breach Notification. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and where feasible within seventy-two (72) hours of becoming aware of the breach, to the extent required by applicable law.

8.1 What Are Cookies. Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites work more efficiently, to provide business and marketing information, and to personalize your experience. We use both "session" cookies (which expire when you close your browser) and "persistent" cookies (which remain on your device until deleted).

8.2 Types of Cookies We Use.

• (a) Strictly Necessary Cookies: These cookies are essential for the operation of the Site and cannot be switched off. They include cookies that enable Firebase Authentication sessions and CSRF protection;
• (b) Performance and Analytics Cookies: These cookies allow us to count visits and understand how visitors interact with the Site, so that we can measure and improve its performance;
• (c) Functional Cookies: These cookies enable the Site to provide enhanced functionality and personalization, such as remembering your preferences.

8.3 Managing Cookies. Most web browsers are set to accept cookies by default. You can usually modify your browser settings to decline cookies if you prefer. However, please note that disabling cookies may affect the functionality of certain parts of the Site, including authentication features. Instructions for managing cookies in common browsers can be found at the respective browser's support documentation.

8.4 Do Not Track. Some browsers include a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want to have your online activity tracked. Our Site does not currently respond to DNT signals because a uniform technological standard for DNT has not yet been established.

9.1 Cross-Border Transfers. MellowKraft is operated from India. However, some of our service providers (including Google Firebase and Cloudflare) may process or store your data in countries other than India, including the United States and European Union member states. These countries may have data protection laws that differ from those of India.

9.2 Safeguards. Where personal data is transferred outside of India, we ensure that appropriate safeguards are in place to protect your personal data, including relying on standard contractual clauses or other transfer mechanisms as required by applicable law. By using the Services, you consent to the transfer of your personal information to countries outside your country of residence, including countries that may not provide the same level of data protection as your home country.

10.1 Age Restriction. The Services are not directed to, intended for, or designed to attract individuals under the age of eighteen (18). We do not knowingly collect personal information from persons under the age of eighteen (18). If we learn that we have inadvertently collected personal information from a child under age 18, we will take steps to delete the information as soon as reasonably possible.

10.2 Parental Notification. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us at the details in Section 15, and we will take steps to remove such information from our systems.

11.1 Applicability. To the extent applicable, MellowKraft will comply with the Digital Personal Data Protection Act, 2023 (DPDPA) and any rules, regulations, or guidelines issued thereunder by the Government of India or the Data Protection Board of India.

11.2 Data Fiduciary Obligations. As a Data Fiduciary under the DPDPA, MellowKraft will: (a) process personal data only for lawful purposes as specified in this Privacy Policy; (b) implement appropriate security safeguards; (c) notify the Data Protection Board and affected data principals in the event of a personal data breach in the manner prescribed; (d) erase personal data when the purpose for which it was collected is no longer being served; and (e) publish the business contact information of a person who can answer on behalf of MellowKraft any question raised by a data principal about the processing of personal data.

11.3 Data Principal Rights. As a data principal under the DPDPA, you have the right to: (a) obtain information about processing of your personal data; (b) request correction and erasure of your personal data; (c) nominate a person to exercise rights on your behalf in the event of your death or incapacity; and (d) grieve any act or omission of MellowKraft in violation of the DPDPA by filing a complaint with the Data Protection Board of India.

12.1 External Links. The Site may contain links to third-party websites, platforms, and services that are not owned or controlled by MellowKraft. This Privacy Policy applies only to information collected by or through the Site. We have no control over and assume no responsibility for the privacy practices, content, or policies of any third-party sites or services. We encourage you to review the privacy policies of every site you visit.

12.2 Embedded Content. The Site may include embedded content from third-party services such as Google Fonts and CDN providers. These services may collect data about you including your IP address and browser information. Their use of such data is governed by their respective privacy policies.

13.1 Applicability. If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) may provide you with additional rights regarding our use of your personal information.

13.2 Categories Collected. In the preceding twelve (12) months, we may have collected the following categories of personal information: identifiers (name, email address, IP address); internet or other electronic network activity information (browsing history on our Site); and commercial information (records of services purchased or considered).

13.3 California Rights. California residents have the right to: (a) know about personal information collected, disclosed, or sold; (b) delete personal information collected; (c) opt-out of the sale or sharing of personal information (we do not sell personal information); (d) non-discrimination for exercising CCPA rights; and (e) correct inaccurate personal information. To exercise these rights, contact us as described in Section 15.

14.1 Right to Update. We reserve the right to update or change this Privacy Policy at any time. The date of the most recent revision is indicated at the top of this document. If we make material changes to how we treat our users' personal information, we will notify you by posting a notice on the Site and, where we have your email address, by sending you an email notification.

14.2 Review of Updates. We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. Your continued use of the Site after we make changes to this Privacy Policy will be deemed your acceptance of those changes.

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, or if you wish to exercise any of the rights described in this Policy, please contact our Privacy Team through any of the following channels:

To protect your privacy and security, we may take reasonable steps to verify your identity before granting access to, correcting, or deleting your personal information.