Privacy Protocol

Forgestack Labs LLP ("Company", "we", "us", or "our") is a product-first technology company incorporated in India. We are committed to protecting the privacy, confidentiality, and security of personal and business data entrusted to us.

This Privacy Protocol governs the collection, use, storage, and disclosure of information in connection with:

• Our Website: www.forgestacklabs.com
• Our Products & Platforms: Proprietary SaaS applications and software products
• Our Services: Custom software development, consulting, and related professional services

By accessing or using our website, products, or services, you agree to the data practices described herein, in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA) and the Information Technology Act, 2000, along with applicable rules thereunder.

We collect information based on the nature of your interaction with Forgestack Labs.

• Identity & Contact Information: Name, email address, phone number, company name, and other details submitted through contact forms or inquiries.
• Project & Business Information: Details relating to project requirements, budgets, timelines, or service requests.
• Technical Information: IP address, browser type, device identifiers, and usage metadata collected through cookies and analytics tools.

• Account Information: Usernames, encrypted passwords, authentication tokens, and role-based access credentials.
• Operational & Business Data: Data entered into our platforms as part of normal usage — including inventory records, staff details, transaction logs, or operational metrics.
• Usage & System Logs: Activity timestamps, feature usage patterns, and diagnostic logs used for monitoring and issue resolution.

Forgestack Labs does not sell or commercially exploit personal or business data. Information is processed strictly for the following lawful purposes:

• Product Operation: User authentication, session management, and delivery of core software features.
• Service Fulfilment: Execution of contractual obligations, including development, deployment, and maintenance of software solutions.
• Security & Risk Management: Fraud detection, access control, monitoring, and safeguarding platform integrity.
• Communication & Support: Account notifications, service updates, billing communications, and customer support.
• Legal & Regulatory Compliance: Compliance with applicable Indian laws, tax regulations, audits, and lawful governmental requests.

Security is foundational to our operations. We implement reasonable, industry-accepted safeguards in line with the IT (Reasonable Security Practices and Procedures) Rules, 2011.

• Encryption in Transit: All data exchanged between user devices and our servers is secured using SSL/TLS encryption.
• Encryption at Rest: Sensitive information, including credentials and databases, is encrypted within our storage systems.
• Access Controls: Production data access is strictly limited to authorized personnel, protected by role-based permissions and Multi-Factor Authentication (MFA).
• Periodic Reviews: Regular internal assessments of data handling practices to identify and mitigate potential risks.

We disclose information only where necessary to operate our services securely and efficiently.

• Infrastructure & Hosting Providers: Trusted cloud service providers (such as AWS, Google Cloud, or Vercel) for hosting and infrastructure management.
• Analytics Services: Limited use of analytics tools (e.g., Google Analytics) to evaluate anonymized usage trends.
• Legal Obligations: Disclosure when required under applicable laws, court orders, or requests from authorized government agencies.

• Client & Contractual Data: Retained for the duration of the engagement and thereafter as required by applicable tax, accounting, or legal obligations (generally 5–8 years).
• Product & Operational Data: Retained while the account remains active. Upon termination, clients may request a data export. Operational data will be deleted from active systems within 60 days, subject to backup retention and legal requirements.

As a Data Principal under the DPDPA, 2023, you have the right to:

• Access: Request information about personal data processed by us.
• Correction: Request correction of inaccurate or incomplete personal data.
• Erasure: Request deletion of personal data, subject to statutory retention obligations.
• Grievance Redressal: Raise concerns regarding data protection or privacy practices.

Requests may be submitted using the contact details in Clause 9.0 below.

• Essential Cookies: Required for authentication, session management, and security. These cannot be disabled without affecting platform functionality.
• Non-Essential Cookies: Analytics cookies used to evaluate aggregate usage patterns. These can be managed through your browser settings.

Disabling certain cookies may affect platform functionality and your experience.

For questions, concerns, or data rights requests relating to this Privacy Protocol, please contact: