TFAdatalabs Private Limited

Last Updated: November 22, 2025


  1. Introduction and Purpose

TFAdatalabs ("Company," "we," "us," "our") is a consulting services provider specializing in AI,
data engineering, and related technical services ("Services"). We respect your privacy and are
committed to protecting the personal and business information you provide when engaging with us.
We are also committed to protecting our Company's confidential information, intellectual property,
and business interests.
This Privacy Policy governs how we collect, use, store, process, and share information when you
visit our website, engage with our Services, or interact with us in any capacity. By accessing our
website or engaging with our Services, you acknowledge that you have read, understood, and
agree to be bound by this Privacy Policy. If you do not agree with our practices, please do not
use our Services or website.

  2. Legal Basis and Regulatory Compliance

This Privacy Policy complies with applicable data protection laws, including but not limited to:

  • Digital Personal Data Protection (DPDP) Act, 2023 and Rules, 2025 (India)

  • Information Technology Act, 2000 and Rules, 2011 (India)

  • General Data Protection Regulation (GDPR) (for EU/UK data subjects)

  • Applicable international and local data protection laws (as applicable to our operations)

  3. Information We Collect

We collect various categories of information to deliver our Services effectively and protect our
business interests:

3.1 Client and Contact Information

  • Full name, email address, phone number, and postal address

  • Company/organizational name, industry, and business type

  • Job title, designation, and reporting structure

  • Professional credentials and certifications

  • Payment and billing information (including bank details, credit card information processed through
    secure payment gateways)

3.2 Project and Service-Related Data

  • Project scope, specifications, timelines, and deliverables

  • Files, datasets, code repositories, databases, and technical materials provided for project
    execution

  • Communications regarding project requirements, feedback, and progress updates

  • Intellectual property and proprietary information shared for service delivery

  • System access credentials and authentication information (API keys, database access, etc.)

  • Performance metrics, quality assessments, and project outcomes

3.3 Business and Commercial Information

  • Business proposals, pricing discussions, and contract terms

  • Budget information and financial arrangements

  • Business development communications and sales interactions

  • References provided by clients and recommendations

  • Historical engagement records and past service relationships

3.4 Technical and Usage Information

  • IP address, device type, browser type, and operating system

  • Pages visited, features accessed, time spent on website, and click patterns

  • Referrer information and navigation behavior

  • Cookies, pixel tags, web beacons, and similar tracking technologies

  • Server logs and system access records

  • Geolocation information (if enabled by user)

3.5 Communication Records

  • Emails, messages, call logs, and correspondence

  • Feedback, complaints, inquiries, and support requests

  • Records of meetings, video conferences, and presentations

3.6 Engagement and Interaction Data

  • Event attendance records (webinars, workshops, training sessions)

  • Social media interactions and public profile information

  • Survey responses and feedback submissions

  • Engagement metrics and interaction history

  4. How We Collect Information

We collect information through multiple channels:

  • Direct provision: Information you voluntarily provide through forms, applications, emails, phone
    calls, or in-person interactions

  • Automated collection: Cookies, pixels, web beacons, and similar tracking technologies

  • Third-party sources: Referral partners, business associates, public databases, and data vendors
    (with appropriate legal basis)

  • Passive collection: Server logs, usage analytics, and system-generated records

  • Integrated tools: CRM systems, project management platforms, analytics tools, and
    communication platforms

  5. Legal Basis for Processing

We process personal data based on the following legal grounds:

5.1 Contractual Necessity

  • Information required to enter into or perform service contracts

  • Delivery of agreed Services and project management

  • Invoice generation and payment processing

5.2 Consent

  • Explicit, informed consent obtained through clear affirmative action

  • Separate consent for different processing purposes

  • Withdrawal of consent at any time (subject to contractual obligations)

5.3 Legitimate Business Interests

  • Protecting Company assets and intellectual property

  • Detecting and preventing fraud, security incidents, and unauthorized access

  • Business development, marketing, and client relationship management

  • Analytics and service improvement

  • Compliance with internal policies and procedures

  • Legal claims defense and dispute resolution

5.4 Legal Obligations

  • Compliance with tax, accounting, and regulatory requirements

  • Response to legal notices, court orders, and regulatory inquiries

  • Mandatory reporting requirements under applicable law

  • Data breach notification obligations

5.5 Vital Interests

  • Protection of individual safety and security in emergency situations

  6. How We Use Your Information

We use collected information for the following purposes:

6.1 Service Delivery

  • Executing projects and delivering Services as agreed

  • Project planning, execution, monitoring, and quality assurance

  • Client communication and project status updates

  • Technical support and troubleshooting

  • Invoice generation and payment processing

  • Performance tracking and metrics reporting

6.2 Business Operations

  • Account management and record maintenance

  • Vendor and supplier management

  • Internal reporting and audit compliance

  • Resource allocation and team assignments

  • System administration and IT management

6.3 Marketing and Business Development

  • Promotional communications (with consent where required)

  • Lead generation and prospecting activities

  • Client newsletters, case studies, and success stories

  • Industry events, webinars, and training notifications

  • Product and service announcements

6.4 Analytics and Improvement

  • Website usage analysis and user behavior analytics

  • Service quality improvement and optimization

  • Trend analysis and market research

  • Performance benchmarking

  • Customer satisfaction surveys and feedback

6.3 Legal and Security

  • Fraud detection and prevention

  • Unauthorized access prevention and cybersecurity

  • Compliance with legal obligations and regulatory requirements

  • Legal claims defense and dispute resolution

  • Data breach investigation and notification

  • Policy enforcement and contract compliance

6.5 Consent-Based Activities

  • Special communications or requests (requiring explicit consent)

  • Research participation or testimonials

  • Case study or client reference usage (requiring written permission)

  7. Data Protection and Security Measures

We implement comprehensive technical and organizational security measures to protect
information against unauthorized access, disclosure, alteration, loss, or destruction:

7.1 Technical Safeguards

  • SSL/TLS encryption for data transmission over the internet

  • End-to-end encryption for sensitive communications

  • Encrypted storage for data at rest using industry-standard encryption protocols

  • Secure password management and multi-factor authentication

  • Firewalls, intrusion detection systems, and vulnerability assessments

  • Regular security patches and updates

  • Network segmentation and access controls

  • Data anonymization and pseudonymization where applicable

7.2 Organizational Safeguards

  • Role-based access control (RBAC) limiting data access to authorized personnel only

  • Confidentiality agreements and non-disclosure commitments with all staff and contractors

  • Data protection and information security training for all employees

  • Clear data handling procedures and information governance policies

  • Incident response and breach management procedures

  • Regular security audits and penetration testing

  • Vendor assessment and third-party security compliance verification

  • Secure physical facilities with restricted access

7.3 Administrative Safeguards

  • Designated Data Protection Officer (DPO) or privacy contact for accountability

  • Privacy by design and by default principles incorporated into all processes

  • Data Protection Impact Assessments (DPIAs) for high-risk processing

  • Regular compliance reviews and policy updates

  • Documentation of processing activities and legal basis

  • Incident logging and breach notification procedures

7.4 Limitation and Minimization

  • Collection of only necessary data for specified purposes (data minimization principle)

  • Restriction of data access to authorized personnel on a need-to-know basis

  • Retention of data only for the period necessary to fulfill stated purposes

  • Secure deletion or anonymization of data when no longer required

  8. Data Retention

We retain information only for as long as necessary to achieve the purposes outlined in this Privacy
Policy:

  • Client and contact information: Duration of engagement plus 7 years (for tax, accounting, and
    legal compliance)

  • Project and service data: Duration of project plus 5-7 years (for dispute resolution, contractual
    claims, and audit purposes)

  • Payment and billing records: Duration of business relationship plus 7 years (for tax and
    regulatory compliance)

  • Marketing communications: Until consent withdrawal or 2 years of inactivity (whichever is
    earlier)

  • Website usage and technical data: 12-24 months (depending on analytics requirements)

  • Cookies and tracking data: Duration specified in cookie policy (typically 1-2 years)

  • Legal and compliance records: As long as required by applicable law (minimum 5-7 years)

Note: Information may be retained longer if retention is required by law, for legal claims defense, or
if disputes are pending.

  9. Sharing and Disclosure of Information

We do not sell, rent, lease, or trade your personal data to third parties for profit. However, we may
share information in the following circumstances:

9.1 Service Providers and Processors
We may share information with carefully selected third-party service providers who assist in
delivering Services or operating our business:

  • Cloud hosting providers and data center operators

  • Payment processors and financial institutions

  • CRM and project management platforms

  • Analytics and business intelligence tools

  • Email and communication service providers

  • Legal, accounting, and audit firms

  • IT security and maintenance service providers

  • Marketing and advertising platforms (with consent where required)

All service providers are contractually bound to:

  • Process data only on our documented instructions

  • Maintain confidentiality and security equivalent to our standards

  • Implement appropriate technical and organizational security measures

  • Not use data for their own purposes

  • Not transfer data to unauthorized third parties

  • Comply with applicable data protection laws

9.2 Business Partners and Collaborators

  • Co-service providers required for integrated project delivery

  • Subcontractors and technology partners (with appropriate contractual safeguards)

  • Joint venture partners and strategic alliance partners (subject to confidentiality agreements)

9.3 Legal and Regulatory Requirements

  • Law enforcement agencies, government authorities, and regulatory bodies in response to lawful
    requests

  • Courts, arbitration bodies, and judicial proceedings

  • Tax authorities and financial regulators

  • Mandatory data breach notification to affected individuals and authorities

  • Protection of public interest or national security (where legally required)

9.4 Business Transfers and Restructuring

  • In the event of merger, acquisition, bankruptcy, or sale of assets

  • Information may be transferred as part of the business transaction

  • Transferee will be required to honor this Privacy Policy or provide equivalent protections

  • We will provide notice to affected individuals of any such transfer

9.5 Aggregate and Anonymized Data

  • We may share anonymized, aggregated data for industry analysis, benchmarking, and research

  • Such data cannot identify individuals or specific clients

  • No consent is required for anonymized data sharing

9.6 Data Subject Requests and Disputes

  • Information may be disclosed in response to valid legal requests, court orders, or subpoenas

  • Information necessary for legal defense, arbitration, or dispute resolution

  • Information required by contractual obligations or indemnification clauses

  10. Confidentiality and Non-Disclosure

TFAdatalabs treats all client and business information as strictly confidential. All personnel sign
confidentiality agreements committing to:

  • Non-disclosure of client information to unauthorized parties

  • Protection of client intellectual property and proprietary information

  • Prohibition of using client information for competitive advantage

  • Secure handling and storage of sensitive materials

  • Prohibition of personal use or unauthorized access

  • Return or destruction of information upon termination

This confidentiality obligation survives the termination of business relationships.

  11. Cookies and Tracking Technologies

11.1 Use of Cookies
Our website uses cookies and similar technologies to:

  • Remember user preferences and login information

  • Understand user behavior and website usage patterns

  • Improve website functionality and user experience

  • Provide personalized content and recommendations

  • Measure campaign effectiveness and analytics

  • Prevent fraud and enhance security

11.2 Types of Cookies

  • Essential cookies: Required for website functionality (cannot be disabled)

  • Performance cookies: Track usage patterns and website performance

  • Functional cookies: Remember user preferences and settings

  • Marketing cookies: Track user interactions for marketing purposes

11.3 Cookie Management

  • Users can manage cookies through browser settings

  • Disabling certain cookies may affect website functionality or user experience

  • Detailed cookie information is available in our Cookie Policy

  • Users can withdraw consent to non-essential cookies at any time

11.4 Third-Party Analytics
We use third-party analytics platforms (Google Analytics, Hotjar, etc.) to track website usage.
These providers may collect and use data according to their privacy policies. Users can opt-out
through:

  • Browser plugins or extensions

  • Third-party provider opt-out mechanisms

  • Direct communication with us

  12. Your Rights and Choices

Under applicable data protection laws (particularly DPDP Act and GDPR), you have the following
rights:

12.1 Right to Access

  • Obtain confirmation of whether we process your personal data

  • Receive a copy of your personal data in a structured, commonly-used, machine-readable format

  • Understand the purposes of processing, legal basis, and recipient details

12.2 Right to Correction

  • Request correction of inaccurate or incomplete personal data

  • Update your personal data to ensure accuracy

12.3 Right to Erasure ("Right to be Forgotten")

  • Request deletion of your personal data under certain conditions:

      • Data is no longer necessary for stated purposes

      • You withdraw consent and no other legal basis applies

      • Processing violates applicable law

  • Exceptions: Erasure may be restricted if:

      • Retention is required by law or for legal claims

      • Data is necessary for contract performance

      • Data is required for fraud prevention or security

      • Retention is necessary for our legitimate business interests

12.4 Right to Restrict Processing

  • Request suspension of data processing while accuracy is being verified

  • Request restriction during disputes about data processing lawfulness

  • Data may be retained but processing restricted during limitation period

12.5 Right to Object

  • Object to processing based on legitimate interests

  • Opt-out of marketing communications at any time

  • Object to profiling and automated decision-making

  • Exception: Cannot object to processing necessary for contract performance or legal obligations

12.6 Right to Data Portability

  • Receive your personal data in a structured, commonly-used format

  • Transmit data to another service provider without hindrance

  • Applies to: Data provided by you and processed based on consent or contract

  • Exception: Does not apply to data processed for other legal bases

12.7 Right to Withdraw Consent

  • Withdraw consent for data processing at any time

  • Withdrawal does not affect legality of prior processing

  • Withdrawal may affect our ability to provide certain Services

12.8 Rights Related to Automated Decision-Making

  • Right to explanation if significant decisions are made based solely on automated processing

  • Right to request human review of automated decisions

  • Right to contest automated decisions

12.9 Right to Lodge Complaints

  • File complaints with relevant data protection authorities if you believe your rights are violated

  • In India: Digital Personal Data Protection Board (DPPB)

  • In EU: Relevant Member State data protection authority

  13. Exercising Your Rights

To exercise any of your rights under this Privacy Policy, contact us using the details provided in
Section 15 (Contact Us):

13.1 Request Process

  • Submit a written request clearly stating your desired action

  • Include sufficient information for identification (email, name, client ID, etc.)

  • Request must be submitted via secure channels (encrypted email or registered contact form)

13.2 Response Timeline

  • We will acknowledge receipt of your request within 5 business days

  • We will respond to your request within 30-45 days from receipt (or as required by applicable law,
    maximum 60 days under DPDP Act)

  • Extension of up to 30 days is permitted for complex requests

  • You will be notified if an extension is required

13.3 Verification

  • We may verify your identity before processing your request

  • Additional information may be requested to confirm your identity

  • Failure to verify identity may delay request processing

13.4 Fees

  • Requests are processed free of charge

  • Exceptional or repetitive requests may incur reasonable administrative costs

  • You will be informed of any costs before processing

13.5 Rejection or Partial Approval

  • If requests are rejected or partially approved, we will provide reasons

  • Right to appeal or escalate decisions is available

  14. Automated Decision-Making and Profiling

We do not use automated decision-making or algorithmic profiling that produces legal or similarly
significant effects on individuals, except:

  • Fraud detection and security screening

  • Lead scoring for sales purposes (non-binding recommendations)

  • Basic analytics and usage patterns

  • System-level security measures

Individuals retain the right to:

  • Obtain human review of automated decisions

  • Challenge automated determinations

  • Request transparency regarding decision logic

  15. Data Breach Notification and Incident Response

15.1 Breach Notification Policy
In the event of a confirmed personal data breach, we will:

  • Conduct immediate investigation to determine scope and impact

  • Notify affected individuals without undue delay and in no case later than 72 hours (DPDP Act
    requirement) using:

      • Email or secure communication channels

      • Plain language explaining the breach, potential impact, and protective measures

      • Clear information on steps individuals can take

      • Contact information for assistance

  • Notify relevant authorities and the Data Protection Board (if required under law)

  • Document all breach details and response measures

  • Implement remedial measures to prevent recurrence

  • Provide periodic updates as investigation progresses

15.2 Information Included in Breach Notification

  • Description of the breach and affected data categories

  • Approximate number of individuals affected

  • Likely consequences of the breach

  • Measures taken to address the breach

  • Steps individuals can take to protect themselves

  • Contact information for further assistance

  • Details of any insurance or compensation available

15.3 Exception to Notification
Notification may be waived if:

  • Data is encrypted or rendered unintelligible

  • Risk to individuals is minimal or non-existent

  • Notification would impede law enforcement investigation (rare exception)

  16. International Data Transfers

16.1 Cross-Border Transfers

  • Our servers and data centers may be located in India or other countries

  • Information may be transferred to countries with varying data protection standards

  • Transfers comply with applicable laws and include appropriate contractual protections (Standard
    Contractual Clauses, Binding Corporate Rules, etc.)

16.2 Third-Country Transfer Mechanisms

  • EU/UK to non-EU transfers include adequate safeguards

  • Data Processing Agreements with service providers include data transfer protections

  • Individuals are informed of transfer locations and protections

  17. Children and Minors

17.1 Age Restriction
Our Services and website are not intended for individuals under 18 years of age. We do not
knowingly collect or solicit personal information from minors.

17.2 Parental Consent
If a minor has provided information without parental consent, parents/guardians may contact us to
request deletion. We will take reasonable steps to remove such information promptly.

17.3 Compliance
If we become aware of information provided by minors, we will delete it or obtain parental consent
as required by applicable law.

  18. Third-Party Links and External Websites

Our website may contain links to external websites, social media platforms, and third-party
services. We are not responsible for:

  • Privacy practices of external websites

  • Content or policies of third-party platforms

  • Security measures of linked sites

  • Information collection by third-party services

Recommendation: Review the privacy policies of any external sites before providing information.
Your use of third-party services is at your own risk and subject to their respective terms and
policies.

  19. Company Responsibility and Liability

19.1 Security Limitations

While we implement comprehensive security measures, no system is absolutely secure. We do not
guarantee:

  • Complete prevention of unauthorized access

  • Complete protection against data theft or loss

  • Protection against sophisticated cyber attacks

  • 100% data availability or uptime

19.2 Limitation of Liability
To the maximum extent permitted by law:

  • We are not liable for unauthorized access resulting from user negligence

  • We are not liable for loss or misuse of data shared at user's own risk

  • Liability is limited to the extent permitted by applicable law

  • You assume all risks associated with information transmission

19.3 User Responsibility
Users are responsible for:

  • Maintaining confidentiality of login credentials and authentication information

  • Reporting unauthorized access or security incidents immediately

  • Reviewing account activity regularly

  • Backing up important information

  • Complying with all applicable laws in their use of our Services

  20. Changes to This Privacy Policy

20.1 Modifications
We may update this Privacy Policy periodically to reflect:

  • Changes in data protection laws

  • Changes in business practices or Services

  • Changes in security measures

  • Clarifications and improvements

20.2 Notification of Changes

  • Updated policy will be posted on our website

  • "Last Updated" date will be modified accordingly

  • Material changes will be communicated via email or prominent notice

  • Users will have 30 days to review changes before acceptance required

20.3 Acceptance

  • Continued use of Services after changes indicates acceptance

  • If you disagree with changes, discontinue use of Services

  • No new consent is required for non-material changes

  21. Governing Law and Jurisdiction

21.1 Governing Law
This Privacy Policy is governed by the laws of India, specifically:

  • Digital Personal Data Protection (DPDP) Act, 2023

  • Information Technology Act, 2000

  • Indian Contract Act, 1872

  • Applicable local laws of the jurisdiction where TFAdatalabs is registered

21.2 Jurisdiction

  • Disputes arising from or relating to this Privacy Policy are subject to exclusive jurisdiction of
    courts in Gurgaon/Gurugram, Haryana, India

  • All parties consent to the jurisdiction and venue of courts in Gurgaon

  • Arbitration: Disputes may be resolved through arbitration under Arbitration and Conciliation Act,
    1996 if mutually agreed

21.3 Conflict of Laws
If this Privacy Policy conflicts with international laws:

  • The more stringent standard will apply

  • Compliance with GDPR for EU data subjects

  • Compliance with local laws for data subjects in other jurisdictions

  22. Data Protection Officer and Privacy Contact

22.1 Designated Privacy Officer
Name: Vikas Chauhan
Title: Founder & Privacy Officer
Email: vikas.chauhan@tfadatalabs.com
Phone: +91-8130493931

22.2 Responsibilities
The Privacy Officer is responsible for:

  • Monitoring Privacy Policy compliance

  • Addressing data subject rights requests

  • Investigating data breaches and security incidents

  • Liaising with data protection authorities

  • Providing privacy training and guidance

  • Reviewing and updating privacy practices

  23. Contact Us

For questions, concerns, or requests regarding this Privacy Policy, your personal data, or our data
protection practices, contact us:
TFAdatalabs Private Limited
Address: Sector 79, Gurugram, Haryana 122018, India
Email (Primary): vikas.chauhan@tfadatalabs.com
Phone: +91-8130493931
Website: www.tfadatalabs.com
Contact Form: Available on our website for privacy-related inquiries
Response Timeframe: We will acknowledge your inquiry within 2 business days and provide a
substantive response within 10-15 business days.

  24. Additional Resources

  • Privacy Policy: This document

  • Cookie Policy: Available on our website

  • Terms of Service: Available on our website

  • Data Processing Agreement (DPA): Available for clients processing personal data

  • Digital Personal Data Protection Board: https://dpdpboard.gov.in/ (for complaints)

  • Indian Ministry of Electronics & IT: https://meity.gov.in/

  25. Acknowledgment and Consent

By using our Services or website, you acknowledge that you have:

  • Read this entire Privacy Policy

  • Understood our data collection, usage, and sharing practices

  • Understood your rights and how to exercise them

  • Understood our security measures and their limitations

  • Consented to our data processing practices

  • Agreed to be bound by this Privacy Policy and our Terms of Service

TFAdatalabs Private Limited
Last Updated: November 22, 2025
Effective Date: November 22, 2025

Appendix A: DPDP Act Compliance Checklist

Appendix B: GDPR Compliance Checklist (for EU Data Subjects)

End of Privacy Policy