Privacy Policy
Effective Date: March 11, 2026 · Kartib Technologies Private Limited
1. Introduction and Scope
This Privacy Policy (“Policy”) describes how Kartib Technologies Private Limited (“Company,” “we,” “us,” or “our”), operating the Kartib platform (“Platform”), collects, uses, stores, processes, discloses, and protects information obtained from and about users of the Platform, including startup founders, CEOs, entrepreneurs, company operators, team members, and any other individuals or entities who access or use the Platform (“Users,” “you,” or “your”).
This Policy applies to all interactions with the Platform, including the web application, APIs, integrations, and any other services. By accessing or using the Platform, you agree to be bound by this Policy.
This Policy complies with the IT Act 2000, DPDPA 2023, GDPR (EU) 2016/679, CCPA/CPRA, and all other applicable data protection laws.
2. Data Controller and Data Protection Officer
Entity: Kartib Technologies Private Limited
Address: Mumbai, Maharashtra, India
DPO: dpo@kartib.comm
For Enterprise plans, the subscribing organisation is the Data Controller and Kartib is the Data Processor, governed by a separate Data Processing Agreement.
3. Categories of Information We Collect
3.1 Information You Provide Directly
- Account registration: full name, email, phone, company name, role/title, company stage, industry
- Company and financial data: revenue figures (MRR, ARR), burn rate, runway, funding amounts, investor details, cap table, valuations, ad spend, financial projections, and all data entered across 37 modules
- Business operational data: KPIs, OKRs, pipeline deals, tasks, team rosters, competitor intelligence, risk registers, decision logs, partnerships, stakeholder maps, regulatory tracking, IP records
- Personal productivity data: journal entries, CEO reviews, mood tracking, ideas bank, open questions, personal OKRs, skill assessments
- Documents: contracts, invoices, legal docs, pitch decks, financial statements uploaded to the Documents module
- Content and social data: content calendar entries, social analytics, marketing campaigns
- Network data: professional contacts, investor relationships, partner contacts
- Payment information (processed by third-party processors)
3.2 Information Collected Automatically
- Device information: type, model, OS, identifiers, screen resolution, browser
- Usage data: features accessed, modules used, frequency, session duration, interaction patterns
- Location data: approximate from IP address
- Client-side storage: Zustand with localStorage persistence for offline-first experience
3.3 Information from Third Parties
- OAuth providers: authentication tokens and basic profile
3.4 Sensitive Business Data
Kartib processes highly sensitive business data. ALL business data is treated as confidential and receives the highest level of protection regardless of category.
4. Purposes and Legal Bases
4.1 Performance of Contract
Providing all 37 modules; auto-calculating KPIs; CSV import/export; account management; payments; data syncing.
4.2 Legitimate Interests
Improving performance and features; analysing aggregated usage patterns; fraud prevention; onboarding demo data.
4.3 Legal Obligations
Financial reporting; responding to lawful requests; audit logs; tax obligations.
4.4 Consent
Marketing (opt-in); anonymised benchmarking; new features.
5. Data Handling Specifics
5.1 Supabase Infrastructure
PostgreSQL with row-level security (RLS) ensuring complete tenant isolation. Supabase Auth handles authentication.
5.2 Client-Side Storage
Zustand with localStorage persistence stores module state, cached KPIs, preferences, and session tokens locally. Synced with Supabase when online.
5.3 AI Agent Data
AI agent configurations and outputs stored within user's isolated environment. Not used for model training without consent.
5.4 Financial Data Sensitivity
Financial data is never shared with third parties, never used for benchmarking without anonymisation (minimum cohort 50), never accessible to employees without documented need and audit trail, and encrypted at rest and in transit.
6. Data Sharing and Disclosure
We do not sell, rent, lease, or trade your personal data or business data.
Recipients
- Service providers: Supabase, payment processors, email delivery (under DPAs)
- Legal authorities: when required by law
- Business transaction parties: in M&A, with same protections
What We NEVER Share
- Individual financial metrics, revenue, KPIs
- Investor relationships, cap table, fundraising info
- Journal entries, CEO reviews, personal reflections
- Competitive intelligence or strategic plans
7. Data Retention
- Account data: duration of account plus 3 years
- Financial data: 7 years per law
- Usage analytics (anonymised): up to 3 years
- Payment records: 7 years
- Support tickets: 2 years after resolution
- localStorage: on device until cleared
8. Data Security
- Supabase RLS for per-user isolation
- AES-256 encryption at rest; TLS 1.3 in transit
- OAuth 2.0 via Supabase Auth; RBAC for Enterprise
- Regular audits and penetration testing
- 72-hour breach notification
- Automated backups and disaster recovery
9. Your Rights
Under DPDPA (India)
Access, correction, erasure, grievance redressal, nomination.
Under GDPR
Access, rectification, erasure, restriction, portability (CSV export available anytime), objection, complaint to supervisory authority.
Under CCPA/CPRA
Know, delete, correct, opt-out of sale/sharing, non-discrimination.
Exercise your rights: privacy@kartib.comm. Response within 30 days.
10. Children's Privacy
The Platform is not intended for persons under 18 years of age.
11. Cookies and Local Storage
Essential cookies for auth; localStorage for offline-first experience; first-party analytics (anonymised, with consent); no advertising cookies. See our Cookie Policy.
12. Changes to This Policy
Material changes will be notified via email and in-app notification. Fresh consent will be sought where required by law.
13. Grievance Officer (India)
Email: dpo@kartib.comm. Acknowledged within 24 hours, resolved within 15 days.
14. Contact
General: legal@kartib.comm
Privacy: privacy@kartib.comm
DPO: dpo@kartib.comm