Introduction and Scope
Apro IT Solutions Pvt Ltd ("Apro IT", "we", "us", or "our") is committed to protecting the privacy and security of personal data we collect, process, and store in the course of our business operations.
This Privacy Policy describes how we handle personal information relating to:
- Visitors to our website (aproitsolutions.com and associated sub-domains)
- Prospective and existing clients who inquire about or engage our services
- Employees, contractors, and job applicants
- End users of digital products or applications we develop or operate on behalf of clients, where we act as a data processor
This Policy is designed to comply with the Digital Personal Data Protection Act 2023 (DPDPA), India's primary data-protection legislation, and, where applicable, with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other regional privacy laws that may apply to our clients or their end users.
By accessing our website or engaging our services, you acknowledge that you have read and understood this Policy.
Who We Are (Data Fiduciary / Controller)
Apro IT Solutions Pvt Ltd is the Data Fiduciary under the DPDPA and the Data Controller under the GDPR in respect of personal data we collect for our own business purposes.
Where we develop, host, or maintain digital products on behalf of clients, we typically act as a Data Processor / Data Fiduciary's Consent Manager under their instructions. In such cases, our clients' own privacy notices govern how end-user data is handled.
Key Definitions
| Term | Meaning |
| Personal Data | Any data about an individual who is identifiable by or in relation to such data (DPDPA, s. 2(t)); any information relating to an identified or identifiable natural person (GDPR, Art. 4(1)). |
| Processing | Any operation performed on personal data, including collection, storage, use, sharing, and erasure. |
| Data Principal / Data Subject | The individual whose personal data is being processed. |
| Consent | A free, specific, informed, unconditional, and unambiguous indication of the data principal's wishes by a clear affirmative action. |
| Significant Data Fiduciary | A class of fiduciaries notified by the Central Government based on volume/sensitivity of data processed. |
| Third Country | A country outside India (under DPDPA) or outside the EEA (under GDPR). |
Personal Data We Collect
4.1 Information You Provide Directly
| Category | Examples | Context |
| Identity Data | Full name, job title, company name | Contact forms, client onboarding, job applications |
| Contact Data | Email, phone number, postal address | Contact forms, contracts, invoices |
| Professional Data | CV/résumé, portfolio, work history | Job applications |
| Financial Data | Bank details, GST number, payment records | Client invoicing and payments |
| Project / Content Data | Briefs, design assets, source code, credentials | Service delivery |
| Communications | Email threads, chat logs, meeting notes | Support and project management |
4.2 Information We Collect Automatically
| Category | Examples |
| Technical Data | IP address, browser type, OS, device identifiers |
| Usage Data | Pages visited, time on site, referral URL, click paths |
| Cookie / Tracking Data | Session IDs, analytics identifiers (see Section 7) |
| Log Data | Server logs, API request logs, error logs |
4.3 Information from Third Parties
- Professional networking profiles (LinkedIn) when you contact us through those platforms
- Referrals from existing clients or partners
- Publicly available business directories
4.4 Sensitive Personal Data
We do not seek to collect sensitive personal data (health, biometrics, financial account details beyond invoicing, caste, religion, political views) unless strictly necessary for a specific engagement, in which case we will obtain explicit consent and implement enhanced safeguards.
Legal Bases and Grounds for Processing
| Purpose | DPDPA Ground | GDPR Equivalent |
| Providing contracted IT services | Legitimate uses – contractual necessity | Art. 6(1)(b) – Contract performance |
| Responding to inquiries / quotes | Consent / Legitimate uses | Art. 6(1)(b) / Art. 6(1)(f) |
| Marketing communications (opt-in) | Consent | Art. 6(1)(a) – Consent |
| Legal and regulatory compliance | Legal obligation | Art. 6(1)(c) – Legal obligation |
| Fraud prevention / security | Legitimate uses | Art. 6(1)(f) – Legitimate interests |
| Recruitment / HR | Consent + Contractual | Art. 6(1)(b) + Art. 6(1)(a) |
| Analytics & website improvement | Consent | Art. 6(1)(a) – Consent |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
How We Use Your Information
We use collected personal data for the following purposes:
Service Delivery
- Scoping, designing, developing, testing, and deploying digital products and IT solutions
- Managing project timelines, communication, and deliverables
- Providing technical support and maintenance
Business Operations
- Processing invoices and payments
- Maintaining business records and contracts
- Performing due diligence on vendors and partners
Marketing and Communications
- Sending newsletters, product updates, and promotional material (with consent)
- Responding to enquiries submitted through our website or email
Recruitment and HR
- Evaluating job applications and conducting interviews
- Onboarding and managing employee/contractor relationships
Security and Compliance
- Monitoring for unauthorised access and security incidents
- Meeting statutory, regulatory, and audit obligations
- Enforcing our contracts and terms of service
Analytics and Improvement
- Analysing website traffic patterns to improve user experience
- Measuring effectiveness of marketing campaigns
- Conducting client satisfaction surveys (optional)
We do not use personal data for automated decision-making that produces significant legal effects without human review.
Cookies and Tracking Technologies
Our website uses cookies and similar technologies. A cookie is a small text file placed on your device to help the website function correctly and improve your experience.
| Cookie Type | Purpose | Consent Required? |
| Strictly Necessary | Session management, security, load balancing | No (exempt) |
| Functional | Language preference, form auto-fill | Yes |
| Analytics | Google Analytics – traffic measurement, behaviour analysis | Yes |
| Marketing / Retargeting | Ad targeting, conversion tracking | Yes |
You can manage cookie preferences via our on-site consent banner or through your browser settings. Withdrawing consent for non-essential cookies will not affect the website's core functionality.
We may use Google Analytics with IP anonymisation enabled. Data collected by Google is governed by Google's own Privacy Policy.
How We Share and Disclose Personal Data
We do not sell personal data. We may share it with:
Service Providers / Sub-processors
| Category | Examples | Purpose |
| Cloud Hosting | AWS, Google Cloud, Azure, Hostinger | Application and data hosting |
| Communication | Google Workspace, Slack, Zoom | Internal and client communication |
| Project Management | Jira, Trello, Notion, Linear | Task and project tracking |
| Payment Processing | Razorpay, Stripe, PayPal | Invoice and payment processing |
| Analytics | Google Analytics | Website analytics |
| Marketing | Mailchimp, HubSpot | Email marketing |
| Version Control | GitHub, GitLab | Source code management |
| HR / Payroll | Zoho People, Keka | HR and payroll management |
All sub-processors are bound by data-processing agreements ensuring equivalent protections.
Other Disclosure Scenarios
- Legal requirement: Courts, law enforcement, or regulatory authorities when required by law
- Business transfers: In connection with a merger, acquisition, or sale of assets (with prior notice where required)
- Professional advisors: Lawyers, accountants, insurers under confidentiality obligations
- With your consent: Any other sharing you have explicitly authorised
Third-Party Services on Our Website
Our website may integrate third-party tools. Each is governed by its own privacy policy:
International Data Transfers
As an Indian company, our primary data processing occurs in India. However, some of our third-party service providers are located outside India, including in the United States and the European Economic Area.
Under the DPDPA, the Central Government may restrict transfers to certain countries. We ensure that any cross-border transfers occur only to countries or entities that provide adequate protection equivalent to Indian standards, or are subject to approved Standard Contractual Clauses, Binding Corporate Rules, or other recognised transfer mechanisms.
For data subjects in the EEA/UK, transfers outside those regions are protected by the Standard Contractual Clauses (SCCs) adopted under GDPR Article 46 or, where available, an adequacy decision.
You may request information about the safeguards applied to your data transfers by contacting info@aproitsolutions.com.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer period is required or permitted by law.
| Category | Retention Period | Rationale |
| Client contract data | 7 years after contract end | Indian tax and legal requirements |
| Employee / HR records | 7 years after leaving | Labour law, statutory compliance |
| Job applicant data (unsuccessful) | 12 months after decision | Potential future hiring; consent-based |
| Website analytics data | 26 months (GA default) | Trend analysis; aggregated after 26 months |
| Marketing contact data | Until opt-out or 3 years inactivity | Consent-based |
| Support / communication logs | 2 years after resolution | Quality assurance and dispute resolution |
| Financial / payment records | 7 years | GST Act, Income Tax Act |
| Server / security logs | 90 days (rolling) | Security monitoring |
After the applicable retention period, data is securely deleted or anonymised in accordance with our Data Destruction Policy.
How We Protect Your Data
We implement appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Technical Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256 where applicable)
- Firewalls, intrusion-detection systems, and regular vulnerability scans
- Multi-factor authentication for critical systems
- Role-based access control (RBAC) enforcing least privilege
- Regular security patching and dependency updates
Organisational Measures
- Confidentiality clauses in all employee and contractor agreements
- Annual data-protection training for all staff
- Data-breach incident response procedure
- Periodic internal privacy audits
- Vendor security assessments before onboarding sub-processors
Data Breach Notification: In the event of a personal data breach that is likely to result in risk to individuals, we will notify the Data Protection Board of India within 72 hours (DPDPA) and affected individuals without undue delay, where required. Where the GDPR applies, we follow its equivalent notification requirements.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
| Right | DPDPA | GDPR (where applicable) |
| Access | ✓ (s. 11) | ✓ (Art. 15) |
| Correction / Rectification | ✓ (s. 12) | ✓ (Art. 16) |
| Erasure / Right to be Forgotten | ✓ (s. 12) | ✓ (Art. 17) |
| Withdraw Consent | ✓ (s. 6) | ✓ (Art. 7(3)) |
| Grievance Redressal | ✓ (s. 13) | ✓ (Art. 77) |
| Nominate a Representative | ✓ (s. 14) | N/A |
| Data Portability | Limited (Rules pending) | ✓ (Art. 20) |
| Object to Processing | Via consent withdrawal | ✓ (Art. 21) |
| Restrict Processing | Via consent withdrawal | ✓ (Art. 18) |
GDPR Rights
- Receive a response within 30 days (extendable by 2 months for complex requests)
- Lodge a complaint with a supervisory authority (e.g., ICO in the UK, your national DPA in the EU)
DPDPA Rights
- Lodge a complaint with the Data Protection Board of India if your grievance is not resolved satisfactorily
- Receive a response within 48 hours of acknowledging your grievance (as per Draft Rules)
How to Exercise Your Rights or Raise a Concern
To exercise any of the rights listed above, please contact our Privacy Team using the details below. We may ask you to verify your identity before processing your request.
We will not charge a fee to exercise your rights unless the request is manifestly unfounded, repetitive, or excessive.
Client Data and Our Role as a Processor
When we develop, host, or operate digital solutions on behalf of our clients, we process personal data of our clients' end users strictly under their instructions and subject to our Data Processing Agreement (DPA).
In such circumstances:
- Our clients are the Data Fiduciary / Data Controller
- We act as the Data Processor / Service Provider
- End users seeking to exercise their rights should refer to the relevant client's privacy notice
- We assist clients in fulfilling their obligations including data subject requests, security measures, and breach notifications
We engage sub-processors only with client approval or general authorisation as specified in our DPA, and we ensure sub-processors meet equivalent data-protection standards.
Children's Privacy
Our website and primary services are not directed at children under the age of 18. We do not knowingly collect personal data from minors without verifiable parental consent.
If we develop products intended for use by minors on behalf of clients, we implement additional safeguards including age-gating mechanisms, parental consent flows, and restricted data collection as required under the DPDPA and applicable laws.
If you believe we have inadvertently collected data from a child, please contact info@aproitsolutions.com immediately and we will take steps to delete such data.
Links to Third-Party Websites
Our website may contain links to third-party websites, plugins, or applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices.
We encourage you to review the privacy policy of every site you visit. This Policy applies only to information collected by Apro IT Solutions Pvt Ltd on our own platforms.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify registered users or clients by email (for significant changes)
- Display a prominent notice on our website
We encourage you to review this Policy periodically. Your continued use of our website or services after the effective date of any change constitutes your acknowledgment of the updated Policy.
For material changes requiring fresh consent under the DPDPA or GDPR, we will obtain your consent before the change takes effect.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data-handling practices, please reach out to us:
If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India (once constituted) or, where the GDPR applies, with your national data-protection supervisory authority.