Your data. You are in control.

Who we are.

In the language of the DPDP Act, the "Data Fiduciary" is the entity that decides why and how personal data is processed. That's us.

What this policy covers.

This Privacy Policy applies to personal data we process when you:

• Visit and interact with this website (enstera.in);
• Contact us by phone, WhatsApp, or email;
• Engage us for a project, consultation, or product deployment;
• Use our productised solutions where we host or operate them on your behalf.

Some of our products — such as ensTram, TeraDFS, and Stock-C — are deployed entirely on your own infrastructure and process data locally. In those cases, we do not collect, see, or store the data flowing through those products. The personal data that flows inside such products is governed by your own data-handling policies, not ours.

What we collect.

We collect personal data in three contexts. We've listed them itemised below, as required under the DPDP Rules, 2025.

(a) When you visit our website

Our website does not set tracking cookies, does not run analytics scripts, and does not build profiles of visitors. The only data your browser sends automatically is the standard request information needed to deliver web pages — and that data is not retained or analysed by us.

(b) When you contact us

If you call, message, or email us, we collect:

• Identifying details you choose to share: name, designation, company;
• Contact details: phone number, email address;
• The content of your message: what you're asking about or trying to solve.

(c) When you engage us for a project

During scoping, contracting, build, and delivery, we may receive additional personal data about you and your team — names, designations, work emails, project-related correspondence, sample data shared for testing, and so on. We collect only what's necessary for the engagement, and we agree the scope of data handling with you in writing before any sensitive data is shared.

Why we collect it.

Each purpose is listed below itemised, as required by the DPDP Rules. We do not use your data for any purpose outside this list without your explicit consent.

1. To respond to your inquiry. When you reach out, we use your contact information and message to reply and follow up.
2. To deliver our services. When you engage us, we use the data shared to scope, build, deploy, and support your solution.
3. To send service-related communications. Updates about your project, deployment, or support — never marketing without your consent.
4. To comply with legal and regulatory obligations. Tax records, contractual records, statutory documentation required under Indian law.
5. To improve our services. Anonymised, aggregated insights from how clients use our solutions — never tied to identifiable individuals.

The lawful basis for processing.

Under the DPDP Act, personal data may be processed only on a clearly stated lawful basis. Ours are:

• Your consent — for most interactions through the website and inquiry channels. Your act of contacting us, knowing this policy is published, signifies informed consent under Section 6 of the Act.
• Performance of a contract — when we are formally engaged for a project or product deployment, and processing your data is necessary to deliver what was agreed.
• Legal or regulatory obligation — where Indian law requires us to retain or share specific information.

You may withdraw consent at any time. Withdrawal is as easy as giving consent — a single email or call to our Grievance Officer is sufficient. Withdrawal does not affect the lawfulness of any processing carried out before the withdrawal.

Third-party services we use.

Our website and operations rely on a small number of third-party services. Each operates under its own privacy policy:

• Google Fonts — to deliver typography (Plus Jakarta Sans, Fraunces, JetBrains Mono). Your browser fetches font files from Google's servers, which may log standard request data per their privacy policy.
• Google Maps — embedded on our Contact page so you can find our office. Maps is loaded only on that page, and Google may collect interaction data per their privacy policy.
• WhatsApp (Meta) — when you click our WhatsApp links, you're handed over to WhatsApp's service operated by Meta Platforms, governed by their WhatsApp Privacy Policy.
• Email providers — when you email us, the email transits and is stored on the email infrastructure we use (Google Workspace). Their handling is subject to Google's privacy terms.

We do not embed advertising trackers, social-media widgets, or third-party analytics on this site. If that ever changes, this Policy will be updated and you will be notified through this page.

How we protect it.

We implement reasonable security safeguards in line with Rule 6 of the DPDP Rules, 2025. These include:

• Access controls — personal data is accessible only to authorised personnel on a need-to-know basis;
• Encryption — for data in transit (HTTPS / TLS) and at rest where applicable;
• Logical and physical safeguards against unauthorised access to systems and devices that hold personal data;
• Audit trails — meaningful logging of access and changes to personal data;
• Backups with comparable safeguards;
• Reasonable measures to detect, contain, and recover from any unauthorised access.

We are not a "Significant Data Fiduciary" as defined under Section 10 of the DPDP Act, and therefore do not carry the additional obligations specific to SDFs. We do, however, treat the safeguards listed above as a continuous discipline — not a one-time exercise.

Who we share with.

We share personal data only in the following narrow circumstances:

• Data Processors under contract — third-party services we use to operate (e.g., email infrastructure). These are bound by data processing terms requiring them to handle data only for our defined purposes.
• Where you have explicitly authorised it — for example, sharing a project brief with a sub-contractor we've named to you.
• Legal compliance — when required by court order, summons, regulation, or other lawful authority.
• Protection of rights — to enforce our agreements or defend legal claims.

We do not sell, rent, or trade personal data. We do not share it with marketers or data brokers under any circumstance.

Cross-Border Transfers

ensTera Automations LLP is based in India and primarily processes personal data within India. Some third-party services we use (Google, Meta) may process data on servers outside India under their own published policies. Where any cross-border transfer of personal data is necessary for delivering a service to you, it will be carried out in accordance with Section 16 of the DPDP Act and any notifications issued by the Central Government from time to time.

How long we keep it.

We retain personal data only for as long as necessary for the purpose it was collected, and we delete or anonymise it thereafter. Specific retention periods are:

• Inquiry conversations (calls, WhatsApp, email): up to 24 months from the last interaction, unless a project follows.
• Active project / engagement records: for the duration of the engagement plus a reasonable post-completion support window.
• Financial and contractual records: retained for the period required by Indian tax and corporate law — typically 8 years.
• Records held under legal obligation: for the period mandated by the applicable law.

You may request earlier erasure at any time by contacting our Grievance Officer, except where retention is required by law. Where erasure applies, you will be notified before deletion — in line with Rule 8 of the DPDP Rules, 2025.

Your rights as a Data Principal.

Under the DPDP Act, 2023, you — the Data Principal — have the following rights with respect to your personal data:

1. Right to access (Section 11) — to obtain a summary of the personal data we hold about you and the processing activities we carry out.
2. Right to correction and erasure (Section 12) — to have inaccurate, incomplete, or outdated data corrected, completed, updated, or erased.
3. Right of grievance redressal (Section 13) — to raise a complaint with us through our designated Grievance Officer (see section 13 below).
4. Right to nominate (Section 14) — to nominate another person to exercise these rights in the event of your death or incapacity.
5. Right to withdraw consent — to withdraw your consent at any time, with the same ease with which you gave it. Prior lawful processing is not affected.

How to exercise your rights

Send an email to ensteraautomations@gmail.com or call +91 81487 78286 with the subject "Data Principal Request — [Access / Correction / Erasure / Withdrawal / Nomination]". We may need to verify your identity before acting on your request.

We will respond to all rights requests within the timelines specified under the DPDP Rules, 2025 — and within 90 days at the outside, as required for grievance redressal.

Personal data of children.

Our services are designed for businesses and adults. We do not knowingly collect personal data of children (under 18 years of age) or persons with disabilities who have a lawful guardian — without first obtaining verifiable consent from the parent or lawful guardian, in line with Section 9 of the DPDP Act and Rule 10 of the DPDP Rules, 2025.

We do not undertake any tracking, behavioural monitoring, or targeted advertising directed at children. If you believe a child's personal data has been shared with us inadvertently, please contact our Grievance Officer immediately so we can delete it.

If something goes wrong.

In the event of a personal data breach affecting your information, we will:

• Notify the Data Protection Board of India without undue delay upon becoming aware of the breach, as required by Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules, 2025;
• Notify you directly — using the contact details you've shared with us — within the timelines specified by the Rules;
• Tell you in plain language what happened, what data was involved, what steps you can take to protect yourself, and what we are doing to contain and remediate the breach;
• Cooperate fully with the Board and other authorities in their investigation, if any.

Our Grievance Officer.

As required under Section 8(9) of the DPDP Act and Rule 9 of the DPDP Rules, 2025, we have designated a Grievance Officer to handle any complaints, questions, or requests relating to your personal data.

If you're not satisfied with our response

If your grievance remains unresolved or you are dissatisfied with how we've handled it, you have the right to escalate the matter to the Data Protection Board of India, the statutory body constituted under Chapter V of the DPDP Act. Complaints can be filed through the Board's digital portal once operational.

Updates and revisions.

We may update this Privacy Policy from time to time — for example, when our services change, when new third-party processors are introduced, or when legal requirements evolve.

Material changes will be reflected in an updated effective date at the top of this page and, where the change significantly affects how your personal data is handled, we will take reasonable steps to notify you directly through the contact details you've shared with us.

We encourage you to revisit this page periodically. Continued use of our website or services after a material update constitutes acknowledgement of the updated policy.