Privacy Notice

In accordance with the Digital Personal Data Protection Act, 2023 (India)

Effective Date: 25 May 2026

1. Identity of the Data Fiduciary

CraftX IT Services LLP ("CraftX", "we", "us", "our") is the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act). Our registered details are:

  • Registered Address: U/1-14, Vishram Griha, Sector-6, Shreenagar, Thane – 400604, Maharashtra, India
  • LLPIN: AAE-0836  |  Udyam: UDYAM-MH-33-0358910
  • Email: info@craftx.asia  |  Phone / WhatsApp: +91 70211 54607
  • Website: www.craftxitservices.com

2. Scope & Applicability

This Privacy Notice applies to all natural persons ("Data Principals") whose personal data is processed by CraftX IT Services LLP in connection with our website, services, sales enquiries, customer onboarding, and ongoing service delivery. It covers personal data processed digitally, whether collected online or subsequently digitised.

3. Personal Data We Collect

CategoryExamplesSource
Identity & ContactFull name, designation, business email, mobile number, company nameEnquiry forms, onboarding, contracts
Business & BillingGST/PAN, billing address, payment reference numbersPurchase orders, invoices
Technical & UsageIP address, browser type, pages visited, cookies, session logsWebsite analytics, service portals
IT Infrastructure DataDevice inventory, network topology, user account lists, software licencesManaged IT engagements
Communication RecordsEmails, support tickets, MS Teams / Google Chat messagesHelp-desk and support channels
Cloud Service DataMicrosoft 365 tenant IDs, Google Workspace domain info, Azure/AWS resource tagsManaged productivity & cloud projects
We do not knowingly collect sensitive personal data (as defined under the DPDP Act) unless expressly required for a specific service and with explicit consent.

4. Purposes of Processing

  • Service Delivery: Provisioning and managing Managed IT, Cloud Services (Azure / AWS / Hybrid), Hosting, SSL Certificates, Acronis Cyber Protect Cloud, Microsoft 365, and Google Workspace.
  • Customer Onboarding & Account Management: Identity verification, contract execution, SLA management, and support ticket handling.
  • Billing & Payments: Invoicing, payment collection, GST compliance, and reconciliation.
  • Security & Monitoring: Protecting our systems and clients' infrastructure against cyber threats, anomalies, and unauthorised access.
  • Legal & Regulatory Compliance: Adherence to Indian laws including the IT Act, GST Act, Companies Act, and the DPDP Act, 2023.
  • Marketing & Communication: Service updates, renewal reminders, and promotional materials — only where consent has been given or a legitimate interest exists.
  • Analytics & Improvement: Analysing website usage and service performance to improve our offerings.

5. Legal Basis for Processing

  • Consent: Where you have given explicit, free, specific, informed, and unambiguous consent.
  • Contractual Necessity: Processing necessary to perform or enter into a contract with you.
  • Legal Obligation: Processing required to comply with applicable Indian law.
  • Legitimate Use: Processing for fraud prevention, network security, and internal analytics where our interests are balanced against your rights.

6. Data Sharing & Third-Party Processors

We may share your personal data with:

  • Technology Partners: Microsoft (Microsoft 365, Azure), Google (Google Workspace), Acronis, and AWS — as sub-processors under contractual data protection agreements.
  • Hosting & CDN Providers: Third-party data centres and infrastructure providers hosting client websites and applications.
  • Payment Gateways: For processing transactions securely.
  • Professional Advisors: Chartered accountants, legal counsel, and auditors under confidentiality obligations.
  • Regulatory Authorities: Government bodies, courts, or law enforcement where mandated by law.

We do not sell, rent, or trade your personal data to any third party for commercial purposes.

7. Cross-Border Data Transfers

Some of our cloud and productivity services involve processing data on servers located outside India (e.g., Microsoft Azure, Google Workspace, and AWS data centres). Where personal data is transferred internationally, we ensure adequate safeguards are in place — including Standard Contractual Clauses and compliance with the DPDP Act's cross-border transfer provisions as notified by the Central Government.

8. Data Retention

  • Client & Contractual Records: Retained for 7 years after the end of the contract or last transaction (Companies Act, 2013 and GST Act).
  • Support & Communication Logs: Retained for 3 years from the date of interaction.
  • Website Analytics & Cookies: Session data retained for up to 13 months; aggregated analytics may be retained indefinitely in anonymised form.
  • IT Infrastructure Data (Managed IT): Deleted or returned within 30 days of contract termination, unless retention is required by law.

9. Cookies & Tracking Technologies

  • Strictly Necessary Cookies: Essential for website functionality — no consent required.
  • Analytics Cookies: Used to understand visitor behaviour (e.g., Google Analytics) — consent required.
  • Marketing Cookies: For personalised outreach — consent required. You may withdraw consent at any time via your browser settings or by contacting us.

10. Your Rights as a Data Principal

RightDescription
Right to InformationKnow what personal data we hold and how it is being processed.
Right of Correction & ErasureRequest correction of inaccurate data or erasure of data no longer necessary, subject to legal retention obligations.
Right to Grievance RedressalHave your grievances addressed promptly by our designated Data Protection Contact.
Right to NominateNominate another individual to exercise your rights in the event of death or incapacity.
Right to Withdraw ConsentWithdraw consent at any time. Withdrawal may limit our ability to deliver certain services.
To exercise any of these rights, email us at info@craftx.asia with the subject line "DPDP Rights Request". We will respond within 30 days.

11. Data Security

  • SSL/TLS encryption for all data in transit.
  • Role-based access controls and multi-factor authentication for internal systems.
  • Acronis Cyber Protect Cloud for endpoint security, backup, and disaster recovery.
  • Regular security audits and vulnerability assessments.
  • Staff training on data handling and cybersecurity best practices.

In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals in accordance with the timelines prescribed under the DPDP Act.

12. Children's Data

Our services are directed at businesses and professionals. We do not knowingly collect or process personal data of children (persons under 18 years of age). If we become aware of inadvertent collection of a minor's data, we will delete it promptly. Parental or guardian consent will be obtained where required under the DPDP Act.

13. Grievance Redressal & Contact

  • Designation: Data Protection Officer, CraftX IT Services LLP
  • Email: info@craftx.asia
  • Phone / WhatsApp: +91 70211 54607
  • Address: U/1-14, Vishram Griha, Sector-6, Shreenagar, Thane – 400604, Maharashtra, India
  • Response Time: Within 30 days of receipt

If your grievance is not resolved satisfactorily, you may escalate to the Data Protection Board of India as established under the DPDP Act, 2023.

14. Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our services, legal requirements, or data practices. Material changes will be communicated via email to registered clients and displayed prominently on our website. Continued use of our services after the effective date constitutes acceptance.