Privacy Policy
Last Updated: April 25, 2025
1. Introduction
Welcome to Craftedfolio ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, services, and applications (collectively, the "Services"), including but not limited to digital cards and portfolios.
We operate from Maharashtra, India, and provide services globally. This policy complies with applicable data protection laws including the General Data Protection Regulation (GDPR) for users in the European Economic Area, the California Consumer Privacy Act (CCPA) for California residents, and India's Digital Personal Data Protection Act, 2023.
Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access our Services.
2. Data Controller Information
The data controller responsible for your personal information is:
Craftedfolio
Location: Maharashtra, India
Email: support@craftedfolio.com
Privacy Inquiries: support@craftedfolio.com
3. Information We Collect
We collect information that you provide directly to us and limited technical information necessary for service operation.
3.1 Personal Data You Provide
Personal Data refers to any information that identifies or can be used to identify an individual. We collect the following categories of Personal Data when you use our Services:
- Contact information: Name, email address, phone number
- Account credentials: Username and encrypted password
- Profile information: Profile picture, job title, company, bio, portfolio summary
- Social media information: Social media handles, links, and URLs you choose to include
- User-generated content: Text, images, project descriptions, and other content you upload to your digital cards or portfolios
- Communication data: Messages you send to our support team
3.2 Payment Information
Important: We do NOT collect, store, or process payment card information (credit card numbers, CVV, etc.) directly on our servers. Any future payment processing will be handled exclusively by third-party PCI-DSS compliant payment processors (such as Stripe, Razorpay, or PayPal). Payment data is transmitted directly to the payment processor and is subject to their privacy policy. We may receive limited transaction information such as transaction ID, payment status, and billing email for record-keeping purposes only.
3.3 Technical and Usage Data
We collect limited technical information necessary to provide and improve our Services. We prioritize your privacy and do NOT use third-party analytics or tracking services. The technical data we collect includes:
- Authentication data: Session tokens and login timestamps for security purposes
- Basic usage analytics: Page views on your portfolios/cards (view counts), manually collected without third-party trackers
- Error logs: Technical errors and system logs for debugging and service improvement (stored temporarily)
- Security logs: Failed login attempts, suspicious activity detection for fraud prevention
We do NOT collect the following information:
- IP addresses (except temporarily in server logs for security, deleted within 7 days)
- Detailed browser fingerprinting or device information
- Operating system or device specifications
- Precise geolocation data
- Cross-site tracking or behavioral profiling
- Third-party analytics or advertising data
3.4 Publicly Posted Content
Any information you include in your published portfolios or digital cards becomes publicly accessible. This content may be viewed by anyone who accesses your portfolio/card URL and may be indexed by search engines. Please do not include sensitive personal information that you do not want to be publicly available.
4. How We Use Your Information
We use your information for the following purposes, based on the legal grounds described below:
- Providing and maintaining our Services (Legal basis: Contract performance) - Creating and managing your account, hosting your portfolios and digital cards
- Processing transactions (Legal basis: Contract performance) - Managing any future premium features or paid services
- Communication (Legal basis: Contract performance, Legitimate interests) - Responding to your requests, comments, and questions via support@craftedfolio.com
- Administrative messages (Legal basis: Contract performance, Legal obligation) - Sending essential service updates, security alerts, and policy changes
- Service improvement (Legal basis: Legitimate interests) - Analyzing aggregated usage patterns to optimize our Services
- Security and fraud prevention (Legal basis: Legitimate interests, Legal obligation) - Protecting against, identifying, and preventing fraud, abuse, and illegal activity
- Legal compliance (Legal basis: Legal obligation) - Complying with applicable laws, regulations, and legal processes
- Copyright enforcement (Legal basis: Legal obligation) - Responding to DMCA notices sent to dmca@craftedfolio.com
4.1 Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), our legal basis for collecting and using your personal information depends on the specific data and context:
- Contract Performance: Processing is necessary to perform our contract with you (providing Services)
- Legitimate Interests: Processing is necessary for our legitimate interests (improving Services, security, fraud prevention), provided these interests don't override your rights
- Legal Obligation: Processing is necessary to comply with legal requirements
- Consent: You have given explicit consent for specific purposes (we will ask separately when applicable)
5. Sharing Your Information
We do NOT sell your personal information to third parties. We may share your information only in the following limited circumstances:
5.1 Service Providers and Partners
We work with the following categories of third-party service providers who process data on our behalf:
- Hosting and Infrastructure: Vercel (hosting), MongoDB Atlas (database) - These providers store and process your data to deliver our Services
- Email Services: Our own email infrastructure for transactional emails (password resets, account notifications)
- Payment Processors: (Future) Stripe, Razorpay, or PayPal - For processing payments, subject to their own privacy policies
- Content Delivery: CDN services for faster content delivery globally
These service providers have contractual obligations to protect your data and may only use it for the purposes we specify.
5.2 Legal Requirements
- Law enforcement: When required by law, subpoena, court order, or governmental request
- Legal rights protection: To enforce our Terms of Service, protect our rights, property, or safety
- Fraud prevention: To detect, prevent, or investigate fraud, security issues, or illegal activity
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website of any such change.
5.4 Public Content
Information you choose to make public in your portfolios or digital cards is accessible to anyone who visits your portfolio/card URL. This content may be shared, copied, or indexed by search engines.
5.5 We Do NOT Sell Your Data
Important for CCPA Compliance: We do not sell, rent, or otherwise disclose your personal information to third parties for their marketing purposes or for monetary consideration. We have not sold personal information in the past 12 months and do not intend to do so in the future.
6. Cookies and Tracking Technologies
We use limited cookies necessary for the operation of our Services. Cookies are small text files stored on your device.
6.1 Types of Cookies We Use
- Essential Cookies (Strictly Necessary):
  - Authentication tokens - Keep you logged in securely (Duration: Session or 30 days if "Remember Me" is selected)
  - Session cookies - Maintain your session state (Duration: Until browser closes)
- Functional Cookies:
  - Theme preference - Remember your light/dark mode choice (Duration: 1 year)
  - Language preference - If implemented (Duration: 1 year)
6.2 Cookies We Do NOT Use
We do NOT use:
- Third-party advertising cookies
- Marketing or targeting cookies
- Cross-site tracking cookies
- Third-party analytics cookies (Google Analytics, etc.)
- Social media tracking pixels
6.3 Managing Cookies
You can control cookies through your browser settings. However, disabling essential cookies may prevent you from using certain features of our Services (such as staying logged in). Most browsers allow you to:
- View what cookies are stored and delete them individually
- Block third-party cookies
- Block all cookies
- Delete all cookies when you close your browser
7. Data Security
We implement industry-standard technical and organizational measures to protect your personal information:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS)
- Encryption at Rest: Sensitive data (passwords) is stored hashed using an industry-standard hashing algorithm (bcrypt)
- Access Controls: Limited employee/administrator access to personal data on a need-to-know basis
- Authentication: Secure session management and password requirements
- Regular Security Monitoring: Monitoring for suspicious activity and potential security threats
- Secure Infrastructure: Our hosting providers (Vercel, MongoDB Atlas) maintain SOC 2 Type II compliance and industry certifications
However, please note that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of your account credentials.
8. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
8.1 Retention Periods
- Active Account Data: Retained for the duration of your account plus 30 days after account deletion (to allow recovery)
- Deleted Account Data: Permanently deleted 30 days after account deletion, except where retention is required by law
- Published Content: Your portfolios and digital cards remain accessible until you delete them or close your account
- Security Logs: IP addresses and security logs retained for 7 days, then automatically deleted
- Error Logs: Technical error logs retained for 30 days for debugging purposes
- Backup Data: Backup copies may be retained for up to 90 days for disaster recovery purposes
- Legal Hold: Data may be retained longer if required for legal proceedings, investigations, or regulatory requirements
- Anonymized Data: We may retain anonymized, aggregated data indefinitely for statistical purposes
8.2 Account Deletion
When you request account deletion, we will:
- Mark your account for deletion and disable access immediately
- Remove your data from active systems within 30 days
- Purge backup copies within 90 days
- Retain only data required by law (e.g., transaction records for tax purposes)
9. International Data Transfers
Your personal information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from those of your country.
9.1 Where Your Data is Stored
We operate from India and use service providers located globally:
- Primary Operations: Maharashtra, India
- Hosting Infrastructure: Vercel (United States, with global CDN edge locations)
- Database: MongoDB Atlas (may be stored in US, EU, or other regions depending on configuration)
- Email Infrastructure: India-based servers
9.2 Safeguards for International Transfers
When transferring data internationally, we ensure appropriate safeguards are in place:
- For EU Users: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission when transferring data outside the EEA
- Service Provider Agreements: Our service providers (Vercel, MongoDB) are contractually obligated to protect your data in compliance with GDPR and other applicable laws
- Security Measures: Data is encrypted in transit and at rest regardless of geographic location
By using our Services, you acknowledge and consent to the international transfer of your personal information as described above.
10. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users via email within 72 hours of discovering the breach
- Notify relevant supervisory authorities as required by applicable law (e.g., GDPR, CCPA)
- Provide information about the nature of the breach, data affected, and steps being taken
- Offer guidance on protective measures you can take
- Investigate the breach and take remedial action to prevent future incidents
If you believe your account has been compromised, please contact us immediately at support@craftedfolio.com.
11. Children's Privacy
Our Services are not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).
If you are between 13 and 18 years of age, you represent that you have obtained permission from your parent or legal guardian to use our Services and that they have agreed to our Terms of Service and this Privacy Policy on your behalf.
If you become aware that a child under 13 has provided us with personal information, please contact us at support@craftedfolio.com. If we become aware that we have collected personal information from a child under 13 without verification of parental consent, we will take immediate steps to delete that information from our servers and terminate the associated account.
12. Your Data Protection Rights
Depending on your location, you have certain rights regarding your personal information. Below we outline rights available to users globally, as well as specific rights for EU/EEA and California residents.
12.1 Rights for All Users
- Right to Access: Request a copy of the personal information we hold about you
- Right to Correction: Request correction of inaccurate or incomplete personal information
- Right to Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Right to Withdraw Consent: Withdraw consent where processing is based on consent
- Right to Object: Object to processing of your personal information for specific purposes
12.2 Additional Rights for EEA/UK Users (GDPR)
If you are located in the European Economic Area or United Kingdom, you have additional rights under GDPR:
- Right to Rectification: Correct inaccurate personal data and complete incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data in certain circumstances
- Right to Restriction of Processing: Request restriction of processing in certain situations
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
- Right Not to Be Subject to Automated Decision-Making: Not be subject to decisions based solely on automated processing, including profiling (Note: We do not engage in automated decision-making)
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority (e.g., ICO in UK, CNIL in France, etc.)
12.3 California Residents' Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request information about:
  - Categories of personal information we collect
  - Categories of sources from which we collect personal information
  - Business or commercial purposes for collecting personal information
  - Categories of third parties with whom we share personal information
  - Specific pieces of personal information we have collected about you
- Right to Delete: Request deletion of personal information we have collected from you (subject to exceptions)
- Right to Opt-Out of Sale: We do NOT sell personal information. We have not sold personal information in the past 12 months
- Right to Opt-Out of Sharing: We do not share personal information for cross-context behavioral advertising
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information beyond what is necessary to provide our Services
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
12.4 How to Exercise Your Rights
To exercise any of the above rights, please contact us at:
- Email: support@craftedfolio.com
- Subject Line: "Privacy Rights Request"
We will respond to your request within:
- GDPR (EEA/UK): 30 days (may be extended to 60 days for complex requests)
- CCPA (California): 45 days (may be extended to 90 days with notice)
- Other jurisdictions: 30 days
To protect your privacy, we will verify your identity before fulfilling your request. We may ask you to provide:
- The email address associated with your account
- Confirmation via email verification link
- Additional information if necessary to verify your identity
12.5 Authorized Agents (CCPA)
California residents may designate an authorized agent to make requests on their behalf. To designate an authorized agent:
- Provide written permission signed by you authorizing the agent to act on your behalf
- We may require you to verify your identity directly with us
- We may require the agent to provide proof of authorization
13. Third-Party Links and Services
Our Services allow users to include links to third-party websites, social media platforms, payment services, e-commerce sites, and other external services in their portfolios and digital cards.
13.1 No Control Over Third Parties
We have no control over, and assume no responsibility for, the content, privacy policies, data collection practices, or security of any third-party websites or services. When you click on external links in portfolios or digital cards, you are leaving our Services and are subject to the privacy policies and terms of those third-party sites.
13.2 Third-Party Data Collection
Third-party services (such as payment processors, social media platforms, or analytics tools embedded by users) may collect information about you according to their own privacy policies. We are not responsible for their data practices. Examples include:
- Payment processors (Stripe, PayPal, Razorpay) collecting transaction data
- Social media platforms tracking your interactions with embedded content
- External websites collecting information when you visit via links in portfolios/cards
We strongly encourage you to review the privacy policies of any third-party websites or services you interact with.
14. Do Not Track Signals
Some browsers incorporate a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want to have your online activity tracked. Since we do not use third-party tracking or advertising technologies, DNT settings do not affect our Services. We respect your privacy by default and do not track you across other websites.
15. Changes to This Privacy Policy
We may update our Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:
- Update the "Last Updated" date at the top of this Privacy Policy
- Post the new Privacy Policy on this page
- For material changes, notify you via email to the address associated with your account (if applicable)
- For material changes affecting GDPR rights, provide at least 30 days' notice
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Services after changes are posted constitutes your acceptance of the updated Privacy Policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
General Privacy Inquiries:
Email: support@craftedfolio.com
Data Protection Rights Requests:
Email: support@craftedfolio.com
Subject: "Privacy Rights Request"
DMCA Copyright Issues:
Email: dmca@craftedfolio.com
Security Concerns:
Email: support@craftedfolio.com
Subject: "Security Issue"
Mailing Address:
Craftedfolio
Maharashtra, India
(For privacy inquiries, email is preferred)
16.1 Supervisory Authority (GDPR)
If you are located in the EEA or UK and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority. You can find your local authority at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
By using our Services, you consent to our Privacy Policy and agree to its terms.