Privacy Policy

How we handle your data.

Applies to all visitors and customers of cehpoint.co.in and our subdomains. Cehpoint is the Data Fiduciary under India's DPDP Act, 2023 and the Data Controller under the GDPR.

1. Who we are

Cehpoint ("Cehpoint", "we", "our", "us") is an Indian IT, AI, and cybersecurity services firm. For this policy, Cehpoint is the Data Fiduciary under India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Data Controller under the EU General Data Protection Regulation ("GDPR"). When we process data on behalf of an enterprise client (for example, while delivering a software project), we act as a Data Processor on that client's instructions and the terms of our master services agreement govern.

2. Data we collect

You give us directly — name, email, phone, company, role, country, project description, budget range, attachments — when you fill our quotation, contact, careers, partner, or tender forms.

Collected automatically — IP address, device and browser fingerprint, referring URL, language preference, theme preference, anonymised analytics events. We do not use third-party advertising cookies.

From third parties — when you sign in via an OAuth provider on one of our portals (e.g. Projects Portal, Outreach), we receive the profile fields you authorise that provider to share.

Sensitive personal data — we do not collect government-issued IDs, biometrics, financial account numbers, or health data through the marketing site. If a project requires such data, it is collected only inside the dedicated client portal with a signed Data Processing Addendum.

3. Why we process it (lawful basis)

  • Performance of a contract — to respond to your inquiry, prepare a proposal, deliver the project you engaged us for, and invoice you.
  • Legitimate interest — to keep the website secure, prevent fraud, run aggregate analytics that don't identify you, and improve our services.
  • Consent — for any marketing communications you opt into; you can withdraw consent at any time without affecting prior lawful processing.
  • Legal obligation — to comply with Indian tax, GST, statutory audit, and lawful information requests from competent authorities.

4. Sharing & processors

We share personal data only with vetted processors who help us run the business. Each is bound by data processing agreements and processes data only on our instructions:

  • Hosting & CDN — Vercel Inc. (USA), AWS, and Cloudflare for content delivery.
  • Email & transactional messaging — Google Workspace, WhatsApp Business.
  • Analytics — first-party aggregated event analytics, no cross-site profiling.
  • Payments — Razorpay, Stripe (for invoicing only).
  • Helpdesk & CRM — internally hosted; access restricted by role.

We do not sell personal data. We do not share it for cross-context behavioural advertising. We do not perform automated decision-making with legal effect on you.

5. International transfers

Our primary data is stored in India. When data must move across borders (e.g. to a US-region CDN edge), we rely on the Standard Contractual Clauses (EU) and, where the DPDP Act notifies a country list, we transfer only to jurisdictions that the Indian government has not restricted.

6. Retention

We keep inquiry data for up to 24 months after the last interaction, after which it is securely deleted unless a longer period is required for tax, statutory audit, or active litigation. Active client project data is retained for the duration of the engagement plus the period defined in the master services agreement (typically 7 years for invoicing records, per Indian law).

7. Your rights as a Data Principal

Under the DPDP Act 2023 and GDPR you can:

  • Access the personal data we hold about you.
  • Correct or update inaccurate or incomplete data.
  • Erase data we no longer need to retain by law.
  • Withdraw consent for any processing based on consent.
  • Nominate another individual to exercise these rights in the event of your death or incapacity.
  • Lodge a grievance with our Grievance Officer (Section 9 below).

We respond within 30 days of receiving a verifiable request.

8. Cookies & local storage

We use a small number of first-party cookies and localStorage entries strictly to remember your preferences — language, theme (light/dark), and a session-level flag so our chat assistant doesn't reopen on every page. We do not use third-party tracking cookies, marketing pixels, or session replay tools on this site.

9. Grievance Officer

In accordance with the DPDP Act 2023 and the Information Technology Act 2000, you can contact the Office of the DPO, Cehpoint at contact@cehpoint.co.in. Response time: within 30 days of a verifiable request.

10. Security & breach notification

We apply industry-standard controls — TLS 1.2+ in transit, AES-256 at rest, role-based access, principle of least privilege, signed audit logs, third-party penetration tests. In the event of a personal data breach, affected Data Principals and the Data Protection Board of India will be notified without undue delay and in any event within the statutory timelines.

11. Changes to this policy

We review this policy at least annually and whenever the law materially changes. The "Last updated" date reflects the latest revision. Material changes will be highlighted in the footer for 30 days.

12. Contact

Anything unclear? Email contact@cehpoint.co.in with subject "Privacy" and we'll route it to the right person.