Privacy Policy

We collect the following categories of personal data: **Information you provide directly:** Name, email address, phone number, company name, and any other information you submit through our contact forms, demo request forms, or data subject request forms. **Information collected automatically:** IP address (anonymised for analytics), browser type and version, operating system, referring URL, pages visited, time spent on pages, and interaction data. This data is only collected with your explicit consent via our cookie preference centre. **Cookies and tracking technologies:** We use essential cookies required for site functionality (authentication, security, consent preferences) and optional cookies for analytics (Google Analytics 4) and marketing (HubSpot) that are only activated with your explicit consent. See the Cookie Policy section below for full details.

We process your personal data for the following purposes: - **Service delivery:** To respond to enquiries, provide quotes, schedule meetings, and deliver our managed IT, cybersecurity, and AI consulting services. - **Communication:** To send transactional emails (form confirmations, meeting reminders) and, with your consent, marketing communications. - **Analytics:** With your consent, to understand how visitors use our website so we can improve the user experience. - **Security:** To protect our website against abuse, fraud, and cyberattacks. This includes CSRF protection, rate limiting, and error monitoring. - **Legal compliance:** To fulfil our obligations under applicable data protection laws, including responding to data subject requests.

We process personal data on the following legal bases: - **Consent (GDPR Art. 6(1)(a), DPDP Act §6):** For analytics cookies, marketing cookies, and marketing communications. You can withdraw consent at any time via our cookie preference centre or by contacting us. - **Legitimate interest (GDPR Art. 6(1)(f)):** For website security (rate limiting, CSRF protection, error monitoring) and responding to business enquiries. - **Contractual necessity (GDPR Art. 6(1)(b)):** For processing data necessary to deliver services you have requested. - **Legal obligation (GDPR Art. 6(1)(c)):** For compliance with applicable laws and regulations.

We retain personal data only as long as necessary for the purposes described above: - **Contact form submissions:** Retained in our CRM (HubSpot) for up to 3 years after last interaction, then deleted. - **Analytics data:** Google Analytics retains anonymised data for 14 months. We do not store analytics data on our own servers. - **Consent records:** Consent preferences are stored in a browser cookie for 365 days. We retain server-side consent audit logs for 5 years for compliance purposes. - **Data subject requests:** Request records are retained for 5 years to demonstrate compliance. - **Error logs:** Sentry retains error data for 90 days.

Depending on your jurisdiction, you have the following rights regarding your personal data: **Under GDPR (EU/EEA residents):** - Right of access — obtain a copy of your personal data - Right to rectification — correct inaccurate personal data - Right to erasure ("right to be forgotten") — request deletion of your personal data - Right to restrict processing — limit how we use your data - Right to data portability — receive your data in a structured, machine-readable format - Right to object — object to processing based on legitimate interests - Right to withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing **Under DPDP Act 2023 (Indian residents):** - Right to access information about personal data processing - Right to correction and erasure of personal data - Right to grievance redressal - Right to nominate another person to exercise rights in case of death or incapacity **Under CCPA/CPRA (California residents):** - Right to know what personal information is collected, used, shared, or sold - Right to delete personal information - Right to opt out of the sale or sharing of personal information - Right to non-discrimination for exercising privacy rights - Right to correct inaccurate personal information To exercise any of these rights, please submit a request through our [Data Request Form](/privacy/data-request) or contact our Data Protection Officer. We will respond within 30 days (GDPR), 72 hours (DPDP Act), or 45 days (CCPA) as required by law.

You can contact our Data Protection Officer for any privacy-related enquiries: **Email:** privacy@sentostech.com **Address:** Sentos Technologies Private Limited, Chennai, Tamil Nadu, India For data subject requests, please use our [Data Request Form](/privacy/data-request) to ensure your request is processed efficiently.

We use the following categories of cookies: **Essential cookies (always active):** - `consent_preferences` — Stores your cookie consent choices (365 days) - `__csrf` — CSRF protection token (session) - `__Secure-next-auth.session-token` — Authentication session (portal users only) **Analytics cookies (requires consent):** - Google Analytics 4 (`_ga`, `_ga_*`) — Anonymised website usage analytics - Sentry — Error monitoring and performance data **Marketing cookies (requires consent):** - HubSpot (`hubspotutk`, `__hstc`, `__hssc`) — Lead tracking, behavioural analytics You can manage your cookie preferences at any time by clicking "Cookie Settings" in the footer or using the cookie preference centre that appears on your first visit.

We use the following third-party service providers to process personal data on our behalf. All processors are bound by data processing agreements (DPAs) and, where applicable, EU Standard Contractual Clauses (SCCs). See the table below for details on each processor, the data shared, and their privacy policies.

Our primary operations are in India. Some of our third-party processors are based in the United States or operate globally. Where personal data is transferred outside of the EU/EEA or India, we ensure adequate safeguards are in place: - **EU Standard Contractual Clauses (SCCs):** Used for transfers to US-based processors (HubSpot, Sentry, Google, Resend). - **Adequacy decisions:** Where the European Commission has deemed a country to provide adequate data protection. - **Contractual obligations:** All processors are bound by data processing agreements requiring equivalent data protection standards.

Our website and services are not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact our Data Protection Officer immediately and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on this page with a revised "Last updated" date. For material changes, we will provide additional notice via our website or email where appropriate. We encourage you to review this policy periodically.