Legal
Privacy Policy
Last updated: 11 April 2025
This policy applies to all users of gilgamesh.in and any services provided by Gilgamesh™. It complies with the EU General Data Protection Regulation (GDPR), India's Digital Personal Data Protection Act 2023 (DPDPA), the California Consumer Privacy Act (CCPA/CPRA), the UK GDPR, and other applicable global privacy laws.
1. Data Controller
Gilgamesh™ is the data controller responsible for your personal data collected through gilgamesh.in and its associated services. We are incorporated in India and our trademark is registered with the relevant Indian authority.
For all privacy-related enquiries, requests, or complaints, our designated point of contact is:
Gilgamesh™
Email: likith@gilgamesh.in
2. Scope of This Policy
This Privacy Policy applies to:
- Visitors to gilgamesh.in and any subdomains
- Individuals who submit enquiries, forms, or applications via the site
- Clients, prospective clients, and business contacts
- Subscribers to any communications or updates we issue
It does not apply to third-party websites linked from our site. We encourage you to review the privacy policies of any third-party sites you visit.
3. Personal Data We Collect
3.1 Data you provide directly
- Full name, email address, phone number, and company or organisation name
- Messages, project briefs, or other content submitted via contact or application forms
- Payment and billing information processed through third-party payment processors (we do not store card details)
- Any additional information you voluntarily share during an engagement
3.2 Data collected automatically
- IP address, browser type, device type, operating system, and language preference
- Referring URL, pages visited, time on page, and clickstream data
- Cookie identifiers and similar tracking technology data (detailed in our Cookie Policy)
- Approximate geolocation derived from IP address (country or region level only)
3.3 Data from third parties
- Publicly available professional information (e.g. LinkedIn profiles, company websites) when researching prospective clients
- Analytics and advertising platform data where you have given consent to those platforms
We do not collect special categories of personal data (e.g. health, biometric, racial, or religious data) and have no intention of doing so.
4. Purposes and Legal Basis for Processing
We process personal data only where we have a lawful basis. The table below sets out each purpose and its corresponding legal basis under GDPR and equivalent frameworks:
| Purpose | Legal Basis |
|---|---|
| Respond to enquiries and service applications | Legitimate interests / Pre-contractual steps |
| Deliver contracted services | Performance of a contract |
| Send marketing communications (with opt-in) | Consent |
| Analyse site usage and improve UX | Legitimate interests |
| Comply with legal or regulatory obligations | Legal obligation |
| Fraud prevention and site security | Legitimate interests / Legal obligation |
| Billing and financial record-keeping | Legal obligation / Contract |
Where we rely on legitimate interests, we have conducted a balancing test and determined that our interests are not overridden by your rights and freedoms. You may request a copy of this assessment by contacting us.
5. How We Use Your Data
- To respond to and manage your enquiries, requests, and applications
- To provide, maintain, and improve our services
- To send service-related communications such as confirmations, updates, and invoices
- To send marketing or promotional content where you have consented; you may withdraw consent at any time
- To conduct analytics on how our site is used and optimise the user experience
- To meet our legal, regulatory, and contractual obligations
- To detect, investigate, and prevent fraudulent or harmful activity
We do not sell, rent, or trade your personal data to any third party, ever.
6. Data Sharing and Transfers
6.1 Service providers (processors)
We share personal data with trusted third-party service providers who process it on our behalf under written data processing agreements. These include:
- Cloud hosting and infrastructure providers
- Email delivery and communication platforms
- Analytics tools (e.g. Google Analytics or privacy-first alternatives)
- Payment processors (subject to their own PCI-DSS compliant privacy policies)
- CRM and project management tools used internally
All processors are contractually prohibited from using your data for any purpose beyond the service they provide to us.
6.2 Legal disclosures
We may disclose personal data to government authorities, law enforcement, or regulators where required by applicable law, a valid court order, or to protect our legal rights.
6.3 Business transfers
In the event of a merger, acquisition, restructuring, or asset sale, personal data may be transferred to the successor entity. We will notify you prior to such a transfer and ensure equivalent protections remain in place.
6.4 International transfers
Some of our service providers are located outside India and the EEA. Where personal data is transferred internationally, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent mechanisms as required under applicable law. By using our site, you acknowledge that your data may be transferred and processed in countries outside your own.
7. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our standard retention periods are:
| Data Type | Retention Period |
|---|---|
| Contact form submissions | 3 years from last interaction |
| Client engagement records | 7 years (legal / tax obligations) |
| Marketing consent records | Until consent is withdrawn + 1 year |
| Website analytics data | 26 months |
| Financial and billing records | 7 years (statutory requirement) |
| Security and access logs | 90 days |
When retention periods expire, data is securely deleted or anonymised. You may request early deletion at any time (subject to legal obligations that require us to retain certain records).
8. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data. We honour these rights globally, regardless of whether local law mandates it.
Right of Access
Request a copy of the personal data we hold about you, along with information about how it is used.
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure ('Right to be Forgotten')
Request deletion of your personal data where there is no compelling reason for us to continue processing it.
Right to Restrict Processing
Request that we limit how we use your data in certain circumstances.
Right to Data Portability
Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent
Where processing is based on consent, withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
Right Not to be Subject to Automated Decision-Making
We do not make decisions about you using solely automated means that produce legal or similarly significant effects.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority. In India, this is the Data Protection Board of India. In the EU, contact your national supervisory authority.
To exercise any right, email likith@gilgamesh.in with the subject line “Privacy Request”. We will verify your identity and respond within 30 days. Complex requests may be extended to 60 days with notice.
We will not charge a fee for legitimate requests unless they are manifestly unfounded or excessive, in which case we reserve the right to charge a reasonable administrative fee or refuse the request.
9. Children's Privacy
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe we have collected data from a minor, please contact us immediately.
10. Cookies and Tracking Technologies
We use cookies and similar technologies to operate our site and understand visitor behaviour. For a full breakdown of the cookies we use, their purpose, duration, and how to manage them, please read our Cookie Policy.
11. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Access controls limiting data access to authorised personnel only
- Regular security reviews and vulnerability assessments
- Vendor due diligence before engaging third-party processors
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required under applicable law.
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining industry-standard protections.
12. California Residents (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- The right to know what personal information we collect, use, disclose, and sell
- The right to delete personal information we have collected from you (subject to exceptions)
- The right to opt out of the sale or sharing of personal information; we do not sell personal information
- The right to correct inaccurate personal information
- The right to limit use and disclosure of sensitive personal information
- The right to non-discrimination for exercising your privacy rights
To submit a CCPA request, contact us at likith@gilgamesh.in. We will respond within 45 days.
13. India Residents (DPDPA 2023)
Gilgamesh™ is incorporated in India and complies with the Digital Personal Data Protection Act 2023 (DPDPA). As a Data Fiduciary, we:
- Collect and process personal data only for lawful purposes with your consent or other lawful basis
- Maintain reasonable security safeguards to prevent personal data breaches
- Notify the Data Protection Board of India and affected individuals in the event of a breach
- Erase personal data once the purpose for which it was collected is fulfilled, unless retention is required by law
- Honour your rights to access, correction, erasure, grievance redressal, and nominating a representative
For grievance redressal, contact our designated representative at likith@gilgamesh.in. We will acknowledge your grievance within 48 hours and resolve it within 30 days.
14. Third-Party Links
Our site may contain links to external websites, social media platforms, or partner tools. These links are provided for convenience only. We have no control over the content, security, or privacy practices of third-party sites and accept no liability for them. We encourage you to review the privacy policy of any site you visit before submitting personal information.
15. Changes to This Policy
We review and update this Privacy Policy periodically to reflect changes in law, our services, or our data practices. When we make material changes, we will update the “Last updated” date at the top of this page and, where required, notify you by email or a prominent notice on our site. Your continued use of the site following any update constitutes acceptance of the revised policy.
We recommend reviewing this page periodically. Previous versions are available upon request.
Questions about this policy? Reach us through any of these:
