Privacy Policy.
1. Who we are
This Privacy Policy explains how HephaTech ("we", "us", "our") collects, uses, stores, and protects the personal data of visitors and subscribers ("you" or the "Data Principal") of the website at hephatech.in (the "Website").
HephaTech acts as the Data Fiduciary under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") for the personal data it collects on or through this Website. By using the Website or joining our launch list, you agree to the practices described in this policy.
Registered office: [Registered address], India.
2. Scope & legal basis
This policy is issued in compliance with:
- The Digital Personal Data Protection Act, 2023 (DPDP Act) and rules notified under it
- The Information Technology Act, 2000 ("IT Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")
We process your personal data on the lawful basis of your consent (for the launch-list signup) and on the basis of legitimate uses permitted under §7 of the DPDP Act (for limited purposes such as security, fraud prevention, and operational logging).
3. What we collect
3.1 Information you give us
- Email address — when you subscribe to the launch list via the form on this Website. The email is the only field we collect through that form.
3.2 Information collected automatically
- Server logs: your IP address, user-agent string, requested URL, referrer, and timestamp — collected by our hosting provider (Vercel) for delivery, security, and rate-limiting
- Local browser storage: a single key (
ht-theme) stores your light/dark theme preference. This is stored locally on your device only and is never transmitted to us
3.3 What we do not collect
- No name, phone number, postal address, photograph, payment information, or government identifiers
- No analytics or tracking cookies — at the time of writing this Website does not run analytics or third-party trackers
- No location data
- No biometric, financial, or sensitive personal data
4. Why we collect it
| Category | Purpose | Lawful basis |
|---|---|---|
| Email (launch list) | To send you a single notification when our main product launches, and occasional updates if you opt-in | Consent (DPDP §6) |
| Server logs | Operational delivery, security, abuse prevention | Legitimate use (DPDP §7) |
| Local storage (theme) | Remembering your visual preference | Legitimate use; not transmitted |
5. Sharing & disclosure
We share personal data only with the following Data Processors, each bound to process it strictly per our instructions:
- Formspree (Wildbit, USA) — receives your launch-list email and forwards it to hello@hephatech.in. Their privacy policy is at formspree.io/legal/privacy-policy
- Vercel (USA) — hosts the Website and retains server logs per their policies, available at vercel.com/legal/privacy-policy
We do not sell, rent, or share personal data with advertisers, data brokers, or any third party for commercial gain.
We may disclose personal data if required to do so by law, by court order, or by a competent authority issuing a lawful direction under the IT Act, the DPDP Act, or the Code of Criminal Procedure.
6. Cookies & storage
This Website does not set cookies. We use the browser's localStorage only to remember your theme preference (ht-theme), which never leaves your device.
If we add analytics in the future, we will use a privacy-respecting service that does not require cookie consent (e.g., Plausible) and we will update this policy before doing so.
7. Cross-border transfers
The Data Processors listed in §5 may host or process your personal data on servers outside India (Formspree and Vercel operate primarily from the United States). Such transfers are made for the purposes set out in §4 and are protected by the contractual obligations those vendors are subject to. The Indian government may, by notification under DPDP §16, restrict transfers to specified countries; we will comply with any such notification.
8. How long we keep data
- Launch-list emails: retained until you unsubscribe or until 30 days after the launch announcement, whichever is later. After that the address is deleted
- Server logs: retained for up to 90 days by our hosting provider, then automatically purged
- Local storage: stays on your device until you clear your browser data; we have no control over it
9. How we secure data
We follow the security practices required under §8(5) of the DPDP Act and Rule 8 of the SPDI Rules:
- HTTPS (TLS 1.2+) on every page; strict HSTS headers
- A Content-Security-Policy that blocks third-party script injection
- X-Frame-Options DENY to prevent clickjacking
- Form submissions use spam-protection (honeypot field + minimum-time check + disposable-email blocklist) to reduce abuse
- Access to subscriber lists is restricted to founders only
10. Your rights as a Data Principal
Under the DPDP Act, you have the right to:
- Access — request a summary of personal data we hold about you
- Correction & updation — ask us to correct inaccurate or incomplete data
- Erasure — ask us to delete your data, except where retention is required by law
- Withdraw consent — at any time, with the effect that we will stop processing your data going forward
- Grievance redressal — see §13
- Nominate another individual to exercise these rights on your behalf in the event of your death or incapacity (DPDP §14)
To exercise any of these, email us at hello@hephatech.in with the subject "DPDP Request". We will respond within 30 days as required.
11. Children
This Website is not directed at children under the age of 18. We do not knowingly collect personal data from any individual we know to be under 18. If you believe we have collected such data, please contact us at hello@hephatech.in and we will delete it.
Where we do process the personal data of any individual under 18, we will obtain verifiable parental consent in the manner prescribed under §9 of the DPDP Act.
12. Data breach handling
In the event of a personal-data breach, we will notify the Data Protection Board of India and each affected Data Principal as required under §8(6) of the DPDP Act, with sufficient detail and within the timelines prescribed by the Rules.
13. Grievance redressal
For any complaint about how your personal data has been handled, you may contact our Grievance Officer:
- Name: [Grievance Officer name]
- Email: [Grievance Officer email]
- Phone: [Grievance Officer phone]
- Address: [Registered address]
The Grievance Officer will acknowledge your complaint within 72 hours and resolve it within 30 days. If you remain dissatisfied, you may escalate to the Data Protection Board of India.
14. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be flagged on the Website's home page for 30 days, and where we have your email, we will notify you directly before changes take effect.
15. Contact
For any privacy-related question, email hello@hephatech.in or write to the Grievance Officer above.
This document is a good-faith draft prepared in line with the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000. We recommend obtaining independent legal advice before relying on it for production.