Your privacy matters. This Privacy Policy explains how ÉCLATIN collects, uses, shares, and protects your personal data, in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025.
We've written this policy to be clear and readable. If anything is unclear or you have a question, please contact our Grievance Officer at enquiries@eclat-india.com.
1. Overview & Your Rights at a Glance
ÉCLATIN ("ÉCLATIN," "we," "us," or "our") is the Data Fiduciary responsible for the personal data you share with us. This Privacy Policy explains what data we collect, why we collect it, how we use it, and the rights you have over your data under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and other applicable Indian laws.
Quick summary of your rights:
- Right to access the personal data we hold about you
- Right to correct inaccurate or incomplete data
- Right to erase your personal data (subject to legal retention requirements)
- Right to withdraw consent at any time, with the same ease with which it was given
- Right to nominate another individual to exercise these rights in case of your death or incapacity
- Right to grievance redressal through our internal process and the Data Protection Board of India
You can exercise most of these rights directly through your dashboard settings. For others, contact us at enquiries@eclat-india.com.
2. Personal Data We Collect
Below is an itemized description of the personal data we collect, in compliance with DPDP Act requirements. Data is collected directly from you, automatically through your use of the platform, or from third-party services where applicable.
Data You Provide Directly
- Account information (email sign-up): Full legal name, email address, phone number, date of birth (used for age verification only), and password (stored as a one-way hash by our authentication provider — never in plain text, never accessible to ÉCLATIN staff)
- Verification data: Email and phone OTP codes during verification (not stored after verification completes)
Data from Third-Party Sign-In (Google)
If you choose to sign up or log in using your Google account, we receive the following information from Google as part of the OAuth 2.0 authentication flow:
- Name: Your display name as it appears on your Google account
- Email address: Your primary Google account email, which we use as your ÉCLATIN account identifier
- Profile photo: Your Google profile picture (used only to display within your ÉCLATIN account; you may change or remove it at any time)
- Google account identifier: A unique identifier issued by Google that allows us to recognise your account on future sign-ins; we do not receive or store your Google password
We do not receive access to your Google Drive, Gmail, contacts, or any other Google services. We request only the minimum scopes required for authentication: your basic profile and email address. You may revoke ÉCLATIN's access to your Google account at any time via Google Account Permissions.
Other Directly Provided Data
- Portfolio content: Headshots, gallery images, showreel video URLs, biographical text, work history, achievements, languages, skills, physical attributes (height, eye color, hair details, etc.), location (city, state), social media links
- Messages: Content of messages you send and receive through the platform's chat feature, including any image attachments
- Communications with us: Support requests, feedback submissions, abuse reports, and any other correspondence
Data Collected Automatically
- Authentication tokens: Session cookies that keep you logged in
- Technical data: IP address, browser type, operating system, device identifiers, referring URL — collected primarily for security, fraud prevention, and platform reliability
- Usage data: Pages visited, features used, timestamps of activity, error logs
- Audit logs: Records of significant actions (publishing portfolios, sending messages, blocking users, deleting content) for security and dispute resolution
What We Do NOT Collect
- Government-issued identifiers (Aadhaar, PAN, passport numbers)
- Financial information (bank account details, payment card numbers)
- Biometric data (other than photographs you voluntarily upload)
- Health, medical, or genetic data
- Information about your location (beyond city/state you choose to share)
- Data from minors — accounts are restricted to users 18 and older
3. Purposes of Processing
We process your personal data for the specific purposes listed below. Each purpose is tied to a lawful basis under the DPDP Act, primarily your consent (given when you create an account and use platform features) or legitimate use (where processing is necessary to provide a service you have voluntarily requested).
- Account creation and management: Verifying your identity, securing your account, processing your authentication
- Portfolio hosting: Storing and displaying the content you upload, generating your public portfolio URL, optimizing images for delivery
- Public discovery: When you publish a portfolio version, making it accessible at your unique URL and to search engines (you control whether to publish or keep portfolios private)
- Messaging: Routing messages between users, enforcing rate limits and block lists, storing conversation history
- Verification: Sending OTP codes via email and SMS to verify your contact information
- Security and fraud prevention: Detecting and blocking unauthorized access, abuse, spam, and other malicious activity
- Platform improvement: Understanding which features are used, identifying bugs, improving performance (we use only aggregated, anonymized data for this purpose)
- Legal compliance: Meeting our obligations under Indian law, including responding to lawful requests from authorities
- Communications: Sending you essential service announcements, security alerts, and (with separate consent) updates about new features
We do not process your data for advertising, profiling, or selling to third parties. We do not use your data to train AI models or sell it to AI companies.
4. Consent & How to Withdraw It
When you create an account on ÉCLATIN, you provide consent for the processing described in this policy. We seek to make consent specific, informed, and freely given as required by the DPDP Act.
Withdrawing consent: You may withdraw your consent at any time, with the same ease with which you provided it:
- To stop marketing emails: Click the unsubscribe link in any marketing email, or email us at enquiries@eclat-india.com with the subject "Unsubscribe" and we will remove you within 5 business days
- To stop processing of your data entirely: Delete your account through the dashboard's "Delete Profile" feature (requires email OTP confirmation), or email us at enquiries@eclat-india.com
- To withdraw cookie consent: Click the "Manage Cookies" link in our cookie banner or in the footer of any page
Note that withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. Some processing may continue after consent withdrawal where it is necessary for legal compliance or to protect our legitimate interests (such as retaining audit logs for fraud investigation).
When you withdraw consent, we will, within a reasonable time, erase your personal data and instruct our data processors to do the same, except where retention is required by law.
5. Sharing & Third-Party Processors
ÉCLATIN does not sell your personal data. We share your data only with the following categories of recipients, and only to the extent necessary:
Service Providers (Data Processors)
We use trusted third-party service providers who process data on our behalf under strict contractual obligations:
- Supabase Inc. — Database, authentication, file storage, and real-time messaging infrastructure. Data processing occurs on AWS infrastructure in Asia-Pacific regions.
- Vercel Inc. — Application hosting and content delivery network.
- MSG91 (Walkover Web Solutions Pvt. Ltd.) — Delivery of email OTP codes for login. MSG91 processes your email address solely for this purpose.
Each processor is contractually bound to handle your data only for purposes we specify, maintain reasonable security safeguards, and delete data when no longer needed.
Other Users
Some of your data is intentionally shared with other users:
- Your published portfolio is visible to anyone who visits your URL (including search engines)
- Messages you send are visible to the recipient
- Your name appears in conversations you participate in
We do not share private (unpublished) portfolio versions with anyone other than you.
Legal & Regulatory
We may share your data when required by law, including:
- Responding to lawful requests from Indian government authorities, courts, or regulators
- Cooperating with investigations into illegal activity, fraud, or threats to safety
- Protecting our legal rights, property, or the safety of users and the public
- Complying with the Data Protection Board of India in the event of a personal data breach (within 72 hours of discovery, as required by law)
Business Transfers
In the event of a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change and any change in how your data will be processed.
6. Cross-Border Data Transfers
Your personal data is primarily stored on servers located in the Asia-Pacific region. Some of our service providers (such as Vercel) may process data outside India for content delivery and platform operations.
The DPDP Act permits cross-border transfer of personal data, except to specific countries notified by the Indian government as restricted. We do not transfer data to any country currently restricted under the Act.
Where data is transferred internationally, we ensure that equivalent levels of data protection are maintained through contractual safeguards with our processors.
7. Data Retention
We retain your personal data only as long as necessary for the purposes for which it was collected:
- Active account data: Retained while your account is open and active
- Deleted account data: Most data is deleted within 30 days of account closure. Some data may be retained for up to 90 days in encrypted backups.
- Audit logs: Retained for up to 24 months for security, dispute resolution, and legal compliance
- Aggregated analytics: Anonymized usage data may be retained indefinitely (this data cannot be linked back to you)
- Communications with support: Retained for up to 36 months to provide continuity of service
- Legal holds: Data subject to legal proceedings, investigations, or regulatory inquiries may be retained until those matters are resolved
When data is no longer needed for any of these purposes, it is permanently deleted from our active systems and backups.
8. Security Measures
We implement reasonable security safeguards to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our measures include:
- Encryption in transit: All data exchanged between your browser and our servers uses TLS 1.2 or higher
- Encryption at rest: Database and file storage are encrypted at the infrastructure level
- Access controls: Production systems are accessible only to authorized personnel through role-based access control
- Authentication: Passwords are hashed using industry-standard algorithms; we never store passwords in plain text
- Audit logging: Significant actions are logged for forensic review
- Backup and recovery: Regular encrypted backups ensure data can be recovered in the event of failure
- Vendor diligence: Our service providers are contractually bound to maintain equivalent security standards
Despite our efforts, no security system is impenetrable. If a personal data breach occurs, we will notify the Data Protection Board of India and affected users within 72 hours of becoming aware of the breach, as required by the DPDP Rules 2025. The notification will describe the nature and extent of the breach, the data affected, the timing and location, the consequences, and the steps we are taking to mitigate harm.
9. Your Rights Under DPDP Act 2023
As a Data Principal under the DPDP Act, you have the following rights with respect to your personal data:
Right to Access (Section 11)
You may request a summary of:
- The personal data we are processing about you
- The processing activities undertaken
- The identities of any other Data Fiduciaries with whom we have shared your data
- Any other information specified by the DPDP Rules
Right to Correction & Erasure (Section 12)
You may request that we:
- Correct inaccurate or misleading personal data
- Complete incomplete personal data
- Update outdated personal data
- Erase your personal data, except where retention is necessary for the specified purposes or required by law
You can correct most data directly by editing your profile in the dashboard. For erasure, use the "Delete Profile" feature.
Right to Grievance Redressal (Section 13)
If you have a complaint about how we process your personal data, you may file a grievance with our designated Grievance Officer (see the "Contact Us" section below). We will respond within 7 business days of receiving your complaint and resolve it within 30 days, as required by the Act.
If you are not satisfied with our response, you may escalate the complaint to the Data Protection Board of India:
- Website: www.dpbi.gov.in (when operational)
- Postal address: Data Protection Board of India, Ministry of Electronics and Information Technology, Government of India, New Delhi
Right of Nomination (Section 14)
You may nominate any other individual to exercise your rights under the DPDP Act in the event of your death or incapacity. To file a nomination, contact us at enquiries@eclat-india.com with the nominee's name, contact details, and your authorization.
How to Exercise These Rights
For any request related to the rights above:
- Self-service: Use the dashboard's account settings, profile editor, or "Delete Profile" feature
- Email us at enquiries@eclat-india.com with your request and a description of what you need
- We will respond within 30 days as required by law. Complex requests may take longer; we will notify you if more time is needed.
We may need to verify your identity before processing rights requests to ensure data is not disclosed to unauthorized parties.
11. Children's Data
ÉCLATIN is intended for adults 18 years of age and older. We do not knowingly collect personal data from individuals under 18.
If we become aware that we have collected personal data from a person under 18 without verifiable parental consent, we will delete that data promptly and close the associated account.
If you believe a minor has created an account on ÉCLATIN, please contact us immediately at enquiries@eclat-india.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users via email or through prominent platform notifications at least 30 days before the changes take effect
- For changes that materially expand the use of your data, request renewed consent where required
We encourage you to review this Privacy Policy periodically. Continued use of the platform after the effective date of any changes constitutes acceptance of the updated policy.
13. Contact Us — Grievance Officer
For all questions, requests, or complaints related to your personal data, you can submit a grievance online or contact our designated Grievance Officer directly:
Grievance Officer / Privacy Contact
Email: enquiries@eclat-india.com
Response time: Within 7 business days of receipt
Resolution time: Within 30 days of receipt
For escalation, you may file a complaint directly with the Data Protection Board of India once it becomes operational. Visit www.meity.gov.in for current information about the Board.
For general support questions unrelated to privacy, contact enquiries@eclat-india.com.