DPDPA 2023 · GDPR · Disclosure

How we handle your data.

Every third-party data flow this website initiates, the purpose it serves, the lawful basis under India's Digital Personal Data Protection Act 2023 and the EU GDPR, and how long the data is retained. We publish this in full because B2B consultants, architects and government buyers ask before they fill our enquiry form or download a deliverable — and because DPDPA requires it.

Third-party data flows

Each service below receives data when you interact with the site in a specific way (submitting a form, accepting analytics cookies). Services not in this list do not receive your data through this website.

Resend (email delivery)

Deliver contact-form, brief-wizard and newsletter submissions to the practice inbox.

Data category: Name · email · phone · enquiry message
Lawful basis: Consent (form submission) + legitimate interest (responding to enquiry)
Retention: Resend retains delivery logs 30 days; we retain enquiry emails up to 36 months in the practice CRM
Region: United States (Resend infrastructure) · India (our inbox)

Cloudflare Turnstile (bot protection)

Verify that contact-form submissions originate from a human rather than an automated bot, before the message is processed.

Data category: Behavioural signals · IP address · challenge response (no PII)
Lawful basis: Legitimate interest (preventing spam, abuse and credential-stuffing on our endpoints)
Retention: Cloudflare retains challenge logs for 24 hours; we retain the success/failure outcome only for the duration of the submission
Region: Global (Cloudflare edge network)

Google Analytics 4 (visitor analytics)

Aggregate page-view counts, session paths and traffic sources to understand which content serves visitors well. IP anonymisation enabled.

Data category: Anonymised IP · device class · browser language · page path · referrer
Lawful basis: Consent — analytics loads only after acceptance in the cookie banner
Retention: Up to 14 months in our GA4 property; aggregated reports retained longer
Region: United States (Google) · India (regional processing)

Microsoft Clarity (session heatmaps)

Record anonymised heatmaps and rage-click telemetry to identify UX failures. We do not record form-field values or sensitive page content.

Data category: Anonymised IP · device class · click/scroll telemetry · session video (masked)
Lawful basis: Consent — Clarity loads only after acceptance in the cookie banner
Retention: Up to 12 months in our Clarity project
Region: United States · Europe (Microsoft Azure)

Google Tag Manager (tag orchestration)

Conditional tag firing for the analytics layer — loads downstream tags only when consent is granted.

Data category: No personal data of its own; orchestrates other tags
Lawful basis: Consent (same gate as the tags it loads)
Retention: Configuration only — no personal data retained at the GTM layer
Region: United States (Google)

IndexNow (Bing / Yandex search submission)

Notify search engines when published content is updated, so changes are crawled faster. Server-only — does not initiate from the visitor's browser.

Data category: URL list (no personal data)
Lawful basis: Legitimate interest (search-engine optimisation)
Retention: URL submission logs retained 7 days on our server logs
Region: Bing (Microsoft) · Yandex · Seznam

Vercel (hosting)

Host and deliver the website. Access logs are retained for operational and security purposes.

Data category: IP address · user agent · request path · response status
Lawful basis: Legitimate interest (operational hosting, security investigations)
Retention: 30-day rolling access-log window on the Vercel platform
Region: Global edge network · India (Mumbai / Singapore POPs serve Indian traffic)

Your rights as a data principal

Under the Digital Personal Data Protection Act 2023 you hold the following rights. Equivalent rights apply under the EU GDPR and California's CCPA for visitors from those jurisdictions.

Right to access: Request a copy of the personal data we hold about you. Reply within 30 days.
Right to correction: Request correction of inaccurate or out-of-date personal data.
Right to erasure: Request deletion of personal data where we have no continuing lawful basis to retain it.
Right to withdraw consent: Withdraw consent for analytics or marketing at any time — the cookie banner re-opens on request and your selection is honoured immediately.
Right to grievance redressal: Complain to our Data Protection Officer (below) or to the Data Protection Board of India. We respond to a formal grievance within 30 days.

Architect & consultant data sharing

Many B2B consultants — architects, MEP consultants, principal contractors, government departments — will not download a deliverable from a website without a written assurance about how the project information shared with us is handled. This is the assurance we offer:

Project data is held under confidentiality by default. Architectural drawings, BOQs, scope notes and email correspondence shared with us are treated as confidential under the same discipline as a signed NDA — irrespective of whether an NDA has been signed.
No third-party disclosure without consent. We do not share project information with vendors, partners or directories without the originating party's written consent. Brand-rep enquiries we make on a customer's behalf are scoped to the minimum information necessary.
Drawings and BOQs are not used as marketing material. The case studies on this site are limited to projects where we have either an explicit written permission to publish or a documented public-record source (e.g. published government tenders). Private projects are not surfaced.
Data resident in India where possible. Our CRM, email archive and project files are held in India-region cloud services. Where a service does not offer an India region (e.g. Resend, Microsoft Clarity), the data flow is disclosed in the table above and the cross-border transfer is documented.
Retention is bounded and reviewed annually. Project communications are retained for 36 months from project completion to support warranty, AMC and audit needs; older records are archived or anonymised. Personal data not tied to a project (newsletter subscribers, casual enquiries) is reviewed annually for relevance.

For projects involving classified or otherwise restricted information, contact us before sending anything — we will route the exchange through a signed NDA and an alternative submission channel rather than the public website.

Seven disciplines, held by one hand.

Smart Automation

Where the work actually goes.10 sectors · one practice

Residential

Hospitality

Commercial & Corporate

Education & Institutions

Healthcare

Government & Public Safety

Retail & Malls

Places of Worship

Restaurants, Bars & Clubs

Industrial & Warehousing