
Privacy Policy

Effective date: 1 January 2025  ·  Last updated: 22 June 2026

1. Introduction

Verdeshell Technologies Pvt. Ltd. ("Verdeshell", "we", "us", or "our") operates the ScrumTeam platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information about you when you use our Service.

By accessing or using ScrumTeam, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.

2. Our Role & Your Responsibility

There are two distinct categories of data on the Service, and our role differs for each.

Account & service data: for information we collect to operate the Service and manage your account (such as your name, email, billing status, and usage logs), Verdeshell acts as the "Data Fiduciary" under the Digital Personal Data Protection Act, 2023 ("DPDP Act") — equivalent to a "data controller" under the GDPR — and determines the purposes and means of processing.

Customer content: for the personal data that you and your organisation choose to upload, enter, or process within the Service (for example, details you put into issues, comments, attachments, or member profiles), your organisation is the Data Fiduciary / controller and Verdeshell acts as a Data Processor that processes such data only on your instructions and on your behalf. Your organisation is responsible for having a lawful basis to collect that data, for its accuracy, and for honouring the rights of the individuals it relates to.

You are responsible for the personal data you choose to put into the Service and for ensuring you are permitted to share it. We are not responsible for content or personal data that you upload in violation of law or another person's rights. See section 3 of our Terms of Service.

4. Information We Collect

We collect information you provide directly: name, email address, password (hashed), organisation name, and optional profile details such as avatar and designation.

We collect information generated through use of the Service: issues, comments, sprint data, file attachments, and activity logs. This content is owned by you and your organisation.

We automatically collect usage data: IP address, browser type, device identifiers, pages visited, and feature interactions. This data is used for security, debugging, and product analytics.

We collect billing information: for paid plans, payment is processed by our payment provider (Razorpay). We store only plan type and subscription status — never raw card numbers.

5. How We Use Your Information

To provide and maintain the Service: authenticate your account, persist your data, and deliver features you use.

To communicate with you: send transactional emails (invite notifications, password reset, sprint reminders) and occasional product updates. You can opt out of product updates at any time.

To improve the Service: analyse aggregate usage patterns to prioritise features and fix bugs.

To enforce our Terms of Service and prevent abuse.

To comply with legal obligations.

6. How We Share Your Information

We do not sell your personal data.

Service providers: we share data with sub-processors (cloud hosting, email delivery, payment processing, error monitoring) under data processing agreements. A current list of sub-processors is available on request.

Within your organisation: members of your ScrumTeam organisation can see your profile name, avatar, and work activity. Organisation owners and admins can see member email addresses.

Legal requirements: we may disclose data if required by applicable law, court order, or to protect rights and safety.

Business transfers: in the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction.

7. Data Retention

We retain your data for as long as your account is active. Deleted accounts are anonymised within 30 days and hard-deleted within 90 days, except where retention is required by law.

Soft-deleted projects enter a 90-day Trash period before permanent deletion. During this period you can restore the project.

Audit logs are retained for 90 days (Business plan) or 1 year (Enterprise).

8. Data Residency & Transfers

By default, your data is stored in India (Mumbai, AWS ap-south-1).

Business and Enterprise plans may select EU-West (Frankfurt, AWS eu-central-1) or US-East (Virginia, AWS us-east-1) residency at organisation creation.

We implement Standard Contractual Clauses (SCCs) for data transfers to processors outside your selected region.

9. Security

We use industry-standard security measures: TLS 1.3 in transit, AES-256 at rest, bcrypt password hashing, and role-based access controls.

We are working toward SOC 2 Type II certification. Our infrastructure is hosted on AWS with VPC isolation, WAF, and automated vulnerability scanning.

Despite our safeguards, no method of transmission or storage over the internet is 100% secure, and we cannot guarantee absolute security. You provide your data at your own risk, and to the maximum extent permitted by law we are not liable for unauthorised access, disclosure, or loss that occurs despite our use of reasonable security measures. You are responsible for keeping your account credentials confidential.

If you discover a security vulnerability, please report it responsibly to connect@verdeshell.com.

10. Your Rights

Access: you can export your personal data from your profile settings or by emailing us.

Correction: you can update your name, email, and profile details from your profile settings.

Deletion: you can delete your account from settings. We will anonymise or delete your data per section 7. You may also nominate another individual to exercise your rights in the event of death or incapacity, as provided under the DPDP Act.

Portability: you can export your organisation's issues, sprints, and goals in CSV or JSON format.

Objection / restriction / withdrawal of consent: you may contact us to restrict specific processing activities or withdraw consent.

Grievance redressal: you have the right to readily available means of grievance redressal — see section 14.

For DPDP Act or GDPR requests, we respond within the timelines required by applicable law (and in any event within 30 days). Email connect@verdeshell.com with subject "Data Request". If you are not satisfied with our response, you may have the right to complain to the Data Protection Board of India or your local supervisory authority.

11. Cookies

We use strictly necessary cookies for authentication (session tokens). We do not use third-party advertising or tracking cookies.

You can disable cookies in your browser, but core functionality will not work without session cookies.

12. Children's Privacy

The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided us data, contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app banner at least 14 days before the change takes effect.

Continued use of the Service after changes indicates your acceptance of the updated policy.

14. Grievance Officer

In accordance with the DPDP Act, 2023 and the Information Technology Act, 2000 (and the rules thereunder), you may contact our Grievance Officer for any complaint regarding the processing of your personal data or your use of the Service:

Grievance Officer, Verdeshell Technologies Pvt. Ltd.

Sector 58, Gurgaon, Haryana 122011, India

Email: connect@verdeshell.com

We will acknowledge your grievance within 48 hours and endeavour to resolve it within the timelines prescribed under applicable law.

15. Contact Us

For privacy-related questions or to exercise your rights, contact us at:

Verdeshell Technologies Pvt. Ltd., Sector 58, Gurgaon, Haryana 122011, India

Email: connect@verdeshell.com
