Privacy Policy

Last Updated: January 2, 2026

1. Introduction

Welcome to Brandwick (“we,” “us,” “our,” or “Brandwick”). We are a digital agency headquartered in Delhi, India, providing comprehensive digital services including strategy, design, technology, branding, UX/UI design, and web/mobile application development to clients worldwide.

Company Details:

  • Registered Address: Delhi, India
  • Website: brandwick.com
  • Contact: hello@brandwick.com

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit our website, use our services, or interact with us in any capacity. This policy applies to all visitors, prospective clients, active clients, and users of our services globally.

We are committed to protecting your privacy and handling your personal data responsibly in compliance with applicable data protection laws, including:

  • India’s Digital Personal Data Protection (DPDP) Act, 2023 and the DPDP Rules, 2025
  • The European Union’s General Data Protection Regulation (GDPR) for users in the EU/EEA
  • The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents

By using our website or services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our website or services.

2. Data Controller and Contact Information

Data Controller:
Brandwick, headquartered in Delhi, India, is the data controller responsible for processing your personal data under this Privacy Policy.

Data Protection Officer (DPO):
For matters related to data protection, privacy concerns, or to exercise your rights, please contact our Data Protection Officer at:

  • Email: hello@brandwick.com
  • Subject Line: “Data Protection Query” or “Privacy Rights Request”
  • Response Time: We aim to respond to all privacy-related inquiries within 72 hours during business days, in accordance with DPDP requirements.

For grievances related to data processing under the DPDP Act, you may contact us using the same channels. If your concern is not resolved satisfactorily, you have the right to approach the Data Protection Board of India.

3. Personal Data We Collect

We collect various categories of personal data depending on how you interact with us. The data we collect includes:

3.1 Categories of Personal Data

A. Identifiers and Contact Information:

  • Full name
  • Email address
  • Phone number
  • Company name and job title
  • Physical address (for billing or project delivery)
  • LinkedIn profile or professional social media handles (if provided)

B. Professional and Business Information:

  • Industry sector
  • Business requirements and project specifications
  • Company size and budget information
  • Service preferences and inquiry details

C. Technical and Usage Data:

  • IP address and geolocation data
  • Browser type and version
  • Device information (type, operating system, screen resolution)
  • Referring website URLs
  • Pages visited on our website
  • Time and date of visits
  • Click-stream data and navigation patterns

D. Payment and Financial Information:

  • Payment card details (processed securely through third-party payment processors)
  • Billing addresses
  • Transaction history and invoice records
  • Bank account information (for wire transfers, stored securely)

E. Communications Data:

  • Email correspondence
  • Chat messages and support tickets
  • Feedback and testimonials
  • Call recordings (with prior consent, for quality assurance)

F. Project-Related Data:

  • Client briefs and creative assets
  • Design files, content, and media uploaded by clients
  • Access credentials for third-party platforms (encrypted)
  • Project feedback and approval documentation

G. Cookies and Similar Technologies:

  • Session cookies and persistent cookies
  • Web beacons and tracking pixels
  • Analytics identifiers (Google Analytics client IDs)
  • Marketing and advertising cookies (with consent)

3.2 Sources of Personal Data

We collect personal data from the following sources:

  • Directly from you: When you fill out contact forms, request quotes, sign contracts, communicate with us, or use our services
  • Automatically: Through cookies, analytics tools, and server logs when you visit our website
  • Third parties: From business partners, referral sources, or publicly available professional networks (LinkedIn) with appropriate permissions
  • Payment processors: Transaction confirmations from Stripe, PayPal, or other payment gateways

4. Legal Basis and Purposes for Processing

We process your personal data only when we have a valid legal basis under applicable laws. Our legal bases and purposes include:

4.1 Legal Bases (DPDP Act and GDPR)

A. Consent (Primary basis under DPDP Act):
We obtain your explicit consent before processing your personal data for specific purposes. You may withdraw consent at any time by contacting us.

B. Contractual Necessity:
Processing is necessary to perform our contract with you, deliver services, and fulfill our contractual obligations.

C. Legitimate Interests (GDPR):
We may process data based on our legitimate business interests (such as fraud prevention, network security, and business development), provided these interests do not override your fundamental rights.

D. Legal Obligations:
We process data to comply with legal and regulatory requirements, including tax laws, accounting standards, and government orders.

4.2 Purposes of Processing

We use your personal data for the following purposes:

A. Service Delivery:

  • Responding to inquiries and service requests
  • Providing quotes, proposals, and consultations
  • Executing projects and delivering digital solutions
  • Managing client accounts and project communications
  • Providing customer support and technical assistance

B. Business Operations:

  • Processing payments and managing billing
  • Maintaining accurate financial and business records
  • Managing contracts and legal documentation
  • Conducting internal quality assurance and training

C. Marketing and Communications:

  • Sending newsletters, case studies, and service updates (with consent)
  • Promoting relevant services and special offers
  • Conducting customer satisfaction surveys
  • Building and maintaining client relationships

D. Analytics and Improvement:

  • Analyzing website traffic and user behavior
  • Improving website functionality and user experience
  • Conducting market research and trend analysis
  • Developing new services and features

E. Security and Compliance:

  • Protecting against fraud, unauthorized access, and security threats
  • Enforcing our terms of service and policies
  • Complying with legal obligations and responding to lawful requests
  • Preventing misuse of our services

F. Legal and Regulatory:

  • Maintaining records for tax and accounting purposes
  • Responding to legal processes and government inquiries
  • Defending legal claims and protecting our rights

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We share your data only in the following circumstances:

5.1 Service Providers and Processors

We engage trusted third-party service providers to support our business operations. These processors have access to personal data only to perform specific tasks on our behalf and are contractually obligated to protect your data:

A. Cloud Hosting and Infrastructure:

  • Amazon Web Services (AWS) – Servers located in India and EU regions
  • Hostinger – Servers located in India and EU
  • Google Cloud Platform – Backup and storage services

B. Business and Productivity Tools:

  • Google Workspace – Email, document storage, and collaboration
  • Slack – Internal team communication
  • Notion/Asana – Project management and task tracking

C. Analytics and Tracking:

  • Google Analytics – Website traffic analysis and user behavior insights
  • Hotjar – Heatmaps and session recordings (with anonymization)
  • Meta Pixel / LinkedIn Insight Tag – Advertising analytics (with consent)

D. Payment Processing:

  • Stripe – Credit card and online payment processing
  • PayPal – Alternative payment gateway
  • Razorpay – Payment processing for Indian clients

E. Marketing and Communications:

  • Mailchimp / SendGrid – Email marketing campaigns
  • HubSpot – CRM and marketing automation
  • Intercom – Customer support and live chat

F. Professional Services:

  • Legal advisors, accountants, and auditors (under confidentiality obligations)
  • Insurance providers (for coverage purposes)

5.2 Legal and Regulatory Disclosure

We may disclose your personal data when required by law or when we believe in good faith that disclosure is necessary to:

  • Comply with legal obligations, court orders, or government requests
  • Enforce our terms of service and protect our legal rights
  • Protect the safety, security, and rights of Brandwick, our clients, or the public
  • Detect, prevent, or address fraud, security, or technical issues

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the successor entity. We will notify you of any such change and provide options regarding your data.

5.4 With Your Consent

We may share your data with third parties when you have given explicit consent for specific purposes, such as featuring your project in our portfolio or testimonials.

6. International Data Transfers

As a digital agency serving clients globally, we may transfer your personal data outside India to countries where our service providers operate or where our clients are located.

6.1 Transfers from India

Under the DPDP Act 2023, we ensure that international data transfers are conducted with appropriate safeguards:

  • Adequacy Determinations: We transfer data to countries recognized by the Indian government as providing adequate data protection
  • Contractual Safeguards: We use Standard Contractual Clauses (SCCs) or similar mechanisms approved under Indian law
  • Consent: Where required, we obtain your explicit consent for transfers to specific jurisdictions

6.2 Transfers to the EU/EEA (GDPR Compliance)

For EU/EEA clients and users, we comply with GDPR requirements for international transfers:

  • Adequacy Decisions: We transfer data to countries with EU adequacy decisions
  • Standard Contractual Clauses (SCCs): We implement EU-approved SCCs with our processors
  • Additional Safeguards: We conduct Transfer Impact Assessments and implement supplementary security measures where needed

6.3 Transfers to the United States (CCPA/CPRA)

For California residents, we ensure that service providers processing data in the U.S. comply with CCPA/CPRA requirements and provide equivalent protections.

6.4 Security During Transfer

All international data transfers are encrypted during transmission using industry-standard protocols (TLS 1.3 or higher). We regularly review and update our transfer mechanisms to ensure ongoing compliance.

7. Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law.

7.1 Retention Periods

A. Active Clients:
During the project lifecycle and for the duration of our contractual relationship, plus applicable warranty periods.

B. Prospective Clients:
Inquiry and contact data is retained for up to 3 years from last contact, unless you request earlier deletion.

C. Marketing Communications:
Until you unsubscribe or withdraw consent, plus 30 days for processing.

D. Financial and Tax Records:
For 7 years from the end of the financial year, as required by Indian tax laws and accounting standards.

E. Legal Disputes:
Data relevant to legal claims is retained until the matter is resolved and all appeal periods have expired.

F. Technical Logs:
Server logs and analytics data are typically retained for 12-24 months for security and performance monitoring.

7.2 Secure Deletion

When retention periods expire or you request deletion of your data, we:

  • Permanently delete personal data from active systems using secure deletion methods
  • Remove data from backups within the next backup cycle (typically 90 days)
  • Anonymize data that must be retained for statistical or analytical purposes
  • Maintain deletion logs for audit and compliance purposes

7.3 User-Requested Deletion

You may request deletion of your personal data at any time by contacting hello@brandwick.com. We will process deletion requests within 30 days, subject to legal retention requirements.

8. Your Rights and Choices

Depending on your location and applicable laws, you have various rights regarding your personal data:

8.1 Rights Under the DPDP Act (India)

A. Right of Access:
You may request confirmation of whether we process your personal data and obtain a copy of such data.

B. Right to Correction:
You may request correction of inaccurate or incomplete personal data.

C. Right to Erasure:
You may request deletion of your personal data when it is no longer necessary or when you withdraw consent.

D. Right to Grievance Redressal:
You may lodge a complaint regarding data processing through our grievance mechanism (hello@brandwick.com) with a guaranteed 24-hour acknowledgment.

E. Right to Nominate:
You may nominate another individual to exercise your rights in the event of death or incapacity.

8.2 Rights Under GDPR (EU/EEA Users)

A. Right to Access:
Request a copy of your personal data in a commonly used format.

B. Right to Rectification:
Correct inaccurate personal data.

C. Right to Erasure (“Right to be Forgotten”):
Request deletion of your data under certain circumstances.

D. Right to Restriction of Processing:
Limit how we process your data in specific situations.

E. Right to Data Portability:
Receive your data in a machine-readable format and transmit it to another controller.

F. Right to Object:
Object to processing based on legitimate interests or for direct marketing purposes.

G. Right to Withdraw Consent:
Withdraw consent at any time without affecting prior processing.

H. Right to Lodge a Complaint:
File a complaint with your local supervisory authority (Data Protection Authority).

8.3 Rights Under CCPA/CPRA (California Residents)

A. Right to Know:
Request disclosure of personal information collected, sources, purposes, and third parties with whom it’s shared.

B. Right to Delete:
Request deletion of personal information, subject to exceptions.

C. Right to Correct:
Request correction of inaccurate personal information.

D. Right to Opt-Out:
Opt-out of the sale or sharing of personal information (Note: We do not sell personal information).

E. Right to Limit Use of Sensitive Personal Information:
Limit use of sensitive personal information to specified purposes.

F. Right to Non-Discrimination:
Receive equal service and pricing regardless of exercising privacy rights.

8.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

  • Email: hello@brandwick.com
  • Subject Line: Specify your request (e.g., “Data Access Request,” “Deletion Request,” “GDPR Rights”)
  • Verification: We may request identity verification to protect against unauthorized access

Response Time:

  • DPDP requests: Within 72 hours (acknowledgment), completed within 30 days
  • GDPR requests: Within 1 month (extendable to 2 months for complex requests)
  • CCPA requests: Within 45 days (extendable to 90 days)

We will not charge fees for rights requests unless they are manifestly unfounded, excessive, or repetitive.

9. Security Measures

We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, loss, destruction, alteration, or disclosure.

9.1 Technical Security Measures

A. Encryption:

  • Data in transit: TLS 1.3 encryption for all web communications
  • Data at rest: AES-256 encryption for databases and file storage
  • End-to-end encryption for sensitive client communications

B. Access Controls:

  • Role-based access control (RBAC) limiting data access to authorized personnel
  • Multi-factor authentication (MFA) for all administrative accounts
  • Regular access reviews and immediate revocation upon employee departure

C. Network Security:

  • Firewalls and intrusion detection/prevention systems
  • Regular security patching and vulnerability assessments
  • DDoS protection and rate limiting

D. Application Security:

  • Secure coding practices and regular code reviews
  • Input validation and protection against common attacks (SQL injection, XSS)

9.2 Organizational Security Measures

A. Data Protection Policies:

  • Comprehensive internal data protection and security policies
  • Mandatory employee training on data privacy and security
  • Confidentiality agreements with all employees and contractors

B. Incident Response:

  • 24/7 security monitoring and incident detection
  • Documented incident response procedures
  • Regular security drills and tabletop exercises

C. Vendor Management:

  • Due diligence assessments for all third-party processors
  • Data processing agreements with strict security obligations
  • Regular vendor security audits and compliance reviews

9.3 Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms:

  • GDPR (EU Users): We will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay
  • DPDP Act (Indian Users): We will notify the Data Protection Board of India and affected individuals as required
  • CCPA (California Residents): We will provide notice in accordance with California breach notification laws

Notifications will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.

10. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyze website traffic, and deliver personalized content and advertising.

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They enable websites to recognize your device and remember information about your visit.

10.2 Types of Cookies We Use

A. Strictly Necessary Cookies:
Essential for website functionality (e.g., security, session management). These cookies do not require consent under GDPR.

B. Performance and Analytics Cookies:

  • Google Analytics (tracking page views, session duration, bounce rates)
  • Hotjar (anonymized session recordings and heatmaps)

C. Functional Cookies:
Remember your preferences (language, region, display settings).

D. Marketing and Advertising Cookies:

  • Google Ads remarketing
  • LinkedIn Insight Tag
  • Meta Pixel (Facebook/Instagram advertising)

10.3 Cookie Consent and Management

A. Consent Banner:
Upon your first visit, we display a cookie consent banner allowing you to accept or customize cookie preferences. We use tools compliant with GDPR and ePrivacy Directive requirements.

B. Managing Cookies:
You can manage or delete cookies through:

  • Our Cookie Preferences Center: Available in the website footer
  • Browser Settings: Configure your browser to block or delete cookies
  • Opt-Out Links: Use industry opt-out tools (e.g., Network Advertising Initiative, Digital Advertising Alliance)

C. Consequences of Disabling Cookies:
Blocking certain cookies may limit website functionality or prevent access to personalized features.

10.4 Do Not Track Signals

Some browsers offer “Do Not Track” (DNT) settings. Our website currently does not respond to DNT signals due to lack of industry consensus. You can control tracking through cookie preferences instead.

10.5 Third-Party Tracking

Third-party services (Google, Meta) may set their own cookies for analytics and advertising. Please review their privacy policies for details on data collection and opt-out options.

11. Children’s Privacy

Brandwick’s services are intended for businesses and professionals. We do not knowingly collect personal data from individuals under 18 years of age.

If you are under 18, please do not provide any personal information through our website or services. If we become aware that we have inadvertently collected data from a minor, we will delete such information promptly.

Parents or guardians who believe we have collected data from a minor should contact us immediately at hello@brandwick.com.

Under the DPDP Act, we require verifiable parental consent before processing data of individuals under 18 in India.

12. Third-Party Websites and Services

Our website may contain links to third-party websites, platforms, or services (e.g., social media, partner sites, client websites) for your convenience and information.

Important Notice:
We are not responsible for the privacy practices, content, or security of third-party websites. These sites operate independently and have their own privacy policies.

We encourage you to review the privacy policies of any third-party sites you visit. Clicking on third-party links is at your own risk, and we do not endorse or make representations about external content.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, services, legal requirements, or industry standards.

13.1 Notification of Changes

A. Website Notice:
We will post the updated policy on our website (brandwick.com) with a revised “Last Updated” date.

B. Email Notification:
For material changes that significantly affect data processing or your rights, we will send email notifications to registered users and active clients.

C. Consent for Material Changes:
Where required by law (e.g., DPDP Act, GDPR), we will seek your renewed consent for significant changes before continuing to process your data.

13.2 Your Responsibility

We encourage you to review this Privacy Policy periodically. Continued use of our website or services after changes are posted constitutes acceptance of the updated policy, except where additional consent is required.

14. Contact Us and Grievance Redressal

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

Email: hello@brandwick.com
Subject Line: “Privacy Policy Inquiry” or “Data Rights Request”

Data Protection Officer / Grievance Officer:
Available at the same email address for privacy-related matters.

Response Time:
We aim to acknowledge all inquiries within 72 hours during business days (as required under DPDP Act) and provide substantive responses within applicable legal timeframes.

14.1 Grievance Redressal (DPDP Act)

If you are located in India and have concerns about our data processing activities:

  1. Contact our Grievance Officer at hello@brandwick.com
  2. We will acknowledge your grievance within 72 hours
  3. We will investigate and respond with a resolution within 30 days
  4. If unresolved, you may escalate to the Data Protection Board of India

14.2 Supervisory Authorities

For EU/EEA Users:
You have the right to lodge a complaint with your local Data Protection Authority if you believe our processing violates GDPR.

For California Residents:
You may contact the California Attorney General’s office for CCPA-related concerns.

15. Your Consent

By using our website, submitting forms, engaging our services, or otherwise providing your personal data to Brandwick, you consent to the collection, use, and processing of your information as described in this Privacy Policy.

You have the right to withdraw your consent at any time by contacting us at hello@brandwick.com. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

Thank you for trusting Brandwick with your personal data. We are committed to protecting your privacy and ensuring transparent, lawful, and respectful data processing practices.