🔒 Privacy Policy for Clepto.io

1. INTRODUCTION

Welcome to Clepto.io ("we," "us," "our," or "Clepto"). This Privacy Policy explains how CLEPTO.IO SERVICES PRIVATE LIMITED collects, uses, discloses, and protects information from visitors to our website and users of our services.

Our Commitment

We are committed to protecting your privacy and handling your personal information transparently in accordance with applicable data protection laws.

Who We Are

• Company Name: CLEPTO.IO SERVICES PRIVATE LIMITED
• Corporate Identity Number (CIN): U62013PN2025PTC248011
• Registered Address: SNO.107-108, PT-B, ROSEWOOD, SFL-J-603, PIMPLE SAUDAGAR, Sangavi, Pune-411027, Maharashtra, India
• Primary Business: AI automation services and workflow automation solutions
• Privacy Contact: privacy@clepto.io

Applicable Laws

This policy is designed to comply with:

• The Digital Personal Data Protection Act, 2023 (India)
• General Data Protection Regulation (GDPR) for EU visitors and clients
• Privacy best practices for international operations

2. SCOPE OF THIS POLICY

What This Policy Covers

This Privacy Policy applies to:

• Visitors to our website (clepto.io)
• Individuals who contact us through forms, email, or chat
• Newsletter subscribers
• Prospective and current clients engaging with our website

What This Policy Does NOT Cover

This policy does not cover how we process data on behalf of our clients in their automation workflows. That relationship is governed by separate Data Processing Agreements (DPAs) where we act as a data processor. For information about that, please see our Data Processing Agreement.

3. INFORMATION WE COLLECT

3.1 Information You Provide Directly

Contact Forms

When you submit a contact form on our website, we collect:

• Full name
• Email address
• Phone number (if provided)
• Company name (if provided)
• Message content
• Any other information you choose to provide

Newsletter Subscriptions

When you subscribe to our newsletter, we collect:

• Email address
• Subscription preferences
• Date and time of subscription

Chat Interactions

When you interact with our AI chatbot (powered by n8n), we collect:

• Chat messages and conversation history
• Timestamp of interactions
• Basic technical information (browser type, device type)

Legal Basis (GDPR): Consent (when you submit forms or subscribe), Legitimate interests (analyzing website usage, improving services), Contract performance (when engaging with prospective clients)

Legal Basis (India DPDP Act): Consent for collection and processing of personal data

3.2 Information Collected Automatically

Website Analytics

We use Google Analytics to understand how visitors use our website. This collects:

• IP address (anonymized)
• Browser type and version
• Device type (desktop, mobile, tablet)
• Operating system
• Pages visited and time spent
• Referring website
• Geographic location (country/city level)
• Language preferences

Cookies and Similar Technologies

We currently use minimal cookies. In the future, we may implement:

• Essential cookies (necessary for website functionality)
• Analytics cookies (Google Analytics)
• Marketing cookies (with your explicit consent)

When we implement cookie consent management, you will be able to accept or reject non-essential cookies through our cookie banner.

Legal Basis (GDPR): Legitimate interests (website optimization, security)

Legal Basis (India DPDP Act): Legitimate business purpose

3.3 Information We Do NOT Collect

We do not knowingly collect:

• Sensitive personal data (health information, biometric data, financial information beyond basic billing details)
• Information from children under 18 years of age
• Data from our client workflows (that is processed separately under DPA terms)

4. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

Primary Purposes

Service Delivery

• Respond to your inquiries and requests
• Provide information about our AI automation services
• Process service agreements and deliver contracted services
• Provide customer support

Communication

• Send newsletters and updates (only with your consent)
• Send important service announcements
• Respond to questions via email or chat
• Follow up on inquiries

Website Improvement

• Analyze website usage patterns
• Improve user experience and functionality
• Develop new features and services
• Troubleshoot technical issues

Business Operations

• Maintain records of communications
• Comply with legal and regulatory requirements
• Protect against fraud and abuse
• Enforce our terms of service

Marketing (with consent)

• Send promotional materials about our services
• Share relevant industry insights and content
• Invite you to webinars or events

5. HOW WE SHARE YOUR INFORMATION

5.1 Third-Party Service Providers (Data Processors)

We share information with trusted third-party service providers who help us operate our website and deliver services. These providers are contractually obligated to protect your information and use it only for specified purposes.

Current Service Providers

AI Providers (for chatbot functionality)

Our n8n chatbot may use the following AI services:

• OpenAI (USA)
• Anthropic (USA)
• Google Gemini (USA/EU)
• Mistral AI (EU - France)
• Other AI providers as needed

Safeguards for International Transfers

When data is transferred outside India or the EU, we ensure appropriate safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all processors
• Encryption in transit and at rest
• Regular security assessments

5.2 Legal Requirements

We may disclose your information if required by law or in good faith belief that such action is necessary to:

• Comply with legal obligations (court orders, subpoenas, regulatory requests)
• Protect and defend our rights or property
• Prevent fraud or abuse
• Protect the safety of our users or the public
• Respond to government or law enforcement requests

Notice: Where legally permitted, we will notify you before disclosing your information in response to legal requests.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

6. INTERNATIONAL DATA TRANSFERS

Our Location: We are based in India.

Where Your Data May Be Processed

• India (primary location)
• European Union (Supabase, Hostinger servers)
• United States (Google Analytics, AI providers)
• Other locations where our service providers operate

Transfer Safeguards

For transfers outside India or the EU, we implement:

• Standard Contractual Clauses (SCCs): EU-approved contract terms for international data transfers
• Data Processing Agreements: Written contracts with all processors defining security obligations
• Encryption: Data encrypted in transit (TLS/SSL) and at rest
• Transfer Impact Assessments: For transfers to countries without adequacy decisions (e.g., USA), we assess risks and implement supplementary measures

Your Rights: If you are in the EU, you have the right to obtain information about international transfers and request copies of the safeguards in place.

7. DATA RETENTION

How Long We Keep Your Information

Deletion: After the retention period expires, we securely delete or anonymize your information so it can no longer identify you.

Legal Holds: We may retain data longer if required by law, to resolve disputes, enforce agreements, or defend legal claims.

7.4 CLIENT DATA RETENTION FOR WORKFLOW DATA

This section applies when Clepto.io processes data in your automated workflows (different from Section 7.1-7.3 which covers website visitor data).

DURING YOUR CONTRACT (While You Use Clepto.io):

• Timeline: Entire duration of your service
• Data Kept: All your workflow data, as configured by you
• Backups: Regular backups by Hostinger VPS

Why: Ensure your workflows operate continuously, enable disaster recovery, support workflow history and audit trails.

Your Control: Pause workflows to stop data collection, delete data within workflows manually, or request immediate deletion (contact: contact@clepto.io)

AFTER YOUR CONTRACT ENDS (When You Stop Using Clepto.io):

Timeline: Automatic deletion process

PHASE 1 (Days 1-30): Account Closure

• Your account marked for deletion
• Workflows stopped and disabled
• You can request data export before this completes
• Contact: contact@clepto.io for final data export

PHASE 2 (Days 31-60): Data Deletion

• Account data permanently deleted from database
• Backups scheduled for deletion
• Hostinger performs secure deletion

PHASE 3 (Days 61+): Compliance Retention Only

• Legal/audit logs retained (required by law for 7 years in India)
• Personal data fully deleted
• Workflow configurations removed
• Cannot be recovered

HOW WE DELETE YOUR DATA:

• Secure Deletion: Account data marked for deletion in database, automated deletion process runs, backup cleanup by Hostinger, verification that data is inaccessible
• Certificate of Deletion: We provide confirmation of deletion via email to contact@clepto.io

EXCEPTIONS (We Retain Data Longer If):

• Legal Hold: Court order requires data retention, tax audit or investigation ongoing, dispute resolution in progress. You will be notified immediately.
• Regulatory Compliance: Indian tax law (7-year retention for business records), GDPR (legal basis for retention documented), audit requirements specific to your industry.
• Your Request: You can ask us to retain data for archival purposes. Contact: contact@clepto.io

HOW TO REQUEST DELETION IMMEDIATELY:

Email: contact@clepto.io

Subject: "Please Delete My Clepto Account and All Data"

Include: Your email address, Account ID (if known), Reason (optional)

We will:

• Acknowledge within 24 hours
• Begin deletion within 48 hours
• Confirm completion within 30 days

No Penalty: Deletion can happen anytime during contract, no extra charges, no notice period required.

8. DATA SECURITY

Security Measures We Implement

Technical Safeguards

ENCRYPTION IN TRANSIT (Data Moving):

• Protocol: TLS 1.2 and TLS 1.3 with modern encryption standards
• Standard: HTTPS enforced on all connections
• Certificate: SSL/TLS certificate management through Hostinger VPS
• Verification: All connections must use HTTPS (secure)

ENCRYPTION AT REST (Data Stored):

• Storage: Hostinger VPS with PostgreSQL encrypted database storage
• Database Password: Strong authentication required
• Access Control: Role-based database access
• Backups: Encrypted backup storage by Hostinger

AUTHENTICATION & PASSWORD SECURITY:

• Algorithm: Industry-standard password hashing (bcrypt or similar)
• Minimum Requirements: Strong password requirements enforced
• Session Management: Secure session tokens
• Failed Attempts: Rate-limiting on failed login attempts

ACCESS CONTROLS:

• Role-Based: Different access levels for different users
• Monitoring: Access logs maintained for security
• Admin Access: Limited to authorized personnel only
• Regular Audits: Periodic review of access logs

Regular Updates: Systems and software regularly updated with security patches

Organizational Safeguards

• Employee Training: Staff trained on data protection and security best practices
• Confidentiality Agreements: Employees and contractors bound by confidentiality obligations
• Data Minimization: We collect only information necessary for specified purposes
• Security Monitoring: Regular monitoring for suspicious activity and security incidents

Third-Party Security

All service providers must meet our security standards and comply with contractual security obligations.

Breach Notification: In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by law (within 72 hours for GDPR, as prescribed by Indian law).

9. YOUR RIGHTS AND CHOICES

9.1 Rights Under Indian DPDP Act 2023

If you are in India, you have the following rights:

• Right to Access: Request confirmation of whether we are processing your data and obtain a copy
• Right to Correction: Request correction of inaccurate or incomplete personal data
• Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)
• Right to Withdraw Consent: Withdraw consent at any time (without affecting prior processing)
• Right to Nominate: Nominate another person to exercise your rights in case of death or incapacity
• Right to Grievance Redressal: File complaints with the Data Protection Board of India

9.2 Rights Under EU GDPR (for EU Visitors/Clients)

If you are in the European Union, you have additional rights:

• Right to Access (Art. 15): Obtain a copy of your personal data we hold
• Right to Rectification (Art. 16): Correct inaccurate data
• Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion in certain circumstances
• Right to Restriction of Processing (Art. 18): Limit how we use your data
• Right to Data Portability (Art. 20): Receive your data in machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
• Right Not to Be Subject to Automated Decision-Making (Art. 22): (Note: We do not make automated decisions with legal or significant effects)
• Right to Lodge a Complaint: File complaints with your local Data Protection Authority

EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en

9.3 How to Exercise Your Rights

STEP 1: SEND REQUEST EMAIL

Email: contact@clepto.io

Subject Line: "Data Access Request" OR "Data Deletion Request" OR "Data Correction Request"

Include in Your Email:

• Your full name
• Email address associated with your account/data
• Specific request type (choose one):
  • Access: "Please provide a copy of all my personal data"
  • Deletion: "Please permanently delete all my personal data"
  • Correction: "Please correct/update the following information: [details]"
  • Portability: "Please provide my data in machine-readable format"
  • Restriction: "Please restrict processing of my data"
• Additional details to help us locate your information

STEP 2: IDENTITY VERIFICATION (Takes 3-5 Business Days)

What We'll Do:

• Verify your identity (for security, to prevent unauthorized access)
• May request: Email verification, password confirmation, or account details

Why: To protect your privacy from bad actors and ensure only you can access or delete your data.

What You Should Do: Respond to our verification request promptly. Send verification via email to contact@clepto.io

STEP 3: DATA PROCESSING (Takes Up to 30 Days)

For Access Requests:

• We compile all data we hold about you
• Format as CSV or PDF file
• Send download link via email

For Deletion Requests:

• We permanently delete all personal data
• Secure deletion process: Data removal + backup cleanup
• Send confirmation email with deletion date

For Correction Requests:

• We update incorrect information
• Send confirmation of what was changed
• Verify changes applied

For Portability Requests:

• We provide data in machine-readable format (CSV/JSON)
• Include all data associated with your account

For Restriction Requests:

• We limit processing to storage only
• Mark your data as restricted
• Contact you when restriction can be removed

STEP 4: CONFIRMATION & COMPLETION

You Receive:

• Email confirming request was processed
• For access: Download link with all your data
• For deletion: Deletion confirmation + date deleted
• For correction: List of changes made
• For portability: Data in format you requested (CSV/JSON)
• For restriction: Confirmation restriction is in effect

Timeline:

• Step 2 (verify): 3-5 business days
• Step 3 (process): Up to 30 days from verification
• Total typical time: 1-3 weeks

STEP 5: IF NOT SATISFIED - APPEAL TO REGULATOR

If you're unhappy with our response, you can complain to:

For EU Residents:

• Your local Data Protection Authority (DPA)
• Find yours: https://edpb.europa.eu/about-edpb/board/members_en
• No fees required (free to file)

For India Residents:

• Data Protection Board of India (once established)
• Or contact: contact@clepto.io (reference your case)

For Ireland-Related Issues:

• Data Protection Commission (Ireland)
• Website: https://www.dataprotection.ie
• Email: info@dataprotection.ie

Important: Filing a complaint with a regulator does not prevent you from seeking legal remedies.

NO FEES: We do not charge for most data requests. Excessive or repetitive requests (same request 5+ times per year) may incur reasonable administrative fees ($25-50 USD).

9.4 Communication Preferences

Newsletter Unsubscribe

Every marketing email contains an "Unsubscribe" link. Click it to stop receiving newsletters immediately.

Cookie Preferences

When we implement cookies, you will be able to manage preferences via our cookie banner or by contacting privacy@clepto.io.

Do Not Track

Our website does not currently respond to "Do Not Track" browser signals, but you can disable cookies in your browser settings.

10. CHILDREN'S PRIVACY

Our services are not directed to children under 18 years of age. We do not knowingly collect personal information from children under 18.

If We Learn: If we discover we have inadvertently collected information from a child under 18, we will delete it immediately.

Parental Notice: If you are a parent or guardian and believe your child has provided us with personal information, please contact privacy@clepto.io.

11. COOKIES AND TRACKING TECHNOLOGIES

Current Status

We currently use minimal cookies (primarily for website functionality and Google Analytics).

Future Cookie Use

We plan to implement the following cookie types:

Essential Cookies (Always Active)

• Session management
• Security
• Website functionality

Analytics Cookies (Requires Consent)

• Google Analytics
• Usage tracking
• Performance monitoring

Marketing Cookies (Requires Consent)

• Advertising tracking
• Remarketing campaigns
• Conversion tracking

Cookie Consent: Before implementing non-essential cookies, we will deploy a cookie consent banner allowing you to accept or reject them.

Cookie Policy: A detailed cookie policy will be published at clepto.io/cookies when we implement additional cookies.

Your Control

• Accept or reject cookies via our consent banner
• Manage preferences in browser settings
• Clear cookies at any time

12. THIRD-PARTY LINKS

Our website may contain links to third-party websites, plugins, or applications. This Privacy Policy does not apply to those third parties.

Responsibility: We are not responsible for the privacy practices of external websites. We encourage you to review their privacy policies before providing information.

Examples of Third-Party Links

• Social media platforms (LinkedIn, Twitter, etc.)
• Partner websites
• AI provider documentation
• Industry resources

13. CHANGES TO THIS PRIVACY POLICY

Updates

We may update this Privacy Policy from time to time to reflect:

• Changes in our practices
• Legal or regulatory requirements
• New features or services
• User feedback

Notice of Changes

• Material Changes: We will provide prominent notice on our website and/or email notification
• Minor Changes: Updated "Last Updated" date at the top of this policy
• Effective Date: Changes take effect on the date specified in the updated policy

Your Acceptance: Continued use of our website after changes constitutes acceptance of the updated policy.

Archive: Previous versions available upon request at privacy@clepto.io.

14. LEGAL BASIS FOR PROCESSING (GDPR)

For EU visitors, we process your personal data based on the following legal grounds:

Legitimate Interests: When we process data based on legitimate interests, we balance our interests against your rights and freedoms. You have the right to object to such processing.

15. DATA CONTROLLER AND PROCESSOR ROLES

When We Are the Data Controller

For information collected through our website (contact forms, newsletters, analytics), Clepto.io is the data controller. We determine the purposes and means of processing.

When We Are a Data Processor

When we build AI automation workflows for clients and process their customers' data, we are a data processor. Our clients are the data controllers.

Client Data Processing

Governed by separate Data Processing Agreements (DPAs) that define:

• Scope of processing
• Security obligations
• Sub-processor management
• Data subject rights assistance
• Breach notification procedures

Contact for Client Workflow Data: If your data is being processed in a client's workflow, contact that client directly. We can only act on instructions from the client (the controller).

16. CROSS-BORDER DATA TRANSFERS - DETAILED SAFEGUARDS

India to EU/EEA

• Mechanism: Supabase hosting in EU region ensures data stays within EU
• Adequacy: India does not have an EU adequacy decision
• Safeguards: Standard Contractual Clauses with Supabase

India to USA

• Providers: Google Analytics, OpenAI, Anthropic
• Adequacy: USA does not have an EU adequacy decision (Schrems II)
• Safeguards:
  • Standard Contractual Clauses
  • Transfer Impact Assessments (TIA) for each provider
  • Data minimization (only necessary data transferred)
  • Encryption in transit and at rest

EU to USA (for EU visitors)

• Google Analytics: Configured with IP anonymization, consent-based tracking
• AI Providers: Used only when necessary; chat logs minimized

Documentation Available: Copies of our SCCs and Transfer Impact Assessments available upon request at privacy@clepto.io (for legitimate requests only).

17. SPECIFIC PROCESSING DISCLOSURES

AI Chatbot (n8n-powered)

AI MODELS WE USE:

• OpenAI (Latest GPT models)
• Anthropic (Claude - Latest versions)
• Google Gemini (Latest models)
• Mistral (Latest models)
• Perplexity (Latest models)

LIMITATIONS OF AI YOU SHOULD KNOW:

• AI May Provide Inaccurate Information: AI generates text based on training data, which may be outdated. AI can "hallucinate" or confidently state false information. Always verify important information with a human.
• AI Can Be Biased: Training data reflects biases in historical information. Responses may reflect demographic or contextual biases. We review responses but cannot eliminate bias completely.
• AI Lacks Real-Time Information: Cannot access current real-time data. May not understand your specific business context. Recommendations may not fit your unique situation.
• AI Cannot Make Binding Decisions: AI responses are informational only. Not legal advice, medical advice, or financial advice. You should verify before taking action.

OUR SAFEGUARDS:

• Response Review: Our team reviews AI responses for quality
• Multiple Models: We use multiple AI models for comparison and accuracy
• Feedback Loop: We improve responses based on user feedback
• Human Escalation: Important queries routed to humans

YOUR RIGHTS & CONTROL:

• Talk to Human: Every chat has "Contact us" or request human support option
• Delete History: You can request deletion of your chat history anytime
• Opt Out: You can use email support instead: contact@clepto.io
• Data Access: Request your chat logs anytime: contact@clepto.io

PROCESSING DETAILS:

• Purpose: Provide automated customer support and answer questions
• Data Collected: Chat messages, timestamps, basic browser info
• AI Providers Used: OpenAI, Anthropic, Google Gemini, Mistral, Perplexity (selected based on query complexity)
• Data Retention: Chat logs retained for 3 years (for service improvement)
• Human Review: Our team reviews chat logs to improve responses and fix errors
• Your Control: Delete your chat history anytime or email contact@clepto.io

Questions about AI? Email contact@clepto.io

Google Analytics

• Purpose: Understand website traffic and user behavior
• Data Collected: Anonymized IPs, page views, session duration, device info
• Configuration: IP anonymization enabled, data retention set to 26 months
• Your Control: You can opt out via browser plugins (e.g., Google Analytics Opt-out Browser Add-on)

Newsletter (Future Implementation)

• Purpose: Send updates about our services, AI automation insights, industry news
• Frequency: Approximately 1-2 emails per month (you control frequency)
• Opt-out: Every email includes unsubscribe link
• Data Sharing: We do not share subscriber lists with third parties

18. AUTOMATED DECISION-MAKING

Current Status

We do not use automated decision-making with legal or similarly significant effects.

AI Chatbot

While our chatbot uses AI, it does not make decisions that legally affect you. It's purely informational.

Future Use

If we ever implement automated decision-making (e.g., credit scoring, hiring), we will:

• Notify you clearly
• Obtain explicit consent where required
• Provide information about the logic involved
• Allow you to contest decisions and request human review

19. SUPERVISORY AUTHORITIES AND COMPLAINTS

India

If you have complaints about our data practices in India:

• Authority: Data Protection Board of India
• Website: (To be established under DPDP Act 2023)
• First Step: Contact us at privacy@clepto.io to resolve issues directly

European Union (for EU residents)

• Authority: Your local Data Protection Authority (DPA)
• Contact: Find your DPA at https://edpb.europa.eu/about-edpb/board/members_en
• Right: You have the right to lodge a complaint without prejudice to other remedies

Ireland (for EU complaints related to Clepto)

Since some of our service providers are in the EU:

• Authority: Data Protection Commission (Ireland)
• Website: https://www.dataprotection.ie
• Contact: info@dataprotection.ie

20. CONTACT US

For any questions, concerns, or requests regarding this Privacy Policy or your personal information:

Primary Contact

• Email: privacy@clepto.io
• Subject Line: Please use clear subject lines (e.g., "Privacy Policy Question", "Data Access Request", "Unsubscribe Request")

Company Details

• Company: CLEPTO.IO SERVICES PRIVATE LIMITED
• CIN: U62013PN2025PTC248011
• Address: SNO.107-108, PT-B, ROSEWOOD, SFL-J-603, PIMPLE SAUDAGAR, Sangavi, Pune-411027, Maharashtra, India
• Website: https://clepto.io

General Inquiries

• Email: contact@clepto.io

Response Time

• We aim to respond to privacy inquiries within 5 business days
• Formal data subject rights requests: 30 days (GDPR) or as required by Indian law

21. EFFECTIVE DATE AND VERSION HISTORY

• Current Version: 1.0
• Effective Date: November 16, 2025
• Last Updated: November 16, 2025
• Previous Versions: None (initial version)

Version History: Available upon request at privacy@clepto.io

22. ACKNOWLEDGMENT

By using our website, submitting forms, subscribing to our newsletter, or engaging with our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.