top of page

Privacy Policy

This Privacy Policy (“Policy”) describes how Converza Technologies, the entity operating the SuperGem platform available at www.supergem.in and app.supergem.in (collectively, the “Platform,” “SuperGem,” “we,” “our,” or “us”), collects, uses, stores, shares, discloses, processes, and protects your personal data and your customers’ personal data when you access or use our website, mobile applications, services, and related offerings (collectively, the “Services”).

SuperGem is a performance marketing platform that enables small and local businesses in India to create advertisements and run lead generation campaigns on third-party platforms such as Google and Meta (Facebook and Instagram). Our Services include AI-powered ad creation, automated campaign setup, lead synchronisation, and intent-based audience optimisation.

We are committed to protecting your privacy and the privacy of the end customers whose data is processed through our Platform. This Policy is published in compliance with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 (“IT Act”), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Consumer Protection (E-Commerce) Rules, 2020, as applicable.

By accessing, registering for, or using the Services, you confirm that you have read, understood, and agree to be bound by this Policy. If you do not agree with any part of this Policy, please do not use our Services.

This Policy should be read together with our Terms of Service and any other notices or consent forms presented to you when you sign up for or use specific features of the Platform.

1. Scope and Applicability

This Policy applies to all individuals and entities that interact with SuperGem in any of the following capacities:

  • Advertiser Businesses: Business owners, employees, or authorised representatives who register on the Platform to create and run advertising campaigns (referred to as “You,” “Your,” or “Advertiser”).

  • End Customers / Leads: Individuals whose personal data is captured through lead generation forms on Google or Meta, or whose information is uploaded by the Advertiser to the Platform (referred to as “Leads,” “End Customers,” or “Data Principals”).

  • Website Visitors: Any person who visits our website www.supergem.in without registering for the Services.

Our Services are intended for use by businesses and individuals located in India. The Platform is operated from India, and all personal data is processed in India in accordance with applicable Indian laws.

2. Our Role under Indian Data Protection Law

Under the DPDP Act, our role depends on the type of data being processed:

  • As a Data Fiduciary: When you register as an Advertiser and provide your own personal data (such as your name, email, phone number, and business details), we act as a Data Fiduciary and determine the purposes and means of processing your personal data.

  • As a Data Processor: When you, as an Advertiser, upload customer data (CRM contacts) or instruct us to capture leads from Google or Meta on your behalf, we act as a Data Processor and process such personal data only as per your documented instructions and the terms of our agreement with you. In such cases, you remain the Data Fiduciary for your customers’ personal data and are responsible for obtaining valid consent and providing required notices to your End Customers.

 

3. Information We Collect

We collect different categories of information depending on how you interact with our Services. The categories are described below.

3.1 Information You Provide Directly

  • Account Information: When you register on the Platform, we collect your full name, business name, designation, email address, mobile number, business address, GSTIN (where applicable), and login credentials (such as password in encrypted form).

  • Business Information: Information about your business category (e.g., jewellery, furniture, travel, professional services), store locations, products or services offered, target geographies, and other operational details required to set up your campaigns.

  • Payment and Billing Information: When you purchase Services or make payments, we (or our authorised payment gateway partners) collect payment-related information such as billing name, billing address, GSTIN, credit/debit card type (last four digits), UPI ID, and transaction reference numbers. We do not store full card numbers, CVV, or banking passwords. Payment data is used solely for transaction processing, invoicing, and audit purposes.

  • Customer Service and Survey Information: Information you provide when contacting our customer support team, responding to surveys or feedback forms, or participating in promotional activities.

3.2 Customer Data You Upload

When you use our CRM and marketing automation features, you may upload or sync contacts that include your end customers’ names, phone numbers, email addresses, purchase history, birthdays, anniversaries, and other contact details. You confirm that you have obtained all required consents from your end customers before sharing such data with us.

3.3 Lead Data Captured via Google and Meta

When you run lead generation campaigns through SuperGem on Google or Meta, the following information is captured on your behalf from individuals who submit lead forms:

  • Name of the prospective customer.

  • Phone number and, where provided, email address.

  • City, locality, or other location information they share.

  • Consumer Intent Data: Purchase intent signals such as sub-category preferences (e.g., necklaces, bracelets, domestic travel, foreign travel, dining tables), target price range, timeline for purchase, intent to visit a physical store, passenger count, and similar fields configured for your advertiser category.

3.4 Information from Meta and Google Platforms

When you connect your Meta Business account or Google Ads account to SuperGem via OAuth, we receive information necessary to provide the Services. This may include your Facebook Business Page name and public profile information, Page ID, ad account ID, campaign performance data, and tokens that allow us to fetch leads and manage campaigns on your behalf. We only request the permissions strictly necessary to provide the Services.

3.5 Usage and Technical Information

  • IP address, approximate location (city or region) derived from IP.

  • Device information such as device type, operating system, and unique device identifiers.

  • Browser type and version, browser language, and time zone settings.

  • Pages viewed, features used, clicks, session duration, referring URLs, and timestamps of access.

  • Log files and diagnostic data used to identify errors, fraud, or security incidents.

3.6 Cookies and Similar Technologies

We use cookies, web beacons, pixels, and similar technologies on our website and Platform to remember your preferences, keep you logged in, analyse usage patterns, and improve our Services. You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Platform. For details, please refer to Section 13 (Cookies).

3.7 Sensitive Personal Data

We do not intentionally collect sensitive personal data or information as defined under the SPDI Rules (such as passwords, financial information beyond what is required for billing, health information, biometric data, or sexual orientation). You are requested not to upload or share such information with us. If we become aware that we have inadvertently collected such information, we will delete it promptly.

 

4. How We Use Your Information

We use the collected information for the following purposes, in each case relying on a lawful basis recognised under the DPDP Act (such as your consent, legitimate uses, or the performance of a contract):

  • Service Delivery: To create and manage your account, set up and run advertising campaigns on Google and Meta, sync and deliver leads to you, and provide AI-powered ad creation and campaign optimisation features.

  • AI-Powered Personalisation and Optimisation: We use Consumer Intent Data (such as sub-category interest and price range) and aggregated campaign performance data to dynamically tailor ad creatives, segment audiences, optimise bidding, and improve the quality of leads delivered to you. Where personal data is used to train or fine-tune our AI models, it is processed in hashed or de-identified form so that it is not directly attributable to any individual.

  • Communication: To send transactional communications such as account updates, billing notices, security alerts, lead notifications, service announcements, and customer support messages. With your consent, we may also send promotional communications about new features, offers, or relevant content. You may opt out of marketing communications at any time.

  • Meta and Google Integration: To retrieve leads from your connected Facebook Pages and Google Ads accounts, orchestrate campaign setup, manage ad spends as per your instructions, and report performance metrics.

  • Service Improvement and Analytics: To analyse usage patterns, troubleshoot issues, conduct internal research, develop new features, and improve the overall user experience of the Platform.

  • Security and Fraud Prevention: To detect, investigate, and prevent fraudulent activity, unauthorised access, abuse of the Platform, or violations of our Terms of Service.

  • Legal and Regulatory Compliance: To comply with applicable laws, regulations, court orders, or lawful requests from government or regulatory authorities, and to enforce our Terms of Service.

  • Business Operations: For tax, accounting, audit, billing, recovery of dues, and general administration of our business.

We do not use personal data for automated decision-making that produces legal or similarly significant effects on an individual without appropriate safeguards and, where required, your consent.

 

5. Legal Basis for Processing

We process personal data only where we have a lawful basis to do so under the DPDP Act and applicable Indian law. The lawful bases we typically rely on are:

  • Consent: We process most personal data based on the free, specific, informed, unconditional, and unambiguous consent of the Data Principal, obtained through clear affirmative action (such as ticking a checkbox or clicking “I Agree”).

  • Legitimate Uses: Certain processing is carried out for legitimate uses permitted under Section 7 of the DPDP Act, such as performing a contract, complying with a legal obligation, or responding to a medical emergency.

  • Contractual Necessity: Processing required to perform our contract with you or to take steps at your request before entering into a contract.

You have the right to withdraw your consent at any time, as described in Section 8 (Your Rights). Withdrawal of consent will not affect the lawfulness of processing carried out before such withdrawal but may affect our ability to continue providing certain Services.

6. Sharing and Disclosure of Information

We do not sell your personal data or your customers’ personal data to any third party for monetary or other consideration. We do not share personal data of one Advertiser with another Advertiser. We may share information only in the limited circumstances described below:

  • Service Providers and Sub-Processors: We engage trusted third-party service providers (such as cloud hosting providers, AI model providers including but not limited to Google Gemini, customer support tools, communication and messaging providers, analytics tools, and payment gateways) to perform specific functions on our behalf. These providers have access to personal data only to the extent necessary to perform their tasks and are contractually obligated to protect it and not to use it for any other purpose.

  • Meta and Google Platforms: When you run campaigns through SuperGem, certain data is inherently shared with Meta and Google in order to set up campaigns, fetch leads, and (where applicable) send WhatsApp or other messages, in accordance with your instructions and the terms of those platforms.

  • Business Transfers: If we are involved in a merger, acquisition, restructuring, sale of assets, financing, or bankruptcy, personal data may be transferred as part of that transaction. We will notify affected Data Principals in such cases, as required by law.

  • Legal Compliance and Protection of Rights: We may disclose information when required by applicable law, a court order, or a lawful request by a public authority; to enforce our Terms of Service; to investigate or prevent fraud, security issues, or illegal activity; or to protect the rights, property, or safety of SuperGem, our users, or others.

  • With Your Consent: In any other case where you have given us your explicit consent to share your information.

 

6.1 Requests from Public Authorities

From time to time, we may receive requests, summons, notices, or directions from law enforcement agencies, regulators, courts, or other public authorities seeking disclosure of personal data of our Advertisers, End Customers, or other users. We handle each such request in accordance with the procedures set out below:

  • Review of Legality: Every request received from a public authority is reviewed by our Grievance Officer, in consultation with legal counsel where required, to verify that the request is issued under a valid legal basis recognised under Indian law, including Section 17(1)(c) of the DPDP Act, Section 69 of the IT Act, Section 94 of the Bharatiya Nagarik Suraksha Sanhita, 2023, or any other applicable statutory provision. We confirm that the request is in writing, signed by an authorised officer, identifies the legal authority being invoked, and is specific in scope.

  • Challenging Unlawful or Overbroad Requests: Where a request appears to be unlawful, overbroad, ambiguous, lacking in jurisdiction, or otherwise inconsistent with applicable law, we reserve the right to seek written clarification from the issuing authority, require a properly authorised order, or challenge the request before the appropriate forum through legal counsel. Pending such clarification or challenge, no disclosure is made except where immediate disclosure is mandated by law.

  • Data Minimisation: In responding to a lawful request, we disclose only the specific personal data that is strictly necessary to comply with the request, and no more. We do not provide bulk data, related records, or information pertaining to other Data Principals that falls outside the scope of the request.

  • Documentation and Record-Keeping: We maintain an internal register of all requests received from public authorities. The register records the date and source of the request, the legal basis invoked, the personal data sought, our internal legal review and reasoning, the personnel involved in the review and response, the data disclosed (if any), and the date of disclosure. These records are retained for the period prescribed under applicable law and are made available for inspection by the Data Protection Board of India or any other competent authority, where required.

  • Notification to Affected Data Principals: Where permitted by law and not prohibited by the terms of the request, we may inform the affected Data Principal of such disclosure. We do not provide such notification where doing so would obstruct an ongoing investigation, prejudice the rights of a third party, or contravene a legal restriction.

 

7. Meta and Google Data Usage Policy

In compliance with the Meta Platform Terms, Meta Developer Policies, and Google API Services User Data Policy:

  • We only request permissions on Meta and Google that are strictly necessary to deliver the SuperGem Services (such as managing Pages, retrieving leads, and sending messages via approved channels).

  • We do not use data obtained from Meta or Google for any purpose other than providing the agreed-upon performance marketing and lead generation services to you.

  • We do not transfer data obtained from Meta or Google to any data broker, information reseller, or unauthorised third party.

  • We do not use such data to build user profiles for sale, to enable advertising to users whose data we have not lawfully collected, or for any other unauthorised purpose.

  • Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

8. Your Rights as a Data Principal

Subject to applicable law, you have the following rights with respect to your personal data:

  • Right to Access Information: You may request a summary of the personal data we process about you and the processing activities undertaken.

  • Right to Correction and Erasure: You may request correction of inaccurate or misleading personal data, completion of incomplete data, updating of outdated data, and erasure of personal data that is no longer necessary for the purpose for which it was collected (subject to legal retention requirements).

  • Right to Grievance Redressal: You have the right to readily available means of grievance redressal in respect of any act or omission regarding the performance of our obligations. Please refer to Section 14 for our Grievance Officer details.

  • Right to Nominate: You have the right to nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity.

  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw your consent at any time. The withdrawal will not affect the lawfulness of processing carried out before withdrawal.

  • Right to Opt Out of Marketing Communications: You may unsubscribe from promotional communications at any time by following the unsubscribe instructions in our emails or contacting us at the address below.

To exercise any of these rights, please write to us at privacy.supergem@gmail.com from the email address registered with your account. We will respond to your request within the timelines prescribed under applicable law. We may request additional information to verify your identity before processing your request.

Please note that if you are an End Customer whose data was uploaded or captured by an Advertiser, you should first contact the Advertiser directly to exercise your rights. We will assist the Advertiser in fulfilling such requests in our capacity as a Data Processor.

9. Data Retention and Deletion

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law, whichever is longer. The retention periods depend on the type of data and the purpose of processing:

  • Account information is retained for the duration of your active account and for a reasonable period thereafter to handle any disputes, comply with legal obligations, or enforce our agreements.

  • Lead and campaign data is retained for the duration necessary to provide the Services and for analytics and improvement of our AI models in hashed or de-identified form.

  • Billing and transaction data is retained for the period mandated by Indian tax, accounting, and audit laws (typically up to eight years).

  • Usage and log data is retained for a shorter period, generally not exceeding the period prescribed by the Information Technology Act and rules thereunder.

9.1 Account and Data Deletion Request

If you wish to delete your account or any data associated with your Meta / Google integration, you may do so by following these steps:

  • Send an email to privacy.supergem@gmail.com with the subject line “Data Deletion Request.”

  • Include your SuperGem registered email address and, where applicable, your associated Facebook Page Name or ID and Google Ads account ID in the email body.

  • Our team will verify your identity and process your request, typically within seven (7) business days. We will permanently delete your account data, imported leads, and revoke applicable Meta and Google integration tokens, and confirm the deletion to you via email.

You may also remove our app’s access directly from your Facebook account by going to Facebook Settings → Business Integrations and removing “SuperGem,” or from your Google account by visiting Google Account Permissions and revoking access.

Notwithstanding the above, we may retain certain information where required to comply with legal obligations, resolve disputes, prevent fraud, enforce our agreements, or where the data has been de-identified or aggregated such that it can no longer be associated with you.

10. Data Security

We implement reasonable security practices and procedures as required under Section 8(5) of the DPDP Act, the IT Act, and the SPDI Rules, including organisational, technical, administrative, and physical security measures designed to protect personal data against unauthorised access, alteration, disclosure, destruction, or loss. These measures include, without limitation:

  • Encryption of data in transit using TLS / HTTPS, and encryption of sensitive data at rest where applicable.

  • Role-based access controls so that only authorised personnel can access personal data on a need-to-know basis.

  • Secure storage with reputed cloud infrastructure providers that maintain industry-recognised security certifications.

  • Regular review of our security practices, periodic vulnerability assessments, and prompt patching of identified vulnerabilities.

  • Employee training on data protection and confidentiality obligations.

  • Maintenance of audit logs for critical activities on the Platform.

While we strive to use commercially acceptable means to protect personal data, no method of transmission over the internet or method of electronic storage is one hundred per cent secure. We cannot guarantee absolute security, and you acknowledge that you provide your information at your own risk.

10.1 Data Breach Notification

In the event of a personal data breach that is likely to result in harm to affected Data Principals, we will notify the Data Protection Board of India and affected Data Principals in the manner and within the timelines prescribed under the DPDP Act.

11. Children’s Personal Data

Our Services are intended for use by businesses and adult individuals. We do not knowingly collect personal data of children (individuals below the age of 18 years under Indian law) or persons with disabilities who have a lawful guardian, without verifiable consent of the parent or lawful guardian, as required under Section 9 of the DPDP Act.

We do not undertake tracking, behavioural monitoring, or targeted advertising directed at children. If you believe that we have inadvertently collected personal data of a child without verifiable parental consent, please contact us at privacy.supergem@gmail.com, and we will take appropriate steps to delete such information.

If you are an Advertiser, you confirm that you will not upload to the Platform any personal data of children or use the Services to advertise products or services in a manner that targets children, unless you have obtained verifiable parental or guardian consent as required by law.

12. Cross-Border Transfer of Personal Data

Our primary servers and operations are located in India. However, some of our third-party service providers (such as cloud hosting providers and AI model providers) may store or process data in jurisdictions outside India. Where such transfers occur, we ensure that:

  • The transfer is to a country or territory not restricted by notification of the Central Government under Section 16 of the DPDP Act.

  • The third party is bound by contractual obligations to maintain a level of data protection consistent with this Policy and applicable Indian law.

  • Appropriate safeguards are implemented to protect the personal data during transfer and processing abroad.

13. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide and improve our Services. The cookies we use fall broadly into the following categories:

  • Strictly Necessary Cookies: Required for the Platform to function, including authentication, session management, and security.

  • Functional Cookies: Used to remember your preferences and provide enhanced features.

  • Analytics Cookies: Used to understand how users interact with the Platform, so we can improve performance and user experience.

  • Advertising Cookies: Used by Google, Meta, and similar advertising platforms to measure campaign performance and (where permitted) deliver relevant advertisements.

You can manage your cookie preferences through your browser settings. Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser. Please note that disabling cookies may affect the availability and functionality of the Platform.

Grievance Officer / Data Protection Contact

Name: Venkatesh Kamath

Designation: Grievance Officer

Email: admin@supergem.in

Address: SuperGem Digital, BTM Layout, Bengaluru, Karnataka 560076, India

Working Hours: Monday to Friday, 10:00 a.m. to 6:00 p.m. IST (excluding public holidays)

We will acknowledge your grievance within forty-eight (48) hours of receipt and endeavour to resolve it within fifteen (15) days, in accordance with applicable law. If you are not satisfied with our response, you may approach the Data Protection Board of India once it is constituted under the DPDP Act.

 

15. Third-Party Links and Services

Our Platform may contain links to third-party websites, applications, or services (including Google, Meta, payment gateways, and other partners). This Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party services before providing your personal data to them. We are not responsible for the privacy practices or content of such third-party services.

16. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. When we make material changes, we will notify you by posting the updated Policy on this page and updating the “Last Updated” date at the top. Where required by law, we will provide additional notice (such as by email or in-app notification) and, where necessary, obtain your fresh consent. Your continued use of the Services after the effective date of the revised Policy constitutes your acceptance of the changes.

17. Governing Law and Jurisdiction

This Policy and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of India. Subject to applicable law, the courts at Bengaluru, Karnataka, India shall have exclusive jurisdiction over any disputes arising under this Policy.

18. Definitions

For the purposes of this Policy, the following terms shall have the meanings set out below:

  • “Data Principal” means the individual to whom the personal data relates.

  • “Data Fiduciary” means a person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.

  • “Data Processor” means a person who processes personal data on behalf of a Data Fiduciary.

  • “Personal Data” means any data about an individual who is identifiable by or in relation to such data.

  • “Processing” means a wholly or partly automated operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, retrieval, use, alignment, sharing, disclosure, erasure, or destruction.

  • “Sensitive Personal Data or Information (SPDI)” has the meaning ascribed to it under the SPDI Rules and includes passwords, financial information, health condition, biometric information, sexual orientation, and similar categories.

 

By using SuperGem, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

Sopana Digital LLP. All rights reserved.

Made For Growth

bottom of page