PRIVACY POLICY 

PRIVACY NOTICE 

 This privacy notice for Fortmindz Private Limited (“Fortmindz,” “we,” “us,” or “our”) describes how and why we collect, store, use, and/or share (“process”) your information when you use our services (“Services”), such as when you: 

• Visit our website at https://fortmindz.com, or any website of ours that links to this privacy notice 

• Engage with us in other related ways, including any sales, marketing, or project enquiries 

 Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you have any questions or concerns, please contact us at dpo@fortmindz.com. 

 SUMMARY OF KEY POINTS 

 This summary provides key points from our privacy notice. You can find full details by clicking the link following each key point or by using the table of contents below. 

• What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with Fortmindz, the choices you make, and the products and features you use. 
• Do we process any sensitive personal information? We do not process sensitive personal information. 
• Do we receive any information from third parties? We do not receive any information from third parties. 
• How do we process your information? We process your information to provide and improve our Services, communicate with you, for security and fraud prevention, and to comply with law. 
• What are your rights? Depending on where you are located, applicable privacy law may give you certain rights. See Section 10 for details on rights under DPDP (India), GDPR (EU/UK), CCPA (California) and PIPEDA (Canada). 
• How do I exercise my rights? Email us at dpo@fortmindz.com. We will consider and act upon any request in accordance with applicable data protection laws. 

TABLE OF CONTENTS 

1. WHAT INFORMATION DO WE COLLECT? 
2. HOW DO WE PROCESS YOUR INFORMATION? 
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION? 
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION? 
5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES? 
6. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY? 
7. HOW LONG DO WE KEEP YOUR INFORMATION? 
8. HOW DO WE KEEP YOUR INFORMATION SAFE? 
9. DO WE COLLECT INFORMATION FROM MINORS? 
10. WHAT ARE YOUR PRIVACY RIGHTS? 
11. CONTROLS FOR DO-NOT-TRACK FEATURES 
12. DO CALIFORNIA RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS? 
13. DO WE MAKE UPDATES TO THIS NOTICE? 
14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE? 
15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU? 

1. WHAT INFORMATION DO WE COLLECT? 

Personal information you disclose to us 

In Short: We collect personal information that you provide to us. 

We collect personal information that you voluntarily provide to us when you express an interest in our products and Services, when you participate in activities on the Services, or when you contact us. 

The personal information we collect may include the following: 

• Full name 
• Phone numbers 
• Email addresses 
• Mailing or billing addresses 
• IP address 
• Job titles and company name 
• Browsing behaviour on our website 
• Project requirements, briefs or other information you share with us when making an enquiry 
• Resume, CV, portfolio and professional qualifications (for job applicants) 

 Sensitive Information. We do not process sensitive personal information. 

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information. 

 Information collected automatically 

In Short: Some information — such as your IP address and/or browser and device characteristics — is collected automatically when you visit our Services. 

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include device and usage information such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, and information about how and when you use our Services. 

The information we collect includes: 

 Log and Usage Data 

Service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services. This may include your IP address, device information, browser type and settings, and information about your activity (such as the date/time stamps, pages and files viewed, searches, and other actions you take). 

Device Data 

Information about your computer, phone, tablet, or other device you use to access the Services, including information such as your IP address, device and application identification numbers, location, browser type, hardware model, operating system, and system configuration information. 

Location Data 

We collect location data such as information about your device’s location based on your IP address. You can opt out of allowing us to collect this information by disabling your Location setting on your device. 

2. HOW DO WE PROCESS YOUR INFORMATION? 

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. 

We process your personal information for the following reasons: 

• To deliver and facilitate delivery of services to the user — we process your information to provide you with the requested service. 
• To respond to user enquiries and offer support — we process your information to respond to your enquiries and resolve any potential issues. 
• To fulfil and manage orders, projects and contracts — we may process your information to fulfil and manage project engagements and service agreements. 
• To request feedback — we may process your information to request feedback about your experience with our Services. 
• To send service-related communications — we may send you information about your project, account, or engagement that is necessary for the administration of our Services. 
• To send marketing and promotional communications (where you have opted in) — if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time by clicking the unsubscribe link. 
• To protect our Services — we may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention. 
• To comply with our legal obligations — we may process your information where required to do so by applicable law. 

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION? 

In Short: We only process your personal information when we have a valid legal reason to do so under applicable law. 

 For GDPR — EU and UK users 

If you are located in the EU or UK, the General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on. We map each purpose to its legal basis as follows: 

For India — DPDP Act 2023 

Under the Digital Personal Data Protection Act 2023, we process personal data lawfully on the following bases: 

• With the consent of the data principal, freely given, specific, informed and unconditional, for a stated purpose. 

• For legitimate uses as permitted under the DPDP Act, including: processing voluntarily provided personal data, compliance with legal obligations, performance of functions under applicable law, and normal business operations as defined in the Act. 

• We ensure data is processed only for the specified purpose, kept accurate, secured and not retained beyond the period necessary for that purpose. 

 For Canada — PIPEDA 

If you are located in Canada, we process your information if you have given us specific or implied consent, or in situations where processing without consent is legally permitted — such as fraud detection, compliance with legal obligations, or processing of publicly available information.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION? 

In Short: We may share information in specific situations and with the following parties. We do not sell your personal information. 

 Service Providers 

We may share your personal information with third-party vendors, service providers, and contractors who perform services for us or on our behalf. These may include: 

• Cloud infrastructure providers: Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure 
• Website analytics: Google Analytics 
• Email and communication platforms 
• Customer relationship management (CRM) tools 
• Project management and collaboration platforms 

All service providers are contractually required to process personal information only as directed by us and in accordance with applicable data protection law. 

 Business Transfers 

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. 

 Affiliates 

We may share your information with our affiliates, in which case we will require those affiliates to honour this privacy notice. 

 Legal Requirements 

We may disclose your personal information where required to do so by law, court order, or governmental authority, or where we believe disclosure is necessary to protect our rights, prevent fraud, or respond to a legal process. 

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES? 

In Short: We may use cookies and similar tracking technologies to collect and store information. 

We use cookies and similar tracking technologies (such as web beacons and pixels) to access or store information. The cookies we use fall into the following categories: 

• Strictly necessary cookies — essential for the website to function correctly. These cannot be disabled. 
• Analytics cookies — help us understand how visitors interact with our website (e.g. Google Analytics). These are set only with your consent where required by applicable law (including the EU ePrivacy Directive and UK PECR). You can opt out by adjusting your browser settings or using our cookie preference controls. 
• Preference cookies — remember your settings and preferences across sessions. 

You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified when a cookie is set. Please note that disabling certain cookies may affect the functionality of our website. 

For users in the EU and UK: We obtain your explicit consent before setting any non-essential cookies, including analytics cookies. You may withdraw your cookie consent at any time by adjusting your browser settings.

6. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY? 

In Short: We may transfer, store, and process your information in countries other than your own. 

Fortmindz is based in India. Our primary data processing occurs in India. We also use cloud infrastructure providers (Amazon Web Services, Google Cloud Platform, Microsoft Azure), which means your information may also be processed in the United States and the European Union. 

If you are accessing our Services from outside India, please be aware that your information may be transferred to, stored, and processed in these locations. 

 For EEA and UK users 

India does not currently have a formal EU adequacy decision. For transfers of personal data from the EEA or UK to India and other third countries, we rely on the European Commission’s Standard Contractual Clauses (SCCs) as an appropriate safeguard under GDPR Art. 46. 

Our Standard Contractual Clauses can be provided upon request by contacting dpo@fortmindz.com. 

 Data Localisation 

Fortmindz will comply with any data localisation requirements notified by the Government of India under the Digital Personal Data Protection Act 2023, as and when they are specified.

7. HOW LONG DO WE KEEP YOUR INFORMATION? 

In Short: We keep your information only for as long as necessary for each specific purpose, or as required by law. 

We retain personal information in accordance with the following purpose-specific retention periods:  

 When personal information is no longer required, we securely delete or anonymise it. If deletion is not immediately possible (e.g. because information is stored in backup archives), we securely isolate the information from further processing until deletion is possible.

8. HOW DO WE KEEP YOUR INFORMATION SAFE? 

In Short: We implement appropriate technical and organisational measures to protect your personal information. 

We have implemented the following security measures to protect the security of any personal information we process: 

• SSL/TLS encryption for all data transmitted between your browser and our website 
• Role-based access controls — personal information is accessible only to team members who need it for their role 
• ISO 9001:2015 certified quality management system, which includes information security practices 
• Non-disclosure agreements signed by all team members who handle client or personal data 
• Enterprise-grade cloud infrastructure on AWS, GCP or Azure with security configurations aligned to industry standards 
• Secure data disposal processes for personal information that is no longer required 
• Regular security assessments as part of our development and delivery process 

Privacy by Design 

As a software engineering company, we build privacy considerations into our internal products and workflows from the design stage, not as an afterthought. We apply the same principles of data minimisation, purpose limitation and security-by-design to our own systems that we recommend to our clients. 

 Data Breach Notification 

In the event of a personal data breach, Fortmindz will assess the risk to affected individuals and, where required by applicable law: 

• Notify affected data principals without undue delay, describing the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed. 
• Notify the Data Protection Board of India (under DPDP Act S.8(6)) and any other relevant supervisory authority (e.g. under GDPR Art. 33, within 72 hours of becoming aware of the breach). 

Please note that despite our safeguards, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. Transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

9. DO WE COLLECT INFORMATION FROM MINORS? 

In Short: We do not knowingly collect data from or market to children under 18 years of age. 

Our Services are not directed at individuals under the age of 18. We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of a minor and consent to such minor’s use of the Services. 

If we learn that personal information from users less than 18 years of age has been collected, we will take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from a child under age 18, please contact us at dpo@fortmindz.com. 

10. WHAT ARE YOUR PRIVACY RIGHTS? 

In Short: Depending on where you are located, you may have rights to access, correct, delete, restrict, or object to our processing of your personal information. 

 10.1 Rights Under GDPR — EU and UK Users 

If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR: 

• Right of access (Art. 15) — request a copy of the personal information we hold about you 
• Right to rectification (Art. 16) — request correction of inaccurate or incomplete information 
• Right to erasure / “right to be forgotten” (Art. 17) — request deletion of your personal information in certain circumstances 
• Right to restriction of processing (Art. 18) — request that we limit our processing of your data in certain circumstances 
• Right to data portability (Art. 20) — receive your personal information in a structured, commonly used machine-readable format 
• Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing purposes at any time 
• Right to withdraw consent (Art. 7(3)) — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing 

If you believe we are unlawfully processing your personal information, you have the right to complain to your local data protection supervisory authority. EU DPA contact details: https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. Switzerland: https://www.edoeb.admin.ch/edoeb/en/home.html 

 10.2 Rights Under the DPDP Act 2023 — Indian Data Principals 

If you are located in India, you have the following rights under the Digital Personal Data Protection Act 2023: 

• Right to access information (S.11(1)) — obtain a summary of the personal data Fortmindz has processed about you and the identities of data fiduciaries and processors with whom it has been shared 
• Right to correction (S.12(1)) — request correction of inaccurate or misleading personal data 
• Right to erasure (S.12(2)) — request deletion of personal data that is no longer necessary for the purpose for which it was collected 
• Right to grievance redressal (S.13) — have your grievance redressed by our Grievance Officer within 30 days. If the grievance is not redressed to your satisfaction, you may escalate to the Data Protection Board of India. 
• Right to nominate (S.14) — nominate another individual to exercise your rights on your behalf in the event of death or incapacity 

 10.3 Opting Out of Marketing Communications 

You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails we send, replying “STOP” to any SMS messages, or by contacting us at dpo@fortmindz.com. You will then be removed from the marketing list. We may still communicate with you for service-related or administrative purposes. 

 10.4 Withdrawing Consent 

If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us at dpo@fortmindz.com. Please note that this will not affect the lawfulness of processing before the withdrawal. 

 10.5 Exercising Your Rights 

To exercise any of the rights described above, please email us at dpo@fortmindz.com with “Privacy Rights Request” in the subject line. We will respond to all verifiable requests within 30 days (or within the applicable statutory period — e.g. 45 days for CCPA requests). We may need to verify your identity before processing your request. We will not charge a fee for responding to reasonable requests.

11. CONTROLS FOR DO-NOT-TRACK FEATURES 

Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognising and implementing DNT signals has been finalised. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice. 

12. DO CALIFORNIA RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS? 

In Short: Yes, if you are a resident of California, you have specific rights under the CCPA and CPRA regarding access to your personal information. 

 Categories of Personal Information Collected 

We have collected the following categories of personal information in the past twelve (12) months: 

 Your CCPA / CPRA Rights 

California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA): 

• Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it 
• Right to delete — request deletion of your personal information, subject to certain exceptions 
• Right to correct (CPRA) — request correction of inaccurate personal information 
• Right to opt out of the “sale” or “sharing” of personal information — we do not sell your personal information. If this practice changes, we will update this notice and provide a “Do Not Sell or Share My Personal Information” link 
• Right to limit use of sensitive personal information — we do not process sensitive personal information 

 Non-Discrimination 

We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you our Services, charge you different prices, provide a different quality of Services, or suggest that you may receive a different price or quality of Services because you exercised your rights. 

 Response Time 

We will respond to verifiable CCPA consumer requests within 45 days of receiving the request. If we require more time (up to 90 days in total), we will inform you of the reason and extension period in writing. 

 Authorised Agents 

You may designate an authorised agent to submit requests on your behalf. We may deny a request from an authorised agent who does not submit proof that they have been validly authorised to act on your behalf in accordance with the CCPA/CPRA. 

 Contact for CCPA Requests 

California residents may submit verifiable consumer requests by contacting us at: 

• Email: dpo@fortmindz.com 
• Subject line: “California Privacy Rights Request”

13. DO WE MAKE UPDATES TO THIS NOTICE? 

In Short: Yes, we will update this notice as necessary to stay compliant with applicable law and reflect changes in our practices. 

We may update this privacy notice from time to time. The updated version will be indicated by an updated “Last Updated” date at the top of this notice. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. 

We encourage you to review this privacy notice frequently to be informed of how we are protecting your information. 

 Policy Version History 

14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE? 

If you have questions or comments about this notice, you may contact our Data Protection Officer (DPO) or our Grievance Officer: 

 Fortmindz Private Limited 

CN-8/2, Room No. 604, 6th Floor, Sector V, Salt Lake 

Kolkata, West Bengal — 700091, India 

DPO Email: dpo@fortmindz.com 

General Email: hello@fortmindz.com 

Sales: sales@fortmindz.com 

Phone: +91 7003123020 

CIN: U72900WB2022PTC258288 

D-U-N-S: 931867199 

Grievance Officer: [CONFIRM: Full name of designated Grievance Officer] 

Designation: [CONFIRM: e.g. Chief Privacy Officer / Data Protection Officer / Company Secretary] 

Email: [CONFIRM: e.g. grievance@fortmindz.com] 

We will acknowledge all grievances within 24 hours and resolve them within 30 days of receipt. If the grievance is not resolved to your satisfaction, you may escalate to the Data Protection Board of India.

15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU? 

Based on the applicable laws of your country or state of residence, you may have the right to request access to the personal information we collect from you, change that information, or delete it. 

To request to review, update, or delete your personal information, please submit a request to: 

 Email: dpo@fortmindz.com 

Subject line: “Data Subject Request — [Access / Correction / Deletion / Portability / Objection]” 

 We will respond to all verifiable requests within the following timeframes: 

• GDPR (EU/UK users) — 30 days, extendable by a further 2 months for complex requests 
• DPDP Act (Indian data principals) — 30 days 
• CCPA (California residents) — 45 days, extendable to 90 days with written notice 
• PIPEDA (Canadian users) — 30 days 

 We may need to verify your identity before processing your request. We will not charge a fee for responding to reasonable requests unless the request is manifestly unfounded, excessive, or repetitive.