Legal

Privacy Policy

Effective Date: —  |  Last Updated: —

Overview

This Privacy Policy describes our policies and procedures on the collection, use, and disclosure of your information when you use the Service and tells you about your privacy rights and how the law protects you.

We use your personal data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

We may update this Privacy Policy at any time. Material changes will require your active re-consent, and you will be notified by email at least 14 days before they take effect. The revised policy will be effective 15 days from the date it is posted on the Service. Your continued use of the Service after that date will be treated as your acceptance of the changes. We recommend that you check this page from time to time.

1. Information We Collect

We collect the following information when you use the Service:

  • Account details: name, professional email, company name, and password.
  • Payment details: billing information and transaction history, processed by PCI-DSS-compliant gateways. We do not store raw card numbers.
  • Technical data: IP address, browser type, device identifiers, and usage logs.
  • Cookies: session, preference, and analytics cookies. See Clause 7 for details.

How we collect data: We collect data directly from you (e.g., during account registration, form submissions), automatically via the Service (e.g., server logs, cookies, embedded scripts), and through third-party integrations you authorize.

We collect only what is needed to provide and improve the Service.

Under Section 4 of the DPDP Act, personal data may only be processed for a lawful purpose with consent or for a legitimate use. We process your data for the following specific purposes only:

  • Service delivery: To operate, maintain, and improve the OpenMarketer.
  • Account management: To create, authenticate, and manage your user account.
  • Payment processing: To bill you and maintain transaction records as required by law.
  • Customer support: To respond to support requests, bug reports, and complaints.
  • Security & fraud prevention: To detect abuse, prevent unauthorized access, and comply with legal obligations (Section 43A, IT Act).
  • Analytics & product improvement: Aggregated, anonymized usage analytics to improve the Service.
  • Legal compliance: To comply with court orders, government directives, or applicable law.

We do not use your data for automated profiling that produces legal effects or for training AI models on your proprietary content without your explicit written consent.

3. Data Sharing & Third Parties

We do not sell your personal data. We may share data with:

  • Data processors: Cloud infrastructure providers, payment gateways, and email delivery services are bound by contractual data processing agreements aligned with the DPDP Act.
  • Professional advisors: Lawyers and auditors under strict confidentiality obligations.
  • Law enforcement / government: Where required by a court order, government directive, or other mandatory legal process under Indian law.
  • Business transfers: In the event of a merger, acquisition, or asset sale, data may transfer to the successor entity, subject to the same protections.

All third-party processors are obligated under Section 8(2) of the DPDP Act, and we remain responsible for their compliance.

4. Cross-Border Data Transfers

Section 16 of the DPDP Act permits the transfer of personal data outside India, except to countries restricted by the Central Government via notification. As of the effective date of this policy, no such restriction list has been published. We may transfer data to servers in jurisdictions outside India solely for cloud infrastructure and service delivery purposes. Should the central government notify restricted countries, we will cease transfers to such countries and update this policy accordingly.

For international (non-Indian) business users: You acknowledge that your data is processed and stored in India under Indian law.

5. Data Retention

Under Section 8(7) of the DPDP Act, we must not retain personal data longer than necessary for the specified purpose. Our retention schedule:

  • Account data: Retained for the duration of your subscription and for 3 years after account closure (to comply with tax and audit obligations).
  • Payment records: Retained for 8 years as required under the Income Tax Act, 1961, and GST law.
  • Content & review logs: Retained for 12 months after the review is completed, then permanently deleted unless you request earlier deletion.
  • Cookie/analytics data: Retained for 13 months from collection.
  • Security logs: Retained for minimum 90 days.

Upon expiry of the retention period or upon a valid deletion request (see Clause 9), data is securely erased or anonymized.

6. Your Rights

Under the DPDP Act, you have the right to:

  • Access a summary of the personal data we hold about you.
  • Correct inaccurate data or request erasure of data we no longer need.
  • Withdraw your consent at any time from Settings > Privacy.
  • Request restriction of processing of your personal data in certain circumstances.
  • Export your personal data in a machine-readable format via Settings > Privacy > Export Data.
  • Nominate someone to exercise these rights on your behalf.
  • File a complaint with our Grievance Officer if you are not satisfied with how we handle your data.

To exercise any of these rights, email with the subject "Data Rights Request" or use the self-serve Privacy Dashboard at Settings > Privacy. We will respond within 30 days.

7. Cookies

We use three types of cookies:

  • Strictly necessary: required for login and security. These cannot be disabled.
  • Preference: remember your settings. You can disable these in your browser.
  • Analytics: collect anonymized usage data. These are off by default. You can opt in from Settings > Privacy.

Marketing cookies are not used by default. Only activated with your explicit prior consent.

8. Data Security and Breach Notification

We use reasonable security measures to protect your data, including encryption in transit and at rest, access controls, and regular security reviews. No system is completely secure, and we cannot guarantee absolute security.

If a data breach occurs, we will notify the Data Protection Board of India and affected users within 72 hours of becoming aware of the breach, as required under Section 8(6) of the DPDP Act. Notifications will be sent to your registered email address.

9. Grievance Redressal

If you have a complaint, write to our Grievance Officer at the email below. We will acknowledge within 48 hours and resolve within 30 days.

If you are not satisfied with our response, you may approach the Data Protection Board of India (DPBI), constituted under Section 18 of the DPDP Act.

Read more at: www.meity.gov.in

10. Children's Data

Section 9 of the DPDP Act imposes enhanced obligations when processing personal data of children (under 18 years). Our Service is intended exclusively for businesses and professional users. We do not knowingly collect personal data from individuals under 18 years of age. If we discover such data has been collected, we will delete it promptly. If you believe a minor has created an account, contact us immediately at the email below.

11. Subscription & Billing

This section governs your subscription and how billing data is managed:

  • Auto-renewal: Your subscription automatically renews at the end of each billing period. We will notify you at least 7 days in advance of renewal by email.
  • Cancellation: You may cancel your subscription at any time via Settings > Billing. Upon cancellation, your account data will be retained for 90 days to allow for reactivation, after which it will be deleted subject to statutory retention requirements.
  • Downgrade: On subscription downgrade, features associated with higher tiers will be disabled. Data associated with those features will be retained for 30 days before deletion.
  • Payment failure: In the event of a failed payment, we will notify you by email and allow a 7-day grace period before suspending access. Data will not be deleted during suspension.
  • Price changes: We will notify you at least 30 days before any pricing change takes effect.
  • Post-cancellation retention: Billing records are retained for 8 years for tax compliance (see Clause 5). All other account data is deleted within 90 days of account closure.

We obtain your consent in accordance with Section 6 of the DPDP Act, which requires consent to be free, specific, informed, unconditional, and unambiguous.

  • How consent is obtained: Consent is collected via a clear affirmative checkbox at account registration and through a separate consent flow for any new data uses introduced after registration.
  • Consent records: We maintain a timestamped log of each consent action. You can view your active consents at Settings > Privacy > Consent History.
  • Withdrawing consent: You may withdraw any non-essential consent at any time from Settings > Privacy. Withdrawal will not affect the lawfulness of processing that occurred before withdrawal.

13. User-Generated Content & Data Ownership

You retain full ownership of all content, campaigns, and data you create or upload through the Service.

  • Access for support: Our staff may access your content solely to provide customer support or investigate bugs, and only with your permission or where strictly necessary for security purposes.
  • Confidentiality: We treat your business data, campaign content, and any proprietary information as confidential and will not disclose it to third parties except as described in Clause 3.
  • Deletion: Upon account deletion, all user-generated content will be permanently deleted within the timeframes specified in Clause 5.
  • No AI training: We will not use your content to train AI or machine learning models without your explicit written consent.

14. Third-Party Integrations & API Access

OpenMarketer may integrate with third-party platforms (e.g., CRMs, email tools, ad platforms) via OAuth or API keys. The following applies when you enable such integrations:

  • Data flows: Connecting a third-party app may result in data being shared with that app's provider. We will display a clear disclosure of the data shared before you authorize any integration.
  • Sub-processors: Third-party integration providers act as sub-processors under Section 8(2) of the DPDP Act. We maintain an updated list of integration sub-processors available at Settings > Privacy.
  • User responsibility: You are responsible for the configuration and permissions granted to third-party integrations connected to your account.
  • Revocation: You can disconnect any integration at any time from Settings > Integrations. Revoking access will stop further data sharing, though it will not delete data already transferred.

15. Data Portability & Account Deletion

You have the right to export your data and request deletion of your account at any time.

  • Data export: You can download a copy of your account data (including profile, campaign history, and settings) in JSON or CSV format from Settings > Privacy > Export Data. Exports are processed within 48 hours.
  • Account deletion: To permanently delete your account, go to Settings > Account > Delete Account. You will be asked to confirm, and deletion will be irreversible.
  • Deletion timeline: Personal data will be deleted within 30 days of the confirmed deletion request, subject to the retention obligations in Clause 5.
  • What is retained: Payment records and security logs are retained for the statutory periods described in Clause 5, even after account deletion.

16. General

Governing Law: This Privacy Policy is governed by and construed in accordance with the laws of India. Any dispute arising out of or related to this policy shall be subject to the exclusive jurisdiction of the courts in Pune, Maharashtra.

Entire Agreement: This Privacy Policy, together with our Terms and Conditions, constitutes the entire agreement between you and us regarding your privacy.

Severability: If any provision of this Privacy Policy is found to be unenforceable or invalid under applicable law, the remaining provisions shall continue in full force and effect.

Waiver: Our failure to enforce any right or provision of this Privacy Policy shall not be deemed a waiver of such right or provision.

Contact

Questions about this Privacy Policy? Reach out:

ShikhaShikz Marketing Private Limited RH No. C10, Tranquility Phase 1 Shewalewadi, Manjari Maharashtra 412307, India Grievance Officer support@openmarketer.com