Privacy policy

PRIVACY POLICY

 

This Privacy Policy is a legally binding document governing the collection, use, storage, and disclosure of personal data by Gambit Enclave LLC. Please read it carefully before using this Platform.

1. PRELIMINARY PROVISIONS

1.1 Identity of the Data Fiduciary

This Privacy Policy ('Policy') is published by Gambit Enclave LLC, a company established in 2021, having its principal place of business at New Delhi, India ('Company', 'We', 'Us', or 'Our'). The Company operates the website www.gambitenclave.com and all associated subdomains, applications, and digital properties (collectively, the 'Platform').

For purposes of the Digital Personal Data Protection Act, 2023 ('DPDPA'), the Company is the Data Fiduciary responsible for determining the purpose and means of processing personal data collected through the Platform.

1.2 Scope and Applicability

This Policy applies to:

  • All visitors to the Platform, whether or not they engage with any service or create an account;

  • All users who submit inquiries, enroll in programs, or engage with the Company's services, including the Gambit Legal Academy, digital marketing consultancy, podcast, and media features;

  • All individuals whose personal data is processed by the Company in the course of its operations.

This Policy does not apply to third-party websites, platforms, or services that may be linked from the Platform. The Company assumes no responsibility for the privacy practices of such third parties.

1.3 Definitions

For the purposes of this Policy, the following terms shall have the meanings ascribed to them below:

  1. 'Personal Data': means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDPA, 2023 and includes 'personal information' as defined under the IT (Amendment) Act, 2008.

  2. 'Sensitive Personal Data or Information' ('SPDI'): means such personal information as specified under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including passwords, financial information, physical, physiological, and mental health conditions, and biometric information.

  3. 'Data Principal': means the natural person to whom the personal data relates.

  4. 'Data Fiduciary': means the Company, which alone or in conjunction with other persons determines the purpose and means of processing of personal data.

  5. 'Data Processor': means any person who processes personal data on behalf of a Data Fiduciary.

  6. 'Processing': means wholly or partly automated operations or set of operations performed on digital personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, or erasure.

  7. 'Consent': means any free, specific, informed, unconditional, and unambiguous indication of the Data Principal's agreement to the processing of their personal data.

  8. 'Cookies': means small data files placed on a user's device by a website to enable certain functionalities and track browsing behavior.

  9. 'Grievance Officer': means the officer designated under this Policy and under applicable law to address complaints and grievances related to the processing of personal data.

2. INFORMATION WE COLLECT

2.1 Categories of Personal Data

The Company collects the following categories of personal data, depending on the nature of the user's interaction with the Platform:

2.1.1 Data Provided Directly by the User

  • Full name, as submitted through the contact or inquiry form;

  • Email address, for correspondence and service delivery;

  • Nature of inquiry selected from a dropdown menu (e.g., Strategic Consulting, Legal Academy Enrollment, Digital Marketing Consultation);

  • Message content describing the user's objectives, submitted through the contact form;

  • Academic and professional background, where voluntarily shared in connection with program enrollment inquiries;

  • Any other information voluntarily disclosed by the user in their communications with the Company.

2.1.2 Data Collected Automatically

  • Internet Protocol (IP) address and approximate geolocation derived therefrom;

  • Browser type, version, and language settings;

  • Operating system and device type;

  • Referring URLs and exit pages;

  • Pages visited, time spent on each page, and click-stream data;

  • Date and time of access;

  • Unique device identifiers and session tokens.

2.1.3 Data Collected Through Cookies and Tracking Technologies

The Platform uses cookies, web beacons, pixel tags, and similar tracking technologies to collect data about user behaviour. For detailed information, please refer to Section 7 (Cookies and Tracking Technologies) of this Policy.

2.2 Data We Do Not Intentionally Collect

The Platform is not directed at children below the age of 18 years. The Company does not knowingly collect personal data from minors. If we become aware that personal data of a minor has been collected without verifiable parental or guardian consent, we will take immediate steps to delete such data. Any person who believes that a minor's data has been submitted to us is requested to contact the Grievance Officer immediately.

The Company does not intentionally collect Sensitive Personal Data or Information (SPDI) through its standard data collection mechanisms. However, if a user voluntarily discloses SPDI in the message field of the contact form or in direct communications, such data shall be treated with the heightened level of protection mandated under the SPDI Rules, 2011.

3. PURPOSE AND LEGAL BASIS FOR PROCESSING

3.1 Purposes of Processing

The Company processes personal data only for the following specified, lawful, and legitimate purposes:

  1. To respond to and process inquiries submitted through the Platform's contact form;

  2. To assess eligibility and facilitate enrollment into the Gambit Legal Academy programs;

  3. To deliver digital marketing, strategic consulting, and brand development services as engaged by the user;

  4. To send transactional communications, including confirmation of inquiry receipt, program enrollment updates, and service delivery correspondence;

  5. To send marketing and promotional communications regarding the Company's services, programs, podcast episodes, and events, subject to the user's consent;

  6. To improve, optimize, and personalize the Platform's features and user experience;

  7. To conduct internal analytics, research, and reporting for business development purposes;

  8. To detect, investigate, and prevent fraudulent transactions, misuse, and other illegal activities;

  9. To comply with applicable legal obligations, including obligations under the IT Act, DPDPA, SPDI Rules, and any order of a competent authority or court;

  10. To establish, exercise, or defend legal claims.

3.2 Legal Basis for Processing

The Company relies on the following lawful bases for processing personal data:

  1. Consent: Where the user has provided free, specific, informed, unconditional, and unambiguous consent to the processing of their personal data, including through the act of submitting the contact or inquiry form.

  2. Contractual Necessity: Where processing is necessary for the performance of a contract to which the user is a party, including the provision of legal academy programs or consulting services.

  3. Legitimate Interests: Where processing is necessary for the purposes of the legitimate interests pursued by the Company, including analytics, security, fraud prevention, and platform improvement, provided such interests are not overridden by the fundamental rights and freedoms of the Data Principal.

  4. Legal Obligation: Where processing is necessary for compliance with a legal obligation to which the Company is subject under applicable Indian law.

3.3 Principle of Purpose Limitation

Personal data collected for a specified purpose shall not be processed for any other purpose that is incompatible with the original purpose of collection, without obtaining fresh consent from the Data Principal. The Company shall not repurpose personal data in any manner that would be unexpected or objectionable to the Data Principal.

4. DATA SHARING AND DISCLOSURE

4.1 Third-Party Disclosure

The Company does not sell, rent, or trade personal data to third parties for commercial purposes. Personal data may be shared only in the following circumstances:

4.1.1 Service Providers and Data Processors

The Company may engage third-party service providers who process personal data on its behalf as Data Processors. These include:

  • Email service providers and communication platforms;

  • Website hosting and cloud infrastructure providers;

  • Analytics and performance monitoring tools;

  • Payment gateway operators (where applicable for program enrollment fees);

  • Customer relationship management (CRM) software providers.

All Data Processors engaged by the Company are bound by data processing agreements that require them to process personal data only on the Company's documented instructions, implement appropriate security measures, and comply with applicable data protection law.

4.1.2 Legal and Regulatory Disclosure

The Company may disclose personal data to governmental authorities, law enforcement agencies, or regulatory bodies where required to do so by applicable law, court order, or governmental regulation, or where such disclosure is necessary to protect the rights, property, or safety of the Company, its users, or the public.

4.1.3 Business Transfers

In the event of a merger, acquisition, restructuring, sale of assets, or any other form of business combination involving the Company, personal data may be transferred to the acquirer or successor entity, subject to the same level of data protection as provided under this Policy. The Company shall notify affected users of any such transfer.

4.2 Cross-Border Transfers

The Company is based in India and processes personal data primarily within India. However, certain Data Processors engaged by the Company may be located outside India, including in the United States and the European Union. Where personal data is transferred outside India, the Company shall ensure that such transfer complies with the provisions of Section 16 of the DPDPA, 2023, and that the recipient country or entity provides an adequate level of data protection comparable to Indian standards.

By using the Platform and submitting personal data, the user consents to the transfer of their personal data to countries outside India as described in this Policy, subject to the safeguards described herein.

5. DATA RETENTION

The Company retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, as described in this Policy, or as required by applicable law. The following retention periods apply:

  • Inquiry and contact form data: Retained for a period of three (3) years from the date of submission, or until the resolution of any pending matter arising from such inquiry, whichever is later.

  • Program enrollment and student data: Retained for a period of seven (7) years from the date of program completion or termination, in accordance with applicable record-keeping requirements.

  • Marketing and communication preferences: Retained until the user withdraws consent or opts out of such communications.

  • Automatically collected usage data and logs: Retained for a period of twelve (12) months from the date of collection.

  • Legal hold data: Retained for the duration of any legal proceeding, investigation, or regulatory inquiry in which such data is relevant.

Upon expiry of the applicable retention period, personal data shall be securely deleted, anonymized, or archived in a manner that prevents identification of the Data Principal, unless retention is required by law.

6. SECURITY SAFEGUARDS

The Company implements reasonable security practices and procedures as mandated under Rule 8 of the SPDI Rules, 2011 and in accordance with the security standards prescribed under the DPDPA, 2023. These include:

  • Encryption of data in transit using industry-standard Transport Layer Security (TLS) protocols;

  • Access controls and authentication mechanisms to restrict access to personal data to authorised personnel only;

  • Regular security assessments, vulnerability testing, and system audits;

  • Physical and logical security controls for servers and data storage infrastructure;

  • Employee training and awareness programs on data protection obligations;

  • Incident response and breach notification procedures.

Notwithstanding the foregoing, no method of transmission over the internet or electronic storage is completely secure. The Company cannot guarantee the absolute security of personal data and shall not be liable for any breach of security that occurs despite reasonable precautions, except to the extent required by applicable law.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of Data Principals, the Company shall notify the Data Protection Board of India (upon its constitution) and affected users in accordance with the timelines prescribed under the DPDPA, 2023.

7. COOKIES AND TRACKING TECHNOLOGIES

7.1 Types of Cookies Used

The Platform uses the following categories of cookies:

(a) Strictly Necessary Cookies: These cookies are essential for the Platform to function and cannot be switched off. They are typically set in response to actions taken by the user, such as setting privacy preferences or filling in forms.

(b) Performance and Analytics Cookies: These cookies collect information about how visitors use the Platform, including which pages are most frequently visited and whether users receive error messages. This information is used to improve the Platform's performance.

(c) Functionality Cookies: These cookies allow the Platform to remember choices made by the user, such as language preferences, and provide enhanced, personalised features.

(d) Targeting and Advertising Cookies: These cookies may be set by advertising partners to build a profile of the user's interests and deliver relevant advertisements on other platforms.

7.2 Management of Cookies

Users may control and manage cookies through their browser settings. Most browsers allow users to refuse cookies, delete cookies that have already been set, and receive alerts before cookies are stored. Please note that disabling certain cookies may affect the functionality of the Platform.

Where consent is required for the placement of non-essential cookies, such consent shall be obtained through a cookie consent mechanism upon the user's first visit to the Platform. Users may withdraw their consent to the use of non-essential cookies at any time by adjusting their browser settings or using the cookie management tool available on the Platform.

8. RIGHTS OF DATA PRINCIPALS

Subject to applicable law and the DPDPA, 2023, Data Principals have the following rights with respect to their personal data:

  1. Right to Access: The right to obtain confirmation as to whether the Company is processing their personal data and, if so, to access such data and information about the processing.

  2. Right to Correction: The right to request the correction of inaccurate or incomplete personal data.

  3. Right to Erasure: The right to request the deletion of personal data where it is no longer necessary for the purpose for which it was collected, or where consent has been withdrawn and there is no other lawful basis for processing.

  4. Right to Withdraw Consent: The right to withdraw consent to the processing of personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

  5. Right to Grievance Redressal: The right to have grievances addressed by the Company's Grievance Officer in a timely and effective manner.

  6. Right to Nominate: Under the DPDPA, 2023, Data Principals have the right to nominate another individual to exercise their rights on their behalf in the event of death or incapacity.

To exercise any of the rights listed above, Data Principals may submit a request to the Grievance Officer at the contact details provided in Section 10 of this Policy. The Company shall respond to all valid requests within thirty (30) days of receipt.

9. WITHDRAWAL OF CONSENT

Where the legal basis for processing is consent, Data Principals may withdraw their consent at any time by submitting a written request to the Grievance Officer. Withdrawal of consent shall not affect the lawfulness of any processing carried out before such withdrawal.

Upon receipt of a valid withdrawal request, the Company shall cease processing the relevant personal data for the purpose(s) for which consent was given, within a reasonable period not exceeding thirty (30) days, subject to the Company's legal obligations and legitimate interests.

Data Principals who wish to unsubscribe from marketing communications may do so by clicking the unsubscribe link in any marketing email or by submitting a request to hello@gambitenclave.com.

10. GRIEVANCE REDRESSAL

In accordance with the IT Act, 2000, SPDI Rules, 2011, and DPDPA, 2023, the Company has designated a Grievance Officer to address complaints and concerns related to the processing of personal data.

Grievance Officer: Nihshank Upadhyay

Organisation: Gambit Enclave LLC

Email: hello@gambitenclave.com

Address: New Delhi, India

Any user who has a complaint, concern, or query in relation to the Company's data processing practices may submit a written grievance to the Grievance Officer. The Grievance Officer shall acknowledge receipt of the grievance within five (5) business days and endeavour to resolve the grievance within thirty (30) days of receipt.

If the user is not satisfied with the resolution provided by the Grievance Officer, they may escalate the matter to the Data Protection Board of India, upon its constitution under the DPDPA, 2023.

11. AMENDMENTS TO THIS POLICY

The Company reserves the right to amend this Policy at any time to reflect changes in applicable law, regulatory requirements, or the Company's data processing practices. Any material changes to this Policy shall be notified to users through a prominent notice on the Platform or by direct communication, at least fifteen (15) days prior to the effective date of such changes.

Continued use of the Platform following the effective date of any amended Policy constitutes acceptance of the revised terms. If a user does not agree to the amended Policy, they must discontinue their use of the Platform and may exercise their rights as described in Section 8 of this Policy.

CONTACT & GRIEVANCE OFFICER

Gambit Enclave LLC  |  New Delhi, India  |  hello@gambitenclave.com

www.gambitenclave.com

© 2026 Gambit Enclave LLC. All Rights Reserved.