
Privacy Policy

Effective date: 1 April 2025 · Last updated: 1 April 2025

PiTech Studio ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, your rights, and our compliance obligations under Nepal's Individual Privacy Act, 2075 (2018), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable laws.

1. Data Controller Information

Data Controller: PiTech Studio

Country of Registration: Nepal

Privacy Contact: privacy@pitech.com.np

Data Protection Officer (DPO): For GDPR-related enquiries, contact our DPO at dpo@pitech.com.np.

If you are in the European Economic Area, PiTech Studio acts as data controller for personal data processed through the Service. EU/EEA users may also contact our EU Representative at eu-rep@pitech.com.np.

2. Data We Collect and Why

2.1 Account Registration Data

Data                     | Purpose                                    | Legal Basis / Note
-------------------------|--------------------------------------------|---------------------------------------------
Full name                | Account creation                           | Contract performance
Email address            | Account creation, communication, billing   | Contract performance, legitimate interests
Password (bcrypt hashed) | Authentication — plaintext never stored    | Contract performance
Account role             | Access control (User / Admin)              | Contract performance

2.2 Usage and Audit Data

Data                        | Purpose                                     | Legal Basis / Note
----------------------------|---------------------------------------------|---------------------------------------------
URLs submitted for audit    | Delivering audit results, storing history   | Contract performance, legitimate interests
Audit results and scores    | Displaying reports, trend analysis          | Contract performance
Audit timestamps            | Quota enforcement, history display          | Contract performance
Plan and subscription data  | Billing, feature access control             | Contract performance

2.3 Technical Data (Automatically Collected)

Data                                   | Purpose                                      | Legal Basis / Note
---------------------------------------|----------------------------------------------|---------------------------------------
IP address                             | Rate limiting, fraud prevention, security    | Legitimate interests, legal obligation
Browser user-agent                     | Compatibility, security logging              | Legitimate interests
Access logs (URL, method, status code) | Security monitoring, debugging               | Legitimate interests, legal obligation
Session tokens (JWT)                   | Authentication                               | Contract performance

We log only the minimum data necessary for security and operational purposes. In production, request bodies (which may contain credentials or personal data) are never logged.

2.4 Lead Email Data (Unregistered Users)

When an unregistered visitor requests their PDF audit report, we collect:

Data                  | Purpose                                                              | Legal Basis / Note
----------------------|----------------------------------------------------------------------|--------------------------------
Email address         | Delivering the requested report, future email marketing (with consent) | Consent, legitimate interests
Audit URL submitted   | Context for report delivery                                          | Legitimate interests

Important: By submitting your email to receive a report, you consent to us storing your email address and sending you the requested report. You may also receive occasional product updates. You can unsubscribe at any time using the link in any email we send.

2.5 Connected Site Credentials (Content Optimizer Add-on)

If you use the Content Optimizer, you may provide CMS credentials (WordPress Application Passwords, WooCommerce API keys, Shopify tokens). These are:

  • Encrypted at rest using AES-256-GCM before storage
  • Never transmitted to third parties
  • Decrypted only transiently during operations you explicitly initiate
  • Deleted immediately upon disconnection or account termination

2.6 Guest Audit Tracking (Unregistered Users)

To enforce fair use limits, we store the hashed IP address and domain of unregistered user audits for a rolling 15-day period. This data is not linked to any personally identifiable information and is automatically purged.

2.7 Communication Data

If you contact our support team, we retain the contents of that communication to resolve your enquiry and for quality assurance. Support communications are stored for a maximum of 3 years.

3. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), we rely on the following legal bases under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)): Processing necessary to deliver the Service you have subscribed to — account management, audit delivery, billing.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, and product analytics.
  • Legal obligation (Art. 6(1)(c)): Compliance with applicable laws including tax, accounting, and law enforcement requests.
  • Consent (Art. 6(1)(a)): Email marketing communications to leads and newsletter subscribers. You may withdraw consent at any time.

For special category data, we do not knowingly process such data and users should not submit it.

4. Nepal — Individual Privacy Act 2075 (2018) Compliance

Nepal's Individual Privacy Act, 2075 (2018) ("IPA") grants individuals specific rights regarding their personal information. We comply with the IPA as follows:

  • Lawful collection: We collect personal information only for the specific, disclosed purposes described in this Policy.
  • Consent: Where the IPA requires consent as a basis for collection, we obtain it before collecting data.
  • Access and correction: Nepali users have the right to access personal information we hold about them and to request correction of inaccurate data.
  • Prohibition on disclosure: We do not disclose personal information to third parties except as described in Section 6 and as permitted by the IPA.
  • Security: We implement technical and organisational measures appropriate to the sensitivity of the data and required by the IPA.
  • Data localisation: We are aware of Nepal's emerging data localisation requirements and will comply with any mandatory localisation rules enacted under Nepali law. Users requiring data storage within Nepal should contact us at privacy@pitech.com.np.

For privacy-related grievances under Nepali law, you may also approach the Department of Information Technology, Ministry of Communication and Information Technology, Nepal.

5. How We Use Your Data

  • Providing, operating, and improving the Service
  • Processing your transactions and managing your subscription
  • Sending transactional emails (account verification, password reset, billing notifications)
  • Sending product updates, feature announcements, and marketing communications (you may opt out at any time)
  • Enforcing audit quotas and preventing abuse
  • Detecting and preventing fraud, security incidents, and Terms violations
  • Complying with legal obligations
  • Aggregated, anonymised product analytics (no individual tracking)
  • Responding to your support enquiries

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

6. Data Sharing and Third Parties

We share personal data only in the following circumstances:

6.1 Service Providers (Data Processors)

Provider                                    | Purpose                                     | Location / Privacy Policy
--------------------------------------------|---------------------------------------------|---------------------------------------
Anthropic, PBC (Claude AI)                  | AI analysis of submitted URLs               | USA — Anthropic Privacy Policy
Google LLC (PageSpeed Insights API)         | Website performance data                    | USA — Google Privacy Policy
Email delivery provider (Nodemailer / SMTP) | Sending transactional and marketing emails  | As configured
Cloud infrastructure provider               | Hosting and storage                         | As applicable
Stripe, Inc.                                | International payment processing            | USA — Stripe Privacy Policy
eSewa / Khalti / FonePay / ConnectIPS       | Nepal payment processing                    | Nepal — respective privacy policies

All processors are bound by data processing agreements and may only process your data on our documented instructions.

6.2 Legal Disclosures

We may disclose data when required by law, court order, or governmental authority — including under Nepal's Electronic Transactions Act 2063 and applicable law enforcement requests. We will notify you of such requests where legally permitted.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquirer. You will be notified 30 days in advance with the option to delete your account.

7. International Data Transfers

Your data may be processed in countries outside Nepal, including the United States (Anthropic, Google, Stripe) and potentially the EU/EEA. We ensure such transfers comply with applicable law by:

  • Relying on the EU Standard Contractual Clauses (SCCs) for transfers to non-adequate countries under GDPR
  • Ensuring US processors participate in adequate frameworks or have appropriate safeguards
  • Assessing transfer impact and implementing supplementary measures where required

8. Data Retention

Data                        | Retention Period
----------------------------|------------------------------------------------------------------------------------------
Account data                | 90 days after account deletion
Audit history and reports   | 90 days for Free, 60 days Standard, 90 days Pro, unlimited Agency (deletable on request)
Security logs               | 12 months
Billing records             | 7 years (tax and accounting obligations — Nepal VAT Act and Company Act)
Lead emails                 | 2 years (then deleted or anonymised)
Guest audit IP records      | 15 days (rolling, auto-purged)
Support communications      | 3 years
Encrypted CMS credentials   | Deleted immediately upon disconnection or account deletion

You may request early deletion of your personal data subject to our retention obligations under law.

9. Your Rights

Depending on your location, you have the following rights:

All Users

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
  • Opt-out of marketing: Unsubscribe from marketing emails at any time using the link in any email or by contacting us

EEA / UK Users (GDPR / UK GDPR)

  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Request restriction of processing in certain circumstances
  • Object: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent, withdraw it at any time
  • Lodge a complaint: File a complaint with your local supervisory authority (e.g., ICO in the UK, your national DPA in the EU)

California Users (CCPA / CPRA)

  • Know / Access: Know what personal information we collect, use, share, or sell (we do not sell)
  • Delete: Request deletion of your personal information
  • Opt-out of sale: We do not sell personal information
  • Non-discrimination: We will not discriminate for exercising your rights

Nepali Users (Individual Privacy Act 2075)

  • Right to access personal information held about you
  • Right to correction of inaccurate information
  • Right to complain to the Department of Information Technology

To exercise any of these rights, contact us at privacy@pitech.com.np. We will respond within 30 days (or 72 hours for urgent security requests).

10. Security

We implement industry-standard technical and organisational security measures including:

  • TLS 1.2+ encryption for all data in transit
  • AES-256-GCM encryption for credentials at rest
  • bcrypt (cost factor 12) password hashing
  • JWT authentication with algorithm pinning (HS256) and 7-day expiry
  • SSRF protection preventing server-side requests to internal infrastructure
  • Security headers (CSP, HSTS, X-Frame-Options) on all responses
  • Rate limiting on all endpoints, with stricter limits on authentication routes
  • Account lockout after repeated failed login attempts
  • Regular dependency vulnerability scanning

Despite these measures, no system is 100% secure. In the event of a data breach affecting your personal data, we will notify you within 72 hours in accordance with GDPR Article 33 and applicable Nepali law.

11. Children's Privacy

The Service is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If we discover we have collected data from a child under 18, we will delete it promptly. Parents or guardians who believe their child has provided us with personal data should contact privacy@pitech.com.np.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to registered users by email and via a notice on the Service at least 30 days before the change takes effect. The "Last updated" date at the top of this page will always reflect the most recent version. Continued use of the Service after the effective date constitutes your acceptance of the updated Policy.

13. Contact

For any privacy-related questions, data requests, or complaints:

EU users: You have the right to lodge a complaint with your national data protection authority. UK users: Information Commissioner's Office (ICO) — ico.org.uk.

This Privacy Policy was drafted to comply with Nepal's Individual Privacy Act 2075, EU GDPR, UK GDPR, CCPA/CPRA, and international best practices. It was last reviewed on 1 April 2025.