GDPR Statement

We are committed to protecting the personal data of individuals in the European Economic Area (EEA) and the United Kingdom in compliance with the General Data Protection Regulation (GDPR).

Our GDPR commitments
  • Lawful, fair, and transparent data processing
  • Data minimisation — we collect only what we need
  • Full support for EEA & UK data subject rights

Effective date: 1 January 2025  •  Last updated: 1 March 2025

1. Overview

The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a regulation in EU law on data protection and privacy. It also applies to the processing of personal data of individuals in the United Kingdom under the UK GDPR (as retained in UK law post-Brexit).

DataMatrix Technology Solutions Pvt. Ltd. (“we”, “us”, or “our”) is an India-based IT services company. While we are not established in the EEA or UK, the GDPR applies to us when we process personal data of individuals located in those regions — for example, when an EEA or UK-based organisation engages our services or when EEA/UK residents visit our website. This statement explains how we meet those obligations.

2. Our role under GDPR

Depending on the context, we act in one of two capacities under the GDPR:

  • Data Controller: When we determine the purposes and means of processing personal data — for example, when we collect enquiry form submissions, demo requests, or website analytics data. We are the Controller for data we collect about prospective and current clients.
  • Data Processor: When we process personal data on behalf of a client who determines the purpose — for example, when we build and operate an exam platform and the client’s candidates submit their data. In this role, we act only on documented instructions from the Controller.

Where we act as a Processor, we enter into a Data Processing Agreement (DPA) with the Controller that sets out our obligations in line with Article 28 GDPR. Please contact us to request our standard DPA.

3. Lawful bases for processing

We process personal data only when we have a lawful basis under Article 6 GDPR. The bases we rely on are:

  • Article 6(1)(a) — Consent: For non-essential cookies, marketing communications, and any processing where we have explicitly asked for and received your consent. You may withdraw consent at any time.
  • Article 6(1)(b) — Contract: For processing necessary to perform a contract with you or to take pre-contractual steps at your request — for example, setting up a project engagement or a platform account.
  • Article 6(1)(c) — Legal obligation: Where we must process data to comply with applicable law — for example, retaining financial records for tax purposes.
  • Article 6(1)(f) — Legitimate interests: For website security monitoring, fraud prevention, and improving our services, provided our interests are not overridden by your fundamental rights and freedoms.

Where we process special category data (Article 9 GDPR), we identify an additional condition under Article 9(2) and document it accordingly. We do not routinely process special category data.

4. Data subject rights

If you are located in the EEA or UK, you have the following rights under the GDPR. We will respond to all verified requests within one calendar month (extendable by two further months for complex requests, with notice).

  • Right of access: Request a copy of the personal data we hold about you and information about how we use it (Article 15).
  • Right to rectification: Ask us to correct inaccurate or complete incomplete personal data without undue delay (Article 16).
  • Right to erasure: Request deletion of your personal data where it is no longer necessary, consent is withdrawn, or processing was unlawful (Article 17).
  • Right to restriction: Ask us to restrict processing in certain circumstances — for example, while accuracy is contested (Article 18).
  • Right to portability: Receive personal data you provided to us in a structured, commonly used, machine-readable format (Article 20).
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes at any time (Article 21).
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing (Article 7).
  • Automated decision-making: Not be subject to solely automated decisions that produce significant legal effects (Article 22). We do not conduct such processing.

To exercise any of these rights, submit a written request to business@dmtspl.com. We may need to verify your identity before processing the request.

5. International data transfers

DataMatrix Technology Solutions Pvt. Ltd. is based in India. When we process personal data of EEA or UK residents, this constitutes an international transfer of personal data to a third country. We ensure adequate safeguards are in place for such transfers, including:

  • Standard Contractual Clauses (SCCs): Where required, we incorporate the European Commission’s approved SCCs (2021 edition) or the UK International Data Transfer Addendum (IDTA) into our data processing agreements.
  • Transfer Impact Assessments (TIAs): We conduct TIAs where required to assess whether SCCs provide effective protection in the context of data transfers to India.
  • Sub-processors: Where we engage sub-processors (e.g., AWS for cloud infrastructure), we ensure appropriate transfer mechanisms are in place with those parties.

You may request a copy of the relevant transfer safeguards by contacting us at business@dmtspl.com.

6. Data retention

We retain personal data for the minimum period necessary to fulfil the purpose for which it was collected or as required by law. Our general retention schedule:

Data category | Retention period | Basis
--- | --- | ---
Contact & enquiry form submissions | 24 months | Legitimate interests
Client account data | Duration of contract + 12 months | Contract / Legal obligation
Financial & billing records | 7 years | Legal obligation
Marketing consent records | Until consent is withdrawn + 3 years | Legal obligation (accountability)
Website analytics data | 26 months (Google Analytics default) | Consent / Legitimate interests
Server & security logs | 90 days | Legitimate interests

7. Security measures

We implement appropriate technical and organisational measures (TOMs) as required by Article 32 GDPR to ensure a level of security appropriate to the risk. These include:

  • Encryption of personal data in transit (TLS 1.2+) and at rest where applicable.
  • Role-based access controls limiting data access to authorised personnel only.
  • Regular security assessments and vulnerability testing of our platforms.
  • AWS infrastructure with ISO 27001-certified data centres.
  • Staff training on data protection and information security.
  • Incident response procedures including breach notification processes.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of EEA/UK data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33 GDPR) and affected individuals without undue delay where required (Article 34 GDPR).

8. Sub-processors

Where we act as a Data Processor, we engage sub-processors only with prior written authorisation from the Controller and ensure they are bound by data protection obligations no less protective than those in our DPA. Key sub-processors we use in service delivery:

Sub-processor | Purpose | Location
--- | --- | ---
Amazon Web Services (AWS) | Cloud hosting, storage, and infrastructure | India / Global
Google Analytics | Website analytics and traffic measurement | USA (SCCs in place)
Google Workspace | Business email and internal collaboration | USA (SCCs in place)

Clients may request an up-to-date list of sub-processors relevant to their specific engagement by contacting us.

9. Data Processing Agreement

If you engage DataMatrix Technology Solutions Pvt. Ltd. to process personal data on your behalf and you are a Controller subject to the GDPR or UK GDPR, we are required under Article 28 to enter into a written Data Processing Agreement (DPA). Our standard DPA incorporates the 2021 EU Standard Contractual Clauses (Module 3: Processor-to-Processor) where applicable. To request a copy of our DPA or to initiate the signing process, please contact us at business@dmtspl.com.

10. Supervisory authority & complaints

If you are located in the EEA or UK and believe we have not handled your personal data in compliance with the GDPR, you have the right to lodge a complaint with the relevant supervisory authority:

  • EEA residents: Contact the data protection authority in your EU member state. A list is available at edpb.europa.eu.
  • UK residents: Contact the Information Commissioner’s Office (ICO) at ico.org.uk or by phone on 0303 123 1113.

We would appreciate the opportunity to address your concerns before you contact a supervisory authority. Please reach out to us first at business@dmtspl.com and we will respond within 30 days.

11. Changes to this statement

We review and update this GDPR Statement periodically to reflect changes in our practices, applicable law, or guidance from supervisory authorities. When we make material changes, we will update the “Last updated” date above. We encourage you to review this page regularly. Continued use of our website or services after changes are posted constitutes acceptance of the updated statement.

12. Contact & data requests

For all GDPR-related enquiries, data subject access requests, DPA requests, or to raise a data protection concern, please contact us:

GDPR at a glance
  • We act as Controller or Processor depending on context
  • SCCs / UK IDTA used for international transfers
  • 72-hour breach notification to supervisory authority
  • DSARs responded to within one calendar month
  • DPA available on request (Article 28)
Submit a data request

Access, correct, or erase your data. We respond within one calendar month.
