Privacy Policy
Tacten Services LLP is the sole Data Controller for Espresso Cloud. Effective: June 1, 2025 · Version: v2.0 Primary Law: Digital Personal Data Protection Act, 2023 (India)
This Privacy Policy explains how Tacten Services LLP ("Tacten", "we", "us", or "our"), operating the cloud platform under the brand name Espresso Cloud, handles your personal data when you use our services — including Frappe-based managed hosting environments, the Hydra AI Coding Agent (Frappe/ERPNext only), Espresso Sites static and frontend hosting, and the Bring Your Own Cloud (BYOC) service.
This Policy applies to: Customers who register for and use Espresso Cloud services; End Users authorised by a Customer to access services; and Visitors who browse espresso.zimplify.tech.
Important Scope Note
This Policy does not cover data that Customers collect from their own users through applications hosted on Espresso Cloud. In that context, Tacten Services LLP acts as a Data Processor for the Customer (Data Controller). That relationship is governed by a separate Data Processing Agreement (DPA) — not this Policy. Request a DPA at legal@espresso.zimplify.tech.
1. Data Controller
Tacten Services LLP is the sole Data Controller for all personal data collected through Espresso Cloud.
| Detail | Information |
|---|---|
| Legal Name | Tacten Services LLP |
| Brand | Espresso Cloud |
| Registered Address | Flat #1110, Aratt Requizza Apts, Gollahalli Road, Electronic City, Bengaluru, Karnataka, India — 560100 |
| Privacy Contact | privacy@espresso.zimplify.tech |
| Grievance Officer (India) | grievance@espresso.zimplify.tech |
| Security Incidents | security@espresso.zimplify.tech |
| Primary Applicable Law | Digital Personal Data Protection Act, 2023 (India) |
| Additional Laws | Applicable data protection laws in the Customer's jurisdiction where required |
2. Data Protection Principles
All data processing by Tacten Services LLP is governed by the following binding principles:
- Lawfulness, Fairness & Transparency — We process personal data only where we have a valid legal basis, and we tell you clearly what we collect and why before we collect it.
- Purpose Limitation — We collect personal data only for specified, explicit, and legitimate purposes and never use it for incompatible purposes.
- Data Minimisation — We collect only what is adequate, relevant, and strictly necessary. We do not collect data "just in case".
- Accuracy — We keep personal data accurate and up to date. Customers can update their information at any time via the dashboard.
- Storage Limitation — We retain personal data only as long as necessary. See Section 7 for our full retention schedule.
- Integrity & Confidentiality — We implement appropriate technical and organisational security measures to protect personal data.
3. Personal Data We Collect
3.1 Account and Registration Data
Full name; email address; company name; country and billing address; phone number (optional, for 2FA and critical alerts); and profile information you voluntarily provide.
3.2 Billing and Payment Data
Billing name and address; GST/Tax ID (where applicable); invoice records and transaction history. Payment card and bank details are collected and stored exclusively by Razorpay (INR) and Razorpay International (USD). We never store raw card numbers on our servers.
3.3 Platform Usage Data
Login timestamps and IP addresses; browser and device information; dashboard activity logs; API call logs; environment resource metrics (CPU, memory, storage, bandwidth); error logs and crash reports; and deployment events and build logs.
3.4 Hydra AI Session Data
Hydra AI — Frappe Sites Only
Hydra AI is available exclusively in Frappe-based Development Environments. It is not available in Espresso Sites (static/frontend) deployments.
When you use Hydra AI, we process: prompts and code snippets you submit; AI responses and generated code; session metadata (timestamp, environment ID, duration, token count); and optional feedback ratings. Session data is processed solely to generate responses, retained for a maximum of 30 days, then permanently and irreversibly deleted. We never use your Hydra AI data to train AI models without your explicit opt-in consent.
3.5 Espresso Sites Deployment Data
Repository connection metadata; build logs and deployment history; custom domain names; SSL certificate metadata; and aggregate visitor statistics (page views, geographic region, referral sources) where analytics are enabled. We do not collect individual visitor personal data through our default analytics.
3.6 BYOC Service Data
Cloud provider account identifiers and IAM roles granted to Espresso Cloud; management plane telemetry (deployment events, scaling actions, health checks, resource names); and orchestration error logs. We do not access, read, or store application data within your cloud provider account.
3.7 Communications Data
Support ticket content and correspondence; email message content; survey responses; and marketing email engagement data (where you have opted in).
3.8 Special Categories of Personal Data
Special Categories — Not Intentionally Collected
Espresso Cloud does not intentionally collect or process special categories of personal data (health data, biometric data, racial or ethnic origin, religious beliefs, political opinions, or genetic data) as defined under DPDPA 2023 and applicable data protection law. If you inadvertently include such data, please notify us at privacy@espresso.zimplify.tech.
3.9 Cookies
| Category | Cookies | Purpose | Duration | Consent |
|---|---|---|---|---|
| Strictly Necessary | ec_session, ec_csrf | Login session, CSRF protection | Session | Not required |
| Functional | ec_prefs, ec_lang | Dashboard preferences (theme, language) | 1 year | Not required |
| Analytics | _ga, _gid, ec_analytics | Aggregate usage analytics. No cross-site tracking. | 2 years | Consent required |
| Marketing | ec_utm | Sign-up attribution to campaigns | 90 days | Consent required |
Manage cookie preferences via the Cookie Preferences link in the dashboard footer. Disabling analytics and marketing cookies will not affect platform use.
4. Legal Basis for Processing
We process personal data only where we have a valid legal basis under applicable law, primarily the Digital Personal Data Protection Act, 2023 (DPDPA 2023). Each processing purpose is mapped below:
| Purpose | Data Used | Legal Basis (DPDPA 2023) |
|---|---|---|
| Account creation & authentication | Name, email, password hash, 2FA data | Contract performance; Consent (DPDPA) |
| Delivering and operating the Services | Account data, usage logs, environment metrics | Contract performance |
| Billing and payment processing | Billing address, payment tokens, transaction records | Contract performance; Legal obligation (tax/GST) |
| Hydra AI code assistance (Frappe only) | Prompts, code snippets, session metadata | Contract performance; Consent for opt-in model training |
| Security monitoring & fraud prevention | IP address, login logs, API logs, error logs | Legitimate interest; Legal obligation |
| Platform improvement & analytics | Aggregate usage metrics, crash reports | Legitimate interest; Consent for non-essential analytics |
| Customer support | Ticket content, account data, usage logs | Contract performance; Legitimate interest |
| Legal & regulatory compliance | Account data, transaction records, correspondence | Legal obligation |
| Marketing communications | Email address, name, product usage | Consent — freely given, specific, informed, withdrawable |
| Service notifications & critical alerts | Email, phone number (if provided) | Contract performance; Legitimate interest |
Legitimate Interests Assessments (LIAs)
Where we rely on legitimate interests, we have conducted and documented Legitimate Interests Assessments confirming our interests are not overridden by your rights and freedoms. LIAs are available on request at privacy@espresso.zimplify.tech.
5. Consent
5.1 How We Obtain Consent
Where processing is based on consent, we obtain it through clear, affirmative action — either by ticking an unchecked checkbox during account registration, or clicking an explicit opt-in button in the dashboard. We do not use pre-ticked boxes, bundled consent, or silence as a mechanism for consent. For Indian data principals, consent is obtained per Section 6 of DPDPA 2023 with a notice specifying the data and purpose.
5.2 Granular Consent
Consent is obtained separately for each distinct processing purpose. You may consent to service notifications without consenting to marketing, and vice versa.
5.3 Withdrawing Consent
You may withdraw consent at any time without detriment. Withdrawal does not affect prior lawful processing. To withdraw: (a) update preferences in dashboard Settings → Privacy; (b) click "Unsubscribe" in any marketing email; or (c) email privacy@espresso.zimplify.tech.
6. How We Share Your Data
We Do Not Sell Your Data
Tacten Services LLP does not sell, rent, lease, or trade your personal data to any third party for marketing, advertising, or commercial purposes. We share data only as described below.
6.1 Sub-processors
All sub-processors are bound by Data Processing Agreements requiring them to process data only on our instructions and maintain appropriate security. Full current list: espresso.zimplify.tech/sub-processors — 30 days' notice before adding any new sub-processor.
| Sub-processor | Purpose | Data Shared | Location | Safeguard |
|---|---|---|---|---|
| Razorpay | INR payment processing | Billing name, email, payment token | India | DPA |
| Razorpay International | USD payment processing | Billing name, email, payment token | Global | DPA + SCCs |
| Amazon Web Services | Cloud hosting infrastructure | All platform data in AWS data centres | India / Global | DPA + SCCs |
| AI Inference Provider | Hydra AI — Frappe only | Code & prompts from Frappe Dev environments only | See sub-processors page | DPA + SCCs |
| Email Delivery Provider | Transactional emails | Name, email, email content | USA | DPA + SCCs |
| Support Platform | Customer support ticketing | Name, email, ticket content, account metadata | USA | DPA + SCCs |
| Cloudflare | CDN, DDoS protection, DNS | IP address, request metadata (no content) | Global | DPA + SCCs |
7. Data Retention
| Data Category | Retention Period | Post-Retention Action | Legal Basis |
|---|---|---|---|
| Account registration data | Account term + 3 years | Anonymised or deleted | Contract / Legal obligation |
| Billing & transaction records | 7 years from transaction | Deleted | Legal obligation (GST / tax law) |
| Platform usage & API logs | 90 days (rolling) | Permanently deleted | Legitimate interest (security) |
| Hydra AI session data (Frappe only) | 30 days maximum | Permanently & irreversibly deleted | Contract; no model training without consent |
| Espresso Sites build & deploy logs | 90 days | Permanently deleted | Legitimate interest |
| BYOC management telemetry | 30 days post-termination | Permanently deleted | Contract (billing reconciliation) |
| Support correspondence | 3 years from ticket closure | Archived then deleted | Legitimate interest |
| Security incident records | 5 years | Archived securely | Legal obligation |
| Marketing consent records | Until withdrawn + 3 years | Deleted | Legal obligation (proof of consent) |
8. Data Security
Security Commitment
We implement industry-standard technical and organisational security measures. No internet transmission is 100% secure, but we apply measures appropriate to the risk and sensitivity of the data processed.
- Encryption in transit: TLS 1.2+ for all data between your browser, our API, and infrastructure.
- Encryption at rest: AES-256 encryption for all stored personal data, database backups, and file storage.
- Access controls: RBAC; strict need-to-know internal access; MFA required for all internal systems.
- Network isolation: Logical and physical isolation between all customer environments.
- Vulnerability management: Regular automated scanning; periodic independent penetration testing; responsible disclosure programme.
- Security monitoring: 24×7 event monitoring; automated anomaly detection; defined incident response procedures.
- Employee controls: Mandatory data protection training; contractual confidentiality obligations for all staff.
9. International Data Transfers
9.1 Default Data Residency
By default, all Customer personal data is stored in data centres in India. International hosting plans with alternative data residency are available on request.
9.2 Transfer Safeguards
Transfers to sub-processors outside India are made under:
- Data Processing Agreements (DPAs) with all sub-processors incorporating appropriate technical and organisational measures.
- Contractual safeguards and applicable legal mechanisms as required by the laws of the countries involved in the transfer.
9.3 BYOC Data Transfers
Data in your BYOC cloud account (AWS, Azure, or GCP) is subject to that provider's data transfer policies and your chosen regions. Tacten's transfer safeguards apply only to data processed on Espresso Cloud's own infrastructure.
10. Your Data Rights
How to Exercise Your Rights
Email privacy@espresso.zimplify.tech (all users) or grievance@espresso.zimplify.tech (India). We respond within the timeframes below. We may need to verify your identity first. No fee unless requests are manifestly unfounded or excessive.
| Right | What It Means | Response Time |
|---|---|---|
| Access | Receive a copy of the personal data we hold about you and how it is processed. | 30 days |
| Correction | Request correction of inaccurate or incomplete personal data. | 30 days |
| Erasure | Request deletion of your personal data where we no longer have a legal basis to retain it. | 30 days |
| Portability | Receive your personal data in a structured, machine-readable format. | 30 days |
| Withdraw Consent | Withdraw consent for any consent-based processing at any time without penalty. | Immediate |
| Object to Direct Marketing | Object to processing of your data for direct marketing at any time. Absolute right — we stop immediately. | Immediate |
| Nominate Representative | Nominate another person to exercise rights on your behalf in the event of death or incapacity (DPDPA 2023). | 30 days |
| Lodge a Complaint | Lodge a complaint with the Data Protection Board of India (or MeitY in the interim) if unsatisfied with our response. | N/A |
Absolute Right — Object to Direct Marketing
You have an absolute right to object to the processing of your personal data for direct marketing at any time, regardless of the legal basis used. We will immediately stop all direct marketing upon your objection. To exercise this right: click "Unsubscribe" in any marketing email, update preferences in the dashboard, or email privacy@espresso.zimplify.tech.
10.2 Supervisory Authority
If you are not satisfied with how we handle your personal data or your rights request, you may lodge a complaint with the Data Protection Board of India (once constituted under DPDPA 2023). In the interim, you may escalate to the Ministry of Electronics and Information Technology (MeitY): www.meity.gov.in. You may also contact our Grievance Officer directly at grievance@espresso.zimplify.tech.
11. Children's Privacy
No Data from Minors
Espresso Cloud is not directed to children or minors. We do not knowingly collect personal data from: individuals under 13 (COPPA, USA); individuals under 18 (DPDPA 2023, India); or individuals under the applicable digital age of consent in their EU/UK jurisdiction (13–16 years). If we discover we have collected data from a minor, we will delete it immediately.
Parents or guardians who believe their child has provided data: contact privacy@espresso.zimplify.tech or grievance@espresso.zimplify.tech immediately.
12. Hydra AI & Automated Decisions
12.1 Hydra AI Scope
Hydra AI is available exclusively in Frappe-based Development Environments (Frappe Framework and ERPNext). It is not available in Espresso Sites environments. Session data is retained for a maximum of 30 days and then permanently deleted. We do not use your Hydra AI data to train AI models without your explicit opt-in consent.
12.2 No Solely Automated Decisions with Legal Effects
Espresso Cloud does not make decisions about you based solely on automated processing that produce legal or similarly significant effects (Article 22 / DPDPA 2023). Our automated systems (billing alerts, usage monitoring, anomaly detection) do not produce decisions with significant legal consequences for individual users. If this changes, we will update this Policy and obtain consent where required.
12.3 AI Inference Provider
Hydra AI is powered by third-party AI inference infrastructure. The provider's identity is disclosed at espresso.zimplify.tech/sub-processors. We contractually require our AI inference provider to: not use data to train models; maintain strict data confidentiality; delete session data within 30 days; and comply with applicable data protection laws. A Data Processing Agreement is in place with our AI inference provider.
13. Data Breach Notification
- Notify the relevant regulatory authority within 72 hours of becoming aware of a breach (CERT-In under the IT Rules, 2022 for incidents affecting Indian personal data).
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Maintain an internal breach register recording all known or suspected breaches, their impact, and remedial actions.
If you believe your personal data has been compromised: security@espresso.zimplify.tech.
14. Third-Party Services & BYOC
Espresso Cloud may contain links to third-party websites or integrations. This Privacy Policy does not apply to those services. For BYOC customers, data stored within your AWS, Azure, or GCP account is governed by that provider's privacy policies and the regions you have selected — entirely outside the scope of this Policy.
15. Policy Updates
When we make material changes we will: update the version number and effective date; notify registered Customers by email at least 30 days before changes take effect; display a prominent dashboard notice; and where required by DPDPA 2023, obtain fresh consent. Continued use after the effective date constitutes acceptance.
17. Grievance Officer — India (DPDPA 2023)
In compliance with the Digital Personal Data Protection Act, 2023 and the IT (Intermediary Guidelines) Rules, 2021, Tacten Services LLP has appointed a Grievance Officer:
| Detail | Information |
|---|---|
| Designation | Grievance Officer — Tacten Services LLP (Espresso Cloud) |
| grievance@espresso.zimplify.tech | |
| Postal Address | Grievance Officer, Tacten Services LLP, Flat #1110, Aratt Requizza Apts, Gollahalli Road, Electronic City, Bengaluru, Karnataka, India — 560100 |
| Acknowledgement | Within 48 hours of receipt |
| Resolution Time | Within 30 days of receipt |
| Escalation | Data Protection Board of India (once constituted) or MeitY in the interim: www.meity.gov.in |
18. Contact Us
| Purpose | Contact | Response |
|---|---|---|
| General Privacy Questions | privacy@espresso.zimplify.tech | 3 business days |
| Grievance Officer (India — DPDPA 2023) | grievance@espresso.zimplify.tech | 48 hrs ack · 30 days resolution |
| Data Rights (Access, Erasure, Portability) | privacy@espresso.zimplify.tech | 30 days (extendable to 45) |
| Security (Data Breaches & Incidents) | security@espresso.zimplify.tech | Immediate acknowledgement |
| Legal (DPA Requests & Legal Notices) | legal@espresso.zimplify.tech | 5 business days |
| Postal | Tacten Services LLP, Flat #1110, Aratt Requizza Apts, Gollahalli Road, Electronic City, Bengaluru — 560100, India | — |
© 2025 Tacten Services LLP. All rights reserved. Espresso Cloud is a brand of Tacten Services LLP. Privacy Policy v2.0 · Effective June 1, 2025 · Governed by DPDPA 2023 (India) and applicable data protection laws. See also: Terms of Service.