Privacy Policy

1. Introduction

This Privacy Policy explains how Perter Technology Solutions Private Limited ("Perter", "we", "us", or "our") collects, uses, discloses, and protects personal data when you interact with Grengin and our related offerings.

We are committed to protecting your privacy. The Grengin software is open source and source-available, distributed under the Sustainable Use License Version 1.0. The Software itself does not contain telemetry, phone-home mechanisms, or analytics that send any data back to us. When you self-host Grengin on your own cloud account or infrastructure, we do not see, collect, or have access to anything you do with it.

This Policy describes the limited circumstances in which we do process personal data — primarily when you visit our website, contact us, raise a support ticket, contribute to our community channels, or purchase Paid Services through a cloud marketplace.

This Policy is incorporated into, and forms part of, our Terms and Conditions. Capitalised terms not defined here have the meaning given to them in the Terms and Conditions.

2. Who we are and how to contact us

Perter Technology Solutions Private Limited is the data controller, data fiduciary, or equivalent under applicable law for personal data described in this Policy.

The contact details of our Data Protection Officer and our Grievance Officer are set out in Section 14.

3. Scope of this Policy

This Policy applies to personal data we collect through:

• The Grengin website at https://grengin.com and its sub-domains (the "Website");
• The Paid Services we offer (currently Technical Support and Managed Hosting);
• Our community channels, including GitHub repositories at https://github.com/grengin-oss, issue trackers, discussion forums, chat platforms, and similar venues we operate or host;
• Email, telephone, and other direct communications with us; and
• Events, webinars, and marketing communications (where you opt in).

This Policy does not apply to:

• The Grengin software itself, which performs no telemetry — when you self-host Grengin on your own infrastructure, your data stays on your infrastructure;
• The cloud providers (AWS, Microsoft Azure, Google Cloud, OVHcloud) on which you may run Grengin — your relationship with those providers is governed by their own privacy notices;
• Third-party services we link to or integrate with, such as GitHub — your relationship with each is governed by that party's own privacy notice; or
• Websites of any third party that may link to ours.

4. The Software does not collect telemetry

We want to be unambiguous about this:

• The Grengin software does not collect, transmit, or send to Perter any telemetry, usage analytics, crash reports, performance metrics, or any other data about how you use it.
• The source code is publicly available at https://github.com/grengin-oss for inspection.
• Software updates are pulled by you from the relevant cloud marketplace or repository; we do not push updates and cannot reach into your installation.
• If a future version of Grengin ever introduces optional telemetry, it will be (a) opt-in only, (b) clearly disclosed in release notes, and (c) reflected in an updated version of this Policy before the change takes effect.

If you choose to share information with us — for example, by attaching log files to a support ticket, posting in a community channel, or asking us to operate a Managed Hosting environment on your behalf — that information is processed as described in the rest of this Policy.

5. What personal data we collect, and why

5.1 Information you provide directly

5.2 Information we receive from cloud marketplaces

When you purchase a Paid Service through AWS Marketplace, Microsoft Azure Marketplace and Microsoft AppSource, Google Cloud Marketplace, or OVHcloud Marketplace, the marketplace shares with us the limited information required to fulfil the order — typically the buyer organisation name, a customer or buyer identifier, the entitlement or subscription details, billing country, and a contact email. We do not receive your payment card or bank details. Each cloud marketplace acts as a billing agent on your behalf; you can review what data the marketplace shares in its own terms and privacy notice.

5.3 Information we collect automatically when you use the Website

The Website is hosted behind Cloudflare, Inc. ("Cloudflare"), which provides our content delivery network (CDN), DDoS protection, web application firewall, and analytics. When you visit the Website, Cloudflare's servers — and our origin servers — automatically receive certain technical information:

• IP address (which we treat as personal data under EU/UK law) and approximate geolocation derived from it;
• Device and browser information: user-agent string, operating system, browser type and version, screen size, language;
• Usage data: pages visited, time spent, referring URL, search queries entered on our Website, clicks on links;
• Network and security data: TLS fingerprints, request rate, and signals used by Cloudflare to detect bots, abuse, and attacks.

We use this data to operate, secure, and improve the Website, to detect and prevent fraud and abuse, to compile aggregate statistics about Website usage, and to comply with legal obligations.

Cloudflare's separate processing of data for CDN, DDoS protection, and security purposes is described in Cloudflare's own privacy policy at https://www.cloudflare.com/privacypolicy/. Cloudflare acts as our processor for these services, under Cloudflare's Data Processing Addendum (available at https://www.cloudflare.com/cloudflare-customer-dpa/) which is incorporated by reference into our subscription agreement with Cloudflare and which includes the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable.

We do not use Google Analytics, Fathom, Plausible, PostHog, Mixpanel, or any other third-party analytics or advertising tool on the Website.

5.4 Information we collect when you contribute to community channels

When you post on a Grengin GitHub repository, raise an issue or pull request, comment on documentation, or post in any community discussion channel we operate, the content you post (including your username, avatar, and the substance of your post) is public. We process this content to operate the community, moderate it, respond to you, and improve the project. The platform you post on (for example, GitHub) also processes your data under its own privacy notice.

5.5 Information we collect when we provide Managed Hosting

If you purchase Managed Hosting (a Paid Service under which we operate a Grengin instance on infrastructure managed by us on your behalf), we will necessarily have access to the infrastructure on which Grengin runs, and may incidentally have access to data you store in or process through that instance ("Customer Data"). We act as a processor / data processor for that Customer Data and process it only on your documented instructions and as set out in a separate data processing agreement that we will enter into with you. We do not access Customer Data for our own purposes.

5.6 Cloudflare developer-platform services we use

In addition to the CDN and security services described in Section 5.3, we use selected Cloudflare developer-platform products — Cloudflare Workers, Workers KV, D1, and R2 — only for two specific products that we sell separately from the same Website:

(a) Grengin Auth Proxy. A separately-sold product that customers deploy to broker single sign-on between their applications and identity providers such as Google Workspace or Microsoft Entra ID (Azure AD). When a customer's end user signs in, the Auth Proxy may process — on the customer's behalf and only as needed to complete the sign-in — identifiers issued by the upstream identity provider (such as the user's email address, name, OIDC sub, group membership, and short-lived tokens), together with operational data such as session identifiers, audit timestamps, and IP address. We act as a data processor for the customer in respect of this data, and the customer's end users are not in a direct relationship with us through this product.

(b) Grengin LLM Proxy. A separately-sold product that proxies large-language-model requests on behalf of the customer. When a customer's end user makes a request through the LLM Proxy, we — acting as a data processor for the customer — may process configuration, request-routing data, rate-limiting state, and (only where the customer has enabled logging) request and response payloads. Prompts and model outputs are not used to train any model, and are not used for any purpose beyond providing the service to the customer in accordance with the product-specific terms.

Each of these two products has its own product-specific terms and, where applicable, a separate data processing agreement that the customer enters into with us. This Privacy Policy describes only the personal data we process about you as a customer or prospective customer of grengin.com — for example, your account, billing, contact, and support data. Personal data of your end users that flows through the Auth Proxy or LLM Proxy is processed under the relevant product-specific terms and DPA, with the customer as controller and Perter as processor.

We do not use Workers, Workers KV, D1, or R2 to process personal data we collect under Sections 5.1, 5.2, 5.4, or 5.5 (i.e., website, marketplace, community, or Managed Hosting data covered by this Policy).

In both contexts above, Cloudflare acts as our sub-processor under the Cloudflare Data Processing Addendum referenced in Section 5.3 (https://www.cloudflare.com/cloudflare-customer-dpa/), which incorporates the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and Cloudflare's certification under the EU–U.S., UK Extension, and Swiss–U.S. Data Privacy Frameworks. Cloudflare maintains its current sub-processor list at https://www.cloudflare.com/gdpr/subprocessors/.

5.7 Information we do not collect

We do not knowingly collect:

• Payment card numbers, bank account numbers, or other financial-account details (cloud marketplaces handle billing);
• Biometric data;
• Precise location data;
• Special-category data (health, race, religion, political opinions, sexual orientation, etc.) — please do not include such data in support tickets or community posts; and
• Personal data of children under 18 (see Section 13).

6. How we use personal data — purposes and legal bases

We process personal data for the following purposes. The legal bases listed apply where the GDPR, UK GDPR, or equivalent law requires one; in other jurisdictions we rely on the analogous lawful ground.

Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights and freedoms and have concluded they are not. You may object at any time (Section 11).

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

7. Who we share personal data with

We do not sell personal data. We share personal data only with the following categories of recipients, and only as necessary:

7.1 Service providers (processors and sub-processors)

We use carefully selected third-party providers to help us run our business. They process personal data on our behalf, under written contracts that require them to apply appropriate security and confidentiality measures and prohibit any use of the data other than on our instructions.

The principal processor we currently rely on is:

• Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA) — provides our content delivery network, DDoS protection, web application firewall, bot management, and Cloudflare Web Analytics across the Website (Section 5.3), and acts as our sub-processor for the Cloudflare Workers, Workers KV, D1, and R2 services that underpin our Auth Proxy and LLM Proxy products (Section 5.6). Cloudflare processes Personal Data on our behalf under the Cloudflare Data Processing Addendum (https://www.cloudflare.com/cloudflare-customer-dpa/), which incorporates the EU Standard Contractual Clauses (Modules 2 and 3), the UK International Data Transfer Addendum, and Cloudflare's Data Privacy Framework certification. Cloudflare's own sub-processor list is published at https://www.cloudflare.com/gdpr/subprocessors/.

Other categories of providers we may use include:

• Email and communication tools — transactional email senders, customer-support help-desk software, calendaring and meeting tools;
• Source-code and collaboration platforms — including GitHub, Inc. for source repositories, issue tracking, and discussions;
• Customer-relationship-management tools — for sales and support pipelines;
• Professional advisers — accountants, auditors, lawyers, and insurers, where engaged in connection with the relevant matter.

We will update this list as our processor relationships change. If we add a new processor that materially affects how your personal data is processed, we will update this Policy in accordance with Section 17.

7.2 Cloud marketplaces

When you purchase through AWS Marketplace, Azure Marketplace, Google Cloud Marketplace, or OVHcloud Marketplace, the marketplace operator processes the transaction. We exchange order, entitlement, and contact data with them as needed to fulfil the purchase. The marketplace operator acts as an independent controller for its own purposes (billing, fraud prevention, marketplace operation) under its own privacy notice.

7.3 Public community channels

Information you post on a public Grengin community channel (GitHub issues, pull requests, discussions, public chat) is visible to anyone who can access that channel. We do not control how third parties use information you make public.

7.4 Authorities and legal disclosures

We may disclose personal data if we believe in good faith that disclosure is necessary to:

• Comply with a court order, subpoena, search warrant, or other lawful request from a government, regulator, or law-enforcement body;
• Enforce our Terms and Conditions or investigate violations;
• Protect the rights, property, or safety of Perter, our users, or others; or
• Comply with any legal, regulatory, or tax obligation.

In India, we will respond to lawful requests under the Information Technology Act 2000, the Code of Criminal Procedure 1973, the Bharatiya Nagarik Suraksha Sanhita 2023, and orders of competent courts. We aim, where lawfully possible, to notify the affected user of the request before responding.

7.5 Corporate transactions

If we are involved in a merger, acquisition, financing, reorganisation, bankruptcy, receivership, sale of assets, or transition of service to another provider, personal data may be transferred as part of that transaction, subject to standard confidentiality protections and applicable law. We will notify you of any such change in ownership or control of personal data.

7.6 Reporting abuse routed through Cloudflare

If you wish to report content or activity that you believe is being routed through Cloudflare's network on our domains (for example, alleged copyright infringement, malware, phishing, harassment, or other abuse), you may contact us directly at cloudflare-abuse@grengin.com. This is the dedicated abuse channel we have designated to receive complaints forwarded by Cloudflare under their abuse-reporting process. We will review your report and respond in accordance with applicable law and our Terms and Conditions. Copyright complaints under the U.S. DMCA should additionally follow the procedure set out in Section 25.5 of our Terms and Conditions.

8. Cookies and similar technologies

The Website is designed to operate with minimal use of cookies. Because we use Cloudflare Web Analytics (which is cookieless — see Section 5.3), we do not set any analytics or advertising cookies.

The only cookies the Website may set are:

• Strictly necessary cookies — required for the Website to function or for security. These may include a Cloudflare-issued security cookie (such as __cf_bm, used to distinguish humans from bots, with a typical lifetime of around 30 minutes), session and CSRF-protection cookies, and load-balancing cookies. Under the EU e-Privacy Directive, the UK Privacy and Electronic Communications Regulations 2003, and analogous laws, strictly necessary cookies do not require prior consent.
• Functional cookies — used only if you opt in to a preference such as language or theme, and only for that purpose.

We do not use: analytics cookies, advertising cookies, social-media tracking pixels, cross-site tracking technologies, or browser fingerprinting.

Because we do not deploy non-essential cookies, the Website does not currently display a cookie consent banner. If we ever introduce a non-essential cookie or similar technology, we will (a) update this Policy and any Cookie Notice, (b) deploy a compliant consent mechanism for users in jurisdictions that require one, and (c) notify users in accordance with Section 17 before the change takes effect.

You can also control cookies through your browser settings, although blocking strictly necessary cookies may break parts of the Website.

We honour the Global Privacy Control (GPC) signal as required under California law (Cal. Civ. Code § 1798.135) and treat it as an opt-out of any "sale" or "sharing" of personal information.

9. International transfers

Perter is established in India. Personal data we process is primarily processed in India and in regions where our service providers operate, which may include the United States, the European Union, the United Kingdom, and other jurisdictions.

When we transfer personal data out of the European Economic Area, the United Kingdom, or other jurisdictions with restrictions on international transfers, we rely on appropriate safeguards, which include:

• Standard Contractual Clauses (Module 1, 2, 3, or 4 as applicable) approved by the European Commission under Decision (EU) 2021/914;
• The UK International Data Transfer Addendum (IDTA) or the UK Addendum to the EU SCCs;
• adequacy decisions, where the European Commission, the UK Government, or another competent authority has determined that the destination provides an adequate level of protection;
• explicit consent for occasional transfers where applicable; and
• Analogous safeguards under PIPEDA, Quebec's Law 25, the Australian Privacy Principles, and the Singapore PDPA.

You may request a copy of the relevant safeguard by contacting privacy@grengin.com.

10. How long we keep personal data

We keep personal data only as long as necessary for the purposes for which it was collected, unless a longer retention is required by law. Indicative retention periods:

• Customer account data: for the duration of the customer relationship and seven (7) years thereafter, to comply with Indian tax and accounting law (Income Tax Act 1961 and Companies Act 2013) and analogous obligations elsewhere.
• Support tickets and communications: typically three (3) years after the ticket is closed, unless a longer period is required to defend a claim.
• Marketing-suppression list (people who have unsubscribed): retained indefinitely so we can honour your opt-out.
• Website server logs: typically 30 to 90 days for security and diagnostic purposes.
• Cookies: retention is set per cookie and disclosed in the Cookie Notice.
• Recruitment data for unsuccessful candidates: typically 12 months after the recruitment decision, unless you ask us to delete it sooner or to keep it for future opportunities.
• Information retained under the Indian IT Rules 2021 (where applicable to us as an intermediary): retained for the periods specified in those Rules — including, for example, the 180-day retention obligation under Rule 3(1)(h) for certain user information after withdrawal or cancellation of registration.

When personal data is no longer needed and no legal basis to retain it remains, we delete or anonymise it.

11. Your rights

Subject to applicable law, you have the following rights in respect of personal data we hold about you. Some of these rights are jurisdiction-specific.

11.1 Rights available under the EU GDPR, UK GDPR, India's DPDP Act 2023, and most other modern privacy laws

• Access — request confirmation of whether we process your personal data, and a copy of it.
• Rectification / correction — ask us to correct inaccurate or incomplete data.
• Erasure / deletion — ask us to delete your personal data in certain circumstances.
• Restriction — ask us to limit how we use your data while a query is being investigated.
• Portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Object — object to processing based on our legitimate interests, or to direct marketing.
• Withdraw consent — where we rely on your consent.
• Not be subject to solely automated decision-making that produces legal or similarly significant effects (we do not currently engage in such automated decision-making).
• Nominate another individual to exercise these rights in the event of your death or incapacity (under India's DPDP Act 2023).

11.2 Additional California rights (CCPA/CPRA)

If you are a California resident:

• The right to know the categories and specific pieces of personal information we have collected, the categories of sources, the purposes, and the categories of third parties to whom we have disclosed it;
• The right to delete personal information (subject to exceptions);
• The right to correct inaccurate personal information;
• The right to opt out of the "sale" or "sharing" of personal information for cross-context behavioural advertising — we do not sell or share personal information as those terms are defined under the CPRA;
• The right to limit the use of sensitive personal information — we do not use or disclose sensitive personal information for purposes that trigger this right;
• The right to non-discrimination for exercising your rights; and
• The right to designate an authorised agent to exercise these rights on your behalf.

A "Your Privacy Choices" / "Do Not Sell or Share My Personal Information" link is, or will be, provided on our Website homepage in accordance with Cal. Civ. Code § 1798.135.

11.3 Additional Australia, Canada, New Zealand, and Singapore rights

Residents of Australia, Canada, New Zealand, and Singapore have rights of access and correction, and rights to complain to their respective regulators, under the Privacy Act 1988 (Cth), PIPEDA / Quebec Law 25, the Privacy Act 2020, and the PDPA respectively. Quebec residents additionally have rights of de-indexing and to information about automated decisions.

11.4 How to exercise your rights

To exercise any of these rights, email us at privacy@grengin.com or contact our Data Protection Officer (Section 14). We will respond within the period required by applicable law — generally within one month under the GDPR/UK GDPR, within 45 days under the CPRA (extendable once by 45 days), and within the period specified by the Digital Personal Data Protection Rules under the DPDP Act once those Rules are notified.

We may need to verify your identity before acting on a request. We will not charge a fee unless your request is manifestly unfounded or excessive.

If you are not satisfied with our response, you may complain to:

• The Data Protection Board of India (under the DPDP Act 2023, once operational);
• The Information Commissioner's Office (ICO) in the UK at https://ico.org.uk;
• Your national EU/EEA supervisory authority — a list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en;
• The California Privacy Protection Agency at https://cppa.ca.gov;
• The Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca;
• The Office of the Australian Information Commissioner at https://www.oaic.gov.au;
• The Office of the Privacy Commissioner of New Zealand at https://www.privacy.org.nz; or
• The Personal Data Protection Commission of Singapore at https://www.pdpc.gov.sg.

12. Security

We take reasonable and appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include:

• Encryption of data in transit (TLS) and, where reasonable, at rest;
• Access controls based on the principle of least privilege;
• Multi-factor authentication for administrative access;
• Secure software-development practices and dependency management;
• Regular review of access, vulnerability scanning, and patching;
• Written policies governing employee handling of personal data; and
• Contractual obligations on service providers to apply equivalent measures.

These measures are intended to comply with the Indian IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, the security requirements of Article 32 of the GDPR, and analogous laws in other jurisdictions.

No system is perfectly secure. If we ever suffer a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timelines required by applicable law.

To report a security vulnerability, please contact security@grengin.com.

13. Children

The Grengin offerings are intended for businesses, professional developers, and adult individuals. They are not directed at children, and we do not knowingly collect personal data from anyone under 18 years of age (or the age of majority in the user's jurisdiction, if higher).

If you believe a child has provided us with personal data, please contact privacy@grengin.com and we will delete the data promptly.

Under India's Digital Personal Data Protection Act 2023, we will not process the personal data of a child (a person under 18) without verifiable parental consent once those provisions are in force, and we will not undertake tracking, behavioural monitoring, or targeted advertising directed at children.

14. Data Protection Officer and Grievance Officer

14.1 Data Protection Officer

For the purposes of the Digital Personal Data Protection Act 2023 (India), the GDPR (EU and UK), the Personal Data Protection Act 2012 (Singapore), Quebec's Law 25, and equivalent laws in other jurisdictions:

14.2 Grievance Officer (India)

For the purposes of (a) Rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 and (b) Rule 4(5) of the Consumer Protection (E-Commerce) Rules 2020:

We will acknowledge complaints within 24 hours and resolve them within 15 days under the IT Rules 2021 (with shorter timelines for certain categories), and within 30 days under the Consumer E-Commerce Rules 2020.

14.3 EU and UK Article 27 Representatives

We have not currently appointed representatives in the European Union or the United Kingdom under Article 27 of the GDPR or the UK GDPR, on the basis that our processing of personal data of EU/UK data subjects is presently occasional, does not include large-scale processing of special-category data, and is unlikely to result in a risk to the rights and freedoms of data subjects (Article 27(2)(a) GDPR / UK GDPR). We will appoint representatives as soon as our processing requires it. EU and UK data subjects may, in the meantime, contact our Data Protection Officer above.

14.4 DMCA Designated Agent (United States)

For copyright complaints under 17 U.S.C. § 512(c)(2), see Section 25.5 of our Terms and Conditions.

15. Marketing communications

If you have given consent or if applicable law permits us to do so under a "soft opt-in" or legitimate-interests basis, we may send you marketing communications about our products and services.

You can opt out at any time by:

• Clicking the "unsubscribe" link in any marketing email;
• Replying to a marketing email asking to be removed; or
• Contacting us at privacy@grengin.com.

Opting out of marketing does not stop service-related messages (security notices, billing, breach notifications, Terms updates) which we are required or legitimately entitled to send.

We comply with applicable anti-spam laws including India's TRAI regulations on commercial communications, the U.S. CAN-SPAM Act, Canada's Anti-Spam Legislation (CASL), Australia's Spam Act 2003, the UK Privacy and Electronic Communications Regulations 2003, and the EU e-Privacy Directive as transposed.

16. Third-party links

The Website and our community channels may contain links to third-party websites and services that we do not control. We are not responsible for their privacy practices. We encourage you to read the privacy notices of any third party before providing them with personal data.

17. Changes to this Policy

We may update this Policy from time to time. The current version is always available at https://grengin.com/privacy-policy with the "Last Updated" date noted at the top.

For material changes (changes that materially affect your rights, the categories of data processed, the purposes, the recipients, or the legal basis), we will provide reasonable advance notice — typically at least thirty (30) days — by email (where we have your address), in-product notice, a Website banner, or a posting on our changelog. Where applicable law requires fresh consent, we will obtain it before the change takes effect.

18. Governing law and complaints

This Policy is governed by the laws of India, without prejudice to mandatory data-protection rights you may have under the law of your country of residence. The dispute-resolution and jurisdiction provisions in our Terms and Conditions apply to disputes arising out of this Policy, except that you retain the unconditional right to lodge a complaint with the supervisory authority in your country of residence (see Section 11.4).

19. Version history

• Version 1.0 — 30 April 2026: initial publication.
• Last Updated: 29 April 2026