ENCATCH PRIVACY POLICY

Effective Date: [●]

Last Updated: March 03, 2026

This Privacy Policy explains how Phyder Mobile Solutions Pvt. Ltd., a company incorporated in India with its registered office at 412/413, 4th Floor, Palmspring (Above Croma), Link Road, Malad West, Mumbai City, Mumbai, Maharashtra, India, 400064 (the "Company"), operating the business and brand name "Encatch" ("Encatch," "we," "us," or "our"), collects, uses, discloses, and otherwise processes Personal Data in connection with (a) our website located at https://encatch.com (the "Website") and (b) the Encatch platform, including its dashboard, SDKs, APIs, integrations, and AI-enabled features.

1. INTRODUCTION, SCOPE AND APPLICATION

Capitalized terms not defined in this Privacy Policy have the meanings given in our Terms of Service (available at: [INSERT ToS LINK]) and, where applicable, the Data Processing Addendum / Data Processing Agreement ("DPA") and other documents referenced in this Privacy Policy.

1.2. Customer End-User Notices

Where a Customer uses the SDKs or APIs to collect feedback, surveys, bug reports, or similar inputs from the end users of the Customer's own applications or websites, the Customer is responsible for providing its own privacy notice and obtaining any required consents or authorizations. This Privacy Policy does not replace a Customer's privacy notice to its end users.

1.3. Cookies

Our use of cookies and similar technologies on the Website is described in our Cookie Policy, available at: [INSERT COOKIE POLICY LINK]. Non-essential cookies are disabled by default and are enabled only after you provide consent through our cookie preference controls.

1.4. Processing on Customer Instructions; DPA Controls

To the extent Encatch processes certain Personal Data on behalf of a Customer as a Processor (for example, feedback data collected via the SDKs) under a DPA, the DPA governs that processing and will control in the event of any conflict with this Privacy Policy for that processing.

1.5. Who this Privacy Policy Applies to

This Privacy Policy applies to individuals who:

a. visit or interact with the Website;

b. engage with us in a business context (including sales inquiries, marketing communications, events, demos, and similar interactions);

c. create, administer, or use an account to access or use the Service on behalf of a Customer; and/or

d. contact us for support or otherwise communicate with us.

1.6. Updates

We may update this Privacy Policy from time to time. The "Last Updated" date at the top indicates when this Privacy Policy was last revised. If we make material changes, we will provide notice as required by Applicable Law (for example, by posting an updated version on the Website or through the Service).

2. DEFINITIONS

2.1. "Personal Data"

means any information relating to an identified or identifiable natural person and includes "personal data" as defined under (a) the General Data Protection Regulation (EU) 2016/679 ("GDPR") and (b) the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act"), as applicable.

2.2. "Controller"

means the person or entity that determines the purposes and means of processing Personal Data and includes a "controller" under the GDPR and a "data fiduciary" under the DPDP Act, as applicable.

2.3. "Processor"

means the person or entity that processes Personal Data on behalf of a Controller and in accordance with the Controller's documented instructions and includes a "processor" under the GDPR and a "data processor" under the DPDP Act, as applicable.

2.4. "Processing"

means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, transfer, combination, restriction, erasure, or destruction.

2.5. "Applicable Law"

means all laws, regulations, and legally binding requirements applicable to the Processing of Personal Data under this Privacy Policy, including, where relevant, the GDPR and the DPDP Act.

3. CONTROLLER VS PROCESSOR (OUR ROLE)

3.1. When Encatch Acts as a Controller

Encatch acts as a Controller with respect to Personal Data that we collect and process directly in connection with:

a. visits to and interactions with the Website;

b. sales, marketing, events, demos, and other business communications;

c. creation and administration of Customer accounts, including Authorized Users;

d. billing, invoicing, and payment-related activities;

e. support requests and communications; and

f. security, compliance, and internal business operations.

In these circumstances, Encatch determines the purposes and means of processing such Personal Data.

3.2. When Encatch Acts as a Processor

Encatch acts as a Processor where we process Personal Data on behalf of a Customer, for example, where a Customer uses the Service (such as SDKs or APIs) to collect feedback, surveys, bug reports, or similar inputs from individuals interacting with the Customer's own applications or websites.

In such cases:

a. the Customer acts as the Controller (or data fiduciary under the DPDP Act);

b. Encatch processes Personal Data only in accordance with the Customer's documented instructions and the applicable DPA; and

c. requests from Customer End Users relating to such Personal Data should be directed to the relevant Customer, subject to Encatch's assistance obligations under the DPA.

4. INFORMATION WE COLLECT (CONTROLLER-SIDE)

4.1. Website Interactions

When you visit or interact with the Website, we may collect Personal Data such as IP address, device and browser information, pages viewed, referring/exit pages, approximate location derived from IP address, and similar usage information.

4.2. Business Communications

If you contact us or engage with us for sales, marketing, events, demos, or other business communications, we may collect Personal Data such as your name, work email address, company name, job title/role, and the content of your communications.

4.3. Account and Workspace Information

If you create, administer, or use an account to access or use the Service on behalf of a Customer, we may collect Personal Data such as name, work email address, account authentication information (such as hashed passwords or similar credentials), user roles/permissions, workspace settings/configurations, and related account metadata.

4.4. Billing and Payment Administration

If you subscribe to a paid Plan or otherwise transact with us, we may collect billing contact details, invoicing information, payment status, and related transaction metadata. We typically do not receive full payment card details where payments are handled by a payment processor.

4.5. Support and Communications

If you contact us for support or otherwise communicate with us, we may collect Personal Data contained in your messages and any attachments you choose to provide.

4.6. Usage, Telemetry, and Logs

We may collect technical and usage information generated when Authorized Users access or use the Service, such as feature usage events, diagnostics, performance logs, and security logs.

5. INFORMATION PROCESSED ON CUSTOMER INSTRUCTIONS (PROCESSOR-SIDE)

5.1. Customer End-User Data Processed on Instructions

Where a Customer uses the Service (including the SDKs or APIs) to collect feedback, surveys, bug reports, or similar inputs from its Customer End Users, Encatch processes only such Personal Data that the Customer (through its configuration and use of the Service) elects to submit or transmit to Encatch for processing on the Customer's behalf, and does so in accordance with the Customer's documented instructions and the applicable DPA.

5.2. Customer Control and Configuration

The Customer determines what end-user data is collected, the fields or prompts shown to Customer End Users, whether identifiers (such as user IDs, email addresses, phone numbers, or hashed identifiers) are provided to Encatch, and which integrations or workflows are enabled. The Customer is responsible for providing appropriate notices and obtaining any required consents or authorizations from its end users.

5.3. Sensitive Data

Customer will not (and will not permit Customer End Users to) submit, upload, transmit, or otherwise make available through the Service any Sensitive Data. Encatch does not monitor, screen, or filter Personal Data processed on Customer instruction to detect or prevent submission of Sensitive Data. Customer is responsible for configuring its feedback flows, forms, and SDK/API implementations and for providing appropriate end-user notices and obtaining any required consents or authorizations to minimize and avoid the collection of Sensitive Data through the Service. Customer represents and warrants that it has implemented appropriate notices, consents, and safeguards designed to minimize and avoid the collection of Sensitive Data through the Service. Customer will promptly notify Encatch if Customer anticipates that Sensitive Data will be processed through the Service (whether intentionally or inadvertently), and any such processing will be governed by the DPA's Sensitive Data terms.

5.4. Customer End-User Rights Requests

Requests from Customer End Users relating to Personal Data processed by Encatch on Customer instruction should be directed to the relevant Customer. Encatch will assist the Customer in responding to such requests as required under the applicable DPA and Applicable Law.

6. HOW WE USE PERSONAL DATA (PURPOSES)

6.1. Controller-Side Purposes (When Encatch Acts as a Controller)

Where Encatch acts as a Controller (as described in Clause 3.1), we may use Personal Data for the following purposes:

a. to operate, maintain, and provide the Website and Service (including account creation, authentication, access management, and workspace administration);

b. to respond to inquiries, provide customer support, troubleshoot issues, and communicate with you (including service-related notices and administrative messages);

c. to manage subscriptions, billing, invoicing, and payment administration, and to maintain related records;

d. to monitor, prevent, detect, and address security issues, fraud, abuse, and unauthorized access, and to enforce our Terms of Service and other applicable policies;

e. to analyze usage of the Website and Service and improve their functionality, performance, and user experience (including through analytics and service optimization);

f. to conduct internal business operations, reporting, audits, and recordkeeping; and

g. to comply with Applicable Law, respond to lawful requests, and protect our rights, property, and safety (and those of our Customers, users, and others).

6.2. Processor-Side Purposes (When Encatch Acts as a Processor)

Where Encatch acts as a Processor (as described in Clause 3.2), we process Personal Data solely on behalf of the relevant Customer and in accordance with the Customer's documented instructions and the applicable DPA, including to:

a. provide, operate, and support the Service for the Customer (including routing, tagging, organizing, and otherwise processing Customer End-User Feedback Data as configured by the Customer);

b. maintain the security and integrity of the Service, prevent or address technical issues, and perform troubleshooting and support; and

c. comply with Applicable Law to the extent applicable to Encatch as a Processor.

6.3. No Independent Use

Encatch does not use Personal Data processed on Customer instruction for its own independent purposes, except to the extent such data has been aggregated and/or de-identified so that it no longer constitutes Personal Data, or as otherwise expressly permitted under the DPA and Applicable Law.

Where the GDPR applies to our Processing of Personal Data as a Controller, we rely on one or more of the following lawful bases, depending on the context:

a. Contract. Processing is necessary to perform a contract with you (or to take steps at your request before entering into a contract), including to provide the Website and Service, administer accounts, manage subscriptions, and provide support.

b. Legitimate Interests. Processing is necessary for our legitimate interests (or those of a third party), including to operate, secure, and improve the Website and Service; prevent fraud, abuse, and unauthorized access; maintain service performance; conduct internal business operations; and communicate with Customers and Authorized Users about service-related matters, provided such interests are not overridden by your rights and interests.

c. Consent. Processing is based on your consent, where required (for example, for certain marketing communications or the use of non-essential cookies and similar technologies on the Website). You may withdraw your consent at any time. Withdrawal will not affect the lawfulness of Processing based on consent before its withdrawal.

d. Legal Obligation. Processing is necessary to comply with our legal obligations (for example, responding to lawful requests or maintaining records required by Applicable Law).

Where the DPDP Act applies to our Processing of Personal Data, we process Personal Data with appropriate notice and consent where required, and as otherwise permitted under Applicable Law. Where we act as a Processor on behalf of a Customer, the Customer is responsible for providing required notices and obtaining any required consents or other lawful basis/authorizations from Customer End Users for the Customer's collection and provision of such Personal Data to Encatch, subject to the applicable DPA.

7.3. Processor-Side Processing (Customer-controlled)

Where Encatch acts as a Processor (as described in Clause 3.2), we process Personal Data on behalf of the relevant Customer and in accordance with the Customer's documented instructions and the applicable DPA. In such cases, the Customer (as Controller/data fiduciary) is responsible for determining the lawful basis for Processing and providing required notices to Customer End Users. Encatch's Processing is limited to the Customer's documented instructions, the DPA, and Applicable Law.

7.4. Other Data Protection Laws (where applicable)

Where any other data protection or privacy law applies to our Processing of Personal Data, we will process such Personal Data in accordance with that law's requirements, including (as applicable) by providing required notices, obtaining required consents or authorizations, honoring applicable rights requests, and implementing appropriate safeguards. Where Encatch processes Personal Data as a Processor on behalf of a Customer, the Customer remains responsible for compliance with such laws for its collection and use of that Personal Data, subject to the applicable DPA.

Our use of cookies and similar technologies on the Website is described in the Cookie Policy. Where required by Applicable Law, non-essential cookies (including analytics cookies) are used only based on appropriate consent choices made through our cookie preference controls. Consistent with our current configuration, analytics (including Google Analytics) is disabled by default and is enabled only after consent is provided; if a user rejects non-essential cookies, Google Analytics remains disabled. Essential cookies may be used without consent where permitted by Applicable Law.

7.6. Marketing Choices (where applicable)

Where we send marketing communications, you may opt out at any time by using the unsubscribe mechanism in the message or by contacting us using the details in Clause 18. If you opt out of marketing communications, we may still send you non-promotional, service-related messages (for example, security notices, billing notices, or administrative updates).

8. AI FEATURES & AI PROCESSING

8.1. AI Processing Inputs and Outputs

Depending on the Customer's configuration and configured workflows, AI Features may process (a) Customer End-User Feedback Data and related identifiers provided by the Customer, (b) other Customer Data submitted through the Service, and (c) usage and context necessary to generate AI Outputs (collectively, "AI Inputs"). AI Features may generate AI Outputs such as summaries, classifications, tags, suggested actions, and other results.

8.2. Third-Party Model Providers

AI Features may rely on third-party model providers and routing layers to process AI Inputs and generate AI Outputs. When AI Features are used (for example, when an Authorized User invokes an AI workflow or an AI-enabled function runs as part of the configured workflow), AI Inputs may be transmitted to and processed by such providers as part of providing the Service. We take reasonable steps to ensure that such providers process AI Inputs only for the purpose of providing the AI Features (including hosting, support, and security), and subject to applicable contractual terms and safeguards.

8.3. No Training by Default

Encatch's intended configuration is that Customer Data submitted through AI Features is not used to train or improve third-party providers' general-purpose models. Where AI Features rely on third-party model providers, Encatch's approach is to use providers/settings that offer "no training"/restricted-use options (where available) and to rely on applicable contractual terms and safeguards. If a Customer requests or enables any such broader-use configuration, to the extent that capability is made available, it will be subject to Customer agreement and, where applicable, the DPA and Applicable Law.

8.4. International Processing

AI processing may involve cross-border data transfers or processing outside the country where the Customer or Customer End Users are located (including, depending on configuration, in the United States or other jurisdictions). Where required by Applicable Law, Encatch will implement appropriate safeguards for such transfers.

8.5. Customer Responsibilities

Depending on the Plan, Service configuration, and the capabilities made available in the Service from time to time, AI Features may be enabled by default and may run as part of configured workflows. Customers are responsible for (a) deciding how to configure and use AI Features within their workflows and (b) determining what information they submit, input, route, or otherwise make available for AI processing through their use of the Service (including through prompts, workflow design, and any integrations the Customer enables). Customers are responsible for providing any required notices and obtaining any required consents or authorizations for such AI processing, including where AI Inputs include Personal Data of Customer End Users.

Where Encatch acts as a Controller, we may share Personal Data with:

a. Service Providers. Vendors and service providers that help us operate the Website and Service and perform business functions on our behalf (for example, hosting and infrastructure, analytics, customer support, email/communications, and billing, invoicing, and payment processing). These providers are authorized to process Personal Data only as necessary to provide services to us and in accordance with applicable contractual terms and safeguards.

b. Professional Advisers. Our professional advisers (such as lawyers, auditors, and accountants) where necessary for advice, compliance, or protection of our legal interests.

c. Compliance and Protection. Government authorities, regulators, law enforcement, courts, or other third parties where we believe disclosure is necessary to comply with Applicable Law, respond to lawful requests, protect rights and safety, prevent fraud or abuse, or enforce our Terms of Service and other policies.

d. Business Transfers. In connection with a merger, acquisition, financing, reorganization, sale of assets, or similar transaction (including due diligence), subject to appropriate confidentiality and data protection safeguards.

Where Encatch acts as a Processor, we may share Personal Data processed on Customer instruction with:

a. Subprocessors. Vendors engaged to help us provide the Service (including hosting, infrastructure, support, and security providers). Subprocessors are engaged and managed in accordance with the DPA.

b. Customer-Directed Disclosures. Third-Party Services or integrations enabled or configured by the Customer (for example, webhooks, workflow tools, or external systems), in accordance with the Customer's configuration and instructions. Third-Party Services are governed by their own terms and privacy policies, and the Customer is responsible for evaluating and enabling such Third-Party Services. For clarity, Encatch does not control, and is not responsible for, how Third-Party Services process data once transmitted to them.

c. Legal Requirements. Authorities or third parties where required by Applicable Law, in which case we will take reasonable steps to notify the Customer where permitted.

Encatch does not sell Personal Data, and we do not share Personal Data for cross-context behavioral advertising.

10. INTERNATIONAL TRANSFERS

10.1. Cross-Border Processing

The Website and Service are operated from India, and Personal Data may be processed, accessed (including through remote access), or stored in countries other than the country where you are located, including where we use service providers, subprocessors, or AI model providers that operate in other jurisdictions.

10.2. Safeguards (where required)

Where Applicable Law requires safeguards for international transfers (for example, under the GDPR), we take appropriate measures to protect Personal Data, which may include entering into appropriate contractual safeguards and implementing supplementary technical and organizational measures, as applicable. Where Encatch processes Personal Data on behalf of a Customer as a Processor, transfer mechanisms and safeguards are addressed in the applicable DPA.

10.3. Customer-Directed Transfers

Where a Customer enables integrations or Third-Party Services, Personal Data may be transmitted to those third parties as configured by the Customer, and may be subject to international processing by those third parties. The Customer is responsible for evaluating and enabling such Third-Party Services and for ensuring required notices and lawful bases are in place for such transfers.

11. RETENTION

11.1. Retention During the Term

We retain Personal Data for as long as necessary to provide the Website and Service, administer accounts, provide support, and carry out the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by Applicable Law, including for security and audit logs. For Service data stored within the Service (including Customer Data), retention during the subscription term may vary based on the applicable Plan and the Customer's configuration choices (for example, selecting a feedback data retention window such as 3 months up to 2 years).

11.2. Post-Termination Retention (Service Data)

Where a Customer terminates the Service, we retain Customer Data (including Personal Data contained in such Customer Data) for up to 60 days following termination, unless otherwise required by Applicable Law or subject to a legal hold.

11.3. Backups

Customer Data (including Personal Data contained in such Customer Data) may remain in backups for up to 45 days after deletion or termination, after which it is deleted or overwritten in the ordinary course, unless otherwise required by Applicable Law or subject to a legal hold.

11.4. Operational Logs

Certain security, diagnostic, and operational logs (including logs indicating when AI Features are invoked or triggered at a workspace/dataset level) may be retained for security, troubleshooting, and audit purposes. Where retained, we generally discard such logs from active records within one (1) month, and such logs may remain in backups for up to ninety (90) days, unless a longer period is required by Applicable Law or subject to a legal hold.

11.5. Legal Hold and Disputes

Notwithstanding the above, we may retain Personal Data for longer periods where necessary to comply with Applicable Law, respond to lawful requests, enforce our agreements, resolve disputes, or protect our rights, property, and safety (and those of our Customers, users, and others).

11.6. Processor-Side Retention

Where Encatch processes Personal Data on behalf of a Customer as a Processor, retention and deletion obligations are governed by the applicable DPA and the Customer's documented instructions, subject to Applicable Law.

12. SECURITY

12.1. Safeguards

We implement commercially reasonable technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

12.2. No Absolute Guarantee

While we take reasonable steps to protect Personal Data, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

12.3. Shared Responsibility

Security is a shared responsibility. Customers are responsible for maintaining the confidentiality of account credentials and API Keys, controlling Authorized User access, and securely configuring their deployments (including SDK/API implementations, fields/prompts, integrations, and AI workflows).

12.4. Processor-Side Security

Where Encatch processes Personal Data on behalf of a Customer as a Processor, we will implement appropriate security measures as required under the applicable DPA and Applicable Law.

12.5. Security Incidents

Our security incident handling and notification obligations (including applicable timelines and delivery methods) are addressed in the Terms of Service and, where relevant, the DPA. Where Encatch processes Personal Data as a Processor, incident handling and notifications are governed by the DPA. Customers remain responsible for any end-user or regulator notifications required under Applicable Law.

13. YOUR RIGHTS & CHOICES

13.1. Rights When Encatch Acts as a Controller

Where Encatch acts as a Controller (as described in Clause 3.1), you may have certain rights in relation to your Personal Data under Applicable Law. The specific rights available to you depend on where you are located and the laws that apply (including, where applicable, the GDPR and the DPDP Act), and may be subject to conditions and exceptions.

Where the GDPR applies, and subject to applicable conditions and exceptions, you may have the right to:

a. request access to and a copy of your Personal Data;

b. request rectification of inaccurate Personal Data;

c. request erasure of your Personal Data;

d. request restriction of Processing;

e. request data portability;

f. object to Processing (including where we rely on legitimate interests, and for direct marketing); and

g. lodge a complaint with a supervisory authority in the EU/EEA (or the UK supervisory authority (ICO), where applicable).

13.3. DPDP Act Rights (where DPDP Act applies)

Where the DPDP Act applies, and subject to applicable conditions and exceptions, you may have the right to:

a. access information about the Personal Data we process about you;

b. request correction and updating of your Personal Data;

c. request deletion/erasure of your Personal Data;

d. withdraw consent (where consent is the basis of Processing); and

e. submit grievances using the contact details in Clause 18.

13.4. Requests Relating to Processor-Side Data (Customer End Users)

Where Encatch processes Personal Data on behalf of a Customer as a Processor (as described in Clause 3.2), requests from Customer End Users relating to such Personal Data should be directed to the relevant Customer. Encatch will assist the Customer in responding to such requests as required under the applicable DPA and Applicable Law.

13.5. How to Exercise Your Rights

You may submit requests by contacting us using the details in Clause 18. We may need to verify your identity before fulfilling a request. If you are an Authorized User acting on behalf of a Customer, we may refer your request to the relevant Customer where appropriate.

14. COOKIES

Our use of cookies and similar technologies on the Website is described in our Cookie Policy, available at: [INSERT COOKIE POLICY LINK].

You can manage your cookie preferences through our cookie preference controls. Non-essential cookies (including analytics cookies) are disabled by default and are enabled only after you provide consent through those controls. Where permitted by Applicable Law, essential cookies may be used without consent.

15. THIRD-PARTY SERVICES

15.1. Third-Party Services and Links

The Website and Service may contain links to, or enable connections with, third-party websites, applications, services, or integrations (including Third-Party Services enabled by a Customer through configurations, webhooks, or other workflows).

15.2. Independent Third Parties

Third-Party Services are operated by independent third parties and are governed by their own terms and privacy policies. If you access or use a Third-Party Service, you should review the third party's privacy practices.

15.3. No Control After Transfer

To the extent Personal Data is transmitted to a Third-Party Service (including through Customer-enabled integrations), Encatch does not control and is not responsible for the Third-Party Service's processing of that data once transmitted.

15.4. Customer Responsibility for Integrations

Where a Customer enables or configures Third-Party Services, the Customer is responsible for evaluating those Third-Party Services and for ensuring appropriate notices, consents, and lawful bases are in place for any related data sharing or transfers, subject to Applicable Law.

b. General Support: support@encatch.com.

c. Postal Address:

Phyder Mobile Solutions Pvt. Ltd.

412/413, 4th Floor, Palmspring (Above Croma),

Link Road, Malad West,

Mumbai City, Mumbai, Maharashtra, India – 400064.

18.2. Response

We will review and respond to privacy requests and grievances in accordance with Applicable Law.

Privacy Policy

On this page