Policy

Privacy Policy.

Last updated: June 2026

1. Who we are

somrus Innovations Pvt Limited (“somrus Innovations,” “we,” “us”) is an AI implementation firm incorporated under the laws of India. This policy explains what information we collect from visitors to somrusinnovations.com and from clients we engage with.

Under the DPDP Act, we act as a Data Fiduciary in respect of personal data collected via this website. In respect of personal data processed during client engagements, our role depends on the engagement contract — we may act as a Data Processor on instructions from the client (the Data Fiduciary) or jointly, as specified in the relevant Statement of Work (SOW) or Master Services Agreement (MSA).

2. Scope

This policy covers two distinct contexts:

  • Website visitors and prospects — anyone who visits somrusinnovations.com or contacts us via the audit form, email, phone, or WhatsApp before any engagement contract is in place.
  • Client engagements — once we sign a contract with you (or your organisation), the engagement-specific MSA, SOW, and Data Processing Addendum (DPA) govern how we handle data shared during delivery. Those documents take precedence over this policy for the engagement.

If you are an existing client and want to know how data is handled inside a specific engagement, refer to the DPA attached to your SOW.

3. Information we collect

We collect the minimum information needed to respond to you and operate our business:

  • Contact-form submissions: when you fill out the audit / consultation form, we collect the fields you provide — name, work email, company name, company size, what you need, timeline, and any free-text detail.
  • Direct communications: if you email, WhatsApp, or call us, we retain the conversation history so we can keep context across exchanges.
  • Analytics signals: standard server logs (e.g. IP address, user agent, referring URL) and — if you consent under applicable law — privacy-respecting product analytics (currently Google Analytics 4 and Microsoft Clarity) so we can see which pages are useful.
  • Booking data: if you book an audit slot via our embedded calendar, Google Calendar collects the slot details on our behalf under Google's policies.

We do not collect special-category data (health, biometrics, financial account credentials), and we don't buy data lists or run third-party advertising pixels.

4. How we use information

  • To reply to your enquiry and book your audit / call.
  • To deliver services we've been engaged for, and operate the resulting systems for you (where contracted).
  • To improve the website and our service narrative based on aggregate usage patterns — never to track individuals across the open web.
  • To comply with applicable Indian law, tax obligations, and contractual commitments to our clients and partners.

5. Legal bases for processing

Under India's DPDP Act, we process personal data on the bases of:

  • Consent for analytics, direct-marketing communications, and any optional fields you provide. Submitting the contact form constitutes consent to follow-up.
  • Legitimate uses as defined under the DPDP Act for responding to your request, complying with applicable laws, and protecting our legitimate business interests.

Where the EU GDPR or UK GDPR applies (e.g. if you are based in the European Economic Area or the United Kingdom), our legal bases are:

  • Article 6(1)(b) — performance of a contract or steps prior to entering into a contract, for responding to your enquiry and delivering services.
  • Article 6(1)(f) — our legitimate interests in operating our business, responding to enquiries, and improving the website (balanced against your rights and freedoms).
  • Article 6(1)(a) — consent, for analytics and any direct-marketing communications.

6. Where the data lives (processors & sub-processors)

Website + lead handling (used for every visitor)

  • Google Workspace (Google LLC, USA) — Sheets stores lead records; Gmail delivers our team notifications. Hosted under Google's standard contractual terms.
  • Vercel (Vercel Inc., USA) — hosts somrusinnovations.com and serves static pages globally.
  • Google Analytics 4 & Microsoft Clarity — used when configured, for aggregate usage analytics.
  • Meta (WhatsApp Business) — when you message us via WhatsApp, Meta's infrastructure routes the conversation. Subject to Meta's terms.
  • Google Cloud / Google Calendar — if you book a slot via the embedded calendar, the appointment metadata lives in our Google Workspace tenant.

Client engagement processing (only when contracted)

  • Anthropic (Anthropic PBC, USA) — the Claude API is used to build AI features for our clients. By default, Anthropic does not train Claude models on data sent via the API. We are an Anthropic Claude Partner Network — Preferred Services Partner and follow Anthropic's usage policy.
  • Other AI providers and infrastructure services — listed in the engagement-specific DPA we sign with the client.

We do not transfer your personal data to other parties beyond these processors without your prior written consent.

7. Cookies & analytics

We do not currently display a cookie consent banner. The analytics tools listed above (Google Analytics 4 and Microsoft Clarity) are loaded only when their respective IDs are configured in the site's environment variables; if those are unset, no analytics scripts are loaded at all.

If you would prefer not to be tracked, you can:

  • Use your browser's “Do Not Track” or equivalent privacy setting.
  • Install a browser extension that blocks analytics scripts.
  • Email us at contact@somrusinnovations.com and we'll exclude your IP from aggregate reporting.

We do not run third-party advertising pixels or remarketing tags.

8. Your rights

Under India's DPDP Act — and, where applicable, the EU or UK GDPR — you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate or incomplete data corrected.
  • Have your data erased once it's no longer needed.
  • Withdraw consent for analytics or marketing use.
  • Nominate a person to exercise these rights on your behalf in the event of your death or incapacity (DPDP Act).
  • Lodge a complaint with the relevant supervisory authority.

To exercise any of these rights, email us at contact@somrusinnovations.com. We aim to acknowledge within 7 days and resolve within 30 days.

9. Data retention

We retain contact-form submissions for as long as the prospect is in active conversation, plus a reasonable post-conversation window for follow-up (currently 18 months). Client engagement data is retained per the engagement contract and for any period required by Indian tax / accounting law (currently 7 years). Server logs are kept for up to 90 days. Analytics data is aggregated and retained per the analytics provider's default retention setting.

10. Security

We rely on the operational security controls of our processors (Google, Vercel, Anthropic) and apply least-privilege access internally: only the operating team can read the leads sheet. Transit is over TLS; storage is encrypted by the upstream processor. We do not store passwords or financial credentials on our infrastructure. In the unlikely event of a personal-data breach materially affecting you, we will notify you and the relevant authorities as required by applicable law.

11. International data transfers

Several of our processors (Google, Vercel, Anthropic, Meta) are based in the United States. When we send personal data to them, it leaves India.

For these transfers we rely on:

  • The standard contractual terms each processor offers (e.g. Google's Data Processing Amendment, Anthropic's Data Processing Addendum).
  • Where applicable, EU-Commission-approved Standard Contractual Clauses (and the equivalent UK Addendum) for EEA / UK personal data.

The Government of India has not yet specified countries for restricted transfer under section 16 of the DPDP Act. If or when it does, we will reassess these arrangements and update this policy.

12. Children's data

Our services are intended for businesses. We don't knowingly collect data from anyone under 18, and we do not process children's data for behavioural monitoring, tracking, or targeted advertising (DPDP Act §9).

13. Changes to this policy

Material changes will be announced by updating the “Last updated” date at the top of this page and, where the change is significant, by emailing recent prospects. Continued use of the site after the change constitutes acceptance.

14. Grievance & contact

For any privacy question, to exercise rights under the DPDP Act or GDPR, or to lodge a grievance, email us at contact@somrusinnovations.com. We aim to acknowledge within 7 days and resolve within 30 days.

If we are unable to resolve your concern, you may escalate to:

  • the Data Protection Board of India (once constituted under the DPDP Act), or
  • the supervisory authority in your country of residence (for EEA / UK residents).

Registered office: somrus Innovations Pvt Limited. (Specific postal address to be updated once we have a fixed registered office.)