Privacy Policy

This Privacy Policy governs the collection, use, processing, storage, disclosure, and protection of information by CodeWint Technologies (“Company”, “we”, “us”, “our”) through its websites, applications, platforms, white-label software solutions, and related services (“Services”).

This document is drafted in accordance with applicable laws of India and international best practices for data protection, transparency, and user rights.

1. Legal Framework & Compliance

This Privacy Policy is formulated, published, and implemented in strict accordance with the applicable laws, rules, regulations, guidelines, and governmental directions governing data protection, information security, and privacy in India. The Company is committed to ensuring lawful, fair, transparent, and accountable processing of personal and non-personal data and has adopted reasonable security practices to safeguard such information against unauthorized access, misuse, alteration, disclosure, or destruction.

This Privacy Policy is governed by, interpreted under, and fully compliant with the following Indian legal and regulatory frameworks, including any amendments, re-enactments, rules, notifications, or guidelines issued thereunder from time to time:

The Information Technology Act, 2000 – which provides the primary legal framework for electronic governance, cyber security, electronic records, data protection obligations, and penalties for cyber offences, including unauthorized access, data theft, hacking, identity theft, and privacy violations.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 – which mandate the adoption of reasonable security practices, lawful collection of sensitive personal data or information, purpose limitation, consent-based processing, disclosure controls, and grievance redressal mechanisms.
The Digital Personal Data Protection Act, 2023 (DPDP Act) – which establishes a comprehensive data protection regime in India by defining the rights of Data Principals, obligations of Data Fiduciaries and Data Processors, lawful bases for processing personal data, consent management, data minimization, retention limitation, data breach reporting, grievance redressal, and penalties for non-compliance.
Directions, Advisories, and Guidelines issued by the Indian Computer Emergency Response Team (CERT-In) – which prescribe mandatory cyber security practices, incident reporting timelines, log retention requirements, and proactive measures to prevent cyber security incidents.
The Indian Penal Code, 1860 (as applicable to cyber-related offences) – which addresses criminal liability in cases involving fraud, cheating, misrepresentation, impersonation, extortion, and misuse of electronic or digital information.
All applicable rules, notifications, circulars, advisories, policies, and directions issued by the Government of India, regulatory authorities, statutory bodies, and competent authorities, as may be applicable to information technology services, data protection, consumer protection, and cyber security.

In addition to statutory compliance under Indian law, the Company endeavours to align its data protection and information security practices with internationally recognised standards and best practices, where reasonably applicable, including but not limited to:

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
ISO/IEC 27001 Information Security Management Systems (ISMS) principles
Globally accepted principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability

2. Scope of Applicability

This Privacy Policy applies to all individuals, entities, and users who access, interact with, or make use of the Company’s websites, mobile applications, software platforms, white-label solutions, and associated digital services, whether accessed directly or indirectly, and regardless of the mode or device used to access such Services.

Without limitation, this Privacy Policy applies to the following categories of users and stakeholders:

Website Visitors – Individuals who browse, access, or interact with the Company’s websites, landing pages, portals, or online resources, including users who submit inquiries, forms, or contact requests.
Mobile Application Users – Individuals who download, install, register, access, or use mobile applications developed, operated, or provided as part of the Company’s Services, whether for personal, commercial, or organizational purposes.
White-Label Software Clients – Businesses, organizations, financial institutions, retailers, or service providers who license, integrate, or deploy the Company’s software solutions under their own brand name or identity.
Retailers, Distributors, and Administrators – Authorized users who manage, configure, monitor, or operate the Services through administrative dashboards, control panels, or management interfaces, including personnel acting on behalf of clients.
End Users Whose Data is Processed by Clients – Individuals whose personal or device-related data is collected, uploaded, processed, or managed by clients using the Company’s software platforms, where the Company acts solely as a data processor and not as a data controller.
Support, Onboarding, and Operational Users – Individuals who interact with the Company’s support systems, onboarding processes, training platforms, customer service channels, or operational tools in connection with the Services.

This Privacy Policy governs all forms of information collected or processed through the Services, including personal data, sensitive personal data (where applicable), technical data, device-related information, usage logs, and communications, irrespective of whether such data is collected online, offline, electronically, or through automated means.

This Privacy Policy does not apply to third-party websites, applications, software, services, or platforms that are not owned, operated, or controlled by the Company, even if such third-party services are linked to, integrated with, or accessible through the Services. The Company shall not be responsible or liable for the privacy practices, content, security, or data handling policies of any such third parties, which shall be governed by their respective privacy policies and terms of use.

Users are encouraged to review the privacy policies of all third-party services before interacting with or providing any information to such services.

3. Nature of Business & Role Definition

The Company operates exclusively as a technology service provider and software development entity engaged in the design, development, licensing, deployment, maintenance, and support of digital software platforms and technology-based solutions. The Services are provided on a proprietary, licensed, and subscription-based model, including white-label implementations for business clients.

The Company’s offerings include, without limitation, the following categories of software platforms and technical services:

Device Management Systems – Software tools that enable authorized users to monitor, configure, secure, and manage devices in accordance with predefined policies and contractual instructions provided by clients.
EMI Management Software – Technology platforms designed to facilitate the recording, monitoring, scheduling, and status tracking of installment-based payment arrangements, as configured and controlled solely by clients.
Mobile Lock and Unlock Mechanisms – Technical features that enable conditional access control, restriction, or restoration of device functionality based on parameters defined by clients, subject to user consent and applicable law.
Administrative Dashboards – Web-based or application-based control panels that allow authorized personnel to manage users, devices, configurations, reports, and system operations.
Reporting and Analytics Tools – Data visualization and reporting features that generate insights based on usage data, system activity, operational metrics, and client-configured parameters.
White-Label SaaS Solutions – Fully customizable software solutions offered under the brand name, identity, and control of clients, where the Company remains a backend technology provider.

The Company does not engage in, offer, or provide any form of financial service, banking activity, lending operation, credit facility, loan disbursement, EMI financing, debt recovery, collection, or monetary transaction with end users. The Company does not act as a lender, financier, collection agent, or recovery authority, and does not exercise any discretion or control over financial decisions, eligibility criteria, repayment terms, or enforcement actions.

All financial relationships, lending arrangements, EMI terms, customer communications, recovery processes, regulatory compliance obligations, and dispute resolutions are solely managed, controlled, and executed by the respective clients in accordance with applicable laws, regulatory requirements, and contractual obligations between the client and their end users.

For the purposes of applicable data protection and privacy laws, including the Digital Personal Data Protection Act, 2023:

Clients act as “Data Controllers” (or “Data Fiduciaries”), as they determine the purpose, means, and lawful basis for the collection and processing of personal data of end users.
The Company acts solely as a “Data Processor”, processing personal data only on documented instructions received from clients and solely for the purpose of providing the Services.

The Company does not independently determine the purpose or means of processing personal data of end users and shall not be responsible for the legality, accuracy, or validity of data collected by clients. Clients are solely responsible for obtaining valid consent, providing statutory disclosures, and ensuring compliance with applicable data protection, consumer protection, and financial regulations.

Nothing contained in this Privacy Policy shall be construed as creating a partnership, agency, joint venture, fiduciary relationship, or financial obligation between the Company and any user or client.

4. Definitions

For the purposes of this Privacy Policy, unless the context otherwise requires, the following terms shall have the meanings assigned to them below. These definitions are intended to be consistent with the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023, and other applicable Indian laws.

“Personal Data” means any data or information, whether true or not, and whether recorded in a digital or physical form, about an individual who is identifiable or identifiable by or in relation to such data. Personal Data includes, without limitation, identifiers such as name, contact details, online identifiers, device identifiers, location data, or any combination of data that can reasonably be used to identify an individual, either directly or indirectly.

“Sensitive Personal Data” means such personal data or information that is classified as sensitive under applicable Indian laws and regulations, including but not limited to passwords, authentication credentials, financial information (such as bank account details, payment instrument information, or transaction data), biometric information, health-related data, sexual orientation, and any other category of data notified as sensitive by the Government of India from time to time.

“Processing” means any operation or set of operations performed on Personal Data or Sensitive Personal Data, whether or not by automated means, including but not limited to the collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, or destruction of such data.

“Data Principal” means the individual to whom the Personal Data relates and who is identifiable by or in relation to such data, as defined under the Digital Personal Data Protection Act, 2023.

“Data Fiduciary” means any person, company, or entity that alone or in conjunction with others determines the purpose and means of processing Personal Data, as defined under applicable data protection laws.

“Data Processor” means any person, company, or entity that processes Personal Data on behalf of a Data Fiduciary and strictly in accordance with documented instructions provided by such Data Fiduciary.

“Consent” means any freely given, specific, informed, unconditional, and unambiguous indication of the Data Principal’s agreement to the processing of their Personal Data, provided through clear affirmative action, including electronic or digital acceptance mechanisms.

“Service(s)” means all websites, mobile applications, software platforms, white-label solutions, application programming interfaces (APIs), dashboards, tools, and related technology services provided by the Company.

“Third Party” means any individual, organization, entity, or service provider other than the Company, the Data Principal, or the Data Fiduciary, including analytics providers, cloud service providers, messaging platforms, or integration partners.

“Device Data” means technical and system-related information associated with a device, including but not limited to device identifiers, operating system details, hardware specifications, application status, network information, and diagnostic data.

“Anonymized Data” means data that has been processed in such a manner that the Data Principal cannot be identified, directly or indirectly, and which cannot be reasonably re-identified.

“Applicable Law” means all statutes, enactments, regulations, rules, notifications, directions, circulars, guidelines, and judicial decisions having the force of law in India, as amended from time to time.

5. Information We Collect

The Company collects information strictly in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, and data minimization, as required under applicable Indian data protection laws. Information is collected only to the extent necessary for providing, operating, securing, and improving the Services.

Information collected by the Company may include personal data, business-related data, technical data, and communications, depending on the nature of the user’s interaction with the Services and the role of the user.

5.1 Information Provided Directly

The Company may collect information that is voluntarily and knowingly provided by users, clients, or authorized representatives during registration, onboarding, use of the Services, or communication with the Company. Such information may include, without limitation:

Name – Including first name, last name, or authorized representative name, used for identification, account management, communication, and support purposes.
Email Address – Used for account creation, authentication, notifications, service updates, security alerts, and official communications.
Phone Number – Used for verification, support communication, service-related notifications, and operational coordination, where applicable.
Business Details – Including business name, organization type, address, registration details, and related information provided by clients or partners for onboarding, billing, contractual, and compliance purposes.
Login Credentials – Such as usernames, encrypted passwords, authentication tokens, or access keys, used to securely authenticate users and control access to the Services. Passwords and credentials are stored in encrypted or hashed form in accordance with reasonable security practices.
Support Communications – Information shared through customer support channels, including emails, messages, call records, tickets, screenshots, documents, or other materials submitted to resolve issues, respond to inquiries, or provide assistance.
Identity Information (Where Legally Required) – Limited identity-related information may be collected only where required by applicable law, regulatory obligations, or contractual requirements imposed on clients, and only with appropriate authorization and consent.

Users are responsible for ensuring that the information provided is accurate, complete, and up to date. The Company shall not be responsible for inaccuracies or omissions in information provided by users or clients.

The Company does not intentionally collect sensitive personal data unless such collection is expressly required for lawful purposes, is mandated by applicable law, or is specifically authorized by the client and the Data Principal in accordance with legal requirements.

5.2 Automatically Collected Information

In addition to information provided directly by users, the Company may automatically collect certain technical, system-generated, and usage-related information when users access or interact with the Services. Such information is collected through standard technologies, application programming interfaces (APIs), software development kits (SDKs), log files, and system processes, and is necessary to ensure the functionality, security, performance, and reliability of the Services.

Automatically collected information may include, without limitation:

Device Identifiers – Including unique device identifiers such as IMEI numbers, Android ID, serial numbers, or other hardware or software-based identifiers, which are used for device recognition, security enforcement, fraud prevention, access control, and system integrity verification, subject to user consent and applicable law.
Device Model and Manufacturer – Information regarding the make, model, manufacturer, and hardware configuration of the device, collected for compatibility checks, troubleshooting, performance optimization, and support purposes.
Operating System Details – Including operating system name, version, build number, security patch level, and platform type, collected to ensure proper application functionality, apply security updates, and diagnose technical issues.
Application Usage Logs – Records of interactions with the Services, including features accessed, actions performed, timestamps, session duration, and system events, used for monitoring performance, detecting anomalies, auditing activity, and improving user experience.
Internet Protocol (IP) Address – Network-related information collected to facilitate communication between devices and servers, detect fraudulent or malicious activity, enforce security controls, and comply with legal and regulatory requirements.
Crash Reports and Diagnostic Data – Technical data generated when the application experiences errors, crashes, or performance issues, including stack traces, error logs, and diagnostic metrics, used to identify, analyze, and resolve technical problems and enhance system stability.
Time Zone and Language Preferences – Regional settings such as time zone, language, and locale information, collected to localize content, schedule notifications, and optimize user interface display.

Automatically collected information is processed strictly for legitimate business purposes, including system administration, security monitoring, service improvement, analytics, and compliance with applicable laws. Such information is not used to independently identify individuals unless combined with other personal data and only to the extent permitted by law.

Where required by applicable law, consent for the collection and processing of such information is obtained through application permissions, system prompts, or contractual arrangements with clients.

5.3 Sensitive Personal Data

The Company does not intentionally collect, process, store, or retain Sensitive Personal Data of users or end users unless such collection is strictly necessary for lawful purposes, is expressly required under applicable law, or is explicitly authorized by the client and the Data Principal in accordance with statutory requirements.

For the purposes of this Privacy Policy, Sensitive Personal Data may include, but is not limited to, passwords, authentication credentials, financial information, payment instrument details, biometric data, health-related information, or any other category of data notified as sensitive under applicable Indian laws.

Where the collection or processing of Sensitive Personal Data is required, such processing shall be carried out only:

With prior, explicit, informed, and lawful consent of the Data Principal, obtained through clear affirmative action or legally valid mechanisms;
In accordance with documented instructions provided by the client, who acts as the Data Fiduciary or Data Controller;
For a specific, clearly defined, and lawful purpose that has been disclosed to the Data Principal; and
Subject to enhanced security safeguards, access controls, and confidentiality obligations, as mandated under applicable law.

The Company does not use Sensitive Personal Data for marketing, profiling, or unrelated purposes and does not disclose such data to third parties except where required to provide the Services, comply with legal obligations, or pursuant to lawful instructions from the client.

In cases where Sensitive Personal Data is inadvertently collected or processed without lawful authorization, the Company shall take reasonable steps to promptly delete or anonymize such data in accordance with applicable law and internal data protection procedures.

Clients are solely responsible for determining the necessity and legality of collecting Sensitive Personal Data from end users, obtaining valid consent, providing statutory disclosures, and ensuring compliance with applicable data protection, consumer protection, and sector-specific regulations.

6. User Consent

The Company processes personal data and related information only after obtaining valid, lawful, and informed consent from users or Data Principals, except where processing is otherwise permitted or required under applicable law. Consent is obtained in a manner that is free, specific, informed, unconditional, and unambiguous, in accordance with the Digital Personal Data Protection Act, 2023, and other applicable Indian data protection laws.

Consent may be obtained through one or more of the following mechanisms, depending on the nature of the Service, the role of the user, and the type of data being processed:

Application Permission Prompts – System-generated or in-app permission requests seeking user authorization for accessing device features, data, or functionalities, clearly explaining the purpose and scope of such access.
Checkbox Acknowledgements – Explicit opt-in mechanisms, including checkboxes or toggle actions, requiring users to actively acknowledge and agree to this Privacy Policy, Terms and Conditions, End User License Agreement, or other applicable documents.
Digital Acceptance of Agreements – Acceptance of electronic or digital agreements through click-wrap, browse-wrap, or similar legally recognized acceptance methods, constituting valid consent under Indian contract and information technology laws.
Contractual Arrangements with Clients – Consent obtained by clients from end users through legally binding agreements, declarations, or disclosures, where the Company acts solely as a Data Processor and processes data on the documented instructions of the client.

Where consent is obtained indirectly through clients, clients are solely responsible for ensuring that such consent is valid, lawful, informed, and compliant with applicable data protection laws, and that appropriate notices have been provided to Data Principals.

Users and Data Principals have the right to withdraw their consent at any time by following the procedures specified within the Services or by contacting the appropriate support or grievance redressal mechanism. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal.

Withdrawal of consent may result in limited or discontinued access to certain features or Services where such data processing is necessary for the performance of contractual obligations, compliance with legal requirements, or maintenance of system security.

The Company shall retain records of consent, where required, for audit, compliance, and legal purposes, in accordance with applicable law and internal data retention policies.

6. User Consent

Consent may be obtained through one or more of the following mechanisms, depending on the nature of the Service, the role of the user, and the type of data being processed:

Application Permission Prompts – System-generated or in-app permission requests seeking user authorization for accessing device features, data, or functionalities, clearly explaining the purpose and scope of such access.
Checkbox Acknowledgements – Explicit opt-in mechanisms, including checkboxes or toggle actions, requiring users to actively acknowledge and agree to this Privacy Policy, Terms and Conditions, End User License Agreement, or other applicable documents.
Digital Acceptance of Agreements – Acceptance of electronic or digital agreements through click-wrap, browse-wrap, or similar legally recognized acceptance methods, constituting valid consent under Indian contract and information technology laws.
Contractual Arrangements with Clients – Consent obtained by clients from end users through legally binding agreements, declarations, or disclosures, where the Company acts solely as a Data Processor and processes data on the documented instructions of the client.

The Company shall retain records of consent, where required, for audit, compliance, and legal purposes, in accordance with applicable law and internal data retention policies.

7. Purpose of Data Processing

The Company processes personal data, device-related data, and technical information solely for lawful, legitimate, and clearly defined purposes, in accordance with the principles of purpose limitation, data minimization, and proportionality as mandated under applicable Indian data protection laws.

Personal data is processed only to the extent necessary to provide, operate, secure, and improve the Services, and shall not be used for purposes that are incompatible with the original purpose of collection without obtaining additional lawful consent.

The purposes for which data may be processed include, without limitation:

Providing and Operating the Services – To enable access to software platforms, deliver functionalities, manage accounts, support white-label deployments, and ensure continuous availability of the Services.
Device Control and Security Enforcement – To implement client-configured device management policies, conditional access controls, lock and unlock mechanisms, security restrictions, and other protective measures, subject to user consent and applicable law.
User Authentication and Access Management – To verify user identity, authenticate logins, manage roles and permissions, prevent unauthorized access, and maintain secure system access.
System Monitoring and Diagnostics – To monitor system performance, detect errors, analyze crashes, troubleshoot technical issues, conduct audits, and ensure the stability, integrity, and reliability of the Services.
Legal and Regulatory Compliance – To comply with applicable laws, regulations, government directions, court orders, lawful requests from authorities, and contractual obligations, including record-keeping and reporting requirements.
Fraud Prevention and Security – To detect, prevent, investigate, and mitigate fraudulent, unauthorized, malicious, or illegal activities, protect systems and users, and enforce security policies.
Customer Support and Communication – To respond to inquiries, resolve issues, provide technical assistance, send service-related notifications, and manage support requests.
Service Improvement and Optimization – To analyze usage patterns, conduct research and development, improve features, enhance user experience, optimize performance, and develop new functionalities, using aggregated or anonymized data where feasible.

The Company does not process personal data for marketing, advertising, profiling, or unrelated commercial purposes unless expressly permitted by applicable law and supported by valid consent.

Where processing is carried out on behalf of clients, such processing is performed strictly in accordance with documented instructions provided by the client, who remains solely responsible for determining the lawful purpose and basis of such processing.

8. Device Permissions & Lock Mechanisms

The Company’s applications may require certain advanced device permissions in order to deliver the declared functionalities of the Services in a secure, reliable, and effective manner. Such permissions are requested strictly on a necessity basis and are implemented in accordance with applicable laws, platform policies, and user consent requirements.

The permissions that may be requested by the applications include, without limitation:

Device Administration Permissions – Required to enable authorized device management functions such as enforcing security policies, restricting or restoring access to certain device features, and implementing client-configured control mechanisms in accordance with contractual terms and user consent.
Accessibility Services – Used solely to support specific declared functionalities, such as assisting with device control features, monitoring compliance with configured policies, or enabling accessibility-related operations, and not for surveillance, content interception, or unauthorized data access.
Location Access – Collected, where enabled, for purposes such as device security, fraud prevention, compliance verification, and operational requirements defined by clients, and only to the extent permitted by applicable law and user consent.
Background Execution and System Permissions – Required to ensure uninterrupted operation of essential Services, including security enforcement, policy updates, system monitoring, notifications, and compliance checks, even when the application is not actively in use.

The Company implements device lock, unlock, or restriction mechanisms solely as a technical capability within the software platform. Such mechanisms are activated, configured, and controlled exclusively by clients in accordance with their contractual arrangements with end users and applicable legal requirements.

The Company does not independently initiate, determine, or enforce any device lock, restriction, or access limitation. All such actions are performed based on predefined parameters, instructions, and triggers established by clients, and are subject to applicable law and user consent.

All permissions requested by the applications are:

Clearly Disclosed – Users are informed, through in-app notices, permission prompts, and policy disclosures, of the nature, purpose, and scope of each permission requested.
Granted Voluntarily – Permissions are enabled only after affirmative action by the user or Data Principal, except where system-level permissions are required for the performance of contractual obligations or legal compliance.
Used Only for Stated Purposes – Permissions are utilized strictly for the purposes explicitly disclosed at the time of collection and as described in this Privacy Policy.
Revocable Subject to Functionality Limitations – Users may revoke permissions at any time through device or application settings; however, such revocation may result in limited, degraded, or discontinued functionality of certain features that depend on those permissions.

The Company does not misuse device permissions for unauthorized monitoring, hidden operations, data exfiltration, or activities that violate user trust, platform policies, or applicable law. Reasonable safeguards are implemented to prevent abuse, misuse, or unauthorized access arising from the use of such permissions.

Clients are solely responsible for ensuring that device control features, lock mechanisms, and permission-dependent functionalities are used in a lawful, fair, and transparent manner, including obtaining valid consent from end users and providing all required statutory disclosures.

9. Third-Party Services & SDKs

In order to provide, operate, secure, analyze, and improve the Services, the Company may integrate and use certain third-party services, software development kits (SDKs), application programming interfaces (APIs), and technology tools. These third-party services are used strictly for legitimate business purposes and are implemented in accordance with applicable laws, platform policies, and contractual safeguards.

The Company does not control the internal data processing practices of third-party service providers and shall not be responsible for the privacy policies, security practices, or data handling procedures of such third parties. Users are encouraged to review the respective privacy policies of third-party service providers for more information.

9.1 Google Firebase

The Services may use Google Firebase, a mobile and web application development platform, to support essential functionalities such as user authentication, crash reporting, performance monitoring, analytics, and cloud messaging.

Firebase may automatically collect and process certain technical and usage-related information, including but not limited to device identifiers, application instance identifiers, device model, operating system details, app usage data, crash logs, performance metrics, diagnostic information, and messaging tokens.

Such information is used to:

Authenticate users and manage sessions
Detect, analyze, and resolve application errors or crashes
Monitor application performance and stability
Deliver system notifications and messages
Improve functionality, reliability, and user experience

Firebase data processing is governed by Google’s applicable privacy policies and terms. The Company configures Firebase services to the extent reasonably possible to limit data collection to what is necessary for the intended purposes.

9.2 Google Analytics

The Services may use Google Analytics to collect and analyze aggregated statistical information regarding user interactions, traffic patterns, feature usage, and usage trends. Google Analytics uses cookies, tracking technologies, or similar mechanisms to collect anonymized or pseudonymized data.

Information collected through Google Analytics may include, without limitation, pages or screens visited, session duration, interaction events, device type, browser information, geographic region (at a generalized level), and referral sources.

Such information is used solely for:

Understanding how users interact with the Services
Measuring effectiveness of features and functionality
Identifying performance or usability issues
Improving service design and optimization

The Company does not use Google Analytics to identify individual users or to collect sensitive personal data, and implements reasonable configuration measures to respect user privacy.

9.3 Google Tag Manager

Google Tag Manager may be used to manage and deploy analytics, tracking, or measurement scripts efficiently without requiring direct modification of application or website code.

Google Tag Manager itself does not collect personal data; however, it may facilitate the deployment of other tags or scripts that collect data in accordance with their respective purposes and privacy policies.

All tags deployed through Google Tag Manager are subject to internal review and are limited to legitimate, disclosed, and lawful purposes.

9.4 OneSignal

The Services may use OneSignal to deliver push notifications, alerts, and service-related communications to users. OneSignal may collect and process certain information, including device tokens, notification identifiers, delivery status, interaction data, and subscription preferences.

Such information is used to:

Deliver transactional and service-related notifications
Communicate important updates or alerts
Analyze notification delivery and engagement metrics

The Company does not use OneSignal for unsolicited marketing communications unless permitted by applicable law and supported by valid user consent.

All third-party services and SDKs used by the Company operate under their respective privacy policies, terms of service, and data protection frameworks, and are expected to comply with applicable data protection laws. The Company takes reasonable steps to integrate third-party services that demonstrate appropriate data protection and security practices.

10. Cookies & Tracking Technologies

The Company may use cookies and similar tracking technologies, including but not limited to web beacons, pixels, tags, scripts, and local storage objects, to enhance the functionality, security, performance, and usability of the Services. These technologies enable the Company to recognize user preferences, maintain session continuity, and understand how the Services are accessed and used.

Cookies are small text files that are stored on a user’s device when visiting a website or accessing web-based components of the Services. Cookies may be classified as session cookies (which expire when the browser is closed) or persistent cookies (which remain on the device for a defined period or until deleted).

Cookies and tracking technologies may be used for purposes including, without limitation:

Functional Purposes – To enable core features of the Services, maintain user sessions, authenticate users, remember login states, and ensure smooth navigation.
Preference Management – To store user preferences such as language, region, time zone, and display settings, thereby enhancing user experience.
Performance and Analytics – To collect aggregated and anonymized statistical information regarding usage patterns, feature interactions, traffic volumes, and system performance, which helps in monitoring, analyzing, and improving the Services.
Security and Fraud Prevention – To detect suspicious activity, prevent unauthorized access, protect user accounts, and maintain system integrity.

The Company does not use cookies or tracking technologies to collect sensitive personal data or to engage in intrusive profiling without valid legal basis or consent.

Users have the ability to manage or disable cookies through their browser or device settings. However, disabling or restricting cookies may result in limited functionality, reduced performance, or the unavailability of certain features of the Services that rely on such technologies for proper operation.

Where required by applicable law, the Company provides appropriate disclosures and obtains necessary consent for the use of cookies and tracking technologies. Continued use of the Services after such disclosure shall be deemed as consent to the use of cookies in accordance with this Privacy Policy.

11. Data Storage & Retention

The Company stores personal data, device-related data, and technical information on secure servers and infrastructure that are protected by appropriate administrative, technical, and physical safeguards. Data is stored and retained only for such duration as is necessary to fulfil the purposes for which it was collected, including the performance of contractual obligations, compliance with applicable laws, and legitimate operational requirements.

Data retention periods are determined in accordance with the principles of storage limitation and data minimization, as mandated under applicable Indian data protection laws. The Company does not retain personal data for longer than is reasonably necessary, unless retention is required or permitted by law.

The duration for which data is retained may vary depending on factors including, without limitation:

Purpose of Processing – The nature, scope, and objective of the data processing activity, including whether the data is required for service delivery, security enforcement, system operation, or analytics.
Legal and Regulatory Obligations – Statutory retention requirements imposed under applicable laws, regulations, government directions, court orders, or regulatory guidelines, including obligations relating to record-keeping, audits, or investigations.
Client Instructions – Documented instructions or contractual requirements provided by clients acting as Data Controllers or Data Fiduciaries, including retention or deletion requests in accordance with applicable law.
Security and Risk Considerations – The need to retain certain data for a reasonable period to detect, prevent, investigate, or respond to security incidents, fraud, misuse, or unauthorized activities.

Upon expiry of the applicable retention period, or upon receipt of a valid deletion request from the client or Data Principal (subject to legal and contractual limitations), the Company shall take reasonable steps to securely delete, anonymize, or irreversibly de-identify such data, in accordance with internal data disposal procedures and applicable law.

The Company may retain anonymized or aggregated data for statistical, analytical, or research purposes, provided that such data does not identify, and cannot reasonably be used to identify, any individual.

Clients are responsible for determining appropriate retention periods for end-user data and for ensuring that such retention is lawful. The Company shall not be responsible for retention decisions made by clients that are inconsistent with applicable law or regulatory requirements.

12. Data Security Measures

The Company implements and maintains reasonable security practices and procedures designed to protect personal data, sensitive personal data, and technical information against unauthorized access, disclosure, alteration, loss, or destruction. Such measures are implemented in accordance with applicable Indian data protection laws, CERT-In guidelines, and generally accepted information security standards.

The security measures adopted by the Company include, without limitation:

Encryption in Transit and at Rest – Use of industry-standard encryption protocols to protect data during transmission over networks and while stored on servers, databases, or backup systems, thereby reducing the risk of unauthorized interception or access.
Role-Based Access Control (RBAC) – Restriction of access to personal data based on defined roles and responsibilities, ensuring that only authorized personnel with a legitimate business need can access such data.
Authentication Mechanisms – Implementation of secure authentication processes, including password protection, multi-factor authentication (where applicable), and session management controls to prevent unauthorized system access.
Audit Logs and Monitoring – Maintenance of system logs and audit trails to record access, modifications, and operational activities, which support monitoring, forensic analysis, compliance audits, and investigation of security incidents.
Regular Vulnerability Assessments – Periodic security testing, vulnerability assessments, and penetration testing to identify and remediate potential security weaknesses in systems, applications, and infrastructure.
Incident Response Protocols – Established procedures and internal controls to detect, assess, contain, investigate, and remediate security incidents or suspected data breaches in a timely and structured manner.

While the Company takes reasonable and appropriate measures to protect data, no method of transmission or storage is completely secure. Users acknowledge and accept the inherent risks associated with digital data processing.

13. Data Breach & Incident Reporting

In the event of a personal data breach, security incident, or unauthorized access affecting personal data processed by the Company, reasonable and prompt actions shall be taken to contain, assess, and mitigate the impact of such incident in accordance with applicable law and internal incident response procedures.

Such actions may include, without limitation:

Immediate investigation and containment of the incident
Assessment of the nature, scope, and potential impact of the breach
Implementation of remedial measures to prevent recurrence
Documentation of the incident for audit and compliance purposes

Where required under applicable law, regulatory directions, or contractual obligations, the Company shall notify affected clients, Data Principals, and competent authorities of the data breach within the prescribed timelines, including reporting to relevant cyber security or governmental authorities as mandated.

In cases where the Company acts as a Data Processor, the Company shall promptly inform the client acting as the Data Fiduciary or Data Controller of any data breach affecting data processed on their behalf, and shall provide reasonable assistance to enable the client to fulfil its legal and regulatory obligations.

The Company shall not be responsible for data breaches or security incidents arising from the actions, omissions, or systems of clients or third parties beyond the Company’s reasonable control.

14. Rights of Data Principals (DPDP Act)

In accordance with the provisions of the Digital Personal Data Protection Act, 2023, Data Principals are entitled to certain rights in relation to the processing of their Personal Data. The Company recognizes and respects these rights and has implemented reasonable procedures to enable Data Principals to exercise them in a lawful and effective manner.

The rights available to Data Principals include, without limitation:

Right to Access Information – The right to obtain confirmation regarding whether personal data relating to the Data Principal is being processed, and to receive a summary of such data, the purpose of processing, and the categories of personal data involved, subject to applicable legal and contractual limitations.
Right to Correction and Updating – The right to request correction of inaccurate, incomplete, or outdated personal data, and to have such data updated where necessary to ensure accuracy and completeness.
Right to Erasure – The right to request deletion or erasure of personal data that is no longer necessary for the purpose for which it was collected or processed, subject to retention obligations imposed by applicable law, contractual requirements, or legitimate security and compliance needs.
Right to Withdraw Consent – The right to withdraw previously granted consent for the processing of personal data at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal, and may result in limited or discontinued access to certain Services.
Right to Grievance Redressal – The right to lodge a grievance or complaint regarding the processing of personal data, including alleged violations of applicable data protection laws or this Privacy Policy, and to receive a timely and reasoned response.

Requests to exercise the above rights may be made through the contact or grievance redressal mechanisms specified in this Privacy Policy. The Company may require reasonable verification of identity before processing such requests to protect against unauthorized access or misuse.

Where the Company acts as a Data Processor, requests from Data Principals shall be forwarded to the relevant client acting as the Data Fiduciary or Data Controller, and the Company shall provide reasonable assistance to enable the client to respond in accordance with applicable law.

The exercise of Data Principal rights is subject to applicable legal, regulatory, and contractual limitations, including circumstances where processing or retention of data is necessary for compliance with law, enforcement of legal rights, or protection of system security.

15. Grievance Redressal

Any grievance relating to data protection may be addressed via email:

Email: contact@codewint.com

16. Children’s Privacy

Services are not intended for individuals under 18 years of age. We do not knowingly process children's data.

17. Cross-Border Data Transfer

Data may be transferred outside India only in compliance with applicable laws and adequate safeguards.

18. Limitation of Liability

To the maximum extent permitted under applicable law, the Company shall not be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, including but not limited to loss of profits, loss of business, loss of data, loss of goodwill, business interruption, reputational harm, or any other intangible losses, arising out of or in connection with the access to, use of, or inability to use the Services or the processing of personal data.

The Company shall not be responsible or liable for any acts, omissions, decisions, or conduct of clients, end users, or third parties, including but not limited to:

The manner in which clients collect, use, disclose, or process personal data of end users;
The legality, validity, or adequacy of consents obtained by clients from Data Principals;
The configuration, activation, enforcement, or misuse of device control, lock, or access restriction mechanisms by clients;
Any financial, lending, recovery, or credit-related decisions made by clients or third parties using the Services;
Any unauthorized access, data breach, or security incident arising from systems, networks, or infrastructure not controlled by the Company.

The Company does not warrant that the Services will be uninterrupted, error-free, secure, or free from defects, and shall not be liable for any damages resulting from service interruptions, delays, technical failures, or system downtime, except to the extent expressly required by applicable law.

19. Indemnification

Clients agree to indemnify, defend, and hold harmless the Company, its proprietors, officers, employees, contractors, and affiliates from and against any and all claims, demands, actions, proceedings, losses, damages, liabilities, penalties, costs, and expenses (including reasonable legal fees) arising out of or in connection with:

Any misuse, unauthorized use, or unlawful use of the Services by the client, its employees, agents, representatives, or end users;
Any violation of applicable laws, regulations, government directions, or regulatory requirements by the client or its end users, including but not limited to data protection, consumer protection, financial, or cyber security laws;
Any failure by the client to obtain valid, lawful, and informed consent from Data Principals for the collection and processing of personal data;
Any configuration, activation, enforcement, or misuse of device control, lock, access restriction, or security mechanisms implemented by the client using the Services;
Any claims, disputes, complaints, or legal actions initiated by end users, regulators, or third parties arising from the client’s business practices, financial activities, lending decisions, or customer engagements.

The Company shall have the right, but not the obligation, to participate in the defense of any such claim at its own expense. The client shall not settle any claim in a manner that imposes any liability or obligation on the Company without the Company’s prior written consent.

This indemnification obligation shall survive the termination or expiration of the client’s use of the Services.

20. Amendments

The Company reserves the right to modify, update, revise, or amend this Privacy Policy at any time, in order to reflect changes in legal requirements, regulatory guidance, technological developments, operational practices, or business needs.

Any amendments to this Privacy Policy shall become effective upon being posted on the Company’s website, application, or platform, or upon such other notice as may be provided in accordance with applicable law.

Continued access to or use of the Services after the effective date of any amendment shall constitute acknowledgment of, and agreement to be bound by, the updated Privacy Policy. Users who do not agree with the amended terms should discontinue use of the Services.

Where required by applicable law, the Company shall seek renewed consent from users or Data Principals prior to implementing material changes that affect the processing of personal data.

21. Governing Law & Jurisdiction

This Privacy Policy shall be governed by the laws of India. Courts located in Jaipur, Rajasthan, India shall have exclusive jurisdiction.

22. Contact Details

Website: www.codewint.com
Email: contact@codewint.com

By accessing or using our Services, you acknowledge that you have read, understood, and agreed to this Privacy Policy.