Your data, handled with care.

This Privacy Policy explains how Deburise Solutions("Deburise", "we", "our") collects, uses, shares, and protects personal data in connection with our website, products, and services. It applies whether you visit our site, send us an email, request a demo, become a client, or interact with us in any other way.

We follow the strictest applicable data-protection standard for every person we deal with. That means even where the local law in your country requires less, we typically apply the same protections we'd use under the EU's GDPR. Where a specific framework (GDPR, CCPA, DPDP, LGPD, PIPEDA, POPIA, UK GDPR) grants you extra rights, those apply on top of this baseline.

We collect personal data in three ways:

1. Information you provide directly: when you fill in a form, sign up for a newsletter, request a consultation, send us an email, or interact during an engagement.
2. Information collected automatically: through cookies, server logs, and similar technologies when you visit our website or use our services.
3. Information from third parties: from enrichment tools, public business databases (e.g. LinkedIn profile data), partners, and from clients when they provide data to us under a Data Processing Agreement.

We use personal data for these specific purposes:

We do not sell or rent personal data to anyone. We do not use personal data in our website forms to train AI models. For client engagements, any AI processing of client-supplied data is governed by a separate Data Processing Agreement that prohibits such uses.

For users in the EU, UK, and other jurisdictions with similar frameworks, we process personal data under one or more of the following legal bases:

• Consent - for marketing communications, certain analytics cookies, and optional features. You can withdraw consent any time.
• Contract - to provide the services agreed in a signed Statement of Work or to take pre-contractual steps at your request.
• Legitimate interests - to operate, improve, and secure our business and services, balanced against your rights. We document this balancing for sensitive processing.
• Legal obligation - to comply with tax, audit, anti-money-laundering, and other applicable laws.
• Vital interests / public interest - only in exceptional cases (very rare for our business).

We use cookies and similar technologies for essential operations, functional preferences, analytics, and marketing. Detailed categories, what each does, and a granular preference toggle live in our Cookie Policy.

You can manage preferences at any time via the cookie banner on first visit, the "Cookie Preferences" link in our footer, or your browser settings.

We share personal data only in these limited circumstances:

• Service providers who help us operate - cloud hosting (e.g. AWS, Vercel), email delivery, CRM, analytics, payment processing. We use a small set of well-known providers, each under a contractual obligation to protect your data and use it only for our purposes.
• Sub-processors approved by you under a Data Processing Agreement, when required to deliver services to your business.
• Authorities when legally compelled by valid court order, subpoena, or regulatory request - we'll push back on overbroad requests and notify you where lawful to do so.
• Successors in the event of a merger, acquisition, or sale of assets - with continuity of these privacy commitments and notice to you.

We retain personal data only as long as needed for the purposes set out in this policy, or as required by law. Specific retention periods:

• Marketing list contacts: until you unsubscribe, plus 30 days for verification.
• Inquiry / contact form submissions: up to 24 months from last interaction.
• Client engagement records: duration of the engagement plus 7 years (tax / contract record-keeping).
• Website logs / analytics: 12 months for raw logs, aggregated for longer.
• Cookie data: per category, see the Cookie Policy. Typical max is 12 months.

We use industry-standard administrative, technical, and physical safeguards designed to protect personal data. This includes encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, least-privilege provisioning, multi-factor authentication for all internal systems, regular security training, and ongoing penetration testing.

No system is 100% secure. In the event of a personal data breach that's likely to result in a risk to your rights, we will notify you and the relevant supervisory authority within the timeframes required by law (e.g. 72 hours under GDPR).

Full details of our security practices live on our Security page.

Deburise is headquartered in India. Personal data we process may be transferred to, stored in, or processed in countries outside your country of residence - including India, the United States, and the European Union - depending on where our team and service providers operate.

For transfers out of the EU/EEA or UK, we rely on appropriate safeguards as required by GDPR / UK GDPR. These include the European Commission's Standard Contractual Clauses (SCCs), UK International Data Transfer Addendums, and, where applicable, the UK/EU-US Data Privacy Framework with participating sub-processors. We assess each transfer for risk and apply supplementary measures where needed.

Depending on your jurisdiction, you have specific rights over your personal data. Some apply universally, while others are jurisdiction-specific. We honour the strictest applicable rights for everyone - but the supervisory authority you can complain to depends on where you live.

To exercise any of these rights, use our Data Subject Request form or email privacy@deburise.com. We respond within 30 days, free of charge for the first request per calendar year. We'll verify your identity before acting on access or deletion requests, to protect your data from impersonators.

Deburise's services are intended for businesses and adults aged 18 or older. We do not knowingly collect personal data from children under 16 (or the applicable minimum age in your jurisdiction). If you believe a child has provided data to us, please email privacy@deburise.com and we will delete it promptly.

We build AI solutions for clients. Whenever we deploy AI systems that process the personal data of a client's end users, we operate as a data processor under the client's instructions, governed by a signed Data Processing Agreement.

For our own AI features (such as any AI-assisted communication on this website), we use enterprise tiers of major AI providers with contractual commitments that exclude customer data from model training. We don't make consequential decisions about you solely on the basis of automated processing - there is always meaningful human review where automated tooling assists internal decisions.

We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or feedback from you. Material changes will be communicated via prominent notice on our website and, where you have a relationship with us, by email at least 30 days before they take effect.

The "last updated" date at the top of this page indicates when the policy was last revised. We maintain a public changelog for material revisions.

Questions, complaints, or requests related to your personal data should go to:

You also have the right to lodge a complaint with your local supervisory authority. We'd appreciate the chance to address your concerns first - please reach out to us before escalating.