Effective 14 May 2026

Privacy Policy

Effective: 14 May 2026

This policy explains how Hotreloads Digital (“Hotreloads”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data when you interact with our website at hotreloads.com, our marketing communications, our consultations, and the engagements that follow them. It is written to satisfy both the Digital Personal Data Protection Act, 2023 (“DPDP Act”) of India and, where applicable, the EU and UK General Data Protection Regulation (“GDPR”). For visitors based outside these jurisdictions, we apply the higher of the two standards by default.

We are the data fiduciary under the DPDP Act, and the data controller under the GDPR, for the personal data we collect through the channels described in this policy. Our Indian Corporate Identification Number (CIN) and GST Identification Number (GSTIN) are listed in the site footer.

1. Scope

This policy covers personal data collected through the hotreloads.com website, including any forms (lead enquiries, newsletter sign-ups, waitlist captures, contact requests), bookings made through linked third-party tools, marketing emails we send, our LinkedIn and GitHub presences when you interact with our staff in their professional capacity, and any direct communications you initiate with us. It does not cover personal data we receive from our clients in the course of an engagement; that data is handled under a separate Data Processing Agreement that the client and Hotreloads sign before the engagement begins.

2. Information we collect

We collect personal data in three ways.

Information you provide directly. When you complete a form or send us an email, you may provide your full name, business email address, telephone number, employer, role, country, the focus area or service you are interested in, a description of the problem you would like to discuss, your preferred timeline or budget range, and any other information you choose to share in free-text fields. When you book a consultation through our scheduling tool, you provide your name, email, the time slot you have selected, your time zone, and any context you supply in the booking form.

Information collected automatically. When you visit hotreloads.com, our edge network records the following for security, abuse prevention, and operational diagnostics: IP address, user agent, referring URL, timestamp, the resource requested, the HTTP response code, and approximate region derived from your IP. We use cookieless analytics (Plausible) to record aggregate usage; this does not identify you. With your consent, we may load additional analytics (Google Analytics 4) that uses cookies and identifiers as described in our Cookie Policy.

Information from third parties. If you reach us via a LinkedIn message or a referral, we may receive the basic professional information your referring contact has shared with us, together with the publicly visible parts of your LinkedIn profile. If you have applied for a job with us, we may receive information from the channels you have used to apply (job boards, referrers, your own published work). We do not buy contact lists.

3. Purposes for which we use your data

We use personal data only for purposes that are reasonable, necessary, and proportionate to the relationship we have with you. The principal purposes are:

  • Responding to enquiries you have made, including scoping conversations and follow-up correspondence.
  • Scheduling and conducting consultations, including sending you reminders and meeting links.
  • Sending you communications you have explicitly subscribed to, such as our newsletter, with a clear unsubscribe option in every message.
  • Operating and securing the website, including detecting and preventing fraud, abuse, scraping, and credential-stuffing attacks.
  • Producing aggregate, non-identifying analytics to understand how visitors use the site and where it can be improved.
  • Complying with our legal, regulatory, and tax obligations under Indian law and any applicable foreign law.
  • Establishing, exercising, or defending legal claims if the need arises.

We do not use personal data for automated decision-making that produces legal or similarly significant effects on you. We do not sell personal data, and we do not share it for behavioural advertising on third-party platforms.

4. Lawful bases

Under the GDPR (where it applies to you), we rely on the following lawful bases:

  • Consent for marketing communications, optional analytics cookies, and the use of identifiers that go beyond what is strictly necessary for the site to function. You may withdraw consent at any time, with effect for the future.
  • Performance of a contract or pre-contractual steps to respond to your enquiries and to conduct consultations and proposal work that may lead to a signed engagement.
  • Legitimate interests for operating and securing the website, preventing abuse, communicating with you in your professional capacity at the email address you provided in a business context, and conducting our normal commercial activity. We have assessed each legitimate-interest reliance against your interests, rights, and freedoms; you can request the underlying balancing assessment by writing to us.
  • Legal obligation for the parts of our processing that follow from Indian statutory requirements, including company-law record-keeping, tax accounting, and lawful requests from authorities.

Under the DPDP Act, we process personal data on the basis of your consent (for example, when you fill in a form) and on the basis of specified legitimate uses set out in section 7 of the Act, including responding to your communications and complying with law.

5. Sharing and disclosure

We share personal data only with the parties listed below.

Service providers that process personal data on our behalf under written contractual obligations. These are listed in Section 7.

Professional advisers (legal, tax, accounting, audit) when their advice or services require it, under their own duties of confidentiality.

Authorities and regulators, in response to a lawful request, or where disclosure is required by law, court order, or to protect rights, property, or safety.

Successors in interest, in the event of a corporate transaction (merger, acquisition, asset sale, or reorganisation), with notice to you and, where required, your consent.

6. International data transfers

We are based in India. Some of our service providers process personal data outside India and outside the European Economic Area. Where personal data is transferred from the EEA, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (or the UK International Data Transfer Agreement / Addendum) and supplement them with any further measures the local supervisory authority requires. Where personal data is transferred out of India, we comply with the cross-border transfer requirements that the Indian government notifies under the DPDP Act from time to time. A current list of the countries personal data may be transferred to is available on request.

7. Subprocessors

The following service providers may process personal data on our behalf. We perform due diligence on each one, sign written agreements that include appropriate data-protection terms, and review the list at least annually.

ProviderPurposeRegion
Cloudflare, Inc.Edge hosting, DDoS protection, Turnstile bot challenge, R2 object storageGlobal edge
Neon, Inc.Primary lead and submission databaseSingapore
HubSpot, Inc.CRM and marketing operations for outbound communicationsUnited States, EU
Resend, Inc.Transactional emailUnited States
Buttondown, LLCNewsletterUnited States
Cal.com, Inc.Booking and consultation schedulingUnited States, EU
Plausible Insights OÜCookieless website analyticsEuropean Union
Google LLCGoogle Analytics 4 (loaded only after consent)Global

If you would like a copy of the Data Processing Agreement we have signed with any of these providers, write to us at the address in Section 13.

8. Retention

We keep personal data only for as long as we need it for the purpose we collected it.

  • Lead and enquiry records are retained for up to 24 months from your last interaction with us, after which we delete or anonymise them. Records that have become part of a signed engagement are retained for the duration of that engagement and for the statutory limitation periods that follow.
  • Booking metadata is retained for 24 months for record-keeping and conflict-of-interest checks.
  • Newsletter subscriptions are retained until you unsubscribe, plus a short suppression record afterwards so that we do not accidentally re-add you.
  • Server logs are retained for 90 days for security and abuse-investigation purposes.
  • Business records (invoices, contracts, tax filings) are retained for the period required by Indian law (currently a minimum of eight years for financial records).

Where you have a right to deletion (Section 9), we will delete the underlying personal data even where we would otherwise retain it, except to the extent we are required to keep it by law.

9. Your rights

Where the DPDP Act applies to you, you have the right to:

  • access the personal data we hold about you;
  • correct or update inaccurate or incomplete personal data;
  • erase personal data that is no longer necessary or has been withdrawn from consent;
  • nominate another individual to exercise these rights on your behalf in the event of your death or incapacity; and
  • complain to the Data Protection Board of India if you believe we have not handled your data correctly.

Where the GDPR (or the UK GDPR) applies to you, you also have the right to:

  • restrict processing in specified circumstances;
  • object to processing carried out on the basis of legitimate interests, and to direct marketing at any time;
  • data portability for personal data you have provided to us and which we process by automated means on the basis of consent or contract; and
  • lodge a complaint with your local supervisory authority.

To exercise any of these rights, write to us at the address in Section 13. We will respond within one month for GDPR rights, and within the timelines the Data Protection Board notifies under the DPDP Act (currently a target of 30 days). We may ask you to verify your identity before fulfilling a request. We will not charge a fee for the first request in any twelve-month period; subsequent requests that are manifestly unfounded or excessive may be subject to a reasonable administrative charge or refused, in which case we will explain why.

10. Security

We apply the technical and organisational measures that a small senior engineering team would apply to its own production systems. These include encryption in transit, encryption at rest for the lead database, principle-of-least-privilege access controls, single-sign-on with hardware-key-backed multi-factor authentication for staff accounts, audit logging on administrative actions, separate environments for development and production, and incident-response runbooks that are tested at least once a year. No system is perfectly secure; we do not warrant that ours is. If you believe you have found a security issue, please email us at the contact address below and we will respond within two business days.

11. Children’s privacy

The website is intended for an adult professional audience and we do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we update the “Effective” date at the top, summarise the change at the foot of this section, and where appropriate notify you by email or through the site itself. Continued use of the website after a change becomes effective constitutes acceptance of the updated policy.

13. Contact and grievance officer

For any privacy question, request, or complaint, including the exercise of your rights described above, please contact:

Sunny Sharma — Grievance Officer (DPDP Act) and Data Protection contact for GDPR purposes Hotreloads Digital Bangalore, Karnataka, India hello@hotreloads.com

We aim to respond to every privacy enquiry within seven business days, and to resolve substantive requests within the statutory timelines described above. If you are not satisfied with our response, you have the right to escalate to the Data Protection Board of India (under the DPDP Act) or to your local supervisory authority (under the GDPR).

Last reviewed 14 May 2026