Skip to content
Legal

Privacy policy

Effective June 26, 2026 · Last updated June 26, 2026

1. Who we are

This Privacy Policy describes how Paramount Tech Network OPC Private Limited ("Paramount", "we", "us", "our") — a One Person Company incorporated in India under CIN U72200CT2015OPC001710, with registered office at Panache Villa, 14 B, Vivekanand Nagar, Kohka, Bhilai, Chhattisgarh 490023, India — collects, uses, and protects personal data in connection with Captivar (the "Service"), our white-label business software platform sold to digital agencies and their end clients.

The Service is delivered through:

  • The marketing website at captivar.com
  • The application portal at app.captivar.com and portal.captivar.com
  • The tracking, lead capture, booking, chat, and AI receptionist code we provide for installation on customer-owned websites

This Policy applies to personal data we process while operating the Service. For end-visitor data collected through customer-installed code, see Section 4 — Paramount acts as a processor; the customer (or its end client) is the controller.

2. Our role under GDPR

The Service involves two distinct processing relationships:

(a) When you are our direct customer — meaning you hold an account on app.captivar.com or portal.captivar.com (typically a digital agency, an agency team member, or an end client invited to a client portal) — Paramount is the controller of the personal data you give us to create and operate your account.

(b) When personal data is collected through code we provide that runs on a customer-owned website — visitor analytics, lead forms, chat, booking, and AI receptionist data — Paramount is a processor acting on your instructions. You are the controller; we process such data only as needed to provide the Service and only according to the terms of our Data Processing Agreement. For UK data subjects, references to GDPR in this Policy also cover the UK GDPR and UK Data Protection Act 2018 where applicable.

3. Personal data we collect

3.1 Account data (we are the controller)

  • Identity data: name, business name, role / title
  • Contact data: email address, phone number (optional), country
  • Authentication data: hashed passwords, two-factor settings, login timestamps and IP addresses
  • Billing data: billing address, plan and invoice history. Card and bank details are collected and stored exclusively by our payment processor — we never see or store them.
  • Support communications: any messages you send to support, hello, or privacy mailboxes, or through in-product channels
  • Usage data: features used, pages visited within the portal, actions taken, error logs, device and browser information

3.2 End-visitor data (we are the processor)

  • Tracking analytics: pseudonymous visitor identifier (first-party cookie scoped to your domain), IP address, approximate location, pages viewed, session duration, referrer, UTM parameters, device, browser, OS
  • Form submissions and leads: the fields a visitor submits to a form you have built — typically name, email, phone, message, and any custom fields you configure
  • Chat and AI receptionist transcripts: messages exchanged between visitors and your chat or AI receptionist, including any contact details provided
  • Booking data: appointments visitors book — name, email, phone, meeting notes

We process this data strictly on your instructions and never use it for our own purposes. We do not sell it, share it with advertisers, or use it to train AI models outside your specific account.

3.3 Marketing site data

When you visit captivar.com without an account, we collect minimal data needed to operate the site: an essential session cookie, basic server logs (IP, user agent, request URL — retained 30 days for security), and, only with your consent, analytics on how you navigated the site.

4. How we use personal data and our legal basis

For account data (Section 3.1), we process on the following lawful bases under GDPR Article 6:

  • Contract (Art. 6(1)(b)): creating and operating your account, providing the Service, billing, sending essential service notifications, providing support
  • Legitimate interest (Art. 6(1)(f)): protecting against fraud, abuse, and security incidents; analyzing aggregate usage to improve the Service
  • Consent (Art. 6(1)(a)): sending product update emails and marketing communications. You can withdraw consent any time via the unsubscribe link or your account settings.
  • Legal obligation (Art. 6(1)(c)): tax, accounting, and regulatory recordkeeping under Indian law

For end-visitor data (Section 3.2), you as controller establish the lawful basis (typically consent for analytics cookies and legitimate interest or consent for lead capture). The consent banner and configuration tools we provide are designed to support your compliance, but the legal responsibility rests with you.

5. Sub-processors

To deliver the Service we engage third-party sub-processors, each bound by a Data Processing Agreement requiring confidentiality and GDPR-compliant data protection. The full, up-to-date list is published at captivar.com/sub-processors. We will notify customers in advance of any material changes via email and the changelog on that page.

Primary categories of sub-processors: hosting and infrastructure (Germany), backup storage and CDN (United States), error monitoring (Germany), payments (Luxembourg / United States), transactional email (United States), AI inference (United States), video meetings (United States), and uptime monitoring (Malta). See the sub-processors page for the full table including transfer mechanisms.

6. International data transfers

The Service stores production data in Germany (Frankfurt). Some sub-processors are based outside the EEA — principally the United States — and certain operational activities, including administrative access to production systems by Paramount's founding administrator from India, constitute transfers of personal data outside the EEA within the meaning of GDPR Chapter V.

We rely on the following mechanisms for these transfers:

  • Standard Contractual Clauses approved by the European Commission (Decision 2021/914), incorporated in our DPA with you and our agreements with non-EEA sub-processors
  • EU-US Data Privacy Framework where the relevant sub-processor is certified
  • A Transfer Impact Assessment documenting safeguards in place (encryption in transit and at rest, contractual confidentiality, restricted personnel, access logs); a summary is available to customers on request

7. Data retention

7.1 Account data

We retain account data while your account is active and for up to 12 months after closure to handle disputes, finalize billing, and meet statutory recordkeeping obligations under Indian tax and corporate law. Backups containing account data are pruned on a rolling 90-day cycle after deletion from production.

7.2 End-visitor data

End-visitor personal data is automatically deleted after the retention period configured by the controller. Each plan has a maximum permitted retention; within that maximum the controller may configure the actual value from the Privacy Settings dashboard.

  • Free: up to 90 days (default 30 days)
  • Founder: up to 180 days (default 60 days)
  • Starter: up to 365 days (default 180 days)
  • Agency: up to 730 days (default 365 days)
  • Enterprise: up to 730 days (default 365 days) plus custom per-site retention rules

Automatic deletion runs nightly. Once the retention period elapses:

  • Visitor identifiers, IP addresses, session and pageview records are permanently deleted
  • Form submissions are anonymized — name, email and phone are removed; structural fields (submission count, form ID, date) are retained for historical analytics
  • Chat and AI receptionist transcripts older than the retention period are deleted

Aggregate, anonymized analytics (visitor counts, page view totals, conversion rates, source breakdowns) are retained indefinitely. After the retention period elapses these contain no personal data and are not subject to retention limits under GDPR.

7.3 Backups

Operational backups are retained for 7 days (hourly), 30 days (daily), and 12 weeks (weekly) before automatic deletion. Backups are encrypted in transit (TLS) and at rest (storage-provider server-side encryption).

7.4 Support communications and logs

Support emails, in-product messages, and security logs are retained for 24 months, after which they are deleted or anonymized.

8. Your rights

If you are in the EEA, the United Kingdom, Switzerland, or a jurisdiction granting similar rights (including India under the DPDP Act 2023, California under the CCPA / CPRA, and Brazil under the LGPD), you have the following rights:

  • Access (Art. 15): request a copy of the personal data we hold about you
  • Rectification (Art. 16): correct inaccurate or incomplete data
  • Erasure (Art. 17): delete your data, subject to legal retention requirements
  • Restriction (Art. 18): limit processing in certain circumstances
  • Portability (Art. 20): receive your data in a structured, machine-readable format
  • Objection (Art. 21): object to processing based on legitimate interests, including direct marketing
  • Withdraw consent: where processing is consent-based, withdraw at any time
  • Not be subject to solely automated decision-making that produces legal or similarly significant effects

For account data, email [email protected] from the address registered to your account. We respond within 30 days and may verify your identity before fulfilling certain requests.

For end-visitor data (you are an end visitor of a site running Captivar), please contact the operator of that site — they are the controller and have tools within Captivar to fulfill your request directly. If you contact us instead, we will forward your request to the controller and inform you.

Right to lodge a complaint: you may complain to your local data protection authority. In India: the Data Protection Board (when operational under the DPDP Act). In the EEA: your national supervisory authority (list at edpb.europa.eu). In the UK: the Information Commissioner's Office (ico.org.uk).

9. EU and UK representatives

Captivar does not currently target the European Union or the United Kingdom as primary markets and processes only incidental personal data of EU / UK data subjects in connection with customers whose own audiences may include EU / UK individuals. We are monitoring our user base and will appoint an EU representative under GDPR Article 27 and a UK representative under UK GDPR Article 27 prior to commencing systematic targeting of, or sustained large-scale processing of personal data of, EU or UK data subjects. Until such appointments are made, EU and UK data subjects may contact us directly at [email protected] for any matter relating to the GDPR or UK GDPR. We will respond on the same terms as if a representative had been appointed.

10. Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit: TLS is enforced on all customer-facing connections via our CDN
  • Encryption at rest: backups are encrypted at rest via our storage provider's server-side encryption; database storage runs on dedicated infrastructure with provider-managed disk encryption
  • Access control: production system access is restricted to a small number of authorized personnel, authenticated using SSH keys; administrative accounts on critical third-party services are protected by multi-factor authentication
  • Account security: passwords are stored as one-way hashes using an industry-standard algorithm; two-factor authentication is available for customer accounts; session tokens expire after a defined period
  • Audit logging: sensitive administrative actions (account deletion, bulk export, security-policy changes) are logged with actor identity, timestamp, and IP address
  • Network security: firewall rules permit only required ports; rate limiting at application and CDN layers; WAF protection via our CDN
  • Software hygiene: dependencies are reviewed and updated on a regular schedule; security-relevant code changes undergo additional review prior to deployment

Additional detail on our specific controls is available to customers conducting due diligence under NDA.

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, in accordance with GDPR Article 33. Affected customers will be notified without undue delay where required by Article 34.

11. Cookies

The Service uses a limited set of cookies, detailed in our Cookie Policy. Essential cookies (session, CSRF, login) are set under the ePrivacy Directive's "strictly necessary" exemption. Analytics cookies on captivar.com are set only with your explicit consent. The Captivar tracking script installed on customer websites uses a first-party cookie scoped to the installing domain; whether and how consent is required is determined by the website operator (the controller) using the consent-mode configuration in their Captivar dashboard.

12. Children

The Service is intended for business use by adults aged 18 and over. We do not knowingly collect personal data from children. If we learn we have collected personal data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact [email protected].

13. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes will be announced by email to active account holders at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

14. Contact

For privacy inquiries, data subject rights requests, and DPA execution:

  • Post: Paramount Tech Network OPC Private Limited, Panache Villa, 14 B, Vivekanand Nagar, Kohka, Bhilai, Chhattisgarh 490023, India

General inquiries: [email protected] · Support: [email protected]