1. Who we are — Data Controller.
Data Controller / Data Fiduciary:
Shyam Sundar MV, operating as SSUNDAR
Hyderabad, Telangana, India
privacy@ssundar.com
SSUNDAR is the data controller for personal data collected through this Site. As a sole proprietorship headquartered in India serving a global audience, SSUNDAR processes personal data in accordance with Indian law (DPDP Act 2023) and, where applicable to EU/EEA residents, in accordance with the GDPR.
For GDPR purposes, if you are located in the EU/EEA, you may contact us at the email above with any data protection enquiries. We do not currently have a designated EU Representative or Data Protection Officer, as our processing activities do not meet the thresholds requiring mandatory appointment under Articles 27 and 37 of the GDPR. This position will be reviewed as the volume of EU data subject interactions grows.
2. Data we collect and legal basis for processing.
We collect personal data only when you actively provide it or through automated means necessary to operate the Site. We process each category of data on a specific legal basis as set out below.
2a. Enquiry and contact form data
Data collected: Company name, your role/title, organisation size, challenge description, email address, and timeline (as entered by you in the engagement form).
How collected: When you submit the engagement form on ssundar.com/engage. Form data is transmitted via Formspree (formspree.io) and delivered to shyam@ssundar.com.
Purpose: To review your enquiry and respond with a preliminary assessment or engagement scope.
Legal basis (GDPR): Article 6(1)(b) — processing necessary for pre-contractual steps taken at your request; and Article 6(1)(f) — legitimate interests of SSUNDAR in responding to business enquiries.
Legal basis (DPDP Act 2023): Consent provided at point of form submission; and legitimate uses under Section 7.
Retention: Retained for the duration of the business enquiry and up to 3 years thereafter for record-keeping, unless you request earlier deletion.
2b. Analytics data — Google Analytics 4
Data collected: Anonymised behavioural data including pages visited, session duration, traffic source, approximate geographic location (country/city level), browser type, device type, and interaction events. IP addresses are anonymised before storage. SSUNDAR does not enable Google Signals or cross-device tracking.
How collected: Via the Google Analytics 4 measurement tag (ID: G-17GGZ3QCQF), loaded only after you provide explicit consent via our cookie banner.
Purpose: To understand how visitors use the Site and improve content and experience.
Legal basis (GDPR): Article 6(1)(a) — your explicit consent, obtained before any analytics tag is loaded.
Legal basis (DPDP Act 2023): Consent — explicit opt-in via cookie banner.
Processor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Data may be transferred to Google servers in the United States under Standard Contractual Clauses (SCCs) approved by the European Commission.
Retention: 14 months. Opt out at any time via our cookie banner or Google's opt-out tool.
2c. Session recording — Microsoft Clarity
Data collected: Anonymised session recordings, mouse movements, click patterns, and scroll behaviour. Clarity masks all text inputs by default and does not collect personally identifiable information from page content.
How collected: Via Microsoft Clarity tag (ID: venlbqedo4), loaded only after you provide explicit consent via our cookie banner.
Purpose: To identify usability issues and improve the Site experience.
Legal basis (GDPR): Article 6(1)(a) — your explicit consent.
Legal basis (DPDP Act 2023): Consent — explicit opt-in.
Processor: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA. Transfers to the USA are covered by Standard Contractual Clauses.
Retention: 30 days per Microsoft's default configuration.
2d. Bot protection — hCaptcha
Data collected: Technical signals for bot detection including IP address, browser characteristics, and interaction patterns with the engagement form. hCaptcha operates in passive/invisible mode — it does not present visual challenges to real users.
How collected: Via hCaptcha widget on the /engage page (Site Key: 16ec905c-b510-4e06-afa8-12ee634e35a6). The secret validation key is held solely by Formspree and is never exposed to the browser.
Purpose: Security — protecting the engagement form from automated spam and malicious bots.
Legal basis (GDPR): Article 6(1)(f) — legitimate interests in protecting infrastructure and enquiry integrity.
Legal basis (DPDP Act 2023): Legitimate uses — security and fraud prevention under Section 7(g).
Processor: Intuition Machines, Inc. (hCaptcha), USA. See hcaptcha.com/privacy.
2e. Server and hosting logs
Data collected: Standard server logs including IP address, browser type, OS, referring URL, pages accessed, and timestamps — collected automatically by Netlify (our hosting provider).
Purpose: Site security, uptime monitoring, and troubleshooting.
Legal basis (GDPR): Article 6(1)(f) — legitimate interests in maintaining Site security and operational integrity.
Processor: Netlify, Inc., 512 2nd Street, Suite 200, San Francisco, CA 94107, USA.
Retention: ~30 days per Netlify's standard log policy.
3. Cookies.
This Site uses cookies and similar tracking technologies. Analytics and session recording cookies are only activated after you provide explicit consent via our cookie consent banner. Declining cookies will not affect your ability to browse any Content on this Site.
You may withdraw your cookie consent at any time by clearing your browser cookies and revisiting the Site — the consent banner will reappear and you may select "Decline".
For the complete list of cookies used on this Site — including name, provider, purpose, type, and expiry — see our Cookie Policy.
4. How we use your data.
SSUNDAR uses personal data exclusively for:
- Responding to enquiries and engagement requests submitted through the Site
- Assessing whether a prospective engagement aligns with SSUNDAR's practice areas
- Sending communications you have specifically requested
- Improving Site content and usability via anonymised analytics
- Protecting the Site from spam, bots, and security threats
- Complying with legal obligations
We do not sell, rent, lease, or commercially disclose your personal data to any third party. We do not use your data for profiling, automated decision-making, or targeted advertising of any kind.
5. Data sharing and processors.
We share personal data only with the following processors, strictly for the purposes described above:
- Formspree — form submission processing and delivery to our inbox
- Google (Analytics 4) — anonymised site analytics
- Microsoft (Clarity) — anonymised session recording
- Intuition Machines / hCaptcha — bot protection on enquiry forms
- Netlify — site hosting, CDN delivery, and access logs
All processors are contractually bound to process data only as directed and to maintain appropriate security. We do not share data with any third party for their own marketing or commercial purposes.
We may disclose personal data if required by applicable law, court order, or government authority.
6. International data transfers.
SSUNDAR is based in India. Your data may be transferred to and processed in countries outside your country of residence, including the United States (Google, Microsoft, Netlify, hCaptcha, Formspree).
For EU/EEA residents: Transfers from the EU/EEA to the USA and India are covered by Standard Contractual Clauses (SCCs) adopted by the European Commission. Our processors have executed SCCs as part of their standard Data Processing Agreements.
For India residents: Data transfers outside India occur only through the processors listed above and are governed by those processors' compliance frameworks.
7. Data retention.
- Enquiry/form data: Duration of enquiry plus up to 3 years
- GA4 analytics data: 14 months
- Clarity session recordings: 30 days
- Server/hosting logs: ~30 days
- hCaptcha data: Per hCaptcha's policy
Data is deleted or anonymised at the end of its retention period. Deletion requests are actioned within 30 days, subject to any legal retention obligations.
8. Your rights.
Depending on your location and applicable law, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your data where there is no legitimate basis for continued processing
- Restriction: Request that we limit processing of your data in certain circumstances
- Portability: Receive your data in a structured, machine-readable format (where processing is based on consent or contract)
- Object: Object to processing based on legitimate interests at any time
- Withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing
- Nominate (DPDP Act 2023): Nominate another individual to exercise your rights in the event of death or incapacity
To exercise any right, email privacy@ssundar.com with subject "Data Rights Request". We respond within 30 days. Identity verification may be required.
Supervisory authority complaints (EU/EEA): You have the right to lodge a complaint with your local data protection authority. See edpb.europa.eu for contact details. If you are resident in India, you may approach the Data Protection Board of India once it is operational under the DPDP Act 2023.
9. Children's data.
This Site is directed at business professionals aged 18 and above. We do not knowingly collect personal data from persons under 18. If you believe a person under 18 has submitted data to us, please contact privacy@ssundar.com immediately and we will delete it promptly.
10. Security.
We implement appropriate technical and organisational measures including HTTPS/TLS encryption, Content Security Policy headers, HSTS preload, form submission encryption, bot protection, and strict access controls. In the event of a data breach likely to risk your rights and freedoms, we will notify affected individuals and relevant authorities as required by law.
11. Third-party links.
This Site links to external platforms including LinkedIn and www.treeng.ai. SSUNDAR is not responsible for the privacy practices of any third-party site. Review their policies before providing personal data.
12. Changes to this policy.
We may update this Privacy Policy at any time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated via a notice on the Site where practicable. Continued use of the Site after any change constitutes acceptance of the revised policy.
13. Contact.
Shyam Sundar MV
SSUNDAR
Hyderabad, Telangana, India
privacy@ssundar.com
We will respond to all enquiries within 30 days.
Last updated: 25 May 2026. This policy supersedes all prior versions.