1. Introduction
Ice Penguin (operated under the proprietorship of Engr. Pronabesh Ghosh) and its affiliates ("Ice Penguin," "we," "our," "us") respect your privacy and are committed to protecting your personal data in compliance with applicable Indian laws, including the Information Technology Act, 2000 and its subsequent amendments, the Digital Personal Data Protection Act, 2023 (DPDPA), and applicable rules framed thereunder.
This Privacy Policy describes how we collect, use, share, protect, delete, and otherwise process your information when you visit https://icepenguin.in (the "Platform") and use our Services including but not limited to !ce Forms, !ce Sheets, !ce GoLinks, !ce Pay, !ce Space, and all related sub-domains, APIs, mobile interfaces, and partner integrations.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.
2. Definitions
"Personal Data" means any data about an individual who is identifiable by or in relation to such data, including name, email address, phone number, IP address, device identifiers, and payment information.
"Sensitive Personal Data" includes financial information (bank account details, UPI VPA), biometric data, health data, passwords, and any other data classified as sensitive under applicable Indian law.
"Platform" means the website at icepenguin.in, all sub-domains (forms.icepenguin.in, sheets.icepenguin.in, accounts.icepenguin.in, payments.icepenguin.in, go.icepenguin.in, admin.icepenguin.in), mobile-optimized interfaces, APIs, and any software or service operated by Ice Penguin.
"Services" means all products, features, and functionalities offered through the Platform, including form building (!ce Forms), spreadsheet management (!ce Sheets), URL shortening (!ce GoLinks), payment processing (!ce Pay), account management (!ce Space), newsletter subscriptions, and web development/hosting services.
"User" / "You" means any individual who accesses, browses, or uses the Platform or Services, whether registered or unregistered.
3. Information We Collect
3.1 Information You Provide Directly
- Account Registration: Full name, email address, phone number, password (hashed), organization name, and profile picture when you create an account at accounts.icepenguin.in.
- Form Submissions: Any data you voluntarily submit through !ce Forms, which may include text responses, file uploads, contact details, or payment information depending on the form configuration.
- Payment Information: UPI Virtual Payment Address (VPA), transaction references, payment amounts, and timestamps when using !ce Pay or UPI-enabled form fields. We do not store complete bank account numbers, credit/debit card numbers, or banking PINs.
- Newsletter Subscription: Email address when you subscribe to our newsletter or marketing communications.
- Contact Communications: Name, email, phone number, and message content when you contact us via email, WhatsApp, or contact forms.
- Content Creation: Spreadsheet data, form configurations, URL mappings, workspace settings, and any other content you create or upload to the Platform.
3.2 Information Collected Automatically
- Device Information: IP address, browser type and version, operating system, device type, screen resolution, and unique device identifiers.
- Usage Data: Pages visited, click patterns, time spent on pages, referral URLs, search queries, feature usage frequency, and navigation paths.
- Log Data: Server access logs including timestamps, request/response codes, user-agent strings, and error logs for debugging and security monitoring.
- Location Data: Approximate geographic location derived from your IP address (city/state level only; we do not collect precise GPS coordinates).
- Cookie Data: Information stored and retrieved via cookies, local storage, and session storage as described in Section 6 below.
3.3 Information from Third Parties
- Authentication Providers: If you sign in via Google OAuth or other third-party authentication, we receive your name, email address, and profile picture from the authentication provider.
- Analytics Services: Aggregated usage data from Google Analytics, Vercel Analytics, and similar platforms.
- Payment Gateways: Transaction confirmation status and reference IDs from UPI payment networks (we do not receive your bank account details from these gateways).
4. How We Use Your Data
We process your personal data for the following lawful purposes:
- Service Delivery: To create, maintain, and manage your account; to enable form creation, data collection, spreadsheet management, payment processing, URL shortening, and all other Platform functionalities.
- Authentication & Security: To verify your identity, manage sessions, detect and prevent unauthorized access, fraud, abuse, and security threats.
- Communication: To send transactional emails (account verification, password resets, payment confirmations), service announcements, and, with your consent, marketing/promotional communications.
- Platform Improvement: To analyze usage patterns, conduct A/B testing, diagnose technical issues, optimize performance, and develop new features.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests; to enforce our Terms & Conditions; and to protect the rights, property, or safety of Ice Penguin, our users, or the public.
- Payment Processing: To facilitate and verify UPI payments, generate QR codes, process invoices, and maintain financial transaction records as required by Indian tax and financial regulations.
- Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.
- Rate Limiting & Anti-Abuse: To track and limit API/form submission attempts using IP addresses and user-agent data to prevent spam, bot abuse, and denial-of-service attacks.
5. Authentication & Account Security
When you create an account on Ice Penguin:
- Password Storage: All passwords are cryptographically hashed using industry-standard algorithms (bcrypt/argon2) before storage. We never store plaintext passwords, and our staff cannot view your password.
- Session Management: Authentication sessions are managed via secure, HTTP-only cookies with SameSite protections. Sessions are time-limited and automatically expire after periods of inactivity.
- OAuth/SSO: If you authenticate via Google or other OAuth providers, we store only your email, display name, and profile picture. We do not receive or store your OAuth provider password.
- Role-Based Access Control (RBAC): Workspace access is governed by three role tiers — Admin (full access), Editor (create/edit), and Viewer (read-only). Permissions are enforced server-side on every request.
- Account Recovery: Password reset requests are processed via time-limited, single-use tokens sent to your registered email address.
- Multi-Workspace Isolation: Data in one workspace is logically isolated from data in other workspaces. Cross-workspace access is not possible without explicit invitation from a workspace Admin.
8. Data Retention
- Account Data: Retained for as long as your account is active. Upon account deletion, personal data is purged within 30 days, except where retention is required by law (e.g., financial transaction records under Indian tax law must be retained for a minimum of 8 years).
- Form Responses: Retained until the form creator deletes them or the associated workspace/account is deleted.
- Newsletter Subscriptions: Retained until you unsubscribe. You may unsubscribe at any time via the link provided in every email or by contacting us.
- Server Logs: Access logs and security logs are retained for up to 90 days for debugging and security purposes, then automatically purged.
- Rate-Limiting Records: IP-based rate-limiting records are retained for up to 30 days.
- Payment Records: Transaction records are retained for the minimum period required by applicable Indian tax and financial regulations (typically 8 financial years).
9. Security Measures
We implement industry-standard technical and organizational measures to protect your data:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2/1.3 (HTTPS). We enforce HSTS headers to prevent protocol downgrade attacks.
- Encryption at Rest: Sensitive data stored in our databases is encrypted at rest using AES-256 encryption.
- Access Control: Internal access to production data is restricted to authorized personnel on a need-to-know basis, enforced via multi-factor authentication and audit logging.
- Infrastructure Security: Our Platform is hosted on enterprise-grade cloud infrastructure (Vercel, Google Cloud/Firebase, Neon) that maintains SOC 2 Type II, ISO 27001, and other industry certifications.
- DDoS Protection: Network-level DDoS mitigation is in place via Vercel's edge network and Cloudflare-class protections.
- Input Validation & Sanitization: All user inputs are validated and sanitized server-side to prevent SQL injection, XSS, CSRF, and other common web vulnerabilities.
- Regular Updates: Dependencies and frameworks are regularly updated to patch known security vulnerabilities.
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
10. Your Rights
Under the Digital Personal Data Protection Act, 2023 (DPDPA) and other applicable laws, you have the following rights:
- Right to Access: You may request confirmation of whether we process your personal data and obtain a copy of such data.
- Right to Correction: You may request correction of inaccurate or incomplete personal data.
- Right to Erasure: You may request deletion of your personal data, subject to legal retention obligations.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
- Right to Grievance Redressal: You may raise a complaint with our Grievance Officer (details below) or, if unsatisfied, with the Data Protection Board of India as established under the DPDPA.
- Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity, as provided under the DPDPA.
To exercise any of these rights, contact us at info@icepenguin.in. We will respond within 30 days.
11. Children's Privacy
The Platform is not directed at children under the age of 18. We do not knowingly collect personal data from children. If a child under 18 has provided us with personal data without verifiable parental or guardian consent, the parent or guardian may contact us at info@icepenguin.in, and we will take steps to delete such data promptly.
If an !ce Form is used for educational purposes involving minors (e.g., school examinations), the institution or form creator is responsible for obtaining necessary parental/guardian consent and complying with applicable child-protection laws. Ice Penguin acts as a data processor in such scenarios.
12. International Data Transfers
Ice Penguin is based in India. Our primary data processing occurs in India and on servers operated by cloud providers with data centers globally (including the United States, European Union, and Asia-Pacific).
Where personal data is transferred outside India, we ensure that adequate safeguards are in place as required by the DPDPA, including ensuring that the receiving jurisdiction provides an adequate level of data protection or that appropriate contractual clauses are in effect.
13. Partner & Collaborator Services
Ice Penguin hosts and manages technology infrastructure for independent partner organizations ("Partner Portals"). These include, but are not limited to, educational institutions, digital marketing agencies, creative studios, and other service providers operating under *.icepenguin.in subdomains.
Data Controller & Processor Roles
When you use a Partner Portal, data may be collected both by Ice Penguin (for platform infrastructure and security) and by the respective Partner (for their specific service delivery). In this context:
- The Partner acts as the Data Controller — they determine the purpose and means of processing your service-specific data (e.g., student exam responses, project briefs, contact submissions).
- Ice Penguin acts as the Data Processor — we process data on behalf of the Partner solely for platform operation, hosting, and security.
Data Sharing with Partners: Information you submit through a Partner Portal is shared with the respective Partner for service delivery. Ice Penguin does not control how Partners use this data beyond the obligations specified in this Policy and applicable law.
Partner Obligations: All Partners operating under Ice Penguin's infrastructure are contractually required to:
- Comply with all applicable Indian data protection laws, including the Information Technology Act 2000, the IT (Reasonable Security Practices) Rules 2011, and the Digital Personal Data Protection Act (DPDPA) 2023.
- Maintain reasonable technical and organisational security standards for all personal data processed through the Platform.
- Not use personal data collected through the Platform for purposes beyond their stated service scope without obtaining independent consent from the data principal.
Ice Penguin's Limited Role: Ice Penguin provides technology infrastructure, hosting, domain management, and centralised policy management. Ice Penguin does NOT control, endorse, verify, or guarantee the accuracy, quality, legality, or outcomes of any Partner's services, content, communications, or business practices. Ice Penguin shall not be held liable for any acts, omissions, negligence, or data breaches attributable to a Partner.
Exercising Your Rights: You may exercise your data rights (access, correction, erasure, portability) by contacting Ice Penguin at info@icepenguin.in. For service-specific data queries, you should contact the respective Partner directly through their Portal.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Post a prominent notice on the Platform or send you an email notification (for registered users).
- Seek fresh consent where required by law for material changes to data processing purposes.
Your continued use of the Platform after any changes constitutes acceptance of the updated Privacy Policy.
15. Contact Us & Grievance Officer
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
Grievance Officer / Data Protection Contact
We will acknowledge your request within 48 hours and endeavour to resolve it within 30 days. If you are unsatisfied with our response, you may approach the Data Protection Board of India under the DPDPA, 2023.
© 2025 !ce Penguin. All Rights Reserved.
MSME Reg No - UDYAM-WB-15-0083413
