Appwharf
Why one systemProductIndustriesResultsEnterprise
Sign inBook a working session

Legal

Privacy Policy

Effective date · 14 July 2026Applies to · appwharf.co and the Appwharf platform

Plain-language summary (the numbered sections below are what governs): we collect what we need to run the website and the platform — account details, billing information and usage telemetry. Data your organization puts intothe platform (orders, staff records, vendor files) is processed on your organization's instructions under a Data Processing Agreement, and your organization controls it. We don't sell personal data, ever. You can ask us to access, correct or delete your data at privacy@appwharf.co.

1. Who we are and what this covers2. Two roles: controller and processor3. Data we collect4. How we use data5. Legal bases6. Sharing and subprocessors7. International transfers8. Security9. Retention10. Your rights11. Cookies12. Children13. Changes to this policy14. Contact us

01Who we are and what this covers

This policy explains how Appwharf, Inc.(“Appwharf”, “we”, “us”), with offices in New Delhi, India and San Francisco, California, handles personal data when you visit appwharf.co, contact us, attend our events, or use the Appwharf platform. It applies alongside our Terms of Serviceand, for platform customers, the Data Processing Agreement (“DPA”).

02Two roles: controller and processor

We handle personal data in two distinct roles, and your rights differ between them:

RoleWhat it coversWho decides
ControllerWebsite visits, demo requests, marketing, billing, account administration, support conversations.Appwharf decides how and why this data is processed. This policy governs.
ProcessorCustomer Data inside the platform — the orders, employee records, vendor files, telemetry and other objects your organization loads into its graph.Your organization (our customer) decides. We process only on its documented instructions under the DPA. Direct requests about this data to your organization; we will assist it in responding.

03Data we collect

Data you give us

  • Account and contact details — name, work email, phone, organization, role, when you register, request a demo or book a working session.
  • Billing information — billing contact, address, tax IDs. Card details go directly to our payment processor; we never store full card numbers.
  • Communications — support tickets, emails, chat with our team, and event registrations.

Data collected automatically

  • Usage telemetry — pages viewed, features used, queries run (metadata, not the content of Customer Data), device and browser type, IP address, and approximate location derived from IP.
  • Logs — authentication events, API calls and security logs, retained as part of the platform's audit trail.
  • Cookies — see section 11.

Data from others

  • Your organization — an administrator may provision your user account and set your permissions.
  • Service providers — business contact enrichment and fraud-prevention signals from vendors, where lawful.

04How we use data

  • Provide, secure and operate the Site and the Service, including authentication, support and incident response.
  • Administer accounts, process payments and send transactional messages (invoices, security alerts, maintenance notices — these cannot be opted out of while you hold an account).
  • Improve the Service using aggregated or de-identified analytics. We do not use Customer Data to train models for other customers.
  • Send product news and marketing you can opt out of at any time via the unsubscribe link or privacy@appwharf.co.
  • Comply with law, enforce our terms, and establish or defend legal claims.

We do not sell personal data and we do not share it for cross-context behavioral advertising.

05Legal bases

Where GDPR or similar laws apply, we rely on:

  • Contract — to provide the Service you or your organization signed up for;
  • Legitimate interests — securing the platform, preventing fraud, improving the product, and B2B marketing to business contacts (balanced against your rights);
  • Consent — for non-essential cookies and, where required, marketing communications;
  • Legal obligation — tax, accounting and lawful requests from authorities.

For personal data of individuals in India, we process digital personal data in accordance with the Digital Personal Data Protection Act, 2023, on the grounds of consent or legitimate uses recognized by that Act.

06Sharing and subprocessors

We share personal data only with:

  • Subprocessors that host and support the Service (cloud infrastructure, payment processing, email delivery, support tooling), each bound by contract to confidentiality and data-protection obligations. The current subprocessor list is available at request from privacy@appwharf.co, and DPA customers receive advance notice of changes.
  • Your organization — if your account was provisioned by an employer or other organization, its administrators can see and manage your account activity within their workspace.
  • Professional advisers and authorities — where required by law or to protect rights, safety or the integrity of the Service, with notice to affected customers where lawful.
  • A successor entity — in a merger, acquisition or asset sale, under this policy's protections and with notice of any material change.

07International transfers

We operate from India and the United States, and platform data is hosted in the region selected in your order form (India, EU or US). Where personal data is transferred across borders, we use recognized safeguards — including the EU Standard Contractual Clauses and the UK Addendum — and apply the same protections described in this policy regardless of where the data is processed.

08Security

Security controls include encryption in transit (TLS 1.2+) and at rest (AES-256), row-level permissions, SAML SSO and SCIM provisioning, customer-managed encryption keys on eligible plans, continuous monitoring, and independent audits — we maintain SOC 2 Type II and ISO 27001 certifications. If a breach affects your personal data, we will notify you and the relevant authorities as required by law, without undue delay.

09Retention

DataRetention
Account & billing recordsLife of the account, then up to 7 years as required for tax and accounting.
Customer Data (platform)Controlled by your organization; exportable for 30 days and deleted from production within 60 days after termination (see Terms §4).
Audit logs7 years, as part of the platform's compliance audit trail.
Support conversations3 years after closure.
Marketing contactsUntil you opt out or 2 years of inactivity, whichever is first.

10Your rights

Depending on your location (including under the GDPR, UK GDPR, India's DPDP Act and the California Consumer Privacy Act), you may have the right to:

  • access the personal data we hold about you, and receive a portable copy;
  • correct inaccurate data and complete incomplete data;
  • delete your data, subject to legal retention duties;
  • object to or restrict certain processing, including direct marketing (always honored);
  • withdraw consent at any time, without affecting prior processing;
  • complain to your data-protection authority, or under the DPDP Act, to the Data Protection Board of India;
  • not be discriminated against for exercising any of these rights.

To exercise a right, email privacy@appwharf.co. We verify requests and respond within 30 days (or the period local law requires). If your data is in a customer's workspace, we will refer the request to that customer and assist them in responding.

11Cookies

We use a deliberately small set of cookies:

TypePurposeBasis
Strictly necessarySign-in sessions, CSRF protection, load balancing.Required — cannot be disabled.
PreferencesRemembering your region, industry selection and UI settings.Legitimate interest.
AnalyticsFirst-party, privacy-preserving usage measurement of the Site.Consent, where required — set via the cookie banner.

We use no third-party advertising cookies or tracking pixels. Browser “Do Not Track” and Global Privacy Control signals are honored for analytics.

12Children

The Site and Service are for business use by adults. We do not knowingly collect personal data from anyone under 18; if you believe a minor has provided us data, contact us and we will delete it.

13Changes to this policy

When we change this policy we will post the new version here with an updated effective date, and for material changes we will notify account holders by email or in-product notice at least 30 days before the change takes effect.

14Contact us

Privacy questions and rights requests: privacy@appwharf.co. Our Data Protection Officer and India grievance officer can be reached at the same address or by post: Appwharf, Inc., Attn: Privacy, New Delhi, India / San Francisco, CA, USA.

Appwharf

The enterprise operations platform. Built in New Delhi and San Francisco.

Platform
  • Why one system
  • Product clouds
  • Enterprise scale
  • API & event bus
Industries
  • Manufacturing
  • Logistics & warehousing
  • Hotels & healthcare
  • Retail & eCommerce
Company
  • About
  • Careers
  • Security
  • Terms of Service
  • Privacy Policy
© 2026 Appwharf · team@appwharf.coTerms · Privacy · SOC 2 II · ISO 27001 · GDPR