Privacy Notice

A few terms get used throughout this notice. Where they have specific meanings under Indian law, we use the term that the law itself uses so it's clear what rule applies.

• You / Data Principal: the natural person whose personal data we process — typically a visitor, prospective client, or representative of a client business.
• Personal Data: any information relating to an identified or identifiable natural person (as defined under the Digital Personal Data Protection Act, 2023 — “DPDP Act”).
• Sensitive Personal Data or Information (SPDI): the narrower set defined under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 — passwords, financial information, health data, biometric data, etc.
• Processing: any operation performed on personal data — collection, storage, use, sharing, or deletion.
• We / Us / Data Fiduciary: Dezynum Software Services (OPC) Private Limited, operating the WeYug brand.
• Subprocessor: a third-party vendor that processes personal data on our behalf under a written contract (hosting, email, analytics, etc.).

Information you give us directly

When you fill in a project brief, contact form, request a Free Website Mockup, sign up, or write to us by email / WhatsApp / phone, we collect: name, business name, designation, phone number, email address, city, project details, budget bracket, attachments you share, and anything else you choose to include in the message.

Information collected automatically

When you visit our website, our servers and our analytics tools may automatically record: IP address (used to derive coarse geo-location only, then discarded), user-agent string, referring URL, pages visited, time spent on each page, device type, screen size, and approximate session timestamps.

Information from third-party sources

If you sign in through a federated identity provider (Google, etc.) we receive your verified email address and display name from them — nothing more. If you have an active engagement, we may receive documents or information from people you authorise (your accountant, designer, internal team).

What we do not collect

We do not collect financial information — payments are routed via invoice through your bank, and we never store card numbers or UPI VPAs. We do not knowingly collect SPDI (passwords, health data, biometric data, financial credentials) and ask you not to share any in messages to us.

We use personal data only for the specific lawful purposes you would expect from a B2B services company:

• To respond to your enquiry — replying to your contact form, sending you a proposal, scheduling a discovery call.
• To deliver an engagement — designing, building, and supporting the website or application you've hired us for.
• To send transactional communications — invoices, project status updates, AMC reports, security advisories about your hosting.
• To meet legal and accounting obligations — issuing GST-compliant invoices, retaining books of account per the Income Tax Act and Companies Act.
• To improve our services — aggregated analytics on which pages get read help us write better content. Individual reading habits are not profiled.
• To defend against fraud or abuse — rate-limiting and security logging when our infrastructure is targeted.

We do not use your data for marketing email blasts, retargeting ads, or profiling. We do not sell or rent your data to anyone — full stop.

Under the DPDP Act we may process personal data only for a lawful purpose and only with one of these grounds:

• Consent — when you fill in a contact form, hit submit on a project brief, or accept analytics cookies, you give consent for the specific stated purpose.
• Legitimate use — to deliver an engagement you've asked us to deliver; to respond to communications you initiate; to comply with a legal obligation.

We share personal data only in the narrow cases listed below.

With subprocessors

We engage carefully chosen vendors who help us run the business (hosting, email, analytics, calendar). Every subprocessor is bound by a written contract requiring confidentiality and DPDP-compatible processing. The current list is in the next article.

With your authorised representatives

If you ask us to coordinate with your accountant, internal team, third-party designer, or content writer, we share the minimum project information needed.

For legal reasons

We will comply with a valid court order, summons, or written demand from a competent Indian authority. We will notify you that this happened unless we are legally prohibited from doing so.

On a business transfer

If the company is acquired, merged, or restructured, personal data may transfer to the successor entity under the same protections. Material changes would be notified to you in advance.

What we never do

We do not sell, rent, or barter personal data. We do not share it with data brokers, advertising networks, retargeting networks, or third-party affiliate-marketing platforms. (We do participate in the Envato Market Affiliate Program — see Terms — but Envato receives only an anonymous click event from those outbound links, never your personal data.)

The companies below process limited personal data on our behalf, strictly to provide a service we have contracted them for. The list reflects the current state; we update it when we change vendors.

• Google Workspace — email, calendar, and document collaboration for our team. Used to receive and reply to your enquiries.
• Google Analytics 4 — anonymised website analytics. Only loaded after consent. IP anonymisation enabled.
• VPS hosting providers — DigitalOcean, Hetzner, Linode, or AWS, depending on your specific project. Your project's VPS is provisioned in your name on final handover.
• Cloudflare — DNS, CDN, and DDoS protection for our marketing site and (optionally) for client sites we operate.
• Payment processors — banks, UPI rails, and (for international clients) Stripe or Razorpay. We do not store any payment details ourselves.
• WhatsApp Business — when you message us on WhatsApp, message metadata sits on Meta's servers per their policy.

We do not use AI tools (LLMs, image generators) to process your personal data unless you have explicitly opted in on a specific engagement. Internal use of AI tools is restricted to non-identifying snippets only.

Some of our subprocessors (Google, Cloudflare, certain hosting providers) operate from servers outside India. Under the DPDP Act, transfers of personal data are permitted to any country except those that the Central Government may notify by exclusion. We monitor that list and would relocate processing if a relied-upon country were ever notified. The protections in this notice travel with your data wherever it is processed.

We retain personal data only as long as needed for the purpose it was collected, plus what Indian law requires for retention. Specifically:

• Contact form / enquiry data: 24 months from your last interaction, unless you become a client.
• Active client records: for the lifetime of the engagement plus any AMC term.
• Past-client records: 8 financial years after engagement closure, matching Income Tax Act and Companies Act retention requirements for books of account.
• Server logs: 90 days, then automatically purged.
• Analytics data: aggregated only after 14 months per the GA4 default retention setting.
• Backups: rolling 30 days on encrypted off-site storage, then overwritten.

We follow the “reasonable security practices” required by Section 43A of the Information Technology Act, 2000 and the SPDI Rules, 2011, layered with current industry practice.

• Encryption in transit: TLS 1.2+ on every endpoint that touches personal data.
• Encryption at rest: AES-256 for our internal databases and off-site backups.
• Access control: role-based, principle of least privilege. MFA required on every internal admin account.
• Credential hygiene: secrets are vaulted; production keys rotated at least quarterly; no shared logins.
• Audit logging: admin actions on our systems are logged centrally and retained for 12 months.
• Vendor diligence: every subprocessor is reviewed before onboarding and re-reviewed annually.

Under the DPDP Act, 2023 you have the following rights, which we honour for every data principal regardless of nationality:

• Right to information — ask what we have, where it lives, and how it's used. We respond within 7 working days.
• Right to correction & completion — ask us to fix inaccurate or incomplete data. Done immediately on verified request.
• Right to erasure — ask us to delete your data. We comply, except where Indian law requires retention (e.g., tax records).
• Right to grievance redressal — escalate any concern to our Grievance Officer (see final article). Acknowledged within 24 hours; resolved within 15 days at the latest.
• Right to nominate — name a person who can exercise these rights on your behalf if you become incapacitated or in the event of your death.
• Right to withdraw consent — at any time, with effect going forward.

To exercise any of these rights, email compliance@dezynum.com with the words “Data Request” in the subject line. We may ask for proof of identity to stop someone else from exercising your rights on your behalf without authorisation.

Our website uses two categories of cookies. We do not use any others.

Strictly necessary

Session cookies that keep you logged into the admin panel, remember whether you've dismissed the cookie banner, and protect against CSRF. These are required for the site to work and load with or without consent.

Analytics (consent-based)

Google Analytics 4 cookies with IP anonymisation. Only set after you click “Accept” on the cookie banner. Used to count visitors and pages in aggregate. Decline and the site continues to work normally.

We do not set advertising cookies, retargeting pixels, or cross-site tracking identifiers. Your browser's Do-Not-Track signal is honoured.

Our services are intended for businesses and adults working on behalf of businesses. We do not knowingly collect personal data from anyone under 18, and we do not direct any of our content at children. Under the DPDP Act, processing of a child's personal data requires verifiable parental consent and is restricted to the child's welfare. If you believe a minor has shared information with us, email compliance@dezynum.com and we will delete it without delay.

Our website and the websites we build may link to third-party sites — vendor pages, social platforms, documentation, news articles. We are not responsible for the privacy practices of those third-party sites and recommend you read their notices before sharing personal data with them. A link from our site is not an endorsement of the destination's privacy practices.

If this notice changes materially — new categories of data, new purposes, new subprocessors that materially affect you — we will publish the updated version at this URL with a new effective date and, where you are an active client, email you the summary of changes at least 14 days before they take effect. Non-material changes (typo fixes, clarifying language, vendor name changes that don't change what they do) are published silently.

In line with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the DPDP Act, 2023, we publish a Grievance Officer for India-resident users.

Data Controller / Data Fiduciary

Statutory references: Information Technology Act, 2000 § 43A & § 79; IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021; Digital Personal Data Protection Act, 2023.