Privacy Policy
DASTUTE TECHNOLOGIES LIMITED is committed to protecting your privacy, to complying with GDPR, HIPAA and CCPA, and to operating an information security management system certified to ISO 27001:2022.
Effective Date: February 15, 2026
ISO Certified: ISO 27001:2022
DPO Contact: Available on the Contact page
1. Introduction & Scope
This Privacy Policy governs the processing of personal data by DASTUTE TECHNOLOGIES LIMITED ("DASTUTE," "we," "us," or "our") in connection with our enterprise software development, blockchain infrastructure, artificial intelligence solutions, cybersecurity services, and dedicated development team provisions ("Services").
This policy applies to:
- Client Data: Personal data we process on behalf of our enterprise clients (processor activities under GDPR Article 28)
- Employee/Contractor Data: HR and payroll data (controller activities)
- Website Visitors: Analytics and marketing data
- End-Users: Data processed within applications we develop, as directed by the client that owns the application
Regulatory Frameworks: This policy is written to comply with the UK GDPR, the Data Protection Act 2018, CCPA/CPRA and HIPAA, and with our ISO 27001:2022 ISMS.
2. Data Controller Identity
Legal Entity: DASTUTE TECHNOLOGIES LIMITED
Registered Office: 128 City Road, London, United Kingdom, EC1V 2NX
Registered in: England & Wales
DPO Contact: Available on the Contact page
Supervisory Authority: Information Commissioner's Office (ICO), UK
3. Categories of Personal Data Processed
3.1 Business Contact Data (B2B)
- Identifiers: Name, corporate email, job title, department, business address, direct dial numbers
- Technical: IP addresses, device identifiers, cookies, access logs
- Communication: Email correspondence, meeting recordings (with consent)
3.2 Employee & Contractor Data
- HR Data: CVs, National Insurance numbers, bank details, tax codes, right-to-work documents
- Performance: Appraisals, time records, disciplinary records
- Health Data: Occupational health records (GDPR Article 9(2)(b) - employment law)
3.3 Client-Provided Data (Processor Activities)
- End-User Data: As specified in Data Processing Agreements (DPAs)
- Special Categories: Health data (HIPAA PHI), biometric data, or racial/ethnic data if processing for healthcare/identity clients
- Blockchain Content: Cryptographic wallet addresses, transaction metadata
4. Legal Basis for Processing
| Purpose | Legal Basis | Data Categories |
|---|---|---|
| Service Delivery | Contract performance (Art. 6(1)(b)) | Client contact data, project specifications |
| Payroll & Tax | Legal obligation (Art. 6(1)(c)) | Employee financial data, tax codes |
| Marketing | Consent (Art. 6(1)(a)) or legitimate interest (Art. 6(1)(f)) | Business email addresses |
| Security & Fraud Prevention | Legitimate interest (Art. 6(1)(f)) | Access logs, IP addresses |
5. International Data Transfers
As a UK-based company with global delivery centers, we transfer data internationally under these safeguards:
5.1 UK to USA (Cloud Services/AI APIs)
- Standard Contractual Clauses (SCCs): UK Addendum to EU SCCs implemented for AWS, Azure, GCP, OpenAI/Anthropic
- Supplementary Measures: Encryption in transit (TLS 1.3) and at rest (AES-256)
- HIPAA Specific: Business Associate Agreements (BAAs) executed with all US healthcare-facing subprocessors
5.2 UK to India/Other Delivery Centers
- SCCs with Transfer Impact Assessments: Assessing local surveillance laws
- ISO 27001 Certification: All offshore centers maintain current ISMS certification
- Encryption: End-to-end encryption for all development environments
6. Blockchain & Immutability Clause
Critical GDPR Alignment: Public blockchains are append-only, so any personal data written to them cannot later be deleted, which conflicts with GDPR Article 17 (right to erasure). We therefore record only cryptographic hashes or anonymised identifiers on public chains; the personal data itself stays in encrypted off-chain databases, where it can be corrected or erased on request, after which the on-chain value no longer refers to any retrievable record. For enterprise clients requiring GDPR compliance we deploy private, permissioned blockchains (Hyperledger Fabric, Quorum) with access controls and key revocation capabilities.
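The off-chain/on-chain split described in this clause, as an added example in Python; it is not part of this policy and not DASTUTE's own code. It assumes a simplified append-only ledger standing in for a public chain, a per-record random key held off-chain, and constructed sample records (the names `Ledger`, `OffChainStore`, `keyed_commitment` and `guess_record` are hypothetical). It goes slightly beyond the clause to show the caveat a practitioner would want: a bare hash of low-entropy personal data such as an e-mail address can be matched back to the person from a candidate list, so it is still pseudonymised personal data rather than anonymised, whereas a keyed commitment (HMAC-SHA256) cannot be matched without the key, and destroying that key together with the off-chain record is what makes the permanent ledger entry unlinkable after an erasure request.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed sample records for this example; not real individuals.
SAMPLE_RECORDS = {
    "user-001": {"name": "A. Example", "email": "a.example@example.com"},
    "user-002": {"name": "B. Example", "email": "b.example@example.com"},
}


class Ledger:
    """Append-only stand-in for a public chain: entries are added, never removed."""

    def __init__(self) -> None:
        self.entries = []

    def append(self, commitment: str) -> int:
        self.entries.append(commitment)
        return len(self.entries) - 1

    def get(self, index: int) -> str:
        return self.entries[index]


def canonical(record: dict) -> bytes:
    """Deterministic encoding so the same record always yields the same commitment."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def bare_hash(record: dict) -> str:
    """The weak pattern: an unkeyed hash of the personal data itself."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_commitment(key: bytes, record: dict) -> str:
    """HMAC-SHA256 under a per-record random key; cannot be recomputed once the key is gone."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


class OffChainStore:
    """Holds personal data and per-record keys off-chain; only commitments go on the ledger."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.records = {}  # record_id -> {"key": bytes, "data": dict, "index": int}

    def register(self, record_id: str, data: dict) -> int:
        key = os.urandom(32)  # 256-bit key, never written to the ledger
        index = self.ledger.append(keyed_commitment(key, data))
        self.records[record_id] = {"key": key, "data": data, "index": index}
        return index

    def verify(self, record_id: str) -> bool:
        """Prove the off-chain record matches its ledger entry (needs key and data)."""
        entry = self.records.get(record_id)
        if entry is None:
            return False  # no key and no data: nothing can be re-derived
        expected = keyed_commitment(entry["key"], entry["data"])
        return hmac.compare_digest(expected, self.ledger.get(entry["index"]))

    def erase(self, record_id: str) -> int:
        """Article 17 handling: destroy key and data off-chain; the ledger entry stays."""
        entry = self.records.pop(record_id)
        return entry["index"]


def guess_record(commitment: str, candidates: list) -> Optional[dict]:
    """Dictionary attack: what a third party can do with only the on-chain value."""
    for candidate in candidates:
        if hashlib.sha256(canonical(candidate)).hexdigest() == commitment:
            return candidate
    return None


def run_demo() -> dict:
    """Register, verify, attempt linkage, erase; returns the observations as a dict."""
    ledger = Ledger()
    store = OffChainStore(ledger)
    candidates = list(SAMPLE_RECORDS.values())
    index = store.register("user-001", SAMPLE_RECORDS["user-001"])
    result = {
        "verified_before_erasure": store.verify("user-001"),
        # a bare hash is matched from the candidate list: still personal data
        "bare_hash_linked": guess_record(bare_hash(SAMPLE_RECORDS["user-001"]), candidates) is not None,
        # the keyed commitment on the ledger is not matched: key never left the off-chain store
        "keyed_commitment_linked": guess_record(ledger.get(index), candidates) is not None,
    }
    store.erase("user-001")
    result["ledger_entries_after_erasure"] = len(ledger.entries)  # still 1: the chain does not forget
    result["verified_after_erasure"] = store.verify("user-001")
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The design point is that the ledger never learns anything that can be reversed or brute-forced on its own: the commitment is only meaningful to a party holding the per-record key, and erasure is implemented as key destruction rather than as deletion from the chain, which is impossible by construction. A deployment would keep the key in the same access-controlled store as the record so that an erasure request removes both in one operation.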
7. Security Measures (ISO 27001 & NIST Aligned)
We implement technical and organizational measures per ISO 27001:2022 Annex A and NIST Cybersecurity Framework:
- Encryption: AES-256 at rest, TLS 1.3 in transit, end-to-end for sensitive communications
- Access Control: Role-based access control (RBAC), Multi-Factor Authentication (MFA) mandatory, Zero Trust Architecture
- Code Security: OWASP SAMM maturity level 3, HashiCorp Vault for secrets management, automated vulnerability scanning
- Incident Response: 24/7 SOC monitoring, GDPR Article 33 compliance (72-hour notification)
8. Data Subject Rights
Under GDPR and CCPA, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request copy of your personal data | Contact Us page |
| Rectification | Correct inaccurate data | Client portal or email |
| Erasure | "Right to be forgotten" | Written request (blockchain limitations apply) |
| Portability | Receive data in a structured, machine-readable format | JSON/XML export within one month |
| Objection | Opt out of marketing or legitimate-interest processing | Unsubscribe link or written request |
Response Time: one month (GDPR, extendable by up to two further months for complex requests), 45 days (CCPA, extendable once by 45 days), 30 days (HIPAA right of access, extendable once by 30 days)
9. Data Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Client Project Data | Contract duration + 7 years | UK Limitation Act |
| Employee HR Records | Employment + 6 years | HMRC regulations |
| Financial Records | 6 years | Companies Act 2006 |
| Blockchain Transactions | Indefinite | Technical immutability |
| Security Logs | 12 months | ISO 27001, NIST SP 800-92 |
10. Cookies & Tracking Technologies
- Essential Cookies: Required for platform functionality (session management, CSRF protection)
- Analytics Cookies: Google Analytics 4 (anonymized IP, 14-month retention)
- Marketing Cookies: LinkedIn Insight Tag (consent required)
CCPA "Do Not Sell/Share": We do not sell personal data. We share data only with service providers under contract.
11. Subprocessors & Third Parties
We engage the following categories of subprocessors (GDPR Article 28):
- Infrastructure: Amazon Web Services (UK, EU, US regions), Microsoft Azure, Google Cloud Platform
- Development Tools: GitHub, GitLab, Jira, Slack
- AI/ML Services: OpenAI (GPT-4), Anthropic (Claude) - Zero Data Retention agreements in place
- Security: CrowdStrike, Splunk, Snyk
All subprocessors maintain ISO 27001 certification and execute Standard Contractual Clauses.
12. Data Breach Notification
Detection to Containment: < 4 hours (24/7 SOC)
ICO Notification: Within 72 hours of becoming aware of the breach (GDPR Article 33)
Affected Individuals: Without undue delay if high risk (GDPR Article 34)
Communication Method: Encrypted email + registered post for critical breaches
13. Complaints & Supervisory Authorities
If you believe we have violated your privacy rights:
UK Residents
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
ico.org.uk/make-a-complaint/
California Residents
California Attorney General
California Privacy Protection Agency
14. Changes to This Policy
We review this policy quarterly. Material changes will be notified via:
- Email to registered clients (30 days' notice)
- Website banner notification
- Version control at /privacy-policy-versions/
Version 2.0 (February 2026)
15. Contact Information
Data Protection Officer
Entity: DASTUTE TECHNOLOGIES LIMITED
Registered Office: 128 City Road, London, EC1V 2NX, United Kingdom
Contact: Available on the Contact page