Privacy Statement
- DPDP Act 2023
- GDPR
- UK GDPR
- CCPA / CPRA
- CMMI Level 5
1. Who we are
This Privacy Statement explains how eCorp Information Technologies Private Limited ("eCorpIT", "we", "our", or "us") collects, uses, shares, retains, and protects personal data when you visit ecorpit.com, engage with our services, apply for a role, or otherwise interact with us.
- Legal entity: eCorp Information Technologies Private Limited
- Trade name: eCorpIT
- Registered office: 1120, 11th Floor, SVH 83 Metro Street, Sector 83, Gurugram, Haryana 122012, India
- General: contact@ecorpit.com
- Privacy requests: privacy@ecorpit.com
- DPDP Grievance Officer: grievance@ecorpit.com
- Security reports: security@ecorpit.com
- Legal notices: legal@ecorpit.com
- Phone / WhatsApp: +91 9810 940 524
- Founded: 2021
This Privacy Statement applies to personal data processed by eCorpIT on its own account — including website, marketing, recruitment, and business-development activities. Where eCorpIT processes personal data on behalf of clients under engagement contracts, such processing is governed by the relevant client agreement, Data Processing Agreement (DPA), Statement of Work (SOW), and client instructions.
Under the India Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), eCorpIT acts as the Data Fiduciary in respect of personal data we process on our own account. When processing on behalf of clients, we act as a Data Processor.
Under the EU General Data Protection Regulation ("GDPR") and the UK GDPR, eCorpIT acts as the Controller in respect of data processed on our own account, and as a Processor in respect of personal data processed on behalf of clients.
2. What personal data we collect
Website visitors
- IP address, browser type and version, operating system, device identifiers
- Pages viewed, time spent, referring URL, exit URL, click events
- Approximate geolocation derived from IP address (city / region level)
- Cookies and similar technologies (see our Cookie Policy)
Prospects and clients
- Name, business email, business phone number, country, company name, job title
- Information you provide in project estimate forms, discovery calls, and proposals
- Records of communications (email, WhatsApp messages, call notes, meeting notes)
- Billing and payment information processed by our payment partners
- Engagement documents (NDAs, MSAs, SOWs)
Candidates and applicants
- CV / resume, contact details, employment and education history, references
- Interview notes, assessment results, right-to-work documentation
We do not request diversity, health, caste, religion, or other sensitive information during recruitment unless required by law or voluntarily provided by the candidate in connection with a specific process.
Newsletter and marketing subscribers
- Email address, name (optional), subscription preferences, engagement metrics
Visitors to our office
- Name, organization, time of visit, host name, and visitor-management records
We do not knowingly collect sensitive personal data (as defined by the DPDP Act and Rules, GDPR Article 9, or equivalent frameworks) unless explicitly necessary and consented to for a specific service engagement.
3. Why we collect personal data (purposes and legal bases)
We process personal data only where we have a valid legal basis under the DPDP Act, the DPDP Rules, GDPR, and other applicable law.
Consent
Where you have given clear, specific, informed, and freely-given consent — for marketing communications, optional cookies, and similar processing. You can withdraw consent at any time.
Performance of a contract
Where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract — including project estimates, engagement letters, MSAs, and SOWs.
Legitimate interests
Where we have a legitimate interest that is not overridden by your rights — including improving our website, securing our systems, preventing fraud, responding to business inquiries, and maintaining business records.
Legal obligation
Where processing is required to comply with applicable law — including tax law, employment law, anti-money-laundering requirements, and lawful requests from competent authorities.
Specific purposes
- Responding to project estimate requests and inquiries
- Delivering services under engagement contracts
- Sending invoices and processing payments
- Recruiting and onboarding employees and contractors
- Operating, securing, and improving ecorpit.com and our internal systems
- Sending newsletters and service updates (with consent or under permitted communications)
- Complying with legal, regulatory, and audit obligations
- Defending or asserting legal claims
5. International data transfers
eCorpIT is headquartered in India. We process personal data primarily in India and in cloud regions provided by our hyperscaler partners (AWS, Microsoft Azure, Google Cloud) which may be located in India, the United States, the European Union, the United Kingdom, the United Arab Emirates, Australia, Canada, or Singapore — depending on the workload and client requirement.
Where we transfer personal data of EU, UK, or other regulated jurisdictions to a third country that does not provide an equivalent level of protection, we rely on appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
- Other transfer mechanisms recognized under applicable law
Clients engaging eCorpIT under Data Processing Agreements may specify data-residency requirements, which we will honor through cloud region selection and sub-processor designation.
6. How long we retain personal data
We retain personal data only for as long as necessary for the purposes for which it was collected, including legal, accounting, audit, or regulatory requirements.
- Website analytics: up to 26 months (Google Analytics 4 default retention)
- Prospect inquiries: up to 24 months from last interaction unless converted to a client
- Client engagement records: duration of engagement plus 7 years (tax, contract, and audit retention)
- Candidate records: up to 12 months from application unless you consent to longer retention for future opportunities
- Newsletter subscribers: until unsubscribed plus 30 days for processing
- Visitor logs: up to 12 months
- Financial records: as required by Indian tax law and audit obligations (minimum 8 years)
After the retention period ends, we delete, anonymize, or aggregate personal data. eCorpIT maintains an internal retention SOP that mirrors these public commitments.
7. Your rights
Depending on your jurisdiction, you may have the following rights in respect of personal data we hold about you.
Rights under the India DPDP Act and DPDP Rules, 2025
- Right to access information about processing
- Right to correction and erasure
- Right to grievance redressal
- Right to nominate another individual to exercise rights on your behalf
- Right to withdraw consent (where processing is consent-based)
Rights under GDPR and UK GDPR
- Right of access, rectification, erasure, restriction, portability
- Right to object to processing (including direct marketing)
- Right not to be subject to automated decision-making, including profiling
- Right to lodge a complaint with a supervisory authority
Rights under CCPA / CPRA (California residents)
- Right to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information
- Right to non-discrimination for exercising your CCPA rights
How to exercise your rights
Submit a request via email to privacy@ecorpit.com with the subject line "Data Subject Request — [right requested]". We will respond within the timeframes required by applicable law (statutory timeframes under the DPDP Act and Rules; typically 30 days under GDPR; 45 days under CCPA, extendable to 90 days).
Identity verification
To protect personal data, we may ask you to verify your identity by confirming your email address, phone number, prior interaction details, or other information reasonably necessary to match your request with our records. We will only use this information for verification and will delete it after the request is closed.
8. Grievance Officer / Data Protection Contact
Under the India DPDP Act, you may contact our designated Grievance Officer for any concerns regarding the processing of your personal data:
- Name: Dipika Sachdeva
- Title: Grievance Officer / Data Protection Lead
- Email: grievance@ecorpit.com
- Postal: Grievance Officer, eCorp Information Technologies Private Limited, 1120, 11th Floor, SVH 83 Metro Street, Sector 83, Gurugram, Haryana 122012, India
For EU and UK data subjects, the same contact serves as our point of contact for data-protection inquiries. If you are unsatisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India, your local EU supervisory authority, the UK Information Commissioner's Office (ICO), or other competent regulator.
eCorpIT maintains procedures to receive, verify, and respond to requests from Data Principals in accordance with the DPDP Act and DPDP Rules, 2025. We may ask for reasonable information to verify identity before acting on a request.
9. How we protect personal data
eCorpIT holds a current CMMI Maturity Level 5 appraisal — the highest level in the CMMI for Development model. Information-security practices are aligned with the principles of ISO 27001 and the NIST Cybersecurity Framework. Specific technical and organizational measures include:
- Encryption at rest and in transit for personal data we process
- Role-based access controls and least-privilege defaults
- Multi-factor authentication for system access
- Endpoint protection (Kaspersky) and managed security operations
- Regular security testing and vulnerability management
- Documented incident response and breach notification procedures
- Employee security training and confidentiality obligations
- Vendor and sub-processor due diligence
No information transmitted over the Internet can be guaranteed 100% secure. We use reasonable efforts to protect personal data but cannot warrant absolute security.
10. Security vulnerability reports
If you believe you have discovered a vulnerability, security issue, or unauthorized access affecting eCorpIT systems, the Website, or any service we operate, please report it to security@ecorpit.com. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and respond. We commit to acknowledging legitimate security reports within 5 working days.
11. Personal data breach notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects:
- Under the DPDP Act and DPDP Rules, we will notify the Data Protection Board of India and affected Data Principals as required
- Under GDPR / UK GDPR, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach where required, and affected data subjects without undue delay where there is a high risk to their rights and freedoms
- Under CCPA / CPRA and other US state privacy laws, we will notify affected California residents and other applicable parties as required
- For breaches affecting client data processed under engagement contracts, we will notify the client without undue delay as specified in the Data Processing Agreement
12. Marketing communications and unsubscribe
You may unsubscribe from marketing emails at any time by using the unsubscribe link in any marketing email or by contacting privacy@ecorpit.com. We may still send non-marketing communications relating to active projects, transactions, security, or legal matters where permitted by applicable law.
13. Children
eCorpIT's services and website are not directed to children under 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from children. Under the DPDP Act and DPDP Rules, 2025, processing of personal data of children requires verifiable parental consent, and we do not process children's data on our own account. If you believe we have inadvertently collected personal data from a child, please contact privacy@ecorpit.com and we will delete the data.
15. Automated decision-making
eCorpIT does not make decisions that produce legal effects or similarly significant effects concerning you based solely on automated processing of personal data on our own account. Where we build AI systems for clients under engagement contracts, the client is the data controller for those systems, and any automated decision-making provisions are governed by the client's privacy notices.
16. Third-party links
Our website may contain links to third-party websites, services, or applications that are not operated by eCorpIT. We have no control over and assume no responsibility for the privacy practices of any third-party sites or services. We encourage you to read the privacy policies of any third-party site you visit.
17. Changes to this Privacy Statement
We may update this Privacy Statement from time to time. The "Last updated" date at the top indicates when it was last revised. We will notify you of material changes by posting a prominent notice on ecorpit.com or, where appropriate, by email. We encourage you to review this Statement periodically.
18. Contact us
For any questions, requests, or concerns about this Privacy Statement or the processing of your personal data, please contact us:
- General: contact@ecorpit.com
- Privacy requests: privacy@ecorpit.com
- DPDP grievance: grievance@ecorpit.com
- Security reports: security@ecorpit.com
- Legal notices: legal@ecorpit.com
- Postal: eCorp Information Technologies Private Limited, 1120, 11th Floor, SVH 83 Metro Street, Sector 83, Gurugram, Haryana 122012, India
- Phone / WhatsApp: +91 9810 940 524
- Working hours: 9:00 AM – 6:00 PM IST (Monday – Friday)