Privacy Policy
Minimal · Littlebit Labs (Indian Partnership Firm)
Effective Date: Nov 2025
Last Updated: May 2026
Version: 3.0
Our Core Privacy Promise
We do not sell your personal data. We do not share your personal data with third parties for their own marketing, profiling, or commercial purposes. Full stop.
This is not a buried clause. It is the foundational rule that governs everything else in this document. If that ever changes — it will not — we will tell you with explicit, unambiguous notice before it does.
1. Who We Are
Littlebit Labs is a partnership firm registered under the Indian Partnership Act, 1932, with its principal place of business in Coimbatore, Tamil Nadu, India, and a remote office in Bengaluru, Karnataka, India. We operate Minimal, a governed API infrastructure platform.
For the purposes of the Digital Personal Data Protection Act, 2023 (DPDPA 2023), Littlebit Labs is the Data Fiduciary for the personal data we collect from you when you use our platform.
For the purposes of the EU General Data Protection Regulation (GDPR), where applicable to EU-resident users, Littlebit Labs acts as the Data Controller for account and usage data, and as a Data Processor for personal data contained in databases you connect to the Services.
Contact for privacy matters: privacy@littlebit.in · Grievance Officer: grievance@littlebit.in
2. What Data We Collect and Why
We collect only what we need to provide and improve the Services. Here is a precise account of each category.
2.1 Account and Registration Data
What: Name, email address, organisation name, role or title, phone number (optional).
Why: To create and manage your account, communicate with you about the Services, and provide support.
Legal basis (DPDPA 2023): Consent given at registration, and legitimate use for providing the contracted service.
Legal basis (GDPR): Performance of a contract; legitimate interests.
2.2 Payment and Billing Data
What: Billing address, invoicing details, GST registration number (for Indian customers), transaction reference IDs.
What we do NOT collect: Full credit card numbers, CVV codes, or bank account credentials. These are collected and processed exclusively by our third-party payment processor directly from you.
Why: To process subscription payments, generate invoices, and maintain financial records as required by applicable law.
Legal basis (DPDPA 2023): Consent; compliance with legal obligations.
Legal basis (GDPR): Performance of a contract; compliance with legal obligations.
2.3 Usage and Technical Data
What: API call logs (method, endpoint path, HTTP response status, latency in milliseconds, timestamp), IP address, browser type and version, operating system, session identifiers, error logs.
What usage logs do NOT contain: The content of database query results, database rows, or any data returned by your API endpoints. Minimal is a stateless pass-through runtime. Query responses are delivered to the requesting client and are not persisted by us.
Why: To monitor service performance, detect and investigate security incidents, calculate API usage for billing, enforce fair use limits, and improve the Services.
Legal basis (DPDPA 2023): Consent; legitimate use.
Legal basis (GDPR): Legitimate interests (service security, performance, billing).
2.4 Communications Data
What: Emails, messages, and other communications you send to us, including support requests and feedback.
Why: To respond to your enquiries and improve our services.
Retention: Communications are retained for 2 years from the date of last interaction, unless a legal hold requires longer retention.
2.5 Database Connection Metadata
What: Database host addresses, port numbers, and database names that you configure as connections within Minimal.
What we do NOT collect: Database credentials (passwords, certificates) in recoverable form. Credentials are encrypted at rest using AES-256. We cannot read your database passwords.
Why: To establish and maintain the database connections you have authorised.
2.6 Tunnel Software Data
What: The Tunnel Software runs on your machines. It processes: the connection configuration you provide, encrypted tunnel session identifiers, and connection status signals (connected/disconnected, error codes).
What the Tunnel Software does NOT do: It does not read, copy, or transmit the contents of your local file system, browser data, or any data outside the database connections you explicitly configure.
2.7 Your Connected Databases (Customer Database Data)
The data in the databases you connect to Minimal is your data. It is not collected or stored by Littlebit Labs.
When you make an API call through Minimal, the query is forwarded to your database, the result is returned to the API client, and the result is discarded from our infrastructure. We do not cache query results. We do not index your data. We do not retain any database rows.
We are a pass-through API layer, not a data warehouse.
If your database contains personal data of your users or customers: you are the Data Fiduciary / Data Controller for that data. You are responsible for ensuring you have a lawful basis to expose it via API. Littlebit Labs is a Data Processor for such data, processing it only to the extent necessary to route API requests and responses.
3. How We Use Your Data
We use the data described in Section 2 for the following purposes:
| Purpose | Data Used |
|---|---|
| Providing and operating the Services | Account data, usage data, connection metadata |
| Processing payments and managing subscriptions | Payment and billing data |
| Security monitoring and incident response | Usage logs, IP addresses, error logs |
| Communicating with you (service notices, updates, support) | Account data, communications data |
| Improving the Services through aggregate analysis | Anonymised usage data |
| Complying with legal and regulatory obligations | All categories as required |
| Enforcing these Terms and protecting our rights | All categories as necessary |
We do not use your data to build advertising profiles. We do not use your data for behavioural advertising. We do not use your data to train AI models without your explicit consent.
4. What We Do Not Do
We do not sell your personal data. No sale, no transfer for value, no revenue-sharing arrangement with any third party based on your data.
We do not share your personal data for third-party marketing. No data brokers. No advertising networks. No third-party profiling.
We do not use your data to train AI or machine learning models without your explicit, separately given consent.
We do not share your Customer Database Data with any party. The contents of your connected databases do not leave the request-response cycle.
We do not use your data for any purpose not described in this Policy without giving you prior notice and, where required by law, obtaining your consent.
5. Data Sharing — The Narrow Exceptions
We do not sell or share your data for commercial purposes. We do share it in the following strictly limited circumstances:
5.1 Subprocessors. We use a small number of third-party service providers ("Subprocessors") to operate the Services. Each processes your data only on our instruction, under written contracts that impose equivalent privacy and security obligations.
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider (e.g., AWS, GCP, or DigitalOcean) | Hosting Minimal's cloud infrastructure | US / EU / India |
| Payment processor (e.g., Stripe, Razorpay) | Subscription billing | US / India |
| Email service provider | Transactional emails and notifications | US / India |
| Error monitoring service | Application error tracking | US / India |
We will update this list when Subprocessors change and will notify you of material changes.
5.2 Legal Requirements. We may disclose your data if required by applicable law, court order, government authority, or regulatory body. Where legally permitted, we will notify you before complying and will cooperate in seeking a protective order.
5.3 Protection of Rights. We may disclose data where necessary to prevent or detect fraud, protect the security of the Services, enforce these Terms, or protect the rights and safety of Littlebit Labs, other users, or the public.
5.4 Business Transfer. If Littlebit Labs is restructured, acquires another business, or transfers its assets, your data may be transferred as part of that transaction. We will notify you 30 days in advance and, if required by applicable law, seek your consent.
6. Data Retention
We retain your data only as long as necessary for the purpose for which it was collected, or as required by applicable law.
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 3 years after closure |
| Payment and billing records | 8 years (Indian tax compliance requirement) |
| API usage logs (metadata only) | 12 months rolling |
| Support communications | 2 years from last interaction |
| Database connection metadata | Deleted within 30 days of connection removal or account closure |
| Activity log data | 90 days rolling within the platform; deleted upon account closure |
When retention periods expire, data is securely deleted or irreversibly anonymised. We do not archive personal data indefinitely.
7. Data Security
We implement technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction:
- Database credentials are encrypted at rest using AES-256 encryption.
- Data in transit is protected using TLS 1.2 or higher. The Services support mTLS for service-to-service communication.
- Access to production systems is restricted to authorised Littlebit Labs personnel and is subject to access logging.
- We conduct periodic reviews of security controls and practices.
- In the event of a personal data breach likely to cause risk to data principals, we will notify affected users and, where required, the appropriate data protection authority within the timeframes required by applicable law (72 hours under GDPR; as prescribed under DPDPA 2023).
No system is perfectly secure. We cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
8. Cookies and Tracking
Our website and Minimal Studio use a limited set of cookies:
| Cookie Type | Purpose | Can be disabled? |
|---|---|---|
| Strictly necessary | Session management, authentication, CSRF protection | No — required for the Services to function |
| Analytics (if used) | Aggregate, anonymised usage measurement | Yes — via cookie preferences |
| Preference | Saving your UI preferences | Yes |
We do not use third-party advertising cookies. We do not use tracking pixels for behavioural advertising.
9. International Data Transfers
Littlebit Labs is based in India. If you access the Services from the European Union, European Economic Area, the United Kingdom, or other jurisdictions with data transfer restrictions, your data may be transferred to and processed in India and in the locations of our Subprocessors.
For EU/EEA/UK users: Transfers occur under:
- Standard Contractual Clauses (SCCs) approved by the European Commission, or
- Other transfer mechanisms recognised under applicable EU data protection law.
You may request details of our transfer mechanisms at privacy@littlebit.in.
For US users: Data is processed in accordance with this Policy. We do not transfer your data to jurisdictions with inadequate data protection without appropriate safeguards.
10. Your Rights Under DPDPA 2023 (India)
If you are a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:
Right to access information: You may request a summary of the personal data we hold about you and the purposes for which it is being processed.
Right to correction and erasure: You may request correction of inaccurate or incomplete personal data, and erasure of personal data that is no longer necessary for the purposes for which it was collected, subject to our legal retention obligations.
Right to grievance redressal: You may raise a grievance about our processing of your personal data with our Grievance Officer (see Section 14). We will acknowledge within 24 hours and resolve within 15 days.
Right to nominate: You may nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
Right to withdraw consent: Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise these rights, contact: privacy@littlebit.in
11. Your Rights Under GDPR (EU/EEA/UK Users)
If you are located in the EU, EEA, or UK, you have the following rights under the GDPR (or UK GDPR):
Right of access: Request a copy of your personal data and information about how it is processed.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): Request deletion of your data where there is no compelling reason for continued processing.
Right to restriction: Request that we restrict processing in certain circumstances.
Right to data portability: Receive your data in a structured, machine-readable format and, where technically feasible, have it transferred to another controller.
Right to object: Object to processing based on our legitimate interests. You have an absolute right to object to direct marketing.
Right not to be subject to automated decision-making: We do not make solely automated decisions with legal or similarly significant effects on you.
Right to lodge a complaint: You have the right to lodge a complaint with the supervisory authority in your EU/EEA member state, or with the UK Information Commissioner's Office (ICO) for UK users.
To exercise these rights, contact: privacy@littlebit.in. We will respond within 30 days. Complex requests may take up to 90 days, with notice to you.
12. Children's Privacy
The Services are not intended for use by children under 18 years of age. We do not knowingly collect personal data from children under 18. Where required by applicable law (including DPDPA 2023 for users under 18, and COPPA for US users under 13), processing of children's data requires verified parental consent.
If you believe we have inadvertently collected data from a child, contact privacy@littlebit.in and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Email you at the address associated with your account, and
- Display a prominent notice on the Services
at least 15 days before the changes take effect, or longer if required by applicable law.
Your continued use of the Services after the effective date of the revised Policy constitutes your acceptance. If you do not agree, you must stop using the Services and may request deletion of your account.
14. Contact and Grievance Redressal
For privacy requests, data rights, and general enquiries: privacy@littlebit.in
Grievance Officer (as required under DPDPA 2023 and IT Rules 2011):
Harish S S
Partner, Littlebit Labs
Coimbatore, Tamil Nadu, India
Acknowledgement within: 24 hours · Resolution within: 15 days
Registered office:
Littlebit Labs
Coimbatore, Tamil Nadu, India
Littlebit Labs is committed to handling your data with honesty, transparency, and respect. If anything in this Policy is unclear, email us and we will explain it in plain language.