
PRIVACY POLICY

Effective Date: 1st January 2026

This Privacy Policy constitutes an electronic record under the Information Technology Act, 2000 and the rules made thereunder, and is published in accordance with Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. It is to be read alongside our Terms of Service available at terrapincrm.com/terms.

1. Introduction and Acceptance

Turtle Software Pvt Ltd ("Turtle", "Terrapin", "we", "us", or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have over it.

This Policy applies to all individuals and businesses ("you" or "your") who access or use the Terrapin platform available at terrapincrm.com and any associated mobile applications, APIs, or services (collectively, the "Platform"). By using the Platform, you consent to the practices described in this Policy.

We primarily serve users in India and are committed to compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and the rules made thereunder. Users accessing the Platform from outside India acknowledge that their data will be processed and stored in India and, where applicable, on Google Cloud Platform infrastructure, which may span multiple geographies.

2. What Data We Collect

You are responsible for maintaining the confidentiality of your account credentials and for all activity that occurs under your account. You must notify Terrapin immediately at support@terrapintech.org if you become aware of any unauthorised access.

2.1 Information You Provide Directly

When you register for an account or use the Platform, we collect:

  • Identity Information: Full name, email address, and phone number.

  • Business Information: Company name, registered business address, GST Identification Number (GSTIN), and other business registration details required to verify your commercial identity and issue compliant invoices.

  • Payment Information: We collect billing-related information such as the last four digits of your card, card type, UPI ID, and billing address as required to process subscription payments. Full card numbers and CVV details are not stored by Terrapin. Payment transactions are processed through Razorpay, a PCI-DSS compliant payment gateway, and are subject to Razorpay's privacy policy.

  • Communication Data: Any information you share when you contact our support team, submit feedback, or communicate with us via email or WhatsApp.


2.2 Information We Collect Automatically

When you access or use the Platform, we automatically collect:

  • Device and Browser Information: IP address, device type, operating system, browser type and version, and screen resolution.

  • Usage Data: Pages visited, features used, actions taken within the Platform, session duration, and timestamps of access.

  • Log Data: Server-side logs including request metadata, error logs, and performance data used for platform maintenance and security monitoring.


2.3 Information From Third-Party Integrations

When you connect the Platform to third-party services such as Amazon, Flipkart, Meesho, WhatsApp Business API, or advertising platforms, we may receive data from those platforms to the extent necessary to deliver the integrated services. The data received is governed both by this Policy and by the respective third party's privacy terms. You are responsible for ensuring you have the right to share such data with us.

In the case of Meta's Embedded Signup flow, Meta collects certain information from you directly and independently during the authorization process; please refer to Meta's Privacy Policy for details of that collection.


2.4 Information We Do Not Collect

We do not knowingly collect sensitive personal data such as biometric information, health records, racial or ethnic origin, religious beliefs, or financial account passwords. We do not collect data from individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us immediately at support@terrapintech.org so we can delete it.

3. How We Use Your Data

We use the data we collect for the following purposes:

  • Account Management: To create and manage your account, verify your identity, and communicate with you about your subscription.

  • Service Delivery: To provide, operate, and improve the Platform, including processing orders, syncing marketplace data, running AI Agent workflows, and enabling integrations.

  • Billing and Invoicing: To process subscription payments, record handling fees, generate GST-compliant invoices, and manage payment disputes.

  • Customer Support: To respond to your queries, resolve complaints, and provide technical assistance.

  • Security and Fraud Prevention: To detect, investigate, and prevent unauthorised access, abuse, fraud, and other harmful activity on the Platform.

  • Legal Compliance: To comply with applicable Indian laws and regulations, including the DPDP Act, GST requirements, and any lawful requests from government or regulatory authorities.

  • Product Improvement: To analyse usage patterns, conduct internal research, and improve the features and performance of the Platform. Where used for this purpose, data is aggregated and de-identified to the extent practicable.

  • Communications: To send you transactional messages (such as invoices, account alerts, and service notifications) and, where you have opted in, product updates and promotional communications. You may opt out of marketing communications at any time.

4. Legal Basis for Processing

Under the Digital Personal Data Protection Act, 2023, we process your personal data on the following lawful bases:

  • Consent: Where you have given explicit consent, such as for marketing communications or optional integrations.

  • Contractual Necessity: Where processing is necessary to perform our contract with you - including providing the Services, processing payments, and managing your account.

  • Legal Obligation: Where we are required to process data to comply with applicable Indian law, including tax and regulatory requirements.

  • Legitimate Interests: Where we have a legitimate interest in processing data that is not overridden by your rights - such as platform security, fraud prevention, and service improvement.

You have the right to withdraw consent at any time where consent is the basis for processing. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

5. Data Sharing and Third-Party Processors

We do not sell your personal data. We share your data only in the following circumstances:

5.1 Service Providers and Sub-Processors

We engage trusted third-party service providers to help us operate the Platform. These providers process data on our behalf and are contractually bound to handle it securely and only as instructed. Current key sub-processors include:

  • Google Cloud Platform (GCP): Cloud infrastructure and data hosting. Your data is stored on GCP servers. GCP's data centres comply with international security standards including ISO 27001 and SOC 2.

  • Razorpay: Payment processing for subscription fees and record handling charges. Razorpay is PCI-DSS Level 1 certified. Terrapin does not store full payment card details.

  • Google Search Console (GSC) API: Where you connect your Google Search Console property to the Platform, Terrapin accesses website performance data - including search query impressions, click-through rates, and indexing information - solely to provide analytics and SEO reporting features within the Platform. This data is aggregated and does not contain personally identifiable information about your end customers. GSC access is authorised via Google OAuth and may be revoked at any time through your Google Account settings under Third-Party App Access.

  • Amazon (SP-API) and Flipkart Seller API: When you connect your marketplace seller accounts to the Platform, Terrapin accesses order, inventory, and catalogue data from these platforms via their respective APIs. This data is used solely to provide the Services. Terrapin does not use marketplace data for any independent commercial purpose and handles it in accordance with the data use restrictions imposed by each marketplace's developer agreement.

  • WhatsApp Business API and Embedded Signup (Meta): Terrapin uses Meta's Embedded Signup to connect your WhatsApp Business Account to the Platform. During the Embedded Signup flow, Meta independently collects data from you through its own OAuth interface - this collection is governed by Meta's Privacy Policy and is outside Terrapin's control. Upon authorization, Terrapin receives and stores your WhatsApp Business Account ID and associated phone number IDs to operate the integration. Outbound messages sent through the Platform via WhatsApp are subject to Meta's data processing terms. You may revoke Terrapin's access to your WhatsApp Business Account at any time through Meta's Business Settings.

  • Email Marketing Tools (e.g. MSG91, Mailchimp, Brevo): Used to send transactional and, where opted into, marketing communications. Only your name and email address are shared for this purpose.

  • SMS Gateway Provider: Where you use SMS features, messages are routed through a third-party SMS gateway. Your registered phone number and message content are shared with the gateway solely for delivery purposes.

 

5.2 Marketplace and Integration Partners

When you connect the Platform to third-party marketplaces (Amazon, Flipkart, Meesho, Shopsy, etc.) or other integrations, data necessary to operate those integrations is exchanged with those platforms. Such sharing is done at your direction and is governed by the respective platform's terms.

5.3 Legal and Regulatory Disclosure

We may disclose your data to government authorities, law enforcement agencies, or regulatory bodies where required to do so by applicable Indian law, a valid court order, or a lawful government request.

5.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or part of Terrapin's business, your data may be transferred to the successor entity.

5.5 No Sale of Data

Terrapin does not and will not sell, rent, or trade your personal data to any third party.

6. Data Storage and Security

Your data is stored on Google Cloud Platform (GCP) infrastructure. GCP maintains industry-standard physical, technical, and organisational security measures including encryption at rest and in transit, access controls, and continuous security monitoring.

Terrapin implements the following security practices at the application level:

  • All data transmitted between your browser and the Platform is encrypted using TLS (Transport Layer Security).

  • Access to personal data within Terrapin is restricted on a need-to-know basis and is subject to role-based access controls.

  • Account passwords are stored using industry-standard one-way hashing. Terrapin personnel cannot view your password.

  • We conduct periodic reviews of our security practices and update them in response to emerging threats.

 

No system is completely immune to security risks. In the event of a data breach that is likely to affect your rights or interests, we will notify you and the relevant authorities as required under applicable law, within the timeframes prescribed by the DPDP Act and associated rules.

7. Cookies and Tracking Technologies

The Platform may use cookies and similar tracking technologies (such as web beacons and local storage) to operate core platform functionality, remember your session, and analyse usage patterns. At a minimum, the Platform uses essential cookies that are necessary for the Platform to function. These cannot be disabled without affecting your ability to use the Platform. We may also use analytics and functional cookies depending on the features you use.

Where we use non-essential cookies for analytics or marketing purposes, we will seek your consent in accordance with applicable law. A cookie preference centre will be made available on the Platform to allow you to manage your choices.

Most browsers allow you to refuse or delete cookies through their settings. Please note that disabling cookies may affect the functionality of certain features of the Platform. For more information on managing cookies, refer to your browser's help documentation.

8. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide the Services. Specific retention periods are as follows:

  • Account Data: Retained for the duration of your subscription and for up to 12 months following account termination, after which it is deleted or anonymised.

  • Billing and Invoice Records: Retained for a minimum of 8 years from the date of the transaction, as required under the GST Act and applicable Indian tax law. This data cannot be deleted on request during this period.

  • Support and Communication Records: Retained for up to 24 months from the date of the interaction.

  • Usage and Log Data: Retained for up to 12 months for security and performance purposes, after which it is deleted or aggregated.

  • Inactivity Deletion: Where an account has been completely inactive for 90 continuous days, Terrapin reserves the right to permanently delete all associated data. Please refer to our Terms of Service for full details.

Where data is retained beyond the period of active use, it will be stored securely with access restricted to authorised personnel only.

9. Your Rights

Under the Digital Personal Data Protection Act, 2023 and other applicable Indian law, you have the following rights with respect to your personal data:

9.1 Right to Access

You have the right to request a summary of the personal data we hold about you and the purposes for which it is being processed. Requests can be submitted to support@terrapintech.org.

9.2 Right to Correction

You have the right to request correction of personal data that is inaccurate, incomplete, or outdated. You may update most of your account information directly within the Platform. For information you cannot update yourself, contact us at support@terrapintech.org.

9.3 Right to Erasure

You have the right to request deletion of your personal data. We will honour deletion requests subject to the following exceptions: (a) data that we are legally required to retain, including billing and invoice records under Indian tax law; (b) data necessary to resolve an active dispute or enforce our legal rights; and (c) data required to comply with a regulatory or law enforcement obligation.

9.4 Right to Withdraw Consent

Where we process your data on the basis of your consent (such as marketing communications), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. To withdraw consent, use the unsubscribe link in any marketing communication or contact us at support@terrapintech.org.

9.5 Right to Grievance Redressal

If you believe your data rights have been violated, you may raise a complaint with our Grievance Officer (details in Section 12). If your complaint is not resolved to your satisfaction, you may approach the Data Protection Board of India once it is constituted under the DPDP Act.

9.6 Exercising Your Rights

To exercise any of the above rights, please write to us at support@terrapintech.org or legal@terrapintech.org with the subject line "Data Rights Request". We may need to verify your identity before processing your request. We will respond within 30 days of receiving a complete and verified request.

10. International Users and Cross-Border Data Transfers

Terrapin primarily serves users in India. If you access the Platform from outside India, please be aware that your data will be transferred to, processed in, and stored in India and on Google Cloud Platform infrastructure, which may involve servers in multiple countries.

By using the Platform from outside India, you consent to this transfer. We take appropriate steps to ensure that cross-border transfers of personal data are carried out in compliance with applicable law and with adequate protections in place, consistent with the requirements of the DPDP Act and any rules notified thereunder regarding cross-border data transfers.

11. Children's Privacy

The Platform is intended solely for use by individuals who are at least 18 years of age operating a lawful business. We do not knowingly collect, process, or store personal data from individuals under 18. If we become aware that personal data of a minor has been submitted to us, we will delete it promptly. If you believe a minor has provided us with their data, please contact us immediately at support@terrapintech.org.

12. Grievance Officer

In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, Terrapin has designated a Grievance Officer to address complaints regarding the Platform or these Terms.


If you have any grievance, objection, or complaint - including concerns about your account, data handling, or any action taken by Terrapin - please raise it with the Grievance Officer at the contact below, providing all relevant information to enable timely resolution.


Complaints will be acknowledged within 48 hours of receipt. The Grievance Officer will endeavor to resolve all complaints within 30 days. If you fail to provide information reasonably requested by the Grievance Officer, your complaint may remain unresolved through no fault of Terrapin.

Grievance Officer
Name: Vikash Periwal
Email: grievance@terrapintech.org


For all other questions, legal notices, or support requests:

 

Turtle Software Pvt Ltd
Legal: legal@terrapintech.org
Support: support@terrapintech.org
Website: www.terrapincrm.com

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, the Services we offer, or applicable law.

 

The updated Policy will be posted at terrapincrm.com/privacy-policy with a revised effective date. Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes. If you do not agree, you should stop using the Platform and cancel your subscription.
