What personal data does Scyverge collect?

Scyverge collects only the personal data necessary to provide cybersecurity services, including contact information, project scope details, and communication records. We do not sell or share personal data with third parties for marketing purposes.

How does Scyverge protect my data?

Scyverge protects client data using encryption at rest and in transit, strict access controls, regular security assessments, and compliance with applicable data protection regulations including GDPR and India's DPDP Act.

How can I request data deletion?

You can request deletion of your personal data by contacting info@scyverge.com. Scyverge will process your request within 30 days in accordance with applicable data protection regulations.

Privacy Policy | Scyverge

1. Who We Are

Scyverge Labs Private Limited ("Scyverge", "we", "our", or "us") is a cybersecurity firm incorporated under the laws of India. Under the Digital Personal Data Protection Act, 2023 ("DPDPA"), we act as a Data Fiduciary.

2. Scope

This Privacy Policy applies only to personal data we collect through our website (scyverge.com), including data you submit via our online forms and data collected automatically through cookies and server-side security mechanisms. This Privacy Policy does not apply to information we collect by other means (including offline) or from other sources, such as data shared during in-person meetings, phone conversations outside our website, service engagements governed by separate agreements, or information obtained from public registries and third-party databases. It also does not apply to third-party websites linked from our site.

3. Definitions

Data Principal means the individual to whom personal data relates, i.e., you.
Personal Data means any data about an identifiable individual, as defined under the DPDPA.
Processing means any operation on personal data, including collection, storage, use, disclosure, erasure, or destruction.
Data Fiduciary means the entity that determines the purpose and means of processing. Scyverge is the Data Fiduciary.
Data Processor means any person who processes personal data on behalf of a Data Fiduciary.
Consent means a free, specific, informed, unconditional, and unambiguous indication of agreement to processing, by way of a clear affirmative action.
Sensitive Personal Data includes financial data, sexual orientation, racial or ethnic origin, political opinions, religious beliefs, caste or tribe, biometric or genetic data, health data, and data relating to criminal convictions, as defined under the DPDPA.

4. Data We Collect

Contact Enquiry Data: Full name, company name, email address, phone number, subject, and message content submitted via our contact form.
Startup Application Data: Founder name, startup name, email address, phone number, funding stage, primary security need, company website URL, and product description submitted via our application form.
Security and Anti-Abuse Data: IP address (stored as an irreversible MD5 hash for rate limiting; never stored in plaintext; timestamps older than 1 hour are automatically deleted) and session data for CSRF token protection (expires when you close your browser).
Cookie Data: A session cookie for CSRF protection and a consent cookie that records your cookie notice acknowledgment and the date it was given. No analytics, advertising, or tracking cookies are used. See our Cookie Policy for details.
Client Engagement Data: Project details, deliverables, and correspondence generated during service delivery, collected under a separate service agreement.

We do not collect job title, business address, browser type, pages visited, time on site, referral URLs, device identifiers, marketing preferences, file attachments, geolocation, or sensitive personal data through our website. We do not use third-party analytics or tracking tools.

5. Sources of Data

We collect data directly from you when you fill out our contact form, apply for our Startup Security Program, or interact with us via email. We do not use third-party analytics tools, advertising networks, or tracking services. We may receive data indirectly from business partners with your knowledge, or from publicly available sources, but only when necessary for a stated purpose.

6. Lawful Basis for Processing

Under the DPDPA, we process your personal data on the following grounds:

Consent (Section 6): Where you have given free, specific, informed, and unambiguous consent for a specified purpose, such as submitting a contact form or subscribing to communications.
Legitimate Use (Section 7): Without consent, where processing is:
- Voluntarily provided by you for a specified purpose.
- Necessary for performance of a contract or steps at your request.
- Necessary for compliance with any law in force in India.
- Necessary for employment-related purposes or safeguarding employer assets.
- For prevention, detection, or investigation of an offence.
- For ensuring the safety or security of the state.

You may withdraw consent at any time by contacting info@scyverge.com. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

7. How We Use Your Data

Responding to enquiries submitted via our contact form.
Evaluating and processing Startup Security Program applications.
Delivering cybersecurity services under a separate service agreement.
Complying with legal and regulatory obligations under Indian law.
Preventing fraud, spam, and abuse through rate limiting and CSRF protection.
Internal accounting, auditing, and record-keeping.

We process data only for the purpose collected, or a purpose reasonably incidental or connected to it. For any new purpose, we will seek your fresh consent. We do not use your data for profiling, advertising, or behavioural tracking.

8. Data Sharing

We do not sell, rent, or trade your personal data. We may share it only with:

Data Processors: Trusted third parties (e.g., email delivery, hosting) bound by contracts requiring DPDPA-compliant processing and appropriate security.
Legal Requirements: Where required by law, regulation, or governmental request under Indian legislation.
Corporate Transactions: In connection with mergers, acquisitions, or asset sales, subject to the same protections herein.
With Your Consent: Where you have explicitly agreed to share data with a specific third party.
Protection of Rights: To protect our rights, safety, or property, or that of our clients or the public, as permitted under the DPDPA.

We remain responsible for ensuring Data Processors comply with the DPDPA and our instructions.

9. Data Retention

We retain personal data only as long as necessary for the purpose collected, or as required by law. Our retention periods:

Contact Enquiry Data: Up to 2 years from last interaction, then deleted or anonymised.
Startup Application Data: Up to 1 year, unless it progresses to an engagement.
Client Engagement Data: Duration of engagement plus 5 years, or as required by law (collected under separate service agreements, not through this website).
Security/Rate-Limit Data: Rate-limit timestamps older than 1 hour are automatically purged; session data expires when you close your browser.
Cookie Consent Record: 180 days, then the cookie expires and you will be prompted again.
Legal Holds: Retained beyond standard periods where litigation or regulatory action is reasonably anticipated.

10. Your Rights as a Data Principal

Right to Access (Section 11): Request confirmation of whether we process your data, and a summary of the data, purposes, and processors involved.
Right to Correction and Erasure (Section 12): Request correction of inaccurate data or erasure where data is no longer needed, consent is withdrawn, or processing is non-compliant.
Right to Withdraw Consent (Section 6): Withdraw consent at any time with the same ease with which it was given.
Right to Nominate (Section 14): Nominate another individual to exercise your rights in the event of your death or incapacity.
Right to Grievance Redressal (Section 13): Lodge a complaint with our Data Protection Officer. If unsatisfied, approach the Data Protection Board of India.

To exercise these rights, contact info@scyverge.com. We will acknowledge within 7 business days and respond within 30 days. We may require identity verification. Where we cannot comply, we will provide reasons and available remedies.

11. Security Measures

We implement appropriate technical and organisational measures including:

Encryption in transit (TLS 1.2+) and at rest (AES-256).
Role-based access controls and multi-factor authentication.
Regular vulnerability assessments and penetration testing.
Firewalls, intrusion detection, and endpoint protection.
Secure development practices and code reviews.
Employee data protection training.
Incident response and breach notification procedures.
Periodic security audits and compliance assessments.

12. Data Breach Notification

In the event of a personal data breach, we will:

Notify the Data Protection Board of India and each affected Data Principal without delay, within the time prescribed by DPDPA rules.
Include in the notification: the nature of the breach, categories and approximate number of affected Data Principals, likely consequences, and measures taken to address and mitigate the breach.
Document the breach and remedial actions, and make this available to the Board upon request.

13. Cross-Border Data Transfers

Our primary processing is within India. Under the DPDPA, we may transfer personal data outside India only where:

The destination country has been notified by the Central Government as providing an adequate level of data protection (Section 17).
Appropriate contractual safeguards are in place with the recipient.
Your explicit consent has been obtained where required, with clear information about the transfer and safeguards.

14. Children's Data

Our services are not directed at individuals under 18. We do not knowingly collect data from children. We will not process a child's data without verifiable consent from a parent or lawful guardian, and will not engage in tracking, behavioural monitoring, or targeted advertising directed at children. If we become aware of data collected from a child without required consent, we will delete it promptly. Contact info@scyverge.com if you believe a child has provided us data.

15. Cookies

We use only essential, first-party cookies to keep the site secure and functional. We do not use any analytics, advertising, or tracking cookies. See our Cookie Policy for full details.

16. Significant Data Fiduciary Obligations

If notified as a Significant Data Fiduciary by the Central Government, we will comply with additional obligations including appointing a India-based Data Protection Officer, conducting Data Protection Impact Assessments, performing periodic independent audits, and maintaining additional processing records.

17. Changes to This Policy

We may update this policy periodically. Material changes will be posted on this page with a revised effective date, and we will notify you via a prominent website notice or email. Where changes require new consent, we will seek it before implementation.

18. Grievance Redressal

Step 1: Contact our Data Protection Officer at info@scyverge.com. We will acknowledge within 7 business days and endeavour to resolve within 30 days.
Step 2: If unsatisfied, you may approach the Data Protection Board of India under the DPDPA.

19. Contact

Data Protection Officer
Scyverge Labs Private Limited
Email: info@scyverge.com
Phone: +91-9487140830