LEGAL

Privacy Policy.

Effective date: 24 May 2026

Last updated: 24 May 2026

This Privacy Policy explains how Shyam Sundar MV, operating as SSUNDAR ("SSUNDAR", "we", "us", "our"), collects, uses, stores, and protects personal data when you visit ssundar.com and app.ssundar.com (the "Site"). This policy complies with the General Data Protection Regulation (GDPR), the EU ePrivacy Directive, the India Digital Personal Data Protection Act 2023 (DPDP Act), and other applicable data protection laws.

1. Who we are — Data Controller.

Data Controller / Data Fiduciary:
Shyam Sundar MV, operating as SSUNDAR
Bangalore, Karnataka, India
shyam@ssundar.com

SSUNDAR is the data controller for personal data collected through this Site. As a sole proprietorship headquartered in India serving a global audience, SSUNDAR processes personal data in accordance with Indian law (DPDP Act 2023) and, where applicable to EU/EEA residents, in accordance with the GDPR.

For GDPR purposes, if you are located in the EU/EEA, you may contact us at the email above with any data protection enquiries. We do not currently have a designated EU Representative or Data Protection Officer, as our processing activities do not meet the thresholds requiring mandatory appointment under Articles 27 and 37 of the GDPR. This position will be reviewed as the volume of EU data subject interactions grows.

2. Data we collect and legal basis for processing.

We collect personal data only when you actively provide it or through automated means necessary to operate the Site. We process each category of data on a specific legal basis as set out below.

2a. Enquiry and contact form data

Data collected: Company name, your role/title, organisation size, challenge description, email address, and timeline (as entered by you in the engagement form).

How collected: When you submit the engagement form on ssundar.com/engage. Form data is transmitted via Formspree (formspree.io) and delivered to shyam@ssundar.com.

Purpose: To review your enquiry and respond with a preliminary assessment or engagement scope.

Legal basis (GDPR): Article 6(1)(b) — processing necessary for pre-contractual steps taken at your request; and Article 6(1)(f) — legitimate interests of SSUNDAR in responding to business enquiries.

Legal basis (DPDP Act 2023): Consent provided at point of form submission; and legitimate uses under Section 7.

Retention: Retained for the duration of the business enquiry and up to 3 years thereafter for record-keeping, unless you request earlier deletion.

2b. Analytics data — Google Analytics 4

Data collected: Anonymised behavioural data including pages visited, session duration, traffic source, approximate geographic location (country/city level), browser type, device type, and interaction events. IP addresses are anonymised before storage. SSUNDAR does not enable Google Signals or cross-device tracking.

How collected: Via the Google Analytics 4 measurement tag (ID: G-17GGZ3QCQF), loaded only after you provide explicit consent via our cookie banner.

Purpose: To understand how visitors use the Site and improve content and experience.

Legal basis (GDPR): Article 6(1)(a) — your explicit consent, obtained before any analytics tag is loaded.

Legal basis (DPDP Act 2023): Consent — explicit opt-in via cookie banner.

Processor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Data may be transferred to Google servers in the United States under Standard Contractual Clauses (SCCs) approved by the European Commission.

Retention: 14 months. Opt out at any time via our cookie banner or Google's opt-out tool.

2c. Session recording — Microsoft Clarity

Data collected: Anonymised session recordings, mouse movements, click patterns, and scroll behaviour. Clarity masks all text inputs by default and does not collect personally identifiable information from page content.

How collected: Via Microsoft Clarity tag (ID: venlbqedo4), loaded only after you provide explicit consent via our cookie banner.

Purpose: To identify usability issues and improve the Site experience.

Legal basis (GDPR): Article 6(1)(a) — your explicit consent.

Legal basis (DPDP Act 2023): Consent — explicit opt-in.

Processor: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA. Transfers to the USA are covered by Standard Contractual Clauses.

Retention: 30 days per Microsoft's default configuration.

2d. Bot protection — hCaptcha

Data collected: Technical signals for bot detection including IP address, browser characteristics, and interaction patterns with the engagement form. hCaptcha operates in passive/invisible mode — it does not present visual challenges to real users.

How collected: Via hCaptcha widget on the /engage page (Site Key: 16ec905c-b510-4e06-afa8-12ee634e35a6). The secret validation key is held solely by Formspree and is never exposed to the browser.

Purpose: Security — protecting the engagement form from automated spam and malicious bots.

Legal basis (GDPR): Article 6(1)(f) — legitimate interests in protecting infrastructure and enquiry integrity.

Legal basis (DPDP Act 2023): Legitimate uses — security and fraud prevention under Section 7(g).

Processor: Intuition Machines, Inc. (hCaptcha), USA. See hcaptcha.com/privacy.

2e. Server and hosting logs

Data collected: Standard server logs including IP address, browser type, OS, referring URL, pages accessed, and timestamps — collected automatically by Netlify (our hosting provider).

Purpose: Site security, uptime monitoring, and troubleshooting.

Legal basis (GDPR): Article 6(1)(f) — legitimate interests in maintaining Site se