
PRIVACY POLICY

Effective version and date: V1.0, Dated: 02.03.2026

1. Introduction

This Privacy Policy explains how we collect, use, store, share, and protect personal data in the course of providing cybersecurity consulting, security assessments, penetration testing, compliance audits, incident response, and advisory services. We are committed to processing personal data lawfully, fairly, and securely in accordance with the DPDP Act, 2023.

By engaging with our services or interacting with our website, you acknowledge that you have read and understood this Privacy Policy.

 

2. Definitions

·   Data Principal: The individual to whom personal data relates.

·   Data Fiduciary: The entity that determines the purpose and means of processing personal data.

·   Data Processor: Any entity that processes personal data on behalf of a Data Fiduciary.

·   Personal Data: Any data about an individual who is identifiable by or in relation to such data.

Depending on the engagement, we may act as a Data Fiduciary (e.g., for our employees, website users) or a Data Processor (e.g., when processing client-provided data during audits or assessments).

 

3. Categories of Personal Data We Collect

We may collect the following types of personal data:

3.1  From Clients and Their Employees

·   Names, email addresses, phone numbers

·   User access logs, system identifiers, audit logs

·   Security incident details

·   Employee information required for audits or assessments

3.2  From Website Visitors

·   Contact form details

·   IP address, browser metadata, cookies

 

3.3  From Job Applicants

·   Resumes, qualifications, employment history

·   Contact details

We do not intentionally collect sensitive personal data unless required for a specific engagement and explicitly authorized.

 

4. Purpose of Processing

We use personal data only for lawful, specific, and limited purposes connected to cybersecurity consulting and related services. These purposes include:

·       Delivering cybersecurity consulting, auditing and training services.

·       Delivering advisory services related to DPDP Act, ISO 27001, SOC 2, HIPAA, GDPR, and other frameworks.

·       Conducting penetration tests, vulnerability assessments, and compliance audits.

·   Investigating, responding to, and managing security incidents.

·       Improving our services, website functionality, and user experience.

·       Managing client relationships and communication.

·       Providing reports, recommendations, and remediation guidance.

·       Ensuring security of our systems and infrastructure.

·       Recruitment and HR operations.

·       Maintaining legal, regulatory, and contractual compliance.

·       Collecting Customer feedback.

We do not use personal data for purposes unrelated to the original intent unless required by law or with explicit consent.

 

5. Legal Basis for Processing

We process personal data based on:

·       Consent, when individuals voluntarily provide personal data for a specific purpose (e.g., website forms, marketing communication)

·       Contractual necessity (e.g., performing cybersecurity audits for clients)

·       Legal obligations (e.g., regulatory reporting)

·       Legitimate interests (e.g., improving service quality, security monitoring)

 

Where consent is required, it is free, specific, informed, and unambiguous.

 

6. Data Sharing & Disclosure

We may share personal data with: 

·       Authorized internal teams involved in service delivery

·       Third‑party service providers (cloud hosting, tools, or contractual staff/organisations used for audits, training and consulting).

·       Regulatory authorities, when legally required.

·       Clients, strictly as per contractual obligation

We do not sell or trade personal data.

Cross‑border transfers are performed only under permitted conditions and with adequate safeguards.

7. Data Retention

Personal data is retained only for as long as necessary to fulfill the purpose of processing, comply with legal requirements, or meet contractual obligations. After the retention period, data is securely deleted.

 

8. Security Safeguards

We implement reasonable technical and organizational measures, including:

·       Access control and least‑privilege principle.

·       Multi‑factor authentication.

·       Employee training on data protection and cybersecurity.

 

9. Rights of Data Principals

Data Principals have the right to:

·       Request access to your personal data.

·       Request correction or updating of inaccurate data.

·       Request erasure of personal data.

·       Withdraw consent at any time.

·   Nominate another individual to exercise your rights.

Requests will be processed within a reasonable timeframe as mandated by the DPDP Act.

10.  Personal Data Breach Notification

In the event of a personal data breach, we will notify:

·       The Data Protection Board of India, and

·       Affected Data Principals

as required under the DPDP Act and applicable rules. Breach notification is a core fiduciary obligation.

11.  Grievance Redressal

For any concerns or complaints regarding your personal data, you may contact our Grievance Officer:

Name: Manjul Sood

Email: msood@qualitylabs.in

 

12.  Children’s Data

We do not knowingly collect personal data of children (below 18 years) unless explicitly required for a specific engagement and permitted by law.

 

13.  Updates to This Policy

We may update this Privacy Policy periodically to reflect legal, technical, or operational changes. The latest version will always be available on our website.       
