Cipherion respects the privacy of all visitors and customers. This policy explains how and why we collect personal information, the legal bases for processing under the General Data Protection Regulation (GDPR), UK GDPR and Data Protection Act 2018 (DPA 2018), the California Consumer Privacy Act (CCPA), and the Indian Information Technology Act 2000 together with its Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011 (SPDI Rules). Cipherion operates in the United States, the United Kingdom, the European Union and India, and this policy applies to all services offered across these regions. We do not sell or share personal data with any third party.
By using our website and services you consent to the collection and use of information in accordance with this policy. If you do not agree with the practices described, you should stop using our services. Continued use signifies your acceptance of this policy and any updates.
Definitions
Personal Data – any information relating to an identified or identifiable natural person. Under the GDPR, personal data must be processed lawfully, fairly and transparently, collected for specified purposes, limited to what is necessary, kept accurate and up to date, retained only as long as necessary, and secured against unauthorised processing.
Processing – any operation performed on personal data such as collection, storage, use, transfer or deletion. Processing must have a lawful basis under Article 6 of the GDPR.
Controller – the entity that determines the purposes and means of processing personal data. Cipherion acts as a controller when we process your personal data.
User – any natural person who accesses or uses our services.
Data We Collect
Cipherion collects the following categories of information:
Company name and industry sector – collected when you register or interact with our services. This information is used to tailor services and provide industry‑specific content.
Contact information – such as name and email address. This allows us to respond to enquiries, send updates and communicate regarding services.
IP address and technical data – we collect Internet Protocol (IP) addresses and browser/device information to maintain security, detect misuse and improve our services. Under the SPDI Rules, sensitive personal data includes passwords, financial information, health conditions or biometric data. The data we collect does not fall within these sensitive categories.
We collect data directly from you (for example, via forms or emails) and automatically through our website's cookies. We do not collect financial information, health data or other sensitive personal data defined in the SPDI Rules.
Purpose and Legal Bases for Processing
Lawful bases under the GDPR and UK GDPR
Processing of personal data is lawful only when one of the conditions in Article 6 GDPR applies. Cipherion uses the following legal bases:
Consent – when you voluntarily provide data (e.g., signing up for newsletters). Under the SPDI Rules, consent is the primary means by which personal data may be processed. You may withdraw consent at any time.
Contractual necessity – when processing is necessary to perform a contract with you or to take steps at your request prior to entering into a contract.
Legitimate interests – we may process data for our legitimate interests in operating and improving services, provided that such interests do not override your fundamental rights and freedoms. This includes ensuring security, fraud prevention and communicating with business customers.
Legal obligations – we may process data to comply with legal or regulatory obligations.
Purposes of processing
We process personal data for the following purposes:
Provide and manage services – to register accounts, respond to enquiries, deliver services and updates.
Improve our website and services – to analyse usage, ensure security and develop new features.
Legal compliance – to comply with applicable laws and regulations.
User Rights
Rights under the GDPR and UK DPA 2018
Individuals have the following rights under the GDPR and UK DPA 2018, as summarised by the UK Government and Information Commissioner's Office:
Right to be informed – to receive clear information about how we use personal data.
Right of access – to obtain confirmation that we process your data and to access a copy of it.
Right to rectification – to request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten") – to request deletion of personal data when there is no legal basis for retention.
Right to restrict processing – to request that processing is limited in certain circumstances.
Right to data portability – to receive personal data in a structured, commonly used format and transmit it to another controller.
Right to object – to object to processing based on legitimate interests or direct marketing.
Rights relating to automated decision‑making and profiling – to not be subject to decisions based solely on automated processing which significantly affect you.
Rights under the CCPA (California residents)
The CCPA grants the following rights to California consumers:
Right to know – to request disclosure of the categories and specific pieces of personal information we collect, use and share.
Right to delete – to request deletion of personal information, subject to certain exceptions.
Right to opt out of sale or sharing – California residents can direct businesses to stop selling or sharing personal information. Cipherion does not sell personal data.
Right to non‑discrimination – we will not discriminate against you for exercising these rights.
Businesses subject to the CCPA must implement reasonable security practices, provide notice at collection, honour consumer requests and avoid discrimination. We follow these obligations.
Rights under the Indian IT Act and SPDI Rules
There is no statutory right to a privacy notice under Indian law; however, organisations that process personal data must display a privacy policy outlining types of data collected, purpose, disclosure practices and security safeguards. Consent is the main lawful basis for processing; the SPDI Rules require consent to be obtained freely and through fair contractual terms. In the event of a security incident, the Indian Computer Emergency Response Team (CERT-In) is the primary agency responsible for receiving breach notifications.
Exercising your rights
To exercise any of these rights, please contact us using the details in the Contact section. We will respond within applicable statutory timeframes. Verification of identity may be required. Users may withdraw consent at any time without affecting the lawfulness of processing already carried out. Where requests are manifestly unfounded or excessive, we may refuse or charge a reasonable fee.
Cookies and Tracking Technologies
Cookies are small files placed on your device to store information. Under the GDPR and ePrivacy Directive, websites must obtain consent for non‑essential cookies and provide clear information about their purpose. We use cookies to:
Remember your preferences and provide secure log‑in.
Analyse site usage to improve services.
We follow these principles for cookie compliance:
Obtain your consent before using cookies other than those strictly necessary.
Describe the purpose of each cookie in plain language.
Document and store your consent.
Allow access to our services even if you decline non‑essential cookies.
Allow you to withdraw your consent as easily as you give it.
You can manage cookie preferences through your browser settings or our cookie banner.
Consent Mechanisms
Active consent – We obtain your consent for processing where required by law, such as sending marketing communications or setting non‑essential cookies. Consent must be freely given, informed and specific.
Contractual consent – When consent is part of a standard form contract, the terms must be fair and reasonable.
Implied consent – By continuing to browse our site or use our services after seeing our cookie notice, you consent to the use of strictly necessary cookies. For all other processing we rely on explicit consent or other legal bases.
You may withdraw consent at any time without penalty.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, consistent with the principle of storage limitation under Article 5 GDPR. Retention periods depend on the type of data and the purpose of processing. When data is no longer needed, we securely delete or anonymise it. Legal obligations may require us to retain certain data for longer periods.
International Data Transfers
Cipherion operates internationally. We may transfer personal data to and from the United States, the European Economic Area, the United Kingdom and India. Article 44 GDPR requires that any transfer to a third country or international organisation maintain an adequate level of protection. We ensure that transfers comply with applicable laws by:
Relying on adequacy decisions or standard contractual clauses approved by the European Commission or UK authorities.
Implementing technical and organisational measures to protect data.
Ensuring that recipients adhere to comparable privacy obligations and provide effective legal remedies.
By providing your information, you acknowledge that it may be transferred to jurisdictions with different data protection regimes.
Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. Article 32 GDPR requires controllers to implement measures such as pseudonymisation and encryption, and to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Our security program includes:
Encryption and pseudonymisation – we encrypt data in transit and at rest where appropriate.
Access controls – we restrict access to personal data to authorised personnel only.
Regular testing and assessments – we test our systems and procedures regularly to ensure resilience and compliance.
Incident response plan – we maintain procedures to respond to suspected data breaches and to notify authorities and individuals as required.
Under the SPDI Rules, organisations must display descriptions of their security safeguards and may face compensation claims if they fail to implement and maintain adequate measures. We take these obligations seriously but cannot guarantee security.
Data Breach Notification
In case of a personal data breach, we will comply with applicable laws:
Notification to supervisory authorities – Article 33 GDPR requires controllers to notify the competent authority without undue delay and, where feasible, within 72 hours after becoming aware of a breach. The notification must describe the nature of the breach, likely consequences and measures taken. Processors must notify controllers without undue delay.
Communication to affected individuals – If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will inform affected persons without undue delay, describing the nature of the breach and actions taken. Communication may not be required if we have implemented appropriate protective measures (e.g., encryption) or if individual notification would involve disproportionate effort, in which case a public notice will be issued.
Documentation – We will document all breaches, as required by Article 33 GDPR.
Under the Indian framework, CERT-In is the authority responsible for receiving notifications of breaches. We will comply with applicable notification requirements in India and other jurisdictions.
Third-Party Disclosures and Transfers
Cipherion does not sell, rent or share personal data with third parties for their own marketing purposes. We may disclose data to:
Service providers who process data on our behalf (e.g., hosting providers). These providers are bound by contracts requiring the same level of data protection and confidentiality.
Regulators, courts or law enforcement agencies where disclosure is required by law.
Successors in interest in case of a merger or sale, subject to the applicable legal framework.
No disclosure of personal data is made without a lawful basis and appropriate safeguards. Under the CCPA, consumers have a right to opt out of sale or sharing, and we do not sell personal information.
Liability and Disclaimer
Cipherion strives to ensure that all personal data is processed securely and in accordance with applicable regulations. However, no method of transmission or storage is completely secure. To the fullest extent permitted by law:
No warranty – our services are provided "as is" without any warranty of any kind.
Limitation of liability – Cipherion shall not be liable for any indirect, incidental, consequential or punitive damages arising out of or related to the use of personal data, data breaches or unauthorised access, except where required by applicable law. In jurisdictions that do not allow such limitations, our liability will be limited to the maximum extent permitted.
Third‑party misuse – we are not responsible for the actions of third parties who gain unauthorised access to your personal data despite our security measures.
Nothing in this policy excludes or limits liability that cannot be limited under law.
Changes to this Policy
We may update this privacy policy from time to time to reflect changes in legal requirements or our practices. When we make changes, we will update the "Last updated" date at the top of the policy and, if significant, provide notice on our website or via email. Continued use of the services after such updates constitutes your acceptance of the revised policy.
Contact and Complaints
If you have any questions, concerns, or wish to exercise your rights, please contact our Data Protection Officer at: official@cipherion.in
You may also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office. EU residents may contact their national data protection authority. California residents may contact the California Attorney General, and Indian residents may contact CERT-In for breach complaints.
Governing Law and Dispute Resolution
This policy and any disputes arising from it are governed by and construed in accordance with the laws of the jurisdiction in which you reside, without regard to conflict of law principles. Where permitted, disputes shall be resolved through arbitration or mediation before resorting to court proceedings.
Consent and Continued Use
Your provision of personal data to Cipherion is voluntary. By accessing or using our services, or by clicking "Accept" when prompted, you acknowledge that you have read this privacy policy and agree to its terms. You also consent to the processing of your personal data as described. If you do not agree, please refrain from using our services. Continued use of Cipherion's services following any update will signify your acceptance of the revised policy.