01. Who We Are
Gigaflop Techlab is a data and AI engineering practice operated under DiscoverWebTech Pvt. Ltd., a company registered in India. We provide data engineering, AI engineering, audit, and retainer services to SaaS and D2C companies globally.
- Trading name: Gigaflop Techlab
- Legal entity: DiscoverWebTech Pvt. Ltd.
- Registered jurisdiction: India
- Website: gigafloptechlab.com
- Data controller contact: hello@gigafloptechlab.com
For the purposes of the EU GDPR, UK GDPR, and India’s Digital Personal Data Protection Act, 2023 (DPDPA), DiscoverWebTech Pvt. Ltd. is the data controller for personal data collected via the Website and in the course of client Engagements.
02. Data We Collect
We collect only what is necessary for the purposes described in this policy.
Data you give us directly
| Data | When collected | Purpose |
|---|---|---|
| Name | Discovery call booking, email, contact form | Identify you and personalise communications |
| Email address | Any inbound communication | Respond to enquiries; project communications |
| Company name & role | Discovery calls, proposals | Qualify and scope Engagements |
| Phone / calendar availability | Cal.com booking (optional) | Schedule discovery calls |
| Project or technical context | Email, intake forms, calls | Assess fit; prepare proposals |
| CV / work history | Engineering bench applications | Evaluate candidacy |
Data we collect automatically
| Data | Source | Purpose |
|---|---|---|
| IP address | Website server logs | Security and fraud prevention |
| Browser type, OS, device | Analytics (GA4) | Understand how the Website is used |
| Pages visited, time on page | Analytics | Improve Website content |
| Referral source | Analytics | Understand where visitors come from |
| Cookies (see §06) | Website | Session management, analytics |
Data we do not collect
- We do not collect payment card details — all payments are processed by third-party platforms; we never see raw card numbers.
- We do not collect special-category personal data (health, biometric, racial/ethnic origin, political opinions, etc.) in ordinary Website use or Engagements.
- We do not knowingly collect personal data from individuals under 18 (see §12).
03. How We Use Your Data
- Responding to enquiries — replying to emails, calls, and contact forms.
- Running discovery calls — scheduling, preparing for, and following up via Cal.com.
- Scoping and delivering Engagements — preparing proposals, SOWs, NDAs; delivering active work; communicating project progress.
- Invoice and payment administration — issuing and tracking invoices; maintaining financial records as required by law.
- Legal and compliance obligations — retaining records as required by Indian law; responding to lawful regulatory requests.
- Website analytics — understanding Website usage to improve content and performance.
- Security — detecting and preventing unauthorised access, fraud, or misuse.
- Recruiting — reviewing engineering bench applications and communicating with candidates.
We do not sell personal data to third parties. We do not use personal data for automated decision-making that produces legal or similarly significant effects. We do not send marketing newsletters — we only communicate on matters directly related to an enquiry or active Engagement.
04. Legal Bases for Processing
| Processing activity | Legal basis |
|---|---|
| Responding to enquiries and discovery calls | Legitimate interests (responding to a direct request) |
| Delivering contracted Engagements | Performance of a contract |
| Invoicing and financial records | Legal obligation (Indian tax and accounting law) |
| Website analytics | Legitimate interests / Consent (where required by cookie law) |
| Security and fraud prevention | Legitimate interests |
| Responding to regulatory / legal requests | Legal obligation |
| Candidate data (engineering bench) | Legitimate interests / Consent |
05. Who We Share Data With
We share personal data only where necessary. We do not sell, rent, or broker your data.
Service providers (processors)
- Cal.com — scheduling. Processes name, email, calendar availability. Privacy policy at cal.com/privacy.
- Google Workspace — email, project communication, document storage.
- Google Analytics / Tag Manager (GA4) — website analytics. Anonymised where possible.
- Slack — shared project channels with active Clients. Processes names, emails, and project messages.
- Invoicing / payment platform — name, company, billing address. Card data processed directly by the platform; we do not receive it.
- WordPress / hosting provider — Website hosting and CMS; server-level access to traffic logs.
Engineering bench Engagements are delivered by the in-house DiscoverWebTech engineering bench — all on-payroll employees, not contractors. We do not pass client data to external subcontractors. The full subprocessor list for enterprise Engagements is available in the DPA (see §11).
Legal and regulatory disclosures
We may disclose personal data to regulators or courts where required by applicable law. We will inform you where legally permitted to do so.
Business transfers
If DiscoverWebTech Pvt. Ltd. undergoes a merger or acquisition, personal data may transfer to the successor entity. You will be notified before your data is subject to a different privacy policy.
06. Cookies & Tracking
| Cookie / Technology | Type | Purpose | Duration |
|---|---|---|---|
| Google Analytics (_ga, _gid) | Analytics | Track page views and session data | Up to 2 years |
| Google Tag Manager | Analytics infrastructure | Fire analytics and marketing tags | Session |
| WordPress session cookies | Functional | CMS / admin session management | Session |
| Cal.com cookies | Functional | Booking widget state | Session |
Where required by applicable law (EU Cookie Directive, UK PECR), non-essential cookies will only be set with your consent. You can manage or withdraw consent at any time through your browser settings. Refusing cookies may affect certain Website features but will not prevent you from viewing content.
07. How Long We Keep Data
| Data category | Retention period | Reason |
|---|---|---|
| Enquiry / pre-engagement communications | 3 years from last contact | Legitimate interests; statute of limitations |
| Engagement project data | 7 years from Engagement close | Indian accounting and tax law |
| Client data on our systems (as processor) | 90 days post-handoff (default) | Contractual / DPA obligation |
| Invoice and financial records | 7 years | Indian Companies Act / Tax law |
| Website analytics (GA4) | 14 months | Operational analytics |
| Candidate / CV data (no offer) | 1 year from application | Potential future openings |
| Server / access logs | 90 days | Security and fraud prevention |
After the applicable retention period, data is securely deleted or anonymised. You may request earlier deletion where legally permitted — see §10.
08. Security
We implement technical and organisational measures appropriate to the risk:
- Encryption in transit: All Website traffic over HTTPS (TLS 1.2+). Email and project communications via Google Workspace.
- Access controls: Personal data accessible only to team members who need it for delivery.
- Cyber liability insurance: $1M aggregate (in process; current placeholder $500K).
- SOC 2 Type 2: In process; target Q3 2026. Current security posture available for enterprise diligence on request.
- Incident response: In the event of a breach affecting your personal data, we will notify you and, where required, the relevant supervisory authority within 72 hours (GDPR requirement).
- No subcontractors: The engineering bench is fully in-house and on-payroll. Client data is never handed to external contractors.
If you discover a security vulnerability affecting the Website or our systems, please report it responsibly to hello@gigafloptechlab.com with subject “Security disclosure.” We acknowledge within 1 business day.
09. International Data Transfers
Gigaflop Techlab is headquartered in India and serves clients across the US, UK, EU, Australia, and Singapore. Personal data may be transferred to and processed in India.
For transfers of personal data from the EU or UK to India, we rely on the following safeguards as applicable:
- Standard Contractual Clauses (SCCs): EU-approved SCCs incorporated into the Data Processing Addendum (DPA) for EU/EEA client Engagements.
- UK International Data Transfer Addendum (IDTA): Used for UK client Engagements.
- Supplementary technical and organisational measures: Including encryption, access controls, and data minimisation, as described in the DPA.
You may request a copy of the applicable transfer safeguards by emailing hello@gigafloptechlab.com.
10. Your Privacy Rights
| Right | Description | Applies under |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | GDPR · UK GDPR · DPDPA |
| Rectification | Request correction of inaccurate or incomplete data | GDPR · UK GDPR · DPDPA |
| Erasure | Request deletion of your data (subject to legal retention obligations) | GDPR · UK GDPR · DPDPA |
| Restriction | Request that we limit processing in certain circumstances | GDPR · UK GDPR |
| Portability | Receive your data in a structured, machine-readable format | GDPR · UK GDPR |
| Object | Object to processing based on legitimate interests | GDPR · UK GDPR |
| Withdraw consent | Where processing is consent-based, withdraw at any time | GDPR · UK GDPR · DPDPA |
| Complaint | Lodge a complaint with us or your local supervisory authority | GDPR · UK GDPR · DPDPA |
How to exercise your rights
Email hello@gigafloptechlab.com with subject “Privacy Request.” We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.
Supervisory authority complaints
EU residents may contact the supervisory authority in their member state. UK residents may contact the Information Commissioner’s Office (ICO). India residents may contact the Data Protection Board of India under the DPDPA once operational. We would appreciate the opportunity to address your concern directly first.
11. Client Data & Data Processing Addendum (DPA)
In the course of delivering Engagements, we may process personal data on behalf of Clients — for example, data in a Client’s database, data warehouse, or AI model inputs/outputs. In this context, the Client is the data controller and we act as a data processor.
Our processor commitments
- We process Client data only on documented instructions from the Client, as set out in the signed Proposal and/or DPA.
- We do not use Client data for any purpose beyond the Engagement scope — including internal analytics, model training, or product development.
- Client data on our systems is retained for a default of 90 days post-Engagement handoff, after which it is securely deleted, unless the signed DPA specifies otherwise.
- We will notify the Client without undue delay if we become aware of a personal data breach affecting Client data.
- We maintain a record of processing activities as required by GDPR Article 30.
Data Processing Addendum (DPA)
For EU, UK, HIPAA, and other regulated-jurisdiction Engagements, a formal DPA is signed alongside the Proposal. The DPA includes: processor obligations; subprocessor list; international transfer mechanisms (SCCs / IDTA); technical and organisational security measures; and audit rights.
We currently serve two HIPAA-covered Engagements. Business Associate Agreements (BAAs) are available and signed as a standard step for any Engagement involving Protected Health Information. Contact hello@gigafloptechlab.com with subject “BAA request.”
To request a DPA, subprocessor list, or security questionnaire, email hello@gigafloptechlab.com with subject “Procurement.” We respond within 2 business days.
12. Children’s Privacy
The Website and Services are directed at businesses and professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without appropriate parental consent, please contact us at hello@gigafloptechlab.com and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Effective” date at the top of this page;
- Post a notice on the Website where reasonable;
- Notify active Clients by email for changes that materially affect how we process their data.
Continued use of the Website after a policy update constitutes acceptance of the revised policy. For ongoing Engagements governed by a signed DPA, policy changes do not alter the DPA without a written amendment.
14. Contact & Data Requests
For any privacy-related questions, rights requests, data incidents, or procurement diligence:
- Email: hello@gigafloptechlab.com
- Privacy requests: subject line “Privacy Request” — response within 30 days
- DPA / BAA / procurement: subject line “Procurement” — response within 2 business days
- Security disclosure: subject line “Security disclosure” — acknowledged within 1 business day
- Legal entity: DiscoverWebTech Pvt. Ltd., India
There is no separate Data Protection Officer (DPO) appointment required under current applicable law for our processing scale. Privacy matters are handled directly by the founders. If this changes, we will update this policy accordingly.