Privacy Notice — PrivacyTru Consulting LLP

Last updated: September 28, 2025

This document constitutes the Privacy Notice of PrivacyTru and is provided in accordance with the Digital Personal Data Protection Act, 2023 (India), the General Data Protection Regulation (EU) and UK GDPR, the California Consumer Privacy Act (as amended by the CPRA), and other applicable data protection and privacy laws and regulations. PrivacyTru Consulting LLP (“Company”) is the licensed owner and operator of the platform PrivacyTru (www.privacytru.com) and acts as the data fiduciary/controller with respect to the processing of your Personal Data.

We respect your privacy and are committed to being transparent about the Personal Data we collect, how we use it, and the rights you have as a data subject/principal. We collect only what is necessary to provide consulting, training and AI governance services; we protect it, explain why we process it, and give you clear rights and controls. If you decline to provide data that is required for a service, we may not be able to provide that service.

Privacy at a glance

What this means: limited collection, clear lawful bases, strong security, global compliance, and easy ways to exercise your rights.

Promise / How we deliver:

  • Collect only necessary data: data minimisation; documented retention periods.
  • Consent where required: logged consent ledger with timestamps.
  • Global compliance: DPDPA, GDPR, CCPA/CPRA and equivalent safeguards.
  • No sale of personal data: we never sell personal data.
  • Protection by design: encryption, MFA, access controls, incident response playbook.
  • Extra care for minors: no processing of under-18s' data without verified parental consent.

1. Who is collecting the information?

Collector: PrivacyTru Consulting LLP (India LLP)

Scope: This notice covers website visitors, clients (prospective/current/former), employees, job applicants, event participants, newsletter subscribers, and business contacts worldwide.

2. Who this notice applies to

Applies to individuals whose personal data we process in the course of providing our services or running our business. We apply the strictest applicable rule across jurisdictions: no processing of personal data for persons under 18 without verified parental consent.

Jurisdictional age thresholds:

  • India (DPDPA): under 18 – verifiable parental/guardian consent required.
  • EU/UK (GDPR): between 13 and 16 depending on member state (13 in the UK); parental consent as applicable.
  • California (CCPA/CPRA): under 16 – opt-in consent required before sale or sharing of personal information (parental consent for under-13s).

3. What information we collect (direct & indirect)

We follow data minimisation: only data necessary for legitimate purposes.

Directly collected:

  • Identity & professional: name, title, company, business email, business phone, LinkedIn.
  • Communications: emails, consultation notes, recorded calls (only with consent).
  • Contract & service data: project briefs, contracts, invoices, training records.
  • Employment: CV, qualifications, references (where lawful).

Automatically / indirectly collected:

  • Technical & security: IP address, browser, session identifiers, timestamps.
  • Minimal analytics (anonymised where possible): pages visited, session duration.

Sensitive categories (only where strictly necessary and with explicit consent):

  • Payment information (for billing), government-issued IDs (for verification), health data (for specific compliance projects).

We do NOT collect: precise location tracking, cross-site behavioural tracking, social-media surveillance for ad targeting, or third-party advertising identifiers.

4. Legal bases for processing & purposes

We rely on the appropriate lawful basis for each activity and document that basis in our Record of Processing Activities (RoPA).

Legal bases we rely on (mapped to the relevant framework; under the DPDPA only consent and the legitimate uses in Section 7 apply):

  • Contract: to perform services you requested.
  • Consent: marketing, newsletters, sensitive processing, profiling where required. Consent is freely given, specific, informed, and withdrawable.
  • Legitimate interests (GDPR Article 6(1)(f)) / legitimate uses (DPDPA Section 7): limited administrative tasks, security, fraud prevention, business continuity, balanced against individual rights.
  • Legal obligation: accounting, tax, regulatory reporting, responding to lawful requests.

We operate under multiple legal frameworks, applying the highest applicable standard globally. Jurisdiction, legal basis and description:

  • India (DPDPA): consent, or legitimate uses under Section 7. Consent must be free, specific, informed, unconditional and unambiguous.
  • EU/UK (GDPR): consent, contract, legal obligation, vital interests, public interest, or legitimate interests, the six lawful bases of Article 6(1).
  • California (CCPA/CPRA): processing for business purposes disclosed at collection, with opt-in consent where the law requires it (for example, sale or sharing of a minor's personal information).

Primary purposes:

  • Deliver consulting, training, and AI governance services.
  • Manage contractual and billing obligations.
  • Communicate about engagements and events.
  • Improve services via anonymised analytics.
  • Maintain security and meet legal obligations.

Effects if you don’t provide data: we may be unable to enter into a contract, provide services, or respond to requests. We will explain consequences at collection points.

5. Automated decision-making & profiling

Where we use automated decision-making or profiling that produces legal or similarly significant effects, we will:

  • Explain the logic involved, the significance, and the likely consequences.
  • Provide options for human review and challenge.

For most engagements we act as a controller/fiduciary for our own internal processing and as a processor for client-controlled projects; details and roles will be specified in client contracts.

6. How long we keep data (retention)

We retain personal data only as long as necessary for the purposes stated and to satisfy legal, tax, or contractual obligations.

Typical retention periods:

  • Enquiries / initial contacts: 12 months.
  • Client contracts & account records: up to 8 years (or as required by applicable law).
  • Employment records: per local employment laws.
  • Marketing lists: until consent withdrawn; removed within 30 days of withdrawal.
  • Security logs: short-term for operational needs unless required for investigations or legal holds.

At the end of retention, data is deleted or irreversibly anonymised.

7. How we share data & international transfers

We do not sell personal data.

Categories of recipients:

  • Service providers/subprocessors: hosting, email, payments, analytics (privacy-respecting). Contracts and DPAs in place.
  • Professional advisors: legal, audit, accounting; bound by confidentiality.
  • Authorities: courts, regulators, law enforcement as legally required.

International transfers: Where personal data is transferred outside your jurisdiction, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs), adequacy decisions, or documented Transfer Impact Assessments with contractual safeguards. For transfers to higher-risk jurisdictions we apply enhanced due diligence.

Subprocessor transparency: We maintain a current subprocessor list and will notify clients of material additions; an objection window will be provided where legally required.

8. Security measures

We implement reasonable technical and organisational measures proportionate to risk, including but not limited to:

  • HTTPS/TLS for data in transit.
  • Encryption at rest (industry standard).
  • Multi-Factor Authentication (MFA) for privileged access.
  • Role-based access and least privilege.
  • Regular patching, vulnerability scanning, and logging.
  • Periodic staff training and contractual NDAs.
  • Vendor due diligence and DPAs.
  • Incident response plan with containment, assessment, notification timelines, and regulatory reporting where required.

We perform periodic security reviews and tabletop exercises; summaries of audit outcomes are available to clients under NDA or on request.

9. Your rights & how to exercise them

You have the right to: access, correct, delete, restrict processing, object to processing, data portability (where applicable), withdraw consent, and lodge a complaint with a supervisory authority.

Regional specifics:

  • India: nominate a person to exercise your rights in the event of death or incapacity; grievance redressal.
  • EU/UK: data portability and the right to lodge a complaint with your national supervisory authority (the EDPB publishes the list of EU authorities; the ICO for the UK).
  • California: opt out of sale/sharing, limit use of sensitive personal information, and non-discrimination for exercising your rights.

How to submit a request: Email dpo@privacytru.com with: your name, relationship to PrivacyTru, specific request, and proof of identity as described below. We will acknowledge within 48 hours and respond substantively within 30 days (extensions where permitted by law). Emergency requests receive faster acknowledgement during business hours.

DSAR verification: To protect privacy, we verify requesters. Verification may require a government ID copy (redact non-essential details where possible) or secure electronic verification. We will specify any required verification steps when you submit a request.

10. Consent capture, proof & withdrawal

Where consent is required:

  • We capture explicit opt-in (no pre-ticked boxes) with purpose-specific options.
  • Consent records include timestamp, source (web/form/phone), notice version, and what was agreed to.
  • We keep a consent ledger linked to data flows so we can provide proof.
  • You can withdraw consent at any time via the same channel or by contacting dpo@privacytru.com. Withdrawal takes effect without undue delay and in any case within 30 days; it does not affect the lawfulness of processing carried out before withdrawal, and we will stop the consent-based processing unless another lawful basis applies.

11. Cookies & similar technologies

We use essential cookies required for site functionality. Our cookie banner provides granular options (essential, preferences, analytics, marketing); analytics and marketing cookies are set only after you opt in. You can change your preferences at any time via the cookie settings link or our privacy dashboard.

Full details are in our Cookie Policy (link).

12. Grievance resolution & supervisory contacts

Internal process:

  1. Contact DPO / Grievance Officer: grievance@privacytru.com.
  2. Acknowledgement: within 48 hours. Substantive resolution: within 30 days. Internal appeal: 15 days after decision.

Supervisory authorities:

13. Contact details

  • DPO: dpo@privacytru.com
  • Grievance Officer: grievance@privacytru.com
  • General privacy queries: privacy@privacytru.com
  • DPO postal address: PrivacyTru Consulting LLP, GF-17, Ground Floor, Doon Square, IT Park, Sahastradhara, Dehradun, Uttarakhand 248001, India.
