Privacy Policy
Last Updated: April 2026
1. Who We Are
This Privacy Policy is issued by Eveningside Labs (“Company,” “we,” “us,” or “our”), a software and artificial-intelligence services firm incorporated and operating out of Ahmedabad, Gujarat, India. We act as the data controller (under the GDPR) or the business (under the CCPA/CPRA) with respect to the personal data we collect through our website at eveningsidelabs.com(the “Site”) and any related services, communications, or engagements.
Our registered office is located in Ahmedabad, Gujarat 380015, India. If you have questions or concerns about this Policy, you may reach our Data Protection point of contact at privacy@eveningsidelabs.com.
2. What Data We Collect
The categories of personal data we may collect depend on how you interact with us:
- Contact & Inquiry Data. Name, email address, company name, phone number, and the contents of any message you submit through our contact or booking forms.
- Career Application Data. Name, email, phone, resume or CV, portfolio links, and any supplemental information you provide when applying for a position.
- Usage & Analytics Data. IP address (truncated where technically feasible), browser type and version, device type, operating system, referring URL, pages visited, time spent on pages, click paths, and general geolocation at the city level.
- Cookie & Tracking Data. Cookie identifiers, local-storage tokens, and similar technologies as described in our Cookie Policy.
- Communication Data. Email addresses collected through our newsletter subscription, and records of correspondence between you and our team.
- Scheduling Data. Calendar availability, meeting preferences, time zone, and any notes you provide when booking a consultation through Calendly.
We do not intentionally collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation.
3. How We Use Your Data
We process personal data for the following purposes:
- Responding to inquiries. To review, respond to, and manage communications you initiate through our contact forms, email, or scheduled consultations.
- Service delivery. To enter into, perform, and administer our contractual engagements, including issuing statements of work, invoicing, and project communications.
- Recruitment. To evaluate career applications, conduct interviews, and communicate hiring decisions.
- Site improvement and analytics. To understand how visitors use the Site so that we can improve its content, performance, and user experience.
- Marketing communications. To send newsletters, product updates, or promotional content where you have opted in or where we have a legitimate interest to do so (with an unsubscribe mechanism in every communication).
- Legal compliance. To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
4. Legal Basis for Processing
Where the EU/UK General Data Protection Regulation applies, we rely on the following legal bases:
- Consent (Art. 6(1)(a)). For analytics cookies, marketing emails, and any processing for which we explicitly ask for your opt-in.
- Contractual Necessity (Art. 6(1)(b)). For processing required to perform a contract with you or to take pre-contractual steps at your request (e.g., responding to an inquiry, delivering services under a statement of work).
- Legitimate Interest (Art. 6(1)(f)). For website analytics (in aggregate), fraud prevention, IT security, and direct marketing to existing clients, provided such interests are not overridden by your rights.
- Legal Obligation (Art. 6(1)(c)). Where processing is necessary to comply with tax, accounting, or other regulatory requirements.
5. Third-Party Processors
We share personal data with the following categories of third-party processors, each of which is bound by data processing agreements:
| Processor | Purpose | Data Location |
|---|
| Supabase, Inc. | Database hosting for contact form submissions, newsletter subscriptions, and career applications | United States |
| Google LLC (Google Analytics) | Website traffic analytics and audience measurement | United States |
| Calendly LLC | Scheduling and calendar management for consultations and audit bookings | United States |
| Resend, Inc. | Transactional and marketing email delivery | United States |
We do not sell your personal data to any third party. We do not share personal data with third parties for their own independent marketing purposes.
6. International Data Transfers
Because our third-party processors are located in the United States, personal data originating from the European Economic Area (EEA), the United Kingdom, Switzerland, or other jurisdictions with cross-border transfer restrictions may be transferred to the US. We ensure an adequate level of protection through one or more of the following mechanisms:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our data processing agreements.
- Processor participation in the EU-US Data Privacy Framework, the UK Extension, or the Swiss-US Data Privacy Framework, where applicable.
- Your explicit consent to the transfer, where no other safeguard applies and you have been informed of the potential risks.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law. Our standard retention periods are:
- Contact and inquiry records:24 months from the date of last interaction, unless the inquiry converts into an active engagement.
- Analytics data:14 months (aligned with Google Analytics’ default retention window), after which data is aggregated and anonymised.
- Career applications and resumes:12 months from the date of submission, to allow for consideration in future openings unless you request earlier deletion.
- Client engagement records:Retained for the duration of the contractual relationship plus any period required by applicable tax and commercial law (typically 7–8 years under Indian tax law).
At the end of each retention period, data is securely deleted or irreversibly anonymised.
8. Your Rights by Jurisdiction
Depending on where you reside, you may be entitled to specific data protection rights. We honour all verifiable requests within the timeframes mandated by the applicable law.
8.1 European Economic Area & United Kingdom (GDPR / UK GDPR)
If you are located in the EEA or the UK, you have the right to:
- Access the personal data we hold about you.
- Request rectification of inaccurate or incomplete data.
- Request erasure (“right to be forgotten”) where there is no compelling reason for continued processing.
- Restrict processing in certain circumstances.
- Object to processing based on legitimate interest or direct marketing.
- Data portability — receive your data in a structured, commonly used, machine-readable format.
- Withdraw consent at any time (without affecting the lawfulness of processing prior to withdrawal).
- Lodge a complaint with your local supervisory authority.
8.2 California, USA (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell or share.
- Request deletion of your personal information.
- Request correction of inaccurate personal information.
- Opt out of the sale or sharing of personal information. We do not sell personal information. To the extent that analytics cookies constitute “sharing” under the CPRA, you may opt out via the “Do Not Sell or Share My Personal Information” link in our footer or by adjusting your cookie preferences.
- Non-discrimination for exercising your rights.
To submit a verifiable consumer request, email privacy@eveningsidelabs.com with the subject line “CCPA Request.” We will verify your identity before responding and will fulfil requests within 45 days (extendable by an additional 45 days with notice).
8.3 India (Digital Personal Data Protection Act, 2023 — DPDPA)
If you are a Data Principal under the DPDPA, you have the right to:
- Obtain confirmation of whether your personal data is being processed and a summary of such processing.
- Request correction and erasure of personal data, subject to statutory retention obligations.
- Nominate another individual to exercise your rights in the event of your death or incapacity.
- Register a grievance with us; if unresolved, escalate to the Data Protection Board of India.
8.4 Australia (Privacy Act 1988)
If you are located in Australia, you have the right to:
- Access the personal information we hold about you under Australian Privacy Principle (APP) 12.
- Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information under APP 13.
- Complain about an interference with your privacy; if you are dissatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
9. Children’s Privacy
Our Site and services are not directed to individuals under the age of 16 (or the minimum digital age of consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@eveningsidelabs.com, and we will promptly delete such data.
10. Changes to This Policy
We may revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the “Last Updated” date at the top of this page and, where required by law, notify you by email or through a prominent notice on the Site prior to the change taking effect. Your continued use of the Site after the revised Policy has been posted constitutes your acknowledgement of the changes.
11. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Eveningside Labs
Ahmedabad, Gujarat 380015, India
Email: privacy@eveningsidelabs.com