Privacy Policy

Effective Date: 17 June 2026
Version: 1.1
Controller: SilicaSecure Private Limited, New Delhi, India

1. About this policy

This Privacy Policy explains how SilicaSecure Private Limited ("SilicaSecure", "we", "us", "our") collects, uses, shares, retains, and protects personal data when you visit silicasecure.com, use our risk-assessment tool, book a meeting, sign in to our customer portal, or otherwise interact with us.

It is written to satisfy — at a minimum — India's Digital Personal Data Protection Act 2023 ("DPDP Act"), the EU and UK General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the CPRA, Brazil's LGPD, Canada's PIPEDA, and South Africa's POPIA. It should be read together with our Cookie Policy, which covers cookies and similar storage technologies in detail.

2. Controller and contact

The Data Fiduciary / Controller of personal data processed under this policy is:

SilicaSecure Private Limited
New Delhi, India
Email: info@silicasecure.com

Data Protection Officer / Grievance Officer: dpo@silicasecure.com. Under § 8(10) of the DPDP Act, the Grievance Officer is the first point of contact for any complaint regarding the exercise of your rights under the Act.

If you are in the EEA or UK and would prefer to write to an Article 27 representative, contact us at the address above and we will share current details.

3. Personal data we collect

We collect personal data in three ways:

  • Information you give us — when you book a demo or meeting, request a risk assessment, sign in to the portal, apply for a job by email, or otherwise contact us.
  • Information we collect automatically — IP address, user-agent, requested URLs and timestamps, and CSP violation reports, captured by our hosting provider and our security logging in order to operate the Site safely.
  • Information from public sources — limited business context (e.g., your company's public LinkedIn page, or your target website during a scan you initiate).

We do not knowingly collect special-category data (such as health, biometric, or political data) other than what you may volunteer in a CV. To assess an application we only need your identity and contact details, work history, qualifications, and right-to-work status — please avoid sending sensitive information that is not relevant to the role. Where a CV does contain special-category data, we process it on the basis of Article 9(2)(b) GDPR (carrying out obligations in the field of employment) and § 7(i) of the DPDP Act, and only to the extent necessary to evaluate your application. We do not buy data lists.

4. How we use personal data — register of processing

The table below is our authoritative record of processing under Article 30 GDPR and the equivalent obligations under § 8 of the DPDP Act. We use personal data only for the purposes listed here.

Table 1 — Register of Processing Activities (purpose, categories of data, legal basis under GDPR and the DPDP Act, and retention period)

| Purpose | Categories of data | Legal basis (GDPR) | Legal basis (DPDP Act) | Retention |
|---|---|---|---|---|
| Respond to booking and demo requests | Name, work email, company, phone (optional), free-text message | Art. 6(1)(b) – steps prior to contract | § 6 – explicit consent; § 7(a) – voluntary provision for specified purpose | Engagement close + 7 years; 24 months for unconverted leads |
| Run the DPDP risk-assessment tool | Company name, requester name, work email, phone, target website URL, generated PDF report | Art. 6(1)(b) – pre-contract performance; Art. 6(1)(a) – your consent for the report email | § 6 – explicit consent | Report and inputs retained for 12 months; aggregated, de-identified scan metrics retained for 36 months |
| Authenticate customers in the secure portal | Email, hashed password (handled by our managed authentication provider), session metadata | Art. 6(1)(b) – performance of the service contract | § 6 – explicit consent; § 7(a) – voluntary provision for specified purpose | While account is active; 90 days after deletion for security/audit logs |
| Site security, fraud prevention, abuse mitigation | IP address, user-agent, request metadata, CSP violation reports | Art. 6(1)(f) – legitimate interests (security and fraud prevention), implemented in line with the security-of-processing obligation in Art. 32 | § 7(a) – voluntary provision for specified purpose | Access logs: 30 days; CSP violation reports: 30 days |
| Careers — applications via email | Anything you choose to send to careers@silicasecure.com (typically name, CV, contact details, work history) | Art. 6(1)(b) – pre-contract; Art. 9(2)(b) where special-category data is included | § 7(i) – employment-related purposes | Successful: duration of employment + statutory periods; unsuccessful: 12 months unless you ask us to keep it on file |
| Statutory accounting, tax and audit records | Invoice and engagement metadata, KYC data where required | Art. 6(1)(c) – legal obligation | § 7(d) – fulfilling obligation under law; § 17(1)(a) – legal compliance | 8 years (Companies Act 2013 § 128(5) / Income-Tax Act § 44AA) |

We do not use personal data for automated decision-making with legal or similarly significant effects, and we do not engage in profiling for advertising.

What our risk-assessment tool does with your data. When you run the DPDP risk-assessment tool against a website you are authorised to scan, the tool analyses the target's public configuration and the details you submit to generate a compliance risk score, flag specific gaps, and produce a PDF report with recommendations. The analysis is performed with the assistance of a contracted third-party AI model (currently Google Gemini), which acts as our processor under a data processing agreement and does not use your inputs to train its models; it is listed on our sub-processor page. The tool surfaces findings for a human to review; it does not make automated decisions that produce legal or similarly significant effects about you, and it does not profile you for advertising. The report and the inputs you provide are retained as set out in Table 1.

5. Third-Party Sharing Disclosure (Categories of recipients)

In accordance with § 8(1) of the DPDP Act, we ensure that your personal data is complete, accurate, and consistent to the best of our knowledge before disclosing it to any third party. We disclose personal data only to (a) sub-processors who act on our documented instructions under a written data processing agreement, (b) professional advisers (lawyers, auditors) bound by confidentiality, and (c) authorities where we are legally required to do so.

We do not sell or rent personal data for money. We are also conscious that the CCPA/CPRA defines "sell" and "share" broadly — to include some disclosures of personal information to third parties for monetary or other valuable consideration, or for cross-context behavioural advertising, even where no money changes hands. We do not engage in such "sales" or "sharing": we do not disclose personal information to third parties for cross-context behavioural advertising, and any analytics or advertising technology is loaded only after you opt in and is configured so the provider acts as our service provider, not for its own purposes. You can exercise the opt-out rights described in section 8 even though we do not currently sell or share.

The categories of recipient that form our processing infrastructure are set out below. We also publish a current named sub-processor list — naming each vendor, what it does, and the country in which it processes data — at silicasecure.com/sub-processors, and we provide further detail on request. We may redact only the technical configuration details whose disclosure would itself create a security risk; we do not withhold vendor names or processing locations.

  • Cloud hosting and content delivery — to serve the Site and run our backend.
  • Managed database and authentication — to store booking submissions and authenticate portal users.
  • Headless content management — to manage marketing content (no end-user personal data).
  • Meeting scheduling — when you choose to book a call through an embedded scheduling widget.
  • Professional advisers — legal counsel, auditors, and tax advisers, on a need-to-know basis.

Our published sub-processor list names each vendor, the personal data it processes, its processing location, and the transfer safeguard. Customers, prospects, and regulators may request further detail — including specific processing regions and copies of our transfer safeguards — by emailing dpo@silicasecure.com. We give contracted customers prior notice of any change in sub-processors at the contact address on file.

6. International data transfers

SilicaSecure is established in India. Some of the providers within the categories listed in section 5 operate globally, which means your personal data may be processed in the United States, the European Economic Area, the United Kingdom, or other jurisdictions where they maintain infrastructure.

Where personal data leaves the EEA or the UK, we rely on the European Commission's Standard Contractual Clauses (2021/914) for controller-to-processor transfers, supplemented by the UK International Data Transfer Addendum. Consistent with Schrems II, we carry out a transfer impact assessment for every transfer of EEA or UK personal data to a third country, and we apply supplementary measures — encryption in transit and at rest, access controls, and contractual restrictions on government-access disclosure — to all such transfers.

Transfers of personal data outside India are made only to jurisdictions that have not been restricted by the Central Government under § 16 of the DPDP Act. For CCPA/CPRA, transfers are accompanied by service-provider commitments that the recipient will not sell or share the personal information.

7. Data Retention and Disposal Policy

We retain personal data only for as long as necessary for the purposes set out in section 4. In accordance with § 8(7) and § 8(8) of the DPDP Act, we will erase your personal data (and direct our Data Processors to do the same) when the specified purpose is no longer being served or if you withdraw your consent, unless retention is necessary for compliance with any other law.

The purpose of processing is deemed to be no longer served if you do not approach us for the performance of the specified purpose and do not exercise any of your rights for the periods prescribed below. Specific retention periods are also listed in the right-hand column of the register. The principal periods are:

  • Active customer engagement: for the duration of the engagement plus 7 years, to support invoicing, dispute resolution, and statutory accounting obligations under § 128(5) of the Companies Act 2013 and § 44AA of the Income-Tax Act 1961.
  • Unconverted leads: 24 months from last contact, after which records are anonymised or deleted.
  • Risk-assessment outputs: 12 months for the report and inputs; up to 36 months for aggregated, de-identified scan metrics used to improve the tool.
  • Server access and security logs: 30 days.
  • Backups: rolling 35 days.

Deletion and backups. When you ask us to erase your personal data, or when the purpose is exhausted, we delete it from our live production systems promptly. A copy may persist in our encrypted disaster-recovery backups for up to 35 days, after which it is overwritten on the rolling backup cycle. During that window the backup copy is suppressed: we do not access or use it for any purpose other than restoring the system after a failure, and if a restore occurs we re-apply your deletion request to the restored data.

Where law requires a longer period (for example, statutory accounting), we keep only the minimum data necessary for that obligation and segregate it from active records.

8. Your rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you and obtain a copy;
  • Rectify inaccurate or incomplete data;
  • Erase data ("right to be forgotten"), subject to overriding legal obligations;
  • Restrict or object to processing;
  • Withdraw consent at any time, with future effect — email dpo@silicasecure.com, or click the unsubscribe link in any marketing email to withdraw consent to marketing. Withdrawal is as easy as giving consent and does not affect the lawfulness of processing before withdrawal;
  • Data portability — we will provide your data in a structured, commonly used, machine-readable format (typically JSON or CSV) where technically feasible;
  • Nominate another individual to exercise your rights in the event of death or incapacity (DPDP Act § 14);
  • Lodge a grievance or complaint with us first (via the Grievance Officer in section 2), and thereafter with a supervisory authority — the Data Protection Board of India (§ 27 DPDP Act), the Information Commissioner's Office in the UK, or your local EU supervisory authority;
  • Opt out of the "sale" or "sharing" of personal information and certain profiling (CCPA/CPRA, Colorado, Connecticut, Virginia, and similar US state laws). We do not currently sell or share.

To exercise any right, email dpo@silicasecure.com. We may need to verify your identity before we act on a request. We will respond within the period required by the applicable law — typically 30 days under GDPR and the DPDP Act, and 45 days under CCPA/CPRA. Where a request is manifestly unfounded or excessive we may charge a reasonable fee or refuse, and we will explain why.

Exercising your rights is free of charge and does not put you at any disadvantage.

9. Specific notice to Data Principals in India (DPDP Act)

Under § 5 of the DPDP Act, where we process your personal data on the basis of your consent, this section serves as our notice. You are providing your personal data to SilicaSecure Private Limited as Data Fiduciary for the purposes listed in section 4 of this policy. The categories of personal data, the purposes, and how you may exercise the rights below are set out in sections 3, 4, and 8.

Language Accessibility: In accordance with § 6(3) of the DPDP Act, if you wish to receive a copy of this notice or any consent request in any of the languages specified in the Eighth Schedule to the Constitution of India, please contact us at dpo@silicasecure.com. We will promptly provide you with a translated version.

As a Data Principal you have, in addition to the rights in section 8, the right to:

  • Obtain a summary of personal data being processed and the processing activities (§ 11);
  • Correction, completion, updating, and erasure (§ 12);
  • Grievance redressal via our Grievance Officer (§ 13). We will respond within the period prescribed by the Act and accompanying rules;
  • Nominate another individual to exercise your rights upon death or incapacity (§ 14);
  • Withdraw consent at any time using the same channel by which it was given (§ 6(4) – (6));
  • Where available, exercise rights through a Consent Manager registered with the Data Protection Board of India (§ 6(7) – (9)).

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India in the manner provided under § 27 of the Act.

10. Your duties as a Data Principal in India

Under § 15 of the DPDP Act, as a Data Principal you are required to comply with the provisions of all applicable laws while exercising your rights. Specifically, you must:

  • Not impersonate another person while providing your personal data.
  • Not suppress any material information while providing your personal data.
  • Not register a false or frivolous grievance or complaint with us or the Data Protection Board.
  • Furnish only verifiably authentic information when exercising your right to correction or erasure.

Please note that the Act prescribes penalties for Data Principals who breach these statutory duties.

11. Children and Minors

Our services are intended for businesses and not for children. The age of a "child" differs by jurisdiction — 18 in India (DPDP Act § 9), 16 under the GDPR (or the lower digital-consent age, down to 13, set by the relevant Member State), and 13 in the United States (COPPA). Where we cannot reliably determine a user's location or age, we apply the strictest threshold and treat anyone under 18 as a child.

Under § 9 of the DPDP Act we do not process the personal data of a Data Principal under 18 without verifiable parental or guardian consent, and we do not undertake tracking, behavioural monitoring of children, or targeted advertising directed at children. Under COPPA, we do not knowingly collect personal information from children under 13.

If you believe a child has provided us with personal data, contact us and we will delete it promptly.

12. Security and Breach Notification Disclosure

We implement technical and organisational measures appropriate to the risk, as required by Article 32 GDPR and § 8(5) of the DPDP Act. These include:

  • Encryption in transit (TLS 1.2+) and at rest for all stored personal data;
  • Row-level security on our managed database, with insert-only public roles and least-privilege access for staff;
  • Hardened HTTP security headers (HSTS preload, strict Content-Security-Policy, X-Content-Type-Options, frame-ancestors none) and CSP violation reporting;
  • Same-origin and rate-limiting controls on submission endpoints;
  • Logical separation between development, staging, and production environments;
  • Background checks, role-based access, and confidentiality undertakings for staff who process personal data;
  • Regular vulnerability scanning and an internal security review process;
  • Periodic third-party penetration testing of our production environment, with material findings tracked and remediated promptly. As a cybersecurity company, independent testing is part of our standard security lifecycle.

Breach notification. In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the Data Protection Board of India, other competent supervisory authorities, and affected individuals in accordance with § 8(6) of the DPDP Act and Articles 33–34 GDPR, without undue delay and in any event within the timeframes required by law. Where a breach is likely to result in a high risk to your rights — for example, a risk of serious harm — we will notify you personally and directly, and tell you what happened, what data was involved, and the steps you can take to protect yourself.

13. Marketing communications

We may send you operational emails about an engagement (booking confirmations, report delivery, account notices) — these are not marketing. We will send marketing emails (newsletter, product updates, event invitations) only with a lawful basis and an unambiguous unsubscribe link in every message. You can withdraw consent at any time without affecting the lawfulness of prior processing.

14. Cookies and similar technologies

Cookies, localStorage entries, and similar tracking technologies — including how to accept, reject, or change your preferences — are described in detail in our Cookie Policy. You can revisit your choices at any time using the "Cookie Preferences" link in the footer. In summary, we group them into four categories:

Summary of cookie categories, their purpose, whether consent is required, and typical retention

| Category | Purpose | Consent required? | Typical retention |
|---|---|---|---|
| Strictly necessary | Deliver the Site, authenticate users, prevent fraud, and record your consent. | No (essential) | Session – 7 days |
| Functional | Remember choices such as theme, language, and region. | Yes | Until cleared |
| Analytics | Understand aggregate usage to improve the Site. None set today; loaded only after you opt in. | Yes | Up to 24 months |
| Marketing | Measure campaigns and tailor advertising. None set today; loaded only after you opt in. | Yes | Up to 13 months |

15. Country-specific information

We apply the protections in this policy to everyone. The points below set out additional information for individuals protected by specific national laws. We will expand these as our processing in each jurisdiction grows.

United States — California and other states (CCPA/CPRA and similar). California residents have the rights to know, access, correct, delete, and to opt out of the "sale" or "sharing" of personal information and of certain profiling, and not to be discriminated against for exercising them. As explained in section 5, we do not sell or share personal information as those terms are broadly defined. To exercise these rights, contact dpo@silicasecure.com; we respond within 45 days.

Brazil (LGPD). If you are in Brazil, the LGPD gives you the rights to confirmation and access, correction, anonymisation or deletion of unnecessary data, portability, information about sharing, and to withdraw consent. The legal bases we rely on map to Articles 7 and 11 of the LGPD. You may exercise these rights, or contact our data-protection contact (encarregado), at dpo@silicasecure.com.

South Africa (POPIA). If you are in South Africa, POPIA gives you the rights to access, correction, and deletion of your personal information and to object to processing. SilicaSecure has appointed an Information Officer who can be reached at dpo@silicasecure.com; the Information Officer's registration with the Information Regulator (South Africa) is maintained and current details are available on request. You may also complain to the Information Regulator (South Africa).

Canada (PIPEDA). If you are in Canada, we handle personal information in accordance with PIPEDA and applicable provincial privacy laws. You have the right to access and correct your personal information and to withdraw consent, subject to legal or contractual limits. Contact dpo@silicasecure.com, and you may complain to the Office of the Privacy Commissioner of Canada.

16. Data protection governance and assessments

Legitimate Interest Assessments (LIA). Where we rely on legitimate interests as our legal basis under Article 6(1)(f) GDPR — for example, for site security and fraud prevention — we first carry out and document a Legitimate Interest Assessment that balances our interest against your rights and freedoms. These assessments are kept on file and a summary is available to data principals and regulators on request from dpo@silicasecure.com.

Data Protection Impact Assessments (DPIA). Before we begin any processing that is likely to result in a high risk to individuals — for example, large-scale or systematic processing, or processing of sensitive data — we carry out a Data Protection Impact Assessment under Article 35 GDPR (and an equivalent risk assessment under the DPDP Act) and implement the measures it identifies before going live.

17. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in law, our services, or our processing activities. Material changes will be highlighted at the top of this page and, where required by law, communicated to you directly. The effective date and version number at the top indicate the most recent revision. Previous versions are available on request from dpo@silicasecure.com.

18. How to contact us

For privacy enquiries and rights requests: dpo@silicasecure.com

For general enquiries: info@silicasecure.com

Postal address: SilicaSecure Private Limited, New Delhi, India.

You retain the right to complain directly to the Data Protection Board of India or to your local supervisory authority, but we'd appreciate the chance to address your concern first.