Privacy Policy
We collect the information you give us when you fill in a contact form or use our platform. We use it to respond to your inquiry and deliver our services. We do not sell your data. We do not share it with advertisers. You can ask us to delete it at any time. The full legal detail is below.
1. Overview
This Privacy Policy describes how ZSavvy Technologies Private Limited ("ZSavvy", "we", "us", or "our") collects, uses, stores, and shares personal data when you visit zsavvy.com, use the ZSavvy platform at app.zsavvy.com, or engage with our consulting services.
This policy applies to all data processing activities carried out by ZSavvy. It is written to comply with the General Data Protection Regulation (GDPR), the Information Technology Act 2000 (India), and applicable data protection laws in the jurisdictions where we operate.
By using our website or platform, you acknowledge that you have read and understood this policy. If you do not agree with any part of this policy, you should not use our services.
2. Who We Are
ZSavvy Technologies Private Limited is the data controller responsible for your personal data. We are incorporated under the Companies Act, 2013 in India.
- Entity: ZSavvy Technologies Private Limited
- Founded: July 2015
- Website: zsavvy.com
- Privacy contact: privacy@zsavvy.com
- Security contact: security@zsavvy.com
- Legal contact: legal@zsavvy.com
For the purposes of GDPR, ZSavvy acts as the data controller for personal data collected through our website and platform. Where we process personal data on behalf of our clients as part of consulting or platform services, we act as a data processor under a Data Processing Agreement.
3. Data We Collect
3.1 Data you provide directly
When you complete a contact form, request platform access, or engage with our consulting services, we collect:
- Name and professional title
- Work email address
- Company name and size
- Information about your current technology stack
- Description of your operational requirements or challenges
- Preferred contact time and communication preferences
3.2 Data collected automatically
When you visit our website, we automatically collect certain technical data:
- IP address (anonymised after collection where possible)
- Browser type and version
- Operating system
- Pages visited and time spent on each page
- Referring URL
- Date and time of visit
This data is collected through server logs and, where you consent, through analytics tools. We do not use this data to identify individuals. It is used in aggregate to understand how our website is used.
3.3 Platform data
If you use the ZSavvy platform (app.zsavvy.com), we process additional data as part of delivering the platform service. This data is governed by the Data Processing Agreement between ZSavvy and your organisation. Your organisation is the data controller for data processed within the platform; ZSavvy is the data processor.
3.4 Data we do not collect
We do not collect sensitive personal data (including racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) unless explicitly required for a specific service and with your explicit consent. We do not knowingly collect personal data from individuals under the age of 16.
4. How We Use Your Data
We use the personal data we collect for the following purposes:
- Responding to inquiries: When you complete a contact form, we use your data to respond to your inquiry and assess whether ZSavvy can help you.
- Delivering consulting services: Where you engage ZSavvy for consulting services, we use your data to deliver those services, communicate with you, and manage the engagement.
- Delivering platform services: Where your organisation uses the ZSavvy platform, we process data as necessary to deliver and support the platform under our contract.
- Improving our services: We use aggregated, anonymised data to understand how our website and platform are used and to improve them.
- Legal and compliance obligations: We may process data to comply with applicable laws, respond to legal process, or enforce our terms.
- Security and fraud prevention: We use technical data to detect, prevent, and respond to security threats and fraudulent activity.
We do not use your data for automated decision-making that produces legal effects or significantly affects you without human review.
We do not use your data for advertising. We do not sell your data to any third party. We do not share your data with data brokers.
5. Legal Basis for Processing (GDPR)
For individuals in the European Economic Area (EEA), the United Kingdom, and other jurisdictions where GDPR or equivalent legislation applies, our legal basis for processing personal data is:
- Legitimate interests (Article 6(1)(f)): Processing your contact form submission to respond to your inquiry. We have assessed that our legitimate interest in responding to business inquiries is not overridden by your interests or fundamental rights.
- Contract performance (Article 6(1)(b)): Processing data necessary to deliver consulting or platform services where you or your organisation has engaged us under a contract.
- Legal obligation (Article 6(1)(c)): Processing data required to comply with applicable laws, including tax, accounting, and regulatory requirements.
- Consent (Article 6(1)(a)): Where we rely on consent (for example, for non-essential cookies or marketing communications), we will obtain your explicit consent before processing and you may withdraw it at any time.
6. Data Sharing
We do not sell, rent, or trade your personal data. We share personal data only in the following limited circumstances:
- Service providers: We use a small number of third-party service providers to operate our infrastructure (including cloud hosting on AWS). These providers process data only on our instructions and are bound by data processing agreements.
- Email delivery: Contact form submissions are delivered via email using Gmail SMTP. Google processes the data required to transmit the email.
- Legal requirements: We may disclose personal data if required to do so by law, court order, or lawful request by a public authority.
- Business transfers: If ZSavvy is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected individuals before data is transferred and becomes subject to a different privacy policy.
We do not share data with advertising networks, social media companies (except where you navigate from a shared link), or data analytics companies operating independently of our service delivery.
7. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected:
- Contact form submissions: Retained for 24 months from the date of submission, or until you request deletion, whichever is earlier.
- Consulting engagement data: Retained for the duration of the engagement plus 7 years to comply with applicable accounting and legal obligations.
- Platform data: Retained in accordance with the Data Processing Agreement with your organisation, or for 90 days following contract termination if no agreement specifies otherwise.
- Server logs: Retained for 90 days, after which they are deleted.
- Backup data: Backups are retained for 30 days and then permanently deleted.
When the retention period expires, we securely delete or anonymise the data. You may request earlier deletion at any time see Section 8 (Your Rights).
8. Your Rights
Under GDPR and applicable data protection law, you have the following rights:
- Right of access: You have the right to request a copy of the personal data we hold about you.
- Right to rectification: You have the right to request that we correct inaccurate or incomplete personal data.
- Right to erasure: You have the right to request that we delete your personal data, subject to certain exceptions (for example, where we are required to retain data by law).
- Right to restriction: You have the right to request that we restrict processing of your data in certain circumstances.
- Right to data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to object: You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
To exercise any of these rights, email privacy@zsavvy.com. We will respond within 30 days. We may need to verify your identity before fulfilling the request.
We do not charge a fee for exercising your rights unless requests are manifestly unfounded, excessive, or repetitive.
10. Security
We implement technical and organisational measures designed to protect your personal data against unauthorised access, disclosure, alteration, or destruction:
- All data is encrypted in transit using TLS 1.2 or higher
- Data at rest is encrypted using AES-256
- Access to personal data is restricted to authorised personnel on a need-to-know basis
- We use role-based access controls and two-factor authentication for internal systems
- Our infrastructure is hosted on AWS with regular security monitoring
- We conduct annual penetration testing of our platform
No method of data transmission or storage is 100% secure. While we take our security obligations seriously and implement industry-standard controls, we cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and notify affected individuals without undue delay where required by law.
To report a security concern, email security@zsavvy.com.
11. International Data Transfers
ZSavvy Technologies Private Limited is incorporated in India. Our infrastructure is hosted on AWS in the EU (Frankfurt, Germany) by default. Enterprise+ customers may specify an alternative data residency region at contract time.
Where we transfer personal data from the EEA or United Kingdom to countries not considered to provide an adequate level of data protection, we rely on appropriate safeguards including Standard Contractual Clauses approved by the European Commission.
For details of the safeguards applicable to your data, or to request a copy of the relevant transfer mechanism, email privacy@zsavvy.com.
12. Children's Privacy
Our website and platform are designed for business use by professionals. We do not knowingly collect personal data from individuals under the age of 16.
If you believe we have inadvertently collected personal data from a person under 16, please contact us immediately at privacy@zsavvy.com and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make material changes, we will update the effective date at the top of this policy and, where appropriate, notify you by email or by placing a notice on our website.
We encourage you to review this policy periodically. Your continued use of our website or platform after changes become effective constitutes your acceptance of the updated policy.
Previous versions of this policy are available on request by emailing legal@zsavvy.com.
14. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have a concern about how we handle your data, contact us:
- Privacy inquiries and data rights: privacy@zsavvy.com
- Security concerns and vulnerability disclosure: security@zsavvy.com
- Legal inquiries and DPA requests: legal@zsavvy.com
- General inquiries: hello@zsavvy.com
We aim to respond to all privacy-related inquiries within 5 business days and to all data subject rights requests within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. In the EU, you may contact the supervisory authority in your country of residence. In the UK, the relevant authority is the Information Commissioner's Office (ICO) at ico.org.uk.