Privacy Policy
Privacy & Data Protection Commitment
SecNinjaz Technologies LLP (“the Company”) is committed to protecting personal data in accordance with applicable data protection laws, including the Digital Personal Data Protection Act, 2023 (India) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
The Company acts as a Data Fiduciary under the DPDP Act and as a Data Controller and/or Data Processor under applicable global data protection laws including GDPR, depending on the nature of processing.
1. Introduction
This Privacy Policy describes how SecNinjaz (“we,” “us,” “our”), operating as a Data Fiduciary under the DPDP Act and as a Data Controller or Data Processor under applicable global data protection laws including GDPR, collects, processes, stores, and protects your personal data when you use our website and services.
By using our services, you acknowledge that you have read and understood this Privacy Policy.
2. Definitions
For the purposes of this Privacy Policy:
- "Data Principal" means the individual to whom the personal data relates (you, the user) — as defined under Section 2(j) of the DPDP Act.
- "Data Fiduciary" means the entity that determines the purpose and means of processing personal data (SecNinjaz) — as defined under Section 2(i) of the DPDP Act.
- "Personal Data" means any data about an individual who is identifiable by or in relation to such data — as defined under Section 2(t) of the DPDP Act.
- "Processing" means any operation performed on personal data, including collection, storage, use, sharing, and erasure — as defined under Section 2(x) of the DPDP Act.
- "Consent Manager" means a person registered with the Data Protection Board who acts as a single point of contact for Data Principals to manage their consent — as defined under Section 2(g) of the DPDP Act. SecNinjaz does not currently use a registered Consent Manager. Should one be appointed in the future, this policy will be updated accordingly.
- "Data Processor" means any person who processes personal data on behalf of a Data Fiduciary — as defined under Section 2(k) of the DPDP Act.
The Company may act as a Data Processor when processing personal data on behalf of its clients, including enterprise and government entities, in accordance with contractual obligations and applicable laws.
3. Data We Collect
2.1 Personal Data Provided by You
| Data Element | Purpose | Legal Basis (DPDP & GDPR) |
|---|---|---|
| Email Address | Email verification (OTP), report delivery, domain ownership validation. Note: Only business/organizational email addresses are accepted; free/personal email providers (e.g., Gmail, Yahoo, Outlook) are not permitted. | Consent — Section 6(1) |
| Domain / Target URL | Vulnerability assessment scanning of your authorized domain | Consent — Section 6(1) |
2.2 Personal Data Collected Automatically
| Data Element | Purpose | Legal Basis (DPDP & GDPR) |
|---|---|---|
| IP Address | Rate limiting, abuse prevention, security audit logging | Legitimate Use — Section 7(b) (security of platform) |
| User-Agent String | Bot detection, abuse prevention, security anomaly detection | Legitimate Use — Section 7(b) (security of platform) |
| Browser Session Data | Maintaining session state during scan workflow | Legitimate Use — Section 7(b) (functionality) |
2.3 Data Generated During Service Use
| Data Element | Purpose | Legal Basis (DPDP & GDPR) |
|---|---|---|
| Scan Results & Vulnerability Findings | Delivery of vulnerability assessment report to you | Consent — Section 6(1) |
| Domain Verification Tokens | Proving your ownership/authorization over the scanned domain | Consent — Section 6(1) |
| OTP Verification Records | Email verification audit trail | Legitimate Use — Section 7(b) |
| AI Chat Interactions (if used) | Questions you ask about scan findings via the optional AI chat feature | Consent — Section 6(1) |
2.4 Data We Do NOT Collect
- We do not collect your name, phone number, physical address, or government identifiers.
- We do not require account creation — no usernames or passwords are stored.
- We do not use tracking cookies, advertising cookies, or third-party analytics trackers.
- We do not collect financial or payment data on our platform.
- We do not process data of children (persons under 18 years of age). If we become aware that a child's data has been collected, we will delete it promptly in compliance with Section 9 of the DPDP Act.
3. How We Use Your Data
We process your personal data strictly for the following purposes:
- Service Delivery — To perform the vulnerability assessment you requested on your authorized domain.
- Email Verification — To verify your identity and association with the domain being scanned via OTP.
- Domain Ownership Verification — To confirm you are authorized to request a scan of the target domain (via DNS TXT record, HTML meta tag, or file upload verification).
- Report Generation & Delivery — To compile scan findings into a report and deliver it to your verified email address.
- AI Chat Analysis — To enable you to ask questions about your scan findings and receive AI-generated explanations and recommendations (optional feature; scan findings are processed through our AI service for this purpose).
- Security & Abuse Prevention — To enforce rate limits, detect automated abuse, prevent unauthorized scanning, and maintain platform integrity.
- Audit Logging — To maintain security audit trails as required for information security compliance.
We will never use your personal data for:
- Marketing or promotional communications (unless you explicitly opt in)
- Selling or renting to third parties
- Profiling or automated decision-making
- Purposes unrelated to the services described above
4. Legal Basis for Processing
4.1 How We Obtain Consent
In compliance with Section 6 of the DPDP Act and Rule 3 of the DPDP Rules, 2025:
- Before submitting your email and domain for scanning, you are presented with a clear consent notice in plain English.
- The consent notice specifies:
- The personal data being collected
- The specific purpose of processing
- Your right to withdraw consent at any time
- How to file a grievance with our Grievance Officer
- How to file a complaint with the Data Protection Board of India
- Consent is obtained through an affirmative action (checking a consent checkbox) before form submission.
- Consent is freely given, specific, informed, and unconditional — it is not bundled with acceptance of other terms.
4.2 Withdrawal of Consent
You may withdraw your consent at any time by:
- Emailing our Data Protection Officer at dpo@secninjaz.com
- Using the data deletion request process described in Section 8 below
Upon withdrawal:
- We will cease processing your personal data within 72 hours.
- Any data already processed before withdrawal remains lawfully processed.
- Withdrawal will result in immediate termination of any ongoing or scheduled scans.
4.3 We process personal data based on
- Consent
- Legitimate Use
- Contractual necessity
- Legal obligations
- Legitimate interests
Where applicable under GDPR, processing is carried out in accordance with Article 6 lawful bases.
5. Data Storage & Security
5.1 Where Your Data Is Stored
- All personal data is stored on servers located in India.
- Database: PostgreSQL with encrypted storage.
- Temporary data (OTPs, session tokens): Redis with automatic expiry.
5.2 Security Measures
We implement reasonable security safeguards as required under Section 8(4) of the DPDP Act:
| Security Control | Implementation |
|---|---|
| Encryption at Rest | AES-256-GCM field-level encryption for email addresses and IP addresses |
| Encryption in Transit | TLS 1.2+ for all data transmission |
| OTP Security | HMAC-SHA256 hashing of OTP codes before storage |
| Session Management | UUID-based session tokens stored in browser sessionStorage (cleared on tab close) |
| Access Control | No traditional user accounts; UUID-based access tokens with 72-hour expiry |
| Rate Limiting | 30 requests/minute global; 3 OTP sends/minute; 5 verifications/10 minutes per email |
| PII Masking in Logs | Emails masked as u***@domain.com; IPs masked as IP*** |
| SSRF Prevention | Domain blocklists, private IP range blocking, DNS rebinding protection |
| Network Isolation | Docker network isolation between application and scanning services |
| HTTP Security Headers | Helmet, Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options |
| Input Validation | Joi schema-based validation on all API inputs |
| Automated Data Cleanup | Background job runs every 6 hours to purge expired data |
5.3 Breach Notification
In the event of a personal data breach, we will:
CERT-In Reporting (Information Technology Act, 2000):
- Report the cyber security incident to CERT-In within 6 hours of becoming aware of it, as required under the CERT-In Directions dated 28 April 2022 issued under Section 70B of the IT Act, 2000.
Data Protection Board Notification (DPDP Act, 2023):
- Notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required under Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules, 2025.
Data Principal Notification:
- Notify affected Data Principals without undue delay, providing:
- Nature of the breach
- Categories of personal data affected
- Likely consequences
- Measures taken to address the breach
- Contact details of our Data Protection Officer
6. Data Retention & Deletion
We follow a strict, automated data lifecycle:
| Stage | Duration | What Happens |
|---|---|---|
| Active Access | 0–72 hours after scan completion | Reports accessible via your session token |
| Grace Period | 72–144 hours | Reports return HTTP 410 (Gone); data awaiting deletion |
| Auto-Deletion | After 144 hours (6 days) | All personal data, scan results, findings, and reports permanently deleted |
Specifics:
- OTP codes: Expire in Redis after 10 minutes; hashed copies deleted on verification.
- Email verification tokens: Expire after 30 minutes.
- Session tokens: Cleared when browser tab closes (sessionStorage).
- Domain verification tokens: Deleted with the parent submission.
- Automated cleanup: A background job runs every 6 hours to purge all data older than 144 hours.
We do not retain personal data beyond the retention periods stated above. There is no archival or backup retention of personal data after deletion.
This is in compliance with Section 8(7) of the DPDP Act — data is erased when consent is withdrawn or the specified purpose is no longer being served.
7. Data Sharing & Third Parties
7.1 Third-Party Data Processors
We engage the following Data Processors who process personal data on our behalf, governed by written agreements as required under Section 8(2) of the DPDP Act:
| Third Party | Data Shared | Purpose |
|---|---|---|
| Email Service Provider (e.g., Google Workspace SMTP) | Email address | Sending OTP verification emails and scan reports |
| AI Service Provider (optional, configurable) | Scan findings (non-PII) | Generating executive summaries, remediation steps, compliance mappings, and interactive chat-based analysis of scan findings. We currently support multiple AI providers and plan to transition to an in-house LLM in the future to eliminate external AI data processing. When deployed in sovereignty mode, all AI processing is performed locally with no data sent to external providers. |
| Cloud Infrastructure Provider | All data (encrypted at rest) | Hosting and infrastructure |
7.2 What We Do NOT Share
- We never sell, rent, or trade your personal data to any third party.
- We never share your personal data with advertisers or data brokers.
- We never share raw vulnerability findings with anyone other than the authorized Data Principal who initiated the scan.
- Scan findings for unauthorized (demo) users are redacted server-side — synthetic/placeholder data is shown instead of real findings.
7.3 Legal Disclosures
We may disclose personal data if required by:
- An order of the Data Protection Board of India
- A court of competent jurisdiction in India
- Any obligation under applicable Indian law
8. Your Rights as a Data Principal
Under the DPDP Act, 2023, you have the following rights:
8.1 Right to Access Information (Section 11)
You have the right to:
- Obtain a summary of your personal data being processed
- Know the processing activities undertaken with your data
- Know the identities of all Data Processors and third parties with whom your data has been shared
How to exercise: Email dpo@secninjaz.com with subject line "Data Access Request."
8.2 Right to Correction (Section 12(1))
You have the right to:
- Correct inaccurate or misleading personal data
- Complete incomplete personal data
- Update personal data that is no longer current
How to exercise: Email dpo@secninjaz.com with subject line "Data Correction Request."
8.3 Right to Erasure (Section 12(2))
You have the right to request deletion of your personal data. Given our automated 144-hour deletion cycle, most data is automatically erased. For immediate deletion:
How to exercise: Email dpo@secninjaz.com with subject line "Data Erasure Request." We will process your request within 72 hours.
8.4 Right to Grievance Redressal (Section 13)
You have the right to register a grievance with our Grievance Officer. See Section 13 of this policy for the full grievance redressal process.
8.5 Right to Nominate (Section 14)
You have the right to nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity.
How to exercise: Email dpo@secninjaz.com with subject line "Nomination Request" along with the nominee's details.
8.6 Right to Complaint (Section 13(2))
If you are not satisfied with our response to your grievance, you have the right to file a complaint with the Data Protection Board of India.
Response Timelines:
- We will acknowledge your request within 48 hours.
- We will fulfill your request within 7 days (or inform you of any delay and the reason).
9. Cross-Border Data Transfers
- By default, all personal data is processed and stored within India.
- We do not transfer personal data outside India unless:
- It is transferred to a country or territory notified by the Central Government as permissible under Section 16(1) of the DPDP Act.
- The transfer is necessary to fulfil the service you requested (e.g., email delivery via a global email service provider), and appropriate safeguards are in place.
- Data Sovereignty Configuration: Our platform architecture supports deployment configurations where all processing — including scanning infrastructure — remains entirely within Indian jurisdiction. Contact us at contact@secninjaz.com for details on data sovereignty deployment options.
- Where applicable, cross-border transfers are carried out using legally approved safeguards such as adequacy decisions or Standard Contractual Clauses (SCCs) or equivalent mechanisms under applicable laws.
10. Your Rights as a Data Principal / Data Subject
Under Section 10 of the DPDP Act, the Central Government may notify certain Data Fiduciaries as Significant Data Fiduciaries (SDF) based on the volume and sensitivity of personal data processed, risk to Data Principals, and other factors.
As of the date of this policy, SecNinjaz has not been notified as a Significant Data Fiduciary. However, we voluntarily adopt the following SDF-level practices as a matter of good governance:
- Data Protection Officer — Appointed and contactable at dpo@secninjaz.com
- Periodic Data Protection Impact Assessments — Conducted for new features and processing activities
- Annual Data Audit — Internal review of data processing practices and compliance
Additional Rights (GDPR)
If you are located in jurisdictions such as the European Economic Area (EEA), you may also have the following rights:
- Right to Data Portability
- Right to Restrict Processing
- Right to Object to Processing
- Right to Withdraw Consent
If SecNinjaz is notified as an SDF in the future, we will comply with all additional obligations including appointing an independent data auditor and publishing audit reports as required.
11. Children's Data
- We do not knowingly collect or process personal data of children (individuals under 18 years of age) as defined under Section 9 of the DPDP Act.
- We do not offer services directed at children.
- If we become aware that a child's personal data has been collected without verifiable parental/guardian consent, we will delete such data immediately.
- We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children.
12. Duties of Data Principal
In accordance with Section 15 of the DPDP Act, as a Data Principal you have the following duties:
- You shall not impersonate another person while providing personal data.
- You shall not suppress any material information when submitting data.
- You shall not register a frivolous or false grievance or complaint.
- You shall furnish only authentic and verifiable information when exercising your rights under this policy.
- You warrant that the domain submitted for scanning is owned or authorized by you.
13. Grievance Redressal Mechanism
In compliance with Section 13 of the DPDP Act and Rule 6 of the DPDP Rules, 2025:
Data Protection Officer:
- Name: Arjun Singh
- Email: dpo@secninjaz.com
- Postal Address: 512-514 Best Business Park Plot No.: P2, Netaji Subhash Place, Delhi, 110034
Process:
- Submit your grievance via email to dpo@secninjaz.com with the subject "Grievance: [Brief Description]."
- You will receive an acknowledgement within 48 hours with a unique grievance reference number.
- We will investigate and respond to your grievance within 7 days of acknowledgement.
- If you are unsatisfied with our resolution, you may escalate to the Data Protection Board of India as per Section 13(2) of the DPDP Act.
14. Changes to This Policy
- We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- Material changes will be communicated via:
- A prominent notice on our website
- Email notification to active users (where applicable)
- The "Last Updated" date at the top of this policy will reflect the latest revision.
- Continued use of our services after a policy update constitutes your acceptance of the revised policy. Where required under the DPDP Act, we will obtain fresh consent for material changes.
15. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or your personal data:
SecNinjaz Cybersecurity Services
- Website: https://secninjaz.com
- Data Protection Officer: dpo@secninjaz.com
- General Enquiries: contact@secninjaz.com
- Postal Address: 512-514 Best Business Park Plot No.: P2, Netaji Subhash Place, Delhi, 110034
16. Governing Law & Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of courts in New Delhi, India, and the Data Protection Board of India as applicable.
This Privacy Policy was last reviewed and published on 25 March 2026.