Privacy Policy

1. Who we are

We are SRI INFOIT, a system-integration and IT services firm headquartered in Visakhapatnam, India. For the purposes of DPDP-2023 we act as a Data Fiduciary with respect to the personal data submitted to us through this website, our email channels, and our service-delivery operations.

Our registered correspondence address, official phone number and primary email are listed in the Contact section below and on every page footer.

2. Personal data we collect

We collect only what we need. Specifically:

2.1 Data you give us directly

• Contact form submissions: name, work email, phone number (optional), company name (optional), and the message you send us. We never make any of these fields conditional on unrelated marketing consent.
• Email correspondence: the contents of emails you send to info@sriinfoit.com and any attachments.
• Engagement data: if you engage us as a customer, additional contact details for project stakeholders, technical information about your environment that you choose to share, and documents required for service delivery (e.g. PO numbers, GST details, invoicing addresses).

2.2 Data collected automatically

• Server logs: our hosting provider records the IP address, user-agent string, requested URL, HTTP status code, and timestamp of each request. These logs are retained for 30 days and used only for security monitoring, rate-limiting, and operational debugging.
• Functional cookies: a single CSRF cookie set when you load the contact form, which expires when you close your browser. We do not use third-party cookies. See Cookies.

2.3 Data we do not collect

• We do not run analytics or behavioural-tracking scripts on this site.
• We do not embed third-party advertising or social-share trackers.
• We do not collect Aadhaar, PAN, or other government identifiers via this website.
• We do not knowingly collect data from children (see §9).

3. Why we collect it (purpose & lawful basis)

Under DPDP-2023, every act of personal-data processing must have a defined purpose and a lawful basis. The table below maps every category of data we collect to a single primary purpose.

We do not use your personal data for automated decision-making, profiling, or targeted advertising.

4. When we share your data

We do not sell your data. We do not share your data for marketing purposes. We share data only in these specific cases:

• Service-delivery sub-processors — the minimum required (e.g. our email provider for transactional replies, our hosting provider for server operations). Each sub-processor is bound by contract to the same security standards. A current list of sub-processors is available on request via info@sriinfoit.com.
• Legal compliance — when we are required by a binding order from an Indian court or a competent authority acting under Indian law. We disclose only the specific data the order requires and only after legal review.
• Business transfers — if SRI INFOIT is acquired or merged, your data may transfer to the successor entity. You will be notified before any such transfer takes effect, and you will retain all rights in this policy.

5. Cookies and similar technologies

This website uses exactly one cookie: a session-scoped CSRF token named srib_csrf set when the contact form loads. It contains a random 32-byte hex string, has the HttpOnly, Secure, and SameSite=Lax attributes, and is deleted when you close your browser.

We do not use Google Analytics, advertising pixels, social-share widgets, or any other cookie-setting third party.

6. How long we keep your data

• Contact-form submissions that do not lead to engagement: deleted from our inbox 180 days after the last reply.
• Active engagement data: retained for the duration of the engagement plus 3 years from end of contract for warranty, audit, and legal record-keeping.
• Invoicing & tax records: retained for 8 years as required under the Income Tax Act and GST law.
• Server logs: rotated and deleted after 30 days.
• Backups: service-delivery data is kept in an encrypted backup for up to 90 days from the point of deletion in production. Backups age out and are permanently overwritten.

7. How we secure your data

We apply reasonable security practices and procedures as required under Rule 8 of the IT Rules, 2011, including:

• TLS 1.2 or higher for all data in transit between your browser and our servers.
• Server-side input validation, CSRF protection, rate-limiting on all submission endpoints, and a Content-Security-Policy that prevents inline-script injection.
• Role-based access control on internal systems, with multi-factor authentication on all administrative accounts.
• Encrypted backups; encrypted laptop storage on every employee device that holds customer data.
• A documented incident-response procedure with notification obligations to affected Data Principals and to the Data Protection Board within the timelines required by DPDP-2023.

No system is perfectly secure. If you suspect a vulnerability, please report it via our security policy or /.well-known/security.txt.

8. Your rights as a Data Principal

Under DPDP-2023, you have the following rights regarding your personal data:

• Right to access a summary of your personal data being processed.
• Right to correction of inaccurate or incomplete data.
• Right to erasure of personal data once the purpose for which it was collected is over — subject to retention obligations described in §6.
• Right to nominate a person to exercise these rights on your behalf in the event of your death or incapacity.
• Right to grievance redressal — we acknowledge every grievance within 5 working days and resolve within 30 days, in line with §13(3) DPDP-2023.
• Right to withdraw consent — with effect from the date of withdrawal. Note that withdrawal does not affect processing already carried out under valid consent.

To exercise any right, send a written request to our Grievance Officer (§12) with a subject line beginning [Privacy] and enough detail to identify you and your request. We do not require government ID for routine requests; if a request involves a high-risk action (e.g. erasure of an active engagement record) we may ask for additional verification.

If you are unsatisfied with our response, you may complain to the Data Protection Board of India at the address notified by the Government of India under §28 DPDP-2023.

9. Children's data

Our website and services are intended for businesses and professional adults. We do not knowingly collect personal data from individuals under the age of 18. If you believe a child has submitted data through our site, please email our Grievance Officer and we will delete it without undue delay.

10. International transfers

Personal data submitted through this website is processed and stored on servers located in India. We do not transfer personal data outside India unless (a) it is required to deliver a service you have specifically engaged us for (e.g. an OEM-cloud deployment) and (b) the destination country has not been restricted by the Central Government under §16 DPDP-2023. We will always inform you in writing before any such cross-border transfer.

11. Changes to this policy

We may revise this policy to reflect changes in our practices, applicable law, or regulatory guidance. The "Last updated" date at the top of this page reflects the most recent change. For substantive changes that materially affect your rights, we will notify you by email if we have an active engagement with you, or by a prominent notice on this site for at least 30 days before the change takes effect.

12. Grievance Officer & contact

In compliance with §13 DPDP-2023 and Rule 5(9) of the IT Rules, 2011, we have nominated a Grievance Officer:

Subject lines we recognise: [Privacy] for general privacy questions, [Privacy: Access] for data-access requests, [Privacy: Correction] to correct data, [Privacy: Erasure] to request deletion. Using these subject prefixes routes the request straight to the Grievance Officer and starts the 5-working-day acknowledgement clock.