Privacy Policy.

1. Who we are

CertiTrust Consulting ("we", "us", "our") is a professional services firm providing ISO 27001:2022, ISO 27701:2025, SOC 2, IT audit, and cybersecurity advisory services. Our registered office is at 305, Vihav Business Square, Nr. HCG Cancer Hospital, Sun Pharma Road, Atladara, Vadodara — 390012, Gujarat, India.

For data protection queries, contact us at: audit@itauditor.co.in

2. What personal data we collect

We collect only the personal data necessary to respond to your enquiry or deliver our services:

• Name and job title
• Business email address and phone number
• Organisation name and nature of engagement
• Any details you voluntarily provide in enquiry forms or email correspondence

We do not collect sensitive personal data (as defined under the DPDP Act), payment card information, or government-issued identification numbers through this website.

3. How we use your data

We use your personal data solely to:

• Respond to your enquiry or readiness review request
• Communicate scope, timelines, and proposals for consulting engagements
• Deliver contracted services and fulfil legal or regulatory obligations
• Improve our website and service quality (in anonymised, aggregate form only)

We do not use your data for automated profiling, targeted advertising, or sale to third parties.

4. Legal basis for processing

We process your personal data on the following bases under the DPDP Act: (a) consent — provided when you submit a contact form or email us; (b) legitimate interest — to respond to business enquiries; and (c) contractual necessity — where data processing is required to deliver agreed services.

5. Third-party services

This website uses the following third-party services that may process limited technical data:

• Web3Forms (web3forms.com) — processes contact form submissions to deliver them to our inbox. Subject to their own privacy policy.
• Google Fonts — fonts are loaded from Google servers. Google may collect basic access data. See Google Privacy Policy.
• Microsoft Bookings — if you use the booking link, Microsoft processes scheduling data subject to their privacy policy.

We do not use tracking pixels, third-party advertising networks, or any analytics platform on this website.

6. Data retention

We retain enquiry data for up to 24 months from the date of last contact, or as required by applicable law or the terms of a signed engagement. Data is securely deleted or anonymised thereafter.

7. Your rights under the DPDP Act

As a data principal under the DPDP Act, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete personal data
• Withdraw consent at any time (without affecting prior processing)
• Nominate a person to exercise rights on your behalf
• Raise a grievance with us, and escalate to the Data Protection Board of India if unresolved

To exercise any of these rights, email us at audit@itauditor.co.in. We will respond within 30 days.

8. Security

We apply technical and organisational measures proportionate to the risk — including HTTPS transmission, access controls, and data-minimisation practices — to protect your personal data. As an information security consulting firm, the same standards we advise our clients to adopt are applied internally.

9. Cookies

This website does not use tracking cookies, analytics cookies, or advertising cookies. Only technically necessary session behaviour is maintained in your browser during your visit. No cookie consent banner is required.

10. Changes to this policy

We may update this policy to reflect changes in law or our practices. The "last updated" date at the top of this page will reflect any revision. Continued use of the website after an update constitutes acceptance of the revised policy.

11. Contact & grievance

For any privacy-related query or grievance, contact: