1. Introduction
This Privacy Policy explains how Privacy Labs ("Privacy Labs", "we", "our", "us") collects, uses, and protects your personal data when you use our website (theprivacylabs.com), our DPDP Compliance Platform, or any of our services (collectively referred to as the "Services").
By accessing or using any part of our Services, you acknowledge that you have read and understood this Privacy Policy and agree to the practices described herein. If you do not agree to this Privacy Policy, please do not access or use the Services.
Privacy Labs' approach to privacy is guided by three key principles: our policies are clear and easy to understand, our data practices are simple and secure, and we aim to meet the reasonable expectations of our users.
2. Information We Collect
Privacy Labs collects personal and technical information to deliver and improve our services, fulfill our contractual obligations, support user requests, ensure security, and meet regulatory requirements.
a. Information You Provide to Us
We collect personal information when you choose to interact with Privacy Labs:
- Account Registration: Name, company name, business email address, job title, phone number, and password (hashed).
- Demo Requests: When you book a demo through our website, we collect your name, email address, company name, and website URL. We also store a hashed version of your IP address for rate limiting and fraud prevention purposes.
- Customer Support: Content of your communications along with your contact information.
- Billing and Payment: Billing information such as name, billing address, and transaction data. We do not store payment card details on our servers.
- DSR and Grievance Submissions: If you submit a Data Subject Request or grievance, we collect your name, email, phone, and details of your request.
b. Information We Collect Automatically
When you access or use our Services, we may automatically collect:
- Session Information: Browser type and basic device information to ensure compatibility.
- Cookies: We use essential cookies to maintain your session and preferences. You can manage cookie preferences through our consent banner.
c. Data We Process on Behalf of Customers
As part of delivering our Services, Privacy Labs may process personal data on behalf of our customers—for example, consent records, DSR requests, grievances, and data discovery outputs. In these instances, Privacy Labs acts as a Data Processor, not a Data Fiduciary. We process such information strictly in accordance with our customer's instructions and applicable data protection laws.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: Enabling access to our platform, maintaining your account, and delivering features.
- Service Improvement: Improving and enhancing our Services, including development of new features.
- Communications: Sending operational messages, account alerts, system updates, and newsletters (with consent).
- Customer Support: Responding to inquiries and providing technical support.
- Analytics: Performing analytics to evaluate performance, identify trends, and optimize functionality.
- Legal Compliance: Complying with legal obligations under the DPDP Act 2023 and other applicable laws.
- Security: Preventing misuse, fraud, and security threats.
4. Who We Share Information With
We may share your personal information in the following circumstances:
- Service Providers: Third-party providers who perform functions on our behalf (cloud hosting, email services, analytics). They are contractually bound to handle information securely.
- Legal Compliance: When required by law, regulation, or legal proceedings.
- With Your Consent: When you explicitly authorize sharing.
We do not sell your personal data to third parties.
5. Legal Basis for Processing
Under the Digital Personal Data Protection Act, 2025 (DPDP Act), we process your personal data based on:
- Consent: Where required, we obtain your clear and informed consent before processing. You may withdraw consent at any time.
- Contractual Necessity: Processing necessary to fulfill our contractual obligations to you.
- Legitimate Interests: Processing for our legitimate business interests, provided it does not infringe upon your rights.
- Legal Obligations: Processing required to comply with applicable laws.
6. Your Rights Under DPDP Act 2023
You have the following rights regarding your personal data:
- Right to Access: Request confirmation about whether we process your personal data and access a copy.
- Right to Correction: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data, subject to legal retention requirements.
- Right to Withdraw Consent: Withdraw consent at any time. This will not affect the lawfulness of processing before withdrawal.
- Right to Grievance Redressal: File a complaint if you believe your privacy rights have been violated.
- Right to Nominate: Nominate someone to exercise your rights on your behalf.
To exercise any of these rights, please submit a request at: theprivacylabs.com/privacylabs/dsr
7. Data Security
Privacy Labs implements robust security practices to protect your personal data:
- Encryption: All personal data is encrypted at rest using AES-256-GCM and in transit using TLS.
- Access Controls: Role-based access controls (RBAC) with multi-factor authentication.
- Hashing: Passwords are hashed with bcrypt. IP addresses and lookup fields are hashed with SHA-256.
- Audit Logging: Immutable audit logs with SHA-256 integrity hashing.
- Monitoring: Continuous security monitoring and threat detection.
8. Data Retention
We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy:
- Account Data: Retained while your account is active, plus 90 days after deletion.
- Consent Records: Retained for at least 1 year as required by the DPDP Act.
- Audit Logs: Retained for 7 years for compliance purposes.
- DSR/Grievance Records: Retained for the duration required by law, then securely deleted.
9. Cookies and Tracking
We use cookies and similar technologies to:
- Recognize and authenticate your session
- Store your preferences and settings
- Analyze usage patterns to improve our Services
- Support security functions
You can manage your cookie preferences through our consent banner or your browser settings. Disabling cookies may impact the functionality of certain features.
10. Children's Privacy
Our Services are intended for use by individuals who are 18 years of age or older. We do not knowingly collect personal information from children under 18. If we become aware that we have collected such information, we will take steps to delete it promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes, we will revise the "Last Updated" date at the top of this page. If we make material changes, we will provide additional notice via email or through the platform.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how your personal data is handled, please contact us: