Privacy Policy | Skypath Consulting Group LLP

Version1.0

Effective Date18 May 2026

Last Reviewed18 May 2026

Next Review17 May 2027

Governing LawDigital Personal Data Protection Act, 2023 (India)

Table of Contents

Section 01

Identity and Contact Details of the Data Fiduciary

Skypath Consulting Group LLP (hereinafter referred to as "SCG", "we", "us", or "our") is a Limited Liability Partnership registered under the Limited Liability Partnership Act, 2008, and duly constituted under the laws of India. SCG operates as a Data Fiduciary within the meaning of Section 2(i) of the Digital Personal Data Protection Act, 2023 ("DPDP Act") in respect of all personal data processed through this Website and in the course of delivering its consultancy services.

Particulars	Details
Legal Entity Name	Skypath Consulting Group LLP
Entity Type	Limited Liability Partnership
Registered Office	WeWork Lightbridge, 6th Floor, Hiranandani Business Park, Mumbai, Sakinaka Police Station, Mumbai – 400072, Maharashtra, India
Administration Office	33, 1st Floor, Madhuban Industrial Estate, Off Mahakali Caves Rd, Near Paper Box Road, Satya Darshan Colony, Gundavali, Andheri East, Mumbai – 400093, Maharashtra, India
Email (Data Enquiries)	connect@skypathcg.com
Phone	+91 70393 15731
Website	www.skypathcg.com

Section 02

Scope and Applicability

This Privacy Policy ("Policy") applies to all natural persons ("Data Principals" as defined under Section 2(j) of the DPDP Act) who:

Access or browse the SCG website at www.skypathcg.com ("Website");
Submit an enquiry, assessment request, or any form of communication through the Website's contact page or any digital intake mechanism operated by SCG;
Engage with SCG via email, telephone, or any other electronic channel for the purpose of seeking professional consultancy services;
Subscribe to SCG's newsletter, regulatory digest, or any marketing communications; or
Otherwise provide personal data to SCG in connection with a professional engagement, pre-engagement, or exploratory interaction.

This Policy does not apply to: (a) anonymised or aggregated data from which no individual can reasonably be identified; (b) data processed solely by SCG's clients on their own infrastructure, subject to a separate data processing agreement; or (c) personal data of SCG's employees and partners governed by separate internal HR policies.

Territorial ApplicabilityThis Policy applies to the processing of personal data of individuals located within the territory of India, consistent with Section 3 of the DPDP Act. Where SCG processes personal data of individuals located outside India in connection with any activity directed at offering consultancy services within India, such processing shall equally be governed by this Policy to the extent required by applicable law.

Section 03

Categories of Personal Data We Collect

SCG collects personal data only to the extent strictly necessary for the identified purposes set out in this Policy ("purpose limitation"). The following categories of personal data may be collected through the Website's contact and assessment request form, email correspondence, or other digital channels:

Category	Specific Data Elements	Collection Method
Identity Data	First name, last name, salutation/designation	Contact form, email
Contact Data	Work email address, mobile/office telephone number	Contact form, email, phone
Professional / Organisational Data	Organisation/company name, industry sector, organisation size, job title/role	Contact form
Enquiry & Communication Data	Free-text description of compliance needs, nature of enquiry, attachments voluntarily shared	Contact form, email
Technical & Usage Data	IP address, browser type and version, operating system, referring URL, pages visited, session duration, device identifiers (via cookies where applicable)	Automated — server logs, analytics
Marketing Preference Data	Subscription status, communication preferences, opt-in/opt-out records with timestamps	Newsletter subscription form
Engagement Data	Records of prior consultations, assessment outputs, email correspondence related to service delivery	Generated during engagement

SCG does not intentionally collect or process any personal data pertaining to the following sensitive categories: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for unique identification, health data, sexual orientation, or financial account credentials. If any such data is inadvertently disclosed by a Data Principal during the course of correspondence, SCG shall promptly notify the individual and, unless essential to service delivery and consented to explicitly, shall delete such data without retention.

Section 04

Purposes of Processing and Lawful Basis

SCG processes personal data only for specified, clear, and lawful purposes as required under the DPDP Act. Each processing activity is grounded in one or more of the following lawful bases under Section 4 of the DPDP Act:

Purpose of Processing	Lawful Basis	Data Categories Used
Responding to a contact form submission or enquiry regarding our consultancy services	Consent [S.6, DPDP Act] — provided at the point of form submission	Identity, Contact, Enquiry Data
Conducting a complimentary DPDP readiness assessment as requested	Consent; Legitimate use for performance of service requested by the Data Principal	Identity, Contact, Professional, Enquiry Data
Communicating service proposals, engagement letters, and follow-up correspondence	Consent; Legitimate use arising from a pre-contractual relationship	Identity, Contact, Professional Data
Delivering contracted consultancy services and maintaining client engagement records	Contract performance [S.7(a), DPDP Act]; Consent	All relevant categories
Sending regulatory updates, newsletter, and thought leadership content	Consent — explicit opt-in required; withdrawal available at any time	Identity, Contact, Marketing Preference Data
Maintaining internal records, financial/tax compliance, and statutory obligations	Compliance with applicable law [S.7(b), DPDP Act]	Identity, Contact, Professional Data
Improving the Website, analytics, and user experience	Consent (where cookies are used); Legitimate use for operational improvement	Technical & Usage Data
Preventing fraud, misuse, and maintaining information security	Legitimate use; Compliance with applicable law	Technical & Usage Data, Identity Data
Responding to regulatory, judicial, or governmental requests	Compliance with applicable law [S.7(b), DPDP Act]	As required by the authority

No Secondary Use Without Fresh ConsentSCG shall not process personal data for any purpose beyond those listed above, or for any purpose that is incompatible with the original stated purpose, without obtaining fresh, specific, and informed consent from the Data Principal prior to such processing.

Section 05

Consent — How We Obtain, Manage and Record It

Where SCG relies on consent as the lawful basis for processing, it shall comply fully with the requirements of Section 6 of the DPDP Act. Consent obtained by SCG shall be:

Free: given voluntarily, without coercion, undue influence, or conditioning of service access on consent to unnecessary data use;
Specific: tied to one or more clearly identified and described processing purposes;
Informed: provided only after the Data Principal has been furnished with a clear, plain-language privacy notice describing the data collected, purposes, and their rights;
Unambiguous: evidenced by a clear affirmative act (e.g., checking an explicit opt-in checkbox, clicking a clearly labelled "Submit" button accompanied by a consent statement, or responding affirmatively by email); and
Revocable: capable of being withdrawn by the Data Principal at any time, with ease, through the methods described in Section 11 of this Policy.

Consent Record-Keeping: SCG maintains electronic records of consent for each Data Principal, capturing: the identity of the Data Principal, the date and time of consent, the specific purpose(s) consented to, the version of the privacy notice presented at the time, and the method of consent. These records are retained for the duration of the processing activity plus any legally mandated retention period thereafter.

Effect of Withdrawal: Upon withdrawal of consent, SCG shall cease all processing for the purpose(s) to which the withdrawal relates. Withdrawal shall not affect the lawfulness of processing carried out prior to the withdrawal. Where consent withdrawal renders service delivery impossible, SCG shall notify the Data Principal accordingly and provide clarity on the consequences.

Important — Contact Form SubmissionBy submitting SCG's Website contact or assessment request form, you provide informed consent for SCG to process the personal data submitted therein for the purpose of responding to your enquiry and, where applicable, providing professional consultancy services. This consent statement is presented to you at the point of submission and constitutes your acknowledgement of this Privacy Policy.

Section 06

How We Use Your Personal Data

In addition to the processing activities mapped in Section 4, SCG uses personal data in the following specific operational contexts:

Initial Contact & Assessment: When you submit the Website contact form requesting a free DPDP readiness assessment, SCG uses your name, organisation, email address, and the description of your compliance needs to: (i) contact you within one business day by email or telephone; (ii) prepare contextually relevant observations about your stated compliance challenge; and (iii) schedule and conduct the assessment conversation;
Service Proposal & Engagement: Where an assessment leads to a service proposal, SCG uses your professional and contact data to prepare, send, and follow up on engagement proposals, project scopes, and fee arrangements;
Project Delivery: During a live engagement, SCG may collect and process additional personal data provided by you as part of project deliverables (e.g., names of your data protection officer, compliance personnel, or other stakeholders). Such data is processed solely within the engagement scope;
Newsletter & Insights: If you have opted in to receiving SCG's newsletter, we use your email address and name to send regulatory updates, articles, and event invitations. Each communication includes a clearly visible one-click unsubscribe mechanism;
Relationship Management: SCG may retain contact data of past enquirers and clients to: (i) respond to future enquiries; (ii) send relevant service updates (where consent has been provided); and (iii) fulfil any ongoing advisory retainer obligations.

Section 07

Disclosure and Sharing of Personal Data

SCG operates as a professional advisory firm and handles personal data with confidentiality as a core principle. SCG does not sell, rent, trade, or license personal data to any third party. Disclosure of personal data is limited strictly to the following circumstances:

Data Processors: SCG may engage third-party service providers acting as Data Processors (within the meaning of Section 2(k) of the DPDP Act) for limited operational purposes, including: email delivery platforms, website hosting and infrastructure providers, CRM software vendors, and document management services. All Data Processors are bound by written data processing agreements requiring them to: (i) process data only on SCG's documented instructions; (ii) implement appropriate technical and organisational security measures; (iii) not engage sub-processors without SCG's prior written authorisation; and (iv) assist SCG in meeting its DPDP Act obligations;
Professional Advisors: SCG's legal counsel, auditors, and insurers, strictly on a need-to-know basis and subject to professional confidentiality obligations;
Regulatory & Governmental Authorities: Where required to comply with a legal obligation, court order, or direction from a competent governmental or regulatory authority, including the Data Protection Board of India, SCG may disclose personal data to the extent strictly necessary to comply with such obligation. SCG shall, where legally permissible, notify the affected Data Principal of such disclosure;
Business Transfers: In the event of a merger, acquisition, restructuring, or sale of all or a substantial part of SCG's business, personal data may be transferred to the successor entity, subject to equivalent or superior data protection obligations being imposed on such successor. Affected Data Principals shall be notified of any such transfer prior to its completion.

No Disclosure for Commercial GainSCG expressly confirms that personal data submitted through this Website or in the course of consultancy engagements shall never be disclosed, shared, or transferred to any third party for commercial, advertising, or marketing purposes without the separate, specific, and prior written consent of the Data Principal concerned.

Section 08

Cross-Border Transfers of Personal Data

SCG's primary operations, data storage, and processing activities are conducted within the territory of India. However, certain third-party Data Processors engaged by SCG (such as cloud hosting providers or email delivery platforms) may process or store data on servers located outside India.

Any transfer of personal data to a country or territory outside India shall be conducted only:

To countries or territories notified by the Central Government of India as permissible destinations under Section 16 of the DPDP Act;
Subject to appropriate contractual safeguards (including standard data protection clauses) ensuring that the recipient provides a level of protection to the personal data that is at least equivalent to that required under the DPDP Act; and
Where required, with the informed consent of the Data Principal for such cross-border transfer.

SCG shall maintain an up-to-date register of cross-border data flows and shall update this Policy accordingly whenever a material change to transfer destinations or safeguards is made.

Section 09

Data Retention and Erasure

SCG retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law, whichever is longer. The following retention schedules apply:

Data Category	Retention Period	Basis for Retention
Contact form submissions — no engagement	12 months from submission date	Legitimate use; consent for follow-up
Contact form submissions — engagement initiated	Duration of engagement + 7 years	Legal, regulatory, and professional indemnity obligations
Client engagement records (project files, correspondence)	7 years from end of engagement	Statutory record-keeping; professional liability requirements
Newsletter subscriber data	Until unsubscribe request, + 30 days for processing	Consent — withdrawal terminates retention basis
Financial and invoicing records	8 years from financial year end	Income Tax Act, 1961; Companies Act, 2013 (as applicable)
Technical/server log data	90 days rolling	Security monitoring; fraud prevention
Consent records	Duration of consent + 3 years	DPDP Act compliance; audit trail

Upon expiry of the applicable retention period, personal data shall be securely deleted or irreversibly anonymised using industry-standard methods. Deletion requests made by Data Principals (under Section 11 below) shall be honoured within 30 days, subject to any legal obligation requiring continued retention.

Section 10

Security Safeguards

SCG implements and maintains appropriate technical and organisational security measures, commensurate with the nature, volume, and sensitivity of the personal data processed, to protect against unauthorised access, disclosure, alteration, loss, or destruction. These measures include, without limitation:

Technical Controls: TLS/HTTPS encryption for all data in transit to and from the Website; encryption of personal data at rest where appropriate; access controls based on the principle of least privilege; multi-factor authentication for internal systems; regular vulnerability assessments and patching;
Organisational Controls: Confidentiality obligations for all personnel handling personal data; internal data protection training; documented data handling procedures; vendor due diligence and contractual safeguards for all Data Processors;
Incident Response: A documented data breach response procedure enabling detection, containment, assessment, and notification of personal data breaches without undue delay, and in any event within the timeframes required by the DPDP Act and any directions of the Data Protection Board of India.

Data Breach NotificationIn the event of a personal data breach that is likely to result in risk to the rights of Data Principals, SCG shall notify the Data Protection Board of India and the affected Data Principals in accordance with Section 8(6) of the DPDP Act and any rules or directions made thereunder. SCG shall provide affected individuals with: (a) the nature of the breach; (b) the categories of personal data affected; (c) likely consequences; and (d) measures taken or proposed to address the breach.

Section 11

Rights of Data Principals

As a Data Principal under the DPDP Act, you are entitled to exercise the following rights in respect of your personal data processed by SCG. All requests may be submitted to connect@skypathcg.com with the subject line "Data Principal Rights Request".

Right	Description	SCG Response Timeframe
Right to Information [S.11, DPDP Act]	You have the right to obtain a summary of the personal data SCG holds about you, the processing activities carried out, and the identities of any Data Processors and third parties to whom your data has been disclosed.	Within 30 days of request
Right to Correction [S.12(a), DPDP Act]	You have the right to request correction of personal data that is inaccurate, incomplete, or outdated. SCG shall effect corrections within the specified timeframe after verification.	Within 30 days of request
Right to Completion [S.12(a), DPDP Act]	Where personal data held by SCG is incomplete, you may request that SCG supplement it with the information required to make it complete and accurate.	Within 30 days of request
Right to Erasure [S.12(b), DPDP Act]	You have the right to request deletion of your personal data where: (i) the purpose for which it was collected has been fulfilled; (ii) you have withdrawn consent and there is no other lawful basis for retention; or (iii) the data is no longer necessary. Erasure may be declined where retention is required by applicable law.	Within 30 days of request
Right to Grievance Redressal [S.13, DPDP Act]	You have the right to raise a grievance with SCG's designated Grievance Officer. Where you are unsatisfied with SCG's response, you have the right to escalate to the Data Protection Board of India.	Acknowledgement within 48 hours; resolution within 30 days
Right of Nomination [S.14, DPDP Act]	You have the right to nominate another individual who shall, in the event of your death or incapacity, exercise your rights as a Data Principal in respect of the personal data held by SCG.	As directed by the Data Principal
Right to Withdraw Consent [S.6(4), DPDP Act]	You may withdraw consent for any processing activity based on consent at any time. Withdrawal shall not affect the lawfulness of prior processing. SCG shall cease the relevant processing activity within 30 days of withdrawal.	Within 30 days of withdrawal request

SCG shall verify the identity of any individual making a Data Principal rights request prior to processing the request, to prevent unauthorised access to or modification of personal data. SCG shall not charge any fee for processing rights requests unless the requests are manifestly unfounded or excessive in volume, in which case a reasonable administrative fee may be levied after notifying the Data Principal.

Section 12

Grievance Redressal Mechanism

SCG has designated a Grievance Officer to receive and address complaints and enquiries from Data Principals regarding the processing of their personal data. The Grievance Officer's contact details are as follows:

Particulars	Details
Role	Grievance Officer — Data Protection
Organisation	Skypath Consulting Group LLP
Email	connect@skypathcg.com (Subject: "Grievance — Data Protection")
Address	WeWork Lightbridge, 6th Floor, Hiranandani Business Park, Mumbai – 400072
Phone	+91 70393 15731

Upon receipt of a grievance, SCG shall: (i) acknowledge the grievance in writing within 48 hours; (ii) investigate the matter diligently; and (iii) provide a substantive written response or resolution within 30 days of receipt. Where the grievance cannot be resolved within 30 days, SCG shall communicate the reasons for the delay and an expected resolution timeline.

If you remain dissatisfied with SCG's response or handling of your grievance, you have the right to escalate your complaint to the Data Protection Board of India in accordance with the provisions of the DPDP Act and the rules framed thereunder.

Section 13

Cookies and Tracking Technologies

The Website may use cookies and similar tracking technologies (collectively "Cookies") to enhance user experience, measure website performance, and where applicable, support analytics. The following categories of Cookies may be used:

Strictly Necessary Cookies: Essential for the Website to function correctly. These Cookies do not require consent and cannot be disabled without affecting the Website's core functionality;
Analytics/Performance Cookies: Used to understand how visitors interact with the Website (e.g., pages visited, session duration, error messages). These Cookies collect aggregated, anonymised data and require your consent prior to activation;
Functional Cookies: Allow the Website to remember user preferences. These require consent where not strictly necessary for service delivery.

SCG does not use third-party advertising or behavioural profiling cookies. Where consent-based cookies are deployed, a cookie consent mechanism shall be presented to users on their first visit, and consent records shall be maintained. You may withdraw cookie consent at any time by adjusting your browser settings or through the cookie preference centre where available.

Section 14

Children's Personal Data

The Website and SCG's consultancy services are directed exclusively at business professionals, corporate entities, and individuals acting in a professional capacity. SCG does not knowingly collect personal data from children (individuals below the age of eighteen (18) years, or such other age as may be prescribed under the DPDP Act).

In the event that SCG discovers that personal data of a child has been collected without verifiable parental or guardian consent, it shall: (i) immediately cease processing such data; (ii) delete it from all systems without delay; and (iii) where applicable, notify the parent or guardian. If you believe SCG has inadvertently collected data relating to a child, please contact us immediately at connect@skypathcg.com.

Section 15

Limitation of Liability

While SCG employs all reasonable and proportionate technical and organisational measures to protect personal data, no data transmission over the internet or electronic storage system can be guaranteed to be entirely secure. Accordingly, SCG does not warrant or represent that personal data transmitted to or from the Website will be free from interception, corruption, or unauthorised access during transmission.

To the maximum extent permissible under applicable law, SCG shall not be liable for any loss, damage, or unauthorised access arising from: (i) circumstances beyond SCG's reasonable control, including force majeure events, acts of third-party hackers, or systemic infrastructure failures; (ii) the Data Principal's own failure to maintain the security of their devices, credentials, or communications; or (iii) voluntary disclosure of personal data by the Data Principal to third parties outside of SCG's platforms.

Nothing in this Section shall be construed to limit SCG's liability for gross negligence, wilful misconduct, or breach of the DPDP Act or any applicable data protection law where such liability cannot be excluded by law.

Section 16

Amendments to This Policy

SCG reserves the right to amend, update, or revise this Privacy Policy at any time to reflect: (i) changes in applicable law, including amendments to the DPDP Act, Rules, or directions of the Data Protection Board of India; (ii) changes in SCG's data processing activities or technology infrastructure; or (iii) regulatory guidance or best practice developments in data protection.

Any material amendments — being amendments that alter the nature of processing, the categories of data collected, the purposes of processing, or the rights of Data Principals — shall be communicated to existing Data Principals by email to the address on record, at least 15 days prior to the revised Policy taking effect. Non-material amendments (such as clarifications of existing provisions or typographical corrections) shall take effect upon publication on the Website.

The version number and effective date displayed at the top of this Policy shall be updated upon each revision. Continued interaction with the Website or SCG's services following the effective date of a revised Policy shall constitute acceptance of the revised terms, except where fresh consent is required under the DPDP Act, in which case SCG shall seek such consent explicitly.

Section 17

Governing Law and Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of India, including but not limited to the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000 (and the rules framed thereunder), the Indian Contract Act, 1872, and any other applicable legislation relating to data protection and privacy.

Any dispute, controversy, or claim arising out of or in connection with this Privacy Policy, including any question regarding its existence, validity, interpretation, breach, or termination, shall be subject to the exclusive jurisdiction of the competent courts located at Mumbai, Maharashtra, India, without prejudice to SCG's rights to seek injunctive or interim relief in any court of competent jurisdiction.

Data Principals also retain the right to file complaints with the Data Protection Board of India in accordance with the DPDP Act, which right is not affected by this governing law clause.

Section 18

Contact the Data Fiduciary

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data by SCG, please contact us using the following details:

Channel	Details
Email	connect@skypathcg.com — Subject line: "Privacy Enquiry / Data Rights Request"
Phone	+91 70393 15731 (Monday–Friday, 9:00 AM – 6:00 PM IST)
Post	Skypath Consulting Group LLP, WeWork Lightbridge, 6th Floor, Hiranandani Business Park, Mumbai – 400072

SCG is committed to responding to all data protection enquiries promptly, respectfully, and in accordance with its obligations under the DPDP Act. We welcome questions from Data Principals and treat every interaction with the seriousness and professionalism that data protection deserves.

DisclaimerThis Privacy Policy has been prepared by Skypath Consulting Group LLP in its capacity as a Data Fiduciary. While SCG is a specialist DPDP Act advisory firm, this document does not constitute legal advice. Data Principals requiring independent legal advice on their rights under the DPDP Act are encouraged to consult their own legal counsel. This Policy is subject to the DPDP Act 2023 and the DPDP Rules 2025 as currently in force and shall be interpreted accordingly.