Legal
Privacy Policy
Last updated: 21 April 2026
This Privacy Policy explains how VITI Security LLP ("VITI Security", "we", "us", "our") collects, uses, stores, shares, and protects your personal data when you use our website vitisecurity.com or our products and services (together, the "Service"). We comply with India's Digital Personal Data Protection Act, 2023 (DPDPA), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and other applicable data-protection laws in jurisdictions where we operate.
1. Who we are
VITI Security LLP is a Limited Liability Partnership incorporated under the Limited Liability Partnership Act, 2008 of India, with registered office in Patna, Bihar, India. We provide cybersecurity, VICIdial cloud hosting, managed communications, and related IT services.
- Website: https://vitisecurity.com
- General contact: [email protected]
- Data Protection contact: [email protected]
For the purposes of the DPDPA, we act as a Data Fiduciary. For the purposes of the GDPR, we act as a Data Controller in respect of personal data collected directly from you, and as a Data Processor when we process data on behalf of business customers under a separate data processing agreement.
2. Personal data we collect
2.1 Data you provide directly
- Identity data: name, job title, company name.
- Contact data: email address, postal address, telephone number.
- Account data: username, hashed password, profile preferences.
- Transaction data: products purchased, order history, invoice details. Card/bank details are handled by our payment processor (see Section 6) and are not stored on our servers.
- Communication data: content of emails, support tickets, and live-chat conversations with us.
- Marketing preferences: newsletter subscriptions and promotional opt-ins.
2.2 Data collected automatically
- Usage data: pages visited, time on page, referring URL, search terms.
- Device and technical data: IP address, browser type and version, device type, operating system, screen resolution, language.
- Approximate location derived from IP address (city/country level only).
- Cookie and similar-technology data - see our Cookie Policy.
2.3 Data from third parties
Occasionally we receive data from publicly available sources (e.g., business directories), our business partners, or platforms on which you have interacted with us (e.g., LinkedIn).
3. Children
Our Service is intended for adults aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided us with personal data, contact [email protected] and we will delete it.
4. Legal bases for processing
- Consent - for marketing communications, non-essential cookies, and certain optional features.
- Performance of a contract - to deliver products, subscriptions, and services you have purchased.
- Legitimate interests - for security, fraud prevention, service improvement, and B2B marketing where you have an existing relationship with us, provided these do not override your rights.
- Legal obligation - for tax, accounting, anti-money-laundering, and lawful requests from authorities.
Under the DPDPA, we process your personal data on the basis of your consent or for legitimate uses as defined under the Act. You may withdraw consent at any time as described in Section 9.
5. How we use your data
- provide, operate, and maintain our Service and the products you have subscribed to;
- process payments, issue invoices, and manage subscriptions including renewals and cancellations;
- respond to support requests and communicate with you about your account;
- send service-related notices (security alerts, billing, policy changes);
- send marketing and promotional communications where you have opted in, or where we have a legitimate interest and you have not opted out;
- conduct analytics to improve our Service, understand user behaviour, and develop new features;
- detect, prevent, and investigate security incidents, fraud, and abuse;
- comply with legal, regulatory, and law-enforcement obligations.
6. Third-party processors we use
We share personal data with the following categories of third-party processors, each bound by appropriate contractual obligations:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| PayPal | Payment processing | Name, email, billing address, transaction amount | Global |
| Google LLC (Analytics, Site Kit) | Website analytics | Usage data, pseudonymised IP | US / EU |
| tawk.to | Live chat support | Chat content, IP, browser info | US |
| Brevo (Sendinblue) | Newsletter and transactional email | Name, email, subscription status | EU |
| Akismet (Automattic) | Comment spam filtering | Comment content, IP, email | US |
| Gravatar (Automattic) | Commenter avatar display | Hashed email | US |
| Hosting provider / LiteSpeed | Site hosting, caching | Server-side data at rest | India |
| AWS / Microsoft Azure | Encrypted off-site backups | Encrypted snapshots | Mumbai / Frankfurt / Singapore |
We do not sell your personal data to any third party for monetary consideration.
7. Cookies and tracking
We use cookies and similar technologies to run our Service, measure engagement, and (with your consent) deliver personalised content. See our Cookie Policy for a full inventory and instructions on managing your preferences.
8. International data transfers
VITI Security is based in India. When you use our Service, your personal data may be transferred to and stored in countries where our third-party processors operate, including the United States, the European Economic Area, Singapore, and others.
- From the EEA/UK: we rely on European Commission adequacy decisions where available, and otherwise on Standard Contractual Clauses (SCCs) with supplementary safeguards.
- From India: we transfer personal data only to jurisdictions not specifically restricted by the Government of India under the DPDPA.
- From California: such transfers are covered by the notice and opt-out provisions of the CCPA/CPRA.
9. Your rights
Subject to applicable law, you have the right to:
- Access - obtain a copy of the personal data we hold about you.
- Correct - ask us to correct inaccurate or outdated information.
- Delete - request deletion of your personal data (subject to legal retention obligations).
- Port - receive your data in a structured, machine-readable format and have it transferred where technically feasible.
- Restrict or object - ask us to restrict processing or object to processing carried out under legitimate interests or for direct marketing.
- Withdraw consent - withdraw any consent you have previously given, without affecting the lawfulness of processing before withdrawal.
- Nominate - under the DPDPA, nominate another individual to exercise your rights in the event of your death or incapacity.
- Non-discrimination - under the CCPA/CPRA, we will not discriminate against you for exercising your privacy rights.
- Opt out of "sale" or "sharing" - under the CCPA/CPRA. We do not sell personal data, but certain analytics or advertising cookies may constitute "sharing". Opt out via our cookie banner.
- Lodge a complaint - with your local supervisory authority (e.g., the Data Protection Board of India, or your EU supervisory authority under GDPR).
To exercise any of these rights, contact [email protected]. We will respond within 30 days (or the shorter period required by applicable law).
10. Data retention
- Account data: for the duration of your account, plus 3 years after deletion for legal records.
- Transaction and billing records: 8 years, as required by Indian tax and accounting law.
- Support and communications: 3 years from last contact.
- Marketing lists: until you unsubscribe, plus 1 year in suppression lists to honour opt-out.
- Website analytics: anonymised after 14 months.
- Encrypted backups: rotated every 30 days.
11. Security
We implement administrative, technical, and physical safeguards appropriate to the risks involved, including TLS encryption in transit, encryption at rest for sensitive data, role-based access controls, regular security reviews, and firewall/WAF protection. However, no system is 100% secure; by using the Service you acknowledge this inherent risk.
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authorities as required by applicable law (within 72 hours under GDPR; without undue delay under the DPDPA).
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email to registered users and by a prominent notice on the Service at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact us
- Privacy & data requests: [email protected]
- Data Protection / Grievance Officer: [email protected]
- Legal notices: [email protected]
- Security disclosures: [email protected]
- General inquiries: [email protected]
- Post: VITI Security LLP, Patna, Bihar, India
