1.1 In this Privacy Policy (the "Policy"), the following terms have the meanings set out below. Words denoting the singular include the plural and vice versa.

"Applicable Laws" means, collectively, the Digital Personal Data Protection Act, 2023 of India (the "DPDP Act"), the General Data Protection Regulation (EU) 2016/679 and the United Kingdom equivalent (together, "GDPR"), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Information Technology Act, 2000 of India and rules thereunder, and any successor or analogous legislation that applies to the Processing of Personal Data through the Site or the Services.

"AI Tools" means any artificial-intelligence-based or machine-learning-based system, including third-party large language models and conversation assistants, used by the Practice to triage enquiries, draft routine correspondence, schedule appointments, or interact with Data Subjects through chat or voice interfaces.

"Data Subject", "You" or "Your" means the natural person to whom the Personal Data relates.

"Grievance Officer" means the individual designated by the Practice under section 10 of the DPDP Act to receive and dispose of complaints concerning the Processing of Personal Data, identified in clause 16 of this Policy.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under the Applicable Laws.

"Practice", "we", "us" or "our" means Naresh J. Dulani, a sole proprietor practising under the trade name "Dr. Naresh J. Dulani – Global Scientific Vastu Advisory", further identified in clause 2.

"Processing" has the meaning given to it under the GDPR and the DPDP Act and includes, without limitation, the collection, recording, storage, structuring, retrieval, consultation, use, disclosure, transfer, restriction, erasure, and destruction of Personal Data.

"Services" means the advisory engagements, consultations, reports, and ancillary services offered by the Practice.

"Site" means the website operated at the domain nareshdulani.com and any subdomain thereof.

"Subprocessor" means any third party engaged by the Practice to Process Personal Data on the Practice's behalf, listed in the Schedule appended to this Policy.

2.1 The Practice acts as the Data Fiduciary under the DPDP Act and as the Controller under the GDPR in respect of all Personal Data Processed through the Site and in the course of providing the Services.

2.2 Identity of the Practice.

2.3 The Practice does not, as of the effective date of this Policy, meet the thresholds for designation as a Significant Data Fiduciary under section 10 of the DPDP Act and has not been so designated. A Data Protection Officer is not appointed at present; the Grievance Officer named in clause 16 discharges the functions of receiving and disposing of complaints.

2.4 The Practice has no establishment in the European Economic Area or the United Kingdom and, where required, may appoint a representative under Article 27 of the GDPR. Until such appointment, enquiries from Data Subjects in those jurisdictions are to be addressed to the Grievance Officer.

3.1 The Practice Processes the following categories of Personal Data.

3.1.1 Identification and contact data – name, email address, postal address, telephone number, salutation, and language preference.

3.1.2 Engagement data – the nature of the enquiry, property address, floor plans, architectural drawings, photographs, business plans, and other materials voluntarily submitted in connection with a consultation.

3.1.3 Communication data – the content of emails, chat messages, voice transcripts (where recorded with notice and consent), and any other communications between the Data Subject and the Practice, including communications conducted through AI Tools.

3.1.4 Transaction data – billing name, invoice address, transaction identifier, transaction amount, currency, transaction status, payment-instrument type (without the underlying instrument credentials), and tax identifiers where relevant. The Practice does not collect, view, or store full payment-card numbers, card verification values, expiry dates, internet-banking credentials, or unified-payments-interface PINs; these are handled exclusively within the PCI-DSS-certified environment of the payment processor.

3.1.5 Booking data – appointment date, time, time-zone, attendee names, and meeting metadata received from the appointment-scheduling Subprocessor.

3.1.6 Device and usage data – internet-protocol address, approximate geographic location derived therefrom, device identifier, operating system, browser type and version, screen resolution, referring uniform resource locator, pages accessed, time spent on each page, clickstream, and form interactions.

3.1.7 Consent and preference data – cookie preferences, marketing preferences, language and accessibility preferences, and the timestamped record of consent grants and withdrawals.

3.2 The Practice does not knowingly collect Personal Data that is classified as sensitive under any Applicable Law (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning sex life or sexual orientation), unless the Data Subject voluntarily and unambiguously discloses such data in the course of an enquiry. Where such disclosure occurs, the Practice Processes the data only to the extent necessary to respond to the enquiry and erases it on conclusion of the engagement or sooner where requested.

4.1 The Practice Processes Personal Data for the following purposes, and for no other purpose, save where required or permitted by law.

4.1.1 To provide the Services, including responding to enquiries, scheduling and conducting consultations, preparing and delivering reports, and conducting follow-up correspondence.

4.1.2 To process payments and tax obligations, including the issuance of invoices and the maintenance of accounts and records required by Indian taxation law.

4.1.3 To operate, secure, and improve the Site, including the diagnosis of technical issues, prevention of fraud, and assessment of the effectiveness of content and functionality.

4.1.4 To communicate operational and transactional notices that are necessary or incidental to the Services, including booking confirmations, rescheduling notices, payment receipts, security notices, and updates to this Policy.

4.1.5 To deliver, where consent has been obtained, marketing communications about the Practice's services, publications, and events; consent may be withdrawn at any time without affecting the lawfulness of Processing before withdrawal.

4.1.6 To comply with legal obligations, including responding to lawful requests from public authorities, enforcing the Practice's Terms of Service, and protecting the legal rights, property, and safety of the Practice, its Data Subjects, and third parties.

4.1.7 To establish, exercise, or defend legal claims, including the retention of records required for the assertion of, or defence against, statutory or contractual claims.

5.1 For Data Subjects to whom the GDPR or UK GDPR applies, the Practice relies on the following legal bases under Article 6(1):

5.1.1 Performance of a contract, or steps taken at the request of the Data Subject prior to entering a contract, in respect of the provision of the Services (clauses 4.1.1, 4.1.2, 4.1.4).

5.1.2 Legitimate interests of the Practice in operating and securing the Site, preventing fraud, conducting anonymised analytics, defending legal claims, and conducting first-party performance measurement (clauses 4.1.3, 4.1.6, 4.1.7), subject to a documented balancing test that gives due weight to the rights and freedoms of the Data Subject.

5.1.3 Consent, for non-essential cookies, marketing communications, the activation of analytics and marketing-attribution tools, and any other Processing for which consent is the appropriate basis (clause 4.1.5; clause 6).

5.1.4 Compliance with a legal obligation to which the Practice is subject (clause 4.1.6).

5.2 For Data Subjects to whom the DPDP Act applies, Processing is undertaken on the basis of (a) the Data Subject's consent, freely given and notified in the manner required by section 5 of the DPDP Act, or (b) a "legitimate use" recognised under section 7 of the DPDP Act.

5.3 For California consumers, the Practice processes Personal Information consistent with the disclosures and purposes set out in this Policy and does not sell or share Personal Information for cross-context behavioural advertising except where consent for marketing cookies has been granted as described in clause 6.

6.1 The Site uses cookies, local storage, and similar tracking technologies. These are categorised as follows.

6.1.1 Strictly necessary technologies – required for the basic operation of the Site, including security, load-balancing, and the storage of consent state. These are activated by default and do not require consent under any Applicable Law.

6.1.2 Analytics technologies – measure the performance of the Site and the manner in which it is used. These are activated only after the Data Subject has granted consent through the Practice's consent-management interface.

6.1.3 Marketing and advertising technologies – enable the measurement of advertising effectiveness, audience construction, and re-engagement on third-party platforms. These are activated only after the Data Subject has granted consent.

6.2 The Data Subject may grant, refuse, or modify consent at any time through the preferences interface accessible from the utility belt on the Site, or by clearing cookies in the browser. A refusal of non-essential technologies does not impair access to the core functions of the Site.

6.3 A list of the specific technologies in use, the purposes they serve, their duration, and the Subprocessors to which they relate, is set out in the Schedule and within the consent-management interface.

7.1 The Practice does not sell Personal Data, in the sense of any Applicable Law. The Practice discloses Personal Data only as set out in this clause.

7.2 Subprocessors. Personal Data is shared with the Subprocessors identified in the Schedule, in each case for the limited purposes set out against that Subprocessor and pursuant to written terms incorporating obligations of confidentiality, security, and Processing only on documented instructions of the Practice.

7.3 Legal and regulatory recipients. Personal Data may be disclosed to public authorities, regulators, courts, or law-enforcement agencies where such disclosure is required by law, court order, or a binding regulatory request, or where such disclosure is necessary to protect the legal rights, property, or safety of the Practice, the Data Subject, or a third party.

7.4 Successors. In the event of a corporate restructuring, sale of substantially all of the assets of the Practice, or transfer of the practice to a successor entity, Personal Data may be transferred to that successor, subject to obligations no less protective than those set out in this Policy. Data Subjects will be notified of any such transfer where required by Applicable Law.

7.5 Professional advisers. Personal Data may be disclosed to the Practice's auditors, accountants, bankers, insurers, and legal counsel under obligations of professional confidentiality where reasonably necessary for the conduct of the Practice.

8.1 Certain Subprocessors are located outside India, the European Economic Area, and the United Kingdom. Where Personal Data is transferred to a jurisdiction that has not been recognised as providing an adequate level of protection, the Practice relies on the following mechanisms, as applicable.

8.1.1 The Standard Contractual Clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, with any module-specific selections and country addenda required for the receiving jurisdiction.

8.1.2 The International Data Transfer Agreement and the International Data Transfer Addendum approved by the Information Commissioner's Office of the United Kingdom under section 119A of the Data Protection Act, 2018.

8.1.3 Any adequacy decision in force at the time of transfer in respect of the recipient jurisdiction.

8.2 Transfers from India are conducted in accordance with the DPDP Act and any restrictions on cross-border transfers notified by the Central Government from time to time. The Practice does not transfer Personal Data of Indian Data Subjects to any jurisdiction included in a "negative list" notified under the DPDP Act.

9.1 The Practice may deploy AI Tools to assist with the triage of incoming enquiries, the scheduling of consultations, the drafting of routine correspondence, the qualification of fit between an enquirer's needs and the Services, and other administrative tasks.

9.2 The output of any AI Tool is treated as an assistive draft for review by an authorised member of the Practice. Final advisory output and final operational decisions (including engagement, scheduling, and refund determinations) are made by a natural person.

9.3 The Practice does not subject Data Subjects to decisions based solely on automated Processing, including profiling, that produce legal effects concerning them or similarly significantly affect them, within the meaning of Article 22 of the GDPR. Any change to this position will be notified through an update to this Policy and, where required, the obtaining of fresh consent.

9.4 Conversations conducted through any chat or AI-assistant interface are recorded and stored to maintain context across sessions, to improve the quality of responses, to meet record-keeping obligations, and to defend against disputes. Such conversations are treated with the same confidentiality as other client communications and are subject to the retention period set out in clause 10.

9.5 A Data Subject may, at any time, request that their enquiry be handled by a natural person rather than an AI Tool, by writing to the Grievance Officer named in clause 16.

10.1 The Practice retains Personal Data only for such period as is necessary for the purposes for which the data was collected, and to comply with legal, accounting, and contractual obligations. The retention periods applicable to each category of data are as follows.

10.1.1 Engagement records, including notes and reports: seven (7) years from the date of last engagement, consistent with prevailing record-keeping norms for professional service providers in India.

10.1.2 Payment and tax records: eight (8) financial years from the relevant assessment year, as required under the Income-tax Act, 1961 and the Central Goods and Services Tax Act, 2017.

10.1.3 Chat and AI-assistant conversation logs: twenty-four (24) months from the date of last interaction.

10.1.4 Marketing consent records: for so long as consent remains in force, and for three (3) years following its withdrawal, for the limited purpose of evidencing the lawful basis of prior Processing.

10.1.5 Server logs and anonymised analytics: fourteen (14) months from the date of collection.

10.1.6 Cookie consent records: thirteen (13) months from the date of grant, after which fresh consent is sought.

10.2 On the expiry of the applicable retention period, Personal Data is securely deleted or anonymised. The Practice may retain Personal Data for a longer period where required to establish, exercise, or defend a legal claim, in which case the data is held in restricted access until the claim is concluded.

11.1 The Practice implements and maintains technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of Data Subjects.

11.2 Such measures include, without limitation: transport-layer encryption for all data in transit between the Data Subject and the Site; access controls and multi-factor authentication for administrative interfaces; the principle of least privilege applied to staff and Subprocessors; logical segregation of production and development environments; and periodic review of the security posture of the Practice and its material Subprocessors.

11.3 No method of transmission over the internet or method of electronic storage is fully secure. The Practice cannot guarantee absolute security and disclaims liability for any loss arising from a breach of security measures of a Subprocessor, save where such loss is directly attributable to the Practice's own failure to discharge its obligations under this Policy.

12.1 Subject to the limitations and conditions of the relevant Applicable Law, Data Subjects have the following rights in respect of their Personal Data.

12.1.1 Right of access – to obtain confirmation of, and a copy of, Personal Data Processed by the Practice.

12.1.2 Right of rectification – to require the correction of inaccurate or incomplete Personal Data.

12.1.3 Right of erasure ("right to be forgotten") – to require deletion of Personal Data in the circumstances permitted by the Applicable Law.

12.1.4 Right to restriction of Processing – to require the restriction of Processing in the circumstances permitted by the Applicable Law.

12.1.5 Right of data portability – to receive Personal Data in a structured, commonly used, and machine-readable format, and to require its transmission to another controller where technically feasible.

12.1.6 Right to object – to object to Processing based on legitimate interests, and to object to Processing for direct marketing.

12.1.7 Right to withdraw consent – to withdraw consent at any time without affecting the lawfulness of Processing carried out before withdrawal.

12.1.8 Right not to be discriminated against(CCPA/CPRA) – Data Subjects in California will not be denied Services, charged different prices, or provided a different level of Service on account of the exercise of their rights.

12.1.9 Right to lodge a complaint – Data Subjects in the European Economic Area or the United Kingdom may lodge a complaint with their local supervisory authority; Data Subjects in India may approach the Data Protection Board of India after first raising the matter with the Grievance Officer.

12.2 A request to exercise any right under this clause 12 shall be addressed to the Grievance Officer named in clause 16 and shall include sufficient information to permit identification of the Data Subject. The Practice will respond within the period prescribed by the Applicable Law to the request, and in any event without undue delay.

13.1 The Services are directed exclusively to natural persons aged eighteen (18) years and above. The Practice does not knowingly collect Personal Data from a child.

13.2 Where Processing of Personal Data of a child is permitted by Applicable Law (including under section 9 of the DPDP Act), it shall be undertaken only with the verifiable consent of the parent or lawful guardian, and subject to the additional restrictions on tracking, behavioural monitoring, and targeted advertising prescribed by section 9 of the DPDP Act.

13.3 If the Practice becomes aware that it has inadvertently collected Personal Data of a child without lawful basis, the data will be erased without undue delay.

14.1 In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of Data Subjects, the Practice shall notify the relevant supervisory authority and the affected Data Subjects within the periods prescribed by the Applicable Law, including:

14.1.1 seventy-two (72) hours of becoming aware of the breach, for notifications to a supervisory authority under the GDPR;

14.1.2 the period prescribed by rules made under the DPDP Act, in respect of notifications to the Data Protection Board of India and to affected Data Subjects in India.

14.2 Each notification shall include the information required by the Applicable Law, including the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

15.1 The Practice may amend this Policy from time to time to reflect changes in its Processing activities, in Applicable Law, or for other operational reasons.

15.2 Where an amendment is material, the Practice shall update the "Last reviewed" date displayed on the Site and, where required by Applicable Law, notify Data Subjects by email or a prominent notice on the Site. Continued use of the Site or the Services after the effective date of the amendment shall constitute acceptance of the amended Policy, save where a separate fresh consent is required by the Applicable Law.

16.1 Any question, request, or complaint concerning this Policy or the Processing of Personal Data by the Practice shall be addressed to the Grievance Officer named below. The Grievance Officer has been designated for the purpose of section 10 of the DPDP Act.

16.2 The Grievance Officer shall acknowledge receipt of a complaint within seven (7) working days and shall endeavour to dispose of the complaint within the period prescribed by the Applicable Law to the complaint, and in any event within a reasonable period.

16.3 Refund and cancellation requests are not handled by the Grievance Officer in the first instance. Such requests shall be addressed to payments@nareshdulani.com in accordance with the Refund and Cancellation Policy. The Grievance Officer may be approached only on escalation where a refund decision is alleged to give rise to a contravention of the Applicable Law.

17.1 The following Subprocessors are engaged by the Practice as of the effective date of this Policy. The Practice may add or replace Subprocessors from time to time; material changes shall be reflected by an update to this Schedule.

• Vercel, Inc. (United States) — website hosting, content delivery network, and edge functions.
• Supabase, Inc. (United States) — database and customer-relationship records.
• Google LLC (United States) — electronic mail (Google Workspace); on consent, analytics (Google Analytics 4 and Google Tag Manager).
• Microsoft Corporation (United States) — on consent, session analytics (Microsoft Clarity).
• Meta Platforms, Inc. (United States) — on consent, advertising attribution and audience construction (Meta Pixel).
• LinkedIn Corporation (United States) — on consent, advertising attribution (LinkedIn Insight Tag).
• Calendly LLC (United States) — appointment scheduling.
• Razorpay Software Private Limited (India) — payment processing for transactions denominated in Indian Rupees.
• Stripe, Inc. (United States) — disclosed as a planned Subprocessor for payment processing of transactions in foreign currency. This entry shall be confirmed upon activation of the integration and a notice shall be displayed on the Site.
• AI conversation and assistant providers – the specific provider shall be identified by name and country of establishment upon activation of any chat or AI-assistant interface, and a notice shall be displayed on the Site.