Privacy Policy

Introduction

Pythrust Technologies OPC Private Limited ("Company", "we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy ("Policy") describes how we collect, use, disclose, and safeguard personal data when you access or use:

• The primary web application at angularize.dev;
• The beta environment at beta.angularize.dev;
• Any APIs, documentation, or related services (collectively, the "Platform").

By accessing the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree, please discontinue use of the Platform immediately.

Who We Are — Data Fiduciary

Under the Digital Personal Data Protection Act, 2023 ("DPDPA"), Pythrust Technologies OPC Private Limited is the Data Fiduciary responsible for determining the purposes and means of processing your personal data.

Data We Collect

We collect the following categories of personal data:

3.1 Data You Provide Directly

• Registration information when creating an Account;
• Content, code, and project files you submit or generate on the Platform;
• Communications you send us via email or support channels;
• Feedback, bug reports, or survey responses.

3.2 Data Collected Automatically

• Log data: IP address, browser type, OS, referring URLs, pages visited, timestamps;
• Device identifiers and session tokens (via Firebase Authentication);
• Usage patterns, feature interactions, and performance metrics;
• Cookies and similar tracking technologies (see Section 9).

3.3 Data from Third Parties

• OAuth profile data (name, email, profile picture) when you sign in with Google or GitHub via Firebase Authentication;
• Payment confirmation data from our payment processor (we never receive raw card data).

3.4 Sensitive Data

We do not intentionally collect sensitive personal data (e.g. biometric data, health data, religious beliefs, political opinions) through the Platform. Please do not submit such data.

How We Use Your Data

We use personal data only for legitimate, specified purposes:

• Service Delivery: Providing, operating, and maintaining the Platform and all its features;
• Account Management: Creating and managing your Account, authentication, and subscription;
• Security: Detecting, preventing, and investigating fraud, abuse, unauthorised access, and cyber attacks;
• Communications: Sending transactional emails (account activation, password reset, billing receipts), security alerts, and product updates;
• Support: Responding to your queries and resolving issues;
• Analytics: Understanding how the Platform is used to improve features and user experience — using aggregated, anonymised data wherever possible;
• AI Improvement: Improving code-generation accuracy using anonymised, aggregated usage patterns — your proprietary code is never used to train general models without explicit consent;
• Legal Compliance: Meeting our obligations under applicable law, responding to lawful government requests, and protecting our legal rights;
• Business Operations: Billing, subscription management, and fraud prevention.

Legal Basis for Processing

We process your personal data on the following legal bases under the DPDPA 2023 and, where applicable, GDPR:

• Consent (DPDPA S.6 / GDPR Art. 6(1)(a)): Where you have given clear, informed consent — e.g. optional analytics, marketing communications, or AI training participation. You may withdraw consent at any time.
• Contract Performance (DPDPA S.4 / GDPR Art. 6(1)(b)): Processing necessary to provide the Platform you signed up for, including authentication, code generation, and billing.
• Legitimate Interests (GDPR Art. 6(1)(f)): For EEA users — security monitoring, fraud prevention, platform analytics, and improving our AI models using anonymised data, balanced against your privacy interests.
• Legal Obligation (DPDPA S.4 / GDPR Art. 6(1)(c)): Where processing is required to comply with applicable law, regulatory requirements, or court orders.

Data Sharing & Disclosure

We do not share your personal data with third parties except as described below:

6.1 Service Providers (Data Processors)

We engage trusted third-party service providers who process data strictly on our behalf and under our instructions, bound by data processing agreements:

• Google Cloud Platform (GCP): Infrastructure, compute, storage, and database services;
• Firebase (Google LLC): User authentication, real-time database, and hosting;
• Payment Processors: Billing and subscription management — they receive payment data under their own PCI-DSS compliant terms;
• Email Service Providers: Transactional email delivery;
• Analytics Providers: Aggregated, anonymised usage analytics.

6.2 Legal Requirements

We may disclose personal data when required by law, including in response to:

• Court orders, judicial decrees, or subpoenas from Indian or other competent courts;
• Requests from CERT-In (Indian Computer Emergency Response Team) in connection with cyber security incidents;
• Requests from law enforcement agencies under the IT Act, 2000, CrPC, or other applicable legislation;
• Government and regulatory body requests backed by legal authority.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will provide reasonable notice before any such transfer and ensure the successor is bound by equivalent privacy obligations.

6.4 Protection of Rights

We may disclose data where we reasonably believe it is necessary to: enforce these Terms; prevent fraud or abuse; protect the safety of users or the public; or defend legal claims against the Company.

Third-Party Services & Links

The Platform may contain links to third-party websites or integrate third-party tools. This Policy does not govern third-party data practices. We recommend reviewing each third party's privacy policy before providing them with personal data.

Key third parties whose services are integrated into the Platform:

• Google LLC — Firebase Auth, GCP infrastructure. Governed by the Google Privacy Policy;
• GitHub Inc. — Optional OAuth sign-in. Governed by GitHub Privacy Statement;
• Payment Gateways — Subject to their own PCI-DSS compliant privacy policies.

We are not responsible for the privacy practices of these third parties.

Google Cloud Platform & Firebase

8.1 Google Cloud Platform

We use GCP for our core infrastructure including compute (Cloud Run / GCE), Cloud Storage, Cloud SQL / Firestore databases, and related managed services. Google processes data on our behalf as a Data Processor under a Google Cloud Data Processing Addendum.

• GCP is certified under ISO 27001, SOC 2 Type II, SOC 3, and is GDPR-compliant;
• Data stored on GCP may be processed in Google's data centres globally, subject to Google's data residency commitments;
• Google does not sell GCP customer data or use it to serve ads;
• All data in GCP is encrypted at rest and in transit by default.

8.2 Firebase Authentication

We use Firebase Authentication (a Google service) to manage user identity. Firebase Auth processes:

• Email address and password hash (for email/password sign-in);
• OAuth tokens and basic profile data (name, email, profile photo) for Google / GitHub sign-in;
• Session tokens and refresh tokens used to maintain authenticated sessions.

Firebase Authentication is governed by the Firebase Privacy & Security documentation and Google's overall data processing terms. Firebase does not use authentication data for advertising purposes.

8.3 Firebase Other Services

We may also use: Firestore (NoSQL database for real-time data), Firebase Hosting (static asset delivery), and Firebase Analytics (aggregated usage insights). Each product is governed by Google's data processing terms.

8.4 Our Obligations as GCP Customer

As a GCP customer, we are responsible for configuring these services appropriately, including setting appropriate access controls, encrypting sensitive fields, and ensuring our use of GCP complies with applicable privacy law. We maintain a Google Cloud Data Processing Addendum (Cloud DPA) covering all GCP and Firebase processing.

8.5 Company Liability Limitation for GCP/Firebase

Cookies & Tracking Technologies

9.1 What We Use

We use the following types of cookies and similar technologies:

• Strictly Necessary Cookies: Session tokens, CSRF tokens, and authentication cookies required for the Platform to function. These cannot be disabled.
• Functional Cookies: Remembering your preferences (theme, language, last-visited project).
• Analytics Cookies: Aggregate usage data to understand how the Platform is used. Used with anonymisation where possible.
• Firebase SDK Cookies: Firebase Authentication sets cookies/local storage tokens for session management. These are essential to the login system.

9.2 Your Cookie Choices

You can control non-essential cookies through our cookie settings panel in the Platform. You may also configure your browser to block all cookies, but this may impair your ability to use the Platform. Blocking strictly necessary cookies will prevent you from logging in.

9.3 Do Not Track

Our Platform does not currently respond to browser "Do Not Track" signals, but we minimise tracking to what is necessary for Platform operation and improvement.

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

• Account Data: Retained for the duration of your active Account plus 90 days post-deletion (to allow account recovery), then permanently deleted;
• User Content & Code: Deleted within 90 days of Account deletion request;
• Usage & Log Data: Retained for up to 12 months for security and analytics, then anonymised or deleted;
• Payment Records: Retained for 7 years as required by Indian accounting and tax law;
• Support Communications: Retained for 2 years from last interaction;
• Legal Hold Data: Retained for the duration of any active dispute, legal proceeding, or regulatory investigation, then deleted when no longer required.

After the applicable retention period, data is securely deleted or anonymised such that it can no longer be attributed to an identifiable individual.

Data Security

We implement a comprehensive set of technical and organisational measures to protect your personal data:

11.1 Technical Measures

• TLS 1.2+ encryption for all data in transit;
• AES-256 encryption at rest for databases and storage (via GCP default encryption);
• Firebase Authentication with industry-standard password hashing (bcrypt/scrypt);
• Role-Based Access Control (RBAC) limiting internal data access on a need-to-know basis;
• Web Application Firewall (WAF) and DDoS mitigation via GCP's security infrastructure;
• API rate limiting, input validation, and output encoding to prevent injection attacks;
• Automated vulnerability scanning and dependency auditing in our CI/CD pipeline;
• Multi-factor authentication (MFA) required for all administrative access to production systems.

11.2 Organisational Measures

• Security training for all team members with access to personal data;
• Strict need-to-know internal access controls with access logging;
• Vendor due diligence for all third-party processors, including GCP and Firebase;
• Regular internal security reviews and periodic third-party penetration tests;
• A documented Incident Response Plan aligned with CERT-In reporting obligations.

11.3 Breach Notification

In the event of a personal data breach that poses a risk to your rights and interests, we will:

• Notify the Data Protection Board of India (once constituted) within the timeframe prescribed under the DPDPA 2023;
• Notify affected users without undue delay, with details of the breach, data affected, and remediation steps;
• Document the breach and our response in our internal breach register.

International Data Transfers

As we use Google Cloud Platform, your data may be processed in Google data centres outside India, including in the United States and other countries where Google operates. These transfers occur because GCP's infrastructure is globally distributed.

We ensure such transfers are lawful by relying on:

• Google Cloud's Data Processing Addendum, which incorporates Standard Contractual Clauses (SCCs) for EEA transfers;
• GCP's ISO 27001 and SOC 2 Type II certifications providing adequate protection equivalence;
• Google's commitments under the EU-US Data Privacy Framework where applicable.

For Indian users, cross-border transfers comply with restrictions to be notified under the DPDPA 2023 by the Indian Government. We will update this Policy as those regulations are finalised and notified.

Children's Privacy

The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data without appropriate consent, please contact us at angularize.dev@gmail.com and we will promptly delete that data.

Under the DPDPA 2023, we will implement additional age-verification mechanisms as and when required by law or as directed by the Data Protection Board of India.

Your Data Rights

Depending on your jurisdiction, you have the following rights with respect to your personal data. Indian residents have rights under the DPDPA 2023; EEA residents have rights under GDPR.

• Right to Access (DPDPA S.11 / GDPR Art.15): Request a summary of personal data we hold about you and how it is being used.
• Right to Correction (DPDPA S.12 / GDPR Art.16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure / Right to be Forgotten (DPDPA S.12 / GDPR Art.17): Request deletion of your personal data where it is no longer necessary or where you withdraw consent, subject to legal retention obligations.
• Right to Grievance Redressal (DPDPA S.13): File a complaint with our Grievance Officer (see Section 18) if you believe your data rights have been violated.
• Right to Data Portability (GDPR Art.20): For EEA users — receive your personal data in a structured, commonly used, machine-readable format.
• Right to Restrict Processing (GDPR Art.18): For EEA users — request restriction of processing in certain circumstances.
• Right to Object (GDPR Art.21): For EEA users — object to processing based on legitimate interests.
• Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to Nominate (DPDPA S.14): Nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any right, submit a request to angularize.dev@gmail.com with your registered email address and the right you wish to exercise. We will respond within 30 days. We may request verification of your identity before processing your request.

If you are not satisfied with our response, you have the right to lodge a complaint with:

• India: The Data Protection Board of India (once constituted under DPDPA 2023);
• EEA: Your local Supervisory Authority.

Beta Platform — Privacy Notice

• Data stored in the beta environment is subject to the same processing as the primary platform but may be held in separate beta infrastructure with less stringent backup guarantees;
• Beta user data may be deleted, reset, or migrated at any time without advance notice;
• Do not submit sensitive, confidential, or production-critical data to the beta environment;
• Bug reports and feedback submitted through the beta platform may be reviewed by our engineering team in identifiable form to reproduce issues;
• Privacy rights (Section 14) apply equally to data collected through the beta platform.

AI Features & Generated Content Privacy

16.1 What AI Processes

When you use AI-powered code generation features, the Platform processes your Input (prompts, requirements, code snippets) through our AI systems running on GCP infrastructure to produce Generated Output (code, components, scaffolding).

16.2 No General AI Training Without Consent

Your proprietary Input and User Content are not used to train our general AI models without your explicit, opt-in consent. We use aggregated, anonymised usage patterns (not identifiable code or prompts) to improve the Platform's capabilities.

16.3 Input Retention

Prompts and inputs submitted to the AI system may be temporarily retained for up to 30 days for debugging, quality assurance, and safety monitoring, after which they are deleted or anonymised.

16.4 Third-Party AI Models

If we use third-party large language model APIs as part of our stack, those providers process your Input under their own terms and privacy policies. We will maintain data processing agreements with any such providers and disclose material changes to our AI infrastructure in updates to this Policy.

16.5 No Sensitive Data in AI Prompts

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our data practices, legal requirements, or Platform features. For material changes, we will:

• Update the "Effective" date at the top of this Policy;
• Post a prominent notice on the Platform;
• Send a notification email to your registered Account address where required by law.

We encourage you to review this Policy periodically. Continued use of the Platform after changes are posted constitutes acceptance of the updated Policy.

Contact & Grievance Officer

Under the DPDPA 2023 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we have designated a Grievance Officer to handle privacy-related complaints:

If you are not satisfied with our response, you may escalate to the Data Protection Board of India (once established under DPDPA 2023) or to your local Supervisory Authority if you are in the EEA.