Privacy policy
Last updated: 20 May 2026
Version: 1.0
This Privacy Policy explains how Hemanth S, operating professionally as Hemanth Lal ("I", "me", "my"), collects, uses, stores, and protects your personal information when you visit hemanthlal.com (the "Website"), interact with my services, or otherwise share information with me.
I take privacy seriously. This document is written to be read, not buried. If anything here is unclear, write to me directly at [email protected].
1. Who I am
I am Hemanth S, an independent Strategic Brand Consultant operating under the professional name Hemanth Lal. I am the data controller responsible for the personal information collected through this Website and my professional engagements.
Contact for all privacy matters:
Email: [email protected]
Address: #402, 108 AR Mane, Duo City Layout, Basapura Main Road, Bangalore, Karnataka, PIN 560068, India
Grievance Officer: Hemanth S (myself)
For India-specific data protection grievances under the Digital Personal Data Protection Act, 2023 (DPDP Act), you may contact the Grievance Officer at the address above. Grievances are acknowledged within 72 hours and resolved within 30 days.
2. What information I collect
I collect only the information necessary to provide my services, communicate with you, and operate this Website. The categories are:
Information you provide directly
Name, email address, company, role, and message content submitted through contact forms
Email address and any optional fields submitted through newsletter signup forms
Information you share during consultation calls, project briefs, or written correspondence
Billing and invoicing details when an engagement begins (legal name, address, GSTIN if applicable, payment reference)
Information collected automatically
Device, browser, and operating system data
IP address and approximate location (city or region, not precise location)
Pages visited, time on site, scroll depth, click patterns, and referral source
Cookie identifiers (subject to your consent — see Section 7)
Information from third parties
Lead enrichment data from tools such as Apollo, which may add publicly available professional information (job title, company size, LinkedIn URL) to records I already hold
Payment confirmation data from Stripe, PayPal, Razorpay, or cryptocurrency processors when you book a paid engagement through Cal.com
I do not knowingly collect sensitive personal data (health, biometric, financial account numbers, government identifiers) through the Website. If such data is shared during a paid engagement, it is handled under the separate engagement agreement.
3. Why I collect this information
I process your data on the following legal bases:
Purpose | Legal Basis
Responding to inquiries you submit | Contract / Legitimate interest
Delivering services you have engaged me for | Contract
Sending the newsletter you subscribed to | Consent
Invoicing, accounting, and tax records | Legal obligation
Outreach to potential clients (cold and warm) | Legitimate interest, subject to opt-out
Website analytics and improvement | Consent (where required) / Legitimate interest
Behavioral analysis to improve user experience and sales process | Consent (where required) / Legitimate interest
Detecting fraud, abuse, or security incidents | Legitimate interest
You can withdraw consent or object to legitimate-interest processing at any time. See Section 9 for how.
4. AI and automated processing
I use AI tools to analyze aggregated and individual website behavior, content engagement, and communication patterns. The purpose is to improve the Website, sharpen content, and refine my sales and service processes.
What this means in practice:
I may analyze how visitors interact with content to decide what to write next
I may segment subscribers based on engagement to send more relevant emails
I may use AI to draft personalized outreach based on publicly available professional information
What I do not do:
I do not make automated decisions that have legal or significant effects on you without human review
I do not use AI to discriminate, score creditworthiness, or determine pricing
I do not sell your data to AI training providers
If you are based in the EU/UK and object to this processing, you may opt out by emailing [email protected].
5. Who I share your information with
I share your data only with parties who help me operate the practice. Each is bound by confidentiality and data protection obligations.
Service providers (sub-processors):
HubSpot — CRM, marketing automation, email tracking
Apollo — Outreach and lead enrichment
Mailchimp (or equivalent newsletter platform) — Email broadcasts
Google Analytics, Microsoft Clarity — Website analytics and behavior insight
Cal.com — Booking and scheduling
Stripe, PayPal, Razorpay, and cryptocurrency processors — Payments (via Cal.com)
Zoho Books — Invoicing and accounting
Cloud hosting and email infrastructure providers — Operational backbone
Team members and specialist collaborators:
Some engagements are delivered with a hand-picked team of specialists or partner agencies. When your project requires this:
I will notify you in advance before sharing your information with any specialist or partner
Specialists are bound by written confidentiality and data protection terms
You may object to a specific specialist; I will arrange an alternative or refund any unused engagement value
Legal disclosures:
I may disclose information when legally required — court orders, lawful government requests, tax authorities, or to protect against fraud and harm. I will challenge overbroad requests where reasonable.
I do not sell your personal data. I do not rent your email list to third parties. I do not share your data for purposes unrelated to those listed above.
6. International data transfers
I operate from India. Some service providers listed above are based in the United States, European Union, United Kingdom, or other jurisdictions. Your data may therefore be transferred outside your country of residence.
For transfers from the EU, UK, or other regulated jurisdictions, I rely on:
Standard Contractual Clauses (SCCs) approved by the European Commission
UK International Data Transfer Addendum where applicable
Adequacy decisions where available
Provider-specific data processing agreements with equivalent protections
If you are in the EU, UK, or Australia and want to understand the safeguards for a specific transfer, write to [email protected].
7. Cookies and tracking technologies
The Website uses cookies and similar technologies for three purposes:
Strictly necessary cookies — Required for the Website to function (session management, security). These do not require consent.
Analytics cookies — Google Analytics and Microsoft Clarity, used to understand how the Website is used. Set only after you grant consent through the cookie banner.
Marketing cookies — HubSpot tracking pixels, used to understand interest in services and personalize communication. Set only after you grant consent.
You will see a cookie consent banner on your first visit. You can accept all, reject non-essential cookies, or manage your preferences. You can change your preferences at any time through the cookie settings link in the Website footer.
If you reject non-essential cookies, the Website will still function — you will simply not be tracked beyond what is strictly necessary.
8. How long I keep your data
Data Type | Retention Period
Contact form submissions (no engagement) | 2 years from submission
Newsletter subscriber data | Until you unsubscribe + 2 years
CRM records of leads and prospects | 3 years from last meaningful interaction
Client engagement records | Duration of engagement + 3 years
Invoices, tax records, financial documents | 8 years (Indian tax law requirement)
Website analytics data | 14 months (Google Analytics default), then aggregated
Cookie consent records | 12 months
After the retention period, data is deleted or fully anonymized. You may request earlier deletion at any time (see Section 9), subject to legal obligations I must continue to honor.
9. Your rights
Regardless of where you are based, you have the following rights:
Access — Request a copy of the personal data I hold about you
Correction — Ask me to correct inaccurate data
Deletion — Ask me to delete your data ("right to be forgotten")
Restriction — Ask me to pause processing while a concern is resolved
Objection — Object to processing based on legitimate interest or for direct marketing
Portability — Receive your data in a portable format
Withdraw consent — Withdraw consent for any processing based on consent
Complaint — Lodge a complaint with your local data protection authority
How to exercise rights:
Email [email protected] with your request and enough information for me to verify your identity. I respond within 30 days. There is no charge unless the request is manifestly unfounded or excessive.
10. How I protect your information
I use commercially reasonable security measures:
Encrypted connections (HTTPS) on the Website
Access controls on CRM, email, and storage systems
Two-factor authentication on all critical accounts
Vetting of service providers for their security practices
Regular review of who has access to what
No system is perfectly secure. If a data breach occurs that is likely to result in risk to your rights, I will notify you and the relevant authority within 72 hours, as required by GDPR and the DPDP Act.
11. Children's data
This Website and my services are not directed at individuals under 18. I do not knowingly collect data from minors. If you believe a minor has submitted information through the Website, contact [email protected] and the data will be deleted.
12. Third-party links
The Website may link to third-party websites, articles, or tools. I am not responsible for the privacy practices of those sites. Read their privacy policies before sharing information with them.
13. Changes to this policy
I may update this Privacy Policy as the practice grows, tools change, or laws evolve. When I make material changes:
The "Last updated" date at the top will change
Active subscribers will be notified by email at least 14 days before changes take effect
The previous version will remain available on request
Continued use of the Website after the effective date constitutes acceptance of the revised policy.
14. Governing law and disputes
This Privacy Policy is governed by the laws of India. Any dispute arising from this policy or my data practices is subject to the exclusive jurisdiction of the competent courts in Bangalore, Karnataka.
This jurisdiction clause does not limit your statutory right to file a complaint with the data protection authority in your country of residence, including the European Data Protection Board, the UK Information Commissioner's Office, the Office of the Australian Information Commissioner, or relevant U.S. state authorities.
15. Contact
For any question, request, or grievance related to this policy:
Hemanth S (operating as Hemanth Lal)
Email: [email protected]
Address: #402, 108 AR Mane, Duo City Layout, Basapura Main Road, Bangalore, Karnataka, PIN 560068, India
I read every message personally. Expect a response within 5 working days for general inquiries and within 72 hours for grievances.