UpCraft Logo

UpCraft Solutions Private Limited

Effective Date: 16 December 2025Governing Law: Republic of India

1. INTRODUCTION

1.1 This Privacy Policy describes how UpCraft Solutions Private Limited, a company incorporated under the Companies Act, 2013 ("Company", "we", "us", "our"), collects, uses, discloses, stores and protects personal data and information in connection with:

  • (a) Our website located at https://upcraft.in ("Website"); and
  • (b) Our professional software engineering, consulting and related services ("Services").

1.2 We are committed to protecting your privacy and handling personal data in a lawful, fair, transparent and secure manner, in accordance with applicable Indian data protection laws and regulations, including but not limited to:

  • Information Technology Act, 2000.
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
  • Digital Personal Data Protection Act, 2023 (when notified and in force).

1.3 By using our Website, submitting information through our contact forms, subscribing to our communications, or engaging our Services, you acknowledge that you have read, understood and consent to the collection, use and disclosure of your personal data as described in this Privacy Policy.

1.4 If you do not agree with this Privacy Policy, please do not use our Website or provide us with any personal data.

2. SCOPE AND APPLICABILITY

2.1 Controller and Processor Roles.

(a) For personal data that we collect and control for our own business purposes (for example, via the Website, contact forms, billing records, newsletters and marketing activities), we act as a data controller (or data fiduciary under applicable Indian law).

(b) For personal data that we process on behalf of our Clients in the course of providing Services (for example, limited access to Client systems, production logs, user data or test data as part of audits or development projects), we act as a data processor (or data processor under applicable Indian law), and the Client remains the data controller (or data fiduciary). Such processing is governed primarily by the relevant Statement of Work ("SOW") and, where required, a separate data processing agreement ("DPA") executed between the Company and the Client.

2.2 This Privacy Policy applies primarily to personal data for which we act as data controller. For data processing activities where we act as data processor on behalf of a Client, the Client's privacy policy and our DPA with the Client shall govern.

3. CATEGORIES OF PERSONAL DATA WE COLLECT

3.1 We may collect the following categories of personal data:

(a) Contact and Identification Information:

  • Full name, designation, job title.
  • Email address.
  • Phone number (if provided).
  • Company name, industry and business address (for B2B contacts).

(b) Enquiry and Communication Information:

  • Content of enquiries, questions, requests or messages submitted via contact forms, email or other channels.
  • Project requirements, technical specifications and business needs shared during discovery, scoping or project execution.
  • Feedback, testimonials and survey responses.

(c) Billing and Financial Information:

  • Billing contact details, company name and address.
  • GSTIN (Goods and Services Tax Identification Number) or other tax identifiers (for invoicing and compliance purposes).
  • Payment transaction details (processed securely through third-party payment service providers; we do not store complete credit card or banking details on our systems).
  • Invoice and payment history.

(d) Website Usage and Technical Information:

  • IP address, browser type and version.
  • Device type, operating system and screen resolution.
  • Pages visited, time spent on pages, clickstream data.
  • Referral source (how you arrived at our Website).
  • Date and time of access.
  • Approximate geographic location (derived from IP address, typically at country or city level).

(e) Cookies and Tracking Data:

  • Data collected through cookies, web beacons and similar tracking technologies (see Section 5 for details).

(f) Service Delivery and Project Data (as Data Processor):

  • When providing Services to Clients, we may access or process limited personal data from Client systems, databases, logs or environments as reasonably necessary for audits, performance testing, software development, API integration or support activities. Such data is processed strictly in accordance with the Client's instructions, the applicable SOW and our DPA with the Client, and is subject to strict confidentiality and security obligations.

3.2 Sensitive Personal Data. We do not intentionally collect or process "sensitive personal data or information" as defined under Indian law (such as financial information like bank account or credit card details beyond payment processing, passwords, health data, biometric data, sexual orientation, etc.) through our Website or in our capacity as data controller. If you believe you have inadvertently provided such information, please contact us immediately at upcraft.consulting@gmail.com.

4. HOW WE COLLECT PERSONAL DATA

4.1 We collect personal data in the following ways:

(a) Information You Provide Directly:

  • When you fill out and submit enquiry forms, contact forms or request a consultation on the Website.
  • When you subscribe to our newsletter, blog updates or other communications.
  • When you send us an email or communicate with us via phone, messaging platforms or video calls.
  • When you enter into an SOW or contract with us for Services.
  • When you provide project requirements, specifications, access credentials or other information as part of the service delivery process.

(b) Information Collected Automatically:

  • When you visit or interact with our Website, we automatically collect certain technical and usage information using cookies, log files and similar technologies (see Section 5).

(c) Information from Third-Party Sources:

  • We may collect limited publicly available business information about prospective clients and contacts from professional networking platforms (such as LinkedIn), company websites, business directories and public databases, for the purposes of business development and outreach.
  • We do not purchase or obtain personal data from data brokers or third-party marketing lists.

5. COOKIES AND TRACKING TECHNOLOGIES

5.1 What Are Cookies?

Cookies are small text files that are placed on your device (computer, smartphone, tablet) when you visit a website. Cookies help the website recognize your device on subsequent visits and may be used to remember preferences, understand usage patterns and improve user experience.

5.2 Types of Cookies We Use.

Our Website may use the following types of cookies:

(a) Strictly Necessary Cookies:

  • These cookies are essential for the basic functionality and security of the Website. They enable core features such as page navigation, access to secure areas, and form submissions.
  • You cannot disable these cookies through our Website settings, as the Website would not function properly without them. However, you may disable them through your browser settings (see Section 5.4).

(b) Analytics and Performance Cookies:

  • We use Google Analytics (or similar analytics tools) to collect aggregated, anonymised or pseudonymised data about how visitors use our Website, including pages visited, time spent, referral sources and general geographic location.
  • This information helps us understand user behaviour, identify popular content and improve the Website's performance and user experience.
  • Google Analytics may set cookies on your device. For more information about how Google processes data, please see Google's Privacy Policy at: https://policies.google.com/privacy

(c) Functional Cookies:

  • These cookies enable the Website to remember choices you make (such as your preferred language, region or display settings) to provide a more personalized experience.

(d) Marketing and Advertising Cookies (if applicable):

  • Currently, we do not use third-party advertising or retargeting cookies on our Website.
  • If we introduce such cookies in the future, we will update this Privacy Policy and provide appropriate notice and consent mechanisms.

5.3 Third-Party Cookies.

Some cookies on our Website may be set by third-party service providers (such as Google Analytics, embedded video players, social media plugins, or content delivery networks). We do not have direct control over these third-party cookies. We recommend reviewing the privacy policies of these third parties:

  • Google Analytics: https://policies.google.com/privacy
  • Other third-party services will be listed here if and when we integrate them.

5.4 Managing and Disabling Cookies.

(a) Browser Settings:

You can control and manage cookies through your browser settings. Most browsers allow you to:

  • View and delete cookies.
  • Block all cookies or only third-party cookies.
  • Receive a notification before a cookie is stored.

Please note that disabling cookies may affect the functionality and user experience of our Website. Certain features may not work correctly if cookies are disabled.

For instructions on managing cookies in popular browsers, please visit:

  • Google Chrome: https://support.google.com/chrome/answer/95647
  • Mozilla Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
  • Safari: https://support.apple.com/en-in/guide/safari/sfri11471/mac
  • Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09

(b) Google Analytics Opt-Out:

You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on, available at: https://tools.google.com/dlpage/gaoptout

5.5 Do Not Track Signals.

Some browsers support "Do Not Track" (DNT) signals. Our Website does not currently respond to DNT signals, as there is no universal standard for how websites should interpret and respond to such signals. If a standard is established in the future, we will evaluate adopting it.

6. PURPOSES AND LEGAL BASES FOR PROCESSING PERSONAL DATA

6.1 We process personal data for the following purposes, and on the following legal bases (as applicable under Indian data protection laws and, where relevant, international frameworks):

(a) To Respond to Enquiries and Provide Information:

  • Purpose: To respond to contact form submissions, emails, phone calls and other enquiries; to provide information about our Services, pricing and capabilities.
  • Legal Basis: Performance of a contract or steps at your request prior to entering into a contract; consent; legitimate interests in business development and customer service.

(b) To Perform Contracts and Deliver Services:

  • Purpose: To execute and manage SOWs and service contracts; to perform audits, software development, consulting and related Services; to communicate with Clients regarding project status, deliverables, timelines and requirements; to provide technical support and assistance.
  • Legal Basis: Performance of a contract.

(c) For Billing, Invoicing and Payment Processing:

  • Purpose: To generate invoices, process payments, manage accounts receivable and maintain financial records; to comply with tax and accounting obligations.
  • Legal Basis: Performance of a contract; legal obligation (tax, accounting and financial record-keeping requirements under Indian law).

(d) To Improve and Secure Our Website and Services:

  • Purpose: To analyse Website usage, identify trends, diagnose technical issues and improve the functionality, performance, security and user experience of the Website and Services; to detect, prevent and respond to security incidents, fraud and abuse.
  • Legal Basis: Legitimate interests in operating, improving and securing our business and systems; consent (for certain analytics cookies).

(e) For Marketing and Business Development:

  • Purpose: To send newsletters, blog updates, service announcements, insights, case studies and other marketing communications (only if you have opted in or where permitted for B2B communications); to conduct market research; to understand customer needs and preferences.
  • Legal Basis: Consent (for email marketing to individuals); legitimate interests (for B2B marketing communications to business contacts, subject to applicable opt-out rights).

(f) For Legal Compliance and Protection of Rights:

  • Purpose: To comply with applicable laws, regulations, court orders and government or regulatory requests; to enforce our Terms and Conditions and other agreements; to protect our rights, property, safety and the rights, property and safety of our users and third parties; to prevent fraud and illegal activity; to defend or pursue legal claims.
  • Legal Basis: Legal obligation; legitimate interests in protecting our business and complying with legal requirements; vital interests (in exceptional cases involving safety or harm).

6.2 Consent and Withdrawal.

Where we process personal data based on your consent (for example, for marketing emails or certain analytics cookies), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You may withdraw consent by:

  • Clicking the "unsubscribe" link in any marketing email.
  • Contacting us at upcraft.consulting@gmail.com with the subject line "Withdraw Consent".
  • Disabling cookies through your browser settings (see Section 5.4).

7. HOW WE SHARE AND DISCLOSE PERSONAL DATA

7.1 We Do Not Sell Personal Data.

We do not sell, rent, lease or trade personal data to third parties for their marketing purposes or for monetary or other valuable consideration.

7.2 Sharing with Service Providers and Processors.

We may share personal data with trusted third-party service providers who assist us in operating our business, providing Services and managing our Website ("Service Providers"). These Service Providers act as data processors on our behalf and are contractually obligated to:

  • Use personal data only for the purposes we specify.
  • Implement appropriate technical and organisational security measures.
  • Maintain confidentiality and comply with applicable data protection laws.

Categories of Service Providers include:

(a) Website Hosting and Infrastructure Providers:

  • Web hosting services, cloud infrastructure providers and content delivery networks (CDNs) that host and deliver our Website and applications.

(b) Email and Communication Services:

  • Email service providers (e.g., Google Workspace, Gmail) for business email.
  • Email marketing platforms (if we use dedicated tools for newsletters).
  • Messaging and video conferencing platforms (e.g., Zoom, Google Meet, Slack) for client communication and collaboration.

(c) Analytics and Performance Tools:

  • Google Analytics for website traffic analysis and usage statistics.

(d) Payment Processing:

  • Third-party payment gateways and processors (e.g., Razorpay, Stripe, PayPal, bank payment systems) for processing Client payments. These providers process payment information directly and are responsible for the security and privacy of payment data in accordance with applicable payment card industry standards (PCI-DSS) and their own privacy policies.

(e) Project Management and Collaboration Tools:

  • Project management, task tracking and collaboration platforms (e.g., Notion, Linear, Trello, Asana, GitHub, GitLab) used for managing client projects and internal workflows.

(f) Professional Advisors:

  • Lawyers, accountants, auditors, tax consultants and other professional advisors who provide legal, financial, accounting, audit or advisory services to the Company, under appropriate confidentiality and professional obligations.

7.3 Legal and Regulatory Disclosure.

We may disclose personal data if required or permitted by law, or if we believe in good faith that such disclosure is necessary to:

  • Comply with applicable laws, regulations, legal processes (such as court orders, subpoenas, summons) or government or regulatory requests.
  • Enforce our Terms and Conditions, contracts or policies.
  • Protect the rights, property, safety or security of the Company, our users, clients or the public.
  • Detect, prevent or investigate fraud, security incidents, abuse or illegal activity.
  • Defend against legal claims or litigation.

In such cases, we will disclose only the minimum personal data necessary to fulfill the legal requirement, and will (where legally permissible and feasible) provide you with prior notice of the disclosure.

7.4 Business Transfers.

In the event of a merger, acquisition, corporate reorganisation, sale of assets, financing, or other business transaction involving the Company, personal data may be transferred to, or shared with, the prospective or actual successor or acquiring entity, subject to:

  • Appropriate confidentiality and data protection obligations during due diligence.
  • Continuity of privacy protections substantially similar to those in this Privacy Policy.
  • Notice to affected individuals, where required by law.

7.5 With Your Consent.

We may share personal data with third parties for purposes not described in this Privacy Policy if we obtain your explicit consent to do so (for example, featuring your company in a case study or testimonial with your approval).

8. INTERNATIONAL DATA TRANSFERS

8.1 Primary Data Location.

Our primary operations and data processing activities are located in India. Personal data collected through the Website and in connection with our Services is generally stored and processed on servers and systems located in India or controlled by us or our Service Providers.

8.2 Transfers Outside India.

Some of our Service Providers, cloud infrastructure or collaboration tools may be located outside India, or may store or process data on servers located in other countries (for example, cloud services with data centers in Singapore, the United States, the European Union or other jurisdictions).

8.3 Safeguards for International Transfers.

When personal data is transferred to or processed in countries outside India, we take steps to ensure an adequate level of data protection, which may include:

  • Selecting Service Providers that are located in countries recognized as providing adequate data protection.
  • Entering into Standard Contractual Clauses (SCCs), Data Processing Agreements (DPAs) or other contractual safeguards with Service Providers to ensure appropriate data protection standards.
  • Relying on the Service Provider's certification under recognized data protection frameworks (such as EU-U.S. Data Privacy Framework, if applicable).
  • Obtaining your explicit consent for the transfer, where required by law.

8.4 For information about specific Service Providers and their data locations, or if you have questions or concerns about international data transfers, please contact us at upcraft.consulting@gmail.com.

9. DATA SECURITY

9.1 Security Measures.

We implement and maintain reasonable and appropriate technical, administrative and organisational security measures designed to protect personal data against unauthorised access, disclosure, alteration, loss, misuse, destruction or damage, having regard to:

  • The nature and sensitivity of the personal data.
  • The current state of technology and cost of implementation.
  • The risks associated with the processing.

Our security measures include (but are not limited to):

(a) Access Controls:

  • Least-privilege and role-based access controls.
  • Strong password policies and multi-factor authentication where feasible.
  • Regular review and revocation of access rights for departing personnel or contractors.

(b) Data Protection:

  • Encryption of data in transit (e.g., HTTPS/TLS for website communications).
  • Encryption of sensitive data at rest, where technically feasible and appropriate.
  • Secure storage and handling of passwords, API keys and access credentials (use of secrets management tools, hashing and salting of passwords).

(c) Network and Infrastructure Security:

  • Firewalls, intrusion detection and prevention systems.
  • Regular security patching and updates of systems, software and dependencies.
  • Use of reputable cloud service providers and hosting platforms with industry-standard security certifications.

(d) Organisational Measures:

  • Confidentiality agreements and data protection training for employees and contractors.
  • Secure software development lifecycle (SDLC) practices, including code reviews and security testing.
  • Regular backups and disaster recovery procedures.
  • Incident response and data breach notification procedures.
  • Disaster recovery and business continuity plans.

9.2 Limitations of Security.

While we strive to protect personal data, no method of transmission over the internet, no method of electronic storage, and no security system is completely secure or impenetrable. We cannot guarantee the absolute security of personal data. You acknowledge and accept the inherent risks of transmitting information over the internet and using online services.

9.3 Your Responsibilities.

You are responsible for:

  • Maintaining the confidentiality and security of any login credentials, passwords or access keys provided to you for accessing our systems, tools or platforms.
  • Ensuring that your own systems, devices and networks are secure and free from malware.
  • Promptly notifying us if you suspect any unauthorised access to or use of your account or credentials.

10. DATA BREACH NOTIFICATION

10.1 In the event of a confirmed personal data breach or security incident that is likely to result in a risk to the rights and freedoms of individuals, we will:

  • (a) Take immediate steps to contain and mitigate the breach.
  • (b) Notify affected individuals without undue delay, where feasible within seventy-two (72) hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to their rights and freedoms.
  • (c) Provide information about the nature of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures taken or proposed to address the breach and mitigate harm.
  • (d) Notify relevant regulatory authorities or law enforcement agencies, if and as required by applicable law.

10.2 We will cooperate fully with affected individuals and Clients in investigating and responding to the breach, and will take all reasonable steps to mitigate harm and prevent future incidents.

11. DATA RETENTION

11.1 Retention Principles.

We retain personal data only for as long as reasonably necessary to fulfill the purposes for which it was collected, to comply with legal, regulatory, accounting, tax and audit obligations, and to establish, exercise or defend legal claims.

11.2 Indicative Retention Periods.

The following are indicative retention periods for different categories of personal data. Actual retention periods may vary depending on the nature of the relationship, legal requirements and legitimate business needs.

  • Contact form enquiries and general communications: Typically retained for two (2) to three (3) years from the date of last contact, unless required for ongoing business or legal purposes.
  • Client contracts, SOWs and project-related communications: Retained for the duration of the contractual relationship plus seven (7) to ten (10) years after completion or termination of the engagement, to comply with tax, accounting and legal record-keeping requirements under Indian law.
  • Invoices, billing records and payment information: Retained for seven (7) to ten (10) years from the end of the financial year in which the transaction occurred, as required by Indian tax and accounting laws.
  • Marketing and newsletter communications: Retained until you opt out or unsubscribe, or until we determine that the data is no longer relevant for marketing purposes (typically two (2) to five (5) years from last engagement).
  • Website usage and analytics data: Typically retained for twenty-six (26) months (default Google Analytics retention period) or as configured in our analytics tools.
  • For data processed as data processor on behalf of Clients, retention is governed by the Client's instructions and the applicable SOW or DPA. Typically, we retain such data for the duration of the project plus a defined archival period (for example, six (6) to twenty-four (24) months), unless the Client instructs earlier deletion or longer retention.

11.3 Deletion and Anonymisation.

Upon expiry of the applicable retention period, or upon your request for deletion (subject to Section 13), we will:

  • Securely delete personal data from our active systems.
  • Where immediate deletion is not feasible or required, anonymise or pseudonymise the data such that it can no longer be attributed to an identifiable individual.
  • Securely archive data that must be retained for legal, regulatory or audit purposes, with restricted access.

12. THIRD-PARTY WEBSITES AND SERVICES

12.1 Our Website may contain links to third-party websites, platforms, services or resources (for example, links to social media profiles, partner websites, open-source projects, reference materials, or tools and platforms we integrate with).

12.2 No Responsibility for Third-Party Practices.

This Privacy Policy applies only to our Website and our Services. We do not control, and are not responsible for, the content, privacy practices, terms of use or security of any third-party websites or services. Third-party websites and services have their own privacy policies and terms, which we encourage you to review before providing any personal data to them.

12.3 Third-Party Service Providers.

Where we use third-party service providers to process personal data on our behalf (as described in Section 7.2), we enter into appropriate data processing agreements and take steps to ensure they provide adequate data protection. However, we are not responsible for the privacy practices of third parties to whom you provide personal data directly (for example, if you sign up directly with a third-party tool or service that we recommend).

13. YOUR RIGHTS AND CHOICES

Subject to applicable Indian data protection laws, you may have the following rights in relation to your personal data:

13.1 Right to Access and Confirmation.

  • You have the right to request confirmation of whether we process your personal data and, if so, to access the personal data and obtain information about the processing (including categories of data, purposes, recipients, retention periods, etc.).
  • We will provide the information in a commonly used electronic format, where feasible.

13.2 Right to Rectification (Correction).

  • You have the right to request correction or updating of any inaccurate, incomplete or out-of-date personal data that we hold about you.

13.3 Right to Erasure (Deletion / "Right to be Forgotten").

  • You have the right to request deletion or erasure of your personal data in certain circumstances, including when:
    • The data is no longer necessary for the purposes for which it was collected.
    • You withdraw consent (where processing is based on consent) and there is no other legal basis for processing.
    • You object to processing and there are no overriding legitimate grounds for continued processing.
    • The data has been unlawfully processed.
    • Erasure is required to comply with a legal obligation.
  • Exceptions and Limitations: We may decline or delay a deletion request if retention is required or permitted by law (for example, to comply with legal, regulatory, tax or accounting obligations; to establish, exercise or defend legal claims; or for archival or statistical purposes in the public interest). In such cases, we will inform you of the reason and, where feasible, restrict processing to only those purposes.

13.4 Right to Restriction of Processing.

  • You have the right to request that we restrict or limit the processing of your personal data in certain circumstances (for example, while we verify the accuracy of data you have contested, or while we assess your objection to processing).

13.5 Right to Data Portability.

  • In certain circumstances (for example, where processing is based on consent or contract and is carried out by automated means), you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transmit that data to another controller (data fiduciary) without hindrance.

13.6 Right to Object.

  • You have the right to object to processing of your personal data in certain circumstances:
    • For direct marketing: You have an absolute right to object to processing for direct marketing purposes. We will cease such processing upon receipt of your objection.
    • For other legitimate interests: We will cease processing unless we demonstrate compelling legitimate grounds for continued processing that override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.

13.7 Right to Withdraw Consent.

  • Where processing is based on your consent, you have the right to withdraw your consent at any time (see Section 6.2).

13.8 Right to Lodge a Complaint.

  • If you believe that we have not complied with applicable data protection laws or this Privacy Policy, you have the right to lodge a complaint with a supervisory authority or regulatory body.
  • In India, you may lodge a complaint with the Data Protection Board of India (once established under the Digital Personal Data Protection Act, 2023) or with other relevant sectoral regulators or consumer protection authorities.

13.9 How to Exercise Your Rights.

To exercise any of the above rights, please contact us at:

Email: upcraft.consulting@gmail.com
Subject Line: "Privacy Rights Request – [Specify Right: Access / Correction / Deletion / etc.]"

Please include in your request:

  • Your full name and email address (and phone number if available).
  • The specific right you wish to exercise and any relevant details or context.
  • Sufficient details to help us locate and verify your personal data (for example, approximate date of enquiry, project name, invoice number, etc.).

Verification: To protect your privacy and security, we may need to verify your identity before fulfilling your request (for example, by asking for additional identifying information or sending a verification email to the email address on record).

Response Time: We will respond to your request within a reasonable time and, where required by law, within thirty (30) days (or such other period as prescribed by applicable law). If we require an extension, we will inform you of the reason and the new timeline.

No Fee (Generally): We will generally process your requests free of charge. However, we reserve the right to charge a reasonable fee if your request is manifestly unfounded, excessive or repetitive, or if you request multiple copies of the same information.

14. CHILDREN'S PRIVACY

14.1 Our Website and Services are intended for use by businesses, professionals and adults. We do not knowingly or intentionally collect, use or disclose personal data from children under the age of eighteen (18) years (or such other age of majority as applicable under Indian law or the law of your jurisdiction).

14.2 If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at upcraft.consulting@gmail.com, and we will take prompt steps to investigate and delete such information from our systems.

14.3 If we become aware that we have inadvertently collected personal data from a child under 18 without appropriate parental consent, we will delete such data as soon as reasonably practicable.

15. MARKETING COMMUNICATIONS AND OPT-OUT

15.1 Types of Communications.

We may send you:

  • (a) Service-related communications: Transactional emails, invoices, project updates, account notifications and other communications necessary for the performance of our contractual obligations or the provision of Services. You cannot opt out of these communications, as they are essential to our business relationship.
  • (b) Marketing communications: Newsletters, blog updates, insights, case studies, service announcements, event invitations and other promotional content. You may opt out of marketing communications at any time (see Section 15.2).

15.2 Legal Basis for Marketing.

We will send you marketing communications only if:

  • You have provided your explicit consent (for example, by subscribing to our newsletter or opting in to receive marketing emails); or
  • We are sending B2B marketing communications to business contacts in accordance with applicable laws and where you have not opted out.

15.3 How to Opt Out of Marketing Communications.

You may opt out of receiving marketing communications at any time, free of charge, by:

  • (a) Clicking the "unsubscribe" link at the bottom of any marketing email we send you.
  • (b) Contacting us at upcraft.consulting@gmail.com with the subject line "Opt Out" or "Unsubscribe".
  • (c) Updating your communication preferences (if we provide a preference center or account settings in the future).

Processing Time: We will process opt-out requests within ten (10) business days. You may continue to receive emails for a short period while your request is being processed.

Note: Even if you opt out of marketing communications, you will still receive service-related communications (such as invoices, project updates and important notices) as necessary for the performance of our contract or compliance with legal obligations.

16. CHANGES AND UPDATES TO THIS PRIVACY POLICY

16.1 Right to Modify.

We reserve the right to modify, update or revise this Privacy Policy from time to time to reflect:

  • Changes in our data processing practices or business operations.
  • Changes in applicable laws, regulations or regulatory guidance.
  • New features, services or technologies.
  • Feedback from users, clients or regulators.

16.2 Notice of Changes.

When we make material changes to this Privacy Policy, we will:

  • Update the "Last Updated" date at the top of this Privacy Policy.
  • Post a prominent notice on our Website for a reasonable period.
  • Where required by law, or where the changes materially affect your rights, we may notify you directly by email (to the email address we have on record) or other appropriate means.

16.3 Your Acceptance of Changes.

Your continued use of our Website or Services after the effective date of the updated Privacy Policy constitutes your acknowledgment and acceptance of the changes. If you do not agree with the updated Privacy Policy, you should discontinue use of our Website and Services and contact us to request deletion of your personal data (subject to legal retention obligations).

16.4 Previous Versions.

We will maintain an archive of previous versions of this Privacy Policy for reference purposes. If you wish to review a previous version, please contact us at upcraft.consulting@gmail.com.

17. CONTACT US

If you have any questions, concerns, complaints or requests regarding this Privacy Policy or our data protection and privacy practices, please contact us:

UpCraft Solutions Private Limited

Email: upcraft.consulting@gmail.com
Subject Line (for privacy matters): "Privacy Enquiry" or "Data Protection Request"

Website: https://upcraft.in

Response Time: We aim to respond to all privacy enquiries and requests within five (5) to ten (10) business days, and to formal rights requests within the timeframes prescribed by applicable law (generally thirty (30) days).

Complaints and Escalation:

If you are not satisfied with our response or if you believe we have not complied with applicable data protection laws, you have the right to:

  • Escalate your concern to our senior management by marking your email as "URGENT – Privacy Complaint".
  • Lodge a complaint with the relevant data protection authority or regulatory body (see Section 13.8).

BY USING OUR WEBSITE, PROVIDING PERSONAL DATA THROUGH OUR CONTACT FORMS OR COMMUNICATIONS, OR ENGAGING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD AND CONSENT TO THE COLLECTION, USE, DISCLOSURE AND PROCESSING OF YOUR PERSONAL DATA AS DESCRIBED IN THIS PRIVACY POLICY.

This Privacy Policy was last updated on 16 December 2025.

Chat with us