Privacy Policy
CandyCode Tech Lab Private Limited
Dhanbad, Jharkhand, India
Table of Contents
- 1. Preamble & Definitions
- 2. Information We Collect
- 3. Purpose & Legal Basis
- 4. Data Sharing & Disclosure
- 5. Data Retention
- 6. Data Security
- 7. Your Rights
- 8. Cookies & Tracking
- 9. Third-Party Links
- 10. Children’s Privacy
- 11. International Transfers
- 12. Grievance Officer
- 13. Amendments
- 14. Governing Law
1Preamble & Definitions
This Privacy Policy (“Policy”) is published by CandyCode Tech Lab Private Limited, a company duly incorporated under the Companies Act, 2013, having its registered office at Dhanbad, Jharkhand, India (“Company”), in compliance with the Information Technology Act, 2000 (“IT Act”), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and the Digital Personal Data Protection Act, 2023 (“DPDPA”).
This Policy governs the collection, processing, storage, use, transfer, and disclosure of Personal Data of individuals who visit, access, or interact with Our website, services, or digital platforms (“Data Subject” or “You”).
For the purposes of this Policy:
- “Personal Data” means any information relating to a natural person that is capable of identifying such person, directly or indirectly.
- “Processing” means any operation performed on Personal Data including collection, recording, storage, use, disclosure, erasure, or destruction.
- “Consent” means a free, specific, informed, and unambiguous indication of the Data Subject’s agreement to the processing of their Personal Data.
- “Data Fiduciary” has the meaning ascribed under Section 2(i) of the DPDPA — the Company determines the purpose and means of processing.
2Information We Collect
The Company collects the following categories of data, inter alia:
| Category | Examples | Source |
|---|---|---|
| Identity Data | Full name, company name, designation | Provided by You |
| Contact Data | Email address, phone number, postal address | Provided by You |
| Financial Data | Bank account/UPI details for payment processing | Provided by You |
| Technical Data | IP address, browser type, device identifiers, cookies | Automatically collected |
| Usage Data | Pages visited, time spent, click patterns | Automatically collected |
| Communication Data | Emails, project briefs, messages | Provided by You |
| Contractual Data | Signed agreements, email acceptances, invoices | Generated during engagement |
The Company does not knowingly collect payment card numbers. Financial transactions are processed through secure third-party payment gateways operating under their own privacy policies.
3Purpose & Legal Basis of Processing
Personal Data is processed strictly on a need-to-know basis for the following lawful purposes:
- Performance of contract — to deliver agreed services and process payments;
- Legal obligation — to comply with applicable laws, court orders, and regulatory requirements;
- Legitimate interests — to improve Our services, prevent fraud, and protect Our legal rights;
- Consent — where explicitly provided by the Data Subject for marketing communications;
- Dispute resolution — to maintain records in the event of contractual disputes, arbitration, or litigation.
The Company shall not process Personal Data for any purpose incompatible with the original purpose of collection without prior notice to and, where required, consent of the Data Subject.
4Data Sharing & Third-Party Disclosure
The Company does not sell, rent, or trade Personal Data. Disclosure is limited to the following categories of recipients:
- Service Providers: Cloud hosting providers, payment gateways, email service providers, and analytics platforms engaged under binding data processing agreements;
- Legal & Regulatory Authorities: Courts, arbitral tribunals, law enforcement agencies, or statutory regulators when required by law, court order, or regulatory directive;
- Professional Advisors: Attorneys, chartered accountants, and auditors bound by professional confidentiality obligations;
- Business Transfers: In the event of merger, acquisition, restructuring, or sale of the Company, subject to the acquirer honouring this Policy.
Any email correspondence between the Client and the Company constitutes an Electronic Record within the meaning of Section 2(1)(t) of the IT Act, 2000, and may be produced as evidence under Section 65B of the Indian Evidence Act, 1872 in any dispute, arbitration, or court proceeding.
5Data Retention
Personal Data shall be retained for the duration necessary to fulfil the purpose for which it was collected, and thereafter for the following minimum statutory periods:
- Financial records: 8 (eight) years as required under the Income Tax Act, 1961 and GST laws;
- Contractual records and email acceptances: 6 (six) years from the date of last transaction, in accordance with the Limitation Act, 1963;
- Dispute-related records: Until final resolution of all disputes, appeals, and enforcement proceedings;
- Technical logs: 90 (ninety) days unless otherwise required by law.
Upon expiry of the applicable retention period, Personal Data shall be securely deleted or anonymised such that it can no longer be attributed to any identifiable individual.
6Data Security
The Company implements reasonable security practices and procedures as mandated under Rule 8 of the SPDI Rules, including, inter alia: encryption of data in transit using SSL/TLS protocols; access controls restricting data access to authorised personnel on a need-to-know basis; regular security assessments; and secure backup and disaster recovery procedures.
Notwithstanding the foregoing, no data transmission over the internet can be guaranteed to be completely secure. The Company shall not be liable for any unauthorised access resulting from circumstances beyond its reasonable control, including force majeure events, zero-day exploits, or acts of third-party malicious actors.
7Your Rights as Data Subject
Subject to applicable law and contractual obligations, You have the following rights:
- Right of Access: To obtain confirmation of whether Your Personal Data is being processed and to receive a copy thereof;
- Right to Correction: To have inaccurate or incomplete Personal Data corrected;
- Right of Erasure: To request deletion of Personal Data where processing is no longer necessary, subject to legal retention obligations;
- Right to Withdraw Consent: To withdraw consent at any time, without affecting the lawfulness of prior processing;
- Right to Grievance Redressal: To lodge a complaint with the Grievance Officer or the Data Protection Board of India.
All requests must be submitted in writing to the Grievance Officer specified in Clause 12. The Company shall respond within 30 (thirty) days of receipt, as required under applicable law.
8Cookies & Tracking Technologies
The Company uses cookies and similar tracking technologies on its website. For comprehensive information on the types of cookies deployed, their purpose, duration, and Your opt-out options, please refer to Our Cookie Policy available at candycode.in/cookie-policy/.
9Third-Party Links
Our website may contain hyperlinks to third-party websites or services not owned or controlled by the Company. The Company assumes no responsibility for the privacy practices of any third-party sites. We strongly advise You to review the privacy policy of every site You visit. The inclusion of a hyperlink does not imply endorsement of the linked site.
10Children’s Privacy
The Company’s services are not directed to individuals below 18 (eighteen) years of age. We do not knowingly collect Personal Data from minors. If You are a parent or guardian and believe that Your child has provided Personal Data to Us, please contact the Grievance Officer immediately. Upon verification, We shall promptly delete such information from Our records.
11Cross-Border Data Transfers
Where the Company transfers Personal Data outside the territory of India, such transfers shall be conducted in accordance with Section 16 of the DPDPA and any rules or notifications issued thereunder by the Central Government. The Company shall ensure that recipient organisations afford a comparable level of data protection as required under Indian law.
12Grievance Officer
In accordance with the IT Act, 2000, and the SPDI Rules, all privacy-related queries, complaints, and requests may be addressed to:
Grievance Officer
CandyCode Tech Lab Private Limited
Dhanbad, Jharkhand — 826001, India
Email: legal@candycode.in
Response Time: Within 30 (thirty) days of receipt
13Amendments
The Company reserves the right to modify, amend, or replace this Policy at any time at its sole discretion. The revised Policy shall be posted on Our website with an updated effective date. Continued use of Our website or services following the posting of changes constitutes acceptance of those changes. It is Your responsibility to review this Policy periodically.
14Governing Law & Jurisdiction
This Policy shall be governed by and construed in accordance with the laws of the Republic of India. Any dispute arising out of or relating to this Policy shall be subject to the exclusive jurisdiction of the courts at Dhanbad, Jharkhand, India, to the exclusion of all other courts.