Privacy Policy

1. Who We Are

Specus Labs ("we", "our", "us") operates the DPDP compliance assessment platform available at specuslabs.com. We are a data fiduciary as defined under the Digital Personal Data Protection Act, 2023 (DPDP Act), with respect to personal data collected through this platform.

For any data-related queries, contact us at: girija@specuslabs.com

2. What Personal Data We Collect

When you use the Specus Labs platform, we may collect the following:

• Identity data: Your full name, when provided through the lead capture form after your assessment.
• Contact data: Your work email address and company name, when provided voluntarily.
• Assessment responses: Your answers to the DPDP compliance questionnaire. These responses relate to your organisation, not to you personally.
• Usage data: Basic technical information such as browser type and session identifiers, collected automatically to keep the platform functional.

We do not collect sensitive personal data as defined under the DPDP Act (such as health, financial, biometric, or caste-related data) about you as an individual user.

3. Why We Collect This Data

We collect and process your personal data for the following purposes:

• To deliver your DPDP compliance assessment and generate your readiness report.
• To contact you with your compliance roadmap and follow-up support, where you have requested this.
• To improve our platform and the accuracy of our assessments.
• To respond to your enquiries and provide customer support.

We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you as an individual.

4. Legal Basis for Processing

Under the DPDP Act, we process your personal data on the basis of your consent. By submitting your details through our lead capture form, you consent to us contacting you with your compliance roadmap and related communications.

You may withdraw your consent at any time by writing to us at girija@specuslabs.com. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.

5. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Assessment data: Retained for 12 months from the date of assessment to allow you to track your compliance progress.
• Contact data: Retained for as long as you remain in an active business relationship with us, or until you request deletion.
• Usage data: Retained for 90 days for platform operations and security purposes.

6. Who We Share Your Data With

We do not sell your personal data. We may share it with:

• Supabase: Our database provider, used to store assessment responses and contact details. Data is stored on servers in India.
• Anthropic: The AI provider whose API we use to generate your compliance score and recommendations. Assessment responses are sent to their API for processing. Anthropic's privacy policy applies to this processing.

All third-party providers are contractually required to process data only as instructed and to maintain appropriate security safeguards.

7. Your Rights Under the DPDP Act

As a data principal under the DPDP Act, you have the following rights:

• Right to access: You may request a summary of the personal data we hold about you.
• Right to correction: You may request correction of inaccurate or incomplete personal data.
• Right to erasure: You may request deletion of your personal data, subject to our legal obligations.
• Right to grievance redressal: You may raise a complaint with our Grievance Officer if you believe your data has been mishandled.
• Right to withdraw consent: You may withdraw consent for processing at any time.

To exercise any of these rights, write to us at girija@specuslabs.com. We will respond within 30 days.

8. Grievance Officer

In accordance with the DPDP Act, we have designated a Grievance Officer to address data protection concerns:

9. Security

We implement reasonable technical and organisational safeguards to protect your personal data from unauthorised access, loss, or misuse. These include encrypted data transmission (HTTPS), access controls, and secure cloud infrastructure.

In the event of a personal data breach affecting you, we will notify you and the Data Protection Board of India as required under the DPDP Act.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of the platform after changes constitutes acceptance of the updated policy.