Who we are
Capitage Global (OPC) Pvt Ltd ("Capitage", "we", "us") is the data controller for personal data collected through our website and marketing channels, and a data processor for personal data we handle on behalf of clients under a service agreement.
- Registered office: Hyderabad, Telangana, India
- Incorporated: 2024 · One Person Company
- Privacy contact: privacy@capitageglobal.com
For our website and emails to you, we decide how your data is used. For data inside a client's project, the client decides — we follow their instructions.
Scope of this policy
This policy applies to:
- Visitors to capitageglobal.com and any subdomains we operate.
- Users of our products — Dzzel, CapMed, and CapAd — once they are generally available.
- People who contact us, request a proposal, or subscribe to our communications.
- Candidates who apply for roles with us.
It does not apply to third-party websites or services we link to. Those have their own policies.
Data we collect
| Category | Examples |
|---|---|
| Identity & contact | Name, business email, phone, company, role, country |
| Account data | Username, hashed password, authentication tokens, role permissions |
| Engagement data | Project briefs, requirements documents, meeting notes, contracts |
| Billing data | Billing address, GSTIN/VAT ID, invoice history. Card numbers are processed by our payment processor and never stored by us. |
| Technical data | IP address, device, browser, operating system, language, referring URL |
| Usage data | Pages viewed, links clicked, features used, session duration, error events |
| Communications | Emails, contact-form submissions, support tickets, call recordings (with consent) |
| Recruitment | Resume, work history, references, interview notes (only if you apply) |
We do not knowingly collect special-category data (health, biometric, religious belief, sexual orientation, etc.) unless required for a specific service — for example, when CapMed processes healthcare information on a client's instruction under a separate Data Processing Agreement.
How we collect it
- Directly from you — when you fill in a form, sign up, email us, sign a contract, or attend a meeting.
- Automatically — through cookies, server logs, and analytics when you visit our website or use a Product.
- From third parties — for instance, identity providers (Google Workspace, Microsoft) when you sign in, or enrichment services that confirm a business email.
- From clients — when a client provides data about their staff or end-users so we can deliver services.
Why we use your data
- To respond to enquiries, send proposals, and negotiate contracts.
- To deliver, support, and improve the Services and Products you've engaged us for.
- To process billing and recover unpaid amounts.
- To authenticate users and protect against fraud and abuse.
- To send service notices, security alerts, and (where you've opted in) marketing emails.
- To analyse usage and improve product performance and content.
- To assess job applications and run our recruitment process.
- To meet legal, tax, accounting, and regulatory obligations.
Legal basis for processing
Where the GDPR or DPDPA applies, we rely on one or more of:
- Contract — to perform services you've asked us to deliver.
- Legitimate interests — to operate, secure, and grow our business in ways that don't override your rights (e.g. analytics, fraud prevention, B2B outreach to corporate contacts).
- Consent — for marketing emails to individuals, non-essential cookies, and any sensitive processing. You can withdraw consent at any time.
- Legal obligation — to comply with tax, accounting, and law-enforcement requirements.
Sharing & disclosure
We do not sell your personal data. We share it only with:
- Service providers (sub-processors) — see the list below — bound by written agreements that limit them to processing on our instructions.
- Professional advisors — auditors, lawyers, insurers — under confidentiality.
- Authorities — when required by law, court order, or to protect rights, safety, or property.
- Successors — in connection with a merger, acquisition, or sale of assets, with notice.
- Clients — when you contact us through a client's deployment of our Products, your data is shared with that client as the controller.
Sub-processors
The categories of third parties we rely on, with examples:
| Purpose | Examples | Region |
|---|---|---|
| Cloud hosting | AWS, Microsoft Azure | India · EU · US |
| Email & productivity | Google Workspace, Microsoft 365 | EU · US |
| Customer support | Helpdesk & ticketing platform | EU · US |
| Analytics | Privacy-respecting product analytics | EU |
| Payments | PCI-DSS-certified payment processor | India · US |
| AI model APIs | Foundation-model providers, used for product features only | US |
An up-to-date list is available on request from privacy@capitageglobal.com.
International transfers
Your data may be transferred to and processed in countries other than your own — including India, the EU, the United Kingdom, and the United States. Where transfers leave a region with strong data-protection laws (e.g. the EEA or UK), we rely on safeguards such as Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions where available, and supplementary measures (encryption in transit and at rest, access controls).
Data retention
We keep personal data only as long as needed for the purposes described, then delete or anonymise it.
- Prospect contacts: 24 months from last interaction.
- Active customer records: for the duration of the engagement plus 7 years for tax/audit.
- Product user data: for the duration of the subscription, plus 30 days after termination for export, after which it is deleted.
- Server logs & security events: up to 90 days.
- Marketing email lists: until you unsubscribe, plus 12 months suppression.
- Recruitment data: 12 months after the role closes, unless you consent to a longer talent-pool retention.
Security
We protect your data with administrative, technical, and physical controls, including:
- Encryption in transit (TLS 1.2+) and at rest for production data.
- Role-based access control with least-privilege defaults and SSO for staff.
- Secrets management, credential rotation, and audit logging.
- Vulnerability scanning, dependency monitoring, and a documented patch cycle.
- Background checks and confidentiality agreements for personnel.
- Incident response procedures with on-call rotation.
No system is perfectly secure. If you suspect a vulnerability, please email security@capitageglobal.com.
Cookies & tracking
Our website uses cookies and similar technologies in three categories:
| Category | Purpose | Consent? |
|---|---|---|
| Strictly necessary | Session, security, load-balancing, preference storage | Not required |
| Analytics | Aggregate usage measurement, error reporting | Required where law mandates |
| Marketing | Audience measurement on advertising platforms | Required — opt-in |
You can manage cookies through your browser settings. Where required by law, we present a consent banner the first time you visit. We honour the Global Privacy Control signal as a valid opt-out request.
Your rights
Depending on where you live, you may have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data, subject to limited legal exceptions.
- Restrict or object to certain processing, including direct marketing.
- Port your data to another service in a structured format.
- Withdraw consent at any time, without affecting prior lawful processing.
- Nominate someone to exercise rights on your behalf, where law permits (DPDPA).
- Lodge a complaint with your local data-protection authority — in India, the Data Protection Board; in the EEA/UK, your national supervisory authority.
To exercise any right, email privacy@capitageglobal.com. We respond within 30 days (extendable by a further 60 days for complex requests, with notice). We may need to verify your identity before acting.
Children's privacy
Our Services are not directed to children under 18, and we do not knowingly collect data from them. If you believe a child has given us personal data, contact privacy@capitageglobal.com and we will delete it.
AI & automated processing
Our Products may include AI features — for example, summarisation, classification, and assistant agents. We do not use customer content to train foundation models without explicit consent. Where automated decisions produce legal or similarly significant effects, you have the right to human review, to express your point of view, and to contest the decision.
When we use third-party AI APIs to deliver a feature, we contractually require those providers to delete inputs and outputs after processing and not to retain them for model training.
Breach notification
If we experience a personal-data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and notify affected individuals without undue delay where the risk is high. Notifications will describe what happened, the data involved, the likely consequences, and the steps we are taking.
Changes to this policy
We may update this policy as our services evolve or laws change. The "Last updated" date at the top reflects the most recent revision. For material changes, we will notify users by email or in-product banner at least 30 days before the change takes effect.
Contact & data protection officer
For privacy questions or to exercise your rights, contact us: