Legal
Privacy Policy
Plain-language summary (the numbered sections below are what governs): we collect what we need to run the website and the platform — account details, billing information and usage telemetry. Data your organization puts intothe platform (orders, staff records, vendor files) is processed on your organization's instructions under a Data Processing Agreement, and your organization controls it. We don't sell personal data, ever. You can ask us to access, correct or delete your data at privacy@appwharf.co.
01Who we are and what this covers
This policy explains how Appwharf, Inc.(“Appwharf”, “we”, “us”), with offices in New Delhi, India and San Francisco, California, handles personal data when you visit appwharf.co, contact us, attend our events, or use the Appwharf platform. It applies alongside our Terms of Serviceand, for platform customers, the Data Processing Agreement (“DPA”).
02Two roles: controller and processor
We handle personal data in two distinct roles, and your rights differ between them:
| Role | What it covers | Who decides |
|---|---|---|
| Controller | Website visits, demo requests, marketing, billing, account administration, support conversations. | Appwharf decides how and why this data is processed. This policy governs. |
| Processor | Customer Data inside the platform — the orders, employee records, vendor files, telemetry and other objects your organization loads into its graph. | Your organization (our customer) decides. We process only on its documented instructions under the DPA. Direct requests about this data to your organization; we will assist it in responding. |
03Data we collect
Data you give us
- Account and contact details — name, work email, phone, organization, role, when you register, request a demo or book a working session.
- Billing information — billing contact, address, tax IDs. Card details go directly to our payment processor; we never store full card numbers.
- Communications — support tickets, emails, chat with our team, and event registrations.
Data collected automatically
- Usage telemetry — pages viewed, features used, queries run (metadata, not the content of Customer Data), device and browser type, IP address, and approximate location derived from IP.
- Logs — authentication events, API calls and security logs, retained as part of the platform's audit trail.
- Cookies — see section 11.
Data from others
- Your organization — an administrator may provision your user account and set your permissions.
- Service providers — business contact enrichment and fraud-prevention signals from vendors, where lawful.
04How we use data
- Provide, secure and operate the Site and the Service, including authentication, support and incident response.
- Administer accounts, process payments and send transactional messages (invoices, security alerts, maintenance notices — these cannot be opted out of while you hold an account).
- Improve the Service using aggregated or de-identified analytics. We do not use Customer Data to train models for other customers.
- Send product news and marketing you can opt out of at any time via the unsubscribe link or privacy@appwharf.co.
- Comply with law, enforce our terms, and establish or defend legal claims.
We do not sell personal data and we do not share it for cross-context behavioral advertising.
05Legal bases
Where GDPR or similar laws apply, we rely on:
- Contract — to provide the Service you or your organization signed up for;
- Legitimate interests — securing the platform, preventing fraud, improving the product, and B2B marketing to business contacts (balanced against your rights);
- Consent — for non-essential cookies and, where required, marketing communications;
- Legal obligation — tax, accounting and lawful requests from authorities.
For personal data of individuals in India, we process digital personal data in accordance with the Digital Personal Data Protection Act, 2023, on the grounds of consent or legitimate uses recognized by that Act.
06Sharing and subprocessors
We share personal data only with:
- Subprocessors that host and support the Service (cloud infrastructure, payment processing, email delivery, support tooling), each bound by contract to confidentiality and data-protection obligations. The current subprocessor list is available at request from privacy@appwharf.co, and DPA customers receive advance notice of changes.
- Your organization — if your account was provisioned by an employer or other organization, its administrators can see and manage your account activity within their workspace.
- Professional advisers and authorities — where required by law or to protect rights, safety or the integrity of the Service, with notice to affected customers where lawful.
- A successor entity — in a merger, acquisition or asset sale, under this policy's protections and with notice of any material change.
07International transfers
We operate from India and the United States, and platform data is hosted in the region selected in your order form (India, EU or US). Where personal data is transferred across borders, we use recognized safeguards — including the EU Standard Contractual Clauses and the UK Addendum — and apply the same protections described in this policy regardless of where the data is processed.
08Security
Security controls include encryption in transit (TLS 1.2+) and at rest (AES-256), row-level permissions, SAML SSO and SCIM provisioning, customer-managed encryption keys on eligible plans, continuous monitoring, and independent audits — we maintain SOC 2 Type II and ISO 27001 certifications. If a breach affects your personal data, we will notify you and the relevant authorities as required by law, without undue delay.
09Retention
| Data | Retention |
|---|---|
| Account & billing records | Life of the account, then up to 7 years as required for tax and accounting. |
| Customer Data (platform) | Controlled by your organization; exportable for 30 days and deleted from production within 60 days after termination (see Terms §4). |
| Audit logs | 7 years, as part of the platform's compliance audit trail. |
| Support conversations | 3 years after closure. |
| Marketing contacts | Until you opt out or 2 years of inactivity, whichever is first. |
10Your rights
Depending on your location (including under the GDPR, UK GDPR, India's DPDP Act and the California Consumer Privacy Act), you may have the right to:
- access the personal data we hold about you, and receive a portable copy;
- correct inaccurate data and complete incomplete data;
- delete your data, subject to legal retention duties;
- object to or restrict certain processing, including direct marketing (always honored);
- withdraw consent at any time, without affecting prior processing;
- complain to your data-protection authority, or under the DPDP Act, to the Data Protection Board of India;
- not be discriminated against for exercising any of these rights.
To exercise a right, email privacy@appwharf.co. We verify requests and respond within 30 days (or the period local law requires). If your data is in a customer's workspace, we will refer the request to that customer and assist them in responding.
11Cookies
We use a deliberately small set of cookies:
| Type | Purpose | Basis |
|---|---|---|
| Strictly necessary | Sign-in sessions, CSRF protection, load balancing. | Required — cannot be disabled. |
| Preferences | Remembering your region, industry selection and UI settings. | Legitimate interest. |
| Analytics | First-party, privacy-preserving usage measurement of the Site. | Consent, where required — set via the cookie banner. |
We use no third-party advertising cookies or tracking pixels. Browser “Do Not Track” and Global Privacy Control signals are honored for analytics.
12Children
The Site and Service are for business use by adults. We do not knowingly collect personal data from anyone under 18; if you believe a minor has provided us data, contact us and we will delete it.
13Changes to this policy
When we change this policy we will post the new version here with an updated effective date, and for material changes we will notify account holders by email or in-product notice at least 30 days before the change takes effect.
14Contact us
Privacy questions and rights requests: privacy@appwharf.co. Our Data Protection Officer and India grievance officer can be reached at the same address or by post: Appwharf, Inc., Attn: Privacy, New Delhi, India / San Francisco, CA, USA.