Hepha Works by HephaTech

Privacy Policy.

Effective: 26 April 2026  ·  Last updated: 4 June 2026  ·  Applies to: works.hephatech.in

Contents

  1. Who we are & this policy
  2. Scope & legal basis
  3. What we collect
  4. Why we collect it
  5. Sharing & disclosure
  6. Payments & financial data
  7. Cookies & tracking
  8. Cross-border transfers
  9. How long we keep data
  10. How we secure data
  11. Your rights as a Data Principal
  12. Children
  13. Data breach handling
  14. Grievance redressal
  15. Changes to this policy
  16. Contact & Grievance Officer

1. Who we are & this policy

This Privacy Policy explains how HephaTech ("we", "us", "our"), through its freelance services brand Hepha Works, collects, uses, stores, and protects the personal data of visitors and clients (collectively, "you" or the "Data Principal") of the website at works.hephatech.in (the "Website").

HephaTech acts as the Data Fiduciary for the personal data it collects on or through the Website. By using the Website or engaging us for services, you agree to the practices described in this policy.


2. Scope & legal basis

This policy is issued in compliance with:

  • The Digital Personal Data Protection Act, 2023 ("DPDP Act") and any rules notified under it.
  • The Information Technology Act, 2000 ("IT Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").
  • The Consumer Protection Act, 2019 and the Consumer Protection (E-Commerce) Rules, 2020 to the extent applicable.
  • Applicable provisions of the Indian Contract Act, 1872 in relation to engagement and consent.

We process personal data only on lawful grounds — primarily your consent (Section 6, DPDP Act) and certain legitimate uses (Section 7, DPDP Act) such as performance of an engagement you have requested, or compliance with law.


3. What we collect

3.1 Information you give us directly

  • Contact form data: the brief-form on this Website collects your name, email, company (optional), budget range (optional), engagement type, project description, timeline (optional), references (optional), and any additional notes you choose to share.
  • WhatsApp messages: if you contact us via the WhatsApp link on the Website (+91 99400 45810), the contents of your message and your WhatsApp profile (display name, optional photo) are received in our WhatsApp Business inbox. Those messages are processed by Meta (WhatsApp's parent) under their own privacy policy.
  • Engagement data: if you proceed to an engagement, we collect billing name and address, GSTIN (if applicable), project briefs, files you share, and any additional information you provide for the purpose of delivering the service.
  • Communications: emails, calls, and messages you exchange with us during an engagement.

3.2 Information collected automatically

  • Server logs: when you visit the Website, our hosting provider (Vercel) automatically logs your IP address, user agent (browser/OS), referring URL, and timestamps. This is used for delivery, security, and abuse prevention.
  • Local storage: a single key (works-theme) stores your light/dark theme preference on your device. It is never transmitted to us. See section 7.
  • Spam-protection telemetry: our contact form uses a hidden honeypot field and a minimum-time check; both run entirely in your browser and produce no server-side telemetry beyond the form submission itself.

3.3 Information from third parties

  • Form delivery (Formspree): receives the contents of your contact-form submission and forwards it to hello@hephatech.in.
  • WhatsApp Business (Meta Platforms): when you initiate a WhatsApp conversation with us, Meta hosts the message thread on its servers under its own privacy terms.

3.4 Payments

We do not run an online payment-link checkout. Every engagement is scoped after a brief conversation, then billed by GST-compliant invoice payable via direct bank transfer (NEFT / IMPS / RTGS), UPI, or — for international clients — wire transfer or international card. We never see, store, or process your card number, CVV, UPI PIN, or net-banking credentials. Your bank or UPI app handles those credentials directly with your financial institution.


4. Why we collect it

We use your data for the following specific, declared purposes:

  • Respond to enquiries: reply to the message you sent through the Website or email.
  • Deliver services: scope, propose, deliver, and invoice the engagement you have hired us for.
  • Process payments & issue invoices: verify payment, issue GST-compliant invoices, and maintain books of account as required under Indian tax law.
  • Comply with law: respond to lawful requests from authorities and meet our obligations under the DPDP Act, IT Act, Income Tax Act, GST law, and other applicable Indian regulations.
  • Security & abuse prevention: detect spam, fraud, and unauthorised access; preserve audit trails of significant events.
  • Improve our services: understand which engagements are most useful, in aggregate, with no individual profiling.

We do not use your personal data to:

  • Build a behavioural profile about you for advertising.
  • Sell, rent, or disclose your data to third parties for their marketing.
  • Send unsolicited marketing communications.

5. Sharing & disclosure

We share personal data only with the following categories of recipients, and only to the extent necessary:

| Recipient | Purpose | Data shared |
|---|---|---|
| Vercel (hosting) | Serving the Website | IP address, request metadata, server logs |
| Formspree (form delivery) | Routing contact-form submissions to email | All contact-form fields |
| WhatsApp Business / Meta | Inbound messages you send via the WhatsApp link | Your WhatsApp number, profile, and message content |
| Email provider (Google Workspace / Zoho) | Receiving and replying to enquiries | Email address, message content |
| Banking partner | Receiving payments via bank transfer / UPI | Payer name, transaction reference (the bank handles all sensitive credentials) |
| Accounting / tax professionals | Bookkeeping, GST & income-tax filings | Invoice data, billing details |
| Government authorities | Compliance with lawful requests | Only what is required by law |

Each of these recipients is itself bound by its own privacy obligations, and where required, we have a written agreement that limits how they may use the data we share.


6. Payments & financial data

Hepha Works does not run an online checkout. After we agree on scope, we issue a GST-compliant invoice; you pay by:

  • India: direct bank transfer (NEFT / IMPS / RTGS), UPI, or PO-based invoicing for organisations.
  • International: wire transfer or international card-on-invoice.

We do not store, see, or process your card number, CVV, UPI PIN, or net-banking credentials. What we record is limited to: the payer's name, the transaction reference returned by the bank, and the amount and date of receipt. Your bank handles all credentials directly with you.

Invoice records are retained for at least eight (8) years as required under Section 36 of the CGST Act, 2017, and the Income Tax Act, 1961.


7. Cookies & tracking

The Website itself does not set advertising or analytics cookies. The only client-side storage we use is:

  • Strictly necessary local storage — for example, to remember a launch-countdown date on the main HephaTech site so the timer is consistent across page reloads.

If we ever enable analytics in the future (e.g. Plausible, Umami, or PostHog in cookie-less mode), we will update this policy and request your consent where the law requires it.


8. Cross-border transfers

Some of the service providers we rely on — such as Vercel (hosting), Formspree (form delivery), WhatsApp / Meta (messaging), and our email provider — may host or process data on servers outside India. Where personal data is transferred outside India, we ensure that:

  • The transfer is permitted under Section 16 of the DPDP Act and any rules / notifications of the Central Government.
  • The recipient is bound by privacy obligations at least equivalent to those described in this policy.

9. How long we keep data

  • Enquiry-form data not followed by an engagement: deleted within 180 days of the last interaction.
  • Engagement records (proposals, contracts, briefs, deliverables): retained for the duration of the engagement plus three (3) years for warranty, dispute, and contract-law purposes.
  • Invoices, payment records, and tax data: retained for at least eight (8) years as required by Indian tax law.
  • Server logs: retained for up to 30 days, then deleted or aggregated.

When the retention period ends, we either delete the data securely or anonymise it so that you can no longer be identified.


10. How we secure data

We implement reasonable security practices and procedures as required by Section 43A of the IT Act and Rule 8 of the SPDI Rules. These include:

  • TLS 1.2+ encryption for all data in transit between your browser and our services.
  • Strong access controls and password hygiene for accounts that can access client data.
  • Use of reputable third-party services (Vercel, Formspree) reviewed for security posture.
  • Periodic review of access logs and the principle of least privilege.
  • Confidentiality obligations for any contractor or sub-processor who handles client data.

No system is perfectly secure. If you become aware of a vulnerability, please report it to hello@hephatech.in and we will respond promptly.


11. Your rights as a Data Principal

Under the DPDP Act, you have the following rights with respect to your personal data:

  • Right to information & access (Section 11): obtain a summary of the personal data we process about you and the purposes for which it is processed.
  • Right to correction & erasure (Section 12): request that we correct inaccurate data, complete incomplete data, update outdated data, or erase data that is no longer necessary for the purpose for which it was collected.
  • Right to grievance redressal (Section 13): raise a complaint with our Grievance Officer (see section 14).
  • Right to nominate (Section 14): nominate another individual who may exercise your rights in the event of your death or incapacity.
  • Right to withdraw consent: withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, and we may continue to retain data where required by law.

To exercise any of these rights, write to us at hello@hephatech.in with the subject "DPDP request" and a description of your request. We will respond within the timelines required by the DPDP Act and its rules. Identity verification may be required to protect your data.


12. Children

The Website and Hepha Works services are not directed to children under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected such data, we will delete it.

Where Indian law permits a parent or guardian to provide consent on behalf of a minor, we will rely on such consent only after taking reasonable steps to verify it.


13. Data breach handling

In the unlikely event of a personal data breach that is likely to result in harm, we will:

  • Notify the Data Protection Board of India in the manner and within the timelines required by the DPDP Act and its rules.
  • Notify each affected Data Principal directly with information about the breach, the data involved, the likely consequences, the measures we have taken, and what they can do to protect themselves.
  • Investigate the cause, contain the impact, and put corrective measures in place.

14. Grievance redressal

If you have a complaint about how we handle your personal data, you may write to our Grievance Officer at the contact below. We will acknowledge your complaint within seven (7) days and aim to resolve it within thirty (30) days, in line with Rule 5(9) of the SPDI Rules and the timelines of the DPDP Act.

Grievance Officer: Privacy Lead, HephaTech

Email: hello@hephatech.in (subject: "Privacy grievance")

Address: India (postal address provided on request)

If you remain dissatisfied with our response, you may approach the Data Protection Board of India in accordance with Section 27 of the DPDP Act.


15. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. Material changes will be highlighted on the Website for a reasonable period and, where required, your fresh consent will be requested.


16. Contact

For any privacy-related question, request, or grievance:

  • Email: hello@hephatech.in
  • Postal address: available on request via email
  • Website: hephatech.in

© 2026 Hepha Works · A HephaTech studio