Your data, itemised.
This is Crawlshark Technologies Pvt. Ltd.'s itemised notice under §5 of the Digital Personal Data Protection Act, 2023. It tells you, in plain language, what personal data we process about you, why, on what legal basis, who we share it with, how long we keep it, and how you can exercise your rights as a Data Principal.
Who we are
Crawlshark Technologies Pvt. Ltd. ("Crawlshark", "we", "us") is the Data Fiduciary for the personal data described in this notice. We are incorporated in India, registered at Indiranagar, Bengaluru, Karnataka 560038.
For our customers' end users, Crawlshark acts as a Data Processor under §2(k) — we process personal data only on documented instructions from the customer (Data Fiduciary). This notice covers data that we determine the purpose for: visitors to our marketing site, prospects, customers and grievance applicants.
Itemised notice of processing (§5)
| Purpose | Categories of personal data | Lawful basis | Retention |
|---|---|---|---|
| Account creation & access | Name, work email, organisation, role | Consent (§6) · Performance of contract (§7(a)) | Active account + 24 months (audit) |
| Service delivery | Tenant configuration, SDK telemetry, consent events | Performance of contract (§7(a)) | Term of contract + 90 days |
| Billing & invoicing | Billing contact, GSTIN, payment reference | Legal obligation (§7(c)) · CGST/IGST Act | ~6 financial years (CGST §36 · 72 months from annual return) |
| Customer support | Support emails, tickets, attached evidence | Consent (§6) · Performance (§7(a)) | 36 months from last interaction |
| Product analytics | Cookie ID, page events, anonymised counters | Consent (§6) — opt-in | 13 months rolling |
| Marketing communications | Email, sector, preferences | Consent (§6) — separate granular opt-in | Until withdrawal |
| Security & abuse prevention | IP, device fingerprint, audit logs | Legitimate use (§7(g)) · Information security | 12 months |
| Statutory & regulatory compliance | Records of processing, breach reports, RoPA | Legal obligation (§7(c)) | As mandated by law |
We do not process sensitive personal data of children without verifiable parental consent (§9). Our marketing site is not directed at individuals under 18.
Recipients & processors
We share personal data only with the processors below, each governed by a written Data Processing Agreement aligned to §8 of the Act. Data resides in India by default; any cross-border transfer is consent-gated and limited to jurisdictions not restricted by the Central Government.
| Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (Mumbai) | Primary hosting & storage | India (ap-south-1) |
| Oracle Cloud (Hyderabad) | Disaster recovery & failover | India |
| Razorpay | Payment processing | India |
| Postmark / AWS SES (Mumbai) | Transactional email | India |
| MSG91 | SMS & WhatsApp notifications | India |
| Sentry (self-hosted, ap-south-1) | Application error monitoring | India |
| Crisp / Freshdesk | Customer support ticketing | India |
| LinkedIn Insight Tag (consent-gated) | Marketing attribution — opt-in only | Outside India (with SCCs + DPA) |
Your rights as a Data Principal
| Right | Section | What it means |
|---|---|---|
| Right to access | §11 | Request a summary of your personal data, processing purposes and recipients. |
| Right to correction & erasure | §12 | Update inaccurate data; request deletion when the purpose is fulfilled or consent is withdrawn. |
| Right of grievance redressal | §13 | Raise a complaint with our Grievance Officer; escalate to the Data Protection Board if unresolved. |
| Right to nominate | §14 | Nominate another individual to exercise your rights in the event of death or incapacity. |
| Right to withdraw consent | §6(4) | Withdraw any consent at any time, as easily as it was given. Withdrawal does not affect prior lawful processing. |
Submit a Data Principal Request at crawlshark.com/dsr. We resolve verified requests within 30 days — typically under 72 hours — at no cost. You may also write to our Grievance Officer (below) or, if unsatisfied, lodge a complaint with the Data Protection Board of India.
Consent, withdrawal & Consent Managers (§6)
Where we rely on consent, you can withdraw it at any time — through the in-product preferences page, by submitting a request at /dsr, or via a registered Consent Manager once the framework is operationalised. Withdrawal is as easy as the original consent and takes effect within 60 seconds across our systems and processors.
Withdrawal does not affect the lawfulness of processing carried out before withdrawal, and we may continue to retain data where another lawful basis applies (for example, statutory record-keeping under the CGST/IGST Act).
Children's data (§9)
We do not knowingly process the personal data of any individual under 18. The Crawlshark platform is sold to businesses and operated by employees of those businesses. If you believe we hold a child's data, write to our Grievance Officer and we will erase it within 7 working days.
Security & breach notification (§8)
We maintain reasonable security safeguards aligned to ISO 27001 and SOC 2 Type II: encryption in transit (TLS 1.3) and at rest (AES-256), role-based access, hardware-key MFA for production, least-privilege IAM, immutable audit logs and quarterly penetration tests.
On becoming aware of a personal data breach, we notify the Data Protection Board and affected Data Principals on a best-effort basis — operationally within 72 hours — with the nature of the breach, categories and approximate number of records affected, likely consequences and remedial actions taken.
Grievance redressal (§8(10))
grievance@crawlshark.com
Indiranagar, Bengaluru 560038
dpo@crawlshark.com
Response within 7 working days
Escalations: dpb@crawlshark.com
If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India established under §18 of the Act.
Changes to this notice
We version every change. Material changes are notified in-product and via email to active account contacts at least 14 days before they take effect. The full revision history is available on request to dpo@crawlshark.com.
Current version: v4.1 · Effective: 29 June 2026 · Supersedes: v4.0 (12 March 2026)
Want to exercise a right?
Submit a Data Principal Request and we will verify your identity, scope your data across our systems and respond within 72 hours.