Privacy Policy

1. INTRODUCTION

WHORV is a Web, App & Digital Agency incorporated in India. We respect your privacy and are committed to processing Personal Data in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 and allied rules. This Policy explains what data we collect, why we collect it, how we protect it and the rights you have.

2. DEFINITIONS

• “Personal Data” means any data about an individual who is identifiable by or in relation to such data.
• “Data Principal” means the individual to whom the Personal Data relates.
• “Processing” means any operation performed on Personal Data such as collection, storage, use, sharing, deletion, etc.
• “Service(s)” means any website, mobile application, digital marketing, design, development, hosting, maintenance, support, consultation or other digital services offered by WHORV.

3. PERSONAL DATA WE COLLECT

We may collect, store and process the following categories of Personal Data:

a. Identity & Contact Data – name, salutation, job title, postal address, email, phone, social-media handles.
b. Professional Data – company name, industry, role, project requirements, prior agency experience.
c. Financial Data – GSTIN, PAN, bank account / UPI / card last-4 digits, invoicing address, purchase orders.
d. Technical & Usage Data – IP address, browser type, device identifiers, pages visited, time-zone, cookies, click-stream.
e. Marketing & Communications Data – your preferences in receiving newsletters, case-studies, event invites.
f. Credential Data – usernames, encrypted passwords, SSH/FTP keys, API tokens (provided voluntarily to deliver Services).
g. Any other data you voluntarily share in briefs, chats, emails, support tickets or feedback forms.

We do not intentionally collect “Sensitive Personal Data” (e.g., passwords unrelated to our service, biometric, health or financial PINs). If you share such data, we will delete it upon discovery.

 

4. HOW WE COLLECT DATA

• Direct interactions – when you request a quote, sign a contract, send an email, call us, fill a form, attend our webinar, or message us on WhatsApp / social media.
• Automated technologies – via cookies, log files, analytics pixels, server logs, Google Analytics, Hotjar, Facebook Pixel, LinkedIn Insight, etc.
• Third parties – domain registrars, hosting partners, advertising platforms, referral partners, publicly-available sources such as LinkedIn or your corporate website.

 

5. PURPOSE & LAWFUL BASIS FOR PROCESSING

We process Personal Data only when we have a lawful basis under the DPDP Act (primarily consent and certain legitimate uses).

Table

Purpose	Lawful Basis under DPDP Act
Provide, customise & manage the Services (websites, apps, UI/UX, hosting, support)	Consent + Performance of contract
Respond to enquiries, prepare proposals & invoices	Consent + Legitimate use (pre-contract)
Send service-related notices, security alerts, software updates	Legitimate use (service-related)
Share project updates, newsletters, promotional offers	Consent (opt-in) – you may withdraw anytime
Detect, prevent & investigate fraud, abuse, security incidents	Legitimate use (security & compliance)
Maintain accounting, taxation & other statutory records	Legal obligation
Defend or establish legal claims	Legitimate use (legal rights)

 

6. COOKIES & SIMILAR TECHNOLOGIES

We use essential, performance, analytics and marketing cookies.

• Essential cookies are strictly necessary and cannot be refused.
• Non-essential cookies are placed only after you provide explicit consent via our cookie banner.
  You may manage preferences or withdraw consent at any time through the “Cookie Settings” link in the footer.

 

7. DATA SHARING & DISCLOSURE

We never sell or rent your Personal Data. We share it only:

1. With your consent (e.g., listing your brand in our portfolio).
2. Service Providers & Sub-processors – cloud hosts (AWS, Google Cloud, DigitalOcean), domain registrars, email services (Google Workspace, Mailchimp), analytics (Google, Mixpanel), project-management tools (Jira, Trello), code repositories (GitHub, Bitbucket), payment gateways (Razorpay, PayPal). Each provider is bound by data-processing agreements that impose confidentiality, security & DPDP Act obligations.
3. Regulatory / Legal – when required by law, court order, or to respond to a valid request by a government authority.
4. Business transfers – in connection with a merger, acquisition, or sale of assets (we will notify you).

A current list of sub-processors is available on request.

 

8. INTERNATIONAL DATA TRANSFERS

We may host or back-up data in servers located outside India (e.g., Singapore, EU, US). Before any transfer, we:

• confirm the destination country is not on India’s “negative list”;
• execute Standard Contractual Clauses or rely on adequacy decisions;
• ensure same level of protection as required under the DPDP Act.

 

9. DATA RETENTION

We retain Personal Data only for as long as necessary to fulfil the specified purpose(s) or to meet legal, accounting, contractual or reporting obligations. Typical timelines:

• Marketing leads – 2 years after last interaction.
• Client project files & emails – 7 years after contract termination (statutory limitation period).
• Analytics logs – 26 months.
• Back-ups – overwritten in 30 days.
  
  When retention expires, we securely delete or anonymise the data.

 

10. SECURITY MEASURES

We follow reasonable security practices consistent with ISO 27001 controls and the SPDPI Rules, 2011:

• TLS 1.3 encryption in transit; AES-256 at rest.
• Role-based access control (RBAC) & MFA for all critical tools.
• Regular vulnerability scans, OWASP-top-10 secure coding, quarterly penetration tests.
• Encrypted password hashing (bcrypt/Argon2), salted keys.
• 24/7 log monitoring, DDoS protection, Web Application Firewall.
• NDAs with all employees & contractors; annual security training.

 

11. DATA PRINCIPAL RIGHTS

Under the DPDP Act you have the following rights:

• Access – obtain a summary of Personal Data we hold about you.
• Correct / Update – rectify inaccurate or outdated data.
• Withdraw Consent – at any time; we will stop processing for that purpose unless another lawful basis applies.
• Erase – request deletion where data is no longer necessary or consent is withdrawn (subject to legal retention).
• Grievance – lodge a complaint with our Grievance Officer (see §14) and/or with the Data Protection Board of India.

We will respond within 7 working days of receiving a verifiable request.

 

12. CHILDREN’S DATA

Our Services are not directed to children under 18. We do not knowingly collect their data. If you are a parent/guardian and believe we have such data, contact us immediately; we will delete it.

 

13. AUTOMATED DECISION MAKING

We do not carry out profiling or automated decision-making that significantly affects you.

 

14. CHANGES TO THIS POLICY

We may update this Policy periodically. Revisions will be posted on this page with a new “Effective Date” and, where changes are material, we will notify you via email or prominent notice on our website.

 

15. THIRD-PARTY LINKS

Our website may contain links to third-party sites/apps. We are not responsible for their privacy practices; please review their policies before sharing any data.

 

16. CONTACT US

If you have questions, please reach out:

• • Email: karan@whorv.com
  • Post: WHORV – Privacy Office, B-30, Defence Colony, New Delhi – 110 024, India