Privacy Policy

This Privacy Policy is published by Appther Technologies Private Limited ("Appther," "we," "us," or "our"), a software and technology company registered in India with its principal office at H-160, H Block, Sector 63, Noida, Uttar Pradesh 201301, India. We also operate representative offices in China Grove, North Carolina (USA) and Southport, Queensland (Australia).

Appther designs, develops, and delivers custom software solutions including mobile applications, web platforms, enterprise systems, and AI/ML products for clients across the globe. In the course of operating our website (www.appther.com), responding to business enquiries, and delivering client projects, we process personal data about website visitors, prospective clients, and project clients.

For the purposes of the General Data Protection Regulation (GDPR) and the UK GDPR, Appther Technologies Private Limited is the data controller of personal data collected through this website. For data processed in the context of delivering client projects, Appther may act as either a data controller or a data processor depending on the nature of the processing arrangement agreed with the client.

If you have any questions about this Privacy Policy or about how we handle your personal data, please contact our privacy team at privacy@appther.com.

We collect personal data in the following ways and categories:

A. Data you provide directly

• Contact form submissions: When you complete the enquiry or contact form on our website, we collect your full name, email address, phone number (optional), and the message you submit. This data is provided voluntarily and is the primary mechanism by which prospective clients initiate a conversation with us.
• Email correspondence: If you email us directly at any of our published addresses (e.g., sales@appther.com, privacy@appther.com, legal@appther.com), we process your name, email address, and any personal information contained in your message.
• Project and client data: Once you become a client and a Statement of Work is executed, we collect and process the data necessary to deliver the agreed services. This may include your business contact details, billing information, project-related materials, and any personal data contained in assets you provide for development purposes.

B. Data collected automatically

• Website usage data: When you visit www.appther.com, our web server and analytics systems automatically collect your IP address (anonymised after collection), browser type and version, operating system, referring URL, pages viewed, time on site, and click paths. This data is collected via Google Analytics 4 (GA4).
• Cookies and tracking technologies: We use first-party and third-party cookies to understand website usage patterns. Full details are provided in Section 5 (Cookies & Tracking) of this Policy and in our separate Cookie Policy.
• Server logs: Our hosting infrastructure automatically records access logs containing IP addresses, request timestamps, HTTP status codes, and file sizes. These logs are retained for a maximum of 30 days for security and diagnostic purposes and are not used for marketing profiling.

C. Data we do NOT collect

• We do not collect payment card details directly — all payments are processed by our banking partners via bank transfer or payment gateway, and card data never passes through our servers.
• We do not intentionally collect sensitive personal data (special categories under GDPR) such as racial or ethnic origin, health data, religious beliefs, or biometric data through our website.
• We do not purchase or source personal data from data brokers or third-party list providers.

We use the personal data we collect for the following specific purposes:

• Responding to enquiries: When you submit a contact form or email us, we use your name and contact details to respond to your query, send a project proposal, schedule a discovery call, or otherwise communicate with you regarding our services. Emails are sent via Amazon Web Services Simple Email Service (AWS SES), a cloud-based transactional email platform.
• Delivering contracted services: For active clients, we use contact and project data to manage the engagement, communicate project updates, deliver milestone outputs, raise invoices, and provide post-delivery support.
• Website analytics and improvement: We use aggregated and anonymised analytics data collected via Google Analytics 4 to understand how visitors navigate our website, which pages attract the most traffic, and where we can improve the content and user experience. We use this data in aggregate — we do not make individual-level decisions based on website analytics.
• Legal compliance and record-keeping: We retain client contract data, invoices, and correspondence as required by applicable tax, accounting, and commercial law in India (and, where relevant, in the USA and Australia).
• Security and fraud prevention: Server log data and security monitoring tools are used to detect and prevent malicious activity, spam form submissions, and unauthorised access to our systems.
• Marketing communications: Where you have expressly opted in, we may send you newsletters, case studies, or service updates by email. You can unsubscribe at any time via the unsubscribe link in any such communication or by emailing privacy@appther.com.

If you are based in the European Union, the United Kingdom, or the European Economic Area, we process your personal data only where we have a valid legal basis under Article 6 of the GDPR. The applicable legal bases for each processing activity are as follows:

• Contractual necessity (Art. 6(1)(b)): When you engage our services by signing a Statement of Work or project agreement, we process your contact and project data because it is necessary to perform our contractual obligations to you — including project management, communication, invoicing, and delivery.
• Legitimate interests (Art. 6(1)(f)): We process website usage analytics data (via Google Analytics) on the basis of our legitimate interest in improving our website and understanding our audience. We have conducted a legitimate interests assessment (LIA) and concluded that this processing does not override your rights and freedoms, given that the data is anonymised at the IP level, is not used for automated individual decision-making, and can be opted out of via our cookie preference controls.
• Legal obligation (Art. 6(1)(c)): We retain client invoices, contracts, and accounting records where required by the Indian Companies Act, 2013, the Goods and Services Tax Act, or other applicable tax and corporate law.
• Consent (Art. 6(1)(a)): Where we send you marketing communications (newsletters, case study updates), we rely on your express prior consent. You can withdraw your consent at any time without detriment. We also rely on consent for non-essential cookies (analytics and marketing) — this consent is managed via our cookie banner.

Where we rely on legitimate interests, you have the right to object to that processing. Please see Section 9 (Your Rights) for details on how to exercise this right.

We use cookies and similar tracking technologies on www.appther.com. The main categories of cookies we set are:

• Strictly necessary cookies: These are essential for the website to function correctly and cannot be disabled. They include session management cookies (PHPSESSID) and security cookies set by our infrastructure provider (Cloudflare's __cf_bm cookie).
• Analytics cookies: We use Google Analytics 4 (GA4) with IP anonymisation enabled. GA4 sets cookies including _ga (2-year duration), _gid (24 hours), and _gat (1 minute) to track page views, session duration, bounce rate, and traffic sources. This data is processed in aggregate and is not used to identify individual users.
• Functional cookies: These remember your preferences and settings to enhance your experience on repeat visits.
• Marketing cookies: Where you have consented, third-party advertising platforms (including Google Ads, Meta/Facebook, and LinkedIn) may set cookies to enable remarketing and measure ad campaign effectiveness.

For a complete and granular breakdown of every cookie we use — including cookie names, providers, durations, and opt-out instructions — please read our dedicated Cookie Policy.

You can manage or withdraw your cookie consent at any time by adjusting your browser settings or using the cookie preference controls described in our Cookie Policy. Withdrawing consent for analytics or marketing cookies does not affect the lawfulness of any processing that occurred prior to withdrawal.

We share personal data only where strictly necessary for the purposes described in this Policy, and only with trusted service providers bound by appropriate data protection obligations. We do not sell personal data to any third party.

• Amazon Web Services (AWS SES): We use AWS Simple Email Service to deliver transactional emails, including responses to contact form submissions, project notifications, and invoices. AWS processes the recipient email address, sender information, and email content on our behalf as a data processor. AWS's data processing is governed by the AWS Data Processing Addendum (DPA), which incorporates Standard Contractual Clauses for international transfers. More information: aws.amazon.com/privacy.
• Google LLC (Analytics): Google Analytics 4 processes anonymised website usage data on our behalf. We have configured GA4 with IP anonymisation enabled and have executed a Data Processing Agreement with Google. Google may process this data on servers located in the United States, subject to Standard Contractual Clauses. More information: policies.google.com/privacy.
• Hosting and infrastructure providers: Our website is hosted on servers managed by our hosting provider. This provider processes server log data (including IP addresses) on our behalf as a data processor and is bound by appropriate contractual data protection obligations.
• Professional advisors: We may share limited personal data (e.g., client contact details) with our legal advisors, accountants, or auditors where required for legal, tax, or compliance purposes. These advisors are bound by professional confidentiality obligations.
• Law enforcement and regulatory authorities: We may disclose personal data to competent public authorities (courts, police, regulators) where required by applicable law or a valid court order. We will notify you of such disclosure where legally permitted to do so.
• Business transfers: In the event of a merger, acquisition, restructuring, or sale of all or part of Appther's business, personal data held by us may be transferred to the acquiring entity as part of that transaction. We will provide advance notice of any such transfer where required by law and will ensure the transferee is bound by obligations equivalent to those in this Policy.

Appther is a global company with operations and clients spanning India, the United States, Australia, and Europe. In the normal course of delivering our services and operating our website, personal data may be transferred to and processed in countries outside of the European Economic Area (EEA) or the United Kingdom, including India and the United States.

We take the following measures to ensure that international transfers of personal data are carried out lawfully and with appropriate safeguards:

• Standard Contractual Clauses (SCCs): Where we transfer personal data from the EEA or UK to third-party processors in countries not recognised as providing an adequate level of data protection (including the USA), we rely on the European Commission's Standard Contractual Clauses (SCCs) as the lawful transfer mechanism. All relevant data processing agreements with our service providers (including Google and AWS) incorporate SCCs.
• Adequacy decisions: Where the European Commission has issued an adequacy decision in respect of the destination country, we may rely on that decision as a basis for transfer.
• India: Our principal data processing operations take place in India. The Indian Digital Personal Data Protection Act, 2023 (DPDPA) applies to personal data of Indian residents processed in India. Appther complies with the DPDPA and the Information Technology Act, 2000, as applicable.
• Australia: Our Southport QLD office may process personal data of Australian residents. We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs) in respect of such data.

If you would like further information about the specific safeguards applicable to any particular transfer of your personal data, please contact us at privacy@appther.com.

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our standard retention periods are as follows:

• Contact form enquiries (no engagement): If you submit a contact form but do not proceed to a client engagement, we retain your name, email, and message for up to 12 months from the date of submission, after which it is securely deleted. This period allows us to follow up on enquiries and supports business continuity for ongoing conversations.
• Client project data: Personal data associated with an active or completed client engagement (including contracts, correspondence, and project materials) is retained for 7 years from the date of the final invoice. This period reflects statutory requirements under the Indian Companies Act and tax regulations, and mirrors the limitation period for contractual claims in most applicable jurisdictions.
• Accounting and invoicing records: Financial records, including invoices containing client contact details, are retained for 8 years in accordance with applicable tax and accounting law in India (Income Tax Act, 1961; GST Act, 2017).
• Website analytics data (GA4): Google Analytics retains anonymised usage data for a maximum of 14 months under our configured retention settings. We do not retain raw IP addresses beyond the anonymisation step performed at collection.
• Marketing email consents and suppression lists: Records of marketing consent (opt-in) are retained for as long as we continue to send marketing communications, plus an additional 3 years. Unsubscribe/opt-out records (suppression lists) are retained indefinitely to ensure we do not inadvertently re-contact individuals who have opted out.
• Server access logs: Web server access logs are retained for a maximum of 30 days for security diagnostics and then automatically overwritten.

When the applicable retention period expires, personal data is securely deleted or anonymised using industry-standard methods. Where a legal hold or ongoing dispute requires us to retain data beyond the standard period, we will retain only what is necessary for the duration of that hold or dispute.

Depending on your location and the legal framework that applies to you, you may have some or all of the following rights in relation to your personal data. We are committed to honouring these rights promptly and without undue complication.

CCPA Rights (California residents): If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including: the right to know what categories of personal information we collect and with whom we share it; the right to delete personal information we hold about you; the right to opt out of the sale or sharing of personal information (note: we do not sell personal information); the right to correct inaccurate personal information; and the right to limit the use of sensitive personal information. To exercise CCPA rights, email privacy@appther.com with the subject line "CCPA Request."

To exercise any of the above rights, please email privacy@appther.com with sufficient detail to identify your request. We will respond within 30 calendar days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

We implement appropriate technical and organisational measures to protect the personal data we process against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

• Transport encryption: All data transmitted between your browser and our website is encrypted using TLS 1.2 or higher (HTTPS). Email delivery via AWS SES uses TLS encryption in transit.
• Access controls: Access to systems that process personal data is restricted to authorised personnel on a need-to-know basis. We use role-based access control (RBAC) and multi-factor authentication (MFA) for administrative access to our infrastructure and cloud platforms.
• Secure credential management: API keys, database credentials, and other sensitive configuration data are stored in encrypted secret management systems and are never committed to source code repositories in plaintext.
• Regular security reviews: We conduct periodic internal security assessments of our web infrastructure and update our security practices in response to emerging threats and vulnerabilities.
• Staff training and policies: All Appther employees and contractors who handle personal data receive data protection training and are required to adhere to our internal data handling policies and confidentiality obligations.
• Vendor security: We evaluate the security posture of third-party service providers before engaging them and require them to maintain appropriate technical and organisational security measures.

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. If you have reason to believe that your data has been compromised or if you discover a security vulnerability on our website, please notify us immediately at privacy@appther.com.

Our website and services are directed exclusively at businesses and professionals and are not intended for use by individuals under the age of 18. We do not knowingly collect, solicit, or process personal data from anyone under 18 years of age.

If you are under 18, please do not submit any personal information through our website or contact forms. If we become aware that we have inadvertently collected personal data from a person under the age of 18, we will take prompt steps to delete that information from our systems.

If you are a parent or guardian and believe that your child under the age of 18 has provided personal data to us without your consent, please contact us immediately at privacy@appther.com and we will investigate and take appropriate action.

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or the services we offer. All updates will be published on this page with a revised "Last updated" date at the top of the Policy.

• Material changes: If we make changes that materially affect how we process your personal data — for example, introducing a new purpose for processing, adding new categories of data, or changing our data-sharing arrangements — we will notify you proactively. Where we have your email address, we will send a notification to your registered email. We will also display a prominent notice on our website for a period of at least 30 days following the change.
• Minor changes: Minor clarifications, grammatical corrections, or formatting updates will be published on this page without individual notification.
• Consent-based processing: Where a change to this Policy affects processing that relies on your consent, we will re-seek your consent before applying the updated processing practices to your data.
• Continued use: Your continued use of our website or services after the effective date of an updated Policy constitutes your acknowledgment of the changes. If you do not agree with any changes, you should discontinue use of our website and contact us to exercise your rights.

We recommend bookmarking this page and reviewing it periodically. The version date at the top of this Policy indicates when it was last substantively revised. A summary of significant changes is available on request by emailing privacy@appther.com.

If you have any questions, concerns, or requests relating to this Privacy Policy, the processing of your personal data, or the exercise of your data protection rights, please contact us using the details below. We aim to respond to all privacy-related enquiries within 5 business days and to resolve data subject requests within the timeframes required by applicable law (no more than 30 calendar days in most cases).

• Privacy & Data Protection Contact:
  privacy@appther.com
  Please include "Privacy Request" or "Data Subject Request" in the subject line of your email.
• Registered Office (India):
  Appther Technologies Private Limited
  H-160, H Block, Sector 63,
  Noida, Uttar Pradesh 201301, India
• USA Office:
  PO Box 455,
  China Grove, NC 28023, USA
• Australia Office:
  Southport, QLD, Australia
• General Enquiries: sales@appther.com

Supervisory Authority Complaints: You have the right to lodge a complaint with a data protection supervisory authority at any time. We would, however, appreciate the opportunity to address your concern directly before you approach a supervisory authority. Relevant authorities include:

• European Union: Your national data protection authority (e.g., CNIL in France, BfDI in Germany, DPC in Ireland).
• United Kingdom: The Information Commissioner's Office (ICO) — ico.org.uk.
• India: The Data Protection Board of India (under the Digital Personal Data Protection Act, 2023) — meity.gov.in.
• Australia: The Office of the Australian Information Commissioner (OAIC) — oaic.gov.au.
• California (USA): The California Privacy Protection Agency (CPPA) — cppa.ca.gov.