Privacy Policy

Increeks (“we”, “us”, or “our”) is an AI-native Product & Design Studio incorporated and operating from Bengaluru, Karnataka, India. We provide services under three verticals: Product Studio (AI/ML, IoT, SaaS, Mobile Apps), Design Studio (Branding, UI/UX, 3D/Motion), and INQB Zone (startup incubation).

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit increeks.com (the “Website”), communicate with us, or engage our services. It applies to all users globally, with specific provisions addressing obligations under:

• The General Data Protection Regulation (GDPR) — EU 2016/679
• The California Consumer Privacy Act (CCPA) as amended by the CPRA
• The Digital Personal Data Protection Act 2023 (DPDP Act) — India
• The Information Technology Act 2000 and IT (Amendment) Act 2008 — India

We are committed to the principles of data minimisation (collecting only what is strictly necessary), purpose limitation (using data only for the purpose it was collected), and storage limitation (retaining data no longer than necessary). By using our Website or services, you acknowledge that you have read and understood this Policy.

We collect personal data in the following categories:

Information You Provide Directly

• Contact & Inquiry Data: Name, email address, phone number, company name, and the content of messages submitted via our contact form or sent to hello@increeks.com.
• Project & Engagement Data: Requirements, briefs, design assets, source files, and other materials you share when engaging our services.
• Account Data: Username and password if you register for a client portal or INQB Zone account.
• Payment Data: Billing name, address, and transaction references. We do not store full card numbers; payment processing is handled by PCI-DSS compliant third-party processors.
• Communications: Email correspondence, meeting notes, and support requests.

Information Collected Automatically

• Usage & Log Data: IP address, browser type and version, operating system, referring URLs, pages visited, time spent, and click-path data.
• Device Data: Device identifiers, screen resolution, and hardware model where relevant to delivering responsive experiences.
• Analytics Data: Aggregated behavioural data collected via Google Analytics 4 and Vercel Analytics (see “Cookies & Tracking” section).
• Cookie & Tracking Data: Persistent and session cookies, localStorage values used for consent preferences. See our Cookie Policy for full details.

Information from Third Parties

• Publicly available professional information (e.g., LinkedIn profiles) when assessing INQB Zone applications.
• Referral information provided by partners or clients who recommend our services.

We do not intentionally collect special categories of personal data (health, biometric, racial or ethnic origin, political opinions, religious beliefs, or criminal records) unless you voluntarily disclose such information to us.

We use the personal data we collect for the following purposes:

1. Providing and delivering our services — executing project work, responding to enquiries, managing client relationships, and operating the INQB Zone programme.
2. Communication — sending project updates, invoices, contractual notices, and responding to support requests.
3. Website operation and improvement — diagnosing technical issues, analysing usage patterns, and improving the user experience.
4. Marketing and outreach — sending newsletters, case study updates, and promotional communications where you have consented or where we have a legitimate interest, with an easy opt-out at all times.
5. Legal and compliance obligations — maintaining records required by Indian tax law (GST), responding to lawful requests from authorities, and enforcing our contracts.
6. Security and fraud prevention — monitoring for abusive behaviour, preventing unauthorised access, and protecting our systems.
7. Business analytics — understanding which services are most in demand, measuring marketing effectiveness, and informing business decisions using aggregated, de-identified data.

We will not use your personal data for purposes incompatible with those stated above without providing you fresh notice and, where required, obtaining your consent.

For users in the European Economic Area (EEA) and the United Kingdom, we rely on the following legal bases under GDPR Article 6:

• Contract Performance (Art. 6(1)(b)): Processing necessary to enter into or perform a contract with you — including delivering project work, issuing invoices, and onboarding you as a client.
• Legitimate Interests (Art. 6(1)(f)): Processing for our legitimate business interests where those interests are not overridden by your rights. This includes Website analytics (to improve our services), security monitoring, direct marketing to existing clients, and fraud prevention. We conduct balancing tests and document them upon request.
• Consent (Art. 6(1)(a)): Where you have given freely given, specific, informed, and unambiguous consent — for example, subscribing to our newsletter or accepting non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable law, including Indian GST record-keeping requirements, anti-money laundering obligations, and responses to valid court orders or regulatory requests.

For special category data (Art. 9 GDPR), we rely on explicit consent or other applicable derogations. For California residents, the CCPA does not require a formal legal basis, but we apply the purposes described in this Policy consistently.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We do not sell personal information as defined under the CCPA/CPRA.

We may share data with the following categories of recipients:

• Service Providers (Data Processors): Third parties who process data on our behalf under written data processing agreements, including cloud hosting (Vercel), email delivery (e.g., transactional mail providers), analytics (Google Analytics 4), project management tools, and payment processors. These parties are contractually restricted to processing data solely on our instructions.
• Professional Advisers: Lawyers, accountants, and auditors acting as data controllers in their own right, bound by professional secrecy obligations.
• Government & Regulatory Authorities: Where required by applicable law, court order, or regulatory direction — including the Income Tax Department of India, GST authorities, or law enforcement agencies with proper legal process.
• Business Transfers: In the event of a merger, acquisition, restructuring, or sale of all or part of our business, personal data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.
• With Your Consent: Any other disclosure made with your prior explicit consent.

All third-party service providers are assessed for their data protection practices before engagement and are required to maintain appropriate technical and organisational measures.

We use cookies and similar tracking technologies (pixels, localStorage) on our Website. Our full Cookie Policy is available at increeks.com/cookies.

In summary, we use the following categories of cookies:

• Strictly Necessary: Session management cookies essential for Website functionality. These cannot be disabled without breaking core features.
• Analytics & Performance: Google Analytics 4 (_ga, _gid) and Vercel Analytics to measure page views, session duration, and user journeys. These are anonymised where possible and subject to IP anonymisation.
• Preference Cookies: localStorage values that remember your cookie consent choices.

We do not use advertising or cross-site tracking cookies. You can manage cookie preferences via our consent banner on first visit, or through your browser settings at any time.

Google Analytics data is processed under Google's terms of service and privacy policy. We have enabled IP anonymisation and have signed the applicable data processing addendum with Google. Vercel Analytics is privacy-first by design and does not use cookies to track individual users across sessions.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention schedule is as follows:

• Contact & Enquiry Data: 2 years from last interaction, unless a client relationship develops.
• Client Project Data: 5 years after project completion, to support warranty claims, references, and tax obligations.
• Financial & Invoice Records: 8 years in accordance with Indian Companies Act and GST requirements.
• Marketing Consent Records: Until consent is withdrawn, plus 1 year for audit purposes.
• Website Analytics Data: 26 months (Google Analytics default); Vercel Analytics data is aggregated and does not retain individual records.
• INQB Zone Application Data: 3 years from application date, or 5 years if admitted to the programme.
• Security & Access Logs: 90 days, unless an incident investigation requires longer retention.

After the applicable retention period, data is securely deleted or anonymised. We review retention schedules annually and update them in line with changes in legal obligations.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Rights Under GDPR (EEA/UK Users)

• Right of Access (Art. 15): Request a copy of all personal data we hold about you, along with information about how it is used.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure / “Right to Be Forgotten” (Art. 17): Request deletion of your personal data where processing is no longer necessary, consent has been withdrawn, or the data has been unlawfully processed.
• Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.
• Right to Restriction of Processing (Art. 18): Request that we restrict processing of your data in certain circumstances, such as while a rectification request is being assessed.
• Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time via privacy@increeks.com or the unsubscribe link in any marketing email. Withdrawal does not affect the lawfulness of prior processing.
• Right to Lodge a Complaint: If you are unsatisfied with our response, you may lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your EU Member State's data protection authority).

Rights Under CCPA/CPRA (California Residents)

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months, and how it has been used and shared.
• Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions (e.g., completing a transaction, legal obligations).
• Right to Opt-Out of Sale or Sharing: We do not sell or share personal information as defined under CCPA/CPRA. This right is therefore not applicable, but we honour it as a commitment.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information to purposes permitted under the CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.

To exercise any of these rights, please contact us at privacy@increeks.com. We will respond within 30 days (GDPR) or 45 days (CCPA), with the possibility of a single 30-day extension where the request is complex. We may need to verify your identity before processing the request.

Increeks is based in India. When we engage service providers in other countries — including the European Economic Area, the United States, or other jurisdictions — personal data may be transferred internationally.

We safeguard such transfers through:

• Standard Contractual Clauses (SCCs): For transfers to countries without an EU adequacy decision, we rely on the European Commission's Standard Contractual Clauses (2021 SCCs) incorporated into our data processing agreements with sub-processors.
• Adequacy Decisions: Where the destination country has been deemed adequate by the European Commission, we rely on that decision.
• Binding Corporate Rules or Approved Codes of Conduct: Where applicable to specific service providers.
• Explicit Consent: In limited cases where none of the above apply and no other derogation under Art. 49 GDPR is available, we will seek your explicit informed consent.

For transfers from India under the DPDP Act 2023, we comply with any restrictions on cross-border data transfers notified by the Central Government, and ensure that recipient jurisdictions provide comparable protection.

Our Website and services are directed at business professionals and are not intended for children under the age of 18 (or the applicable age of digital consent in your jurisdiction, which is 13 under COPPA in the United States, 16 in many EU Member States, or as specified under India's DPDP Act).

We do not knowingly collect personal data from minors. If we discover that we have inadvertently collected personal data from a child without verifiable parental consent, we will promptly delete that data. If you believe we have collected data from a minor, please contact us immediately at privacy@increeks.com.

The Digital Personal Data Protection Act 2023 (“DPDP Act”) governs the processing of digital personal data of individuals in India. As a company incorporated and operating in India, we act as a Data Fiduciary under the DPDP Act.

Our Obligations as Data Fiduciary

• Processing personal data only for lawful purposes for which consent has been given or for legitimate uses specified under the Act.
• Providing clear, plain-language notice to Data Principals regarding the nature, purpose, and manner of processing before or at the time of collecting data.
• Implementing reasonable security safeguards to prevent personal data breaches.
• Notifying the Data Protection Board of India and affected Data Principals of any personal data breach in accordance with prescribed timelines.
• Erasing personal data upon withdrawal of consent or when the specified purpose is no longer being served, unless retention is required by law.
• Ensuring our Data Processors (contracted third parties) maintain equivalent data protection standards through contractual obligations.

Rights of Data Principals (Indian Residents)

• Right to Information: Access a summary of personal data being processed and the processing activities undertaken by us.
• Right to Correction & Erasure: Request correction of inaccurate, incomplete, or outdated personal data, and erasure of personal data that is no longer necessary for the specified purpose.
• Right of Grievance Redressal: Raise a complaint regarding our processing activities. We will acknowledge and respond within a reasonable period.
• Right to Nominate: Nominate another individual to exercise your rights in the event of your death or incapacity.
• Right to Withdraw Consent: Withdraw consent at any time; processing after withdrawal and prior to withdrawal remains lawful.

To exercise your rights under the DPDP Act, contact our designated point of contact at privacy@increeks.com. If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of Indiaonce it is constituted and operational.

We review this Privacy Policy at least annually and whenever there is a material change in our data processing practices, applicable law, or the services we offer. When we make significant changes, we will:

• Update the “Last Updated” and “Effective Date” at the top of this page.
• Display a prominent notice on our Website for at least 30 days.
• Where required by law (e.g., GDPR or DPDP Act), notify you directly by email if the changes materially affect how we process your personal data.

Your continued use of our Website or services after the effective date of the revised Policy constitutes your acknowledgement of the changes. If you do not agree, you should discontinue use and contact us to exercise your data rights.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

• Data Protection Contact / DPO: privacy@increeks.com
• General Enquiries: hello@increeks.com
• Registered Office: Increeks, Bengaluru, Karnataka, India
• Website: https://increeks.com

We aim to acknowledge all privacy-related requests within 48 hours and resolve them within the timeframes mandated by applicable law (30 days under GDPR; 45 days under CCPA; as prescribed under the DPDP Act). For complex requests we may extend this period and will inform you of the extension and the reason before the initial deadline expires.

EEA and UK users who are not satisfied with our response have the right to lodge a complaint with the relevant supervisory authority in their country of residence. Indian users may approach the Data Protection Board of India.