PRIVACY POLICY

Effective Date: May 31, 2026
Version: 1.0
Operator: ADF DesignTech Private Limited
CIN: U62011HR2026PTC146319

Your privacy matters to us. This Policy explains how we collect, use, store, and protect your personal data when you use the Credwik platform operated by ADF DesignTech Private Limited.

01 Overview & Our Commitment

ADF DesignTech Private Limited ("Credwik", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the Credwik platform ("Service").

We comply with: the Information Technology (Reasonable Security Practices and SPDI) Rules 2011 under the IT Act 2000; the Digital Personal Data Protection Act 2023 (DPDP Act) and DPDP Rules 2025; the General Data Protection Regulation (EU) 2016/679 (GDPR) for EU/EEA users; the UK GDPR for UK users; the CCPA/CPRA for California residents; and other applicable national and regional privacy laws.

02 Data Controller

Company: ADF DesignTech Private Limited
CIN: U62011HR2026PTC146319
Registered Office: 956/7, HB529, Bahadurgarh, Jhajjar – 124507, Haryana
Email: support@credwik.com
Website: www.credwik.com

For EU/EEA users, Credwik acts as the data controller. Where we process data on your behalf (e.g., your employees' payroll data), we act as a data processor under your instructions.

03 Data We Collect

Information you provide directly includes: account registration data (name, email, mobile number, business name, business type, GSTIN, PAN); financial and accounting data (vouchers, invoices, ledger entries, receipts, payments, journal entries); inventory data (product names, HSN codes, quantities, pricing); salary and payroll data entered by you; team member data (names, email addresses, roles); and communication data (messages, support tickets).

Information collected automatically includes: device and access data (IP address, browser type, operating system); usage data (pages visited, features used, session duration); log data (server logs, error reports); and cookies and similar technologies.

Information from third parties includes: payment processors (transaction confirmations, payment status — we do not store full card details); GST portal/GSTN APIs you authorise us to access; and single sign-on providers (name and email if you register via Google or other OAuth providers).

04 How We Use Your Data

Service Delivery: to create and manage your account; to provide accounting, GST, inventory, payroll, and reporting features; to process payments and manage subscriptions; to facilitate role-based access for team members and CAs.

Communication: to send transactional emails (invoices, account notifications, security alerts) and provide customer support; to send product updates and marketing communications (with your consent, which you may withdraw at any time).

Improvement & Analytics: to analyse usage patterns and improve the Service; to conduct research and develop new features; to generate aggregated, anonymised analytics (your individual data is never sold).

Legal & Compliance: to comply with applicable laws and regulatory requirements; to detect and prevent fraud, abuse, or security incidents; to enforce our Terms and Conditions; to respond to legal processes (court orders, government requests).

05 Legal Basis for Processing (GDPR / UK GDPR)

Contract Performance (Article 6(1)(b) GDPR): Processing necessary to perform our contract with you.

Legitimate Interests (Article 6(1)(f) GDPR): Improving the Service, fraud prevention, security monitoring, and direct marketing to existing customers.

Legal Obligation (Article 6(1)(c) GDPR): Compliance with applicable tax, accounting, anti-money laundering, and other legal obligations.

Consent (Article 6(1)(a) GDPR): Marketing communications to prospective users; non-essential cookies. You may withdraw consent at any time.

06 Data Sharing & Disclosure

We do not sell, rent, or trade your personal data.

Service Providers (Data Processors): We engage trusted third-party processors including cloud hosting providers, payment gateways (Razorpay, PayU), email and communication providers, and analytics providers. All processors are bound by data processing agreements obligating them to maintain confidentiality and security.

Legal & Regulatory Disclosures: We may disclose your data to government authorities, courts, or regulators if required by applicable law, including the IT Act, GST laws, or orders from GSTN, MCA, or other competent authorities.

Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will provide at least 30 days' advance notice before your data becomes subject to a different privacy policy.

Your Authorised Third Parties: If you grant access to a CA or team member, they will access your data according to the permissions you set. You are responsible for managing and revoking such access.

07 Cookies & Tracking Technologies

Strictly Necessary: Session management, authentication, security. These cannot be disabled because they are essential to the Service.

Performance & Analytics: Understanding how users interact with the Service (e.g., Google Analytics with IP anonymisation). You may opt out via cookie settings.

Functional: Remembering your preferences (e.g., language, display settings).

We do not currently use marketing or advertising cookies. You can manage cookie preferences through your browser settings or our cookie consent tool.

08 Data Retention

Account data: duration of account + 3 years after closure (or longer if required by law).

Financial/accounting records: 7 years — per Section 36 CGST Act 2017 and Rule 56 CGST Rules 2017.

Payroll data: 8 years — per applicable labour laws.

Support communications: 3 years.

Server logs: up to 12 months.

Upon account deletion, your personal data will be anonymised or deleted within 30 days, except where retention is required by law.

09 Data Security

We implement: encryption in transit (TLS 1.2/1.3) and at rest (AES-256); row-level security ensuring your data is isolated and inaccessible to other users or Credwik staff except as required for support; role-based access controls for internal staff; regular security audits and vulnerability assessments; and secure cloud infrastructure with automatic backups.

In the event of a personal data breach: (a) we will notify the relevant supervisory authority within 72 hours under GDPR, or report to the Data Protection Board of India per the DPDP Act 2023; (b) we will notify affected users without undue delay where the breach is likely to result in high risk.

10 International Data Transfers

For EU/EEA data: Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.

For UK data: UK International Data Transfer Agreements or UK Addendum to SCCs.

For other transfers: compliance with the DPDP Act 2023 and DPDP Rules 2025 cross-border data transfer provisions.

11 Your Rights

All Users (India — IT Rules & DPDP Act): Right to access your personal data held by us; right to correct inaccurate or incomplete data; right to withdraw consent (where processing is consent-based); right to grievance redressal; right to nominate another individual to exercise your data rights on your behalf.

EU/EEA & UK Users (GDPR / UK GDPR): Right of access; right to rectification; right to erasure ("right to be forgotten"); right to restriction of processing; right to data portability; right to object; right not to be subject to solely automated decisions; right to lodge a complaint with your supervisory authority.

California Residents (CCPA/CPRA): Right to know what personal information is collected, used, shared, or sold; right to delete personal information; right to opt out of sale (we do not sell personal information); right to correct inaccurate personal information; right to non-discrimination.

To exercise any of these rights, contact support@credwik.com. We respond within 30 days under Indian law, and within 30 days (extendable by 60 days for complex requests) under GDPR/UK GDPR.

12 Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from persons under 18. If we learn that we have collected such data, we will delete it promptly.

13 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by: (a) email to the address on your account; (b) prominent in-app notification. The updated Policy takes effect 14 days after notification.

14 Grievance Officer (India)

Grievance Officer: Dinesh Kataria
Email: grievance@credwik.com
Address: ADF DesignTech Private Limited, 956/7, HB529, Bahadurgarh, Jhajjar – 124507, Haryana
Response Time: Within 30 days of receipt of grievance

15 Contact & Data Protection

Company: ADF DesignTech Private Limited
CIN: U62011HR2026PTC146319
Privacy Email: support@credwik.com
Legal Email: legal@credwik.com
Website: www.credwik.com/privacy
Registered Office: 956/7, HB529, Bahadurgarh, Jhajjar – 124507, Haryana

EU/EEA users may also contact their local Data Protection Authority. ADF DesignTech Private Limited does not currently meet the thresholds under Article 37 GDPR requiring mandatory DPO appointment. We will appoint a DPO if and when those thresholds are met.

© 2026 ADF DesignTech Private Limited. All rights reserved.
