Privacy Policy

Last updated: 14 March 2026 · Effective: 14 March 2026

Plain-language summary: CitraInsight scans software and hardware on your organisation’s machines. It never reads your files, emails, passwords, documents, or keystrokes. It never reports data to software vendors. Every person’s identity is protected by a pet-name system — we never need to know who sits at which desk.

1. Who We Are

Code & Clause Systems (“we”, “us”, “our”) is the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and a Data Controller under the General Data Protection Regulation (“GDPR”) for data processed through the CitraInsight platform (“CitraInsight”, “the Service”).

Registered address: Bhopal, Madhya Pradesh, India.

Contact: privacy@citrainsight.in

2. What We Collect

2.1 Data We Collect During Registration

When an administrator signs up for CitraInsight, we collect:

Name and email address
Phone number (optional)
Company name
Designation (e.g. CTO, IT Admin, Finance)
Industry (e.g. IT Services, Manufacturing, Healthcare)
Company size (employee range)
Estimated number of systems to be monitored
Referral source (optional — how you heard about CitraInsight)
GST number (if provided)

Legal basis: Consent (DPDP Act s.6) / Contractual necessity (GDPR Art.6(1)(b)).

2.1a How We Use Registration Data

Service delivery: To create and manage your CitraInsight account, configure your environment, and provide technical support.
Communication: To send OTP verification, account alerts, billing information, and subscription-related notices.
Product updates: To inform you of new features, security updates, and platform improvements (with your consent — you may opt out at any time).
Upgrade contact: To provide information about plans, pricing, and capacity upgrades relevant to your usage. We do not share your data with third parties for marketing purposes.

To opt out of product updates and marketing communications, email privacy@citrainsight.in. Service-critical communications (security alerts, billing) cannot be opted out of while your subscription is active.

2.2 Machine Telemetry

The CitraInsight agent installed on organisation endpoints collects:

Hardware identifiers: hostname, machine UUID, BIOS serial, MAC address, CPU, RAM, disk model and capacity, GPU, motherboard
Operating system: name, version, build, edition, end-of-life status
Installed software: name, version, publisher, install path, install date, last-used date
Running processes and services (name and path only — not contents)
Registry keys related to software installation
PE header metadata (publisher, version fields) for executable files
Network adapter information (IP, MAC)

What we NEVER collect: file contents, email, passwords, documents, browser history content, keystrokes, screenshots, camera or microphone data, personal files, or any data entered by the user of the machine. CitraInsight reads metadata only — never content.

2.3 Pet-Name Privacy Architecture

CitraInsight uses a pet-name system to protect individual privacy. Each machine is assigned a randomised alias (e.g., “BlueTiger-7”, “CoralFox-3”). The real hostname and logged-in username are visible only to the organisation’s own administrators. Code & Clause Systems staff never see real names, usernames, or personal identifiers.

2.4 Usage & Analytics

We collect anonymised telemetry about CitraInsight platform usage (feature usage counts, error rates, scan durations) only with explicit opt-in consent. This can be withdrawn at any time via the dashboard.

3. How We Use Your Data

Purpose	Data used	Legal basis
Deliver the Service (scanning, detection, compliance)	Machine telemetry, account data	Contract
Send OTP for authentication	Email, phone number	Contract
Send piracy/compliance alerts	Email, finding data	Contract
Generate audit reports	Machine telemetry, findings	Contract
Improve detection accuracy	Anonymised software signatures	Legitimate interest / Consent
Billing and subscription management	Account data, system count	Contract

4. Data Storage & Security

Encryption at rest: AES-256
Encryption in transit: TLS 1.3
Database: DigitalOcean Managed PostgreSQL, Bangalore region (BLR1), India
Audit trail: SHA-256 hash chain — tamper-evident, append-only
Access control: Role-Based Access Control (RBAC) with 31 atomic permissions
Password storage: bcrypt with salt
Agent tokens: DPAPI-encrypted on Windows endpoints

5. Data Sharing

We never share, sell, or transmit your data to:

Software vendors (Adobe, Microsoft, Autodesk, or any other publisher)
Advertising networks
Data brokers
Government agencies (unless compelled by valid court order under Indian law)

CitraInsight is not a vendor audit tool. Your compliance data belongs to you, not to the software publishers.

5.1 Sub-Processors

Sub-processor	Purpose	Location
DigitalOcean	Server hosting & managed database	Bangalore, India
Amazon Web Services (SES)	Transactional email (OTP, alerts)	Mumbai, India (ap-south-1)
GoDaddy	Domain registration & DNS	USA

6. Data Retention

Active accounts: Data retained for the duration of the subscription.
Registration data: Retained for 24 months from last account activity, then deleted unless an active subscription exists.
Scan results: Retained for 24 months, then archived or deleted at organisation’s choice.
Audit logs: Retained for 36 months (regulatory compliance requirement).
After termination: Scan data deleted within 90 days of account closure. Registration data deleted within 24 months. Data export available on request within 30 days of termination.
Backups: 7 daily + 4 weekly rotating backups. Purged within 30 days of data deletion.

7. Your Rights

7.1 Under the DPDP Act 2023 (India)

As a Data Principal, you have the right to:

Access — Request a summary of your personal data we process (s.11)
Correction & Erasure — Request correction of inaccurate data or erasure of data no longer necessary (s.12)
Grievance Redressal — Contact our Grievance Officer (s.13)
Nomination — Nominate another person to exercise your rights in case of death or incapacity (s.14)
Withdraw Consent — Withdraw previously given consent at any time (s.6(7))

7.2 Under GDPR (if applicable)

If you are located in the European Economic Area, you additionally have the right to data portability (Art.20), restriction of processing (Art.18), and to lodge a complaint with your supervisory authority.

8. Breach Notification

In the event of a personal data breach:

We will notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required under the DPDP Act.
We will notify affected Data Principals without unreasonable delay.
Notification will include: nature of the breach, data affected, remedial measures taken, and contact details for further information.

9. Children’s Data

CitraInsight is an enterprise B2B product. We do not knowingly collect data from individuals under the age of 18. If organisation endpoints are used by minors (e.g., in educational institutions), the organisation is responsible for obtaining verifiable parental consent as required under DPDP Act s.9.

10. Cross-Border Data Transfer

All primary data processing occurs in India (Bangalore). No personal data is transferred outside India except to sub-processors listed in Section 5.1, and only as permitted under DPDP Act s.16 and any restrictions notified by the Central Government.

11. Cookies

The CitraInsight website uses only essential session cookies for authentication. We do not use tracking cookies, advertising cookies, or analytics cookies. No third-party cookies are loaded.

12. Grievance Officer

Name: Grievance Officer, Code & Clause Systems
Email: privacy@citrainsight.in
Address: Bhopal, Madhya Pradesh, India
Response time: Within 30 days of receiving the grievance.

13. Data Visibility and Sharing

CitraInsight collects system assessment data to provide you with compliance visibility. By default, Code & Clause Systems can view only aggregate information — system counts, finding counts, and approximate financial exposure — for billing and product improvement purposes.

For CitraInsight to assist you with compliance remediation, procurement recommendations, or audit preparation, you may optionally share detailed assessment data with our team through the Data Sharing Preferences in your Settings page.

You can change your sharing preferences at any time. All access to customer data by Code & Clause Systems personnel is logged in the audit trail.

Code & Clause Systems will never share your data with software vendors, auditors, or any third party without your explicit written consent.

14. Changes to This Policy

We may update this policy from time to time. Material changes will be notified via email to all registered administrators at least 30 days before taking effect. The “Last updated” date at the top of this page will be revised accordingly.

15. Contact

For any questions about this Privacy Policy, contact us at privacy@citrainsight.in.