Last updated: 03 Oct 2025
Disclaimer: This is a practical legal/ops template set to accelerate compliance. It is not legal advice. Please have local counsel review before publication, especially if you target the EU/UK or US states with privacy laws.
1) Privacy Policy (GDPR • UK GDPR • India DPDP 2023 compatible)
Who we are (Controller)
RKSoft Solutions
112C, Agrasen Colony, Assandh Road, Near Bharat Petroleum,
Panipat, Haryana 132103, India
Phone: +91 99922 41284 • Email: admin@rksoft.co.in
Website: https://www.rksoft.co.in/
EU/UK Representative (if applicable): [Insert appointed representative name, address, email]
Data Protection Officer (if required): [Not required for us at present / Insert DPO details if appointed]
Grievance Officer (India DPDP): [Insert name & email / default: admin@rksoft.co.in]
Scope
This Policy explains how we collect, use, disclose, and safeguard personal data when you visit our website, interact with us, or use our services (including ERP integrations, software development, server/cloud management, and support).
What data we collect
Identity & Contact — name, company, job title, email, phone, postal address.
Business & Account — project details, service usage, logs, support tickets, invoices, contract documents.
Technical — IP address, device/browser info, cookies, pages viewed, timestamps, referral URLs.
Communications — emails, chat messages, call notes, feedback.
Support/Recovery — system snapshots, filenames/metadata, limited content needed for diagnostics or data recovery (never more than necessary).
Recruitment — CV/resume, application details.
Sources of data
Directly from you; your employer; publicly available sources (e.g., business directories); and service providers (e.g., analytics, payment, hosting) as permitted by law.
Purposes & legal bases (GDPR Art. 6)
| Purpose | Examples | Legal basis |
|---|---|---|
| Provide services & support | Deploy ERP, manage servers, respond to tickets | Contract (Art.6(1)(b)) |
| Improve & secure services | Monitoring, debugging, analytics, backups | Legitimate interests (Art.6(1)(f)) |
| Marketing communications | News, offers (opt‑in consent where required) | Consent (Art.6(1)(a)) / Legitimate interests (B2B) |
| Compliance & record‑keeping | Invoices, tax, AML/KYC if required | Legal obligation (Art.6(1)(c)) |
| Recruitment | Process applications, interviews | Contract / Legitimate interests |
For India DPDP: our bases are Consent and Legitimate Uses; we honor Data Principal rights (access, correction, erasure, grievance redressal).
Sharing of data
We share personal data with:
Processors: hosting, email, analytics, payment, ticketing, logging, security, and subcontracted specialists.
Partners/Clients (at your instruction) to deliver projects.
Authorities when required by law or to defend legal claims.
All processors are bound by data protection terms. Sub‑processors are listed on request.
International transfers
Your data may be processed outside your country. Where GDPR/UK GDPR applies, we use appropriate safeguards (e.g., Standard Contractual Clauses, UK Addendum) and risk assessments.
Retention
We keep data only as long as necessary for the purposes above:
Contracts, invoices, and support records: 7 years (or local tax law)
Marketing contacts: until opt‑out or 24 months of inactivity
Web analytics: 14–26 months (configurable)
Diagnostic snapshots/logs: ≤ 90 days unless required for incidents
We then delete or irreversibly anonymize.
Security
We implement access controls, encryption in transit, hardened infrastructure, backups, MFA for admin access, change logs, and regular patching. No internet system is 100% secure; we maintain incident response procedures.
Your rights
Depending on your location, you may have rights to access, correct, delete, restrict, port, object, and withdraw consent.
EU/UK: You can complain to your supervisory authority.
India (DPDP): You can contact our Grievance Officer for redressal.
To exercise your rights, email privacy@rksoft.co.in (or admin@rksoft.co.in) with subject “Data Request”. We’ll respond within the legal timeframe (normally 30 days).
Children
Our services are B2B and not directed to children under applicable age thresholds; we do not knowingly collect such data.
Automated decisions
We do not conduct automated decision‑making that produces legal or similarly significant effects.
Changes
We may update this Policy; material changes will be posted with a new “Last updated” date.
2) Cookie Policy
What are cookies
Cookies and similar technologies (local storage, pixels) are small files that store information on your device to enable core functionality, remember preferences, measure performance, and personalize content.
Types we use
Strictly Necessary — essential site functions (security, navigation, forms).
Preferences — remember settings (e.g., language, layout).
Analytics — traffic and performance metrics.
Marketing — personalize content/ads; frequency capping.
Examples (to customize)
| Cookie | Provider | Purpose | Type | Duration |
| __cf_bm | Cloudflare | Bot management | Strictly necessary | 30 min |
| _ga / _ga_* | Google Analytics 4 | Site usage metrics | Analytics | 2 yrs / 24 mo |
| _gid | Google Analytics 4 | Session differentiation | Analytics | 24 hrs |
| consent_choice | RKSoft | Stores your cookie preferences | Preferences | 6–12 mo |
Audit your live site and replace this table with actual cookies. Block non‑essential cookies until consent is given.
Managing cookies
Use our banner to Accept All, Reject Non‑essential, or Manage Choices. You can also clear cookies in your browser settings.
Contact
Questions? Email privacy@rksoft.co.in.
3) Cookie Banner Text (Short & Long)
Short (banner)
“We use cookies to make our site work, improve performance, and personalize services. Manage choices anytime.”
Detailed (first layer)
“We use cookies and similar technologies for essential site functions, analytics, and optional personalization. Click Accept all to agree, Reject non‑essential, or Manage choices to select categories. We only set non‑essential cookies with your consent.”
Buttons: Accept all • Reject non‑essential • Manage choices
Categories: Strictly necessary (always on), Preferences (opt‑in), Analytics (opt‑in), Marketing (opt‑in)
4) Data Processing Addendum (DPA) — Template
Parties: (a) Client (Controller) and (b) RKSoft Solutions (Processor).
Subject matter & duration: Provision of IT, ERP integration, development, server/cloud management, and support services during the main Agreement term.
Nature & purpose: Processing personal data as necessary to provide the Services per documented instructions of Client.
Categories of data subjects: Client employees, contractors, end‑customers, vendors.
Categories of personal data: Identity/contact, business/account, technical logs, limited content needed for support.
1. Roles & instructions — RKSoft processes personal data only on Client’s documented instructions, including transfers, unless required by law (notice to Client unless legally prohibited).
2. Confidentiality — Personnel are bound by confidentiality and trained in data protection.
3. Security — RKSoft implements appropriate technical and organizational measures (access controls, MFA, encryption in transit, backups, change logs, vulnerability management). See Annex 2.
4. Sub‑processors — RKSoft may engage sub‑processors (hosting, email, logging, ticketing). RKSoft remains liable and will maintain contracts with equivalent protections. Current list available on request; Client may subscribe to change notifications and object on reasonable grounds.
5. International transfers — Where required, Parties incorporate the EU Standard Contractual Clauses (Modules 2/3) and UK Addendum for restricted transfers.
6. Assistance — RKSoft assists Client in responding to data subject requests, security assessments, DPIAs, and consultations, considering the nature of processing.
7. Breach notification — RKSoft notifies Client without undue delay and provides information to support compliance with notification obligations.
8. Deletion/return — Upon termination, at Client’s choice, RKSoft deletes or returns personal data (unless retention is legally required). Certification available on request.
9. Audits — RKSoft provides audit reports or allows audits with reasonable notice, scope, and frequency (protecting confidentiality and security).
10. Liability & order of precedence — As per the main Agreement; if conflict, DPA prevails regarding data protection.
Annex 1 — Details of Processing: purposes, categories, duration, transfers (complete per project).
Annex 2 — Security Measures: access control, authentication, encryption, backup/DR, logging/monitoring, secure development, incident response.
5) Data Subject Request (DSR) SOP (1‑month SLA)
Intake — Accept via privacy@rksoft.co.in or web form; log request ID, date, requester identity, right invoked.
Verify identity — Reasonable verification (email link, business domain, additional details if needed).
Triage — Determine if we are Controller or Processor. If Processor, forward to Client and assist.
Locate data — Search ticketing, CRM, email, logs, backups (avoid over‑collection).
Respond — Within 30 days (extend once by 60 days for complexity, with notice). Provide copy, correction, deletion confirmation, restriction, or rationale if exempt.
Record — Keep an internal log of request, actions, dates, and decisions.
No discrimination — Do not deny services solely for exercising rights (subject to service feasibility).
6) Security Incident & Breach Response (72‑hour clock)
Detect & contain — Activate IR playbook, isolate affected systems, preserve evidence.
Assess risk — Identify personal data involved, likely risks to individuals, and scope.
Notify — If likely risk to individuals (GDPR standard): notify authority within 72 hours and affected individuals without undue delay when high risk. India DPDP: notify Data Protection Board as prescribed (when rules in force).
Inform — Nature of breach, categories/volume of data, impacts, measures taken, contact point.
Remediate — Patch, rotate credentials/keys, harden controls.
Document — Maintain a breach register with root cause analysis and corrective actions.
7) Records of Processing Activities (ROPA) — Template
| Controller/Processor | Purpose | Categories of data subjects | Categories of data | Recipients | Transfers | Retention | Security measures |
| Controller | Website operations, sales, support | Prospects, customers, vendors, staff | Identity/contact, usage, logs | Hosting, email, analytics | SCCs (if any) | 24 mo web analytics; 7 yrs invoices | MFA, TLS, backups |
| Processor (on behalf of clients) | ERP/IT services | Client employees/customers | Business/account, logs | Sub‑processors per project | As agreed (SCCs if needed) | Per client instructions | Access control, encryption in transit |
8) Data Retention Schedule (baseline)
Contracts, invoices, project files — 7 years (or statutory requirement)
Support tickets & diagnostics — 24 months (unless incident related)
Server & app logs — 90–180 days (security logs may be longer)
Marketing contacts — until withdrawal of consent or 24 months inactivity
Recruitment data — 12 months unless hired (then per HR policy)
Backups — rotating cycles; ensure deletion within max 90 days after data removal
9) Consent & Preference Log — Fields to Store
Consent ID, user identifier (hashed if possible), timestamp, categories consented, consent surface (banner, form), version of policies, IP/country (approx), user agent, opt‑out timestamp(s), proof of notice shown.
10) Website & Product Compliance Checklist
11) CCPA/CPRA (Optional, if targeting California)
If you “sell” or “share” personal information or use cross‑context advertising, add:
A “Do Not Sell or Share My Personal Information” link.
A Notice at Collection outlining categories and purposes.
Rights to know, delete, correct, opt‑out; non‑discrimination statement.
Notice at Collection (example)
“We collect identifiers (e.g., contact details), internet activity (usage logs), and professional information to provide and secure our services. See our Privacy Policy for details. We do not sell personal information. You can opt out of sharing for cross‑context behavioral advertising via our preferences link.”
Publication Instructions
Publish Privacy Policy at /privacy-policy/ and Cookie Policy at /cookie-policy/.
Add Manage Cookies link in footer that re‑opens your banner.
Replace placeholders (EU representative, DPO if appointed, grievance officer).
Audit your cookies and update the table.
Configure your consent platform (CookieYes/OneTrust/others) to block non‑essential scripts until consent.
Contact for privacy matters
privacy@rksoft.co.in • admin@rksoft.co.in • +91 99922 41284