COOKIESSPACE - PRIVACY POLICY
Version:
2025.1
Effective Date:
01/01/26
CookiesSpace Private Limited (“CookiesSpace”, “we”, “our”, “us”) is committed to protecting personal data and ensuring compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable Indian cyber security laws.
This Privacy Policy describes how we collect, use, disclose, store, protect, and process personal data when you access or use our cloud services including IaaS, PaaS, Virtual Servers, Compute, Storage, APIs, and developer tools (“Services”).
1. DEFINITIONS
1.1 “Personal Data” means any data about an identifiable individual, as defined under DPDP Act.
1.2 “Data Principal” means the individual to whom the personal data relates.
1.3 “Data Fiduciary” means CookiesSpace when we determine the purpose and means of processing.
1.4 “Data Processor” means CookiesSpace when processing data on behalf of a Customer.
1.5 “Customer Data” means data uploaded, stored, transmitted, or processed by Customers using our Services.
1.6 “Sensitive Personal Data” includes financial, health, government ID, biometrics, etc.
2. WHAT PERSONAL DATA WE COLLECT
We collect the following categories of personal data:
2.1 Data Provided by You
- Name, email, phone number, address
- Business name, GSTIN, regulatory documentation
- Billing & payment information
- Support requests & communication
- Identity/KYC details as required by CERT-In Directions
- Region selection (India or International regions)
2.2 Data Automatically Collected
- IP address, device type, OS, browser
- Logs, analytics, access timestamps
- Usage data related to VMs, APIs, network activity
- Error reports and crash logs
- Security metadata (as mandated by CERT-In)
2.3 Data Processed on Behalf of Customers
If warranted or requested by the customer with formal requests, Customer Data stored in VMs, databases, apps, containers, or other hosted resources are processed on behalf of the customer. CookiesSpace does not control the content of Customer Data.
3. HOW WE USE PERSONAL DATA (DPDP SECTION 6 COMPLIANCE)
We use personal data only for:
3.1 Service Delivery
- Account creation and authentication
- Provision of cloud compute, storage, and networking
- Resource allocation and performance optimization
- Managing multi-region deployments
3.2 Security & Compliance
- Fraud prevention
- Logging & monitoring as required under CERT-In
- Detection of security incidents
- Responding to legal and government requests
3.3 Billing
- Invoicing, GST compliance, tax documentation
- Payment processing & refunds
- Usage metering and cost calculation
3.4 Customer Support
- Ticketing and troubleshooting
- Technical assistance for premium tiered support plans
3.5 Service Improvements
- Platform optimisation
- Reliability and performance enhancements
We do not sell personal data.
We do not use personal data for advertising.
4. LEGAL BASIS OF PROCESSING (DPDP SECTION 4)
We process personal data based on:
- Consent
- Performance of contract
- Compliance with Indian laws (DPDP, CERT-In, IT Act)
- Security & legitimate business interests
Customer must cooperate with CookiesSpace or law enforcement as required by law.
5. CONSENT & WITHDRAWAL
When consent is the basis of processing:
- Consent is obtained through explicit opt-in
You may withdraw consent anytime at:
- Withdrawal of consent may affect your use of Services
6. CROSS-BORDER DATA TRANSFERS
Users may select:
- India-only region
- India + International (Soon to be operational)
- International-only region (Soon to be operational)
For international regions:
- Data may be transferred outside India only to countries permitted by the Government of India. (Soon to be operational)
- Protection measures equivalent to DPDP Act are implemented.
If Indian law in future restricts transfer to a specific country, CookiesSpace will notify affected customers.
7. DATA STORAGE & RETENTION
7.1 Logs required under CERT-In Directions (2022) are retained for 180 days minimum within India.
7.2 KYC and customer identity records retained for minimum 5 years.
7.3 Billing and GST-related data retained per Indian tax laws.
7.4 Customer Data is retained only as long as the customer maintains an active account.
7.5 On account deletion:
- Personal data is deleted or anonymised
- Backups may persist for up to 30–90 days
- Data may be retained if legally required
8. DATA SHARING & DISCLOSURE
We share data only when necessary and as permitted under DPDP Act.
8.1 With Service Providers
- Payment gateways
- SMS/email service providers
- Data center operators
- Support tools
- Security monitoring vendors
All service providers operate under strict data processing agreements.
8.2 When Required by Law
We may share data with:
- CERT-In
- Law enforcement agencies
- Government authorities
Disclosure occurs only on valid legal orders.
8.3 No Sale of Personal Data
CookiesSpace never sells personal data to third parties.
9. COOKIESSPACE AS DATA PROCESSOR
When Customer uploads data (Customer Data) to Services, CookiesSpace processes it only on Customer instruction.
CookiesSpace will:
- Not access Customer Data except for support/security
- Not use Customer Data for marketing
- Not disclose Customer Data to affiliates or a third party unless it’s required by law or for genuine development of services toward the customer’s benefit at the full consent of the customers.
- Maintain strict technical and organizational security controls
10. DATA PRINCIPAL RIGHTS (DPDP SECTION 11–12)
Users have the following rights:
- Right to Access Personal Data
- Right to Correction
- Right to Erasure
- Right to Grievance Redressal
- Right to Nominate another individual
Requests can be made via:
We respond within 30 days.
11. GRIEVANCE OFFICER (MANDATORY AS PER DPDP ACT)
Name: D Roy
Designation: Grievance Officer
12. SECURITY MEASURES (DPDP SECTION 8)
CookiesSpace implements:
- Encryption at rest and transit
- Secure access controls (MFA, IAM roles)
- Regular vulnerability scanning
- Network firewalls & isolation
- Data loss prevention controls
- 24/7 SOC monitoring
- Abuse detection and anti-DDoS
- Incident response protocols
13. DATA BREACH RESPONSE
If a breach occurs:
- CERT-In will be notified within 6 hours, as legally required
- Affected users will be notified promptly
- Logs and evidence will be preserved
- Investigation will be initiated immediately
14. CHILDREN’S DATA
CookiesSpace does not knowingly collect data from children under 18 years unless the Customer is legally authorized to process such data.
15. POLICY FOR CUSTOMERS HOSTING PERSONAL DATA
Customers hosting personal data through Cookiesspace’s infrastructure must:
- Comply with DPDP Act and other applicable laws
- Implement strong security within their VMs/apps
- Obtain user consent and provide their own privacy policy
- Ensure compliance for cross-border data transfers
CookiesSpace is not responsible for Customer violations.
16. AUTOMATED DECISION MAKING
CookiesSpace does not perform automated decision-making affecting user rights.
17. COOKIES & TRACKING TECHNOLOGIES
We use cookies for:
- Authentication
- Session management
- Analytics
- Security monitoring
Users can control cookies via browser settings. More on Cookie Policy.
18. THIRD-PARTY LINKS
Our website may link to external sites; we are not responsible for their content or privacy practices.
19. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. Material changes will be notified via:
- Console notifications
- Website updates
20. CONTACT US
For questions about this Privacy Policy: