How we collect, use, and protect your information.
This policy explains what personal and business data we collect, why we collect it, how it is used, stored, shared, and protected, and the rights available to you under applicable data protection law.
1. Introduction and Scope
This Privacy Policy (“Policy”) applies to all personal and business information collected by RiskDesk, a risk advisory and statutory interpretation consultancy operated by Md Hussain, BA., LLB, with its registered office at Flat No 201, WG Apartments, NGGO’s Colony, Visakhapatnam – 530016, Andhra Pradesh, India (“RiskDesk”, “we”, “us”, or “our”).
This Policy covers information collected through:
- the website at riskdesk.in (the “Website”);
- the intake form and any other forms on the Website;
- email, phone, and WhatsApp communications;
- pre-engagement and engagement correspondence;
- any other interaction with RiskDesk services.
By accessing the Website, submitting information through any form, or engaging with our services, you consent to the collection, use, and processing of your information as described in this Policy. If you do not agree with this Policy, please do not use the Website or submit any information.
2. Data Controller / Data Fiduciary
For the purposes of the Digital Personal Data Protection Act, 2023 (“DPDPA”) and applicable Indian data protection law, the data fiduciary responsible for your personal data is:
RiskDesk
Md Hussain, BA., LLB — Principal Advisor
Flat No 201, WG Apartments, NGGO’s Colony
Visakhapatnam – 530016, Andhra Pradesh, India
Email: intake@riskdesk.in
For users in the European Economic Area (EEA) or the United Kingdom, RiskDesk is the “data controller” within the meaning of the General Data Protection Regulation (GDPR) and the UK GDPR respectively.
3. Information We Collect
3.1 Information You Provide Directly
When you interact with our Website or services, you may provide us with:
- Identity information — full name, designation or job title, organisation or entity name;
- Contact information — email address, telephone number, WhatsApp number, postal address;
- Business information — entity type, approximate annual turnover range, jurisdiction(s) of interest, industry sector;
- Engagement information — the type of engagement sought, the confidential brief or matter description, supporting documents, and subsequent correspondence;
- Financial information — billing details and payment information where required for engagement fee processing;
- Consent records — records of your acknowledgement of the disclaimer, privacy policy, and terms of service.
3.2 Information Collected Automatically
When you visit the Website, we may automatically collect:
- Device and browser information — IP address, browser type and version, operating system, device type, screen resolution, and language preference;
- Usage information — pages visited, time and date of visit, time spent on pages, referring URL, and navigation paths;
- Server logs — HTTP request headers, timestamps, response codes, and data transfer volumes;
- Bot-defence data — timing tokens and honeypot field states used solely to detect automated submissions.
3.3 Information from Third Parties
We may receive limited information about you from third-party sources, including:
- publicly available business registries and regulatory filings (in the course of due diligence engagements);
- referral sources who introduce you to RiskDesk (with your knowledge);
- analytics and advertising platforms (see Section 7 below).
4. How We Use Your Information
We use the information collected for the following purposes:
- Service delivery — to review intake briefs, perform conflict checks, communicate regarding potential or active engagements, deliver advisory services, and provide deliverables;
- Communication — to respond to your enquiries, send engagement-related correspondence, provide updates, and send administrative notices;
- Legal and regulatory compliance — to comply with applicable laws, regulations, court orders, or regulatory directives, including record-keeping obligations under Indian law;
- Business operations — to manage billing, maintain records, improve our services, and conduct internal analysis;
- Website operation — to maintain, protect, and improve the Website, monitor performance, diagnose technical issues, and prevent abuse;
- Security — to protect against unauthorised access, fraud, abuse, and other illegal activities;
- Analytics — to understand how the Website is used and to improve user experience (using anonymised or aggregated data where possible).
We do not use your personal information for automated decision-making, profiling, or targeted advertising.
5. Legal Basis for Processing
We process personal data on the following lawful bases, as applicable under DPDPA, GDPR, and other applicable data protection law:
- Consent — where you have given clear, informed consent for a specific purpose (e.g., submitting the intake form, accepting the disclaimer);
- Performance of a contract — where processing is necessary for the performance of an engagement governed by a written engagement letter, or to take pre-contractual steps at your request;
- Legitimate interest — where processing is necessary for our legitimate business interests (such as fraud prevention, network security, business improvement, and maintaining records of correspondence), provided those interests are not overridden by your rights and freedoms;
- Legal obligation — where processing is necessary for compliance with applicable law, regulation, or court order.
Where consent is the basis of processing, you may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
6. Cookies and Tracking Technologies
6.1 Cookies We Use
The Website uses a limited number of cookies:
- Disclaimer acknowledgement cookie (rd_disclaimer_v1) — a strictly necessary first-party cookie that records your acknowledgement of the BCI entrance disclaimer. Valid for thirty (30) days. Without this cookie, the disclaimer modal appears on every page visit.
6.2 Third-Party Analytics
We may use third-party analytics services such as Google Analytics to help us understand how the Website is used. These services may set their own cookies and collect information such as your IP address (anonymised where possible), browser type, pages visited, and time of visit. This data is processed in aggregate form to improve the Website.
Google Analytics data processing is governed by Google’s privacy policy. Where Google Analytics is active, we use IP anonymisation to reduce the precision of IP addresses before they are stored by Google.
6.3 Cookie Preferences
You may control cookies through your browser settings. Disabling cookies may affect the functionality of the Website (e.g., the disclaimer modal will appear on every visit). For details on managing cookies, refer to your browser’s help documentation.
7. Sharing and Disclosure
Your personal information is held in confidence and is not sold, rented, traded, or otherwise made available to third parties for their marketing or advertising purposes. We may share your information only in the following circumstances:
- Service providers — with trusted third-party service providers who assist in operating the Website or delivering our services (e.g., hosting providers, email service providers, payment processors), under contracts that require them to protect your information and use it solely for the purposes specified by us;
- Legal requirements — where required by applicable law, regulation, court order, subpoena, or binding directive of a regulatory or governmental authority;
- Legal defence — where strictly necessary to establish, exercise, or defend legal rights, or to respond to legal proceedings;
- Professional referrals — where you have expressly consented to a referral to third-party professionals (e.g., enrolled advocates, auditors, or specialists), limited to the information necessary for the referral;
- Business transfers — in connection with a merger, acquisition, restructuring, or sale of assets, provided that the acquiring entity assumes the obligations of this Policy with respect to the transferred data.
8. International Data Transfers
Your information is primarily stored and processed in India. Where information is transferred to, stored in, or processed in a country outside India, we ensure that appropriate safeguards are in place, including:
- use of service providers in jurisdictions recognised as providing adequate data protection;
- standard contractual clauses or equivalent data protection agreements;
- compliance with the data transfer provisions of the DPDPA and, where applicable, the GDPR.
If you are located in the EEA, United Kingdom, or another jurisdiction with data transfer restrictions, by using the Website and submitting your information, you consent to the transfer of your information to India for processing in accordance with this Policy.
9. Data Retention
We retain personal information for only as long as necessary to fulfil the purposes for which it was collected, including:
- Intake briefs and pre-engagement correspondence — retained for the period necessary to process the enquiry and for a subsequent period of three (3) years for record-keeping, conflict-checking, and compliance purposes;
- Engagement records — retained for the duration of the engagement and for a subsequent period of seven (7) years, or longer where required by applicable law, regulation, or professional standards;
- Server logs and analytics data — retained for up to twelve (12) months for security and performance analysis, after which they are deleted or anonymised;
- Cookie data — retained for the duration specified in Section 6 above.
At the end of the applicable retention period, information is securely deleted or anonymised such that it can no longer be associated with an individual.
10. Your Rights
10.1 Rights under Indian Law (DPDPA)
If you are a data principal under the DPDPA, you have the right to:
- Access — obtain confirmation of whether your personal data is being processed and a summary of such data;
- Correction and erasure — request correction of inaccurate data and erasure of data that is no longer necessary for the stated purpose;
- Withdraw consent — withdraw consent at any time, subject to the consequence that processing for that purpose will cease;
- Grievance redressal — raise a grievance with our Grievance Officer (see Section 14 below);
- Nominate — nominate another individual to exercise rights on your behalf in the event of your death or incapacity.
10.2 Rights under GDPR (EEA / UK Users)
If you are located in the European Economic Area or the United Kingdom, you additionally have the right to:
- Rectification — request correction of inaccurate or incomplete personal data;
- Erasure (“right to be forgotten”) — request deletion of personal data where there is no compelling reason for continued processing;
- Restriction — request restriction of processing in certain circumstances (e.g., while the accuracy of data is contested);
- Data portability — receive your personal data in a structured, commonly used, machine-readable format;
- Object — object to processing based on legitimate interest or for direct marketing purposes;
- Automated decision-making — not be subject to decisions based solely on automated processing (we do not engage in such processing);
- Lodge a complaint — lodge a complaint with a supervisory authority in your jurisdiction.
10.3 Exercising Your Rights
To exercise any of the above rights, please contact us at intake@riskdesk.in with sufficient information to identify yourself and describe your request. We will respond within thirty (30) days of receipt, or within the period prescribed by applicable law. We may request additional information to verify your identity before processing the request.
11. Children’s Privacy
The Website and our services are not directed at children under the age of eighteen (18). We do not knowingly collect personal information from anyone under the age of eighteen. If we become aware that we have inadvertently collected personal information from a child under eighteen, we will take reasonable steps to delete such information promptly. If you believe we have collected information from a child, please contact us immediately.
12. Security Measures
We implement reasonable technical, administrative, and organisational security measures to protect your information against unauthorised access, alteration, disclosure, or destruction. These measures include:
- transport-layer encryption (HTTPS / TLS) for all data in transit;
- HTTP Strict Transport Security (HSTS) to prevent protocol downgrade attacks;
- file-system access controls restricting access to stored data;
- application-layer rate limiting and bot-defence mechanisms;
- regular security review and patching of server infrastructure;
- principle of least privilege for all data access.
No method of transmission over the internet or electronic storage is completely secure. While we take reasonable precautions, we cannot guarantee absolute security. You acknowledge that you provide information at your own risk.
13. Third-Party Services
The Website may integrate with or link to the following categories of third-party services:
- Hosting and infrastructure — the Website is hosted on third-party server infrastructure;
- Analytics — Google Analytics or similar services for website usage analysis;
- Fonts — Google Fonts for typography rendering;
- Maps — Google Maps for location display;
- Communication — email servers and WhatsApp for correspondence.
Each third-party service is governed by its own privacy policy. We encourage you to review the privacy policies of any third-party services you interact with through our Website. We are not responsible for the privacy practices of third-party services.
14. Grievance Officer
In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, the designated Grievance Officer for the purposes of this Policy is:
Md Hussain
Principal Advisor, RiskDesk
Flat No 201, WG Apartments, NGGO’s Colony
Visakhapatnam – 530016, Andhra Pradesh, India
Email: intake@riskdesk.in
Phone: +91 79815 41795
Grievances will be acknowledged within twenty-four (24) hours and resolved within thirty (30) days of receipt. If you are not satisfied with the resolution, you may approach the Data Protection Board of India or the appropriate regulatory authority.
15. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. The updated Policy will be posted on this page with a revised “Last updated” date. We encourage you to review this Policy periodically. Your continued use of the Website after the posting of changes constitutes your acceptance of the revised Policy.
16. Contact
For any questions, concerns, requests, or complaints regarding this Privacy Policy or our data practices, please contact:
RiskDesk
Md Hussain, BA., LLB — Principal Advisor & Grievance Officer
Flat No 201, WG Apartments, NGGO’s Colony
Visakhapatnam – 530016, Andhra Pradesh, India
Email: intake@riskdesk.in
Phone: +91 79815 41795
WhatsApp: +91 98665 31520