Section 01 — Scope & Applicability
Scope and applicability of this Policy
This Privacy Policy ("Policy") is published by DST Global, a proprietary entity operating under the trade name DeepSphere Technologies, having its principal place of business at Pune, Maharashtra, India, and its associated digital product PRO.TR.ON (Project Tracking Online) (collectively "DST Global", "we", "us", or "our").
This Policy applies to all personal data processed in connection with:
- The website located at deepspheretech.com and all subdomains thereof;
- The PRO.TR.ON SaaS platform, including web and API interfaces;
- All marketing, sales, and support communications conducted by DST Global;
- Any third-party integrations or connectors activated by users within the platform.
This Policy does not apply to the data practices of third-party platforms, vendors, or partners who may be accessible via links or integrations within our Services. DST Global accepts no responsibility for the privacy practices of such third parties.
Important: By accessing or using our Services in any manner, you acknowledge that you have read, understood, and agreed to the terms of this Policy. If you are accessing the Services on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that entity to this Policy.
Section 02 — Definitions
Key definitions
The following terms carry the meanings set out below throughout this Policy:
"Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the Digital Personal Data Protection Act, 2023 ("DPDPA").
"Data Principal" means the individual to whom Personal Data relates — i.e., the user, customer, or visitor whose data is being processed.
"Data Fiduciary" means DST Global, which alone or in conjunction with others determines the purpose and means of processing Personal Data.
"Processing" means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, transfer, or erasure.
"Services" means the PRO.TR.ON platform, the deepspheretech.com website, and all associated communications, support, and marketing activities operated by DST Global.
"Consent" means a freely given, specific, informed, and unambiguous indication of agreement to the processing of Personal Data for a stated purpose.
Section 03 — Personal Data We Collect
Personal data we collect
We collect only the minimum personal data necessary to provide, operate, and improve our Services ("data minimisation principle"). The categories of data collected are as follows:
A. Data you provide directly
Identity & Contact Data
Full name, work email address, designation, company name, and phone number collected during account registration, demo requests, or contact form submissions.
Billing & Commercial Data
Organisation legal name, billing address, GST registration number, and invoice-related correspondence. Payment card details are handled exclusively by PCI-DSS-compliant processors and are never stored by DST Global.
Platform Content Data
Projects, sprints, user stories, tasks, timesheets, budgets, uploaded files, and any other content that you or your organisation create within the PRO.TR.ON platform. This data is owned by you.
Communications Data
Content of emails, support tickets, chat messages, demo call notes, and feedback submissions addressed to DST Global.
B. Data collected automatically
- Log & Technical Data: IP address, browser type and version, operating system, referral URL, pages visited, timestamps, and error logs generated during platform use.
- Device Data: Device type (desktop / mobile / tablet), screen resolution, and preferred language.
- Usage & Behavioural Data: Features accessed, actions performed, session duration, navigation paths, and frequency of use — collected in aggregate and pseudonymised where possible.
- Cookie Data: Session identifiers, authentication tokens, and analytics identifiers placed by first-party and approved third-party cookies (see Section 9).
C. Data received from third parties
Where you elect to authenticate via a third-party identity provider (e.g., Google OAuth, Microsoft SSO), we receive only the data you expressly authorise — typically name, email address, and profile photograph. DST Global does not purchase, acquire, or receive personal data from data brokers or data aggregators under any circumstances.
Special Categories: DST Global does not intentionally collect any sensitive personal data as defined under the DPDPA 2023, including financial passwords, health information, biometric data, caste, religion, or sexual orientation. If any such data is inadvertently submitted, it will be deleted upon identification and the submitter notified.
Section 04 — Purposes & Legal Basis
Purposes for which we process personal data
We process personal data only for specified, explicit, and legitimate purposes. The processing activities, corresponding data categories, and legal bases are set out in the table below. Where processing is based on consent, you retain the right to withdraw that consent at any time without affecting the lawfulness of prior processing.
| Processing Purpose | Data Categories Used | Legal Basis |
|---|---|---|
| Provision and operation of the PRO.TR.ON platform | Identity, contact, platform content data | Contractual necessity |
| Account creation, authentication, and access management | Identity, contact, log data | Contractual necessity |
| Billing, invoicing, and payment processing | Billing and commercial data | Contractual necessity / Legal obligation |
| Sending transactional notifications (security alerts, system updates, invoices) | Contact, identity, billing data | Contractual necessity |
| Sending promotional and marketing communications | Email address, role, company | Consent (freely withdrawn at any time) |
| Responding to enquiries, support requests, and demo bookings | Identity, contact, communications data | Legitimate interest / Pre-contractual steps |
| Product improvement, analytics, and research | Anonymised / pseudonymised usage data | Legitimate interest |
| Platform security, fraud detection, and abuse prevention | Log, device, usage data | Legitimate interest / Legal obligation |
| Compliance with legal, regulatory, or judicial obligations | Any data required by competent authority | Legal obligation |
| Exercising or defending legal rights and claims | Relevant data as required | Legitimate interest / Legal obligation |
DST Global does not use personal data for automated individual decision-making or profiling that produces legal or similarly significant effects without explicit consent. If such processing is introduced in future, affected users will be notified and their consent sought prior to commencement.
Section 06 — Storage, Security & Transfers
How we store and protect your data
Personal data is stored on enterprise-grade cloud infrastructure hosted within India and/or Singapore. DST Global implements a layered, defence-in-depth security programme comprising the following controls:
Encryption
All personal data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Database backups are independently encrypted.
Access Control
Role-based access control (RBAC) restricts internal access on a strict need-to-know basis. Privileged access requires multi-factor authentication.
Authentication & SSO
Enterprise single sign-on (SSO) and two-factor authentication are available to all paid account holders.
Audit Trails
All access events, data modifications, and administrative actions are logged immutably and retained for security review and compliance purposes.
Vulnerability Management
Regular penetration testing, dependency scanning, and security code reviews are conducted as part of our secure development lifecycle.
Network Security
Firewalls, DDoS mitigation, intrusion detection systems, and network segmentation protect platform infrastructure from external threats.
International transfers
Where personal data is transferred to a sub-processor located outside India (e.g., for cloud infrastructure or email delivery), DST Global ensures such transfers are protected by appropriate contractual safeguards, including Standard Contractual Clauses or equivalent mechanisms consistent with applicable Indian law. No personal data is transferred to a jurisdiction that does not provide an adequate level of protection without appropriate safeguards in place.
Security Limitation: Notwithstanding the foregoing measures, no method of electronic transmission or digital storage can be guaranteed to be 100% secure. DST Global therefore cannot warrant the absolute security of personal data transmitted to or stored within our Services. We will, however, notify affected users and relevant authorities in accordance with applicable breach notification obligations under the DPDPA 2023 in the event of a material security incident.
Section 07 — Retention Periods
How long we retain personal data
DST Global retains personal data for no longer than is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable law. Upon expiry of the applicable retention period, data is securely deleted or irreversibly anonymised.
| Data Category | Retention Period | Basis |
|---|---|---|
| Active account and identity data | Duration of account, then 30 days post-closure | Contractual necessity |
| Platform content (projects, sprints, files) | 30 days post account deletion, then permanent erasure | Contractual necessity |
| Billing, invoicing, and tax records | 7 years from the relevant financial year | Companies Act 2013 / Income Tax Act 1961 |
| Marketing consent records | Duration of consent + 3 years post-withdrawal | Legal obligation / Proof of consent |
| Security and access logs | 12 months from generation | Legitimate interest / Legal obligation |
| Support and communications data | 3 years from last interaction | Legitimate interest |
| Legal hold data (litigation / dispute) | Until resolution of the relevant matter + 1 year | Legal obligation |
| Anonymised / aggregated analytics data | Indefinite (no longer constitutes personal data) | Legitimate interest |
Where you request erasure of your personal data before the expiry of a legally mandated retention period, DST Global will restrict active processing of that data to the extent required by law and delete it as soon as the legal obligation ceases to apply.
Section 08 — Rights of Data Principals
Your rights and how to exercise them
Subject to applicable law, you have the following rights in respect of your personal data. DST Global will acknowledge all valid requests within 72 hours and fulfil them within 30 calendar days, extendable by a further 30 days in complex cases with prior notification.
- Right of Access (Section 11, DPDPA): You may request a summary of the personal data DST Global holds about you and the purposes for which it is being processed.
- Right to Correction & Completeness: You may request correction of inaccurate, incomplete, or outdated personal data held by us.
- Right to Erasure (Right to be Forgotten): You may request deletion of your personal data where: (i) the purpose of processing is fulfilled; (ii) you withdraw consent and no other lawful basis applies; or (iii) processing is unlawful. Erasure is subject to any overriding legal obligation to retain the data.
- Right to Grievance Redressal: You may raise a complaint or grievance with our designated Grievance Officer (see Section 14) or with the Data Protection Board of India upon its establishment.
- Right to Withdraw Consent: Where processing is based solely on your consent, you may withdraw that consent at any time via email or the platform's notification settings. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
- Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format (e.g., CSV or JSON) to facilitate transfer to another service provider.
- Right to Nominate: You may nominate another individual to exercise your rights on your behalf in the event of your death or incapacity, as permitted under the DPDPA.
To exercise any of the above rights, submit a written request to contact@deepspheretech.com with the subject line "Data Principal Rights Request". We reserve the right to verify your identity before processing the request to prevent unauthorised access or fraudulent erasure. No fee is charged for exercising these rights, except where requests are manifestly unfounded or excessive, in which case DST Global may charge a reasonable administrative fee or decline to respond, with written reasons provided.
Marketing opt-out
Every marketing communication dispatched by DST Global includes a clearly labelled one-click unsubscribe mechanism. You may also opt out by emailing us directly. Unsubscribing from marketing communications does not affect the delivery of transactional or service-essential notifications, which are necessary for the performance of the contractual relationship.
Section 09 — Cookies & Tracking Technologies
Cookies and tracking technologies
DST Global uses cookies, web beacons, and similar technologies to operate our Services securely, retain your preferences, and gather aggregate insights into how our platform and website are used. The following categories of cookies are deployed:
| Cookie Category | Purpose | Basis | Opt-Out Available |
|---|---|---|---|
| Strictly Necessary | Session management, authentication, CSRF protection, and load balancing. The platform cannot function without these. | Legitimate interest / Contractual necessity | No |
| Functional / Preference | Remembering language, time zone, layout, and UI preferences across sessions. | Consent | Yes — via cookie banner or browser settings |
| Analytics (Google Analytics) | Aggregate, anonymised measurement of page views, traffic sources, session durations, and feature usage. IP addresses are anonymised at collection. | Consent | Yes — via cookie banner or Google Analytics opt-out |
| Marketing / Retargeting | May be deployed in future for interest-based advertising and campaign measurement. No marketing cookies are currently active. | Consent (required before activation) | Yes — consent must be granted before any deployment |
You may withdraw or modify your cookie consent at any time via the cookie preference centre accessible on our website or by configuring your browser to refuse or delete cookies. Please note that disabling functional cookies may impair the performance and usability of certain PRO.TR.ON features. Disabling strictly necessary cookies may prevent access to the platform.
Section 10 — Minors
Persons under the age of 18
PRO.TR.ON is a business-to-business (B2B) enterprise software platform designed exclusively for use by professionals and organisational representatives who are 18 years of age or older. DST Global does not knowingly solicit, collect, or process personal data from individuals under the age of 18.
In the event that DST Global becomes aware, or is credibly informed, that personal data belonging to a minor has been submitted to our Services without verifiable parental or guardian consent, we will take prompt steps to permanently delete such data from our systems. If you have reason to believe that a minor's data has been submitted, please notify us immediately at contact@deepspheretech.com. Organisational customers are responsible for ensuring that access credentials are not made available to individuals under the age of 18.
Section 11 — Third-Party Services
Third-party links and integrations
Our website and platform may contain hyperlinks to external websites, or offer integrations with third-party software tools and services (including but not limited to Slack, GitHub, Google Workspace, and Microsoft Teams). DST Global provides such links and integrations as a convenience.
This Policy applies solely to personal data processed directly by DST Global. DST Global has no control over, and assumes no responsibility for, the content, privacy policies, or data practices of any third-party website or service. The presence of a link or integration does not constitute an endorsement by DST Global. We strongly encourage users to review the privacy policies of any third-party service before activating an integration or providing personal data to that service.
Where a third-party integration is activated by an administrator of a DST Global account, that administrator accepts responsibility for ensuring the integration complies with applicable data protection obligations and has obtained any necessary consents from end users within their organisation.
Section 12 — Limitation of Liability
Limitation of liability in connection with data
To the maximum extent permitted by applicable law, DST Global's total aggregate liability in connection with any privacy or data protection claim arising under or in relation to this Policy shall not exceed the greater of: (i) the total fees paid by the relevant user or customer to DST Global in the twelve (12) months immediately preceding the event giving rise to the claim; or (ii) INR 10,000 (Indian Rupees Ten Thousand).
DST Global shall not be liable for any indirect, incidental, consequential, special, or exemplary damages arising out of or in connection with: (i) unauthorised access to or use of your personal data by third parties despite our reasonable security measures; (ii) loss or corruption of data caused by factors outside our reasonable control, including force majeure events; (iii) acts or omissions of third-party sub-processors that are beyond DST Global's reasonable control, provided we have fulfilled our due diligence and contractual obligations to such sub-processors; or (iv) your failure to implement reasonable security practices on your own systems and devices.
Nothing in this section limits DST Global's liability for fraud, wilful misconduct, gross negligence, or any liability that cannot be excluded by applicable Indian law.
Section 13 — Amendments to this Policy
Changes to this Policy
DST Global reserves the right to update or modify this Policy at any time to reflect changes in applicable law, regulatory guidance, business operations, or technological developments. All revisions will be effective from the date published on this page unless a later effective date is specified.
In the event of a material change — meaning any change that substantially affects the nature of the data we collect, the purposes for which we use it, the parties with whom we share it, or your rights under this Policy — we will:
- Update the "Last Revised" date and version number at the top of this page;
- Send a written notification to the email address associated with all registered accounts, no fewer than 14 days prior to the change taking effect;
- Display a prominent in-platform notification for a minimum of 30 days following the effective date of the change.
Your continued access to or use of the Services following the effective date of any revision constitutes your acceptance of the updated Policy. If you do not agree to any material change, you must cease use of the Services and may request deletion of your account and personal data in accordance with Section 8 before the change takes effect. Non-material clarifications or editorial corrections may be made without notice.
Section 14 — Grievance Officer
Grievance redressal mechanism
In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and in anticipation of the Grievance Appellate Committee framework under the DPDPA 2023, DST Global has designated a Grievance Officer to address data protection and privacy concerns raised by users.
Any Data Principal who has a grievance regarding the processing of their personal data, or considers that their rights under applicable law have not been adequately addressed, may submit a formal complaint to the Grievance Officer. Complaints will be acknowledged within 48 hours of receipt and substantively addressed within 30 calendar days.
If your grievance is not resolved to your satisfaction within the stated timeframe, you may escalate the matter to the Data Protection Board of India (upon its formal establishment under the DPDPA 2023) or seek such other remedies as may be available under applicable Indian law.
Section 15 — Contact Details
How to contact DST Global
For general privacy enquiries, data rights requests, or questions regarding this Policy, please contact us using the details below. All communications should be in English or Hindi. We respond to all enquiries within 3 business days.
Legal Disclaimer: This Privacy Policy has been prepared for general informational and operational purposes and reflects DST Global's current data processing practices. It does not constitute legal advice. DST Global strongly recommends that you seek independent legal counsel if you have specific questions regarding your rights or obligations under applicable data protection law.
This Policy is an integral part of the DST Global Terms of Service and is incorporated by reference therein. In the event of any conflict between this Policy and the Terms of Service regarding personal data, this Policy shall prevail.
This document was last reviewed by the DST Global management team on 09 June 2026. Version history is maintained internally and available upon written request to our Grievance Officer.