Privacy Policy.

1. Who we are

Stackleaf Studio (referred to as "we," "us," or "Stackleaf") is a small consulting practice operating from India. We help small and medium businesses get more value from their Zoho stack with AI. For data-protection purposes under India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), Stackleaf Studio is the Data Fiduciary.

You can reach us at [email protected].

2. What personal data we collect

We collect the following categories of personal data:

• Contact data you submit voluntarily: name, business email, company name, mobile number (optional), and the message you share through our contact form or by emailing us directly.
• Discovery call data: if you book a discovery call, we collect the slot time, your time zone, and the qualification answers you provide (Zoho products in use, team size).
• Engagement data, if you become a client: business information needed to deliver your audit and quick-fix engagement, including your Zoho account configuration. We never copy raw Zoho data out of your tenant.
• Email correspondence: any emails you send to or from [email protected], including content and attachments.

We do not collect: government-issued identifiers, financial account details (we use payment methods that handle this directly), location data, biometric data, or sensitive personal data of any kind beyond what you voluntarily share.

3. How we collect it

We collect personal data only when you actively share it with us through:

• The contact form on stackleaf.studio (powered by Zoho Forms)
• The discovery call booking page (powered by Zoho Bookings)
• Direct emails to [email protected]
• Conversations during a discovery call or paid engagement

Our website does not use cookies, analytics scripts, or tracking pixels. We do not profile visitors. We do not use behavioural targeting.

4. Why we collect it (lawful basis)

We process your personal data for the following legitimate purposes:

• To respond to your enquiry within 24 hours
• To schedule and conduct a discovery call
• To prepare a fixed-fee proposal if there is a fit
• To deliver an audit-and-fix engagement if you become a client
• To send you our weekly newsletter (Stackleaf Notes), only if you have explicitly subscribed
• To meet legal, accounting, and tax obligations

Under the DPDP Act, our lawful basis is your consent (when you submit a form, book a call, or subscribe), and our legitimate business purpose for delivering the services you have engaged us for.

5. Who we share it with

We share personal data only with the small set of trusted Data Processors required to operate the service. Each is bound by confidentiality and security obligations. They are:

• Zoho Corporation (Chennai, India) for email (Zoho Mail), CRM, Forms, Bookings, and related Zoho One services. Zoho stores data in its data centres including India.
• Netlify Inc. (USA) for website hosting. Netlify processes the IP address and request headers of every visitor to stackleaf.studio.
• Cloudflare Inc. (USA) as the upstream CDN used by our DNS and registrar provider.
• Substack Inc. (USA) only if you subscribe to our newsletter, in which case Substack processes your email address.

We do not sell your personal data. We do not share your data with advertisers, data brokers, or marketing networks.

6. International transfers

Some of our processors are located outside India (Netlify, Cloudflare, Substack are USA-based). When data is transferred internationally, the processors maintain industry-standard safeguards including encryption in transit and at rest. By submitting data to us, you consent to this international processing.

7. How long we keep it

• Lead enquiries that did not convert: retained for 12 months in our CRM, then auto-archived. You can request earlier deletion at any time.
• Active client data: retained for the duration of the engagement plus 3 years for tax and audit purposes (Indian tax law minimum).
• Newsletter subscriber data: retained until you unsubscribe.
• Email correspondence: retained for up to 3 years.

8. Your rights under the DPDP Act

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion of your data (subject to legal retention requirements)
• Withdraw consent at any time
• Nominate someone to exercise these rights on your behalf in case of incapacity
• Lodge a complaint with the Data Protection Board of India

To exercise any of these rights, email [email protected] with the subject line "Data Request." We respond within 7 working days.

9. Security

We use industry-standard technical and organisational measures to protect your data:

• HTTPS/TLS encryption on all stackleaf.studio pages and form submissions
• SPF, DKIM, and DMARC for email authentication
• Strong passwords and two-factor authentication on all admin accounts
• Principle of least privilege for any data access
• Encrypted backups

No system is perfectly secure. If we ever experience a data breach affecting your personal data, we will notify you and the Data Protection Board of India within the timelines required by the DPDP Act.

10. Children's data

Stackleaf Studio is a B2B service. We do not knowingly collect personal data from individuals under 18. If you believe we have collected such data inadvertently, please contact us so we can delete it.

11. Changes to this policy

We may update this policy occasionally. The "Last updated" date at the top will reflect the most recent change. Material changes will be communicated to existing clients and newsletter subscribers by email.

12. Contact

For any privacy-related question or to exercise your rights, contact us at [email protected].