1. Overview
This notice explains how SprukoMarket (operated by Spruko Technologies Pvt Ltd) collects, uses, discloses, and protects personal information when you browse our site, create an account, upload or purchase digital products, or interact with our services. It applies to users and authors worldwide and is designed to reflect major laws including GDPR/UK GDPR, U.S. state privacy laws (such as CCPA/CPRA), India’s DPDP Act, and other applicable regulations.
2. Scope
This policy applies when we act as a data controller for personal information related to your account, marketplace participation, and use of our services. It doesn’t apply to processing under separate agreements (e.g., a Data Processing Addendum) or by third-party platforms you use independently.
Roles. Spruko Technologies Pvt Ltd is the data controller (data fiduciary under Indian law) for personal information processed in connection with SprukoMarket. If we process data strictly on behalf of a business customer/author under a separate agreement, we act as a data processor.
3. Who we are
Spruko Technologies Pvt Ltd operates SprukoMarket ("SprukoMarket", "we", "us"). We are based in India and serve a global community.
4. Group companies
Spruko Technologies Pvt Ltd may operate through related entities. Where a Spruko group entity provides parts of the service, that entity may process personal information as described in this policy. If we add or change group entities, we will update this page.
5. Definitions (plain language)
- Personal information / personal data: Any information that identifies or relates to an identifiable individual.
- Processing: Any operation performed on personal information (such as collecting, storing, using, sharing, deleting).
- Controller / Data fiduciary: The entity that decides why and how personal information is processed (that’s us for most processing).
- Processor / Data processor: A third party that processes information on our behalf (e.g., cloud hosting, payment gateways).
6. Information we collect
We collect personal and transactional information to deliver our services smoothly. This includes information you provide directly and data collected automatically when you use SprukoMarket.
1. Account data
Name, username, email address, password, and profile details (e.g., image, bio, other contact information).
2. User data
Purchase history, license details, billing information, payment records, and download activity.
3. Author data
Uploaded products and files, item descriptions, sales records, payout details, tax information, and other data needed to manage author accounts and earnings. Identity verification (where required) via trusted partner; see Information about authors.
4. Technical data
IP address, device/browser information, approximate location, session data, diagnostic logs, and cookie/pixel identifiers for functionality, security, and analytics.
5. Payment data
Payment tokens/IDs, transaction records, and billing details needed to process purchases and payouts. We do not store full payment card numbers or bank account details; payments are handled securely by third-party PCI-compliant payment providers such as Stripe, Razorpay, PayPal, or similar payment gateways.
6. Optional communications data
Support chats and feedback you send us.
7. Personal information we collect about you from others
- Payment & payout partners provide transaction details (not full card/bank data) to process purchases and withdrawals.
- Social sign-in & connected platforms (e.g., Google or Meta) may share registration/profile info when you link or log in, as allowed by your settings with them.
- Fraud, security & verification partners may share risk signals or verification results to help prevent abuse and comply with law.
- Advertising/analytics partners may provide aggregated/interest data where permitted, which we combine with our records to improve performance and personalisation.
- Rights-holder information from authors (e.g., model/property releases) where required for certain content types.
- Team/agency account owners may provide your work email or role to provision access (see International transfers and Your rights).
8. Information about authors
As the operator of a multivendor digital goods marketplace, we have a legitimate interest—and in some regions a legal obligation—to collect, verify, use, store, disclose and in limited cases display certain information about authors. This helps maintain marketplace integrity by reducing fraud, making authors accountable for their content, and enabling us and customers to enforce contracts when rules are broken.
- Identity & business verification. Where required, authors will be asked to verify identity through a trusted third-party verification provider. With your explicit consent, the provider may request a government-issued photo ID and, if applicable, business registration documents, plus a “selfie” image used for biometric comparison performed by the provider. The provider does not share biometric templates with us. It may share verification results and, where necessary for compliance and audit, copies of ID images.
- Regulatory disclosures (e.g., EU Digital Services Act). Where applicable laws require it, we may collect, verify and display certain trader/author information on public pages—such as name, address, email, phone number and business registration details.
- Public profile & listings. Your shop name, avatar, item listings, ratings/reviews, portfolio and other information you choose will appear on your public profile and item pages.
- Use & retention. We process verification and compliance records only for fraud prevention, trust & safety, legal obligations and audit. See Data Retention for applicable periods.
9. How we collect information
Directly from you (sign-up, login, profile updates, uploads, purchases, support), automatically via cookies and similar technologies, and from third parties (payment providers, identity verification partners, analytics/advertising partners, social-sign-in), as permitted by law.
10. Legal bases (EEA/UK only)
Where the GDPR/UK GDPR applies, we rely on: (a) contract (to provide services you request), (b) legitimate interests (to operate, secure and improve our services, prevent fraud, and market our products), (c) consent (where required, e.g., certain cookies/marketing), and (d) legal obligation (e.g., tax and accounting).
11. Purposes of processing (why we use your data)
We process personal information for the purposes below. Where GDPR/UK GDPR applies, the typical legal bases are indicated; under India DPDP, processing is aligned with lawful purposes and consent where required.
- Service delivery & account management — create and manage your account, enable purchases/downloads, issue licenses, and handle author payouts. Legal basis: contract; legitimate interests.
- Payments & billing — process payments, refunds, taxes, and invoices via PCI-compliant providers. Legal basis: contract; legal obligation; legitimate interests.
- Safety, security & fraud prevention — protect accounts and the platform, detect abuse, and enforce our Terms. Includes limited automated checks; you can contact support to request an explanation or human review of decisions that significantly affect you. Legal basis: legitimate interests; legal obligation.
- Customer support & dispute resolution — respond to requests, troubleshoot, and mediate disputes between buyers and authors. Legal basis: contract; legitimate interests.
- Personalisation — tailor content, categories, and recommendations based on your activity and settings. Legal basis: legitimate interests; consent where required.
- Communications — service messages (e.g., receipts, security alerts) and, with consent where required, marketing updates you can opt out of anytime. Legal basis: contract (service); consent/legitimate interests (marketing).
- Analytics & product improvement — measure usage, fix bugs, plan features, and generate de-identified aggregated statistics. Legal basis: legitimate interests; consent where required (e.g., analytics cookies).
- Compliance & record-keeping — meet legal, tax, and regulatory obligations and respond to lawful requests. Legal basis: legal obligation; legitimate interests.
- Advertising/retargeting (where used) — show or measure ads with partners using cookies/IDs, with choices available via cookie preferences and US state opt-outs. Legal basis: consent where required; legitimate interests.
Purpose → legal basis → typical data
| Purpose | Typical legal basis | Typical data used |
|---|---|---|
| Service delivery & account | Contract; Legitimate interests | Account, User, Author, Technical |
| Payments & billing | Contract; Legal obligation | Payment, Commercial |
| Security & fraud | Legitimate interests; Legal obligation | Technical, Identifiers, Commercial |
| Support & disputes | Contract; Legitimate interests | Account, Communications, Commercial |
| Personalisation | Legitimate interests; Consent | Inferences, Technical, Commercial |
| Communications | Contract (service); Consent/Legitimate interests (marketing) | Account, Identifiers |
| Analytics & improvement | Legitimate interests; Consent | Technical, Internet activity |
| Compliance & records | Legal obligation | Commercial, Payment, Account |
| Advertising/retargeting | Consent where required by law | Identifiers, Internet activity, Inferences |
12. How we share information
We do not sell personal information for monetary compensation. Certain advertising activities may be considered "sharing" under U.S. privacy laws. Users can opt out of this type of sharing through our cookie preferences or the Do Not Sell or Share My Personal Information page.
- Payment processors to process payments, withdrawals, and refunds.
- Service providers (hosting, analytics, support, marketing tools, fraud prevention) under confidentiality and data-protection obligations.
- Authors/Users (limited details such as username and order references) to enable delivery, support, and dispute resolution.
- Account holders for team/agency accounts where your access is provided by an organisation.
- Legal and compliance recipients when required by law or to protect our rights and users.
- Business operations in audits, security reviews, or corporate restructuring with appropriate safeguards.
13. Independent controllers (payments & sign-in)
Some partners process your information as independent controllers, not our processors. For example, certain payment methods (e.g., PayPal or card wallets) and social sign-in providers (e.g., Google/Meta) handle your information under their own privacy policies. Please refer to your provider’s policy for details.
14. International transfers
We are based in India and work with service providers worldwide. Your personal information may therefore be processed in India and other countries where our partners operate. Where required by law, we use appropriate safeguards such as European Commission Standard Contractual Clauses (SCCs), UK International Data Transfer Addendum (IDTA), adequacy decisions, or other approved legal mechanisms to ensure your information receives an equivalent level of protection during cross-border transfers.
15. Cookies & tracking
We use first-party cookies to keep you signed in, remember preferences, and secure your account. We may also use third-party cookies and similar technologies (such as analytics or advertising identifiers) to understand usage and measure the effectiveness of our services. Where required by law, optional cookies such as analytics or advertising cookies are activated only after users provide consent through our cookie preference center.
Some browsers provide a “Do Not Track” (DNT) signal. Currently we do not respond to browser DNT signals. However, where required by law we honor legally recognized opt-out signals such as Global Privacy Control (GPC).
To opt out of Google Analytics, you can use the browser add-on available at: Google Analytics opt-out add-on .
16. Advertising & analytics
We may work with analytics and advertising partners that set cookies or read device identifiers to measure advertising effectiveness and personalise content where permitted by law. You can manage these through our cookie preferences and by using platform tools (such as Google or Meta Ad Settings). In some regions, you may also exercise rights through legally recognised opt-out signals.
We may use Google services such as Google Analytics, Google Ads, and Google Ads conversion tracking to measure website performance, analyse traffic, and evaluate advertising effectiveness.
These services may use cookies or similar technologies to collect information about how users interact with our website and advertising campaigns, including remarketing features. Information collected may include IP address, device type, browser information, pages visited, and interactions with advertisements.
Users can manage advertising and analytics cookies at any time through our cookie preference center or by adjusting browser privacy settings.
17. Security
- SSL/TLS transport security; hashed and salted passwords.
- Payments handled by PCI-compliant gateways; we do not store full card or bank details.
- Role-based access for authorized personnel bound by confidentiality.
- Ongoing monitoring, reviews, and vulnerability assessments.
Although we take reasonable measures, no method of transmission or storage is 100% secure.
18. Responsible security disclosure
If you believe you’ve found a security vulnerability, please submit a vulnerability report or email [email protected]. Include a description, steps to reproduce, and any proof-of-concept. We review reports promptly and appreciate responsible disclosure.
19. Data Retention
We keep personal data only for as long as is necessary for the purposes for which it is processed, including to provide our services. Retention periods are determined case-by-case and depend on factors such as:
- Purpose and data type — what the data is and why we process it.
- Legal requirements — laws that require retention (for example, tax/accounting) or until applicable limitation periods expire for possible legal claims or investigations.
- Trust & safety — to protect users and our platform (for example, where accounts breach our Terms, we may retain certain records to prevent abuse).
- Backup/archival needs — short-term retention in backups consistent with our business continuity practices.
Following termination or deactivation of your account, we may retain the information you provided for a commercially reasonable period for backup, archival, contract performance/enforcement or audit, but no longer than is necessary and only where accurate and relevant for our use. Where feasible, we will anonymise or aggregate personal details when we no longer need them in identifiable form, while retaining records required for tax, fraud prevention and security.
| Category | Typical retention | Notes |
|---|---|---|
| Account profile | Until account deletion + 12 months | Backups may persist briefly after deletion. |
| Transactions & payouts | Until account deletion + 12 months | Longer where required by law or regulation (e.g., tax/accounting). |
| Security & access logs | 90–365 days | Longer where needed for investigations. |
| Support communications | Until account deletion + 12 months | For service quality and dispute resolution. |
| Verification records (authors) | As required by law/contract | Minimum necessary for compliance, fraud prevention and audit. |
20. Account closure, deletion & retention limits
To close your account or exercise privacy rights (access, deletion, correction, etc.), please submit a request or email [email protected]. We’ll verify your identity and respond within applicable legal timeframes.
21. Your rights
Subject to applicable law, you may have rights to access, correct, delete, restrict, or object to processing, to data portability, and to withdraw consent. To exercise rights, please submit a request or email [email protected]. We may request identity verification.
Complaints & appeals
If you have concerns about how we handle your information, contact us first (see Contact). We will acknowledge and address your complaint within a reasonable time, and within timelines required by applicable law. If we deny a request, you may appeal by replying to our decision notice or by submitting an appeal via the helpdesk. If you’re in the EEA/UK, you may also complain to your data protection authority.
Regional information
India (DPDP 2023). Contact our Grievance Officer (see Contact). We will acknowledge and address your requests within timelines required by applicable law.
EEA/UK (GDPR/UK GDPR). You can lodge a complaint with your local data protection authority. We will respond within legal timeframes (generally one month, extendable in complex cases).
United States (e.g., California). For opt-out of “sale/share” for cross-context behavioral advertising, use Do Not Sell or Share and cookie preferences; we also honor applicable opt-out signals where required.
22. Marketing choices
- Email preferences: You can unsubscribe using the link in our emails or submit a request.
- Cookies/ads: Manage via cookie preferences and your browser/device settings; some features may not function without certain cookies.
23. Information you make public or give to others
Information you post publicly (e.g., forums, reviews) or share with other users/authors may be seen or collected by others. Review third-party sites’ privacy practices when sharing information off our platform.
24. Children’s privacy
We do not knowingly collect personal information from children under 18. If we become aware that such information has been provided, we will take reasonable steps to delete it promptly. If you believe a minor has provided personal data, please contact us at [email protected].
25. Changes & versioning
We may update this policy to reflect changes in services, legal requirements, or platform features. Updated versions will be posted on this page with a revised effective date and, where required by law, additional notice or consent will be requested.
26. Privacy snapshot
The table below summarises the categories of personal information we may collect over the last twelve (12) months, how we use it, whether we disclose it, and if you can limit sharing. This complements (and doesn’t replace) the detailed disclosures in this policy.
For simplicity, “personal information” and “personal data” are used interchangeably in this snapshot.
| Data category collected | How we collect | Primary purpose of processing | Key disclosures | Can you limit sharing? |
|---|---|---|---|---|
| Identifiers Names, usernames, email, IP address, device IDs. |
When you visit and use SprukoMarket; from third-party services you connect (e.g., social sign-in). | Deliver our services; improve, monitor, personalise and protect our services; customer communications and marketing. | Service providers; advertising partners (where enabled by consent) | No (service providers); Yes (marketing/advertising) |
| Customer records Contact details, tax & business info (for authors), support history. |
Provided by you; from third-party services where you authorise. | Account setup and management; compliance; support; marketplace operations. | Service providers | No |
| Commercial information Purchases, subscriptions, downloads, transaction history. |
When you use our marketplace; from payment processors. | Provide and improve services; license validation; fraud prevention; support. | Service providers | No |
| Payment information Payment tokens/IDs, billing details (no full card or bank details stored by us). |
From PCI-compliant payment processors when you pay or request payouts. | Process payments, withdrawals and refunds; detect and prevent fraud. | Payment processors | No |
| Internet or network activity Logs, pages viewed, referral URLs, session duration. |
Automatically via cookies, pixels, and similar technologies. | Operate, secure, and measure the platform; diagnostics and analytics. | Service providers; advertising partners (where enabled by consent) | No (service providers); Yes (marketing/advertising) |
| Geolocation data Approximate location from IP. |
Automatically when you visit our site/app. | Fraud prevention, legal compliance, personalisation and analytics. | Service providers; advertising partners (where enabled by consent) | No (service providers); Yes (marketing/advertising) |
| Author verification data Government ID, business docs, selfie (processed by verification partner). |
Via third-party identity verification service with explicit consent (authors only). | Verify identity; maintain marketplace integrity; meet legal obligations. | Identity verification partner | N/A |
| Inferences Preferences and usage insights derived from activity (e.g., categories viewed, downloads). |
From your activity on SprukoMarket and analytics partners (where permitted). | Improve and personalise content, recommendations, and marketing. | Service providers; advertising partners (where enabled by consent) | No (service providers); Yes (marketing/advertising) |
You can limit sharing used for marketing or advertising by adjusting your cookie preferences or opting out of marketing emails.
Essential service providers required to operate the marketplace are always permitted. Optional analytics or advertising-related sharing can be limited at any time through cookie preferences and marketing opt-outs.
27. Contact, DPO & Grievance Officer
For all customer support, technical assistance, and privacy or data-rights requests, please submit a request exclusively through the SprukoMarket Help Center .
Important: The email addresses listed below are provided solely for statutory, legal, privacy, grievance, and security-related communications. They are not intended for general customer or technical support.
Privacy / Data Protection Officer (DPO):
[email protected]
Grievance Officer (India – DPDP):
Name: A. UdayKumar
Email: [email protected]
Address: LIG-215, 1-8-67/83, APIIC Colony, ECIL, Kushaiguda, Hyderabad,
Telangana 500062, India
Legal & Intellectual Property Notices:
[email protected] ·
[email protected]
If we appoint an EU/UK representative for GDPR purposes, we will update this section with the relevant contact details.
SprukoMarket is operated by Spruko Technologies Pvt Ltd, India. We are not affiliated with Envato, Creative Market, Dribbble, or any other referenced companies; third-party names are used for identification purposes only.