PRIVACY POLICY

This Privacy Policy explains how Effect Control (operated by Nexaura Studios) collects, uses, stores, and protects your personal data. We are committed to compliance with privacy laws across all regions we serve.

Last Updated: May 30, 2026 DPDP Act 2023 GDPR UK GDPR CCPA

Data Controller Details
What Data We Collect
Legal Basis for Processing
How We Use Your Data
Data Sharing & Third Parties
Data Retention
Your Rights (by Region)
Cookies & Tracking
Data Security
Children & Minors
International Data Transfers
Changes to This Policy
Contact & Complaints

1. DATA CONTROLLER DETAILS

Effect Control is a product operated by Nexaura Studios, registered in India. For the purposes of GDPR, UK GDPR, and India's DPDP Act 2023, Nexaura Studios is the Data Controller / Data Fiduciary.

Controller Information

Business Name: Nexaura Studios
Product / Website: Effect Control — effectcontrol.com
Registered Country: India
Support Email: hello@effectcontrol.com
Privacy Contact: hello@effectcontrol.com

2. WHAT DATA WE COLLECT

We follow a data minimisation principle — we only collect what is strictly necessary to operate the service.

Category	Data Points	When Collected
Account Data	Email address, name (optional), hashed password	On sign-up / registration
Authentication Data	Google OAuth ID (if used), session tokens	On login
Payment Metadata	Payment ID, order ID, subscription plan, amount, currency — provided by Razorpay. We do not store card numbers or UPI credentials.	On checkout
Usage Analytics	Pages visited, tools used, session duration (anonymised via Google Analytics)	Ongoing, with consent
Technical Data	IP address, browser type, device type (in server logs, auto-deleted after 30 days)	Automatically on each request
Tool Inputs	We do NOT upload or store any images, videos, or creative files you process in our tools. All processing is browser-side (client-side).	Never stored on our servers

3. LEGAL BASIS FOR PROCESSING

EU / EEA (GDPR)

Article 6(1)(b) — Contract performance (account & subscription). Article 6(1)(a) — Consent (analytics cookies). Article 6(1)(c) — Legal obligation (tax records).

United Kingdom (UK GDPR)

Same bases as EU GDPR. UK International Data Transfer Agreements (IDTAs) apply for cross-border transfers.

India (DPDP Act 2023)

Consent of the Data Principal (user) for processing. Legitimate uses include performance of contract and compliance with legal obligations under Indian law.

United States (CCPA)

Business purpose processing. California residents have the right to know, delete, and opt-out of sale of personal information (we do not sell personal data).

4. HOW WE USE YOUR DATA

To create and manage your account and provide access to tools.
To process subscription payments via Razorpay and send invoices.
To send transactional emails (account verification, password reset, subscription receipts).
To send service announcements (new tools, major changes) — you can opt out at any time.
To improve the platform through aggregated, anonymised analytics.
To prevent fraud, abuse, and violations of our Terms of Service.
To comply with applicable tax, financial reporting, and legal obligations.

We Do NOT

Sell your personal data to third parties. Use your data to train AI models. Share your data with advertisers for targeting purposes. Store or access any creative files you process through our browser-based tools.

5. DATA SHARING & THIRD PARTIES

We share data only with trusted processors who are contractually bound to protect it:

Processor	Purpose	Data Shared	Privacy Policy
Razorpay	Payment processing (India)	Email, payment metadata	razorpay.com/privacy
Google (OAuth & Analytics)	Authentication & analytics	Google account ID (if OAuth used), anonymised usage stats	policies.google.com/privacy
SMTP / Email Provider	Transactional email delivery	Email address, name	Disclosed upon request

We may disclose data to Indian government authorities or courts if required by law (e.g., under the IT Act 2000 or DPDP Act 2023). We will notify you to the extent legally permitted.

6. DATA RETENTION

Data Type	Retention Period	Basis
Account data (email, name)	Immediately upon account deletion	Contract performance
Payment records & invoices	7 years from transaction date	India income tax law (IT Act), GST Act
Server access logs (IP)	30 days	Security / fraud prevention
Analytics data	26 months (Google Analytics default, anonymised)	Legitimate interest
Deleted accounts	Immediately purged, except payment records required by law	DPDP Act / GDPR erasure

7. YOUR RIGHTS (BY REGION)

You may exercise any of the following rights by contacting us at hello@effectcontrol.com. We will respond within 30 days.

Right	India (DPDP)	EU/UK (GDPR)	US (CCPA)
Access your data
Correct inaccurate data			Limited
Delete your data ("right to erasure")
Data portability	(via DPDP consent managers)
Withdraw consent
Opt-out of data sale	N/A (we don't sell data)	N/A	(we don't sell data)
Lodge a complaint	Data Protection Board of India	Your local Supervisory Authority	California AG / FTC

How to Delete Your Account

You can instantly and permanently delete your account at any time by clicking the "Delete Account" button located in your profile dashboard. Alternatively, you can email hello@effectcontrol.com from your registered email address with the subject "DATA DELETION REQUEST". We will permanently delete your account and personal data immediately (payment records retained as legally required).

8. COOKIES & TRACKING

We use the following cookies on effectcontrol.com:

Cookie	Type	Purpose	Duration
`session_token`	Essential	Maintains your login session	Session / 30 days
`theme`	Functional	Remembers your dark/light mode preference	1 year
`_ga`, `_gid`	Analytics	Google Analytics — anonymised usage statistics	2 years / 24 hours

You can disable analytics cookies at any time via your browser settings or by opting out at Google Analytics Opt-out. Essential cookies cannot be disabled as they are required for the site to function.

9. DATA SECURITY

All data in transit is encrypted using TLS 1.2+ (HTTPS enforced on all pages).
Passwords are hashed using bcrypt — we never store plain-text passwords.
Payment data is processed entirely by Razorpay (PCI-DSS Level 1 certified) — card/UPI data never touches our servers.
Database access is restricted to server-side code only; no direct external access.
In the event of a data breach affecting your data, we will notify you and relevant authorities within 72 hours (GDPR Art. 33) or as required by applicable law.

10. CHILDREN & MINORS

Effect Control is intended for users aged 18 years and above. We do not knowingly collect personal data from children under 13 (or 16 in the EU/UK). If you believe a minor has created an account, please contact us at hello@effectcontrol.com and we will immediately delete the account.

11. INTERNATIONAL DATA TRANSFERS

Our primary servers are located in India. Data may be processed by third-party sub-processors (Google, Razorpay) whose infrastructure may involve international data transfers.

EU/UK users: Transfers are protected by Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) with our sub-processors.
Indian users: Data processing is governed by India's DPDP Act 2023 and may involve cross-border transfers as permitted under Section 16 of the DPDP Act.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect changes in law, our services, or data practices. We will notify you of material changes via email (to your registered address) and by posting a notice on our website at least 15 days before the change takes effect. The "Last Updated" date at the top of this page will always reflect the most recent revision.

13. CONTACT & COMPLAINTS

For any privacy-related queries, data subject requests, or complaints:

Privacy Contact

Email: hello@effectcontrol.com
General Support: hello@effectcontrol.com
Response Time: Within 30 days of receipt

EU/UK Supervisory Authorities: If you are unhappy with our response, you have the right to lodge a complaint with your local Data Protection Authority (e.g., ICO in the UK, your national DPA in the EU).

India — Data Protection Board: Once operational, complaints may be filed with India's Data Protection Board under the DPDP Act 2023.

You can also reach us via our Contact Page.