What we collect, and what we don’t.

1. Who we are.

TagDrishti (“we”, “us”, “our”) is a real-time Google Tag Manager monitoring platform operated by TagDrishti Technologies. Our registered address is India. We can be contacted at [email protected].

When you use TagDrishti, we act as the Data Controller for your account and billing information. For tag monitoring data collected from your website visitors, you are the Data Controller and we act as your Data Processor under a Data Processing Agreement (DPA).

2. Data we collect.

Account Data

• Name and email address (provided on signup)
• Organisation name and billing address
• Payment information (processed by Paddle.com Market Ltd, our Merchant of Record; we never see or store card numbers)
• Usage data (number of events processed, domains monitored)

Monitoring Data (collected on your behalf)

• GTM tag names, types, fire status, and execution times
• Page URLs and paths (PII parameters are stripped automatically)
• Browser type, device class, viewport dimensions
• Core Web Vitals measurements (LCP, CLS, INP, FCP, TTFB)
• Consent mode signals (analytics_storage, ad_storage, etc.)
• Script domains loaded on monitored pages (for Magecart detection)
• Session IDs (pseudonymised via one-way hash for EU/India users)

Technical Data

• IP addresses (used for rate limiting, not stored long-term)
• API request logs (retained for 30 days for debugging)
• Error logs (retained for 30 days)

3. How we use your data.

• Provide the service: Process tag events, generate alerts, display dashboards
• Billing: Process subscription payments via Paddle (our Merchant of Record), including jurisdiction-specific tax collection and remittance
• Security: Detect Magecart attacks, CSP violations, and SRI failures
• Compliance: Generate GDPR/CCPA/DPDP audit trails for you
• Communications: Send alert emails, product updates, and billing notices
• Improvement: Analyse aggregate usage patterns to improve the platform (never individual-level analysis for advertising)

4. Legal basis for processing (GDPR).

• Contract: Processing necessary to deliver the service you subscribed to (Art. 6(1)(b))
• Legitimate Interest: Security monitoring, fraud prevention, service integrity (Art. 6(1)(f))
• Legal Obligation: Compliance with applicable laws including tax and financial regulations (Art. 6(1)(c))
• Consent: Marketing emails. You can withdraw consent at any time

5. Data sharing.

We do not sell your data. We share data only with these sub-processors, all bound by Data Processing Agreements (Article 28(2) GDPR). The canonical, version-stamped list lives at tagdrishti.com/subprocessors. Summary:

• Google Cloud Platform (compute + storage): Cloud Run, BigQuery, Pub/Sub, Cloud Scheduler. Per-tenant residency across asia-south1 (Mumbai), europe-west1 (Belgium), us-central1 (Iowa), australia-southeast1 (Sydney). Each tenant’s events are written to and read from only the dataset in their declared region.
• Supabase: Application database for tenant, workspace, and API-key storage. Region: ap-south-1.
• Clerk: Authentication and session management for the dashboard, auth, and admin surfaces. Stores email, name, and Clerk session metadata.
• Paddle.com Market Ltd: Merchant of Record. Handles payment processing, global tax collection (VAT/GST/sales tax), and subscription billing. PCI DSS Level 1 certified. We never see or store card numbers.
• Sentry: Application error monitoring and source-map symbolication for the marketing, dashboard, auth, and admin Next.js apps. Receives stack traces and minimal request context; PII scrubbed at the SDK layer.
• Resend: Transactional email delivery (alerts, password resets, billing notices).
• Cloudflare: CDN, DNS, DDoS protection, WAF, Worker proxy in front of Cloud Run.
• Vercel: Edge hosting for the marketing site (tagdrishti.com), dashboard, auth (accounts.tagdrishti.com), admin (ssmg.tagdrishti.com), and status (status.tagdrishti.com).
• Upstash: Redis caching layer for rate limits and idempotency keys.

We may also disclose data when required by law, court order, or to protect the rights and safety of TagDrishti, our customers, or the public. Material changes to the sub-processor list are announced at least 30 days in advance via email and on the subprocessor page; you may object during that window.

6. Data retention.

• Starter plan: Monitoring data retained for 7 days
• Agency plan: Monitoring data retained for 90 days
• Enterprise plan: Monitoring data retained for 1 year
• Account data: Retained for the duration of your subscription plus 90 days after cancellation
• Billing records: Retained for 7 years as required by Indian tax law

7. Your rights.

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion of your data (“right to be forgotten”)
• Portability: Receive your data in a machine-readable format
• Objection: Object to processing based on legitimate interest
• Restriction: Request we restrict processing of your data
• Withdraw consent: For marketing emails at any time

To exercise any right, email [email protected]. For DSAR (Data Subject Access Requests), use the export function in Dashboard → Settings → Data & Privacy.

Per-jurisdiction response times (legal maxima — our internal target is 20 business days regardless of jurisdiction):

• EU + UK (GDPR / UK GDPR Art. 12(3)): 30 days. Extendable to 90 days for complex requests with notification within 30.
• California (CCPA / CPRA 1798.130): 10 business days to acknowledge, 45 days to fulfil. Extendable +45 with notice. Free for 1st two requests per 12-month period.
• India (DPDP 2023 §11, §13): Acknowledge within 7 days, fulfil as soon as practicable. Free for routine requests.
• Australia (Privacy Act 1988 APP 12): 30 days. Refusal requires written reason.

Internal procedure for handling these requests is documented in our DSR runbook (audited quarterly). If we refuse a request, we explain the legal basis and your right to lodge a complaint with your data-protection authority.

8. Cookies.

Our marketing website (tagdrishti.com) uses the following cookies:

• Strictly necessary: Session authentication (cannot be disabled)
• Analytics: Aggregate page view tracking, only with consent
• Preferences: UI preference storage (theme, language)

The TagDrishti monitoring script installed on your customers’ websites does not set any cookies. It uses session pseudonymisation instead.

9. Security.

We implement appropriate technical and organisational measures including: TLS 1.3 encryption in transit, AES-256 encryption at rest, API key authentication, role-based access control, regular security audits, and 72-hour breach notification. See our Security page for details.

10. Children’s privacy.

TagDrishti is not directed to children under 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, contact us at [email protected]. The DPDP 2023 children_mode flag blocks all non-essential tag monitoring for users identified as minors.

11. Changes to this policy.

We may update this policy from time to time. We will notify you of material changes by email and by posting a notice on the dashboard. Continued use of TagDrishti after changes constitutes acceptance of the updated policy.

12. Contact us.

For privacy questions, data requests, or to report a concern:

• Email: [email protected]
• Response time: Within 30 days for general enquiries, 72 hours for breach reports
• Postal: TagDrishti Technologies, India

If you are an EU resident and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

13. EU and UK representatives.

TagDrishti is established in India. Where we offer the service to data subjects in the EEA or the UK, we are required to designate representatives under Article 27 GDPR and the equivalent provision of the UK GDPR. Those representatives act as a local point of contact for data subjects and supervisory authorities and can be reached on the matters set out in Article 27(4):

• EU representative: contact via [email protected]. Designation in progress; for time-sensitive matters use [email protected] and we will route to the representative on record.
• UK representative: contact via [email protected]. Designation in progress; same fallback applies.

These addresses are monitored by TagDrishti staff and forwarded to the named representative under the corresponding Article 27 mandate. The named representatives, their full registered address, and the date of designation will be published here as soon as the mandates are signed; this notice tracks the live state of those designations.

14. AI and Machine Learning.

TagDrishti uses statistical models to detect tag-delivery failures, consent-violation patterns, and credential-authentication failures inside each customer’s own event stream. The models are tenant-scoped: your data shapes only your alerts, never a shared cross-customer model. We do not run generative-AI / large-language-model inference on customer data in production today, and we do not use customer data, customer inputs, or generated outputs to improve any shared model.

The full AI Use Policy — what we do, what we will not do, the six commitments we hold ourselves to, and the customer rights that follow — is published at tagdrishti.com/ai-policy. It is reviewed quarterly; material changes are emailed to admins of active workspaces 30 days before they take effect.