business@xdepthsense.com
+91 97695 13095  |  +91 98335 86361  |  +91 96197 39550

Privacy Policy

How XDepthSense collects, uses, protects, and retains personal information across our website, communications, and cybersecurity engagements.

XDepthSense ("we", "our", or "us") is a professional cybersecurity services firm based in Mumbai, India. We are committed to protecting the privacy and security of every individual who interacts with our website and engages with our services. This Privacy Policy explains our data practices in full.

Effective: April 19, 2026
Version: 2.0

01

Introduction

XDepthSense provides professional cybersecurity services including Vulnerability Assessment & Penetration Testing (VAPT), Configuration Assessment, Static Application Security Testing (SAST) & Software Composition Analysis (SCA), Red Teaming & Adversary Simulation, Cloud Security Assessment, Digital Forensics & Incident Response (DFIR), ISO Audit & GRC Advisory, OT/ICS Security, and Maritime Cybersecurity.

This Privacy Policy governs the collection, use, storage, and disclosure of personal information in connection with our website at xdepthsense.com and all client-facing services. We take privacy seriously — as a cybersecurity firm, the protection of information is central to everything we do.


02

Scope of This Policy

This policy applies to:

  • Visitors to our website (xdepthsense.com)
  • Individuals who contact us via forms, email, or phone
  • Prospective and current clients engaging with any of our cybersecurity services
  • Security researchers submitting responsible disclosure reports
  • Partners and vendors we work with in connection with service delivery

This policy does not apply to the internal systems, data, or infrastructure of our clients, which are handled under separate engagement agreements and confidentiality obligations.


03

Information We Collect

Information you provide directly:

  • Full name and professional designation
  • Business email address and phone number
  • Company or organization name
  • Messages or inquiries submitted through our contact form
  • Scope details, technical documentation, or briefing materials shared during engagement initiation

Information collected automatically:

  • IP address and approximate geographic location
  • Browser type, version, and operating system
  • Pages visited, session duration, and referral source
  • Device type and screen resolution

Security research & responsible disclosure:

  • Researcher contact details (if voluntarily provided)
  • Vulnerability description, proof-of-concept, and affected systems
  • Communication history related to the disclosure

We do not collect sensitive personal data such as national identification numbers, financial account details, biometric data, or health information through our website or standard engagement process.

04

How We Use Information

We use the information we collect solely for legitimate professional purposes:

  • Responding to service inquiries, quotes, and scoping requests
  • Delivering VAPT, SAST/SCA, Red Team, Cloud Security, DFIR, ISO/GRC, OT/ICS, or Maritime Cybersecurity engagements
  • Communicating engagement status, findings, and deliverables to authorized client contacts
  • Processing and triaging responsible disclosure submissions
  • Improving the security, performance, and usability of our website
  • Fulfilling contractual and legal obligations
  • Preventing unauthorized access, fraud, or misuse of our services

We do not sell, lease, or trade personal data or client information to any third party for marketing, advertising, or commercial purposes.

05

Engagement Confidentiality

All client engagement data — including scoping documents, technical findings, vulnerability reports, penetration test results, forensic evidence, audit outcomes, and any client-specific information — is treated as strictly confidential.

  • Engagement data is accessible only to the consultant(s) assigned to your project and senior leadership where required
  • Findings and reports are not shared with any third party without explicit written authorization from the client
  • Client environments, systems, and data accessed during authorized testing are not retained beyond the engagement unless required for retest verification
  • We operate under Non-Disclosure Agreements (NDAs) for all client engagements; standalone NDA requests are available upon request

Engagement data is stored in access-controlled, encrypted environments and deleted or returned per the terms agreed in the engagement contract.

06

Legal Basis for Processing

Where applicable under the Digital Personal Data Protection Act (DPDPA) 2023 (India), GDPR (EU/UK), or other applicable data protection regulations, we process personal data on the following bases:

  • Consent — where you have explicitly agreed (e.g. contact form submissions)
  • Contract performance — to deliver services you have engaged us for
  • Legitimate interests — to operate and secure our website and business operations
  • Legal obligation — to comply with applicable laws and regulatory requirements

07

Information Sharing & Disclosure

We do not share personal information except in the following limited circumstances:

  • Trusted service providers — such as secure hosting providers or email platforms, bound by confidentiality and data processing agreements
  • Professional advisors — legal counsel or auditors, under strict confidentiality obligations
  • Legal or regulatory requirement — when required by law, court order, or competent authority in India or applicable jurisdiction
  • Protection of rights — to protect the security, integrity, or legal rights of XDepthSense or our clients where necessary

We will always notify you if legally permitted to do so before disclosing your information in response to a legal or regulatory request.

08

Data Security

As a cybersecurity firm, we hold ourselves to a high standard of information security. Measures we maintain include:

  • Encrypted storage and transmission of sensitive information (TLS/HTTPS)
  • Role-based access controls — minimum necessary access for all personnel
  • Secure, access-controlled environments for engagement deliverables and client data
  • Internal security policies and staff confidentiality agreements
  • Regular security reviews of our own systems and processes

No system can guarantee absolute security. In the event of a data breach affecting your personal data, we will notify affected individuals in accordance with applicable legal requirements.


09

Data Retention

We retain personal information only for as long as necessary for the purpose it was collected, or as required by applicable law:

  • Website inquiries — retained for up to 12 months from last contact, then deleted or anonymized
  • Client engagement records — retained for the duration of the engagement plus up to 3 years for legal and operational records, unless a shorter period is agreed
  • Responsible disclosure submissions — retained for documentation and remediation tracking, typically 2 years
  • Legal or compliance records — retained for the period required by applicable law

When data is no longer required, it is securely deleted or anonymized.


10

International Data Transfers

XDepthSense is based in Mumbai, India. Our website may be accessed globally, and some service providers we use may be located outside India. Where personal data is transferred internationally, we implement appropriate safeguards — including data processing agreements — to ensure compliance with applicable data protection requirements, including India's DPDPA 2023.


11

Your Privacy Rights

Depending on applicable law (DPDPA 2023, GDPR, or other), you may have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to correction — request correction of inaccurate or incomplete data
  • Right to erasure — request deletion of your personal data where no longer required
  • Right to restrict processing — request that we limit how we use your data
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time
  • Right to grievance redressal — under DPDPA 2023, lodge a complaint with the Data Protection Board of India

To exercise any of these rights, contact us using the details in Section 15. We will respond within 30 days.


12

Cookies & Website Analytics

Our website uses minimal, essential cookies required for website functionality (such as session management). We do not use advertising cookies, tracking pixels, or third-party behavioral analytics services that collect personal data. Standard web server logs (IP address, page visited, time of access) are retained temporarily for security and performance purposes.

Third-party links on our website (such as LinkedIn) are governed by those platforms' own privacy policies.


13

Children's Privacy

Our website and services are directed exclusively at businesses and cybersecurity professionals. We do not knowingly collect or process personal data from individuals under the age of 18. If we become aware that personal data from a minor has been collected, we will delete it promptly.


14

Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in law, technology, or our services. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this page periodically. Continued use of our website or services after changes are posted constitutes acceptance of the revised policy.


15

Contact Us

For questions about this Privacy Policy, to exercise your data rights, or to submit an NDA request, please contact us:

XDepthSense
603, Floor 6th, Plot 2A NESTLE CHS, Shaikh Misree Road, Kalpak Estate, Antop Hill, Mumbai — 400037, Maharashtra, India
xdepthsense.com

For responsible disclosure of security vulnerabilities, please use the contact form at xdepthsense.com/contact. All reports are treated confidentially.