Privacy notice

Privacy notice.

How Ethyra Advisory handles personal data collected through this website and during scoping engagements. Aligned with GDPR, UK GDPR, and the India Digital Personal Data Protection Act 2023.

Effective 20 April 2026 · v1.2

1. Who we are

Ethyra Advisory (“we”, “us”) is an independent GRC implementation practice operating from India and delivering to clients globally. For personal data collected via this website and engagement intake, we are the data controller / data fiduciary.

Contact: hello@ethyraadvisory.co.in · Privacy: privacy@ethyraadvisory.co.in

2. What we collect

Only what we need to respond to you, scope work, or operate the website:

  • Enquiry data — name, email, organisation, role, country, and the information you provide in the message field.
  • Engagement data — any documents or information you share to help us scope or deliver work.
  • Operational data — emails you exchange with us.
  • Server logs — IP address, timestamp, user-agent, URL requested (retained by our hosting provider for abuse prevention and diagnostics).

We do not use cookies to identify you, and we do not run marketing or behavioural analytics on this website.

3. Lawful basis

  • Article 6(1)(b) — contract or pre-contract performance (scoping, proposals, delivery).
  • Article 6(1)(f) — legitimate interests (replying to enquiries, maintaining the website, preventing abuse).
  • DPDP 2023 — lawful purpose and consent where applicable.

4. Retention

  • Enquiries we do not take forward: deleted within 12 months.
  • Client engagement records: retained for 6 years after the engagement ends, consistent with typical commercial and tax record-keeping obligations in India.
  • Server logs: 30 days.

5. Sub-processors

We use a minimum set of well-governed sub-processors:

  • Cloudflare, Inc. — website hosting (Cloudflare Pages), DNS, CDN, and edge security.
  • FormSubmit — contact form submission relay (submissions arrive by email at our inbox).

A current sub-processor list is available on request. We do not sell personal data, ever.

6. International transfers

Some of our sub-processors host infrastructure outside India or the EEA. Where EEA / UK data is transferred, we rely on the European Commission’s Standard Contractual Clauses and, where relevant, supplementary measures determined in a Transfer Impact Assessment.

7. Your rights

Depending on your location, you have rights to: access your personal data; request correction; request deletion; restrict or object to processing; port your data to another controller; and withdraw consent where processing relies on consent. To exercise any of these rights, email privacy@ethyraadvisory.co.in. We respond within 30 days (GDPR) or 7 days (DPDP) where applicable.

You can also lodge a complaint with your data-protection authority (in India: the Data Protection Board).

8. Security

This website is served over HTTPS with HSTS preload, a strict Content-Security-Policy, and the standard anti-clickjacking and anti-sniffing headers. Engagement data is handled only by authorised practice members under strict confidentiality obligations.

9. Cookies

This website does not set any first-party cookies and does not embed third-party trackers. Your browser may receive technical cookies from Cloudflare for security (rate-limiting, bot mitigation); these are not used for profiling.

10. Children

This website and our services are not directed at children. We do not knowingly collect personal data from children under 18.

11. Changes

We may update this notice. Material changes will be highlighted at the top of the page with a new effective date. We keep a short version history internally.