Privacy Policy
Effective date: 1 April 2026 · Last updated: 1 April 2026
Blackfyre Consulting (“we”, “us”, or “our”), Chennai, India, operates the BLACKFYRE security platform and related professional services. This policy explains how we collect, use, store, and protect personal data. We are committed to compliance with the EU General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act 2023 (DPDPA).
1. Data We Collect
Contact Form Submissions
Name, email address, company name, and the message content you provide when reaching out to us. This data is collected solely to respond to your inquiry.
Platform Usage Data
For registered platform users: login events, feature interactions, audit log entries, and session metadata. This data is associated with your tenant account and is never shared across tenants.
Scan Results and Evidence
Vulnerability scan outputs, compliance evidence artefacts, and assessment reports that you or our consultants upload or generate on the platform. You own this data — see Section 10.
Technical Data
IP addresses, browser type, and access timestamps collected automatically for security monitoring and abuse prevention. This data is not used for advertising.
2. How We Use Your Data
- Service delivery — provisioning and operating the platform and professional services you have engaged.
- Communication — responding to inquiries, sending service notifications, and delivering reports.
- Security operations — detecting and investigating threats, abuse, and unauthorised access.
- Product improvement — aggregated, anonymised analytics to improve platform features. No individual profiling.
- Legal compliance — meeting obligations under applicable Indian and international law.
We process data on the legal bases of contractual necessity, legitimate interest (security monitoring), and — where required — your explicit consent.
3. Data Retention
| Data Category | Retention Period |
|---|---|
| Contact form data | 2 years from submission |
| Platform usage logs | 90 days rolling |
| Scan results — Comply Tier | 12 months from scan date |
| Scan results — Protect Tier | 24 months from scan date |
| Scan results — Defend Tier | 36 months or as agreed in contract |
| Billing records | 7 years (statutory requirement) |
| Audit logs | 2 years |
Upon account termination you may request a full data export. Data is purged within 30 days of the export window closing, except where retention is required by law.
4. Your GDPR Rights
If you are located in the European Economic Area or UK, you have the following rights:
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Ask us to correct inaccurate or incomplete data.
Right to Erasure
Request deletion of your data where no legitimate basis for retention exists.
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests.
Right to Restrict
Ask us to pause processing while a dispute is resolved.
To exercise any of these rights, email founder@blackfyre.tech. We will respond within 30 days.
5. DPDPA Compliance (India)
Blackfyre Consulting is a Data Fiduciary under the Digital Personal Data Protection Act 2023. We process personal data of Indian residents in accordance with the Act, including:
- Collecting data only for a specified, lawful purpose with your consent or on legitimate grounds.
- Appointing a Data Protection Officer reachable at founder@blackfyre.tech.
- Implementing appropriate technical and organisational safeguards.
- Notifying the Data Protection Board and affected individuals of a personal data breach within 72 hours.
- Honouring grievance redressal requests within 30 days.
6. Data Processing Agreement
Enterprise customers who require a Data Processing Agreement (DPA) for GDPR or contractual compliance can request one by emailing founder@blackfyre.tech. We will provide a DPA within five business days.
7. Third-Party Processors
We engage the following sub-processors. All are bound by data processing agreements and appropriate security standards:
| Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, compute, and encrypted storage | ap-south-1 (Mumbai) |
| AWS S3 WORM | Immutable evidence storage | ap-south-1 (Mumbai) |
We do not sell, rent, or trade your personal data to any third party, ever.
8. Cookie Policy
We use only strictly necessary cookies required for platform authentication and session management. We do not use advertising cookies, third-party tracking pixels, or behavioural analytics. Cookies set:
| Cookie | Purpose | Duration |
|---|---|---|
| session_id | Authenticated session token (httpOnly, Secure, SameSite=Strict) | Session |
| csrf_token | Cross-site request forgery prevention | Session |
9. Security
We protect your data using AES-256 encryption at rest, TLS 1.3 in transit, row-level security for tenant isolation, and immutable audit logs. For a full account of our security practices, visit our Security Practices page.
10. Changes to This Policy
We may update this policy from time to time. We will notify registered account holders of material changes by email at least 14 days before they take effect. The current version is always available at this URL.
Contact Us
For any privacy-related question, data subject request, or to report a concern: