4AM

// § PRIVACY POLICY

Privacy.
Clearly.

The data you share with us — name, email, brief form details, payment — exactly where it goes, how long it stays, and who can see it. Everything, in plain English.

LAST UPDATED24 APR 2026
VERSION1.0
READ TIME~5 MIN
APPLIES TO4AM.TECH · ALL USERS
// TL;DR — THE 2-MINUTE READ

If you don't have 2 minutes, read this.

  • 01We collect only the data we actually need — account, brief, payment.
  • 02Razorpay handles payment; card/UPI numbers never reach us.
  • 03All data is hosted in India (Mumbai region). Auto-deleted after 24 months.
  • 04We never sell your data. No ad targeting, no data brokers.
  • 05Request access, export, or deletion anytime — fulfilled within 30 days.
  • 06We have a registered grievance officer under DPDPA 2023 — details below.
§ 01WHO THIS POLICY IS FROM

Who we are, and what this document covers.

This privacy policy applies to 4AM Tech Private Limited (“4AM Tech”, “we”, “us”), an Indian private limited company, and to every interaction you have with our website 4am.tech, our client dashboard, and the sites or apps we build for you.

We are a small team. Every engineer and designer who touches your data is a named employee on a signed NDA. No offshore contractors, no anonymous data processors.

In short. You’re not a row in a database we sold to a marketing company. You’re a client whose business we’re building.
§ 02DATA WE COLLECT

Exactly what we ask for, and when we ask for it.

We collect data in three buckets, at three different moments:

1. Account data — when you sign up

  • Name, email, phone. For sign-in, delivery updates, support replies.
  • Password hash. We never see your real password. Google SSO is also available and we only receive the email and display name from Google.
  • Business name + city. To personalise your dashboard and generate GST-compliant invoices.

2. Project data — when you buy or brief

  • Brief form content — copy, photos, logos, brand references you upload.
  • GSTIN and billing address for invoicing.
  • Messages between you and your build team.

3. Usage data — automatic

  • IP address, browser, device type, pages visited, timestamps.
  • Cookies (see section 05).
  • Error logs (if something crashes, we capture the stack trace — no form-field contents).

We do not collect: precise location, contacts list, microphone or camera, social graph, health or financial identifiers (Aadhaar, PAN), or anything else we don’t need to build and run your site.

§ 03PURPOSE OF PROCESSING

What we use your data for — and what we never use it for.

We process your data only for these reasons:

  • Delivery. Building, hosting, and maintaining your site or app.
  • Billing. Generating invoices, processing payments, recording taxes.
  • Support. Responding to your messages, tickets, and WhatsApp queries.
  • Product improvement. Aggregated, de-identified usage stats only. Never your brief content.
  • Legal compliance. Tax filings, DPDPA requests, court orders.
Never. Advertising, profiling, selling to brokers, training third-party AI models, cross-site tracking, or renting to affiliates.
§ 04SUB-PROCESSORS

The tools we use, and what flows to each.

We use a small number of third-party services to operate. Each is listed below with exactly what data crosses the boundary. All are bound by their own privacy policies (linked).

Razorpay

PAYMENT GATEWAY

DATA SHARED
Amount, order ID, billing email & phone. No card number passes through us.

G

Google OAuth

OPTIONAL SIGN-IN

DATA SHARED
If you use ‘Sign in with Google’: email and display name only.

H

Hostinger

VPS HOSTING · MUMBAI

DATA SHARED
All server-side data at rest. India data residency, encrypted volumes.

Resend

TRANSACTIONAL EMAIL

DATA SHARED
Your email address and the content of delivery notifications, receipts.

Plausible

ANONYMOUS ANALYTICS

DATA SHARED
Page URL, referrer, screen width. No cookies, no IP storage, no profile.

Cloudflare

CDN + DDOS SHIELD

DATA SHARED
IP address and request headers at the edge. Logs purged after 7 days.

§ 05COOKIES & LOCAL STORAGE

What we store in your browser, and why.

We keep the cookie footprint minimal. No advertising cookies, no cross-site trackers. The table below lists everything we set.

NAMEPURPOSETYPEEXPIRY
4am_sessionKeeps you signed in to your dashboard.ESSENTIAL30 days
4am_csrfBlocks cross-site request forgery on forms.ESSENTIALSession
4am_signup_ctxRemembers the product you were buying during signup flow.FUNCTIONALSession
4am_themeRemembers your light/dark preference.FUNCTIONAL1 year
_pa_uidPlausible anonymous visitor hash. Rotates daily; cannot identify you.ANALYTICS24 hours

Essential cookies cannot be disabled without breaking sign-in. Functional and analytics cookies can be switched off from your account settings once you sign in.

§ 06STORAGE & SECURITY

Where your data lives, and who can reach it.

  • Location. All production databases and file storage live in Mumbai, India (ap-south-1 region, Hostinger VPS). Nothing leaves the country except email delivery handoff.
  • Encryption. TLS 1.3 in transit. AES-256 at rest. Database backups encrypted with a separate key.
  • Backups. Daily snapshots, retained for 30 days, then rotated. Quarterly cold archives for the past year.
  • Access. Only named, on-payroll engineers can touch production. Every access is audit-logged and signed.
  • Retention. Active project data is kept until you delete your account. After deletion, we retain invoice records for 8 years (Indian tax law requires this) and nothing else.
If we ever suffer a breach that affects your data, you’ll hear from us within 72 hours, by email — per DPDPA requirements.
§ 07YOUR RIGHTS UNDER DPDPA 2023

Things you can ask us to do, with how to ask.

  • Access. See everything we hold about you. Email privacy@4am.tech. We reply within 30 days.
  • Correct. Anything wrong? Fix it yourself from your dashboard, or email us.
  • Delete. Account settings → “Delete account”. Or email us. Invoice records stay (tax law); the rest goes.
  • Export. Machine-readable JSON of your brief, messages, and billing data.
  • Withdraw consent. Opt out of analytics or marketing email anytime. Doesn’t affect essential service emails.
  • Object. Disagree with how we process something? Write to the grievance officer in section 11.
§ 08CHILDREN'S PRIVACY

We don't build accounts for minors.

Our service is meant for adults running or starting a business. We do not knowingly collect data from anyone under 18. If you think a minor has signed up, email us and we will delete the account.

§ 09CROSS-BORDER TRANSFERS

When (rarely) your data leaves India.

Two sub-processors sit outside India: Resend (US, for email delivery) and Cloudflare (global edge network). Both have signed DPAs with us and standard contractual clauses. Only the minimum data needed crosses the border — an email address for a receipt, an IP hash for DDoS protection.

Everything else — your brief, your photos, your messages, your invoices — stays in Mumbai.

§ 10POLICY CHANGES

What happens when we update this page.

Material changes (new sub-processor, new data category, changed retention) are notified by email at least 30 days before they take effect. A banner on the dashboard will also flag it. Minor edits (typos, clarifications) are posted silently with an updated version number.

Older versions are archived and available on request — ask the grievance officer.

§ 11GRIEVANCE REDRESSAL

Your designated officer, per DPDPA 2023.

If anything here concerns you, or you want to escalate:

  • Name. To be appointed on incorporation — contact founder directly until then.
  • Email. grievance@4am.tech
  • Response SLA. First reply within 72 hours. Resolution within 30 days.
  • Escalation. If unresolved, you may complain to the Data Protection Board of India.
§ 12GET IN TOUCH

How to reach us for anything else.

Trust is given once. We'd rather under-collect than over-apologise.

Read Terms of ServiceBack to home