Privacy Policy — Costimator

This Privacy Policy describes how Create2Inspire Pvt. Ltd. (“we”, “us”, or “Costimator”) collects, uses, stores, and protects your personal data when you access costimator.in or use the Costimator application (the “Service”). It is written to comply with India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000.

By using the Service, you consent to the practices described in this Policy. If you do not agree with these practices, please do not use the Service.

1. Who We Are

Costimator is a cloud-based cost estimation and tender justification platform for engineers working with Indian Schedules of Rates (DSR/DAR/SoR/AoR). It is operated by Create2Inspire Pvt. Ltd., a private limited company incorporated in India in 2017.

Operating Entity: Create2Inspire Pvt. Ltd.

Corporate Identification Number (CIN): U70100UR2017PTC007978

Registered Office: Rishikesh, Uttarakhand, India (full address available on request)

Privacy Contact: Kushal Singh, Founder, available at support@costimator.in

2. What Data We Collect

When you create a Costimator account, we collect the following:

Full name
Email address
Phone number
Organization or company name
Job title or role

We do not collect government department, location, or any tax-identifier information at signup.

2.2 Information You Provide for Specific Purposes

GSTIN (Goods and Services Tax Identification Number): We collect your GSTIN only when you specifically request a GST invoice. GSTIN is not required to use the Service.

Student Verification: If you apply for the Student Plan (50% discount), you will be asked to email proof of student status to support@costimator.in. Submitted ID images are reviewed for verification and deleted from our email systems within 30 days. We retain a record of verification (name, date verified, ID type, expiry) but not the ID image itself.

2.3 Information We Collect Automatically

When you use the Service, we automatically collect:

Estimates, projects, non-scheduled items, justifications, and other data you create within the application
Login timestamps and session data
Pages visited within the application (for product analytics — see Section 4)
Search queries you enter in the search feature
IP addresses (for security, fraud detection, and audit logging)
Device and browser information (browser type, operating system, screen resolution)

We do not collect files or images uploaded by you; the Service does not currently support file or image uploads.

2.4 Payment Information

When you subscribe to a paid plan, payment is processed by Stripe. Stripe handles all card payment details directly. We do not see, store, or have access to your full payment card details. We retain only the transaction reference number, the amount paid, and the subscription plan associated with the payment, for invoicing and tax purposes.

If you pay via direct bank transfer or government Purchase Order, we receive the relevant transaction details (bank reference number, PO number) but no card information.

3. How We Use Your Data

We use the data we collect for the following purposes:

To provide and operate the Service (creating estimates, generating reports, processing subscriptions)
To authenticate your identity and secure your account
To process payments and issue tax invoices
To send transactional emails (password resets, billing receipts, signup confirmations)
To send marketing emails to subscribers who have opted in via double opt-in
To improve the Service through aggregated usage analytics (e.g., feature usage, performance metrics)
To respond to support requests and service inquiries
To detect, prevent, and address fraud, security incidents, or violations of our Terms of Service
To comply with legal obligations (tax records, lawful requests from authorities)

We do not use your data for automated decision-making or AI/ML-based profiling that produces legal or significant effects on you. We do not sell your data, rent it, or share it with advertising networks or data brokers.

4. Third-Party Service Providers

We use a small number of trusted service providers (“processors”) to operate the Service. Each processes your data only to deliver the function described below. We do not share your data with anyone for marketing, advertising, or any purpose unrelated to operating the Service.

Provider	Purpose	Data Shared
Supabase Inc.	Application infrastructure, database hosting, authentication	All account and product data. Data is stored on AWS infrastructure in the Mumbai (ap-south-1) region in India.
Stripe, Inc.	Payment processing for paid subscriptions	Name, email, phone, payment amount, subscription plan. Stripe separately collects card payment details directly from you.
Brevo SA (formerly Sendinblue)	Transactional and marketing email delivery	Name, email address, email engagement data (opens, clicks). Brevo is a French company subject to GDPR and is contractually bound to data protection standards.
Vercel Inc.	Marketing website hosting (costimator.in) and aggregated traffic analytics	Page views, anonymized visitor counts, performance metrics. Vercel Analytics does not use cookies and does not track individual users across sessions.

We may add additional processors in the future. When we do, this Policy will be updated and the change communicated to active users.

5. Where Your Data is Stored

All user account and product data is stored on infrastructure in India. Specifically, our database is hosted on Amazon Web Services (AWS) in the Mumbai region (ap-south-1) via Supabase Inc.

Note that Supabase Inc., though our infrastructure provider, is a US-incorporated company. The physical location of your data is in India; the corporate processor of that data is incorporated in the United States. Brevo (our email provider) stores email-related data on its EU infrastructure.

6. How Long We Keep Your Data

We retain different categories of data for different periods:

6.1 Project Data

Estimates, projects, non-scheduled items, justifications, reports, and other content you create through the Service are retained for the duration of your active subscription. If your subscription expires without renewal, this project data is preserved for 14 days, after which it is permanently deleted from our systems.

During the 14-day grace period, you can renew your subscription and your project data will be restored to full access.

6.2 Account Profile Data

Your account profile information (name, email, phone, organization, job title) is retained indefinitely while your account exists, even after a subscription expires. This allows you to retain your account, view your subscription history, and renew at any time.

Profile data is deleted within 30 days of one of the following events: (a) you submit a verified account deletion request, or (b) we close your account for cause as permitted under our Terms of Service.

6.3 Statutory Retention

Tax-related records (invoices, GST records, payment transaction logs) are retained for 8 years from the date of the relevant transaction, in compliance with Indian tax law. This applies regardless of whether your account is active, expired, or deleted. These records contain transaction-level data only and are kept in secure, access-restricted archives separate from the active product database.

7. Your Rights Under the DPDP Act

As a user residing in India, the DPDP Act, 2023 grants you specific rights regarding your personal data. We honor each of these rights as follows:

7.1 Right of Access

You may request a copy of all personal data we hold about you. The Service already supports this in two ways:

In-app export: You can download all your project data (estimates, reports, NS items, justifications) as Excel files directly from the application.
Other personal data: For account profile data, billing history, login timestamps, or any other data on file, email support@costimator.in. We will provide a complete export within 30 days of receiving a verified request.

7.2 Right of Correction

You may correct your name, phone number, organization, and job title at any time through your account settings within the application. You cannot directly edit your email address (it serves as your primary account identifier). To change your email, contact support@costimator.in; we will verify the change request before processing.

7.3 Right of Erasure (Account Deletion)

You may request deletion of your account and personal data by emailing support@costimator.in. We will process verified deletion requests within 30 days. Project data is hard-deleted from our database; account profile data is removed; statutory records (tax invoices) are retained for the 8-year period required by Indian tax law and are not deletable.

Once deleted, your data cannot be recovered. We will send a confirmation email when deletion is complete.

You may withdraw consent for marketing emails at any time by clicking the unsubscribe link in any marketing email we send, or by emailing support@costimator.in. Withdrawal of marketing consent does not affect transactional emails (billing receipts, password resets, service notifications), which we send as part of operating your account.

7.5 Right to Grievance Redressal

If you have concerns about how your data is being handled, please contact our Privacy Contact:

Kushal Singh, Founder

Email: support@costimator.in

We will acknowledge your grievance within 7 business days and provide a substantive response within 30 days. If you are dissatisfied with our response, you may escalate the matter to the Data Protection Board of India once it becomes operational under the DPDP Act.

8. How We Protect Your Data

We use industry-standard security practices to protect your data, including:

Encryption of data in transit using TLS 1.2 or higher
Encryption of data at rest within our database infrastructure
Access controls limiting employee access to user data on a need-to-know basis
Audit logging of administrative database access
Use of trusted infrastructure providers (Supabase, AWS) that maintain SOC 2 Type II or equivalent certifications

Despite these measures, no system is completely secure. If we become aware of a personal data breach affecting your data, we will notify you and the Data Protection Board (where required) in accordance with the DPDP Act timelines.

9. Cookies and Tracking

Our marketing website (costimator.in) uses minimal tracking. We do not use cookies for advertising or third-party tracking. The only analytics tool currently in use is Vercel Analytics, which is cookieless and does not track individual users across sessions.

Our application (the part you log into) uses session cookies strictly necessary for authentication and security. These are not optional and are required for the Service to function.

For full details on cookie use, please see our Cookie Policy.

10. Children’s Privacy

The Service is intended for use by individuals 18 years of age or older. We do not knowingly collect personal data from individuals under 18. If we discover that an account has been created by a minor, we will close the account and delete associated data. If you believe a minor has provided personal data to us, please contact support@costimator.in.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this Policy will reflect when changes were made. Material changes (such as new categories of data collection, new processors, or material changes to data sharing) will be communicated to active users via email at least 14 days before the change takes effect.

Your continued use of the Service after a Policy update constitutes acceptance of the updated Policy.

12. How to Contact Us

For privacy-related questions, requests, or concerns, contact us at: