Privacy Policy

How Avythera collects, uses, and protects your personal data — and the rights you have over it.

This Privacy Policy describes how Avythera ("Avythera", "we", "us", or "our"), a software studio based in Bangalore, Karnataka, India, collects, uses, shares, and protects personal data relating to visitors to the website at avythera.com (the "Site") and to prospective and existing clients ("you" or "Data Principal"). This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and the rules framed thereunder.

01Who we are (Data Fiduciary)

For the purposes of the DPDP Act, Avythera is the Data Fiduciary in respect of the personal data described in this Policy. Our contact details are set out in Section 11.

02What we collect

We collect only the personal data that is reasonably necessary for the purposes described in this Policy. We do not knowingly collect special categories of sensitive personal data unless expressly required for a specific engagement and with your explicit consent.

03How we use it (Purpose & Lawful Basis)

We process personal data on the following lawful bases under the DPDP Act:

• Your consent — when you submit an enquiry, subscribe to updates, or voluntarily share information.
• Legitimate uses — to respond to communications you initiate (including via the "Let's talk" link that opens WhatsApp), to provide services you have requested, and for employment, employment-related benefits, and similar uses as permitted under Section 7 of the DPDP Act.
• Performance of contract — to perform our obligations under a Statement of Work or other written agreement with you.
• Legal obligation — to comply with applicable tax, accounting, anti-money-laundering, and other statutory requirements.

The specific purposes include:

1. Responding to project enquiries and providing proposals.
2. Negotiating, executing, and performing engagements.
3. Issuing invoices and processing payments.
4. Maintaining books of account and statutory records.
5. Operating, securing, and improving the Site.
6. Sending service communications (e.g., delivery notifications, scheduled maintenance).
7. Sending occasional marketing updates — only where you have opted in, and with an unsubscribe mechanism in each message.
8. Establishing, exercising, or defending legal claims.

04Cookies & Similar Technologies

The Site is a static single-page website and does not use tracking cookies, advertising pixels, cross-site trackers, or behavioural analytics. Your browser may retain standard technical data (cache, local storage for fonts) that is essential to rendering the Site. If we introduce analytics in future, this Policy will be updated and, where required, consent will be sought through a cookie banner.

05Third parties & sharing

We do not sell, rent, or trade personal data. We share it only with:

• Processors acting on our behalf — such as hosting providers (Cloudflare), email providers, accounting and invoicing platforms, and secure communication tools. These processors are bound by written agreements requiring confidentiality, purpose limitation, and appropriate security measures.
• Professional advisors — our lawyers, auditors, and tax consultants, where required.
• Regulators and authorities — where disclosure is required by law, court order, or lawful request from an authority with appropriate jurisdiction.
• Successors — in the event of a merger, acquisition, reorganisation, or sale of substantially all our assets, personal data may be transferred as part of that transaction, subject to equivalent protections.

06Cross-border transfers

Some of our processors (e.g., hosting, email) may process personal data on servers located outside India. Where this occurs, we ensure that the transfer is to a jurisdiction that is not restricted by the Central Government under the DPDP Act, and that appropriate contractual safeguards are in place with the processor.

07Data retention

We retain personal data only for as long as is necessary for the purposes set out in this Policy:

• Enquiries that do not lead to engagement — deleted or anonymised within 24 months of the last interaction.
• Client engagement records — retained for the duration of the engagement and for eight (8) years thereafter, or such longer period as may be required under the Income-tax Act, 1961, the Companies Act, 2013, the GST Act, or other applicable law.
• Statutory records (invoices, tax filings) — retained for the period prescribed by applicable law.
• Marketing preferences — retained until you withdraw consent, plus a short record of the opt-out to honour your preference.

On expiry of the applicable retention period, we delete or irreversibly anonymise the data, unless continued retention is required by law or to establish, exercise, or defend legal claims.

08Your rights

Under the DPDP Act, you have the following rights in respect of your personal data:

1. Right to access — to obtain confirmation of processing, a summary of the personal data held, the processing activities undertaken, and the identities of processors and third parties with whom the data has been shared.
2. Right to correction and erasure — to have inaccurate or misleading data corrected, incomplete data completed, out-of-date data updated, and data no longer necessary for the stated purpose erased (subject to legal retention obligations).
3. Right to grievance redressal — to raise concerns with our Grievance Officer (Section 11) before approaching the Data Protection Board of India.
4. Right to nominate — to nominate another individual to exercise your rights in the event of your death or incapacity.
5. Right to withdraw consent — where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal or processing that relies on a separate lawful basis.

To exercise any of these rights, write to info@avythera.com with the subject line "Data Principal Request". We will respond within the timelines prescribed under applicable law.

09Security

We take reasonable security safeguards, appropriate to the nature of the data and the risks involved, to protect personal data against unauthorised access, disclosure, alteration, or loss. Measures include TLS encryption in transit, restricted access on a need-to-know basis, segregation of client data, periodic credential rotation, and secure storage for contractual records.

Despite these measures, no method of transmission or storage is entirely secure. In the event of a personal data breach, we shall notify the affected Data Principals and the Data Protection Board of India as required under the DPDP Act.

10Children's data

Our services are not directed at children (persons under 18 years of age). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected such data, we will delete it promptly and, where required, obtain verifiable parental consent in accordance with Section 9 of the DPDP Act.

11Grievance Officer & contact

In compliance with Rule 5(9) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and Section 8(9) of the DPDP Act, the contact details of our Grievance Officer are:

If your concern is not resolved to your satisfaction, you may approach the Data Protection Board of India as constituted under the DPDP Act.

12Changes to this Policy

We may update this Policy from time to time to reflect changes in law, technology, or our practices. The version number at the top of this Policy will be incremented on each material revision. Material changes will be communicated by updating the Policy on the Site and, where appropriate, through a direct notice.