logo
Say Hello

Privacy Policy

Last Updated: November 18, 2025

Effective Date: November 18, 2025

1. Introduction

This Privacy Policy describes how Koncepts Lab Private Limited ("Company", "we", "our", "us") collects, uses, processes, and protects personal information when you visit our website, engage with our digital services, or use our web applications.

This policy applies globally and is designed to comply with:

  • GDPR (General Data Protection Regulation) - EU Regulation 2016/679
  • India's Digital Personal Data Protection Act, 2023 (DPDPA)
  • Saudi Data & AI Authority (SDAIA) regulations and guidelines
  • Personal Data Protection Law (PDPL) of Saudi Arabia
  • Other applicable data protection laws in jurisdictions where we operate

This document can be printed for reference using the print command in your browser.

2. Data Controller Information

Koncepts Lab Private Limited
Registered Address: [Complete Address], Kochi, Kerala, India
CIN: [Company Identification Number]

Contact Information:

Data Protection Officer (DPO):

For GDPR-related inquiries, EU data subjects may contact our EU Representative at: [EU Representative Contact - if applicable]
For Saudi Arabia-related inquiries regarding SDAIA/PDPL compliance: compliance@konceptslab.com

3. Types of Data Collected

3.1 Personal Information

We may collect the following categories of personal data:

A. Identity & Contact Data:

  • Name, email address, phone number
  • Company name, job title, professional details
  • Communication preferences
  • Government-issued identification (when required for specific projects)

B. Technical & Usage Data:

  • IP address, browser type, device information
  • Operating system, screen resolution
  • Pages visited, time spent, click patterns
  • Referral source, search terms used
  • Location data (country, city-level)

C. Communication Data:

  • Messages sent via contact forms
  • Project inquiry details
  • Support tickets and correspondence
  • Feedback and survey responses

D. Marketing & Analytics Data:

  • Cookie identifiers
  • Advertising IDs
  • Campaign interaction data
  • Social media engagement metrics

E. Application Data:

  • User account information
  • Application usage patterns
  • Feature interactions
  • User-generated content within applications

F. Special Categories (where applicable): For projects involving Saudi government entities regulated by the Saudi Data & AI Authority (SDAIA):

  • Project-specific personal data as defined in service agreements
  • Data processed in accordance with SDAIA's National Data Management Office (NDMO) frameworks
  • Data stored through approved cloud infrastructure meeting Saudi regulatory requirements

4. Legal Basis for Processing

We process personal data based on one or more of the following legal grounds:

4.1 For GDPR (EU Data Subjects):

  • Consent: You have explicitly consented to processing (Art. 6(1)(a) GDPR)
  • Contract Performance: Processing is necessary to fulfill our services (Art. 6(1)(b) GDPR)
  • Legal Obligation: Required to comply with EU or Member State law (Art. 6(1)(c) GDPR)
  • Legitimate Interests: For our business operations, provided your rights don't override (Art. 6(1)(f) GDPR)

4.2 For India DPDPA:

  • Valid consent obtained through clear, affirmative action
  • Performance of contract or service provision
  • Compliance with legal obligations under Indian law
  • Legitimate purposes as defined under DPDPA

4.3 For Saudi Arabia (PDPL/SDAIA):

  • Explicit consent in accordance with PDPL requirements
  • Contractual necessity for service delivery
  • Compliance with SDAIA regulations and guidelines
  • Legal obligations under Saudi Arabian law

5. Purposes of Data Collection & Processing

We collect and process personal data for the following purposes:

5.1 Service Delivery

  • Provide website functionality and digital services
  • Operate and maintain web applications
  • Respond to inquiries, project requests, and support
  • Execute contracts and deliver project outcomes
  • Manage client relationships and communications

5.2 Analytics & Improvement

  • Analyze website and application traffic and user behavior
  • Improve usability, functionality, and performance
  • Conduct A/B testing and user experience research
  • Generate insights for business intelligence

5.3 Marketing & Communications

  • Send promotional materials and newsletters (with consent)
  • Run targeted advertising campaigns
  • Conduct customer satisfaction surveys
  • Manage social media engagement

5.4 Legal & Compliance

  • Comply with Indian, EU, and Saudi Arabian laws
  • Meet GDPR, DPDPA, and SDAIA regulatory requirements
  • Respond to legal requests and court orders
  • Prevent fraud, security threats, and misuse
  • Maintain records for audit and accountability

5.5 Saudi Regulatory Compliance (where applicable)

  • Process data in accordance with SDAIA's National Data Management Office protocols
  • Implement solutions aligned with Saudi Arabia's digital transformation initiatives
  • Ensure compliance with Personal Data Protection Law (PDPL)
  • Meet data localization requirements when mandated

6. Data Processing Methods & Security

6.1 Processing Methods

We process data using:

  • Secure IT systems with encryption (AES-256 or equivalent)
  • Access controls and role-based permissions
  • Automated and manual processing tools
  • Secure cloud infrastructure (AWS, Google Cloud, Azure)
  • SDAIA-approved infrastructure where required for Saudi regulatory compliance

Data is accessible only to:

  • Authorized employees (administration, marketing, IT, legal teams)
  • Third-party processors bound by strict confidentiality agreements
  • Authorized personnel as required by regulatory frameworks

6.2 Security Measures

  • Industry-standard encryption (in transit and at rest)
  • Multi-factor authentication (MFA)
  • Regular security audits and penetration testing
  • Firewalls and intrusion detection systems
  • ISO 27001 and SOC 2 compliant infrastructure
  • Compliance with SDAIA cybersecurity standards where applicable

Important: While we implement robust security measures, no internet-based system is 100% secure. We cannot guarantee absolute security but commit to maintaining industry best practices.

7. Data Retention

7.1 General Retention Periods

  • Marketing data: 2 years from last interaction (or until consent withdrawal)
  • Client project data: 7 years after project completion (for legal/accounting purposes)
  • Website analytics: 26 months (Google Analytics default)
  • Support communications: 3 years from resolution
  • Legal/compliance records: As required by applicable law (typically 7-10 years)

7.2 GDPR-Specific Retention

  • Data will not be kept longer than necessary for the specified purpose
  • Retention periods align with legitimate business interests and legal requirements
  • Automated deletion or anonymization after retention period expires

7.3 Saudi Regulatory Requirements

  • Retention periods comply with SDAIA guidelines where applicable
  • Government-related data stored per regulatory requirements
  • Minimum retention as per Saudi Arabian legal obligations

You may request early deletion subject to legal retention requirements.

8. International Data Transfers

8.1 Transfer Mechanisms

As an India-based company serving clients globally, including in the EU and Saudi Arabia, we may transfer data internationally. We ensure adequate protection through:

For EU Data (GDPR):

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Binding Corporate Rules (if applicable)
  • Additional safeguards including encryption and access controls

For Saudi Data (SDAIA/PDPL):

  • Transfers comply with PDPL Article 26 requirements
  • SDAIA approval obtained where necessary
  • Data localization requirements met when mandated by Saudi regulations
  • Cross-border transfer agreements with appropriate safeguards

For India Data (DPDPA):

  • Transfers to approved jurisdictions or with adequate safeguards
  • Contractual protections ensuring equivalent data protection standards

8.2 Third Countries

We may transfer data to:

  • United States: Under SCCs and additional safeguards
  • Saudi Arabia: With appropriate regulatory compliance mechanisms
  • Other jurisdictions: Only with appropriate legal mechanisms in place

9. Third-Party Services & Processors

We engage the following categories of third-party processors:

9.1 Analytics & Tracking

  • Google Analytics (Alphabet Inc., USA) - Website analytics
  • Meta Pixel (Meta Platforms, USA) - Advertising analytics
  • Hotjar (Malta) - Behavior analytics

9.2 Marketing & Advertising

  • Google Ads (Alphabet Inc., USA)
  • Meta Ads (Meta Platforms, USA)
  • LinkedIn Marketing (Microsoft, USA)
  • Mailchimp/SendGrid - Email marketing

9.3 Infrastructure & Hosting

  • AWS/Google Cloud/Azure - Cloud hosting
  • Cloudflare - CDN and security

9.4 Regulatory Compliance Services

  • SDAIA-approved service providers where required
  • Cloud infrastructure meeting Saudi regulatory standards
  • Other jurisdiction-specific compliance services

All processors are contractually bound to:

  • Process data only per our instructions
  • Implement appropriate security measures
  • Maintain confidentiality
  • Comply with GDPR, DPDPA, and SDAIA requirements
  • Notify us of data breaches within 24 hours

External Links: Our website may link to third-party websites. We are not responsible for their privacy practices. Please review their policies before sharing data.

10. Your Rights

10.1 Rights Under GDPR (EU Data Subjects)

You have the following rights:

  1. Right of Access (Art. 15): Obtain confirmation of data processing and copies of your data
  2. Right to Rectification (Art. 16): Correct inaccurate or incomplete data
  3. Right to Erasure (Art. 17): Request deletion ("right to be forgotten")
  4. Right to Restrict Processing (Art. 18): Limit how we use your data
  5. Right to Data Portability (Art. 20): Receive data in machine-readable format
  6. Right to Object (Art. 21): Object to processing, especially for direct marketing
  7. Rights Related to Automated Decision-Making (Art. 22): Not be subject to solely automated decisions with legal effects
  8. Right to Withdraw Consent (Art. 7): Withdraw consent at any time
  9. Right to Lodge a Complaint: File complaints with supervisory authorities

EU Supervisory Authorities:

10.2 Rights Under India DPDPA

As a Data Principal in India, you have:

  1. Right to Access: Obtain information about data processing
  2. Right to Correction: Correct inaccurate data
  3. Right to Erasure: Request deletion (with exceptions)
  4. Right to Grievance Redressal: File complaints with Data Protection Board of India
  5. Right to Nominate: Designate another person to exercise rights in case of death/incapacity

India Grievance Officer:

Data Protection Board of India: [Link when available]

10.3 Rights Under Saudi Arabia PDPL (SDAIA)

For data processed under Saudi jurisdiction:

  1. Right to Access: Request copies of personal data
  2. Right to Rectification: Correct or update data
  3. Right to Erasure: Request deletion (subject to legal requirements)
  4. Right to Object: Object to processing for specific purposes
  5. Right to Withdraw Consent: Revoke consent for processing
  6. Right to Complaint: File complaints with SDAIA

Saudi Data & AI Authority (SDAIA):

  • Website: https://sdaia.gov.sa
  • Email: [SDAIA contact]
  • National Data Management Office (NDMO) complaints: [Contact details]

10.4 Exercising Your Rights

How to Submit Requests:

Response Timeline:

  • GDPR: Within 1 month (extendable to 3 months for complex requests)
  • DPDPA: As soon as reasonably practicable (typically within 72 hours to 30 days)
  • PDPL/SDAIA: Within timeframes specified by Saudi regulations

Verification: We may request identification to verify your identity before processing requests.
No Fees: Requests are generally free. Excessive or repetitive requests may incur reasonable fees.

11. Cookies & Tracking Technologies

11.1 Types of Cookies We Use

  • Essential Cookies: Required for website functionality (session management, security)
  • Performance Cookies: Analyze website usage (Google Analytics, Hotjar)
  • Functional Cookies: Remember preferences and settings
  • Targeting/Advertising Cookies: Deliver relevant ads (Google Ads, Meta Pixel)

11.2 Cookie Management

You can control cookies through:

Note: Disabling essential cookies may affect website functionality.

11.3 Do Not Track (DNT)

We currently do not respond to DNT signals but honor explicit cookie preferences.
For detailed information, please refer to our Cookie Policy: [Link]

12. Automated Decision-Making & Profiling

12.1 Use of Automated Processing

We may use automated processing and profiling for:

  • Personalization: Tailored user experiences in our applications
  • Analytics: Understanding user behavior patterns
  • Marketing: Targeted advertising and recommendations
  • Security: Fraud detection and prevention

12.2 Your Rights

  • Transparency: We inform you when automated decisions significantly affect you
  • Human Oversight: Significant decisions involve human review
  • Right to Explanation: You can request information about automated decisions
  • Right to Object: You may object to automated decision-making (GDPR Art. 22)
  • Right to Human Intervention: Request human review of automated decisions

12.3 Compliance

Our automated processing complies with:

  • GDPR requirements for automated individual decision-making
  • SDAIA guidelines on algorithmic transparency and accountability
  • DPDPA provisions on automated processing

13. Children's Privacy

Our services are not directed to individuals under 18 years of age (or the age of majority in their jurisdiction).

We do not knowingly collect personal data from children. If we discover that a child's data has been collected without proper parental consent:

GDPR: For EU children under 16, we require parental consent for information society services.
DPDPA: We comply with India's requirements for processing data of individuals under 18.
PDPL/SDAIA: We adhere to Saudi Arabian laws regarding minors' data.

14. Data Breach Notification

In the event of a personal data breach involving client data, notification obligations will be determined based on the applicable regulations governing the client's jurisdiction and the nature of the data processed.

14.1 GDPR Obligations (for EU-based clients or EU data subjects)

  • Supervisory Authority: Notification within 72 hours of becoming aware of the breach
  • Data Subjects: Notification without undue delay if high risk to rights/freedoms
  • Breach Details: Nature, categories, approximate numbers, consequences, and remedial measures

14.2 DPDPA Obligations (for India-based clients or Indian data principals)

  • Data Protection Board of India: Notification as required upon becoming aware of the breach
  • Data Principals: Notification in accordance with DPDPA provisions

14.3 SDAIA/PDPL Obligations (for Saudi Arabia-based clients or Saudi data subjects)

  • SDAIA/NDMO: Notification per Saudi regulatory requirements
  • Affected Individuals: Notification per PDPL requirements
  • National Cybersecurity Authority (NCA): Coordination on cybersecurity incidents where applicable

14.4 Notification Process

  • Breach notifications will be made in accordance with the client's applicable regulatory framework
  • The client will be informed immediately upon breach discovery
  • Regulatory notifications will be coordinated with the client and executed within the legal timeframes required by their jurisdiction
  • The Company will assist the client in fulfilling their data breach notification obligations as per applicable law

15. Multi-Jurisdictional Compliance

15.1 Saudi Arabia (SDAIA/PDPL)

Where our services involve Saudi users or entities:

  • Data Localization: Compliance with Saudi data residency requirements when mandated
  • SDAIA Oversight: Adherence to National Data Management Office (NDMO) policies
  • Cloud Services: Use of approved cloud platforms meeting Saudi standards
  • Regulatory Alignment: Support for Saudi Arabia's digital transformation initiatives

15.2 India

  • Compliance with Indian IT Act, 2000 and Rules
  • Cooperation with Indian Computer Emergency Response Team (CERT-In)
  • Adherence to RBI, SEBI, and sector-specific regulations where applicable

15.3 European Union

  • Cooperation with EU supervisory authorities
  • Response to EU data subject requests and complaints
  • Participation in GDPR enforcement proceedings when applicable

16. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time to reflect:

  • Changes in our data processing practices
  • New legal or regulatory requirements (GDPR, DPDPA, SDAIA updates)
  • Enhanced security measures or technologies
  • Organizational changes

16.1 Notification of Changes

  • Material Changes: We will notify you via email or prominent website notice
  • Minor Changes: Posted on this page with updated "Last Updated" date
  • Continued Use: Constitutes acceptance of revised policy

16.2 Version History

We maintain a version history available upon request at dpo@konceptslab.com.

17. Jurisdiction & Dispute Resolution

17.1 Governing Law

This Privacy Policy is governed by:

  • Indian Law: For India-based operations and DPDPA compliance
  • EU Law (GDPR): For EU data subjects
  • Saudi Arabian Law (PDPL): For Saudi-based processing and SDAIA-regulated activities

17.2 Dispute Resolution

Disputes will be resolved through:

  1. Good-faith negotiations
  2. Mediation or arbitration (as per applicable law)
  3. Competent courts in:
    • India: Kochi, Kerala courts for Indian matters
    • EU: Supervisory authority jurisdiction for GDPR matters
    • Saudi Arabia: Relevant Saudi courts/SDAIA for PDPL matters

18. Contact Information & Complaints

18.1 General Inquiries

18.2 Data Protection Officer (DPO)

18.3 Compliance & Regulatory Contacts

GDPR/EU Matters:

  • EU Representative (if applicable): [Contact]
  • EU Supervisory Authority: [Relevant DPA link]

India DPDPA Matters:

Saudi Arabia PDPL/SDAIA Matters:

18.4 Emergency Data Breach Contact

  • 24/7 Breach Hotline: [Emergency Contact]

19. Acknowledgment & Consent

By using our website and services, you acknowledge that you have read, understood, and agree to this Privacy Policy.

For GDPR: Your continued use after policy updates constitutes acceptance.

For DPDPA: We obtain explicit consent for data processing where required by Indian law.

For PDPL/SDAIA: We ensure consent complies with Saudi Arabian requirements.

Consent Withdrawal: You may withdraw consent at any time by contacting dpo@konceptslab.com.