This Privacy Policy explains how DigiLyt Tech (“DigiLyt”, “we”, “us”) collects, uses, stores and shares personal data when you use the DigiLyt customer portal, website-builder service, and related products operated at digilyt.com and app.digilyt.com. It is written to comply with India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”). It applies to users in India and anyone whose personal data we process in connection with an Indian business relationship.
1. Who we are
DigiLyt Tech is the data fiduciary for the personal data described in this policy. Our registered contact for data-protection matters is privacy@digilyt.com. Our grievance officer under §8(10) of the DPDP Act is listed in section 10 below.
2. Personal data we collect
We collect only what we need to operate the service:
- Account data: the email address you sign in with, any name and business details you provide, and a timestamp of each sign-in.
- Verification data: one-time codes we send you and the hashed record of whether you used each one.
- Intake data: information you fill into the intake form (business name, industry, contact details, descriptive text, and any files you upload) so that our website-builder can generate your site.
- Abuse-prevention signals: your IP address, browser user-agent, a device fingerprint hash, and request timing. These are collected on every request as a necessary part of performing the service contract with you (see §3a of our Terms) and are used to detect fraudulent signups, spam, and credential-stuffing against the sign-in flow.
- Operational logs: error logs and service metrics necessary to keep the platform running and secure.
We do not knowingly collect the personal data of children under 18. If we learn that we have collected data from a child without their parent or guardian’s verifiable consent as required by §9 of the DPDP Act, we will delete it promptly.
3. Why we process your data (purposes)
- Account and sign-in: to authenticate you, maintain your session, and keep your account secure.
- Service delivery: to generate your website from the intake data you provide and to deliver the result.
- Abuse prevention: to detect spam, fraud, and automated abuse. Collection of the abuse-prevention signals above is necessary for us to perform the service contract on the terms set out in our Terms of Service, §3a.
- Legal compliance: to meet obligations under Indian law, including tax, audit, and data-protection record-keeping.
- Customer support and product communication: to reply to your queries and to inform you about material changes to the service.
We do not use your personal data for behavioural advertising. We do not sell your personal data.
4. Legal basis
Our primary legal basis under the DPDP Act §6 is your informed, free, specific, and unambiguous consent to these Terms and this Privacy Policy. When you sign in, you tick a box confirming you agree to both — that is your recorded consent for the purposes above, including the abuse-prevention signals described in §3a of our Terms, which we collect as necessary to perform the service contract.
Where the DPDP Act permits processing for certain “legitimate uses” under §7 — such as compliance with a legal obligation, or responding to a medical emergency — we may rely on those bases in those narrow cases.
5. Your rights under the DPDP Act
You have the right to:
- Access a summary of the personal data we hold about you and the identities of the data processors with whom we share it (§11).
- Correction, completion, updating and erasure of your personal data (§12). Erasure applies except where we are required by law to retain records.
- Grievance redressal — see section 10 (§13).
- Nominate another person to exercise your rights in the event of your death or incapacity (§14).
- Withdraw consent at any time. Withdrawal will not affect the lawfulness of processing done before the withdrawal. After withdrawal we will stop the dependent processing and delete the data unless law requires us to retain it.
To exercise any of these rights, email privacy@digilyt.com. We aim to respond within 30 days and will never charge you for exercising a statutory right.
6. Withdrawing consent
You can withdraw consent at any time. The simplest ways:
- Email privacy@digilyt.com from the address associated with your account.
- Use the “Delete my account” option inside the customer portal (available once you are signed in).
We will confirm receipt, process the withdrawal within 30 days, and tell you specifically what data was deleted and what (if anything) we had to retain for legal reasons.
7. Data retention
- Active accounts: retained while your account is active.
- Intake submissions: retained for 7 years for invoicing and audit traceability, then deleted.
- Abuse-prevention fingerprints: hashed and retained for 90 days, then purged.
- One-time codes: expire in 5 minutes; consumed codes are retained only as hashed records for audit.
- Request logs: 30 days for operational debugging.
8. Sharing and data processors
We share personal data with a small set of data processors acting on our instructions:
- Cloudflare, Inc. — hosting, CDN, and database (Cloudflare Pages, Workers, D1, R2). See our data-residency notice for the specific region posture.
- Resend and Postmark — transactional email delivery (sign-in codes, service notifications).
- Razorpay — payment processing when you pay an invoice.
- Government and law-enforcement authorities — only when legally compelled and scoped to the narrowest request possible.
Each of these processors is contractually bound to process data only on our instructions and to maintain security controls appropriate to the data they handle. We do not sell personal data to anyone.
9. Security and breach notification
We use encryption in transit (TLS), encryption at rest for the customer database, short-lived sessions, rate limiting, and operational security practices documented in our internal breach-response procedure.
If a personal-data breach affects you, we will notify you and the Data Protection Board of India within 72 hours of becoming aware of it, as required by the DPDP Act. The notice will describe what happened, what data was involved, what we are doing about it, and what steps you can take.
10. Grievance officer
Under §8(10) of the DPDP Act, 2023 and rule 3(2) of the IT Rules 2021, we have designated a Grievance Officer to address concerns about this policy, our data-processing practices, and any content matter under our Acceptable Use Policy. The Grievance Officer acknowledges every complaint within 24 hours and resolves it no later than 15 days from receipt.
- Name: TBD — to be confirmed before launch
- Email: grievance@digilyt.com
- Postal address: TBD — to be confirmed before launch
If you are not satisfied with the grievance officer’s response, you may escalate to the Data Protection Board of India at the address it publishes on meity.gov.in.
11. Cross-border transfer
Cloudflare and our email processors operate globally, which can mean your data transits or is stored in servers outside India. Transfers are made only to countries that are not restricted by the Central Government under §16 of the DPDP Act. We review the Government’s restricted-countries list and update our processor posture if a change is required.
12. Children
DigiLyt is not directed at individuals under 18. We do not knowingly process the personal data of a child without the verifiable consent of the parent or lawful guardian, as required by §9 of the DPDP Act. If you believe we hold a child’s data without the required consent, email privacy@digilyt.com and we will investigate and delete as appropriate.
13. Changes to this policy
We update this policy when our practices, our processors, or the law changes. The “Last updated” date at the top of the page reflects the most recent change. For material changes, we will email account-holders at least 14 days before the change takes effect and ask for fresh consent where the DPDP Act requires it.
14. Contact
Privacy questions: privacy@digilyt.com
Grievance officer: grievance@digilyt.com
General support: hello@digilyt.com