Privacy Policy
Effective date: 5 March 2026
Data Controller / Data Fiduciary
Brainstack Technologies, a unit of Aqueduct Advisors Private Limited ("Brainstack," "we," "us"), provides software engineering, AI integration, and consulting services for clients across multiple regions.
Under applicable data protection laws, Aqueduct Advisors Private Limited acts as the data controller (GDPR/UK GDPR), business (CCPA/CPRA), and Data Fiduciary (India DPDP Act 2023).
Registered Address: D-153, Upper Ground Floor, New Delhi – 110065, India
Privacy Contact: [email protected]
General Inquiries: [email protected]
This policy explains the personal data we collect through our website (brainstacktechnologies.com) and related business activities. It covers how we use it, the legal bases for processing, how long we keep it, and the rights available to you under the laws of your jurisdiction.
1. Data We Collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Identifiers | Name, email address, phone number, company name | Directly from you via contact forms |
| Commercial information | Selected service, project scope, timeline, budget range | Directly from you via inquiry forms |
| Internet/electronic activity | IP address, browser type, device metadata, timestamps, referrer URL, UTM parameters | Collected automatically when you visit our website |
| Geolocation data | Approximate location derived from IP address | Collected automatically |
| Security/anti-abuse data | Google reCAPTCHA signals — including mouse movements, keystroke timing patterns, browser fingerprinting data, device metadata, and the _grecaptcha persistent cookie (see Section 4 for details) | Collected automatically via Google reCAPTCHA |
| Communication records | Email correspondence and meeting notes related to your inquiry or engagement | Directly from you and generated during our interactions |
We collect data from the following sources: directly from you (forms, emails, meetings), automatically from your device when you visit our website, and from Google reCAPTCHA for security purposes.
We do not collect sensitive personal information as defined under CPRA. We do not knowingly collect personal data from children under 16 years of age (or under 18 in jurisdictions where a higher threshold applies — see Section 11, India). Our services are directed at businesses and business professionals, not minors.
2. How We Use Personal Data
| Purpose | Legal Basis (GDPR) | DPDP Act Basis | Data Categories Used |
|---|---|---|---|
| Respond to inquiries, proposals, and support requests | Performance of a contract / pre-contractual steps | Consent | Identifiers, commercial information, communication records |
| Provide, operate, and improve our services | Legitimate interests (service quality) | Consent | All categories |
| Secure the website, detect abuse, and prevent fraud (reCAPTCHA) | Consent (EU/UK — see Section 4) / Legitimate interests (other regions) | Legitimate use (security) | Internet/electronic activity, security/anti-abuse data, geolocation |
| Comply with legal, regulatory, and contractual obligations | Legal obligation | Compliance with law | As required by applicable law |
| Send business communications (where you request or consent) | Consent | Consent | Identifiers |
| Website analytics and performance measurement | Consent (EU/UK) / Legitimate interests (other regions) | Consent | Internet/electronic activity, geolocation |
Where we rely on legitimate interests under GDPR, we have conducted balancing tests (Legitimate Interest Assessments) to ensure our interests do not override your fundamental rights and freedoms. You may request a copy of the relevant assessment by contacting [email protected].
3. Legal Bases for Processing
Depending on your jurisdiction and the specific processing activity, we rely on the following legal bases:
Under GDPR / UK GDPR (Article 6):
- Consent — where you have given clear, informed consent (e.g., subscribing to communications, accepting non-essential cookies including reCAPTCHA for EU/UK visitors).
- Performance of a contract — where processing is necessary to respond to your inquiry or deliver services you have requested.
- Legitimate interests — where processing is necessary for our legitimate business interests (service operations, fraud prevention in non-EU/UK regions), provided these interests are not overridden by your rights. You may object to processing based on legitimate interests at any time.
- Legal obligation — where processing is required to comply with applicable laws.
Under India DPDP Act 2023:
- Consent — the primary legal basis for processing personal data of Data Principals in India. We obtain consent through clear, affirmative action (e.g., form submission, cookie acceptance).
- Legitimate uses — limited enumerated purposes under the DPDP Act (e.g., compliance with court orders or legal obligations, response to medical emergencies, employment purposes). "Legitimate interests" as understood under GDPR is not a recognised basis under the DPDP Act.
Under CCPA/CPRA: Processing is based on the business purposes disclosed in this policy. We do not sell or share personal information for cross-context behavioural advertising (see Section 11, California, for the definitive position on analytics sharing).
4. Cookies and Similar Technologies
Cookie Categories
| Category | Purpose | Examples | Consent Required? |
|---|---|---|---|
| Strictly necessary | Essential for core website functionality (session management, load balancing) | Session cookies | No — required for site operation |
| Security (reCAPTCHA) | Bot detection and fraud prevention via Google reCAPTCHA | _grecaptcha cookie, reCAPTCHA script | Yes (EU/UK: opt-in consent required). See note below. |
| Analytics | Measure website usage, page views, and user journeys to improve our site | Google Analytics cookies | Yes (EU/UK: opt-in; California: opt-out via GPC; other regions: opt-out) |
Important Note on reCAPTCHA
As of 2 April 2026, Google reCAPTCHA operates under a processor model — Brainstack is the sole data controller for reCAPTCHA Customer Data, and Google acts as a data processor under its Cloud Data Processing terms. reCAPTCHA v3 collects behavioural signals (mouse movements, keystroke timing, scroll patterns), browser fingerprinting data, device metadata, and sets the _grecaptcha persistent cookie. This data may be transferred to Google's servers, including servers in the United States.
European regulators have held that reCAPTCHA's data collection exceeds what is "strictly necessary" for website operation. We therefore classify reCAPTCHA as a consent-required technology for EU/UK visitors and obtain opt-in consent via our cookie consent management platform before loading reCAPTCHA scripts.
We have conducted a Data Protection Impact Assessment (DPIA) for our use of reCAPTCHA. The DPIA documentation is available upon request by contacting [email protected].
Alternative consideration: We are evaluating privacy-friendly alternatives to reCAPTCHA (such as Cloudflare Turnstile or Friendly Captcha) to reduce the compliance burden and improve data minimization. This section will be updated if the implementation changes.
Cookie Details
| Cookie / Technology | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| _grecaptcha | Google (as processor) | reCAPTCHA fraud prevention | Third-party | 6 months |
| _ga, _ga_* | Google Analytics | Website analytics | Third-party | Up to 2 years |
Your Cookie Choices
- EU/UK visitors: We use a consent management platform (CMP) to obtain your opt-in consent before placing any non-essential cookies, including reCAPTCHA and analytics cookies. You can change your preferences at any time via the cookie settings link in the website footer.
- California visitors: We honor Global Privacy Control (GPC) signals. You can also opt out of analytics cookies via our cookie settings or the "Do Not Sell or Share My Personal Information" link in the website footer.
- All visitors: You can control cookies through your browser settings. Blocking essential cookies may affect website functionality.
To withdraw cookie consent: Use the cookie settings link in the website footer at any time — this is as easy as giving consent, in accordance with GDPR Article 7(3).
5. Sharing and Subprocessors
We do not sell personal data. We do not share personal data for cross-context behavioural advertising as defined under CPRA. Google Analytics data transmitted to Google constitutes "sharing" under CPRA's broad definition — California residents can opt out via the "Do Not Sell or Share My Personal Information" link or by enabling GPC (see Section 11, California).
We may disclose limited personal data to the following categories of service providers (subprocessors / data processors), who process data solely on our behalf and under contractual confidentiality and security obligations:
| Category | Named Provider(s) | Purpose | Data Shared |
|---|---|---|---|
| Cloud hosting | Amazon Web Services (AWS), Railway | Website and data hosting | All categories as needed for hosting |
| Analytics platform | Google Analytics (Google LLC) | Website usage measurement | Internet/electronic activity, geolocation |
| Spam/fraud protection | Google reCAPTCHA (Google LLC, as processor) | Bot and abuse detection | Security/anti-abuse data, IP address |
| Email delivery | EmailJS | Contact form email delivery | Identifiers, communication records |
We may also disclose personal data where required by law, regulation, legal process, or enforceable governmental request. We have conducted Data Protection Impact Assessments (DPIAs) for our use of Google reCAPTCHA and Google Analytics. DPIA documentation is available upon request.
6. International Data Transfers
Brainstack is based in India. Because we serve clients internationally, personal data may be transferred to and processed in India and other countries where our subprocessors operate (which may include the United States, EU, and Singapore).
For EU/UK data subjects: India does not currently have an EU adequacy decision. Where we transfer personal data from the EU/EEA or UK to India, we rely on the European Commission's Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum, as applicable) as the legal transfer mechanism. We also apply supplementary measures including encryption in transit and at rest, least-privilege access controls, and contractual confidentiality obligations. You may request a copy of the SCCs by contacting [email protected].
For Indian data subjects (DPDP Act): The DPDP Act 2023 permits cross-border transfers of personal data to all countries except those the Central Government explicitly restricts. As of the date of this policy, no restricted country list has been notified. We transfer data to subprocessors in the countries listed above.
For Australian data subjects: Personal data may be processed in India (our primary processing location) and by subprocessors in the United States, EU, and Singapore. We take reasonable steps to ensure overseas recipients handle your information in accordance with the Australian Privacy Principles (APP 8).
7. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy, and in accordance with the following retention schedule:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Contact form inquiries (non-converted leads) | 24 months from last interaction | Lead management; deleted or anonymized after period |
| Client engagement records and contracts | 7 years after end of engagement | Legal, accounting, and dispute-resolution requirements |
| Communication records (emails, meeting notes) | Duration of engagement + 3 years | Business continuity and dispute resolution |
| Website analytics data | 13 months from collection | Analytics measurement cycle |
| Security/anti-abuse data (reCAPTCHA) | 6 months from collection | Fraud prevention review period |
| Cookie consent records | 3 years from consent | Demonstrating valid consent under GDPR |
Consent withdrawal and deletion requests: If you withdraw consent or request deletion of your personal data, we will delete or anonymize it within 30 days unless we are legally required to retain it (e.g., for tax, accounting, or dispute resolution purposes). Where a legal retention obligation applies, we will inform you of the specific reason and the applicable retention period.
Inactive lead data is reviewed quarterly and deleted or anonymized once the applicable retention period expires. When data is no longer needed, it is securely deleted or irreversibly anonymized.
8. Security Measures
We implement industry-standard safeguards to protect personal data, including:
- HTTPS/TLS encryption for all data in transit
- Encryption at rest for stored personal data
- Least-privilege access controls
- Audit logging and monitoring
- Regular security reviews and updates
- Technical and organisational measures as required under APP 11 (Australian Privacy Act, as amended December 2024) and the DPDP Act 2023
No system is 100% secure. We continuously improve our controls to reduce risk and will respond promptly to any suspected security incident.
9. Your Rights
Subject to applicable law, you have the following rights regarding your personal data:
| Right | GDPR | CCPA/CPRA | DPDP Act | Australian Privacy Act |
|---|---|---|---|---|
| Access — obtain a copy of your data | Yes | Yes | Yes | Yes |
| Correction — fix inaccurate data | Yes | Yes | Yes | Yes |
| Deletion / Erasure | Yes | Yes | Yes | Yes |
| Restriction — limit processing | Yes | — | — | — |
| Portability — receive data in machine-readable format | Yes | — | — | — |
| Objection — object to legitimate-interest processing | Yes | — | — | — |
| Withdraw consent | Yes | — | Yes | Yes |
| Opt-out of sale/sharing | — | Yes | — | — |
| Non-discrimination | — | Yes | — | — |
| Nomination — nominate another person to exercise rights on your behalf in the event of death or incapacity | — | — | Yes | — |
| Grievance redressal | — | — | Yes | Yes |
How to Exercise Your Rights
Submit your request by emailing [email protected] with the subject line "Data Subject Request" (or "Data Principal Request" for Indian residents). Please include enough information for us to verify your identity and specify which right(s) you wish to exercise.
Identity verification: We may ask you to confirm your identity before processing your request, to protect against unauthorized access to your data.
Response timeframes:
- GDPR (EU/UK): We will respond within 30 days. This may be extended by up to 60 days for complex requests, with notice to you.
- CCPA/CPRA (California): We will respond within 45 days. This may be extended by up to 45 additional days where reasonably necessary, with notice to you.
- DPDP Act (India): We will respond within the timeframe prescribed by the DPDP Rules (currently under notification).
- Australian Privacy Act: We will respond within 30 days.
How to Withdraw Consent
Withdrawing consent should be as easy as giving it:
- Cookie consent: Use the cookie settings link in the website footer at any time.
- Marketing communications: Use the unsubscribe link included in every marketing email.
- Other consent: Email [email protected].
Under the DPDP Act, Data Principals may withdraw consent at any time through the mechanisms above. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority (see Section 11 below).
10. Automated Decision-Making and AI
reCAPTCHA
We use Google reCAPTCHA (v3) on our website forms for fraud prevention and bot detection. As of April 2026, Google operates as a data processor and Brainstack is the sole controller for reCAPTCHA Customer Data. reCAPTCHA involves automated processing of behavioural signals (mouse movements, keystroke timing, scroll patterns), browser fingerprinting data, and device metadata to generate a risk score determining whether a visitor is likely human. This processing is based on consent (EU/UK) or legitimate interests (other regions) in website security. It does not produce legal effects or similarly significant effects on you beyond determining whether your form submission is accepted.
We do not otherwise engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.
AI and LLM Tools
Brainstack's business includes AI integration and consulting services. Where AI or large language model (LLM) tools are used internally in connection with personal data collected via this website or during business activities (e.g., for service delivery, internal analysis, or communication drafting), we disclose this here. Any such use is subject to the same data protection safeguards, legal bases, and retention periods described in this policy. We do not feed your personal data into AI training datasets.
Note: The EU AI Act compliance deadline for high-risk AI systems is 2 August 2026. Australia's automated decision-making disclosure requirement under the Privacy Act (2024 amendment) takes effect 11 December 2026. This section will be reviewed and updated as these frameworks come into force.
11. Regional Notices
EU / UK (GDPR / UK GDPR)
If you are located in the European Economic Area or the United Kingdom:
- Data controller: Aqueduct Advisors Private Limited (trading as Brainstack Technologies), contactable at [email protected].
- Data Protection Officer: Given the nature and scale of our current processing activities — which do not involve large-scale regular and systematic monitoring of individuals, nor large-scale processing of special categories of data — a Data Protection Officer is not required under GDPR Article 37. Our designated privacy contact for all data protection matters is [email protected].
- International transfers: We transfer data to India using Standard Contractual Clauses (see Section 6).
- Right to complain: You have the right to lodge a complaint with your local supervisory authority. A list of EU/EEA supervisory authorities is available at edpb.europa.eu. For the UK, contact the Information Commissioner's Office (ICO) at ico.org.uk.
California (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
Categories of personal information collected in the prior 12 months:
| CCPA Category | Collected? | Examples | Business Purpose | Sold? | Shared? |
|---|---|---|---|---|---|
| Identifiers | Yes | Name, email, phone, IP address | Service delivery, communication | No | No |
| Commercial information | Yes | Service interest, project scope, budget | Service proposals | No | No |
| Internet/electronic activity | Yes | Browser type, pages visited, timestamps | Website analytics, security | No | Yes (opt-out available) |
| Geolocation data | Yes | Approximate location from IP | Analytics, compliance | No | No |
| Professional/employment info | Yes | Company name, job title | Service delivery | No | No |
Sharing disclosure: Our use of Google Analytics transmits Internet/electronic activity data to Google (a third party), which constitutes "sharing" of personal information under CPRA's definition. You can opt out of this sharing using the "Do Not Sell or Share My Personal Information" link in our website footer or by enabling Global Privacy Control (GPC) in your browser. When we detect a GPC signal, we cease sharing for that browser session.
Your California rights include:
- Right to know: What personal information we collect, use, disclose, and sell/share.
- Right to delete: Request deletion of your personal information.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt-out of sale/sharing: We do not sell personal information. To opt out of sharing via analytics, use the cookie settings on our website or enable GPC.
- Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined under CPRA.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise your rights: Email [email protected] or use the "Do Not Sell or Share My Personal Information" link in our website footer.
Authorized agents: You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authority.
Financial incentives: We do not offer financial incentives related to the collection or sale of personal information.
India (Digital Personal Data Protection Act 2023)
If you are located in India, Aqueduct Advisors Private Limited is the Data Fiduciary responsible for your personal data under the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.
Legal basis: Under the DPDP Act, we process your personal data based on your consent, which you provide through clear, affirmative action (e.g., submitting a contact form, accepting cookies). For certain limited purposes, we may process data under legitimate uses enumerated in the Act (e.g., compliance with legal obligations, response to medical emergencies). "Legitimate interests" as understood under GDPR is not a recognised lawful basis under the DPDP Act.
Your rights as a Data Principal:
- Right of access — obtain a summary of your personal data and processing activities.
- Right to correction — request correction of inaccurate or misleading data.
- Right to erasure — request deletion of personal data that is no longer necessary.
- Right to nomination — nominate another individual to exercise your rights in the event of your death or incapacity.
- Right to grievance redressal — raise complaints about our data handling.
- Right to withdraw consent — withdraw your consent at any time using the mechanisms described in Section 9. Withdrawal does not affect the lawfulness of processing before withdrawal.
Grievance redressal: Our designated grievance officer for DPDP Act purposes is contactable at [email protected]. We will acknowledge your grievance and respond within the timeframe prescribed by the DPDP Rules.
Children's data: Under the DPDP Act, a child is defined as any individual under 18 years of age. We do not knowingly process personal data of individuals under 18 without verifiable parental consent. If we become aware that we have collected data from a child without appropriate consent, we will delete it promptly.
Data breach notification: In the event of a personal data breach, we will notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required under the DPDP Rules.
Cross-border transfers: The DPDP Act permits transfer of personal data to all countries except those the Central Government explicitly restricts. As of the date of this policy, no restricted country list has been notified. Your data may be processed by subprocessors in the United States, EU, and Singapore in addition to India.
Right to complain: If you are unsatisfied with our grievance response, you may file a complaint with the Data Protection Board of India once it is constituted and operational.
Upcoming compliance milestones: Full DPDP Act compliance (including Consent Manager registration) is required by May 13, 2027. We are proactively aligning our practices ahead of this deadline.
Australia (Privacy Act 1988, as amended 2024)
If you are located in Australia, we handle your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), including amendments introduced by the Privacy and Other Legislation Amendment Act 2024 (Royal Assent 10 December 2024).
Key provisions under the amended Act:
- Statutory tort for serious invasions of privacy: As of mid-2025, individuals have a statutory right to sue for serious invasions of privacy. We take reasonable steps to prevent unauthorized access to or misuse of your personal information.
- Enhanced data security obligations: In line with the amended APP 11, we implement both technical and organisational measures to protect your personal information.
- Automated decision-making: We use Google reCAPTCHA, which involves automated processing to assess whether a website visitor is human. This does not produce decisions that significantly affect you. When the automated decision-making disclosure requirements take effect on 11 December 2026, we will update this section with any additional disclosures required.
Overseas disclosure (APP 8): Your personal information may be disclosed to recipients in India (our primary processing location) and to subprocessors in countries where our cloud hosting and analytics providers operate, which may include the United States, EU, and Singapore. We take reasonable steps to ensure overseas recipients comply with the APPs.
Complaints (Australia): If you believe we have breached the APPs, please contact our designated Australian Privacy Officer:
Privacy Officer (Australia): Naveen Khanna
Email: [email protected] (also reachable at [email protected])
Postal Address: 251 Frontier Avenue, Aintree VIC 3336, Australia
We will acknowledge your complaint within 7 days and respond substantively within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. The OAIC now has expanded enforcement powers and a tiered civil penalty system under the 2024 amendments.
12. Data Breach Response
We maintain incident response procedures and will provide notifications as required by applicable law and contractual obligations:
- GDPR (EU/UK): We will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach likely to result in a risk to individuals' rights and freedoms (Article 33). Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (Article 34).
- DPDP Act (India): We will notify the Data Protection Board of India within 72 hours of becoming aware of a personal data breach, and notify affected Data Principals as prescribed by the DPDP Rules.
- Australian NDB scheme: We will notify the OAIC and affected individuals as soon as practicable after becoming aware of an eligible data breach likely to result in serious harm.
- CCPA (California): We will provide breach notifications in accordance with California Civil Code §1798.82.
13. Changes to This Policy
We may update this policy from time to time. Material updates will be reflected by revising the effective date at the top of this page. Where feasible and where we have your contact information, we will notify you of material changes by email or through a notice on our website.
14. Contact
For privacy requests, data subject / data principal rights, or questions about this policy:
Privacy Officer (Australia): Naveen Khanna
[email protected]
251 Frontier Avenue, Aintree VIC 3336, Australia
Privacy Contact / Grievance Officer (DPDP, India): [email protected]
D-153, Upper Ground Floor, New Delhi – 110065, India
General Inquiries: [email protected]
For California residents, you may also use the "Do Not Sell or Share My Personal Information" link in our website footer.
This policy describes our data practices and obligations. It is not legal advice to the reader.
Regulatory Timeline — Key Upcoming Deadlines
| Date | Obligation | Framework |
|---|---|---|
| 2 August 2026 | EU AI Act compliance deadline for high-risk AI systems | EU AI Act |
| 13 November 2026 | Consent Manager registration deadline | India DPDP Rules |
| 11 December 2026 | Automated decision-making disclosure requirement in privacy policies | Australian Privacy Act (2024 amendment) |
| 13 May 2027 | Full DPDP Act compliance (consent, notice, rights, breach notification, penalties) | India DPDP Act 2023 |
