Privacy Policy

This Privacy Policy ("Policy") is published by ChronoSparkSolutions ("Company", "we", "us", or "our"), headquartered at Santhipuram, Kuppam, Chittoor District, Andhra Pradesh — 517425, India.

This Policy governs how we collect, use, process, store, share, and protect personal information obtained through our website (chronosparksolutions.com), related sub-domains, and all services we offer as a custom software development and IT solutions company.

This Policy is compliant with:

• The Digital Personal Data Protection Act, 2023 (DPDPA) — India
• The Information Technology Act, 2000 (IT Act) and IT (Amendment) Act 2008 — India
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) — India
• The General Data Protection Regulation (GDPR) — European Union
• The California Consumer Privacy Act (CCPA/CPRA) — USA
• Generally accepted international data protection best practices

By accessing our website or engaging our services, you acknowledge and consent to this Policy.

We collect the following categories of personal data:

A. Information You Provide Directly:

• Full name, email address, and phone number (with country code)
• Company name, designation, and professional contact details
• Project requirements, technical specifications, and business objectives
• Payment-related information (processed via PCI-DSS compliant gateways; we do not store card data)
• Any documents, files, or content you share during service engagement

B. Information Collected Automatically:

• IP address, browser type, device type, and operating system
• Pages visited, time spent, referring URLs, and session duration
• Location data (country/region level, derived from IP address)
• Cookie identifiers and analytics tags (see Section 8 for Cookie Policy)

C. Sensitive Personal Data or Information (SPDI) under Indian Law:

We do NOT ordinarily collect SPDI (such as passwords, financial information, health data, biometric data, sexual orientation, or religious/political beliefs). Where any such data is incidentally collected, it is handled with heightened protection under the SPDI Rules 2011 and DPDPA 2023.

We process your personal data only when we have a valid lawful basis. Our processing activities are based on one or more of the following:

• Consent: You have given explicit consent (e.g., by submitting a contact form, opting into communications, or accepting cookies). You may withdraw consent at any time.
• Contract Performance: Processing is necessary to fulfil a signed service agreement, statement of work, or project contract between you and ChronoSparkSolutions.
• Legitimate Interest: We process data for purposes such as website analytics, fraud prevention, and service improvement where our interests do not override your fundamental rights.
• Legal Obligation: We process data to comply with applicable Indian laws (IT Act, GST Act, Income Tax Act) or any lawful government directive.

Under the DPDPA 2023, we act as a Data Fiduciary when we determine the purposes and means of processing your personal data.

We use collected personal data for the following purposes:

• Service Delivery: Designing, developing, testing, and deploying custom software solutions per your project brief.
• Project Communication: Sending updates, milestone reports, sprint reviews, invoice notifications, and support messages.
• Quotation & Onboarding: Preparing proposals, statements of work, NDAs, and service agreements.
• Customer Support: Responding to queries, resolving disputes, and providing post-delivery maintenance.
• Analytics & Improvement: Understanding how users interact with our website to improve content, UI, and performance.
• Legal & Tax Compliance: Maintaining records as required under GST, Income Tax Act, IT Act, and applicable company law.
• Marketing (with consent only): Sending newsletters, service updates, or promotional content. You can unsubscribe at any time via the link in every email.
• Fraud Prevention & Security: Identifying and preventing fraudulent or unauthorized access to our systems.

We do NOT sell, rent, or trade your personal data to any third party for their marketing purposes.

We do not sell your personal data. We may share it only in the following limited circumstances:

• Service Providers (Data Processors): We may share data with trusted vendors who assist us in delivering services — including cloud hosting providers (AWS, Google Cloud), payment gateways (Razorpay, PayU), email service providers, and project management tools. All processors are bound by confidentiality agreements and are required to handle data only on our instructions.
• Legal Requirements: We may disclose your data to government authorities, law enforcement, or courts if required by law, court order, or government directive — including under Section 69 of the IT Act 2000 or any other applicable Indian statute.
• Business Transfers: In the event of a merger, acquisition, or restructuring, your data may be transferred to the successor entity, subject to this Policy or an equivalent privacy commitment.
• Professional Advisors: Solicitors, accountants, or auditors may access data under strict confidentiality obligations.
• With Your Consent: Any other sharing will only occur with your explicit prior consent.

All international data transfers (if any) are conducted with appropriate safeguards including Standard Contractual Clauses (SCCs) under GDPR requirements and in compliance with Section 16 of DPDPA 2023 regarding cross-border data transfers.

We retain personal data only for as long as necessary for the purposes stated in this Policy, or as required by applicable law:

• Active Client Records: Retained for the duration of the engagement plus 7 years (as required under Indian tax and company law including GST, Income Tax Act).
• Contact Form Enquiries: Retained for up to 2 years from the date of submission, unless a service contract follows.
• Website Analytics Data: Aggregated and anonymized data is retained indefinitely; personally identifiable analytics are retained for up to 26 months.
• Marketing Lists: Retained until you unsubscribe or request deletion, whichever is earlier.
• Legal/Compliance Records: Retained for the period mandated by the applicable law or statute.

After the retention period expires, data is securely deleted or anonymized in accordance with our data destruction procedures.

We implement reasonable security practices and procedures as mandated under Rule 8 of the SPDI Rules 2011 and Section 8(5) of the DPDPA 2023, including:

• TLS/SSL Encryption: All data transmitted between your browser and our servers is encrypted using industry-standard TLS 1.2+ protocols.
• Access Controls: Access to personal data is restricted on a need-to-know basis, with role-based access controls and multi-factor authentication for administrative systems.
• Secure Hosting: Our servers and databases are hosted on SOC 2 Type II / ISO 27001 certified infrastructure (e.g., AWS/Google Cloud).
• Regular Security Audits: We conduct periodic vulnerability assessments and security reviews of our systems.
• No Card Data Storage: Payment card data is processed exclusively by PCI-DSS Level 1 certified payment gateways. We never store, log, or transmit raw card details.
• Incident Response: In case of a data breach, we will notify affected individuals and the relevant authorities (as applicable) within the timeframe prescribed by the DPDPA 2023 and GDPR (72 hours for GDPR, as required for DPDPA).

While we take all reasonable steps to protect your data, no internet transmission or electronic storage method is 100% secure. We cannot guarantee absolute security.

We use cookies and similar tracking technologies on our website. Cookies are small text files stored on your device that help us recognize you and improve your experience.

Types of Cookies We Use:

• Strictly Necessary Cookies: Essential for the website to function (e.g., session management). Cannot be disabled.
• Analytical/Performance Cookies: Help us understand how visitors use our site (e.g., Google Analytics). These are only placed with your consent.
• Functional Cookies: Remember your preferences (e.g., language, country selection). Placed with your consent.
• Marketing Cookies: Used to deliver relevant advertisements. We currently do NOT use third-party advertising cookies.

You can control cookies through your browser settings. Disabling non-essential cookies may affect some functionality of our website. Where required by law (e.g., GDPR), we obtain explicit consent before placing non-essential cookies.

Under the DPDPA 2023, GDPR, CCPA, and other applicable laws, you have the following rights over your personal data:

• Right to Access (Section 11, DPDPA): Request a summary of the personal data we hold about you and how it is being processed.
• Right to Correction & Erasure (Section 12, DPDPA / Art. 16 & 17, GDPR): Request correction of inaccurate data or deletion of data we no longer need to process.
• Right to Grievance Redressal (Section 13, DPDPA): Raise any privacy concerns through our designated Grievance Officer (see Section 13 below).
• Right to Nominate (Section 14, DPDPA): Nominate another individual to exercise your rights in the event of your death or incapacity.
• Right to Withdraw Consent (Section 6, DPDPA): Withdraw consent at any time where processing is based on consent. Withdrawal will not affect the lawfulness of prior processing.
• Right to Portability (GDPR / CCPA): Receive your data in a structured, machine-readable format where applicable.
• Right to Object / Opt-Out (GDPR / CCPA): Object to processing for direct marketing or profiling purposes at any time.
• Right to Non-Discrimination (CCPA): We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact our Grievance Officer at privacy@chronosparksolutions.com or refer to Section 13 below. We will respond within 30 days (as required under DPDPA 2023) or within the GDPR-mandated 30 calendar days.

Our services are intended solely for adults (18 years and older). We do not knowingly collect personal data from individuals under the age of 18 years.

Under Section 9 of the DPDPA 2023, processing of personal data of children (under 18) requires verifiable parental consent. Under COPPA (USA), children under 13 are similarly protected.

If we discover that personal data of a minor has been collected without appropriate consent, we will promptly delete such data. If you believe we have inadvertently collected a child's data, please contact us immediately at privacy@chronosparksolutions.com.

Our website may contain links to third-party websites (e.g., LinkedIn, GitHub, partner portals) and may embed third-party services (e.g., Google Maps, YouTube). These external platforms have their own privacy policies, which we do not control.

We are not responsible for the privacy practices of any third-party websites. We encourage you to review the privacy policy of every website you visit. Access to such links or embedded content is entirely at your own risk.

Third-party services currently integrated into our platform include: Google Analytics, Google Maps Embed, Razorpay/PayU (payment processing), and WhatsApp Business API.

ChronoSparkSolutions is based in India. Where data is processed or stored outside India (e.g., on international cloud servers), we ensure appropriate safeguards are in place as mandated by Section 16 of the DPDPA 2023 and Chapter V of the GDPR.

Safeguards include:

• Transfers only to countries notified by the Central Government of India as having adequate data protection standards.
• Use of Standard Contractual Clauses (SCCs) where transferring data to GDPR-covered recipients.
• Binding corporate agreements with cloud infrastructure providers ensuring data protection obligations are contractually enforced.

As required under Rule 5(9) of the SPDI Rules 2011 and the DPDPA 2023, we have designated a Grievance Officer to address any privacy-related queries, concerns, or complaints:

If you are not satisfied with our response, you may escalate your grievance to the Data Protection Board of India (once constituted under the DPDPA 2023) or the applicable data protection authority in your jurisdiction.

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or industry standards. The "Last Updated" date at the bottom of this Policy reflects the most recent revision.

We will notify you of material changes by:

• Posting a prominent notice on our website for at least 30 days prior to the change taking effect.
• Sending an email notification to registered users or active clients where feasible.

Continued use of our services after changes are posted constitutes your acceptance of the revised Policy.