This Privacy Policy describes how Ethyra Advisory ("we", "us", or "our") collects, uses, discloses, and protects personal data when you visit ethyraadvisory.co.in or engage us for consulting services. We are committed to handling your data with the same discipline we bring to our clients' compliance programs.
1. Who we are
Ethyra Advisory is a governance, risk, and compliance consultancy operating out of India. We act as a Data Controller (under GDPR) and Data Fiduciary (under India's DPDP Act, 2023) in respect of personal data collected through this website and direct client engagements.
2. Data we collect
2.1 Data you provide
- Contact enquiries: name, work email, company name (optional), framework of interest, and the free-text message you submit through our contact form or send to us directly.
- Engagement data: when you become a client, we collect information necessary to deliver services — this is governed by the separate engagement contract and a signed Data Processing Agreement where applicable.
2.2 Data collected automatically
- Request metadata: our hosting provider (Cloudflare) logs IP addresses, user-agent strings, referrer headers, and request timing for security, abuse-prevention, and uptime purposes. These logs are retained according to Cloudflare's standard policies.
- Analytics: we use privacy-respecting, cookieless analytics that do not fingerprint users or track across sites. No third-party advertising pixels are used on this site.
2.3 Cookies
This website does not use tracking cookies. We may set strictly necessary cookies for security (for example, to prevent automated abuse of the contact form). No consent banner is displayed because no non-essential cookies are set.
3. How we use your data
- To respond to enquiries and evaluate whether we are a fit for your engagement.
- To deliver consulting services once you engage us.
- To protect the website and our systems from abuse, fraud, and security incidents.
- To comply with applicable legal and regulatory obligations.
We do not sell your personal data, use it for advertising, share it with data brokers, or train AI models on it.
4. Lawful basis for processing (GDPR / UK GDPR)
- Legitimate interests — responding to unsolicited enquiries, preventing abuse, and operating the website. Our interests are balanced against your rights and you may object at any time.
- Contract — where we are performing or preparing to perform an engagement contract with you or your employer.
- Legal obligation — retaining records required by tax and corporate law.
- Consent — where applicable, for example where you subscribe to optional communications.
5. Data we share with third parties
We use a minimal set of reputable sub-processors to operate the site:
- Cloudflare, Inc. — website hosting, DNS, CDN, DDoS protection, and WAF.
- FormSubmit (or equivalent form relay) — receives contact-form submissions and forwards them to our email.
- Email service provider — stores and delivers our inbound and outbound email.
Sub-processors are engaged under contractual terms that include appropriate security and data-processing commitments. A current list is available on request.
6. International transfers
Because we use global hosting and email infrastructure, your data may be processed outside the country in which you reside, including in the United States and the European Union. Where transfers are subject to GDPR, we rely on Standard Contractual Clauses and appropriate supplementary measures. Where transfers are subject to the DPDP Act, we only transfer to jurisdictions permitted by the Government of India.
7. How long we keep your data
- Contact enquiries that do not convert: deleted within 12 months.
- Client engagement records: retained for the duration of the engagement and up to 7 years thereafter, in line with tax and professional-liability obligations.
- Security logs: retained by Cloudflare per its standard retention schedule (generally ≤ 30 days for non-security-relevant logs).
8. Your rights
Subject to your local law, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data (subject to retention obligations).
- Restrict or object to certain processing.
- Portability — receive your data in a machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
- Complain to a supervisory authority — your local Data Protection Authority (EU/UK) or the Data Protection Board of India.
To exercise any right, email privacy@ethyraadvisory.co.in. We respond within 30 days.
9. How we protect your data
We apply the same controls to our own environment that we advise our clients to implement: role-based access, full-disk encryption on endpoints, TLS in transit, multi-factor authentication, centralised logging, documented incident response, and vendor risk management. If you discover a security issue with this website, please see our security.txt and report it responsibly.
10. Children
This website is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be announced on this page at least 30 days before they take effect.
12. Contact
For any privacy-related question, write to us at privacy@ethyraadvisory.co.in. For general enquiries, use our contact form.