Last updated · 16 May 2026
Privacy Policy
This Privacy Policy explains how Dapplon ("we", "us", "our") collects, uses, shares, and protects personal information when you visit our website, create an account, use the Service, or otherwise interact with us. It applies worldwide and is designed to comply with the EU and UK General Data Protection Regulations (GDPR & UK GDPR), India's Digital Personal Data Protection Act, 2023 (DPDPA), and the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA).
1. Who we are and how to reach us
Dapplon is the data controller for personal information you provide to us directly (e.g., to subscribe, request a demo, or contact us). For personal information that our business customers upload about their own employees, Dapplon acts as a data processor on the customer's behalf — see our standard data-processing terms.
Dapplon
909 Runway Heights, 150 Feet Ring Road
Rajkot 360006, Gujarat, India
Privacy queries: [email protected]
2. What we collect
We collect the following categories of personal information:
- Account & identity: name, work email, phone, company name, job title.
- Authentication: hashed password, multi-factor codes, session tokens.
- Billing: billing address, last 4 digits of card / UPI / bank details (we never store full card numbers — these go directly to our payment processors).
- Usage: pages visited, features clicked, IP address, browser, device, OS, referrer, approximate location (country / region) derived from IP.
- Communications: messages you send us, support tickets, demo form responses, feedback.
- Cookies and similar technologies: we use first-party cookies for session, security, and remembering your country choice, and you can manage them via the consent banner.
3. How we use it & legal bases
| Purpose | Legal basis (GDPR / UK GDPR) |
|---|---|
| Operate the Service — authenticate you, run payroll, store HR records | Contract performance |
| Handle support requests, demo follow-ups | Legitimate interest / Contract performance |
| Take payment, prevent fraud | Contract performance & Legitimate interest |
| Send transactional emails (receipts, alerts, account updates) | Contract performance |
| Send marketing emails (newsletters, product updates) | Consent (you can unsubscribe at any time) |
| Improve and secure the Service, detect abuse, comply with law | Legitimate interest / Legal obligation |
| Comply with tax, accounting, anti-money-laundering, and employment-law obligations | Legal obligation |
4. When we share data
We do not sell personal information. We share it only:
- with sub-processors that operate the Service on our behalf (cloud hosting, email delivery, payment processing, analytics) — listed on request — each bound by data-protection terms equivalent to GDPR Article 28;
- with your employer (for employee data uploaded by them);
- with payment processors (Razorpay, Stripe) to process transactions;
- with law-enforcement or regulators when required by valid legal process;
- with a successor entity in case of a merger, acquisition, or sale of assets — you will be notified before your data is transferred.
5. International data transfers
Personal data may be transferred to and processed in countries other than where it was collected. When transferring out of the EEA, UK, or India, we rely on Standard Contractual Clauses (or equivalent UK / Indian-approved mechanisms) plus supplementary technical safeguards (encryption in transit and at rest).
6. How long we keep it
We retain personal data only as long as needed to deliver the Service and meet legal obligations:
- Account & HR records: while your subscription is active, plus 7 years for tax / payroll compliance (or longer if local law requires).
- Marketing contacts: until you unsubscribe.
- Demo / contact submissions: 2 years from last activity unless converted to a customer.
- Audit logs & security logs: 1 year by default; longer if needed for an investigation.
7. Security
We protect personal data with industry-standard controls: TLS 1.2+ in transit, AES-256 at rest where supported, role-based access controls, audit logging, regular penetration testing, employee background checks, and a documented incident response plan. No internet system is 100% secure, however — if a breach occurs that materially affects your data, we will notify you and the appropriate regulator within the timeframes required by law (typically 72 hours under GDPR).
8. Your rights
Depending on where you live, you have some or all of the following rights:
- Access — request a copy of personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure / "Right to be forgotten" — ask us to delete your data (subject to legal retention requirements).
- Restrict processing or object on grounds related to your particular situation.
- Data portability — receive your data in a structured, machine-readable format and transmit it elsewhere.
- Withdraw consent — at any time where processing is based on consent (this does not affect the lawfulness of prior processing).
- Opt out of sale or sharing for cross-context behavioural advertising (CCPA / CPRA) — we do not sell or share for these purposes, but you can confirm and reinforce this preference on our Your Privacy Choices page.
- Non-discrimination — we will not deny you service, charge you more, or provide a different level of service because you exercised your rights.
To exercise any right, email [email protected] with the subject "Privacy request" or use our Privacy Choices form. We respond within 30 days (or as required by your local law).
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data to us, write to [email protected] and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced by email or in-product banner. The "Last updated" date at the top reflects the current version. Older versions are archived and available on request.
11. Complaints
If you have an unresolved concern, you have the right to complain to your local supervisory authority — for example, the Data Protection Board of India, the UK ICO, the relevant EU Data Protection Authority, or the California Privacy Protection Agency. We encourage you to contact us first at [email protected] so we can address the issue directly.