Privacy Policy

We are committed to protecting your personal data. This policy explains what information we collect, how we use it, and your rights under Indian and international law.

Last Updated: June 1, 2025
Effective Date: June 1, 2025
Jurisdiction: Republic of India

Compliance Notice

This Privacy Policy is compliant with the Digital Personal Data Protection Act, 2023 (DPDP Act), IT Act 2000, SPDI Rules 2011, Consumer Protection (E-Commerce) Rules 2020, and the California Consumer Privacy Act (CCPA) where applicable.

1. Introduction & Scope

Marketrun.io (referred to as “Company,” “we,” “us,” or “our”) is an AI and software development company based in Hyderabad, Telangana, India. We are the Data Fiduciary (as defined under the Digital Personal Data Protection Act, 2023) and the Body Corporate (as defined under the IT Act, 2000 and SPDI Rules, 2011) responsible for the personal data processed through our website and services.

This Privacy Policy describes how we collect, use, store, share, and protect personal information when you:

  • Visit our website at https://marketrun.io
  • Engage us for software development, AI, or consulting services
  • Contact us via email, phone, or web forms
  • Apply for a job or mentorship program
  • Subscribe to our newsletter or marketing communications

This Policy applies to website visitors, prospective clients, active clients, client personnel, and job applicants. The effective date of this Policy is June 1, 2025.

2. Data We Collect

2.1 Personal Data (General)

  • Full name, email address, phone number
  • Job title, company name, and business address
  • Communications you send us (contact form submissions, emails, WhatsApp messages)
  • Project requirements, briefs, and feedback you provide
  • IP address, browser type, device type, and operating system
  • Website usage data (pages visited, time on site, referral source, click behavior)
  • Cookies and similar tracking technology data (see Section 6)

2.2 Sensitive Personal Data or Information (SPDI)

Under the SPDI Rules, 2011, the following categories constitute Sensitive Personal Data. We collect such data only when strictly necessary:

  • Financial information: Billing details, bank account or payment card information (processed via payment gateways; we do not store raw card numbers)
  • Passwords: Stored only in cryptographically hashed form; never stored in plain text

We do not collect biometric data, health or medical information, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation unless explicitly and voluntarily provided by you for a specific, stated purpose.

2.3 Data Collected from US Clients (CCPA Categories)

  • Identifiers (name, email, IP address)
  • Commercial information (project history, purchase records)
  • Internet or other electronic network activity information
  • Professional or employment-related information
  • Inferences drawn from the above to create a profile about preferences and needs

3. How We Collect Data

We collect personal data through the following means:

  • Directly from you: When you fill in a contact form, request an audit, send an email, make a payment, or register for our services.
  • Automatically: When you visit our website, we automatically collect technical data via cookies, web beacons, server logs, and analytics tools (Google Analytics, Microsoft Clarity, PostHog).
  • From third parties: We may receive information about you from referral partners, social media platforms (if you engage with our profiles), or third-party analytics providers.
  • During service delivery: Data you share with us in the course of a project engagement, including system credentials, business data, or personal data belonging to your customers (processed as a data processor on your behalf).

4. Purposes of Processing

In compliance with Section 5 of the DPDP Act, 2023 (purpose limitation principle), we process your personal data for the following specific purposes:

  • Service Delivery: To provide, manage, and improve the software and AI services you have engaged us for.
  • Communication: To respond to inquiries, send project updates, and communicate about your engagement.
  • Billing & Payments: To process invoices, payments, and maintain financial records as required by Indian tax law.
  • Legal Compliance: To comply with applicable Indian laws, court orders, and regulatory requirements (including GST filings, and responding to lawful government requests).
  • Security & Fraud Prevention: To detect, investigate, and prevent unauthorized access, fraud, and abuse of our systems.
  • Marketing (with consent): To send newsletters, service updates, or promotional communications. You may withdraw consent at any time by clicking “Unsubscribe” or emailing privacy@marketrun.io.
  • Analytics & Improvement: To analyze website usage patterns and improve our services and user experience.
  • Recruitment: To review job applications and communicate with candidates.

Under the DPDP Act, 2023, we process personal data on the following lawful bases:

  • Consent (Section 6, DPDP Act): For marketing communications, cookie analytics, and any processing beyond what is strictly necessary for service delivery. Consent is obtained through clear, affirmative action (no pre-ticked boxes). You may withdraw consent at any time.
  • Performance of a Contract: Processing necessary to deliver the services you have engaged us for.
  • Legal Obligation: Processing required to comply with Indian law (e.g., GST records, responding to lawful government requests under the IT Act).
  • Legitimate Interests (applicable to GDPR/CCPA context): For fraud prevention, network security, and direct marketing to existing clients where permitted by applicable law.

6. Cookies & Tracking Technologies

Our website uses cookies and similar tracking technologies. We use the following categories:

  • Strictly Necessary Cookies: Essential for the website to function. Cannot be disabled. Example: session cookies, CSRF protection.
  • Analytics Cookies: Help us understand how visitors interact with the website. We use Google Analytics and Microsoft Clarity for this purpose. These tools may collect IP addresses and browsing behavior.
  • Functional Cookies: Remember your preferences (e.g., language settings) to enhance your experience.
  • Marketing Cookies: Used to deliver relevant advertisements. Only activated with your consent.

You can manage cookie preferences through your browser settings or through any cookie consent mechanism on our website. Note that disabling certain cookies may impact website functionality. For Google Analytics opt-out, visit tools.google.com/dlpage/gaoptout.

7. How We Share Your Data

We do not sell your personal data. We share data only as described below:

7.1 Service Providers & Sub-Processors

We engage third-party service providers who process data on our behalf under data processing agreements. These include:

  • Cloud Infrastructure: AWS, Google Cloud, or similar providers (hosting and storage)
  • Analytics: Google Analytics, Microsoft Clarity, PostHog
  • Communication: Email service providers for transactional and marketing emails
  • Payment Processing: Razorpay (India), Stripe (International)
  • CRM & Project Management: Tools used to manage client relationships and project delivery

7.2 Legal Disclosures

We may disclose personal data to government agencies, law enforcement, or courts when required by applicable law, including under Section 69 of the IT Act, 2000. We will provide reasonable prior notice to you where legally permissible.

7.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the successor entity, subject to the same privacy protections.

7.4 With Your Consent

We may share your data with third parties not listed above where you have given us explicit, prior written consent.

8. Cross-Border Data Transfers

As a company serving clients globally, personal data may be transferred to and processed in countries outside India, including the United States, Singapore, and EU member states, for hosting, analytics, or communication purposes.

Such transfers are conducted in compliance with Section 16 of the DPDP Act, 2023 and Rule 7 of the SPDI Rules, 2011. We ensure appropriate safeguards are in place, including contractual data transfer agreements with sub-processors. We will not transfer personal data to countries that have been specifically restricted by the Government of India under the DPDP Act.

9. Data Retention

We retain personal data only for as long as necessary for the purposes stated in this Policy, in accordance with Section 8(7) of the DPDP Act, 2023. Specific retention periods:

  • Client project data: Duration of engagement plus 7 years (for legal, audit, and tax compliance purposes)
  • Financial records & invoices: 8 years (as required under the Income Tax Act, 1961 and Companies Act, 2013)
  • Marketing & contact data: Until consent is withdrawn or 3 years from last interaction, whichever is earlier
  • Website analytics data: 14 months (Google Analytics default) to 24 months
  • Server logs & IP data: 90–180 days
  • Job applications: 12 months from receipt, or longer if a role is offered

Upon expiry of the applicable retention period, personal data is securely deleted or anonymized. SPDI is deleted as soon as the purpose for which it was collected is fulfilled, unless retention is required by law.

10. Data Security

We implement reasonable security practices and procedures as required by Rule 8 of the SPDI Rules, 2011 and Section 8(5) of the DPDP Act, 2023, including:

  • Encryption in transit: All data transmitted to and from our website is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Sensitive data stored in our systems is encrypted using AES-256 or equivalent standards.
  • Access controls: Role-based access controls limit data access to personnel who need it for legitimate business purposes.
  • Organizational measures: Employee confidentiality agreements, security training, and data handling policies.
  • Vendor security: Third-party sub-processors are assessed for security compliance before onboarding.

Notwithstanding these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

11. Data Breach Notification

In the event of a personal data breach, we will comply with Section 8(6) of the DPDP Act, 2023 and DPDP Rules, 2025:

  • We will notify the Data Protection Board of India of any breach promptly upon becoming aware of it.
  • We will notify affected Data Principals (individuals whose data was breached) without undue delay, including information about the nature of the breach, data affected, and remedial steps taken.
  • Where we are acting as a data processor for a client, we will notify the client within 72 hours of discovering a breach affecting their data.

12. Your Rights as a Data Principal (India)

Under Chapter III of the DPDP Act, 2023, you have the following rights regarding your personal data:

  • Right of Access (Section 11): Obtain a summary of the personal data being processed about you and the processing activities.
  • Right to Correction (Section 12): Request correction of inaccurate, incomplete, or outdated personal data.
  • Right to Erasure (Section 12): Request deletion of your personal data when it is no longer necessary for the stated purpose or when you withdraw consent, unless retention is required by law.
  • Right to Withdraw Consent (Section 13): Withdraw consent for processing at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Right to Grievance Redressal (Section 13): File a complaint with the Company’s Grievance Officer (see Section 16) and, if unsatisfied, with the Data Protection Board of India.
  • Right to Nominate (Section 14): Nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.

To exercise any of these rights, please contact us at privacy@marketrun.io. We will respond within a reasonable period as specified under the DPDP Rules, 2025.

13. Rights of California Residents (CCPA / CPRA)

If you are a resident of California, USA, you may have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), subject to applicable thresholds:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: Request deletion of your personal information, subject to exceptions for legal compliance and contract performance.
  • Right to Correct: Request correction of inaccurate personal information we hold about you.
  • Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. If this changes, we will provide a “Do Not Sell or Share My Personal Information” link.
  • Right to Limit Use of Sensitive Personal Information: Request limitation of use of sensitive personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email privacy@marketrun.io. We will respond within 45 days (extendable by another 45 days with notice).

14. Children’s Privacy

In compliance with Section 9 of the DPDP Act, 2023, our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children without verifiable parental or guardian consent.

If you believe we have inadvertently collected personal data from a child under 18, please contact us immediately at privacy@marketrun.io and we will promptly delete such data. We do not engage in behavioral monitoring or targeted advertising directed at children.

Our website may contain links to third-party websites, social media platforms, or external tools. These third-party sites have their own privacy policies and are not covered by this Policy. We are not responsible for the privacy practices or content of any third-party websites. We encourage you to review the privacy policy of any website you visit.

16. Grievance Officer & Data Protection Contact

In compliance with Rule 5(9) of the SPDI Rules, 2011, the Consumer Protection (E-Commerce) Rules, 2020, and IT Rules 2021 Rule 3(2), the following Grievance Officer has been designated for privacy-related complaints:

Grievance Officer — Data Protection

Name: Nikhil
Designation: Founder & CEO / Data Protection Contact
Privacy Email: privacy@marketrun.io
Grievance Email: grievance@marketrun.io
Phone: +91 93913 50508
Address: Hyderabad, Telangana, India — 500001
Acknowledgment: Within 48 hours of receipt
Resolution: Within 30 days (72 hrs for critical complaints)

If your complaint is not resolved satisfactorily, you may approach the Data Protection Board of India (once operationalized under the DPDP Act, 2023) or the Consumer Disputes Redressal Commission as applicable.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. Material changes will be communicated to registered users via email or through a prominent notice on our website at least 30 days before taking effect.

The “Last Updated” date at the top of this page indicates when the Policy was last revised. Continued use of our services after the effective date of changes constitutes acceptance of the updated Policy.

We maintain a version history of this Policy and will provide previous versions upon request.


For any privacy-related questions or to exercise your rights, contact us at privacy@marketrun.io. Postal address: Marketrun.io, Hyderabad, Telangana, India — 500001.