Privacy Policy

Effective date: April 1, 2026 · GDPR · DPDP · CCPA · CPRA · UK GDPR · LGPD aligned

Quick summary: We collect what you give us. We process it to run the service. We don't sell it. You can export or delete it anytime. Email dpo@ideadunes.com for any privacy request.

1. Who we are

Ideadunes is operated by Niket Gupta, sole proprietor, headquartered in Jaipur, Rajasthan, India. For EU customers, our Article 27 representative is retained in Frankfurt; for UK customers we are registered with the ICO.

Data Protection Officer: dpo@ideadunes.com
EU representative: address available on request
UK ICO registration: ZA8472XX (controller)

2. What we collect

Account data: name, email, phone, business name, country, payment details (processed by Stripe/Razorpay).

Usage data: bookings created, features used, pages visited, errors encountered, IP address (truncated for analytics), browser/device info.

Customer data (yours): when you bring your customers' data into the platform, we process it as your data processor.

Cookies: session cookies (required) and analytics cookies (with consent in EU/UK/Brazil/Canada).

3. Why we process

We process your data for these purposes only:

  • To deliver the service (legitimate interest, contract)
  • To bill you (contract)
  • To comply with law (legal obligation)
  • To detect fraud and security incidents (legitimate interest)
  • To send service updates (legitimate interest, no marketing)
  • To send marketing (only with consent, easy opt-out)

4. Who we share with

We share with subprocessors strictly to deliver the service. Full list at our trust center. Each subprocessor signs a DPA mirroring or stricter than ours. We do not sell your data to advertisers.

5. Where we store

Default region for new accounts is matched to billing country. You can choose data residency on Scale and Enterprise plans. We never transfer data across regions without your explicit configuration.

6. How long we keep it

Account data: while your account is active + 90 days after closure (for billing reconciliation, legal compliance). Audit logs: 7 years (regulatory). Customer data (yours): per your retention configuration. Backups: 35 days rolling.

7. Your rights

Depending on where you live, you have rights to:

  • Access: get a copy of your data (GDPR Art 15, DPDP § 11, CCPA § 1798.110)
  • Rectification: correct inaccurate data (GDPR Art 16, DPDP § 12)
  • Erasure: delete your data (GDPR Art 17, DPDP § 12, CCPA § 1798.105)
  • Portability: get data in machine-readable format (GDPR Art 20)
  • Object: stop certain processing (GDPR Art 21)
  • Restrict: limit how we process (GDPR Art 18)
  • Withdraw consent: at any time (DPDP § 6, GDPR Art 7)
  • Complain: to your data protection authority

All requests: dpo@ideadunes.com or self-service in your account → Settings → Privacy. Average response time: 4.2 hours. Maximum: 72 hours.

8. Children

Ideadunes is not intended for children under 16 (EU/UK), 13 (US), or 18 (India per DPDP for sensitive data). If a tenant uses our platform to schedule services for children (e.g., schools, pediatric clinics), the tenant is responsible for parental consent and age verification.

9. Security

Industry-standard encryption, access controls, and monitoring. Detailed at security page. Breach notifications within 72 hours (GDPR), 30 days (HIPAA, DPDP, most US state laws).

10. Changes

We update this policy occasionally. Material changes notified by email 30 days in advance. Previous versions available on request.

11. Region-specific terms

India (DPDP): Niket Gupta is the Data Fiduciary. Grievance officer: dpo@ideadunes.com. Complaints to Data Protection Board of India.

EU/UK (GDPR): Lawful bases as listed above. Lodge complaints with your local data protection authority.

California (CCPA/CPRA): We do not sell personal information. We honor "Do Not Sell" and Global Privacy Control signals.

Brazil (LGPD): See pt-BR version available at /pt-BR/privacidade.