← HomeLegal
Privacy Policy
Last Updated: 16/04/2026
Notice to Data Principal
In accordance with Section 5 of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), we provide you with the following notice:
| Item | Details |
|---|
| Personal data collected | Name, email address, phone number, company name, IP address, device information, usage data, payment details (processed by third parties) |
| Purpose of processing | Providing our services (Conesta, RUBL, client services), processing transactions, communicating with you, improving our products, ensuring security, and complying with legal obligations |
| Lawful basis | Your consent (Section 6, DPDP Act) and certain legitimate uses including performance of contract, compliance with Indian law, and responding to medical emergencies (Section 7, DPDP Act) |
| How to exercise your rights | Contact our Grievance Officer (details below) or email [email protected] |
| How to file a complaint | You may file a complaint with the Data Protection Board of India as constituted under Section 18 of the DPDP Act |
Information We Collect
1.1 Information You Provide Directly
- Account Information: When you create an account on Conesta or RUBL, we collect your name, email address, and password.
- Contact Form Data: When you reach out through our contact form, we collect your name, email, company name, budget range, and project description.
- Payment Information: When you purchase our services, payment processing is handled by third-party payment gateways. We do not store credit card or bank account numbers on our servers.
- Communications: Emails, messages, and other communications you send to us.
1.2 Sensitive Personal Data or Information (SPDI)
Under Rule 3 of the SPDI Rules, Sensitive Personal Data or Information includes passwords, financial information (bank account, payment instrument details), and any other information classified as such under applicable law. We collect SPDI only with your explicit prior consent and process it strictly for the purposes disclosed herein.
1.3 Information Collected Automatically
- Usage Data: Pages visited, time spent on pages, click patterns, and navigation paths.
- Device Information: Browser type, operating system, device type, and screen resolution.
- IP Address: Used for security, analytics, and approximate geographic location.
- Cookies and Similar Technologies: See our Cookie Policy for details. Analytics cookies are placed only after your consent.
1.4 Information from Third Parties
- Analytics Providers: We use analytics tools that may collect information about your use of our services.
- Authentication Providers: If you sign in using a third-party service (Google, GitHub), we receive your basic profile information from that provider.
How We Use Your Information
We process your personal data for the following purposes:
- Provide and maintain our services — operate Conesta, RUBL, and fludigo.tech
- Process transactions — handle payments, generate invoices (inclusive of GST as applicable under the CGST Act, 2017), and deliver purchased services
- Communicate with you — respond to enquiries, send project updates, and provide customer support
- Improve our products — analyse usage patterns to enhance features and user experience
- Ensure security — detect and prevent fraud, abuse, and unauthorised access
- Comply with legal obligations — meet regulatory requirements under Indian law, including the IT Act, the DPDP Act, the Income Tax Act, 1961, and the CGST Act, 2017
We do not sell your personal data to third parties.
How We Share Your Information
We may share your information only in these circumstances:
- Data Processors: With third-party vendors who assist us in operating our services (hosting on AWS/GCP, analytics, payment processing, email delivery). These data processors are contractually obligated to protect your data and process it only on our instructions, in accordance with Section 8(2) of the DPDP Act.
- Legal Requirements: When required by law, regulation, legal process, or governmental request — including requests from Indian courts, tribunals, or the Data Protection Board of India.
- Business Transfers: In connection with a merger, acquisition, or sale of assets under the Companies Act, 2013, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
- With Your Consent: When you explicitly authorise us to share your information.
Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy, or as required by applicable law (Section 8(7), DPDP Act):
- Account data: Retained while your account is active. Upon deletion request or withdrawal of consent, data is erased within 30 days, except where retention is required by law.
- Contact form submissions: Retained for 2 years from the date of submission.
- Usage analytics: Aggregated and anonymised data (which is not personal data) is retained indefinitely. Identifiable analytics data is retained for 26 months.
- Financial and payment records: Retained for a minimum of 8 years from the end of the relevant assessment year, as required under the Income Tax Act, 1961, and 6 years under Section 36 of the CGST Act, 2017.
When personal data is no longer required and no legal retention obligation applies, we will securely erase or anonymise it.
Your Rights
Rights Under the DPDP Act, 2023 (Indian Users)
As a Data Principal under the DPDP Act, you have the right to:
- Access (Section 11): Obtain a summary of your personal data being processed and the processing activities.
- Correction and Erasure (Section 12): Request correction of inaccurate or misleading personal data, completion of incomplete data, updating of outdated data, and erasure of personal data no longer necessary for the stated purpose.
- Grievance Redressal (Section 13): File a complaint with our Grievance Officer. If not resolved satisfactorily, you may file a complaint with the Data Protection Board of India.
- Nomination (Section 14): Nominate any person to exercise your rights in the event of your death or incapacity.
- Withdraw Consent (Section 6(5)): Withdraw your consent at any time. Withdrawal shall not affect the lawfulness of processing carried out prior to withdrawal.
Duties of Data Principals (Section 15, DPDP Act)
You agree to:
- Not impersonate another person while providing personal data
- Not suppress any material information while providing personal data
- Not register a false or frivolous grievance or complaint
- Provide only authentic and verifiable information when exercising your rights
Rights Under GDPR (EEA Users)
You additionally have the right to: data portability, restriction of processing, objection to processing, and lodging a complaint with your local data protection authority.
Rights Under CCPA/CPRA (California Users)
You have the right to know, delete, and opt out of the sale or sharing of personal information. See our Do Not Sell My Info page.
To exercise any of these rights, contact our Grievance Officer (details below) or email [email protected].
Data Security
In accordance with Section 43A of the IT Act, 2000, and Rule 8 of the SPDI Rules, we implement reasonable security practices and procedures, including measures aligned with IS/ISO/IEC 27001 standards:
- Encryption of data in transit (TLS/SSL)
- Encryption of sensitive data at rest
- Regular security assessments and vulnerability testing
- Role-based access controls and multi-factor authentication
- Secure cloud infrastructure (AWS/GCP) with data centres that maintain internationally recognised security certifications
- Periodic review of security practices
In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals in accordance with Section 8(6) of the DPDP Act.
No method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
Children's Privacy
In accordance with Section 9 of the DPDP Act, 2023, our services are not directed to individuals under the age of 18 years. We do not knowingly collect personal data from children. Processing of a child's personal data requires verifiable consent from the child's parent or lawful guardian.
If you believe we have collected information from a child without parental consent, please contact our Grievance Officer immediately and we will take steps to delete it.
We do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.
International Data Transfers
Fludigo's services use cloud infrastructure (AWS/GCP) that may process data in regions outside India. Under Section 16 of the DPDP Act, the Central Government may notify countries to which transfer of personal data is restricted. As of the date of this policy, no such restrictions have been notified.
For transfers to countries within the European Economic Area, we rely on Standard Contractual Clauses or equivalent mechanisms recognised under the GDPR.
We will update this section as and when the Central Government issues notifications regarding cross-border data transfers.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by:
- Posting the updated policy on this page with a revised "Last Updated" date
- Sending email notification to registered users for material changes
- Where required under the DPDP Act, issuing a fresh consent notice
If you do not agree with any material changes, you may withdraw your consent and request deletion of your personal data.
Grievance Officer
In compliance with Rule 5(9) of the SPDI Rules and Section 13 of the DPDP Act, we have designated the following Grievance Officer:
The Grievance Officer shall address your concerns within 30 days of receipt of the complaint. If you are not satisfied with the resolution, you may escalate to the Data Protection Board of India as constituted under the DPDP Act.