Privacy Policy

1. Introduction

Ownux Global ("we," "our," or "us") is a cybersecurity services company specializing in Vulnerability Assessment and Penetration Testing (VAPT), compliance consulting, and endpoint monitoring. We are committed to protecting the privacy and security of the personal information we collect, process, and store.

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website at https://ownuxglobal.com or engage us for our services. It also describes how we comply with applicable data protection laws including the EU and UK General Data Protection Regulation (GDPR and UK GDPR), the UK Privacy and Electronic Communications Regulations (PECR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), and the Digital Personal Data Protection Act, 2023 of India (DPDP Act).

This Privacy Policy applies to personal information we control or process as a controller. Where we process personal data on behalf of a Client during the delivery of services, the Client is the controller and our processing is governed by the relevant engagement letter, Master Services Agreement (MSA), or Data Processing Addendum (DPA).

2. Information We Collect

2.1 Information You Provide Directly

We may collect the following information when you contact us, request a quote, subscribe to our newsletter, or engage our services:

• Full name
• Company name and role
• Email address and phone number
• Country or region (for routing inquiries and tailoring regulatory advice)
• Newsletter subscription preferences via our Ghost-powered blog
• Any other information you voluntarily provide via forms, email, or live communication

2.2 Information Collected Automatically

When you visit our website, we may automatically collect:

• IP address and approximate geographic location
• Browser type, language, and operating system
• Pages visited, time spent on pages, and clickstream
• Referring URL and search terms (if available)
• Device type and screen dimensions
• Cookie identifiers and similar tracking technologies (see Section 6)

2.3 Information Collected as Part of Service Delivery

In the course of providing VAPT, compliance consulting, and endpoint monitoring services to our clients, we may process personal data on behalf of those clients (acting as a data processor or sub-processor). This may include:

• Personally Identifiable Information (PII) provided as compliance evidence
• Employee or system user data required for security assessments
• Network, infrastructure, and configuration details that may contain personal data
• Telemetry, alerts, and log data from monitored endpoints

Such data is governed by the terms of our service agreements, Master Services Agreements, Data Processing Addenda, and Non-Disclosure Agreements (NDAs) with our clients. Where you are an employee or contact of one of our clients and have questions about this processing, please contact your employer or the relevant data controller.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To respond to inquiries and provide requested services
• To deliver, manage, and improve our cybersecurity, compliance, and endpoint monitoring services
• To communicate with you regarding your engagements, including reports, findings, and alerts
• To send our newsletter and blog updates where you have opted in
• To measure the effectiveness of our website, content, and marketing activities
• To comply with applicable legal and regulatory obligations including DPDP Act, GDPR, UK GDPR, CCPA/CPRA, and APPs
• To detect, prevent, and respond to fraud, abuse, and security incidents on our own systems
• To enforce our Terms of Service and other agreements

4. Legal Basis for Processing Personal Data

Where the GDPR, UK GDPR, or DPDP Act applies, we rely on the following lawful bases:

• Contractual necessity: to fulfil our obligations under an engagement letter, SOW, MSA, or other written agreement with you or your employer.
• Legal obligation: where processing is required by law or regulation, including responding to lawful requests from public authorities and meeting audit and record-keeping requirements.
• Legitimate interests: to operate and improve our business, secure our systems, prevent fraud, and pursue commercial activities, provided these interests do not override your fundamental rights and freedoms.
• Consent: where you have explicitly provided it, for example by opting in to our newsletter or accepting analytics or marketing cookies. You may withdraw consent at any time without affecting prior lawful processing.

5. Marketing Communications

Ownux Global operates a blog and email newsletter through Ghost (Ghost Foundation) at blog.ownuxglobal.com. When you subscribe via our website or the blog, information you provide (email address, optional name, and subscription preferences) is processed by Ghost as our sub-processor for the purpose of delivering newsletter emails.

All marketing emails are sent on an opt-in basis. Where required by PECR, GDPR, the Australian Spam Act 2003, or similar laws, we obtain prior consent before sending promotional communications. You may unsubscribe at any time using the unsubscribe link in any newsletter email or by contacting us using the details in Section 17.

In future, we may send transactional or product update emails related to engagements you have with us. These are not promotional and are necessary for the performance of our services.

6. Cookies and Tracking Technologies

Our website uses cookies and similar technologies grouped into three categories:

• Essential cookies that are required for the site to function (Cloudflare security and your cookie preference itself).
• Analytics cookies placed by Microsoft Clarity to help us understand how visitors use the site.
• Marketing cookies reserved for future Google Ads and Meta Pixel integrations. Not active today.

Analytics and marketing cookies are only set after you grant consent through our cookie banner. You may change your choice at any time using the Cookie Preferences link in the footer of every page.

For a complete list of cookies with names, providers, purposes, and expiry, see our dedicated Cookie Policy.

7. Advertising and Analytics Partners

We use Microsoft Clarity for product analytics. We do not currently run advertising campaigns. We expect to activate Google Ads and the Meta Pixel for measurement and remarketing in the near future. When we do, these integrations will only operate after you grant marketing consent.

• Microsoft Clarity receives pageview events, click and scroll telemetry, and masked session recordings. Form field contents are masked by default. Clarity may set cookies including _clck, _clsk, and CLID.
• Google Ads (when activated) will use conversion tracking and remarketing cookies such as _gcl_au and IDE. Hashed user identifiers, page interactions, and conversion events may be shared with Google for ad measurement and audience building.
• Meta Pixel (when activated) will use _fbp, _fbc, and similar cookies to support Custom Audiences and conversion measurement on Meta platforms (Facebook and Instagram).

You can opt out at the platform level using industry resources: Google Ads Settings, Meta Ad Preferences, Digital Advertising Alliance opt-out, Your Online Choices (EU), Your Online Choices (AU).

8. How We Share Information

We do not sell personal information. We do not share personal information for cross-context behavioral advertising except as expressly described in Section 7 and only after applicable consent. We may share personal data in the following circumstances:

• With trusted third-party service providers and sub-processors who assist in our operations (see Section 9), under written confidentiality and data protection obligations
• With client organizations, strictly within the scope of the engagement
• With professional advisors (lawyers, accountants, insurers) under duties of confidentiality
• With acquirers in connection with a merger, acquisition, or sale of all or a portion of our business
• As required by applicable law, regulation, lawful request from public authorities, or court order
• To establish, exercise, or defend legal claims and to protect the rights, safety, and property of Ownux Global, our clients, or others

9. Sub-Processors and Service Providers

We engage the following sub-processors and service providers to operate this website and our services. This list reflects current state and may change. Material changes will be reflected in updates to this Privacy Policy.

All sub-processors are engaged under written agreements that contain appropriate confidentiality, security, and data protection obligations. Engagement-specific sub-processors used during the delivery of client services are disclosed in the relevant engagement letter or DPA.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including:

• Duration of the client engagement and a reasonable period thereafter
• Periods required by applicable law (for example, tax, audit, or compliance records)
• Newsletter subscriptions until you unsubscribe or we discontinue the newsletter
• Website analytics data for the periods listed in our Cookie Policy
• Until you request deletion, where applicable

VAPT reports, engagement records, and compliance documentation are retained in line with our contractual obligations and ISO 27001-aligned data retention procedures.

11. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. Our security practices include:

• Access controls and role-based permissions for all systems
• Multi-factor authentication for administrative access
• Company-issued devices with endpoint protection
• Encryption in transit (TLS) and at rest where supported
• Secure storage on centrally managed systems with restricted access
• Use of NDAs with all personnel and third parties handling sensitive data
• Ongoing security awareness and training for our team
• Regular internal security reviews aligned with ISO 27001 standards

While we take all reasonable precautions, no method of transmission or storage is 100% secure. If a security incident affects your personal data, we will notify you and the relevant supervisory authority as required by applicable law, including the Notifiable Data Breaches scheme in Australia and the breach notification obligations under the DPDP Act, GDPR, and UK GDPR.

12. International Data Transfers

Ownux Global operates primarily from India. Several of our sub-processors operate in the United States, the United Kingdom, the European Union, and global cloud regions. Personal data may be transferred to, and processed in, jurisdictions outside your country of residence.

Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
• Supplementary technical, contractual, and organizational measures where required by the Schrems II decision

Where the DPDP Act applies to a cross-border transfer, we comply with the requirements specified by the Central Government of India. Where Australian Privacy Principle 8 applies, we take reasonable steps to ensure overseas recipients do not breach the APPs.

13. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right to access: request a copy of the personal data we hold about you
• Right to correction or rectification: request correction of inaccurate or incomplete data
• Right to deletion or erasure: request erasure of your personal data, subject to legal obligations
• Right to restrict or object to processing: in certain circumstances, including objection to direct marketing
• Right to data portability: where technically feasible
• Right to withdraw consent: at any time, where processing is based on consent
• Right to opt out of sale or sharing: we do not sell personal information; you may opt out of sharing for cross-context behavioral advertising via our cookie banner
• Right to nominate: under the DPDP Act, the right to nominate another individual to exercise your rights in the event of your death or incapacity
• Right to lodge a complaint: with the relevant data protection authority in your jurisdiction

To exercise any of these rights, contact us using the details in Section 17. We may need to verify your identity before responding. We will respond within the timeframe required by applicable law (typically 30 days under GDPR and DPDP Act, 45 days under CCPA).

14. Regional Privacy Disclosures

15. Children's Privacy

Our website and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately and we will take steps to delete it. Under the DPDP Act, where we process personal data of a child, we will obtain verifiable consent of the parent or lawful guardian as required.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, sub-processors, or legal requirements. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email or through a prominent notice on our website. We encourage you to review this policy periodically.