Last updated · 09 May 2026 · Version 2.0
Privacy Policy
This policy explains what personal data Dezynum Software Services (OPC) Private Limited collects when you interact with this website or engage us as a client, how we use that data, who we share it with, where we store it, and the rights you can exercise under Indian, European, and US privacy law.
1. Scope of this Policy
This Privacy Policy (“Policy”) applies to:
- Your use of www.dezynum.com and any Dezynum-operated subdomain (the “Website”);
- Forms you submit to us — including the contact form, request-for-proposal form, careers form, and any newsletter or marketing sign-up;
- Email, phone, and messaging exchanges you have with our sales, delivery, operations, or support teams; and
- Engagements where Dezynum is acting as a data controller in respect of your personal data — primarily our prospect, client-relationship, and vendor records.
When Dezynum processes personal data on behalf of a client — for example, as part of delivering a software engineering, cloud migration, or data engineering engagement — we act as a data processor for that client and our obligations are governed by the data-processing addendum in the relevant Master Services Agreement, not by this Policy. Contact your engagement partner if you need the data-processing addendum for an active engagement.
2. Who we are and how to reach us
Dezynum Software Services (OPC) Private Limited (“Dezynum,” “we,” “us,” or “our”) is a One Person Company incorporated under the Companies Act, 2013 (India), with Corporate Identification Number U62099HR2024OPC125884.
For any question about this Policy or any request to exercise your rights:
Dezynum Software Services (OPC) Private Limited
Attn: Grievance Officer / Data Protection Contact
Email: privacy@dezynum.com
Alternative email: info@dezynum.com
Phone: +91 888–208–2228
Under Section 8(9) of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) we will acknowledge a grievance within seven (7) working days and resolve it within thirty (30) days. If you are not satisfied with our response you may approach the Data Protection Board of India. Contact details for the Board are published at meity.gov.in.
3. The personal data we collect
We collect the categories of data described below. We have tried to be specific: the categories below are the actual ones our systems record, not a generic template.
3.1 Information you provide directly
- Contact and identity data — full name, work email, personal email (if you choose to supply it), phone number, company name, job title, country, time zone, and any free-text you write into “message” or “project notes” fields.
- Request-for-proposal data — the project description, indicative budget range, target timeline, technology preferences, and any attachments you upload through the RFP form.
- Career application data — CV/résumé, portfolio links, employment history, references you supply, and the notes you add about role interest or compensation expectations.
- Marketing-subscription data — your email address plus the topics or formats you opted into.
- Engagement data — for active clients, the operational contact details, billing contacts, signed agreements, statements of work, project artefacts, and meeting minutes that arise during delivery.
- Communications — the content of emails, calls (where recorded with consent), Slack/Teams/WhatsApp messages, and any other correspondence between you and a Dezynum team member.
3.2 Information collected automatically
- Server logs — truncated IP address, request URL, HTTP method, response status, user agent string, referrer URL, and timestamp.
- Analytics events — page views, time on page, scroll depth, click events on calls-to-action, navigation paths, device class (desktop/mobile/tablet), browser family and version, operating system family and version, screen resolution, and a pseudonymous Google Analytics 4 client identifier.
- Anti-bot signals — we run Google reCAPTCHA on form submissions; reCAPTCHA collects hardware and software information (such as device and application data) and sends it to Google to provide its bot-detection service.
- Performance and error data — uncaught JavaScript errors, Core Web Vitals (LCP, INP, CLS), and similar signals used to keep the site healthy.
3.3 Information we receive from third parties
- Recruiters and references — for career applications, background-check vendors and named references may supply information about you with your authorisation.
- Business-intelligence data — for prospect outreach, we may consult publicly available business databases (such as company filings, LinkedIn public profiles, or industry directories) to confirm professional titles and contact information.
- Authorised representatives — when someone at your organisation provides your details to us as a point of contact for an engagement.
3.4 Sensitive personal data
We do not solicit sensitive personal data (race, religion, political beliefs, health, genetic, biometric, sexual orientation, financial account numbers, or government identifiers) through any form on this Website. Please do not include such data in free-text fields. If you transmit it to us unsolicited we will delete it on detection, except where a specific engagement makes processing it necessary and a separate written agreement covers it.
4. Why we process your data and on what legal basis
For every category below we identify the purpose, the categories of data involved, and the legal basis under the DPDP Act and the EU/UK GDPR. If you are in the EEA, UK, or Switzerland, the GDPR basis is the operative one for you. If you are in India, the DPDP Act basis is operative.
4.1 Responding to your enquiry and proposing services
Data: contact, identity, RFP data, communications.
GDPR basis: Art. 6(1)(b) — steps prior to entering a contract at your request; Art. 6(1)(f) — our legitimate interest in qualifying and pursuing business opportunities, balanced against your interests.
DPDP basis: consent or, where you have approached us first, the legitimate use under Section 7(a) of the Act (you having voluntarily provided data for a specified purpose).
4.2 Delivering an active engagement
Data: engagement data, communications, and any data the engagement requires.
GDPR basis: Art. 6(1)(b) — performance of our contract with you or your employer.
DPDP basis: consent or contractual necessity under Section 4 of the Act.
4.3 Operating and improving the Website
Data: server logs, analytics events, performance and error data, anti-bot signals.
GDPR basis: Art. 6(1)(f) — legitimate interest in measuring, securing, and improving our online presence, balanced against your right to a private browsing experience. We use IP anonymisation and short retention windows to reduce impact.
DPDP basis: consent obtained via the cookie banner, where applicable, and the legitimate use of Section 7(b) for ensuring the integrity and availability of the service.
4.4 Marketing communications
Data: contact data, marketing-subscription data.
GDPR basis: Art. 6(1)(a) — your consent. You can withdraw consent at any time through the unsubscribe link in every marketing email or by emailing the Grievance Officer.
DPDP basis: consent under Section 6 of the Act.
4.5 Recruitment
Data: career application data, references, background-check results.
GDPR basis: Art. 6(1)(b) — pre-contractual steps; Art. 6(1)(f) — legitimate interest in evaluating fit.
DPDP basis: consent given when you submit the application.
4.6 Compliance and legal obligations
Data: any of the above, as required.
GDPR basis: Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interest in defending claims.
DPDP basis: Section 7(c) — compliance with a legal duty.
4.7 Security and abuse prevention
Data: server logs, anti-bot signals.
GDPR basis: Art. 6(1)(f) — legitimate interest in protecting our systems and users from fraud, scraping, denial-of-service, and credential-stuffing.
DPDP basis: Section 7(b) — ensuring service integrity.
5. Automated processing and AI features
Dezynum operates AI-assisted internal tools to draft blog content and generate author portraits for our editorial system. The following points apply to your data in connection with those tools:
- We do not feed visitor or client personal data into a public LLM prompt. The AI drafting tools work on internal editorial prompts and do not include your contact, RFP, or engagement data in the prompt sent to the model providers.
- Author portraits shown on blog posts are synthetic. They are generated images, not photographs of real individuals, and are not used to infer or render any visitor’s likeness.
- No solely-automated decision with legal or similarly significant effect. Decisions about engaging with you as a prospect, hiring you, or pricing an engagement are taken by humans. We do not use solely-automated decision-making within the meaning of GDPR Art. 22.
- Model providers we use for content drafting (when active): Anthropic, OpenAI, Google (Gemini), xAI (Grok), Stability AI, depending on operator configuration. Each is bound by its provider terms; none of them receives personal data about you through these tools.
If you ever interact with a Dezynum-deployed AI assistant on a client engagement (for example, an internal copilot we build for a client), processing is governed by the engagement’s data-processing addendum, not by this Policy.
6. Cookies and similar technologies
A cookie is a small text file placed on your device that lets a website recognise your browser. Some of what we set are first-party (set by Dezynum) and some are third-party (set by a service we embed). The table below lists every cookie or similar identifier this Website uses:
| Name | Set by | Purpose | Duration |
|---|---|---|---|
| payload-token | Dezynum (first-party) | Admin authentication. Only set for staff who log into the CMS at /admin. Not used on public pages. | Session / 2 hours |
| _ga, _ga_* | Google Analytics 4 (third-party) | Distinguishes unique visitors and sessions; powers traffic analytics. IP anonymisation is enabled. | Up to 2 years |
| _GRECAPTCHA | Google reCAPTCHA (third-party) | Bot detection on form submissions to prevent scraping, fraud, and automated abuse. | Up to 6 months |
You can manage cookies through your browser settings, refuse non-essential cookies via our cookie banner where one is shown, and erase any cookie at any time. Blocking the essential payload-token cookie will stop the admin panel from working but will not affect public browsing.
7. How we share and disclose data
We do not sell your personal data and we do not let third parties run their own advertising trackers on this Website. We share data only in the following circumstances:
7.1 Sub-processors that help us run the firm
The table below names the categories of vendors we engage and what they receive. Specific vendors within each category may change; we keep this list current and maintain a more granular vendor register internally that we will share on request from a regulator or, in summary form, on request from an enquirer with a legitimate interest.
| Category | Representative vendor(s) | Data received |
|---|---|---|
| Cloud hosting and CDN | Vercel, Cloudflare, AWS | Server logs, request data, cached static assets |
| Database hosting | Neon / managed PostgreSQL provider | All form submissions, engagement records |
| Transactional & marketing email | Google Workspace (Gmail), Zoho Mail | Email addresses, message contents |
| Analytics | Google Analytics 4, Google Search Console | Pseudonymous IDs, page events, anonymised IP |
| Anti-abuse | Google reCAPTCHA | Device and interaction signals |
| Payments and invoicing | Razorpay, Wise, banking partners | Billing contacts and transaction metadata |
| Productivity and collaboration | Google Workspace, Microsoft 365, Slack, Notion | Engagement-related documents and messages |
| AI text and image providers | Anthropic, OpenAI, Google AI Studio, xAI, Stability AI | Internal editorial prompts (no visitor PII) |
| Professional advisors | Auditors, tax, legal, insurance brokers | Strict need-to-know basis |
7.2 Authorities and legal proceedings
We disclose data to courts, tribunals, law-enforcement authorities, tax authorities, and regulators where we are legally compelled or where doing so prevents fraud or protects life. We resist over-broad requests and consider the least-data principle when complying.
7.3 Corporate transactions
If Dezynum is acquired, merges, restructures, sells assets, or carries out a comparable transaction, data may be transferred as part of that transaction. We will require the recipient to honour this Policy or give you notice and a meaningful chance to object before reuse for a materially different purpose.
7.4 With your consent or at your direction
We share data with any party you specifically ask us to, for example a referral partner you nominate or a reference you supply for a job application.
8. International data transfers
We are headquartered in India and run operations across India, North America, and EMEA. Personal data we collect may therefore be transferred to and processed in jurisdictions outside your country of residence, including jurisdictions whose data-protection laws differ from yours.
Where we transfer data out of the EEA, UK, or Switzerland, we rely on one of:
- An adequacy decision recognised by the European Commission / UK ICO / Swiss FDPIC;
- The European Commission’s Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum, executed with the recipient;
- The EU-US Data Privacy Framework where the recipient is certified and the data flows are in scope;
- Other appropriate safeguards under Art. 46 GDPR.
Where we transfer data out of India we comply with the cross-border rules notified under Section 16 of the DPDP Act as they enter into force, including any restricted-jurisdiction list issued by the Central Government.
You can request a copy of the safeguard in force for a specific transfer by emailing the Grievance Officer.
9. How long we keep your data
We hold data only as long as we need it to provide what you asked for, run the firm, defend our rights, and meet a legal obligation. Indicative retention periods follow; the longer period applies if a legal obligation requires it.
| Category | Default retention |
|---|---|
| Contact / RFP submissions that do not become a client | 24 months from last contact |
| Client engagement records and project artefacts | 8 years after engagement close (Indian tax + statute of limitations) |
| Invoicing, accounting, and tax records | 8 years (Section 44AA, Income-tax Act, 1961) |
| Career application data of unsuccessful candidates | 12 months, unless you ask us to keep it longer |
| Marketing subscriptions | Until you unsubscribe + 6 months for suppression-list |
| Analytics events and pseudonymous IDs | 14 months in Google Analytics 4 (default) |
| Server logs | 90 days |
When retention expires we delete or anonymise the data. Anonymised data is no longer treated as personal data under this Policy.
10. Your rights
The rights you can exercise depend on which jurisdiction’s law applies to you. We will honour the most protective set you are entitled to. The jurisdiction-neutral rights are:
- Access — obtain a copy of the personal data we hold about you and information about how we use it.
- Correction — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your data, subject to legal retention obligations.
- Portability — receive a machine-readable copy of data you gave us and ask us to send it to another controller where technically feasible.
- Restriction — ask us to stop processing while a dispute is resolved.
- Objection — object to processing based on legitimate interests, including direct marketing.
- Withdrawal of consent — withdraw any consent you gave; does not affect processing already done.
- Complain — lodge a complaint with the Data Protection Board of India, the EEA Supervisory Authority of your habitual residence, the UK ICO, the Swiss FDPIC, the California Privacy Protection Agency, or another competent regulator.
To exercise any of these rights, email privacy@dezynum.com. We will verify identity proportionate to the sensitivity of the request and respond within the statutory window (30 days under DPDP and GDPR; 45 days under CCPA/CPRA, with a 45-day extension where permitted).
We will not discriminate against you for exercising any privacy right. We will also not charge a fee unless the request is manifestly unfounded or excessive, in which case we will tell you the basis for the fee.
11. Region-specific notices
11.1 India (DPDP Act 2023)
If you are a Data Principal in India: we collect, process, and retain personal data only for lawful purposes for which you have provided consent or for which a legitimate use under Section 7 applies. The Grievance Officer above is also our named contact for DPDP enquiries. You may complain to the Data Protection Board of India if we do not resolve your grievance within thirty (30) days.
11.2 EEA, UK, and Switzerland (GDPR / UK GDPR / Swiss FADP)
If you are a Data Subject in the EEA, UK, or Switzerland: the legal-basis table in Section 4 sets out the GDPR / UK GDPR / FADP basis for each purpose. You have the right to lodge a complaint with the Supervisory Authority of your habitual residence, place of work, or place of the alleged infringement. Dezynum has not appointed an Art. 27 GDPR representative in the EU/UK at this time; any complaint may be directed to the Supervisory Authority of your habitual residence or to the Grievance Officer above. We will update this section if a representative is appointed.
11.3 California (CCPA / CPRA)
If you are a California resident:
- In the preceding twelve months we have not sold and have not shared personal information within the meaning of the CCPA/CPRA. We have collected the categories listed in Section 3 and used them for the purposes listed in Section 4. We have disclosed the categories listed in Section 3 to the vendor categories listed in Section 7.1.
- You have the right to know, to delete, to correct, to limit use of sensitive personal information, and to non-discrimination. To exercise any of these rights, email privacy@dezynum.com.
- You may also designate an authorised agent to make a request on your behalf; we will ask the agent for written proof of authorisation and may ask you to verify the request directly.
- We do not knowingly collect personal information of California residents under sixteen (16) without authorisation.
12. Children’s data
Our services are not directed to anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact privacy@dezynum.com and we will delete it promptly. For the GDPR, the threshold is the age applicable in your Member State (between 13 and 16, depending on jurisdiction).
13. How we secure your data
We take security seriously. Our control set is documented in our internal information-security policy and reviewed annually. Highlights:
- TLS 1.2+ in transit for every page and form on this Website. HSTS is enabled.
- Encryption at rest for production databases and object storage.
- Principle of least privilege on internal systems. Single sign-on with mandatory multi-factor authentication on every Dezynum account.
- Quarterly access review and immediate revocation on team departures.
- Audit logging on the CMS for content, user, and permission changes.
- Vendor due diligence before onboarding new sub-processors, including review of their security and privacy documentation.
- Incident-response runbook with a 72-hour notification target where the law requires us to notify regulators or affected individuals.
No method of transmission or storage is one-hundred-percent secure. Where a compromise occurs and is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authority within statutory timelines (72 hours under GDPR; statutory timelines under the DPDP Act once notified).
14. Direct marketing and your choices
With your consent we may send you marketing email about Dezynum services, research, and events. You can opt out at any time using the unsubscribe link in the footer of any marketing email, by replying with the word STOP, or by emailing the Grievance Officer. Withdrawing consent does not affect operational and transactional emails about engagements you have with us, security notifications, or this Policy itself.
15. Third-party links and embeds
Our Website links to third-party sites and may embed third-party content (for example, a video player or a code-repository snippet). We are not responsible for third-party practices. Before sharing personal data on a third-party page, review that party’s privacy notice.
16. Changes to this Policy
We may update this Policy as our practices, the technology we use, or applicable law evolves. The “Last updated” date at the top of this page shows when this Policy last changed. Material changes will be announced through a prominent banner on the Website and, where appropriate, by direct email to active clients. Continued use of the Website or our services after the effective date of an updated Policy constitutes acceptance of the change.
17. Reaching us
We treat every privacy question seriously and try to make a real human available. If you cannot resolve a concern with privacy@dezynum.com, write to the Grievance Officer at the same address with the subject line “DPDP / GDPR Grievance – [your subject]” and we will assign a named owner inside Dezynum to your case within seven (7) working days.