Privacy Notice
Last updated: 15 June 2026
This Privacy Notice explains how CapEasy Consulting Private Limited, a company incorporated under the Companies Act, 2013, bearing CIN U67190MP2023PTC064159, with its registered office at 803-A Shridhar Athens, Shivranjini, Satellite, Ahmedabad-380015, India ("CapEasy", "CapBlue", "we", "us" or "our"), collects, uses, stores, shares and protects your personal data when you access or use the CapBlue platform at capblue.in and any related pages, applications, dashboards and communications (together, the "Platform").
CapEasy is the Data Fiduciary for the personal data described in this Notice. We process personal data in accordance with the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 (together, the "DPDP Law"), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as applicable and as each comes into force.
Please read this Notice together with our Terms of Use and Cookies Policy.
1. Who this Notice applies to
This Notice applies to everyone who interacts with the Platform, including:
- Founders and their authorised representatives who create or manage a company listing;
- Investors and their authorised representatives who access curated deal flow;
- Partners (incubators, accelerators and institutions) who nominate cohorts;
- Visitors who browse the public surface of the Platform.
For the purposes of the DPDP Law, you are a Data Principal — the individual to whom personal data relates.
2. Definitions
- Personal Data means any data about an individual who is identifiable by or in relation to such data.
- Processing means any operation performed on personal data, including collection, storage, use, sharing and erasure.
- Sensitive Personal Data or Information (SPDI) has the meaning given under the SPDI Rules, 2011 (for example, financial information and identity documents).
- Data Principal, Data Fiduciary, Consent Manager, Data Protection Board and Grievance Officer have the meanings given under the DPDP Law.
3. The personal data we collect
We collect only the personal data we need to operate the Platform and deliver the services you request.
3.1 Information you provide
| Category | Examples | Who it relates to |
|---|---|---|
| Identity & contact | Name, email address, phone number, role/designation, organisation | All users |
| Account & authentication | Email used for one-time passcode (OTP) or magic-link sign-in; Google account identifier (curators only) | All users |
| KYC & verification | Government identity documents, company registration details and other verification records you upload to our KYC module | Founders, Investors, Partners (as applicable) |
| Company & fundraise data | Company profile, sector, stage, valuation, ask, cap-table information, and documents uploaded to your data room | Founders |
| Investor profile data | Investment thesis, cheque size, sector and stage preferences, geography, exclusions | Investors |
| Partner data | Organisation details, cohort nominations, MOU contact information | Partners |
| Communications | Messages, intro requests, support queries and your correspondence with us | All users |
3.2 Information we collect automatically
When you use the Platform, we automatically collect limited technical data such as IP address, device and browser type, pages viewed, and actions taken, along with cookies and similar technologies. See our Cookies Policy.
3.3 Information from third parties
If you sign in using Google (curators), we receive basic profile information from Google in accordance with the permissions you grant. Partners may provide information about nominated founders; founders may provide information about team members. Where you submit personal data about another individual, you confirm you are authorised to do so.
We do not knowingly collect personal data from anyone under the age of 18. The Platform is intended for businesses and professional users only.
4. How and why we use your personal data
We process your personal data for the following purposes, in each case relying on your consent or on a legitimate use permitted under the DPDP Law:
| Purpose | Examples |
|---|---|
| Providing the Platform | Creating and authenticating your account, operating dashboards, enabling listings, deal flow, data rooms and intro requests |
| Curation & matching | Editorially reviewing listings and scoring potential matches against an investor's stated thesis |
| KYC & integrity | Verifying identity and eligibility, preventing fraud and misuse, and maintaining trust on the Platform |
| Communications | Sending OTPs, magic links, transactional emails, service updates and responses to your queries |
| Support & improvement | Diagnosing issues, securing the Platform and improving features |
| Legal & compliance | Meeting our obligations under applicable law and responding to lawful requests |
We do not sell your personal data.
5. Consent and your choices
Where we rely on consent, it is requested in clear and plain language, is specific to the stated purpose, and may be withdrawn at any time. Withdrawing consent does not affect processing carried out before withdrawal. If you withdraw consent necessary to operate your account, we may be unable to continue providing the relevant service.
You can manage consent and exercise your rights by contacting our Grievance Officer (Section 12). Where a registered Consent Manager is available under the DPDP Law, you may also manage consent through it.
6. The data room and confidential business information
Files you upload to your virtual data room and cap-table information are treated as confidential. They are made available only to parties you or the curation process authorise (for example, a matched investor who has agreed to applicable confidentiality terms). You are responsible for ensuring you have the right to upload and share any information you place in your data room. Do not upload material you are not authorised to disclose, including export-controlled or classified information.
7. Who we share your personal data with
We share personal data only as needed and only with:
- Other Platform users, where you choose to participate — for example, a curated match shares relevant founder information with a matched investor, and intro requests share your contact details with the intended recipient;
- Service providers (Data Processors) who help us run the Platform under contract, including:
- Supabase — database and authentication (hosted in the Mumbai, India region);
- Vercel — application hosting and delivery;
- Resend — transactional email delivery;
- Google — sign-in for curators only;
- Professional advisers, where reasonably necessary;
- Authorities and regulators, where required by law or to protect rights, safety and the integrity of the Platform;
- A successor entity, in connection with a merger, acquisition or reorganisation, subject to this Notice.
We require our service providers to protect personal data and to use it only for the purposes we specify.
8. Storage location and cross-border transfers
Personal data on the Platform is primarily stored on infrastructure located in the Mumbai, India region. Some service providers may process limited data outside India. Where any cross-border transfer occurs, we do so in accordance with the DPDP Law and only to jurisdictions not restricted by the Central Government.
9. How long we keep your data
We retain personal data for as long as your account is active and for as long as needed to fulfil the purposes in this Notice, to comply with legal, tax and regulatory obligations, and to resolve disputes and enforce agreements. When personal data is no longer required, we delete or anonymise it in accordance with the DPDP Law.
10. Anonymised public showcase
Some company listings may appear on a public, anonymised showcase. Only a limited, non-identifying set of fields is shown publicly (for example, sector, a short blurb, valuation and ask). Identifying founder or company details are not disclosed in the public showcase without authorisation.
11. How we protect your data
We maintain reasonable security safeguards appropriate to the nature of the data, including access controls, encryption in transit, row-level data access restrictions, and KYC verification. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If a personal data breach occurs, we will act in accordance with the notification requirements of the DPDP Law as they come into force.
12. Your rights as a Data Principal
Subject to the DPDP Law, you have the right to:
- Access a summary of the personal data we process about you and the processing activities;
- Correct, complete or update inaccurate or incomplete personal data;
- Erase personal data that is no longer required, subject to legal retention;
- Withdraw consent previously given;
- Nominate another individual to exercise your rights in the event of death or incapacity;
- Grievance redressal — raise a complaint with us and, if unresolved, escalate to the Data Protection Board of India.
To exercise any right, contact our Grievance Officer below. We may verify your identity before acting on a request.
13. Cookies
We use cookies and similar technologies to keep you signed in, secure the Platform and remember preferences. For details and how to manage them, see our Cookies Policy.
14. Third-party links
The Platform may link to third-party websites and services we do not control. This Notice does not apply to them. Please review their privacy policies.
15. Changes to this Notice
We may update this Notice from time to time. We will post the updated version here and revise the "Last updated" date. Material changes will be notified through the Platform or by email.
16. Contact and Grievance Officer
For any question, request or complaint regarding your personal data:
Grievance Officer: Ayush Joshi Data Fiduciary: CapEasy Consulting Private Limited Email: info@capeasy.in Address: 803-A Shridhar Athens, Shivranjini, Satellite, Ahmedabad-380015, India
We will acknowledge and respond to grievances within the timelines required under applicable law.