This policy explains what personal data Saravana Consultancy (“we”, “us”) collects when you use saravanaconsultancy.in, why we collect it, and the rights you have over it under India's Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Information Technology Act, 2000.

We keep this policy deliberately short. If anything is unclear, email [email protected] and we will answer plainly.

1. Who we are (Data Fiduciary)

Saravana Consultancy is a sole-proprietorship owned by Balasubramanian Iyer, providing aluminium surface-treatment consulting services across India. For the purposes of the DPDP Act, Saravana Consultancy is the Data Fiduciary and you are the Data Principal.

2. What we collect

2.1 Information you give us (via the contact form)

  • Name and company — so we know who is enquiring
  • Email address — so we can reply
  • Phone number — optional, only if you provide it
  • Message — the content of your enquiry

2.2 Information collected automatically

  • Analytics events via Google Analytics 4: pages viewed, approximate session duration, device/browser type, country (derived from IP — the raw IP is not stored by us)
  • Attribution data stored in our internal analytics system: the page you first landed on, the website that referred you, any UTM campaign parameters in the URL, and — when you submit the contact form — a one-way hash of your email address (not the address itself) so we can measure which pages and channels produce enquiries without storing personal identifiers twice
  • Server-side technical data via our host (Cloudflare): IP address for the duration of the request, user agent, and timing metadata — retained for security and abuse-prevention purposes only

2.3 Information we do not collect

  • We do not use advertising cookies or re-targeting pixels.
  • We do not sell or rent your data to anyone.
  • We do not collect financial information through the website — invoicing, if any, happens offline after an engagement is agreed.
  • We do not knowingly collect information from anyone under 18. If you believe a minor has submitted information, email us and we will delete it.

3. Why we use it (purposes of processing)

  • To respond to your enquiry — the contact form content goes to [email protected] and is retained in our email records for as long as the conversation remains commercially relevant, and typically deleted after 3 years of inactivity.
  • To measure which pages and topics are useful — aggregate analytics and attribution help us decide what to write about and what to fix. No individual visitor is profiled.
  • To comply with legal obligations — where we are required by law to retain records (e.g. tax correspondence), we do so for the mandated period.

4. Legal basis for processing

Under the DPDP Act, we rely on:

  • Your consent — when you submit the contact form, you are giving informed consent to the processing described above. You may withdraw consent at any time by emailing us (see §7).
  • Legitimate uses — for purely technical purposes (security logging, basic analytics) we rely on the “legitimate uses” basis under §7 of the DPDP Act.

5. Who we share data with (third parties / processors)

We use a small number of trusted vendors to operate the site. Each of them processes data on our behalf only:

  • Cloudflare, Inc. (USA) — hosting, CDN, and security. Sees all traffic to the site.
  • Formspree, Inc. (USA) — processes contact-form submissions and forwards them to us.
  • Google LLC (USA, via Google Analytics 4) — aggregate traffic analytics.
  • GoDaddy / Secureserver — email delivery infrastructure for [email protected].

Each of these vendors has their own privacy practices. We have selected them because they offer standard contractual protections and, where applicable, certifications such as SOC 2 or ISO 27001. Some of them are located outside India; by using this site you consent to the transfer of your personal data to those jurisdictions as permitted under the DPDP Act.

6. Cookies and local storage

We use a small set of cookies and browser-storage entries. All are functional or analytical — none are advertising cookies.

Name Set by Purpose Retention
_ga, _ga_<id> Google Analytics Distinguish unique visitors Up to 24 months
sc_attribution_v1 This site (sessionStorage) Remember the page you first landed on, to attribute enquiries Cleared when you close the tab
__cf_bm / cf_clearance Cloudflare Bot and DDoS protection Up to 30 days

You can disable cookies in your browser at any time; the site will still work, but analytics and attribution will not be recorded.

7. Your rights under the DPDP Act

As a Data Principal you have the following rights. To exercise any of them, email [email protected] with the subject line “DPDP request”. We respond within 30 days.

  • Right to access — a summary of the personal data we hold about you.
  • Right to correction — fix anything inaccurate or incomplete.
  • Right to erasure — ask us to delete your data, subject to any legal retention obligations.
  • Right to withdraw consent — at any time, with effect for the future.
  • Right to grievance redressal — raise a complaint (see §9).
  • Right to nominate — nominate another individual to exercise your rights in the event of death or incapacity.

8. Data retention

Different data has different retention periods:

  • Contact-form emails: kept in our inbox for as long as the conversation remains commercially relevant, typically deleted after 3 years of inactivity.
  • Analytics data: aggregated by Google Analytics with a 14-month data retention setting.
  • Attribution records (hashed email + landing page + UTM): 24 months, then purged.
  • Server logs at Cloudflare: managed per Cloudflare's own retention policy, typically 30 days.

9. Grievance officer

Under §10 of the DPDP Act and §79 of the IT Act, our designated Grievance Officer is:

If you are not satisfied with our response, you may approach the Data Protection Board of India once it is constituted, or the jurisdictional consumer forum.

10. Security

We take reasonable steps to protect your data: HTTPS across the whole site, modern TLS, access-controlled email, and a minimal set of processors. No method is 100% secure — but we do not store more than we need, and we do not retain data longer than we need.

11. Changes to this policy

If we materially change how we handle personal data, we will update this page and revise the “last updated” date above. For significant changes (e.g. a new processor), we will make a note on the home page for a reasonable period.

12. Contact

Questions about this policy? Email [email protected].