
Privacy Policy

Effective: 20 May 2026
Last reviewed: 03 June 2026
Naresh J. Dulani · Sole Proprietor
Maharashtra, India

This Privacy Policy is issued by Naresh J. Dulani, Sole Proprietor (the "Practice"), in respect of the Processing of Personal Data through the website at nareshdulani.com and the provision of advisory services by the Practice.

It is drafted to a unified standard intended to satisfy the stricter of the Digital Personal Data Protection Act, 2023 of India, the General Data Protection Regulation (EU and United Kingdom), and the California Consumer Privacy Act, so that the same protections apply to every Data Subject regardless of jurisdiction. Defined terms used in this Policy bear the meanings given in clause 1.

By accessing the Site or engaging the Services, the Data Subject is taken to have read this Policy. Continued use of the Site and the Services constitutes acknowledgement of this Policy. Where consent is required as a legal basis under the Applicable Law, such consent will be sought separately at the point of collection.

01 Interpretation and Definitions

1.1 In this Privacy Policy (the "Policy"), the following terms have the meanings set out below. Words denoting the singular include the plural and vice versa.

"Applicable Laws" means, collectively, the Digital Personal Data Protection Act, 2023 of India (the "DPDP Act"), the General Data Protection Regulation (EU) 2016/679 and the United Kingdom equivalent (together, "GDPR"), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Information Technology Act, 2000 of India and rules thereunder, and any successor or analogous legislation that applies to the Processing of Personal Data through the Site or the Services.

"AI Tools" means any artificial-intelligence-based or machine-learning-based system, including third-party large language models and conversation assistants, used by the Practice to triage enquiries, draft routine correspondence, schedule appointments, or interact with Data Subjects through chat or voice interfaces.

"Data Subject", "You" or "Your" means the natural person to whom the Personal Data relates.

"Grievance Officer" means the individual designated by the Practice under section 10 of the DPDP Act to receive and dispose of complaints concerning the Processing of Personal Data, identified in clause 16 of this Policy.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under the Applicable Laws.

"Practice", "we", "us" or "our" means Naresh J. Dulani, a sole proprietor practising under the trade name "Dr. Naresh J. Dulani – Global Scientific Vastu Advisory", further identified in clause 2.

"Processing" has the meaning given to it under the GDPR and the DPDP Act and includes, without limitation, the collection, recording, storage, structuring, retrieval, consultation, use, disclosure, transfer, restriction, erasure, and destruction of Personal Data.

"Services" means the advisory engagements, consultations, reports, and ancillary services offered by the Practice.

"Site" means the website operated at the domain nareshdulani.com and any subdomain thereof.

"Subprocessor" means any third party engaged by the Practice to Process Personal Data on the Practice's behalf, listed in the Schedule appended to this Policy.

02 Data Fiduciary and Controller Details

2.1 The Practice acts as the Data Fiduciary under the DPDP Act and as the Controller under the GDPR in respect of all Personal Data Processed through the Site and in the course of providing the Services.

2.2 Identity of the Practice.

Naresh J. Dulani (Sole Proprietor)
Shop No. 2, Ground Floor, Deepak Niwas, Section 17,
near Petrol Pump, Ulhasnagar, Dist. Thane,
Maharashtra 421003, India.
PAN: ABJPD6474F. GSTIN: 27ABJPD6474F1ZL.

2.3 The Practice does not, as of the effective date of this Policy, meet the thresholds for designation as a Significant Data Fiduciary under section 10 of the DPDP Act and has not been so designated. A Data Protection Officer is not appointed at present; the Grievance Officer named in clause 16 discharges the functions of receiving and disposing of complaints.

2.4 The Practice has no establishment in the European Economic Area or the United Kingdom and, where required, may appoint a representative under Article 27 of the GDPR. Until such appointment, enquiries from Data Subjects in those jurisdictions are to be addressed to the Grievance Officer.

03 Categories of Personal Data Processed

3.1 The Practice Processes the following categories of Personal Data.

3.1.1 Identification and contact data – name, email address, postal address, telephone number, salutation, and language preference.

3.1.2 Engagement data – the nature of the enquiry, property address, floor plans, architectural drawings, photographs, business plans, and other materials voluntarily submitted in connection with a consultation.

3.1.3 Communication data – the content of emails, chat messages, voice transcripts (where recorded with notice and consent), and any other communications between the Data Subject and the Practice, including communications conducted through AI Tools.

3.1.4 Transaction data – billing name, invoice address, transaction identifier, transaction amount, currency, transaction status, payment-instrument type (without the underlying instrument credentials), and tax identifiers where relevant. The Practice does not collect, view, or store full payment-card numbers, card verification values, expiry dates, internet-banking credentials, or unified-payments-interface PINs; these are handled exclusively within the PCI-DSS-certified environment of the payment processor.

3.1.5 Booking data – appointment date, time, time-zone, attendee names, and meeting metadata received from the appointment-scheduling Subprocessor.

3.1.6 Device and usage data – internet-protocol address, approximate geographic location derived therefrom, device identifier, operating system, browser type and version, screen resolution, referring uniform resource locator, pages accessed, time spent on each page, clickstream, and form interactions.

3.1.7 Consent and preference data – cookie preferences, marketing preferences, language and accessibility preferences, and the timestamped record of consent grants and withdrawals.

3.2 The Practice does not knowingly collect Personal Data that is classified as sensitive under any Applicable Law (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning sex life or sexual orientation), unless the Data Subject voluntarily and unambiguously discloses such data in the course of an enquiry. Where such disclosure occurs, the Practice Processes the data only to the extent necessary to respond to the enquiry and erases it on conclusion of the engagement or sooner where requested.

04 Purposes of Processing

4.1 The Practice Processes Personal Data for the following purposes, and for no other purpose, save where required or permitted by law.

4.1.1 To provide the Services, including responding to enquiries, scheduling and conducting consultations, preparing and delivering reports, and conducting follow-up correspondence.

4.1.2 To process payments and tax obligations, including the issuance of invoices and the maintenance of accounts and records required by Indian taxation law.

4.1.3 To operate, secure, and improve the Site, including the diagnosis of technical issues, prevention of fraud, and assessment of the effectiveness of content and functionality.

4.1.4 To communicate operational and transactional notices that are necessary or incidental to the Services, including booking confirmations, rescheduling notices, payment receipts, security notices, and updates to this Policy.

4.1.5 To deliver, where consent has been obtained, marketing communications about the Practice's services, publications, and events; consent may be withdrawn at any time without affecting the lawfulness of Processing before withdrawal.

4.1.6 To comply with legal obligations, including responding to lawful requests from public authorities, enforcing the Practice's Terms of Service, and protecting the legal rights, property, and safety of the Practice, its Data Subjects, and third parties.

4.1.7 To establish, exercise, or defend legal claims, including the retention of records required for the assertion of, or defence against, statutory or contractual claims.

06 Cookies and Similar Technologies

6.1 The Site uses cookies, browser local storage, and similar technologies (together, the "Tracking Technologies"). They are grouped into four categories, which correspond to the four choices presented in the Practice's consent-management interface.

6.1.1 Strictly necessary technologies – required for the basic operation and security of the Site, including load-balancing, protection against fraudulent activity, and the storage of the Data Subject's own consent choice. These are always active, are exempt from the consent requirement under each Applicable Law, and cannot be switched off through the consent-management interface.

6.1.2 Functional technologies – remember the choices a Data Subject makes in order to personalise the Site, such as colour theme, language, text size, region, and reduced-motion preference. These are activated only after the Data Subject has granted consent to the functional category.

6.1.3 Analytics technologies – measure how the Site is found and used, including visitor numbers, traffic sources, pages viewed, scroll depth, site speed, and interactions with on-page elements. These are activated only after the Data Subject has granted consent to the analytics category.

6.1.4 Marketing and advertising technologies – measure the effectiveness of advertising, construct audiences, and enable the re-engagement of past visitors on third-party platforms. These are activated only after the Data Subject has granted consent to the marketing category.

6.2 The choice made through the consent-management interface is recorded in a strictly necessary first-party identifier named dnd_consent, stored both as a cookie and in the browser's local storage. The record contains the categories granted or refused, a version number, and the date and time of the choice, so that the Practice can evidence the consent on which its Processing relies. It remains in effect on the Data Subject's device until the Data Subject changes or withdraws the choice, clears the browser's cookies and local storage, or this Policy is materially revised, on which last event the choice is sought afresh. The "Consent and preference data" described in clause 3.1.7 consists of this record.

6.3 On a first visit, the non-essential Tracking Technologies remain inactive until the Data Subject responds to the consent notice presented on the Site. The Data Subject may grant, refuse, or change consent for any category at any time, through the preferences interface reached from the utility belt on the Site, or by clearing cookies and local storage in the browser. A refusal or withdrawal takes effect immediately in respect of subsequent Processing and does not impair access to the core functions of the Site.

6.4 Consent Mode. The Practice operates Google Consent Mode (version 2) in its advanced configuration. Before a consent choice is made, tags supplied by Google are present on the page but operate in a restricted state: they do not read from or write to cookies or local storage, and they do not collect identifiers. They may transmit to Google a limited, cookieless, and non-identifying signal recording that a page was viewed. Once the Data Subject grants consent, the corresponding measurement is enabled in full; where consent is refused, the restricted state continues. A Data Subject who wishes to prevent even the cookieless signal may use the browser controls described in clause 6.6.

6.5 Measurement and advertising data shared with Google. Where the analytics or marketing category is active, the Device and Usage Data described in clause 3.1.6 is shared with Google LLC for the measurement of the Site and, where the marketing category is active, for advertising attribution and the construction of audiences. The Practice has additionally enabled, within its Google Analytics configuration, the facility to transmit user-provided identifiers, such as an email address or telephone number that the Data Subject has given to the Practice, to Google in a hashed and irreversibly transformed form, in order to improve the accuracy of measurement and audience matching. Such an identifier is transmitted only where each of the following conditions is met: the Data Subject has provided the identifier to the Practice; the relevant consent, being analytics consent or marketing consent, is in force; and the Practice has activated the corresponding data flow within the Site. As at the effective date of this Policy that data flow is not active, and no user-provided identifier is transmitted to Google. The Data Subject may prevent this Processing at any time by refusing or withdrawing analytics and marketing consent.

6.6 Independently of the consent-management interface, the Data Subject may block or delete cookies and clear local storage through the settings of the browser or the device. Doing so prevents the non-essential Tracking Technologies from operating and may also remove the stored consent record, in which case the consent notice is shown again on the next visit.

6.7 A description of the specific Tracking Technologies in use, the Subprocessor to which each relates, and the purpose and duration of each, is made available within the consent-management interface. The Subprocessors that set or receive data through these technologies are identified in the Schedule to this Policy.

07 Disclosure and Sharing

7.1 The Practice does not sell Personal Data, in the sense of any Applicable Law. The Practice discloses Personal Data only as set out in this clause.

7.2 Subprocessors. Personal Data is shared with the Subprocessors identified in the Schedule, in each case for the limited purposes set out against that Subprocessor and pursuant to written terms incorporating obligations of confidentiality, security, and Processing only on documented instructions of the Practice.

7.3 Legal and regulatory recipients. Personal Data may be disclosed to public authorities, regulators, courts, or law-enforcement agencies where such disclosure is required by law, court order, or a binding regulatory request, or where such disclosure is necessary to protect the legal rights, property, or safety of the Practice, the Data Subject, or a third party.

7.4 Successors. In the event of a corporate restructuring, sale of substantially all of the assets of the Practice, or transfer of the practice to a successor entity, Personal Data may be transferred to that successor, subject to obligations no less protective than those set out in this Policy. Data Subjects will be notified of any such transfer where required by Applicable Law.

7.5 Professional advisers. Personal Data may be disclosed to the Practice's auditors, accountants, bankers, insurers, and legal counsel under obligations of professional confidentiality where reasonably necessary for the conduct of the Practice.

08 International Transfers

8.1 Certain Subprocessors are located outside India, the European Economic Area, and the United Kingdom. Where Personal Data is transferred to a jurisdiction that has not been recognised as providing an adequate level of protection, the Practice relies on the following mechanisms, as applicable.

8.1.1 The Standard Contractual Clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, with any module-specific selections and country addenda required for the receiving jurisdiction.

8.1.2 The International Data Transfer Agreement and the International Data Transfer Addendum approved by the Information Commissioner's Office of the United Kingdom under section 119A of the Data Protection Act, 2018.

8.1.3 Any adequacy decision in force at the time of transfer in respect of the recipient jurisdiction.

8.2 Transfers from India are conducted in accordance with the DPDP Act and any restrictions on cross-border transfers notified by the Central Government from time to time. The Practice does not transfer Personal Data of Indian Data Subjects to any jurisdiction included in a "negative list" notified under the DPDP Act.

09 Automated Processing and AI Tools

9.1 The Practice may deploy AI Tools to assist with the triage of incoming enquiries, the scheduling of consultations, the drafting of routine correspondence, the qualification of fit between an enquirer's needs and the Services, and other administrative tasks.

9.2 The output of any AI Tool is treated as an assistive draft for review by an authorised member of the Practice. Final advisory output and final operational decisions (including engagement, scheduling, and refund determinations) are made by a natural person.

9.3 The Practice does not subject Data Subjects to decisions based solely on automated Processing, including profiling, that produce legal effects concerning them or similarly significantly affect them, within the meaning of Article 22 of the GDPR. Any change to this position will be notified through an update to this Policy and, where required, the obtaining of fresh consent.

9.4 Conversations conducted through any chat or AI-assistant interface are recorded and stored to maintain context across sessions, to improve the quality of responses, to meet record-keeping obligations, and to defend against disputes. Such conversations are treated with the same confidentiality as other client communications and are subject to the retention period set out in clause 10.

9.5 A Data Subject may, at any time, request that their enquiry be handled by a natural person rather than an AI Tool, by writing to the Grievance Officer named in clause 16.

10 Retention Periods

10.1 The Practice retains Personal Data only for such period as is necessary for the purposes for which the data was collected, and to comply with legal, accounting, and contractual obligations. The retention periods applicable to each category of data are as follows.

10.1.1 Engagement records, including notes and reports: seven (7) years from the date of last engagement, consistent with prevailing record-keeping norms for professional service providers in India.

10.1.2 Payment and tax records: eight (8) financial years from the relevant assessment year, as required under the Income-tax Act, 1961 and the Central Goods and Services Tax Act, 2017.

10.1.3 Chat and AI-assistant conversation logs: twenty-four (24) months from the date of last interaction.

10.1.4 Marketing consent records: for so long as consent remains in force, and for three (3) years following its withdrawal, for the limited purpose of evidencing the lawful basis of prior Processing.

10.1.5 Server logs and anonymised analytics: fourteen (14) months from the date of collection.

10.1.6 Cookie consent records: retained on the Data Subject's device until the choice is changed or withdrawn, the browser's cookies and local storage are cleared, or this Policy is materially revised, on which last event fresh consent is sought.

10.2 On the expiry of the applicable retention period, Personal Data is securely deleted or anonymised. The Practice may retain Personal Data for a longer period where required to establish, exercise, or defend a legal claim, in which case the data is held in restricted access until the claim is concluded.

11 Information Security

11.1 The Practice implements and maintains technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of Data Subjects.

11.2 Such measures include, without limitation: transport-layer encryption for all data in transit between the Data Subject and the Site; access controls and multi-factor authentication for administrative interfaces; the principle of least privilege applied to staff and Subprocessors; logical segregation of production and development environments; and periodic review of the security posture of the Practice and its material Subprocessors.

11.3 No method of transmission over the internet or method of electronic storage is fully secure. The Practice cannot guarantee absolute security and disclaims liability for any loss arising from a breach of security measures of a Subprocessor, save where such loss is directly attributable to the Practice's own failure to discharge its obligations under this Policy.

12 Rights of Data Subjects

12.1 Subject to the limitations and conditions of the relevant Applicable Law, Data Subjects have the following rights in respect of their Personal Data.

12.1.1 Right of access – to obtain confirmation of, and a copy of, Personal Data Processed by the Practice.

12.1.2 Right of rectification – to require the correction of inaccurate or incomplete Personal Data.

12.1.3 Right of erasure ("right to be forgotten") – to require deletion of Personal Data in the circumstances permitted by the Applicable Law.

12.1.4 Right to restriction of Processing – to require the restriction of Processing in the circumstances permitted by the Applicable Law.

12.1.5 Right of data portability – to receive Personal Data in a structured, commonly used, and machine-readable format, and to require its transmission to another controller where technically feasible.

12.1.6 Right to object – to object to Processing based on legitimate interests, and to object to Processing for direct marketing.

12.1.7 Right to withdraw consent – to withdraw consent at any time without affecting the lawfulness of Processing carried out before withdrawal.

12.1.8 Right not to be discriminated against (CCPA/CPRA) – Data Subjects in California will not be denied Services, charged different prices, or provided a different level of Service on account of the exercise of their rights.

12.1.9 Right to lodge a complaint – Data Subjects in the European Economic Area or the United Kingdom may lodge a complaint with their local supervisory authority; Data Subjects in India may approach the Data Protection Board of India after first raising the matter with the Grievance Officer.

12.2 A request to exercise any right under this clause 12 shall be addressed to the Grievance Officer named in clause 16 and shall include sufficient information to permit identification of the Data Subject. The Practice will respond within the period prescribed by the Applicable Law that applies to the request, and in any event without undue delay.

13 Children's Personal Data

13.1 The Services are directed exclusively to natural persons aged eighteen (18) years and above. The Practice does not knowingly collect Personal Data from a child.

13.2 Where Processing of Personal Data of a child is permitted by Applicable Law (including under section 9 of the DPDP Act), it shall be undertaken only with the verifiable consent of the parent or lawful guardian, and subject to the additional restrictions on tracking, behavioural monitoring, and targeted advertising prescribed by section 9 of the DPDP Act.

13.3 If the Practice becomes aware that it has inadvertently collected Personal Data of a child without lawful basis, the data will be erased without undue delay.

14 Personal Data Breach Notification

14.1 In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of Data Subjects, the Practice shall notify the relevant supervisory authority and the affected Data Subjects within the periods prescribed by the Applicable Law, including:

14.1.1 seventy-two (72) hours of becoming aware of the breach, for notifications to a supervisory authority under the GDPR;

14.1.2 the period prescribed by rules made under the DPDP Act, in respect of notifications to the Data Protection Board of India and to affected Data Subjects in India.

14.2 Each notification shall include the information required by the Applicable Law, including the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

15 Amendments to this Policy

15.1 The Practice may amend this Policy from time to time to reflect changes in its Processing activities, in Applicable Law, or for other operational reasons.

15.2 Where an amendment is material, the Practice shall update the "Last reviewed" date displayed on the Site and, where required by Applicable Law, notify Data Subjects by email or a prominent notice on the Site. Continued use of the Site or the Services after the effective date of the amendment shall constitute acceptance of the amended Policy, save where a separate fresh consent is required by the Applicable Law.

16 Grievance Officer and Complaints

16.1 Any question, request, or complaint concerning this Policy or the Processing of Personal Data by the Practice shall be addressed to the Grievance Officer named below. The Grievance Officer has been designated for the purpose of section 10 of the DPDP Act.

Mr. Nitesh J. Dulani (Grievance Officer)
104, Topaz, Tharwani Solitare, Maral Goan,
Kalyan 421301, Dist. Thane, Maharashtra, India.
Email: grievances@nareshdulani.com

16.2 The Grievance Officer shall acknowledge receipt of a complaint within seven (7) working days and shall endeavour to dispose of the complaint within the period prescribed by the Applicable Law that applies to the complaint, and in any event within a reasonable period.

16.3 Refund and cancellation requests are not handled by the Grievance Officer in the first instance. Such requests shall be addressed to payments@nareshdulani.com in accordance with the Refund and Cancellation Policy. The Grievance Officer may be approached only on escalation where a refund decision is alleged to give rise to a contravention of the Applicable Law.

17 Schedule A: Subprocessors

17.1 The following Subprocessors are engaged by the Practice as of the effective date of this Policy. The Practice may add or replace Subprocessors from time to time; material changes shall be reflected by an update to this Schedule.

  • Vercel, Inc. (United States) – website hosting, content delivery network, and edge functions.
  • Supabase, Inc. (United States) – database and customer-relationship records.
  • Google LLC (United States) – electronic mail (Google Workspace); on consent, analytics (Google Analytics 4 and Google Tag Manager).
  • Microsoft Corporation (United States) – on consent, session analytics (Microsoft Clarity).
  • Meta Platforms, Inc. (United States) – on consent, advertising attribution and audience construction (Meta Pixel).
  • LinkedIn Corporation (United States) – on consent, advertising attribution (LinkedIn Insight Tag).
  • Calendly LLC (United States) – appointment scheduling.
  • Razorpay Software Private Limited (India) – payment processing for transactions denominated in Indian Rupees.
  • Stripe, Inc. (United States) – disclosed as a planned Subprocessor for payment processing of transactions in foreign currency. This entry shall be confirmed upon activation of the integration and a notice shall be displayed on the Site.
  • AI conversation and assistant providers – the specific provider shall be identified by name and country of establishment upon activation of any chat or AI-assistant interface, and a notice shall be displayed on the Site.