Legal

Privacy Policy

How Real Craft Tech Pvt. Ltd. collects, uses, shares and protects personal data when you use Crove — and how we handle the data of the recipients and signers your documents reach.

Effective
11 June 2026
Version
2.0
Entity
Real Craft Tech Pvt. Ltd.

Last updated: 11 June 2026

On this page

1. Introduction

This Privacy Policy explains how Real Craft Tech Pvt. Ltd.(“Real Craft Tech”, “Crove”, “we”, “us”, “our”) collects, uses, discloses and safeguards personal data in connection with the Crove website and the Crove document-automation and electronic-signature application (together, the “Service”).

We are committed to processing personal data in accordance with India’s Digital Personal Data Protection Act, 2023(the “DPDP Act”) and the rules made under it, and the Information Technology Act, 2000 and its rules. This Policy should be read together with our Terms of Service.

By creating an account or using the Service, you acknowledge that you have read and understood this Policy. Where the law requires consent, we ask for it separately and you may withdraw it at any time.

2. Who we are (Data Fiduciary)

For personal data we determine the purpose and means of processing, the Data Fiduciary under the DPDP Act is:

  • Entity: Real Craft Tech Pvt. Ltd.
  • Registered office: Office 46, 10th Floor, Sushma Infinium, Zirakpur, Punjab - 140603, India
  • Corporate Identity Number (CIN): U72900CH2014PTC035110
  • Contact: hello@crove.app

Our Grievance Officer’s details are in the Grievance Officer and contact section below.

3. Our two roles: Fiduciary and Processor

Crove processes personal data in two distinct capacities.

As a Data Fiduciary

When you sign up for and use Crove, we decide how your account and usage data is processed — for example your name, email, login credentials and the records we keep to operate, secure and bill the Service. For this data we are the Data Fiduciary and this Policy governs our processing.

As a Data Processor

When you build templates, generate documents, collect form responses, or send documents for signature, you decide what personal data goes into that content and why. That includes the personal data of your document recipients and signers, who may not have a Crove account. For this Customer Content you are the Data Fiduciary and we act as your Data Processor, processing it only on your instructions to provide the Service. If you are a recipient or signer and want to exercise your rights over a document, please contact the Crove customer who sent it to you; we will support them in responding.

4. Personal data we collect

Data you provide directly

  • Account data — first name, last name, email address and password (stored only in hashed form). Optionally, your phone number, company name and role, and a profile image if you add them.
  • Customer Content — the templates, documents, form fields and responses you create or upload, including any personal data they contain, and files such as images you add to documents.
  • Recipient & signer data — for people you invite to fill or sign a document: their email address and role, the responses they enter, their drawn electronic signature, and their explicit consent to sign electronically.
  • Billing data — for paid plans, your billing name and email and subscription details. Card and payment-instrument details are collected and processed directly by our payment processor, not stored by us.
  • Support communications — messages you send us by email, the contact form, or the live-chat widget.

Data collected automatically

  • Device & log data — IP address, browser type, and timestamps, collected for security, abuse prevention and reliability.
  • Signing audit data — to preserve the legal validity of an electronic signature, we record an audit trail of signing events (such as when a document was sent, opened, submitted and completed) together with associated timestamps.
  • Usage data — basic information about how the Service is used, to operate and improve it.

Data from third parties

  • Sign in with Google — if you choose to sign in with Google, we receive your Google account email and basic profile information to create or match your account.

We do not sell personal data, and we do not use the content of your documents to train AI models.

5. Purposes and lawful basis

Under the DPDP Act we process personal data either with your consent (Section 6) or for a legitimate use permitted by the Act (Section 7). The table below sets out why we process data and on what basis.

Purposes of processing and the lawful basis for each
PurposePersonal data usedLawful basis (DPDP Act, 2023)
Create and operate your accountName, email, hashed passwordConsent given at sign-up (s.6)
Provide the Service you request — templates, document generation, e-signature and deliveryAccount data, Customer Content, recipient & signer dataConsent / the purpose for which you provided the data (s.6, s.7)
Authenticate users, secure accounts and prevent abuseEmail, IP and device/log data, anti-bot challenge tokenLegitimate use — security and fraud prevention (s.7)
Send transactional and service messagesName, emailConsent / performance of the requested service (s.6, s.7)
Process payments and manage subscriptionsBilling name and email, subscription recordsConsent and compliance with legal/tax obligations (s.6, s.7)
Provide support and respond to enquiriesName, email, your messagesConsent (s.6)
Comply with law and respond to lawful requestsRelevant account and document recordsLegitimate use — compliance with applicable law (s.7)

6. How we handle recipient and signer data

When a Crove customer sends you a document through a shareable link, you can open and complete it without creating an account. In that flow we process, on the customer’s behalf:

  • your email address and assigned role on the document;
  • the information you enter into the document’s fields;
  • your electronic signature and your explicit consent that it is your signature; and
  • audit-trail data — timestamps and signing events — recorded to support the legal validity of the signed document.

The completed document and its audit trail are made available to the customer who created it. Because that customer is the Data Fiduciary for this content, requests to access, correct or erase it are directed to them, and we assist them as their Data Processor.

7. Cookies and similar technologies

We use a small number of cookies and similar browser storage that are strictly necessary to run the Service — for example to keep you signed in and to maintain your session securely.

We do not currently use third-party web-analytics or advertising cookies. Our optional live-chat widget sets cookies to maintain a chat session if you open it. If we introduce analytics in future, we will update this Policy and, where required, request your consent.

8. Sharing and sub-processors

We do not sell personal data. We share it only with service providers (“sub-processors”) that process it under contract and on our instructions to operate the Service, and where required by law or to protect rights and safety. Our current sub-processors are:

Sub-processors and the data shared with each
Sub-processorFunctionData sharedLocation
DigitalOceanApplication hosting and PostgreSQL databaseAccount, document, template and signer dataBangalore, India
VercelWebsite and app frontend hosting / CDNIP address and request metadataGlobal edge (US-primary)
Amazon Web Services (S3)Object storage for uploaded images and document assetsFiles you upload into templates and documentsMumbai, India (ap-south-1)
ResendTransactional email deliveryRecipient name, email and document linksUSA
StripePayment processing and subscription billingBilling name and email; card details handled directly by StripeGlobal
CrispLive-chat support widgetChat messages, email if provided, page contextEU (France)
Cloudflare (Turnstile)Bot and abuse prevention at sign-upIP address and challenge tokenGlobal
InngestEvent-driven notification dispatchDocument event metadata and recipient emailUSA
GoogleOptional “Sign in with Google”Google account email and basic profile (only if you use it)Global
AnthropicOptional AI integration via our MCP connectorOnly the template/document data you explicitly request through the API; not used to train modelsUSA

Our PDF-rendering service (Gotenberg) runs on our own DigitalOcean infrastructure and is not a separate external recipient of your data. We will keep this list current as our sub-processors change.

9. Cross-border data transfers

Your account data, documents and signer data are hosted on our primary infrastructure in Bangalore, India. Some supporting sub-processors listed above operate outside India (for example for frontend delivery, payments, live chat and optional AI features). Where personal data is transferred outside India, we do so in accordance with the DPDP Act and any restrictions notified by the Central Government, and we take steps intended to ensure the data continues to receive an appropriate level of protection through our contracts with those providers.

10. Data retention

We keep personal data only as long as needed for the purposes above or as required by law, after which we delete or anonymise it. Indicative periods:

Data categories and retention periods
Data categoryRetention
Account profile dataFor the life of your account; deleted within 90 days of account closure
Documents, templates and form responsesUntil you delete them or close your account
Completed signed documents and audit trailWhile your account is active; retained thereafter as needed to preserve the legal validity of signed documents
Billing and invoice recordsUp to 8 years, as required by Indian tax and company law
Support and live-chat logsUp to 24 months
Server and security logsUp to 180 days

11. Your rights as a Data Principal

Subject to the DPDP Act, where we are the Data Fiduciary you have the right to:

  • Access a summary of the personal data we process about you and the processing activities;
  • Correction, completion and updating of inaccurate or incomplete personal data;
  • Erasure of your personal data where it is no longer needed for the purpose it was collected;
  • Withdraw consent at any time, as easily as it was given (this does not affect processing already carried out);
  • Grievance redressal through our Grievance Officer; and
  • Nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, email hello@crove.app. We may need to verify your identity before acting. Where we process data as a Processor on a customer’s behalf, we will refer your request to that customer. You also have the right to lodge a complaint with the Data Protection Board of India.

12. Security measures

We take reasonable technical and organisational measures to protect personal data, including:

  • encryption of data in transit using HTTPS/TLS;
  • encryption of data at rest;
  • storing account passwords only in hashed form;
  • access controls and authentication on accounts, with document signing links gated by secret tokens;
  • restricting access to production data to authorised personnel on a need-to-know basis;
  • regular backups of stored data; and
  • hosting on reputable managed infrastructure providers.

No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

13. Children’s data

The Service is intended for users aged 18 and over and is not directed to children. Consistent with Section 9 of the DPDP Act, we do not knowingly process the personal data of a child without verifiable consent of a parent or lawful guardian, and we do not undertake tracking, behavioural monitoring or targeted advertising directed at children. If you believe a child has provided us personal data, contact us and we will delete it.

14. Personal data breach notification

We maintain an internal process to detect, assess and respond to personal data breaches. In the event of a breach, we will notify the Data Protection Board of India and affected Data Principals in the manner and within the timelines required by the DPDP Act and the DPDP Rules.

15. Changes to this Policy

We may update this Policy from time to time. When we make material changes we will revise the “Effective” date and version above and, where appropriate, notify you. Your continued use of the Service after an update takes effect constitutes acknowledgement of the revised Policy.

16. Grievance Officer and contact

For any questions, requests or complaints about this Policy or your personal data, contact our Grievance Officer:

  • Grievance Officer: Gourav Manchanda
  • Entity: Real Craft Tech Pvt. Ltd.
  • Address: Office 46, 10th Floor, Sushma Infinium, Zirakpur, Punjab - 140603, India
  • Email: hello@crove.app

We will acknowledge and respond to grievances within the timelines required under applicable law.