Privacy Policy

Version 2.0 · Effective 1 July 2025
Data Fiduciary: CreativeCyber Technologies Private Limited
Registered Address: D303, Usha Nagar, Village Road, Bhandup West, Mumbai 400078, India
Grievance Officer Email: admin@creativecyber.in
Effective Date: 1 July 2025
Governing Law: Digital Personal Data Protection (DPDP) Act, 2023, India

This policy applies to all CreativeCyber products and services, including:

  • Corporate Website
  • RiskSage
  • DPDP Assurance
  • Practitioner Toolkit

1. Overview & Data Controller Identity

CreativeCyber ("we", "us", "our") is a cybersecurity and DPDP compliance platform operated by CreativeCyber Technologies Private Limited. We are committed to handling all personal data with transparency, integrity, and respect for your rights under India’s Digital Personal Data Protection (DPDP) Act, 2023.

This Privacy Policy governs how we collect, use, store, share, and protect personal data across all CreativeCyber platforms and services. By accessing or using any of our platforms, you agree to the terms of this Policy.

2. Scope of this Policy

This Policy applies to personal data processed across the following products and digital touchpoints:

Platform | URL / Access | Primary Audience
Corporate Website | creativecyber.in | Public visitors, professionals, blog readers
RiskSage | risksage.creativecyber.in | CISOs, Risk Officers, IT security teams in BFSI
DPDP Assurance | dpdp-assessment.creativecyber.in | Data Protection Officers, Compliance teams, BFSI enterprises
Practitioner Toolkit | practitioner-toolkit.creativecyber.in | Registered cybersecurity and privacy practitioners

3. Personal Data We Collect

We collect personal data only to the extent necessary to deliver our services. The categories of data collected vary by product.

3.1 Corporate Website (creativecyber.in)

  • Contact form submissions: name, professional email address, organisation name, message content
  • Newsletter subscriptions: email address and preference settings
  • Analytics data: page views, session duration, referral source (collected via Google Analytics 4 and custom page-view analytics — no raw IP addresses are stored)
  • Technical metadata: browser type, device type, approximate geographic region (country/state level only)
Privacy note: Our custom analytics system hashes IP addresses using salted SHA-256 before any storage, in compliance with DPDP Act, 2023. Raw IP addresses are never retained.

3.2 RiskSage

  • Account registration data: full name, business email address, job title, organisation name, industry sector
  • Assessment inputs: cyber risk posture data, control gap information, maturity scores entered by the user or organisation
  • Organisation profile: sector, employee count range, existing security frameworks in use
  • Usage telemetry: feature interactions, report generation events, session metadata
  • Communication preferences and notification settings

3.3 DPDP Assurance Platform

  • Account data: name, designation, work email, organisation name, role (Data Fiduciary / DPO / Compliance Officer)
  • Compliance assessment inputs: responses to DPDP control questionnaires, gap findings, evidence artefacts uploaded by the user
  • Organisational data: business entity details provided for compliance scoping (not customer PII of BFSI clients)
  • Workflow and collaboration data: task assignments, comments, review status within the platform
  • Audit logs: user action logs for accountability and compliance trail purposes
  • Subscription and billing metadata: plan tier, payment reference IDs (full card details are not stored; payment processing is handled by our payment partner)
Important: DPDP Assurance processes compliance metadata about your organisation — it does not process personal data of your organisation’s end customers. If you upload any documents containing third-party personal data, you are responsible for ensuring appropriate consent or lawful basis for that upload.

3.4 Practitioner Toolkit (practitioner-toolkit.creativecyber.in)

  • Identity and authentication data: name, email address, professional credentials or certifications declared during registration
  • Profile data: professional bio, area of specialisation, organisation affiliation
  • Single Sign-On (SSO) / centralised identity: the Practitioner Toolkit uses CreativeCyber’s centralised identity service, which may share authentication tokens across integrated platforms
  • Toolkit usage data: downloads, tool interactions, assessment history within the toolkit
  • Communication and support interactions: messages submitted to support or feedback channels

3.5 Data Collected Automatically (All Platforms)

  • Session tokens and cookies (see Section 9 for details)
  • Hashed device fingerprint components for rate-limiting and fraud prevention
  • Error and performance logs (anonymised at ingestion; no personal identifiers retained beyond 30 days)

4. Legal Basis for Processing

Under the DPDP Act, 2023, we process personal data on the following bases:

Legal Basis | Processing Activity | Applicable Platforms
Consent (DPDP Act, S.6) | Newsletter subscription, marketing communications, non-essential cookies (GA4) | Corporate Website, all products
Contractual necessity | Account creation, service delivery, billing, platform features | RiskSage, DPDP Assurance, Practitioner Toolkit
Legitimate interests | Security monitoring, fraud prevention, product improvement, audit logs | All platforms
Legal obligation | Statutory record-keeping, regulatory compliance, responding to lawful government requests | All platforms

5. How We Use Your Personal Data

5.1 Service Delivery

  • Creating and managing your account across our platforms
  • Providing access to RiskSage assessments, DPDP Assurance compliance workflows, and Practitioner Toolkit resources
  • Processing subscription plans, plan upgrades, and billing communications
  • Delivering knowledge articles, reports, and newsletters you have subscribed to

5.2 Security & Platform Integrity

  • Detecting and preventing unauthorised access, fraud, or abuse
  • Rate-limiting requests using hashed identifiers (no raw IP storage)
  • Maintaining audit trails for compliance accountability within the DPDP Assurance platform
  • SSO session management for users authenticated via the Practitioner Toolkit identity service

5.3 Compliance & Legal

  • Maintaining records required under applicable Indian law, including the DPDP Act, 2023
  • Responding to lawful requests from regulatory authorities or law enforcement
  • Exercising or defending legal rights

5.4 Product Improvement & Analytics

  • Analysing aggregated and anonymised usage data to improve product features
  • Measuring page performance and content engagement via custom analytics and GA4
  • Conducting user research with explicit consent of participants

5.5 Communications

  • Sending transactional emails (account confirmations, password resets, plan notifications)
  • Sending newsletters and product updates to subscribers who have given consent
  • Responding to support and contact form queries

6. Data Sharing & Disclosure

We do not sell your personal data. We do not share your data with third parties for their own marketing purposes. Sharing occurs only in the limited circumstances described below.

6.1 Service Providers (Data Processors)

We engage the following categories of service providers who process data on our behalf, subject to data processing agreements and DPDP-compliant obligations:

  • Email delivery: Zoho SMTP (transactional and notification emails)
  • Analytics: Google Analytics 4 (with IP anonymisation enabled; governed by your cookie consent)
  • Cloud infrastructure: hosting and database providers for platform operations
  • Payment processing: our payment partner for subscription billing (we retain only payment reference IDs, not full card data)

6.2 SSO & Identity Integration

The Practitioner Toolkit uses CreativeCyber’s centralised identity service. When you authenticate, your identity token may be shared across linked CreativeCyber platforms to enable seamless access. This is a first-party integration; no identity data is shared with external third parties.

6.3 Legal & Regulatory Disclosure

We may disclose personal data to government authorities, regulatory bodies, or law enforcement when required by law, court order, or to protect the rights, safety, or property of CreativeCyber or others. We will notify affected users to the extent permitted by law.

6.4 Business Transfers

In the event of a merger, acquisition, or asset sale, personal data may be transferred to the successor entity, subject to equivalent privacy protections. Affected users will be notified.

7. Data Retention

We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law.

Data Category | Retention Period | Basis
Account data (all products) | Duration of account + 2 years after closure | Contractual; potential dispute resolution
DPDP Assurance compliance records | 7 years | Regulatory best practice for compliance artefacts
RiskSage assessment data | Duration of account + 3 years | Longitudinal risk trending; contractual
Practitioner Toolkit profile | Duration of account + 1 year | Contractual; SSO audit trail
Contact form submissions | 2 years from submission | Legitimate interest; support reference
Newsletter subscriptions | Until unsubscribe + 30 days | Consent-based; processing window
Analytics / page view data (daily aggregates) | 13 months | GA4 default; product analytics
Hashed rate-limit identifiers | 30 days rolling | Security and fraud prevention
Server / error logs (anonymised) | 30 days | Technical operations
Billing records | 7 years | GST / tax statutory obligations

8. Your Rights Under the DPDP Act, 2023

As a Data Principal under the DPDP Act, 2023, you have the following rights with respect to your personal data held by CreativeCyber:

Right | What it means
Right to Access | Request a summary of your personal data we hold and the purposes for which it is processed.
Right to Correction | Request correction of any inaccurate or incomplete personal data.
Right to Erasure | Request deletion of your personal data where it is no longer necessary for the stated purpose or where consent is withdrawn. Subject to statutory retention obligations.
Right to Withdraw Consent | Withdraw consent for any processing based on consent (e.g., newsletters, non-essential cookies) at any time, without affecting prior processing.
Right to Grievance Redressal | Raise a complaint or grievance with our Grievance Officer within the timelines specified by the DPDP Act.
Right to Nominate | Nominate another person to exercise rights on your behalf in the event of incapacity or death, as permitted under the DPDP Act.

To exercise any of the above rights, please contact our Grievance Officer at admin@creativecyber.in. We will acknowledge your request within 72 hours and aim to resolve it within 30 days of receipt.

9. Cookies & Tracking Technologies

We use cookies and similar technologies to operate our platforms and, with your consent, to measure usage and behaviour.

Cookie Type | Consent Required | Purpose
Strictly Necessary | No (essential to platform operation) | Authentication sessions (sessionStorage tokens), CSRF protection, rate-limit tokens
Functional | Yes | User preferences, language settings, saved dashboard state
Analytics (GA4) | Yes | Page performance measurement, session analytics, content engagement (IP anonymised)
Analytics (Custom) | No — privacy-safe by design | Custom page view tracking with hashed, salted IP; no third-party data sharing

A cookie consent banner is displayed to users on first visit to our website. You may update your preferences at any time via the Cookie Settings link in our website footer. Withdrawing consent for analytics cookies will not affect your ability to use the platform.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, and destruction. Key measures include:

  • Transport security: all data in transit is encrypted using TLS 1.2 or higher
  • Database security: personal data stored in PostgreSQL with access control and encrypted connections
  • IP address protection: all IP-based rate-limiting uses salted SHA-256 hashing; raw IP addresses are never stored
  • Authentication: token-based session management for admin and authenticated product interfaces
  • Infrastructure: services run within Docker containers behind Nginx reverse proxy with restricted exposure
  • Access controls: production credentials and environment variables are managed as secrets and rotated periodically
  • Rate limiting: API endpoints are protected against abuse through Postgres-backed rate limiting

Despite these measures, no internet-based transmission is completely secure. We encourage users to use strong, unique passwords and to contact us immediately at admin@creativecyber.in if they suspect any unauthorised access to their account.

11. Cross-Border Data Transfers

Our primary data storage and processing infrastructure is located in India. Where we use third-party service providers (such as Google Analytics 4 or Zoho) that may process data outside India, we ensure that such transfers comply with applicable provisions of the DPDP Act, 2023 and any Rules notified thereunder regarding cross-border data transfer.

For Google Analytics 4, IP anonymisation is enabled, and data is processed subject to Google’s standard contractual commitments. For Zoho SMTP, data is processed subject to Zoho’s privacy and data protection commitments under Indian and applicable international law.

12. Children’s Privacy

Our platforms are designed for business and professional users. We do not knowingly collect personal data from children (persons under 18 years of age). If you believe we have inadvertently collected data from a minor, please contact us at admin@creativecyber.in and we will promptly delete such data.

For users under 18 who may access our platforms in a supervised professional capacity, we require verifiable consent from a parent or guardian as required under the DPDP Act, 2023.

13. Product-Specific Privacy Notes

13.1 DPDP Assurance — B2B Compliance Tool

DPDP Assurance is a business-to-business (B2B) compliance tool. The data you enter into the platform pertains to your organisation’s compliance posture, not to end consumers. CreativeCyber acts as a Data Processor with respect to any personal data you (as a Data Fiduciary) upload or enter into the platform for compliance assessment purposes. A Data Processing Agreement (DPA) is available on request for enterprise customers.

13.2 RiskSage — Risk Assessment Data

Risk assessment results, scores, and reports generated within RiskSage are confidential to your account and are not shared with other users or organisations. Aggregated and fully anonymised benchmarking data (with no organisation-level identifiers) may be used to improve platform risk models.

13.3 Practitioner Toolkit — SSO and Identity

The Practitioner Toolkit authenticates users via CreativeCyber’s centralised identity service. Your session token and identity profile may be shared across CreativeCyber platforms where you are authenticated. This is a first-party SSO integration; no identity data is shared with external third parties.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

  • A banner notification on the affected platform(s)
  • Email notification to registered account holders
  • Updated "Effective Date" and version number at the top of this document

Continued use of our platforms after the effective date of any update constitutes acceptance of the revised policy. We encourage you to review this page periodically.

15. Grievance Redressal & Contact

If you have any questions, concerns, or wish to exercise any of your rights under this Privacy Policy or the DPDP Act, 2023, please contact:

Grievance Officer

CreativeCyber Technologies Private Limited

D303, Usha Nagar, Village Road, Bhandup West, Mumbai 400078, India

Email: admin@creativecyber.in

We will acknowledge your request within 72 hours and aim to resolve it within 30 days of receipt.

If you are unsatisfied with our response, you may raise a complaint with the Data Protection Board of India as established under the DPDP Act, 2023.

© 2025 CreativeCyber Technologies Private Limited. All rights reserved.
