
Privacy Policy

Effective Date: March 29, 2026
Last Updated: March 29, 2026
Version: 2.0
Primary Governing Law: Digital Personal Data Protection Act, 2023 (DPDPA), India
Secondary Frameworks: GDPR (EU) — applicable to EU/EEA visitors
Next Scheduled Review: September 29, 2026

1. Introduction & Our Commitment to Privacy

Welcome to StateCheck Security. We are a cybersecurity and data privacy consultancy specialising in helping organisations achieve and demonstrate compliance with India's Digital Personal Data Protection Act, 2023 (DPDPA) and other international privacy frameworks. As a company that advises others on privacy, we hold ourselves to the highest standard of data stewardship.

This Privacy Policy is a binding statement of how StateCheck Security ("we", "us", or "our") collects, uses, stores, shares, and protects the personal data of individuals ("Data Principals") who visit and interact with our website at statechecksecurity.com.

We have designed this policy to be clear, plain-language, and actionable. If you have any question about any part of this document, please contact our Data Protection Officer before providing us with any personal data.

Key Principles We Follow
  • Lawfulness, fairness, and transparency — we only collect data with a clear legal basis and tell you what we do with it.
  • Purpose limitation — your data is used only for the specific purpose for which it was collected.
  • Data minimisation — we collect only what is strictly necessary.
  • Storage limitation — we keep data for defined retention periods and delete it when no longer needed.
  • Security — we implement technical and organisational safeguards proportionate to the risk.
  • Accountability — we document our processing activities and are prepared to demonstrate compliance.

2. Who We Are — Data Fiduciary Details

Under the DPDPA 2023, StateCheck Security acts as the "Data Fiduciary" in respect of personal data collected through this website. This means we determine the purpose and means of processing your data and bear primary responsibility for its lawful handling.

Detail | Information
Organisation Name | StateCheck Security
Website | statechecksecurity.com
Nature of Business | Cybersecurity Consulting & Privacy Compliance Advisory
Data Protection Officer | Privacy Team — StateCheck
DPO Email | privacy@statechecksecurity.com
Grievance Redressal | privacy@statechecksecurity.com (7-day response SLA)

3. Scope of This Policy

This Privacy Policy applies to:

  • All visitors to statechecksecurity.com, regardless of geographical location.
  • Individuals who submit enquiries through our Contact Form.
  • Individuals who subscribe to our newsletter or compliance update mailing list.
  • Individuals who download gated resources (e.g., DPDPA compliance guides, templates, whitepapers).
  • Individuals who engage with us via email or other digital communications referencing this website.

This policy does NOT apply to:

  • Client data processed under separate Data Processing Agreements (DPAs) as part of our consulting engagements — those are governed by the relevant engagement contracts.
  • Third-party websites linked from our website. We recommend you review the privacy policies of any external site you visit.

4. Personal Data We Collect

We collect personal data only when you actively provide it to us or when it is automatically generated as a result of your interaction with our website. Below is a complete inventory of every category of data we collect.

4.1 Data You Provide Directly

Contact Form Submissions

When you use the contact form on our website, we collect:

  • Full name
  • Email address
  • Subject line of your enquiry
  • Message content
  • Timestamp of submission

Newsletter & Compliance Update Subscriptions

When you subscribe to receive our newsletters, DPDPA updates, or blog notifications, we collect:

  • Email address
  • Subscription source (e.g., blog sidebar, article footer, homepage banner)
  • Date and time of subscription
  • Consent record (the specific consent language accepted, consent timestamp, and source URL)

Resource Download Lead Capture

When you download a gated resource (guide, template, checklist, or whitepaper), we collect:

  • Email address
  • Resource metadata: file ID, file name, post slug
  • Gate type (e.g., email-only, registration form)
  • Consent text presented to you at the point of download
  • Consent source URL and timestamp
  • IP address (retained for up to 1 hour solely for abuse prevention and rate limiting; not used for profiling)

4.2 Data Collected Automatically

Website Analytics

If we use analytics tools, we may collect aggregated, anonymised data including:

  • Pages visited and time spent on each page
  • Session duration and entry/exit pages
  • Referrer source (e.g., search engine, social media, direct)
  • Country-level location inferred from IP address (we do NOT store raw IP addresses for analytics purposes)
  • Device type and browser type

Technical & Security Data

For the security and integrity of our website and APIs, we automatically collect:

  • IP address (for rate limiting and abuse prevention on API endpoints — cached for a maximum of 1 hour in Redis, then automatically purged)
  • HTTP request metadata (method, path, response code, timestamp) retained in server logs for up to 90 days

Cookies

Cookie Name / Type | Purpose | Duration | Consent Required?
Astro View Transitions | Enables smooth page-to-page transitions without full page reloads. Functional only. | Session (expires on browser close) | No — Strictly necessary
CMS Preview Cookie | Allows authorised team members to preview unpublished blog content. HTTP-Only flag applied. | 60 mins | No — Internal use only
[Analytics Cookie] | If analytics is activated in future, this will track aggregated usage. We will update this table and seek consent before activation. | To be defined | Yes — Opt-in consent

4.3 Data We Do NOT Collect

We explicitly do not collect the following:
  • Sensitive personal data (health, biometric, financial, religious, political data) — not collected under any circumstances.
  • Persistent tracking cookies or cross-site tracking identifiers without prior explicit consent.
  • Third-party advertising pixels (e.g., Facebook Pixel, Google Ads remarketing tags).
  • Social media login tokens or OAuth credentials.
  • Passwords — we do not operate user accounts on this website.
  • Data from individuals under the age of 18 — see Section 12 (Children's Privacy).

5. Legal Basis for Processing

Every instance of personal data processing at StateCheck Security is grounded in at least one lawful basis. Under the DPDPA 2023, our primary bases are consent and legitimate interest. Where EU/EEA residents are concerned, Article 6 of the GDPR also applies.

Processing Activity | Data Involved | Legal Basis (DPDPA) | Legal Basis (GDPR Art. 6)
Responding to contact form enquiries | Name, email, message | Consent (Section 6) + Legitimate Interest (Section 7) | Art. 6(1)(b) — Contract / Art. 6(1)(f) — Legitimate Interest
Sending newsletter & compliance updates | Email, consent record | Explicit Consent (Section 6) | Art. 6(1)(a) — Consent
Delivering downloaded resources | Email, resource metadata | Explicit Consent with notice (Section 6) | Art. 6(1)(a) — Consent
Sending related educational content post-download | Email | Explicit Consent granted at download point | Art. 6(1)(a) — Consent
Website analytics (aggregated) | Anonymised usage data | Legitimate Interest (Section 7) | Art. 6(1)(f) — Legitimate Interest
Security & rate limiting | IP address (short-term) | Legitimate Interest — network security (Section 7) | Art. 6(1)(f) — Legitimate Interest
Maintaining abuse logs | HTTP metadata, IP (90 days) | Legitimate Interest — fraud prevention (Section 7) | Art. 6(1)(f) — Legitimate Interest

Legitimate Interest Assessment: Where we rely on legitimate interest, we have conducted a balancing test confirming that our interests do not override your fundamental rights and freedoms. You may request a copy of our Legitimate Interest Assessment by contacting privacy@statechecksecurity.com.

6. How We Use Your Personal Data

We use your personal data exclusively for the purposes disclosed at the point of collection. We do not repurpose data for incompatible secondary uses without first obtaining fresh consent.

6.1 Service Delivery & Communication

  • To respond to enquiries submitted through the contact form, including providing information about our DPDPA compliance services, privacy audits, and training programmes.
  • To deliver downloadable resources you have requested (e.g., DPDPA compliance checklists, template policies, implementation guides).
  • To send transactional emails confirming subscription status, download access, or enquiry receipt.

6.2 Marketing & Educational Content

With your explicit consent, we will:

  • Send newsletters covering DPDPA regulatory updates, enforcement actions, compliance best practices, and changes to other relevant privacy frameworks (GDPR, etc.).
  • Share blog notifications when new articles are published on topics relevant to your subscribed interests.
  • Send follow-up educational content related to the specific resource you downloaded (e.g., if you downloaded a DPDPA implementation guide, we may share related articles on consent management).

You may unsubscribe from marketing communications at any time via the one-click unsubscribe link present in every email, or by emailing privacy@statechecksecurity.com. Unsubscribes are processed within 24 hours.

6.3 Website Improvement & Security

  • To analyse aggregated, anonymised website traffic to understand which content is most valuable to our audience and improve the quality of our publications.
  • To protect our website and APIs from abuse, spam submissions, brute-force attacks, and denial-of-service attempts through IP-based rate limiting.
  • To maintain server security logs for incident response and forensic investigation if required.

7. Data Retention

We apply a "minimum necessary retention" principle. Personal data is held only for as long as required for the stated purpose or as mandated by applicable law. At the end of the retention period, data is permanently deleted or irreversibly anonymised.

Data Category | Retention Period | Deletion Method | Exception
Contact form submissions | 2 years from last contact, or until matter resolved (whichever is sooner) | Permanent deletion from CMS and email platform | Extended if subject to legal hold
Newsletter subscriptions (active) | Until unsubscription | Immediate deletion on unsubscribe | Backup purge within 30 days
Newsletter subscriptions (inactive) | 5 years from last engagement, then deleted | Automated lifecycle purge | None
Download lead data | 3 years from capture date | Automated deletion at 3-year mark | Extended if active business relationship
Analytics data (raw logs) | 90 days | Automated server log rotation | Anonymised aggregates retained indefinitely
Rate limit / IP data (Redis cache) | 1 hour | Automatic Redis TTL expiry | None
Security / abuse logs (HTTP metadata) | 90 days | Automated log rotation | Extended if active security incident
Consent records | Life of consent + 3 years (audit trail) | Retained for compliance audit purposes | Regulatory investigation

Data Deletion Requests: You may request early deletion of your personal data by exercising your Right to Erasure (see Section 11). Deletion requests are processed within 7 days, subject to identity verification and any applicable legal retention obligations.

8. Data Sharing & Third-Party Processors

StateCheck Security does not sell, rent, or trade your personal data to any third party. We share personal data only with carefully vetted sub-processors who are contractually bound to process data solely on our documented instructions and to maintain data security standards equivalent to or exceeding our own.

8.1 Our Sub-Processors

Sub-Processor | Role | Data Transferred | Location | Certifications
Resend | Transactional email & newsletter delivery | Email address, name, subscription status | USA | SOC 2 Type II, GDPR DPA
Sanity.io | Headless CMS — content management & CDN for downloadable files | Resource metadata, content team access logs | USA / EU | SOC 2, GDPR DPA
Upstash Redis | Rate limiting & duplicate submission detection | Hashed IP address (TTL: 1 hour) | USA / EU | SOC 2, GDPR DPA
Vercel | Website hosting & serverless API execution | Server logs, HTTP metadata | USA / EU | SOC 2 Type II, GDPR DPA

Each sub-processor relationship is governed by a Data Processing Agreement (DPA) that includes: (a) purpose and scope limitations, (b) security obligations, (c) sub-processor restrictions, (d) audit rights, and (e) data return or deletion upon termination. Copies of our DPAs are available upon request by verified Data Principals.

8.2 Legal Disclosures

We may disclose personal data to Indian law enforcement authorities, courts, or government bodies if required to do so by a lawful order, judicial directive, or statutory obligation under Indian law. Where legally permissible, we will notify affected Data Principals of such disclosure requests before complying.

8.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of StateCheck Security's business assets, personal data may be transferred to the acquiring entity. Affected Data Principals will be notified via email and a prominent website notice at least 30 days prior to any such transfer, and will be given the opportunity to delete their data before the transfer takes effect.

9. International Data Transfers

Some of our sub-processors operate servers located outside of India, primarily in the United States and European Union. When personal data is transferred internationally, we ensure that appropriate safeguards are in place to provide a standard of protection equivalent to that required under the DPDPA 2023.

9.1 Safeguards for International Transfers

  • Standard Contractual Clauses (SCCs): All transfers to sub-processors in countries without an adequacy decision are governed by the EU Standard Contractual Clauses (2021/914/EU) or equivalent DPDPA-compliant cross-border transfer mechanisms.
  • Adequacy: Transfers to EU/EEA countries are covered by the EU–India adequacy relationship (where applicable) or SCCs.
  • Sub-Processor DPAs: Each sub-processor DPA includes binding international transfer provisions.

9.2 Data Residency

If your organisation requires personal data to be stored exclusively within India's territorial boundaries (for example, due to sectoral regulations or internal policy), please contact us at privacy@statechecksecurity.com to discuss a dedicated India-hosted infrastructure arrangement.

10. Security Measures

We implement comprehensive technical and organisational security measures as required by DPDPA Section 8(5) and proportionate to the sensitivity and volume of data we process.

10.1 Technical Controls

Control | Description
TLS Encryption (In Transit) | All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
HTTP-Only & SameSite Cookies | Session cookies are flagged as HttpOnly (inaccessible to JavaScript) and SameSite=Strict to prevent CSRF and XSS attacks.
API Rate Limiting | All public-facing API endpoints (contact form, newsletter signup, download gates) are protected by Redis-based rate limiting to prevent brute-force attacks and automated spam.
Environment Variable Protection | API keys, database credentials, and third-party secrets are stored as encrypted environment variables. They are never committed to version control repositories.
Serverless Architecture | Our infrastructure uses a serverless model (Vercel), eliminating persistent server attack surfaces and reducing the exposure window of vulnerabilities.
Content Security Policy (CSP) | HTTP security headers including CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy are configured to mitigate common web attacks.
Duplicate Submission Detection | Download and subscription endpoints include idempotency checks via Redis to prevent duplicate data entries.

10.2 Organisational Controls

  • Access controls: Sanity Studio CMS access is restricted to authorised team members via role-based permissions. Principle of least privilege is enforced.
  • Security reviews: We conduct periodic security audits of our website, dependencies, and third-party integrations. Dependency vulnerabilities are addressed within 30 days of disclosure (critical: 72 hours).
  • Vendor security assessments: Sub-processors are assessed for security maturity before onboarding and reviewed annually.
  • Incident response: We maintain a documented incident response plan. In the event of a data breach, we will notify the Data Protection Board of India within 72 hours (as required by DPDPA) and notify affected Data Principals without undue delay.
  • Staff training: All team members with access to personal data receive privacy and security training upon onboarding and annually thereafter.

10.3 Data Breach Notification

In the event of a personal data breach that is likely to result in harm to Data Principals, StateCheck Security will:

  • Notify the Data Protection Board of India within 72 hours of becoming aware of the breach (DPDPA Section 8(6)).
  • Notify affected Data Principals without undue delay, including a description of the nature of the breach, the data affected, likely consequences, and remedial steps taken.
  • Maintain a breach register documenting all incidents, their scope, and our response actions.

11. Your Rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023 (and GDPR for EU/EEA residents), you have the following rights in relation to your personal data. We are committed to facilitating the exercise of these rights promptly, transparently, and free of charge.

Right | What It Means | How to Exercise | Our Response Time
Right to Access (DPDPA S.11) | Request a copy of all personal data we hold about you, the processing purposes, and the third parties with whom it has been shared. | Email privacy@statechecksecurity.com with subject "Data Access Request" | 7 days from identity verification
Right to Correction (DPDPA S.12) | Request correction of any inaccurate, incomplete, or outdated personal data. | Email us identifying the specific data and the correct information | 7 days
Right to Erasure (DPDPA S.12) | Request deletion of your personal data. Subject to legal retention obligations (e.g., consent records must be kept for audit purposes). | Email us with subject "Erasure Request" | 7 days
Right to Data Portability (DPDPA S.12) | Receive your personal data in a structured, machine-readable format (JSON or CSV) for transfer to another service. | Email us with subject "Data Portability Request" | 14 days
Right to Withdraw Consent (DPDPA S.6(4)) | Withdraw consent for any consent-based processing at any time. Withdrawal does not affect the lawfulness of prior processing. | Newsletter: one-click unsubscribe in every email. Download consent: email us. | Immediate (automated) or 24 hours (manual)
Right to Nominate (DPDPA S.14) | Designate a representative to exercise your data rights on your behalf in the event of death or incapacity. | Submit a notarised nomination form — contact us for the template. | 7 days to acknowledge
Right to Grievance Redressal (DPDPA S.13) | Lodge a complaint with our Data Protection Officer if you believe your data rights have been violated. | Email privacy@statechecksecurity.com | 7 days to respond; escalation to DPB available
Right to Object (GDPR Art. 21) [EU/EEA] | Object to processing based on legitimate interest, including profiling. We will cease unless we can demonstrate compelling legitimate grounds. | Email us with subject "Objection to Processing" | 7 days
Right to Restrict Processing (GDPR Art. 18) [EU/EEA] | Request restriction of processing while accuracy or legitimate grounds are contested. | Email us | 7 days

11.1 Identity Verification

To protect you from unauthorised disclosure of your personal data, we will verify your identity before fulfilling access or erasure requests. Verification typically involves confirming the email address associated with your data and may include a one-time verification code. We will not request more information than is necessary for verification.

11.2 Escalation to the Data Protection Board of India

If you are not satisfied with our response to a grievance, you may escalate your complaint to the Data Protection Board of India (DPBI). The DPBI is an independent adjudicatory body established under DPDPA Section 18. Contact and complaint procedures are available at dpb.gov.in.

11.3 For EU/EEA Residents

If you are located in the European Union or European Economic Area, you also have the right to lodge a complaint with the supervisory authority in your country of residence or place of work. A list of EU data protection authorities is available at edpb.europa.eu.

12. Children's Privacy

StateCheck Security's website and services are directed exclusively at business professionals and are not intended for individuals under 18 years of age. We do not knowingly solicit or collect personal data from minors.

In compliance with DPDPA 2023 and its provisions for the protection of children, we implement the following safeguards:

  • We do not use personal data of minors for targeted advertising or profiling of any kind.
  • If we become aware that personal data has been collected from an individual under 18 without verified parental or guardian consent, we will immediately delete such data.
  • If you are a parent or guardian and believe your child has submitted personal data to our website, please contact privacy@statechecksecurity.com immediately and we will take prompt corrective action.

13. Cookies & Tracking Technologies

We believe in minimal and purposeful use of cookies. Our cookie use is restricted to those strictly necessary for the functioning of our website. We do not use any third-party advertising or tracking cookies.

13.1 What Are Cookies?

Cookies are small text files placed on your device by a website you visit. They are widely used to make websites function correctly and to provide analytical information to site owners. Cookies can be session cookies (deleted when you close your browser) or persistent cookies (stored on your device for a defined period).

13.2 Cookies We Use

Cookie | Category | Purpose | Duration | Third-Party?
astro-transition | Strictly Necessary | Enables smooth client-side navigation without full page reloads using Astro's View Transitions API. | Session | No
sanity-preview | Strictly Necessary (Internal) | Authenticates authorised content team members for CMS preview mode. HTTP-Only, SameSite=Strict. | 1 hour | No
[Future Analytics] | Analytics (Not yet active) | If activated, will collect anonymised usage data. Opt-in consent will be sought via cookie banner before activation. | TBD | TBD

13.3 How to Control Cookies

You can control cookies through your browser settings. Instructions for the most common browsers:

  • Google Chrome: Settings → Privacy and Security → Cookies
  • Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Safari: Preferences → Privacy → Manage Website Data
  • Microsoft Edge: Settings → Cookies and site permissions

Please note that disabling strictly necessary cookies may impair the functionality of our website.

14. Regulatory Framework & Multi-Jurisdiction Compliance

StateCheck Security is a DPDPA-first organisation, and our primary compliance obligations arise under Indian law. However, given the global nature of the internet and our ambition to serve clients internationally, we have designed our data practices to be compatible with major international privacy frameworks.

Framework | Jurisdiction | Our Status | Key Obligations Addressed
DPDPA 2023 | India (Primary) | Fully compliant | Consent, data principal rights, data fiduciary obligations, breach notification, children's data
GDPR (EU) 2016/679 | EU / EEA | Compliant for EU visitors | Lawful basis, data subject rights, SCCs for transfers, DPO designation, Art. 30 records
UK GDPR | United Kingdom | Substantially compliant | Aligned with EU GDPR; SCCs or UK Addendum applied
PDPB / future Indian amendments | India | Monitoring | We monitor all DPDPA rules and implementing regulations as they are notified
ISO/IEC 27001 | Global | Aspirational / In progress | Information security management; sub-processors assessed against this standard

This Privacy Policy will be updated as new regulations come into force or as our services expand into new jurisdictions. Material updates will always be communicated in advance (see Section 16).

15. DPDPA 2023 — Specific Compliance Disclosures

As a company specialising in DPDPA compliance, we apply the following specific provisions:

15.1 Consent Framework (Section 6)

All consent collected on this website meets the DPDPA standard of being free, specific, informed, unconditional, and unambiguous, expressed through a clear affirmative action. We maintain timestamped, source-attributed consent records for every Data Principal. Withdrawal of consent is as easy as giving it.

15.2 Notice (Section 5)

We provide a clear notice at every data collection point, setting out: (a) the personal data being collected, (b) the purpose of processing, (c) the rights available to the Data Principal, and (d) how to contact the Data Protection Officer. This Privacy Policy serves as the comprehensive notice document.

15.3 Data Fiduciary Obligations (Section 8)

  • We process personal data only for the lawful purpose for which consent was given.
  • We ensure completeness, accuracy, and consistency of personal data during processing.
  • We implement appropriate technical and organisational security measures.
  • We notify the Data Protection Board and affected Data Principals in the event of a breach.
  • We do not retain personal data beyond the stated retention period.

15.4 Significant Data Fiduciary (SDF) Readiness

StateCheck Security is not currently designated as a Significant Data Fiduciary by the Government of India. However, we have implemented practices aligned with SDF obligations (data audits, DPIA procedures, consent manager compatibility) in anticipation of potential future designation or to support clients who are SDFs.

16. Changes to This Privacy Policy

We review this Privacy Policy at least every six months and update it whenever our data practices change, new legal obligations arise, or we introduce new services.

16.1 Minor Changes

For non-material changes (e.g., typographical corrections, clarifications that do not affect your rights), we will update the "Last Updated" date at the top of this document. Continued use of the website following such changes constitutes acceptance.

16.2 Material Changes

For material changes (new data categories, new purposes, new third-party sharing, or changes to your rights), we will:

  • Display a prominent banner notification on our website for at least 14 days.
  • Send an email notification to all newsletter subscribers and registered download leads at least 7 days before the changes take effect.
  • Where the change involves a new processing purpose not covered by existing consent, seek fresh explicit consent before implementing the change.

Updated policies take effect 7 days after notification. If you object to a material change, you may request erasure of your data before the effective date.

17. Contact Us & Grievance Redressal

We welcome your questions, feedback, and requests relating to this Privacy Policy and our data practices. Our Data Protection Officer is your primary point of contact for all privacy-related matters.

17.1 Data Protection Officer

Email (Primary): privacy@statechecksecurity.com

Response SLA: Within 7 days of identity verification (DPDPA Section 11)

Language: English (Hindi available upon request)

17.2 Grievance Process

  1. Step 1: Submit your grievance in writing to privacy@statechecksecurity.com with the subject line "Privacy Grievance — [Brief Description]".
  2. Step 2: We will acknowledge your grievance within 48 hours and begin investigation.
  3. Step 3: We will provide a substantive written response within 7 days.
  4. Step 4: If unresolved, you may escalate to the Data Protection Board of India via dpb.gov.in.

17.3 Regulatory Authorities

Authority | Jurisdiction | Contact
Data Protection Board of India | India (DPDPA 2023) | dpb.gov.in
European Data Protection Board | EU / EEA (GDPR) | edpb.europa.eu
Information Commissioner's Office | United Kingdom (UK GDPR) | ico.org.uk

18. Definitions & Glossary

Term | Definition
Personal Data | Any data about an individual who is identifiable by or in relation to such data. (DPDPA S.2(t))
Data Principal | The individual to whom the personal data relates — i.e., you, the website visitor or subscriber. (DPDPA S.2(j))
Data Fiduciary | The entity that alone or jointly determines the purpose and means of processing personal data — i.e., StateCheck Security. (DPDPA S.2(i))
Data Processor | Any entity that processes personal data on behalf of a Data Fiduciary — i.e., our sub-processors such as Resend, Vercel, etc. (DPDPA S.2(k))
Consent | A free, specific, informed, unconditional, and unambiguous indication of agreement by the Data Principal, given through a clear affirmative action. (DPDPA S.6)
Processing | Any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction. (DPDPA S.2(x))
Data Protection Board (DPB) | The independent adjudicatory body established under DPDPA Section 18 to handle complaints and impose penalties.
Significant Data Fiduciary (SDF) | A Data Fiduciary designated by the Government of India based on factors such as volume and sensitivity of data processed, national security risk, etc. (DPDPA S.10)
GDPR | General Data Protection Regulation (EU) 2016/679 — the EU's comprehensive data protection law, applicable to EU/EEA residents.
Sub-Processor | A third-party service provider engaged by StateCheck Security to process personal data on our behalf under a Data Processing Agreement.

Document Title: Privacy Policy — StateCheck Security
Version: 2.0  |  Status: Active
Effective Date: March 29, 2026  |  Last Reviewed: March 29, 2026
Next Review Date: September 29, 2026 (6-month review cycle)
Owner: Data Protection Officer, StateCheck Security
© 2026 StateCheck Security. For the most current version, visit statechecksecurity.com/privacy-policy.
