Privacy Policy

Account & Profile Data. When you register, we collect your email address, display name, company name, job title, phone number, website URL, and biographical information you provide. This data is required to create and manage your account.

Authentication Credentials. Passwords are hashed using bcrypt (cost factor 12) before storage. We never store plaintext passwords and cannot recover them.

CRM Data. Information you enter into the platform about companies, contacts, deals, and activities is data you own. We process it only on your behalf under a data processing relationship.

Email Campaign Data. Campaign content, recipient lists, send configurations, and performance metrics (open rates, click rates, bounces) are stored to operate the platform's email marketing features.

Mailbox & Email Data. If you connect an IMAP mailbox to your workspace, we store cached email messages, metadata (sender, recipients, subject, timestamps), message bodies (both plain text and HTML), and activity logs. You remain the owner of this data. Email data is retained as long as your workspace is active and you have not deleted the associated emails. Attachments are stored securely in S3-compatible object storage and are deleted when you delete the associated email or revoke mailbox access.

Document & File Data. Files and documents you upload to the platform are stored in S3-compatible object storage. Metadata (filename, folder structure, upload timestamp, file size) is retained in the database. You own all file data and may delete files at any time.

Usage & Technical Data. We collect IP addresses, browser type and version, operating system, referring URLs, pages visited, timestamps, and feature interaction logs for security, fraud prevention, and product improvement.

API Keys. If you generate API keys (REST or MCP), we store the SHA-256 hash of each key - never the key itself. You bear responsibility for securing your plaintext API keys after generation. Do not share API keys in version control, environment files, or logs.

Session Data. We maintain server-side session records including JWT token family identifiers, device information, and last-used timestamps to manage authentication and support session revocation.

We use your personal data to:

• Create and maintain your account and workspace memberships
• Authenticate your identity and manage secure sessions
• Operate CRM features: storing and retrieving contacts, companies, deals, and activities
• Send and track email campaigns on your behalf
• Sync, cache, search, and retrieve emails from your connected IMAP mailbox
• Send emails via SMTP from your workspace mailbox account
• Store and manage documents, files, and attachments in secure S3 storage
• Process and enforce role-based access control (RBAC) within workspaces
• Execute API calls and MCP tool invocations made by authorized API keys or workspace members
• Detect, investigate, and prevent fraud, abuse, and security incidents (including suspicious API usage patterns)
• Comply with legal obligations, including data subject requests
• Send transactional communications (email verification, password resets, account notices, API security alerts)
• Improve platform reliability, performance, and feature quality through aggregated analytics

We do not sell your personal data to third parties. We do not use your CRM, campaign, mailbox, or document data to train machine learning models without your explicit consent. Your data is not used for advertising or marketing purposes.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR:

• Contract performance (Art. 6(1)(b)): Processing your account data, CRM data, and campaign data is necessary to deliver the services you have contracted with us.
• Legitimate interests (Art. 6(1)(f)): We process usage and technical data for security monitoring, fraud prevention, and product improvement, where these interests are not overridden by your rights.
• Legal obligation (Art. 6(1)(c)): We process data to comply with applicable laws, including responding to lawful government requests and fulfilling data retention obligations.
• Consent (Art. 6(1)(a)): Where consent is required (e.g., optional marketing communications), we will seek it explicitly and you may withdraw it at any time.

Service Providers (Sub-processors). We share data with trusted sub-processors who help operate the platform, including cloud infrastructure providers (hosting, object storage), email delivery services (transactional sends), and Redis/database providers. All sub-processors are bound by data processing agreements that require equivalent data protection standards.

Within Your Organisation. Workspace members you invite may access CRM data, campaigns, and contact records according to their assigned role. You are responsible for managing your workspace membership.

Legal Requirements. We may disclose personal data if required by law, court order, or government authority, or when necessary to protect our rights, prevent fraud, or ensure the safety of users.

Business Transfers. If Tarth Studio undergoes a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you before any such transfer subjects your data to a materially different privacy policy.

No Sale of Data. We do not sell, rent, or trade your personal data to third parties for advertising or any commercial purposes.

We retain your personal data for as long as your account is active or as needed to provide the services. Specific retention periods:

• Account data: Retained for the duration of your account. Upon account deletion, account data is removed within 30 days unless required for legal compliance.
• CRM, campaign, and activity data: Retained for the duration of the associated workspace subscription. You may export or delete workspace data at any time through the platform settings.
• Mailbox & email data: Retained as long as you maintain the mailbox connection and have not deleted emails. You may delete cached emails individually or clear the entire mailbox cache at any time. Attachments are deleted when the associated email is deleted.
• Document & file data: Retained as long as stored in your workspace. You may delete files and folders at any time.
• API key hashes: Retained until you revoke the key or delete your account.
• Security & audit logs: Retained for up to 12 months to support incident investigation and fraud prevention.
• Billing records: Retained for 7 years as required by applicable tax and financial regulations.
• Backup copies: May persist for up to 90 days after deletion in encrypted backups before permanent removal.

We implement industry-standard technical and organisational security measures to protect your data:

• All data in transit is encrypted using TLS 1.2 or higher
• Passwords are hashed with bcrypt (cost factor 12) - plaintext passwords are never stored
• API keys are stored as SHA-256 hashes only
• Authentication uses HTTP-only, SameSite=Strict cookies to prevent XSS and CSRF attacks
• Automatic account lockout after 5 consecutive failed login attempts
• All database queries use parameterised statements (SQL injection structurally prevented)
• Session tokens include family tracking to enable precise revocation
• Access to production systems is restricted to authorised personnel with audited credentials

No security system is impenetrable. If you discover a security vulnerability, please report it responsibly to security@studio.tarth.in.

We use the following types of cookies:

• Essential cookies: HTTP-only authentication cookies (tarth.access and tarth.refresh) required for secure session management. Cannot be disabled without breaking authentication.
• Analytics cookies: We use Google Analytics (or an equivalent privacy-first analytics tool) to understand aggregate usage patterns. These cookies do not identify you individually.

You may manage browser cookies through your browser settings. Disabling non-essential cookies will not affect core platform functionality.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Correct inaccurate or incomplete personal data.
• Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations.
• Restriction: Request that we limit how we process your data in certain circumstances.
• Data Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
• Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@studio.tarth.in. We will respond within 30 days (or as required by applicable law).

California residents (CCPA): You have the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To submit a verifiable consumer request, contact us at the address above.

Tarth Studio is operated from India. If you are located in the EEA, UK, or another jurisdiction with data transfer restrictions, your data may be transferred to and processed in countries that may not have equivalent data protection laws.

Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate transfer mechanisms, to ensure an equivalent level of protection for your data.

Tarth Studio is an enterprise platform intended for use by professionals aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will take steps to delete it promptly.

If you believe a minor has provided us with personal data, please contact us at privacy@studio.tarth.in.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify registered users by email at least 30 days before changes take effect (for material changes)
• Display a notice within the platform

Your continued use of the platform after the effective date of any changes constitutes acceptance of the revised policy.

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our privacy team:

We aim to respond to all privacy-related inquiries within 5 business days.