Legal · DPDP Act 2023

Privacy policy

Draft for legal review. This policy is a good-faith statement of our actual practices, prepared for review by counsel before general availability. Questions meanwhile: ayush@capeasy.in.

Who we are

Saral is operated by CapEasy (“we”). For data you submit on this website and in the Saral product, we are the data fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP). For personal data your company records about its stakeholders inside Saral (for example, employees on the ESOP register), your company is the data fiduciary and we process on its instructions.

What we collect, and why

What we never do

Where data lives, and how it is protected

Databases and file storage are in AWS ap-south-1 (Mumbai). Company data is isolated with database row-level security; the equity ledger is append-only; backups are encrypted and restore-tested. Details on the Security & Trust page.

Processors we use

Supabase (database/auth/storage, Mumbai region), Vercel (application hosting and anonymous analytics), Resend (transactional email), GitHub (encrypted backup artifacts). Each processes data only to provide their service to us.

Retention and deletion

Website leads: kept until you ask us to delete them or 24 months of inactivity, whichever is earlier. Product data: kept while your company uses Saral; on verified request we export and then delete your company’s data, subject to record-keeping a statute imposes on us directly.

Your rights

You may request access to, correction of, or deletion of your personal data, and may withdraw consent for non-essential communications at any time: ayush@capeasy.in. If you are a stakeholder whose data a company records in Saral, we will route your request to that company and assist them in honouring it. Grievances are acknowledged within 72 hours.

Changes

We will post changes here with a dated note, and material changes will be emailed to account holders before they take effect.