Privacy Policy

Capera Inc., and in India INDRITA FINTECH PRIVATE LIMITED operating as Capera, is the data fiduciary (under DPDPA) and controller (under GDPR) of the personal data described in this policy. Our registered contact for privacy matters is privacy@capera.co. We do not currently operate a designated Data Protection Officer; the Privacy team handles incoming requests within the timelines set out by applicable law.

If you are writing from the European Economic Area or the United Kingdom and require a representative for GDPR Article 27 or UK GDPR purposes, contact us at the address above and we will direct your enquiry.

This policy covers the following Capera surfaces and the personal data each one processes:

• Public website (capera.co). Rates, insights, marketing pages.
• Capera Core. Financing intake, CashScan bank-statement upload, financing routing across regulated banks and NBFCs.
• Capera Boost. Waitlist signups and email-based product updates.
• Insights blog and rate pages. Public reading and analytics.
• Partner portal (capera.co/partner). Partner access codes, partner visits, partner formalisation.
• Internal CRM (capera.co/internal/crm). Internal use by Capera staff and authorised partners for lead and account management.

Third-party sites linked from Capera surfaces operate under their own privacy policies. We do not control them and are not responsible for their practices.

We collect personal data in three ways.

a. Information you give us directly

When you fill in a form on Capera, you give us the fields you typed into it. This includes:

• Contact details on the financing intake, Boost waitlist, CashScan upload, partner forms, and the contact modal: name, email, company, optional message text.
• Bank statement files uploaded to CashScan. These are PDF documents that contain transactional information about your business. We treat these as confidential business data and store them with restricted access.
• Profile information when Capera staff or authorised partners sign in to the CRM via Google OAuth: name, email address, Google profile picture, and the Google identifier we use to keep your session signed in.

b. Information we collect automatically

When you visit a Capera surface, our infrastructure and analytics tools log certain technical information:

• Device and connection. IP address, user-agent, device type, screen size, time zone, referring page, and the URL you visited.
• Usage. Pages viewed, time on page, links clicked, and approximate location derived from your IP.
• Cookies and similar technologies. Described separately in section 8.

c. Information from third parties

We receive limited personal data from third parties only in specific cases:

• Google, when you sign in to our CRM with a Google account. We receive your name, email, Google ID, and profile picture under the scopes Google's consent screen describes at the time you sign in.
• Lender and partner organisations who refer a business to Capera. In that case the referring organisation has obtained your consent and shared your contact details with us for the purpose of processing your financing enquiry.

We use personal data for the purposes listed below. We do not use it for unrelated purposes without coming back to you.

• To run the service you asked for. Process a financing application, run a CashScan analysis, respond to a contact request, send a Boost or Core waitlist update when the relevant product launches.
• To improve the service. Understand which pages and tools are useful, fix the ones that are not, and prioritise the roadmap based on real usage.
• To run our business. Internal record-keeping, accounting, financial reconciliation with lender partners on closed transactions, fraud prevention, and security monitoring.
• To meet legal and regulatory obligations. Respond to lawful requests from regulators, comply with anti-money-laundering and Know-Your-Customer requirements where applicable, and exercise or defend legal claims.
• To communicate with you. Reply to enquiries, send service updates, and occasionally send marketing emails about Capera products. You can opt out of marketing at any time via the unsubscribe link on every marketing email or by writing to privacy@capera.co.

Where GDPR or DPDPA apply, the legal bases on which we process your personal data are:

• Consent. For non-essential cookies, marketing emails, and bank-statement uploads to CashScan. You can withdraw consent at any time; withdrawing it does not affect processing already carried out.
• Performance of a contract. For data processed to deliver a service you asked for, such as a financing application or CashScan analysis.
• Legitimate interests. For internal analytics, fraud prevention, security monitoring, and routine business operations. We balance our interests against your rights and freedoms before relying on this basis.
• Legal obligation. For data we are required to keep under tax, anti-money-laundering, or other applicable law.

We do not sell personal data. We share it only with the categories of recipients listed below, under contractual confidentiality and data-protection terms.

a. Service providers

We use the following processors to operate Capera. Each one has a written data-processing agreement with us:

• Vercel Inc. Hosting and content delivery for capera.co.
• MongoDB, Inc. (MongoDB Atlas). Database that stores the data submitted through Capera forms, the CRM, and the partner portal.
• Resend Inc. Transactional and notification email delivery.
• Google LLC. Google Sign-In for the CRM (OAuth), Google Analytics for usage measurement, Google Tag Manager for tag delivery.
• Cloudflare, Inc. Selected DNS and edge caching where applicable.

b. Lender and financing partners

When you submit a financing application through Capera Core, we share your application and supporting documents with a shortlist of regulated banks and NBFCs whose products fit the profile you described. We share only what each lender needs to provide an indicative quote. Capera is not itself a lender; the lenders make their own credit decisions and run their own KYC under their own privacy policies.

c. Professional advisers and authorities

We may share personal data with our auditors, lawyers, and other professional advisers under confidentiality obligations, and with regulators or law-enforcement authorities where we are legally required to do so.

d. Corporate transactions

In the event of a corporate transaction, such as a merger, acquisition, or financing round, personal data may be transferred to the counterparty subject to confidentiality terms. Any successor entity will be bound by this policy or one materially equivalent.

Capera operates from India (through INDRITA FINTECH PRIVATE LIMITED) and the United States (through Capera Inc.). Some of our processors are based in jurisdictions other than your own, including the United States and the European Union. When we transfer personal data internationally, we use safeguards recognised under DPDPA, GDPR, and the UK GDPR, which may include the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or transfer to a country recognised as adequate by the relevant regulator.

We use cookies and similar technologies for three purposes: to keep the site working (necessary), to understand how the site is used (analytics), and to measure whether our campaigns reach the right audience (marketing). Necessary cookies are always on. Analytics and marketing cookies are turned on only with your consent.

The cookie modal you saw on your first visit captured your choice. You can change it any time by clicking the cookie-preferences link in our footer, which will reopen the modal. Browser-level controls (DNT, third-party cookie blocking, private browsing) override our preferences in the obvious way.

We keep personal data for as long as we need it for the purpose for which we collected it, then we either delete it or anonymise it. The headline retention periods are:

• Financing applications. For the duration of the engagement plus the period required under applicable record-keeping rules (typically 5 to 8 years in India).
• CashScan uploads. Bank statements are retained for 12 months from the date of analysis unless you instruct us otherwise.
• Waitlist and contact-form submissions. Up to 24 months from your last interaction, then archived or deleted.
• CRM records. While you are an active Capera user, partner, or counterparty, and for 5 years thereafter.
• Analytics data. Aggregated indefinitely; identifiable session data up to 26 months in Google Analytics 4.

We protect personal data using a combination of technical and organisational measures. These include encryption in transit (TLS), encryption at rest where supported by our processors, role-based access control inside Capera, mandatory single-sign-on for staff with Google account hardening enforced, audit logging on the CRM, network and application monitoring, and routine security review of changes.

No system is perfectly secure. If you suspect your data has been compromised, please write to privacy@capera.co immediately.

Subject to the law that applies to you, you have the following rights over your personal data. To exercise them, write to privacy@capera.co from the email address we hold for you, or send a request that gives us enough information to verify your identity.

• Access. A copy of the personal data we hold about you.
• Correction. Update of information that is inaccurate or incomplete.
• Deletion. Erasure of your personal data, subject to legal obligations we may have to retain it.
• Restriction. Limit on how we process your data in defined circumstances.
• Portability. A copy of certain data in a structured, commonly used, machine-readable format.
• Objection. The right to object to processing based on legitimate interests, including for direct marketing.
• Consent withdrawal. Withdraw consent where consent was the basis for processing.
• Nominate a person. Under DPDPA, you may nominate another person to exercise your rights in the event of death or incapacity.
• Complain to a regulator. You may complain to the Data Protection Board of India, your local European supervisory authority, or the UK Information Commissioner's Office, as applicable. We would appreciate the chance to address your concern first.

We will respond within 30 days, or sooner where the law requires it. Where the request is complex, we may extend the response period and tell you so.

Capera is a B2B service. It is not directed at children. We do not knowingly collect personal data from a person under the age of 18. If you believe a minor has provided us with personal data, write to privacy@capera.co and we will delete it.

We may update this policy from time to time. The Last-updated date at the top of the page changes whenever the policy does. Material changes will be highlighted on the site or, where appropriate, communicated to you by email. Continuing to use Capera after a change means you accept the updated policy.

For any privacy matter, including requests under DPDPA, GDPR, or the UK GDPR, write to privacy@capera.co. For general enquiries, use the contact form on the website. Please include enough detail for us to identify you and act on your request.