Last updated: 14 April 2026
1. Who we are
UnfoldCRO is a sole proprietorship operated by Adarsh, with its principal place of business at Harda, Madhya Pradesh, India. Throughout this policy, "we", "us", and "our" refer to UnfoldCRO. Our website is https://unfoldcro.com.
UnfoldCRO operates as a technology development agency. Our work includes (a) white-label development and consulting for other agencies, (b) direct engagements with B2C and D2C e-commerce brands, (c) the development and licensing of software products, SaaS tools, and Shopify features, and (d) publishing educational content including a blog, newsletter, and a public knowledge base.
2. Scope of this policy
This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you:
- visit our website, read our blog, or browse our knowledge base and feature library;
- subscribe to our newsletter or submit a lead, contact, or feature-request form;
- book a consultation call or engage us as a client for development, SEO, CRO, or related services;
- use our software products, client portals, or hosted Shopify applications.
This policy is issued under the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 ("DPDP Act").
3. Data we collect
3.1 Information you provide
- Contact details — name, email, phone, company, country, role, website URL — when you submit any form on the site (contact, lead, feature request, newsletter, booking).
- Project & engagement data — scope documents, brand guidelines, credentials you share with us (e.g. Shopify staff access, GitHub invites, hosting logins), files, screenshots, and any other material required to deliver the service.
- Billing information — business name, GSTIN where applicable, billing address, and the payment method you use (we do not store raw card numbers; see §4).
- Communications — emails, chat messages, voice and video call recordings (only when you are informed and consent), meeting notes.
3.2 Information collected automatically
- Usage data — pages viewed, session duration, referrer, user agent, and device type, collected through our analytics providers.
- Cookies and similar tech — see our Cookies Policy.
- IP address — logged for security, rate-limiting, and abuse prevention.
3.3 Information from third parties
- OAuth providers — when you authenticate via Google or a partner platform, we receive basic profile data (name, email, avatar).
- Shopify and e-commerce platforms — when engaged as a client, we access data you have authorised us to access via the platform's official APIs.
- Enrichment — occasionally we look up publicly available information about a lead or client (LinkedIn profile, company website) before a call.
4. Payment information
We do not store your raw card or bank details. Payments are processed by PCI-DSS compliant third-party processors including Razorpay, Stripe, Wise, and standard banking channels. We retain only the transaction reference, amount, currency, date, and associated invoice identifier for accounting and statutory compliance.
5. How we use your data
- To deliver services you requested — responding to enquiries, scoping projects, building, deploying, supporting, and invoicing.
- To communicate with you — transactional updates, project progress, and in some cases, newsletters and educational content (which you can unsubscribe from at any time).
- To improve our products and website — aggregated analytics, heatmaps, A/B tests on our own site.
- To comply with legal obligations — taxation, GST filings, anti-fraud, record-keeping under Indian law.
- To protect our rights and operations — prevention and investigation of abuse, fraud, or breach of our Terms.
6. Legal basis
Under the DPDP Act, we process your data based on:
- Consent — when you fill a form, subscribe, or explicitly opt-in.
- Contract — to perform the services you have engaged us for.
- Legitimate use — to respond to communication you initiated, for operational security, or for statutory compliance (e.g. GST records).
7. Sharing and disclosure
We do not sell your personal data. We share it only in the following scenarios:
- Sub-processors and service providers that help us deliver the service — for example, hosting (Contabo, Hostinger, Vercel), transactional email (e.g. Google Workspace, Resend), payment processors (Razorpay, Stripe), analytics (Google Analytics), CRM tools, code collaboration (GitHub), and scheduling (Google Calendar). Each is contractually bound to confidentiality and data-protection terms.
- With your explicit instruction — for example, granting you access to a shared tool or coordinating a handover with your other vendors.
- Legal obligation — when required by court order, subpoena, or a lawful demand from an Indian authority.
- Business transfers — if the business is transferred, sold, or reorganised, data may be transferred as part of that transaction, with continued protection under this policy.
For B2B white-label engagements, we treat information about your end-clients with the same duty of care we apply to our own clients, under NDA where requested.
8. International transfers
Some sub-processors are based outside India. When we transfer data abroad, we do so only to countries and providers that offer comparable standards of data protection and only for the stated purposes.
9. Retention
- Client project data — retained for the duration of the engagement plus 3 years, unless a longer period is required by law or agreed contractually. Source code and deliverables handed over to you are yours; we keep working copies under access control.
- Billing and tax records — retained for a minimum of 8 years as required under Indian taxation law.
- Leads & enquiries — retained for up to 24 months of inactivity, then deleted or anonymised.
- Newsletter subscribers — retained until you unsubscribe.
- Analytics data — retained per the provider's default retention (typically 14-26 months).
10. Security
We implement industry-standard safeguards: TLS on all transport, encrypted credential storage, role-based access to production systems, principle-of-least-privilege for team members, MFA on all critical admin tools, regular backups, and monitoring. No system is absolutely secure; in the event of a breach affecting your data we will notify you and the Data Protection Board as required by the DPDP Act.
11. Your rights
Subject to applicable law, you have the right to:
- access a copy of the personal data we hold about you;
- correct inaccurate or outdated information;
- erase your personal data, subject to our legal retention obligations;
- withdraw consent where we rely on it as a basis for processing;
- object to or restrict certain processing;
- nominate another person to exercise these rights on your behalf (DPDP Act);
- lodge a complaint with the Data Protection Board of India.
To exercise any right, email info@unfoldcro.com with subject "Data Rights Request". We respond within 30 days.
12. Children
Our services are not intended for children under 18. We do not knowingly collect data from minors. If you believe a minor has submitted data through our site, contact us and we will delete it.
13. Third-party links
Our website and blog may contain links to third-party sites. We are not responsible for the privacy practices of those sites. Review their policies before submitting any data.
14. Changes to this policy
We may update this policy to reflect changes to our services, legal obligations, or best practices. The updated version is published at https://unfoldcro.com/policies/privacy-policy with a new "Last updated" date. Material changes will be announced via email to subscribers and active clients.
15. Grievance Officer
In accordance with Rule 5(9) of the IT Rules and Section 10 of the DPDP Act, 2023, the Grievance Officer for UnfoldCRO is:
Adarsh
UnfoldCRO, Harda, Madhya Pradesh, India
Email: info@unfoldcro.com
We aim to acknowledge grievances within 24 hours and resolve them within 30 days.