PRIVACY POLICY

Effective Date: 15 August 2022

Last Updated: [February 2026]

This privacy policy (“Policy”) explains how Scribble Data Private Limited or any of its affiliates or subsidiaries (“Scribble Data”, “We”, “Us”, “Our”) processes Personal Data collected from You in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and DPDP Rules, 2025.

IMPORTANT UPDATES FOR DPDP ACT COMPLIANCE

This Privacy Policy has been updated to comply with India’s Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. Key changes include:

  • Enhanced consent management procedures
  • Data breach notification protocols (72-hour reporting)
  • Expanded Data Principal rights and grievance mechanisms
  • Multilingual privacy notice availability

1. DEFINITIONS

Terms not specifically defined herein shall have the meaning ascribed thereto in the License Agreement, Service Agreement, or the DPDP Act, 2023.

1.1. “Data Fiduciary” means any person who alone or in conjunction with others determines the purpose and means of processing of Personal Data. Scribble Data acts as a Data Fiduciary when collecting Personal Data as described in Section 2.

1.2. “Data Principal” means the individual to whom the Personal Data relates. In this Policy, “You” and “Your” refer to Data Principals.

1.3. “Data Processor” means any person who processes Personal Data on behalf of a Data Fiduciary.

1.4. “Personal Data” means any data about an individual who is identifiable by or in relation to such data.

1.5. “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, use, disclosure, or erasure.

1.6. “Data Protection Board” means the Data Protection Board of India established under Section 18 of the DPDP Act.

2. PERSONAL DATA COLLECTED BY US

2.1. Data You Provide Directly:

  a) Account Information: When You purchase a license or subscription to Scribble Products, We collect Your name, email address, billing address, phone number, and authentication information.
  b) Website Interactions: When You submit forms, provide feedback, participate in surveys, or use interactive features on Our Website(s).
  c) Event Participation: Contact information collected when You attend webinars, seminars, or visit Our office.
  d) Employment Applications: Resume and related information when You apply for positions with Us.

2.2. Data We Collect Automatically:

  a) Technical Information: Device type, operating system, IP address when You use Scribble Products or visit Our Website(s).
  b) Cookies and Similar Technologies: As described in Section 10 (Cookie Policy).

2.3. Data from Third Parties: We may receive Personal Data from business partners, social media platforms, marketing databases, and single sign-on services, but only where We have verified that these third parties have appropriate legal basis to share Your data with Us.

3. LEGAL BASIS FOR PROCESSING AND CONSENT

3.1. DPDP Act Compliance (Indian Residents):

Under the DPDP Act, We process Your Personal Data on the following legal bases:

  a) Consent: For most processing activities, We obtain Your free, specific, informed, unconditional, and unambiguous consent through clear affirmative action.
  b) Legitimate Uses: As permitted under Section 7 of the DPDP Act, including:
    • Performance of contracts and service delivery
    • Compliance with legal obligations
    • Prevention and detection of fraud
    • Employment-related processing

3.2. How We Obtain Consent:

When We collect Your Personal Data, We provide a clear privacy notice that includes:

  • Description of Personal Data being collected
  • Purpose for which data will be processed
  • How You can exercise Your rights (access, correction, erasure)
  • How to withdraw consent
  • How to file complaints with the Data Protection Board

3.3. Right to Withdraw Consent:

You may withdraw Your consent at any time by:

  • Contacting Our Privacy Officer at privacy@scribbledata.io
  • Using the consent management tools provided in Your account settings
  • Clicking ‘unsubscribe’ links in marketing communications

Upon withdrawal, We will cease processing Your Personal Data for that purpose, except where We have a legal obligation to retain it.

3.4. Children’s Data:

We do not knowingly collect Personal Data from children under 18 years of age without verifiable parental or guardian consent. If We collect data from children, We obtain consent through mechanisms verified by:

  • Existing information on record
  • Details provided by parent/guardian
  • Virtual tokens from authorized entities or Digital Locker verification

4. PURPOSES FOR WHICH PERSONAL DATA WILL BE PROCESSED

We process Your Personal Data only for specific, explicit, and legitimate purposes:

  a) Facilitate access to Website(s) and Scribble Products
  b) Process and complete payment transactions
  c) Provide product updates, new features, and service communications
  d) Perform contractual obligations
  e) Organize events and conduct marketing activities (with separate consent)
  f) Investigate and prevent fraud, unauthorized access, and illegal activities
  g) Personalize Website(s) and Scribble Products
  h) Evaluate job applications
  i) Technical support and customer service
  j) Security and integrity of Scribble Products
  k) Improve services and conduct research (anonymized where possible)

5. DATA BREACH NOTIFICATION

5.1. Definition of Personal Data Breach:

Under the DPDP Act, a Personal Data Breach means any unauthorized processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to Personal Data that compromises confidentiality, integrity, or availability.

5.2. Our Notification Obligations:

In the event of a Personal Data Breach, We will:

  a) Notify the Data Protection Board of India within 72 hours of becoming aware of the breach
  b) Notify affected Data Principals within 72 hours of becoming aware of the breach

5.3. Breach Notification Contents:

Our breach notifications will include:

  • Nature and extent of the breach
  • Categories and approximate number of affected Data Principals
  • Types and approximate volume of Personal Data involved
  • Date, time, and location of the breach
  • Likely consequences of the breach
  • Measures taken or proposed to mitigate harm
  • Contact information for further inquiries

6. SHARING OF PERSONAL DATA

6.1. Data Processors:

We share Personal Data with Data Processors who provide services on Our behalf, including:

  • Cloud hosting providers (Google Cloud Platform)
  • Payment processing services
  • Analytics and monitoring services
  • Marketing and communication platforms

All Data Processors are contractually bound to process Personal Data only as per Our instructions and maintain appropriate security measures compliant with the DPDP Act.

6.2. Legal Disclosure:

We may disclose Personal Data when required by law, including:

  • Response to lawful requests by public authorities
  • Compliance with court orders or legal processes
  • Protection of Our legal rights
  • Prevention of fraud or illegal activities

7. INTERNATIONAL TRANSFER OF PERSONAL DATA

7.1. Cross-Border Transfers:

We may transfer Personal Data outside India to:

  • Our affiliates and subsidiaries
  • Data Processors providing services
  • Cloud infrastructure providers (including United States)

7.2. Safeguards:

We ensure international transfers comply with Section 16 of the DPDP Act by:

  a) Transferring data only to countries not restricted by the Indian Government
  b) Implementing Standard Contractual Clauses approved by authorities
  c) Ensuring recipients provide adequate data protection standards
  d) For SaaS deployments using Google Cloud Platform, relying on EU-US Data Privacy Framework and Google’s Standard Contractual Clauses

8. RETENTION AND DELETION OF PERSONAL DATA

8.1. Retention Principles:

We retain Personal Data only as long as necessary for the purposes stated in this Policy or as required by law.

8.2. Specific Retention Periods:

  a) Account Data: Duration of active subscription plus 7 years for financial records
  b) Marketing Data: Until consent is withdrawn or 3 years of inactivity
  c) Technical Logs: 90 days unless required for security investigation
  d) Job Applications: 1 year from application date

8.3. Deletion Procedures:

When retention periods expire or consent is withdrawn, We will securely delete or anonymize Personal Data unless legal obligations require continued retention. We also instruct Our Data Processors to delete Your data.

9. SECURITY OF PERSONAL DATA

We implement reasonable security safeguards as required under Section 8 of the DPDP Act, including:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access, multi-factor authentication, principle of least privilege
  • Security Monitoring: 24/7 intrusion detection, regular vulnerability assessments, penetration testing
  • Compliance Frameworks: SOC 2 Type II, ISO 27001 alignment
  • Incident Response: Documented procedures for breach detection and response
  • Employee Training: Regular security awareness and DPDP compliance training

10. YOUR RIGHTS AS A DATA PRINCIPAL

Under the DPDP Act, You have the following rights:

10.1. Right to Access:

You can request:

  • Summary of Personal Data being processed
  • Identities of Data Fiduciaries and Data Processors with access
  • Other relevant information about data processing activities

10.2. Right to Correction and Completion:

You can request correction of inaccurate Personal Data or completion of incomplete Personal Data.

10.3. Right to Erasure:

You can request deletion of Your Personal Data, except where We have a legal obligation to retain it.

10.4. Right to Withdraw Consent:

You can withdraw consent at any time. This will not affect the lawfulness of processing conducted prior to withdrawal.

10.5. Right to Grievance Redressal:

You can file grievances regarding Personal Data processing with Our Privacy Officer or directly with the Data Protection Board of India.

10.6. Right to Nominate:

You may nominate another individual to exercise Your rights in the event of death or incapacity.

10.7. How to Exercise Your Rights:

Contact Our Privacy Officer at: privacy@scribbledata.io

We will respond to Your requests within a reasonable timeframe, typically within 30 days of verification.

For marketing communications, click ‘unsubscribe’ in emails or contact Us directly.

11. COOKIE POLICY

11.1. What Are Cookies:

Cookies are small text files placed on Your device that collect information about Your browsing behavior. Under the DPDP Act, cookies that collect Personal Data require Your consent.

11.2. Types of Cookies We Use:

  a) Essential Cookies (No Consent Required): Enable core functionality like security, authentication, and network management. You cannot opt out of these cookies, but may disable them in browser settings.
  b) Analytics Cookies (Consent Required): Help Us understand website usage through aggregated data.
  c) Customization Cookies (Consent Required): Remember Your preferences and settings.
  d) Advertising Cookies (Consent Required): Track website visits to deliver relevant advertisements.

11.3. Cookie Consent Management:

We use CookieYes, a DPDP-compliant consent management platform, to:

  • Display cookie consent banners with clear choices
  • Provide granular consent options by cookie category
  • Record and store consent preferences
  • Allow easy withdrawal or modification of consent
  • Maintain auditable consent logs

11.4. Managing Cookie Preferences:

You can change Your cookie preferences at any time by clicking the cookie settings link in Our website footer or by visiting Your browser settings.

12. GRIEVANCE REDRESSAL AND CONTACT INFORMATION

12.1. Privacy Officer / Grievance Officer:

Designation: Privacy Officer

Email: privacy@scribbledata.io

Address: No. 40, 4th Floor, Lakshmi Complex, Fort A Road, Kalasipalya, Bangalore 560002, India

Response Time: We aim to respond to all grievances within 30 days of receipt

12.2. Data Protection Board of India:

If You are not satisfied with Our response or wish to file a complaint directly, You may contact the Data Protection Board of India. Details will be available at: [Board website URL when available]

13. MULTILINGUAL PRIVACY NOTICE

As required under Rule 3 of the DPDP Rules, 2025, this Privacy Policy is available in English. If you require this Policy in any other language included in the Eighth Schedule of the Indian Constitution, please contact our Privacy Officer. We will make reasonable efforts to provide a translated copy within a reasonable timeframe.

14. CHANGES TO THIS POLICY

We review this Policy regularly and may update it to reflect:

  • Changes in applicable laws or regulations
  • New features or services
  • Best practice improvements

Material changes will be communicated through:

  • Prominent notice on Our Website(s)
  • Email notification to registered users
  • Updated ‘Last Modified’ date at the top of this Policy

***

This Privacy Policy is compliant with:

Digital Personal Data Protection Act, 2023

Digital Personal Data Protection Rules, 2025

Effective implementation date: May 13, 2027