
Privacy Policy

Last updated 27 April 2026

Elevations is an online studio tool for Indian homeowners, operated by M/s Utopian Fold — the firm behind Ongrid, India's online architecture studio. This policy explains what we collect, why, who we share it with, and how to exercise your rights. The legal frameworks behind it are the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000, and the SPDI Rules, 2011.

1. Who we are

The "Data Fiduciary" under the DPDPA for Elevations is M/s Utopian Fold, a partnership firm with its registered office at First Floor, Office No. 110, Skyone Building, Kalyani Nagar, Pune 411006, Maharashtra, India. GSTIN 27AAGFU0108H1ZF. We can be reached at hello@ongrid.design.

2. Data we collect

  • Account data: your email address, name, and a PBKDF2 hash of your password. We never see or store the password itself.
  • Generation data: the configuration parameters you choose for each elevation (floors, materials, style, plot orientation, references, prompt text) and the resulting images we render for you.
  • Payment data: the Razorpay order ID, payment ID, amount, currency, and status. We do not see or store full card numbers, CVVs, UPI PINs, or net-banking credentials — these stay with Razorpay, an RBI-regulated payment aggregator.
  • Expert Report data: if you submit the Expert Report, we collect your phone number, plot size, location, budget range, build timeline, and current build stage, plus any notes you choose to share. This is the only place we collect lead-quality information, and only with your explicit submission.

    Phone numbers — what we do and don't do. We ask for your phone number only when you request an Expert Report. The phone number is used to:
    • Allow an Ongrid designer to call you for clarification on your sketch.
    Your phone number is never:
    • Shared with advertisers, brokers, or third-party marketers.
    • Used for unrelated marketing without your separate consent (the unticked-by-default checkbox below the phone field on the Report form).
    You can ask us to delete your phone number at any time by emailing hello@ongrid.design. We will action the request within 7 working days. Every consent grant or withdrawal is recorded in our consent ledger as required under DPDPA §6.
  • Technical and log data: IP address, browser user-agent, request timestamps, error logs, and Cloudflare Turnstile verification tokens. We use these for security, abuse prevention, rate limiting, and debugging.

We do not knowingly collect any sensitive personal data or information ("SPDI") under Rule 3 of the SPDI Rules, 2011 — no financial information beyond the Razorpay token, no health, no biometric, no caste, no political opinion, no sexual orientation. Please do not include such data in your prompts or report submissions.

3. Why we collect it

As required by Section 5 of the DPDPA, here is the specific purpose for each category we collect:

  • Account data — to create your account, authenticate you, and let you access your work across sessions.
  • Generation data — to actually generate the image you asked for, deliver it to your account, and show it back to you in your gallery.
  • Payment data — to process credit pack purchases, issue receipts, and meet our tax-record obligations.
  • Expert Report data — to write your free 6-page PDF review, deliver it to you, and (if you do not opt out) follow up with information about Ongrid's full architecture services.
  • Technical / log data — to keep the service secure and reliable, prevent bot abuse, enforce free-tier limits, and diagnose issues.

4. Legal basis

We rely on three lawful bases under the DPDPA:

  • Consent (Section 6) — for sending you the Expert Report follow-up communications and for any marketing we do. You give consent by ticking a box; you can withdraw it at any time.
  • Performance of contract — for the things we must do to actually deliver Elevations to you (account creation, generation, payment processing, transactional email).
  • Legitimate use — for security, abuse prevention, and meeting legal and tax obligations.

5. How we use your data

  • Authenticating you and delivering the service you signed up for.
  • Generating elevation images via a third-party image model (see sub-processors below). By default all generations route through Google's Gemini API. OpenAI is engaged only when you opt in by selecting the Drawings tier.
  • Processing payments via Razorpay and issuing receipts.
  • Sending transactional email (sign-up confirmation, payment receipts, report delivery, account notices) from hello@ongrid.design via AWS SES.
  • If you have requested the Expert Report and not opted out, contacting you about Ongrid's architecture services. Every such email contains a one-click unsubscribe.
  • Aggregate analytics to improve the service. We do not run individual user tracking.
  • Detecting and preventing fraud, abuse, and security incidents.

We do not sell your personal data. We do not show third-party advertising. We do not run behavioural tracking pixels.

6. Who we share with, and cross-border transfers

We share data only with the processors we need to actually run the service. As required by Section 16 of the DPDPA, you should know that some of these processors are located outside India and your data may be transferred to and stored in jurisdictions other than India.

  • Google (Gemini API) — receives your generation prompt and configuration. Used for all image generations on the default photoreal tiers. We do not send your name, email, or any account identifier with the prompt. Processed in Google data centres globally. Per Google's paid-tier Gemini API terms, your prompts and any reference images you upload are not used to train Google's models.
  • OpenAI, L.L.C. (OpenAI API, gpt-image-2 model) — receives your generation prompt and any reference images you upload. Engaged only when you explicitly select the Drawings tier; by default no data is sent to OpenAI. We do not send your name, email, or any account identifier with the prompt. Processed in the United States. Per OpenAI's API terms, prompts and uploads sent through the API are not used to train OpenAI's models, and inputs/outputs are retained by OpenAI for up to 30 days for abuse-monitoring purposes only before being deleted. See OpenAI's privacy policy.
  • Razorpay Software Private Limited — receives payment-related data. India-based. Regulated by the Reserve Bank of India under the Payment Aggregator Guidelines.
  • Amazon Web Services (Simple Email Service) — receives the email address and the message body for any transactional email we send you. Processed in AWS infrastructure.
  • Cloudflare, Inc. — provides hosting (Pages, Workers), database (D1), object storage (R2), and bot protection (Turnstile). Processes IP, request metadata, and stored content. Global edge network.
  • Meta Platforms Ireland Ltd. — receives hashed event data (account-creation, purchase) via the Conversions API for ad-attribution. We send SHA-256 hashes of email and a rotating visitor identifier; raw email, phone, or name never leaves our infrastructure. No client-side Meta Pixel or Facebook tracker runs on this site. Processed in EU/US infrastructure.

We may also share data when we are legally compelled to by a court, the Data Protection Board of India, or a competent authority under Indian law.

7. How long we keep it

  • Account data — until you delete your account. On deletion we scrub the personally identifiable fields (email, name, phone) immediately, the moment your delete request reaches our backend; we send you a confirmation email at the address on file. Payment records remain in anonymised form for 7 years per the Income Tax Act, 1961 and CGST Act, 2017.
  • Free-tier generations — 30 days from creation, then automatically purged from R2.
  • Premium (paid) generations — kept for at least 1 year. You can delete individual sketches at any time from your gallery; we do not run a forced purge after the 1-year mark. We recommend downloading any generation you want to keep beyond a year.
  • Expert Report PDFs and submissions — kept for as long as your account exists, so you can come back to them.
  • Payment records — 7 years from the end of the financial year, as required by the Income Tax Act, 1961 and the CGST Act, 2017.
  • Server and Turnstile logs — 90 days, after which we keep only aggregated counts.

8. Your rights under DPDPA

As a Data Principal, you have:

  • Right to access (Section 11) — a summary of the personal data we hold about you and the processors we have shared it with.
  • Right to correction and erasure (Section 12) — to ask us to correct, complete, update, or erase your personal data.
  • Right to withdraw consent (Section 6(4)) — at any time, with effect going forward.
  • Right to grievance redressal (Section 13) — to raise a grievance with our Grievance Officer (see below) and, if unresolved, to escalate to the Data Protection Board of India.
  • Right to nominate (Section 14) — to nominate another individual to exercise your rights in the event of your death or incapacity. Email us to register a nominee.

9. How to exercise your rights

Email hello@ongrid.design from the address on file, with the subject line "DPDPA request — [access / correction / erasure / withdrawal / nomination]". We respond within thirty days, the timeline mandated by the DPDPA. There is no fee. We may ask you to confirm your identity before acting on the request.

10. How we keep it safe

  • Passwords are hashed with PBKDF2 using a per-user salt. We never store, log, or transmit them in plain text.
  • All traffic to and from Elevations is encrypted in transit with TLS 1.2 or higher.
  • We sit behind Cloudflare's web application firewall and use Cloudflare Turnstile to filter automated abuse.
  • Access to the production database is restricted, audited, and limited to a small set of authorised personnel.
  • If a personal data breach occurs that is likely to result in risk to you, we will notify you and the Data Protection Board of India in accordance with the DPDPA and CERT-In rules.

11. Children's data

Elevations is intended only for users aged 18 and over. We do not knowingly process the personal data of children (defined as under 18 by Section 2(f) of the DPDPA) or persons with disabilities who have a lawful guardian. If we discover that an account belongs to a child, we will close it and delete the associated data. If you believe a child has created an account, please email hello@ongrid.design and we will action the deletion immediately.

12. Cookies and tracking

Cookies and site storage. We use only the cookies needed to keep you logged in (a session cookie) and the Cloudflare Turnstile cookie that protects sign-up and payment forms from bots. We do not run client-side tracking pixels — no Google Analytics, no Facebook Pixel, no third-party JavaScript that watches what you do on the page. For ad-attribution we send hashed conversion events (account-creation, purchase) to Meta server-side via the Conversions API; raw email, phone, or name never leaves our infrastructure. See the sub-processor list in §6 for full disclosure.

For our own understanding of how the site is used, we store a random identifier (_el_vid) in your browser's local storage. It is not a cookie, contains no personal information, never leaves our servers, and is not readable by any third party. We use it only to count repeat visits and to understand which pages lead to which actions on our own site. You can clear it at any time by clearing site data in your browser, and doing so has no effect on your account or your saved work. We do not need a cookie consent banner because no non-essential cookie is set.

13. Grievance Officer

In accordance with Section 10(2)(c) of the DPDPA, the Information Technology Act, 2000, and the Consumer Protection (E-Commerce) Rules, 2020, our Grievance Officer is:

Abhishek Pramanick, Grievance Officer
M/s Utopian Fold
First Floor, Office No. 110, Skyone Building, Kalyani Nagar, Pune 411006, Maharashtra, India
Email: grievance@ongrid.design
Response window: within 30 days of receipt, as mandated by DPDPA.

If you are not satisfied with our response, you may escalate to the Data Protection Board of India under Section 13 of the DPDPA.

14. Data deletion

You can delete your account yourself: sign in, open /profile, scroll to "Permanent actions", and use Delete account. The action is immediate — your email, name, phone, and any session data are scrubbed from our database the moment you confirm. Linked OAuth records are deleted, generations are removed, and your session is invalidated across all devices.

You will receive a confirmation email at your registered address from hello@elevations.ongrid.design. If for any reason you cannot access the self-serve flow, email hello@ongrid.design from your registered address with subject line "Delete my account" and we will action it manually within seven working days.

Payment records are retained in anonymised form (no email, no name) for 7 years from the end of the financial year, as required by the Income Tax Act, 1961 and the CGST Act, 2017. We cannot delete these earlier without breaching tax law.

15. Changes to this policy

We may update this policy from time to time. Material changes will be notified to you by email and by a notice on the site at least fifteen days before they take effect. The "Effective" date at the top of this page always shows the latest version.

16. Contact

M/s Utopian Fold
First Floor, Office No. 110, Skyone Building,
Kalyani Nagar, Pune 411006, Maharashtra, India
GSTIN: 27AAGFU0108H1ZF
hello@ongrid.design