## 01 / Who we are
The data controller (GDPR) and data fiduciary (DPDP Act) for this website is Elofyn Solutions Pvt Ltd, a private limited company registered in India.
For any privacy question or to exercise a right described below, write to us via the contact form. The same channel reaches the Grievance Officer designated under section 8(9) of the DPDP Act — we are small enough that the officer is, today, the studio itself.
## 02 / What we collect
We only collect personal data when you give it to us, or when standard web infrastructure necessarily logs it.
Contact form. When you write to us through /contact, we receive your name, email address, subject, and message. We need these to read your note and write back.
Email correspondence. If you email us directly, we receive whatever your message contains.
Server logs. Our hosting provider records standard web-server logs — IP address, browser user-agent, requested URL, response status, timestamp. These exist to operate and secure the service.
Analytics. We use Google Analytics 4 to count visits and understand which pages get read. Analytics only loads after you accept cookies; if you decline, it does not run. See the cookies notice for the full list.
We do not collect special-category data (GDPR Article 9) or sensitive personal data (DPDP Act section 2(36)) — we have no reason to.
## 03 / Why we collect it
Each kind of data has a lawful basis under the GDPR and a corresponding ground under the DPDP Act.
Contact form messages rest on your consent (GDPR Article 6(1)(a); DPDP Act section 6). You chose to write to us.
Server logs rest on our legitimate interest in operating and securing the site (GDPR Article 6(1)(f)) and on the corresponding legitimate-use ground under DPDP Act section 7.
Analytics rests on your consent (GDPR Article 6(1)(a); DPDP Act section 6), captured by the cookie banner and revocable at any time.
We do not rely on a contract-performance basis for anything on this site — we do not yet take orders here.
## 04 / How long we keep it
Contact-form messages are retained while the conversation is open, archived for up to twenty-four months after, and then deleted.
Server logs are retained for thirty days, then deleted.
Analytics events are retained for two months — the shortest window Google Analytics 4 allows.
Email correspondence tied to a working relationship is retained for the life of that relationship plus any statutory limitation period (typically up to seven years for tax-relevant records under Indian law).
## 05 / Who we share it with
A small set of third-party processors run the parts of the service we do not run ourselves.
Hosting. The cloud provider that serves elofyn.com.
Transactional email. The provider that forwards contact-form submissions to our inbox. Until that provider is wired up, contact-form submissions are written to our own server logs only.
Analytics. Google LLC (Google Analytics 4), and only after you accept analytics cookies.
We do not share personal data with advertisers, data brokers, or anyone else. We do not sell personal data, in either the GDPR-prohibited sense or the CPRA “sale or sharing” sense.
## 06 / International transfers
Elofyn is incorporated in India. Some of our processors, Google in particular, operate globally. This means personal data may be transferred outside the country in which you live.
For transfers from the European Economic Area or the United Kingdom to India, India is not currently the subject of an EU adequacy decision; we rely on the Standard Contractual Clauses adopted by the European Commission and, where relevant, the UK International Data Transfer Addendum.
Under DPDP Act section 16, transfer outwards from India is permitted to any country not specifically restricted by the Central Government. As of the date at the top of this notice, none of the destinations we use is on a restricted list.
## 07 / Your rights
Under the GDPR, if you are in the EEA or the UK, you have the right to access the personal data we hold about you (Article 15), correct inaccurate data (Article 16), erase data in the circumstances Article 17 lists, restrict or object to processing (Articles 18 and 21), receive your data in a portable format (Article 20), withdraw consent at any time without affecting prior lawful processing, and lodge a complaint with your local supervisory authority.
Under the DPDP Act, if you are in India, you have the right to access summary information about your personal data and its processing (section 11), correct, complete, or update inaccurate data (section 12), have data erased once the purpose is fulfilled or consent withdrawn (section 12), nominate another person to exercise these rights in case of death or incapacity (section 13), use a readily available grievance-redressal mechanism (section 13), and escalate to the Data Protection Board of India where redressal fails.
To exercise any of these rights, write to us via the contact form. We respond within thirty days as a default and faster where the DPDP Act’s grievance-redressal timelines require it.
## 08 / Children
The DPDP Act treats anyone under eighteen as a child and requires verifiable parental consent for the processing of children’s personal data (section 9), with stricter limits on behavioural tracking and targeted advertising. The GDPR sets the age of digital consent at sixteen, lower in some member states, and similarly restricts profiling.
This site is not directed at children, and we do not knowingly collect personal data from anyone under eighteen. If you believe a child has provided us personal data, write to us via /contact and we will delete it.
## 09 / Security
We use measures appropriate to the small amount of personal data we process: TLS for all web traffic, least-privilege access to systems, encrypted storage where the underlying processor offers it, and prompt patching of known vulnerabilities.
No system is perfectly secure. If a breach is likely to result in a risk to your rights, we will notify you and the relevant authority within seventy-two hours, as required by GDPR Article 33 and DPDP Act section 8(6).
## 10 / Cookies
Nothing on this site runs cookies by default. A single consent-state cookie is set the first time you make a choice in the cookie banner, so we do not ask again on every page. The cookies notice lists every cookie we set and every cookie an accepted processor sets on our behalf.
## 11 / Changes to this notice
We revise this notice when the underlying practices change. The last-updated date at the top reflects the most recent revision. Material changes are summarised in the journal.
## 12 / How to reach us
Send privacy questions, rights requests, and grievances via the contact form. Mark the subject “Privacy” and we will route it to the Grievance Officer. A postal address is available on request.
This is a long document. We tried to keep it plain. If anything reads as ambiguous to you, write and we will improve the language.