What this policy covers and what it does not
This document covers personal data we collect and process directly through our public website, our free tools, our public-facing forms (booking a call, applying to a role, general contact), and any pre-engagement marketing communications. It does not cover personal data inside our internal systems used by paying clients (the client portal at business.digitalheroes.co.in and the team portal at portal.digitalheroes.co.in run under separate, signed Master Services Agreements and Data Processing Agreements with each client). Where a paid engagement makes us a data processor for a client, that client's privacy notice and our DPA with them govern that processing, not this page.
Data we collect
The data we collect depends on how you interact with the site. We collect the minimum we need for each interaction; we do not collect more so that we have it later.
When you visit any page: with your consent (granted via the cookie banner that appears on your first visit), Google Analytics 4 collects standard web-analytics data including a randomized client identifier, the URL of the page you viewed, the URL that referred you, your approximate region (resolved from your IP address with the IP itself anonymized before storage), your device type, browser type, operating system, viewport size, and basic interaction events. If you reject analytics or accept only essential cookies, no analytics identifier is set and no analytics requests are sent.
When you book a call at /book/: the name, work email, phone or WhatsApp number, company name (optional), service of interest, budget range, country your business operates in, the date and time you selected, your free-text notes, your browser timezone, and (best-effort, only if you grant the browser geolocation prompt) your approximate latitude and longitude. We also receive a server-side IP-derived approximate location (city, region, country) from our hosting layer for context. Submission contents are emailed to our team and a copy of the confirmation is emailed back to you.
When you apply to a role at /careers/: the role you selected, your full name, email, phone or WhatsApp, city, current and expected compensation if you provide them, notice period, employment status, a link to your resume, an optional portfolio or profile link, and a free-text "why this role" message. The application is written into our hiring system and a notification is emailed to our HR inbox.
When you use a free tool at /tools/: in almost every tool, nothing reaches our servers. Inputs you paste are processed entirely in your browser and the results render locally. A small number of tools call public third-party APIs and the URL or domain you enter is sent to that API only. Each such tool discloses the third-party endpoint on its own page.
When you email us at any of our published addresses: the contents of the email, your email address, and any attachments. Email is processed by our standard business email provider.
How we use it
Three lawful bases, three purposes, no fourth. Legitimate interest: operating the website, responding to inbound inquiries, vetting applications, and protecting against fraud and abuse. Consent: the analytics and marketing cookies that fire only after you accept them, and any newsletter or marketing communication you opt in to. Contract: data we process to scope, propose, deliver, invoice, and support a paid engagement once you sign with us.
We do not sell, rent, license, or disclose personal data to advertisers, data brokers, or any third party for their own marketing purposes. We do not use the personal data we collect through this website to train our own AI models or to enrich any commercial AI training corpus. We do not run cross-site advertising trackers (no Meta Pixel, no Google Ads remarketing tag, no LinkedIn Insight Tag, no TikTok Pixel) on this site.
Cookies and browser storage
We use a small, documented set of cookies and browser-storage entries. The first time you visit, a banner asks you to accept all cookies, accept only analytics, or reject everything except essentials. Your choice is stored in your browser as a localStorage entry named dh-consent and respected on every subsequent visit; you can change it any time by clearing your site data and reloading.
Strictly necessary (always set, no consent required): a localStorage entry named dh-theme remembers whether you selected dark or light mode. The consent record itself (dh-consent) is also strictly necessary because it records your statutory choice.
Functional (set with consent, used by individual tools): some tool pages persist your last-used inputs in localStorage so you do not have to re-enter them. Keys are prefixed with dh- and are scoped to the originating tool. None of this state leaves your browser.
Analytics (set only after you accept all cookies or analytics-only): Google Analytics 4 sets identifiers used to count unique visitors and sessions. We have enabled IP anonymization (the IP address is anonymized in transit before Google stores any record of it) and Google Consent Mode v2, which means even after consent, ad-personalization and remarketing remain denied unless you specifically accept all.
A more detailed cookie inventory lives at /cookies/.
Sub-processors and third parties
The vendors below are involved in operating the site and our forms. Each is bound by its own published data-processing terms, which are linked from each entry.
- Vercel — site hosting, serverless functions for the booking and applications endpoints, edge geolocation headers. vercel.com/legal/privacy-policy
- Supabase — backend database for job openings and applications submitted from the careers form. supabase.com/privacy
- Resend — transactional email delivery for booking confirmations, application notifications, and one-to-one team replies. resend.com/legal/privacy-policy
- Google Analytics 4 — privacy-conscious web analytics with Consent Mode v2 and IP anonymization. Fires only with your consent. policies.google.com/privacy
- Google Fonts — typography (Space Grotesk, Inter, Instrument Serif, JetBrains Mono) served from Google's CDN. The font request is a standard HTTP request that Google logs per its privacy policy.
- Cloudflare CDN (cdnjs) — third-party JavaScript libraries (GSAP) loaded from cdnjs.cloudflare.com. cloudflare.com/privacypolicy
- Google PageSpeed Insights API — used by the Website Audit tool only, when you explicitly run an audit on a URL you provide. The URL goes from your browser to Google; we do not proxy or log it.
If you operate as a corporate buyer and need a signed Data Processing Agreement covering personal data we process for you under a paid engagement, email legal@digitalheroes.co.in. We sign GDPR Article 28 DPAs as a standard part of any engagement that requires one.
International transfers
As a dual-HQ company with offices in the United States, India, the United Kingdom, and Australia, we routinely transfer personal data internationally between our offices and our sub-processors. Where data on a person resident in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country without an adequacy decision, the transfer is protected by the European Commission's Standard Contractual Clauses (the 2021 SCC modules, including the UK Addendum where the UK is involved) executed with each sub-processor. Where data on a person resident in India is transferred outside India, the transfer is conducted under the cross-border transfer mechanisms set out in the Digital Personal Data Protection Act, 2023 and any rules notified under it.
Your rights — GDPR, UK GDPR, CCPA, DPDP
If you are in the European Economic Area (GDPR), you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. You also have the right to lodge a complaint with your national data protection authority.
If you are in the United Kingdom (UK GDPR + Data Protection Act 2018), you have the same rights as EEA residents, plus the right to complain to the Information Commissioner's Office at ico.org.uk.
If you are a California resident (CCPA as amended by CPRA), you have the right to know what personal information we collect about you, the right to delete, the right to correct, the right to opt out of sale or sharing of personal information, and the right not to be discriminated against for exercising these rights. We do not sell your personal information and we do not share it for cross-context behavioral advertising. There is no "Do Not Sell or Share My Personal Information" link on this site because there is nothing to opt out of; if that ever changes, the link will be added at that time.
If you are in India (Digital Personal Data Protection Act, 2023), you have the right to obtain confirmation and access, the right to correction and erasure, the right to grievance redressal, and the right to nominate another individual to exercise these rights on your behalf in case of incapacity or death.
To exercise any right above, email privacy@digitalheroes.co.in from the address on file (or, if that address has changed, with sufficient detail to verify your identity through alternate means). We respond within thirty days for GDPR / UK GDPR requests, forty-five days for CCPA requests (extendable once by another forty-five days where reasonably necessary), and within the timelines required by the Indian DPDP Rules once notified. There is no fee for exercising a right; we may charge a reasonable fee or refuse the request only where it is manifestly unfounded or excessive, as permitted by the applicable statute.
Data retention
Analytics data is retained for the default Google Analytics 4 retention window (currently fourteen months for event-level data, after which it is automatically deleted by Google). Booking-form submissions and applicant data are retained for the duration of the active conversation plus twelve months thereafter for record-keeping; applicant resumes that do not lead to an offer are deleted on request, otherwise they are retained for up to twelve months in case a relevant role opens. Email correspondence is retained for a period reasonable for operating the business (we do not bulk-delete inboxes). Marketing-list subscriber records are retained until you unsubscribe, after which we keep a minimal suppression record so we do not accidentally re-add you.
Security
The site is served over HTTPS only with HSTS enabled. Form submissions are encrypted in transit. Server-side endpoints validate inputs and rate-limit by IP. Personal data inside our hosting and database providers is protected by access controls native to those platforms; only employees and contractors who need access for a documented purpose receive it. We never store credit card or banking information on our infrastructure; if a paid engagement requires payment, we issue an invoice and you pay through your banking channel of choice or a payment processor (Stripe or Razorpay) where the card data goes directly to the processor and never touches our servers.
No system on the public internet is invulnerable. If you become aware of a security issue affecting personal data on this site, please email legal@digitalheroes.co.in with the details and we will respond within five business days. We will notify affected users and the relevant supervisory authority as required by GDPR Article 33, the Indian DPDP Act, and any other applicable breach-notification rule.
Children
Our services are not directed at children under sixteen. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@digitalheroes.co.in and we will delete it.
Automated decision-making
We do not make decisions that produce legal or similarly significant effects on you using solely automated processing. Applicant review, pricing decisions, and engagement scoping are reviewed by a human before a decision is communicated.
Changes to this policy
We update this policy when our practices change. The last-updated date at the top reflects the most recent revision, and the page is version-controlled in our public git repository so prior revisions are auditable. Material changes (anything that would make us collect more, share more, or retain longer) will be flagged at the top of the page for at least thirty days after publication.
Contact
Privacy questions, data-rights requests, complaints: privacy@digitalheroes.co.in. General contact: support@digitalheroes.co.in. Legal notices: legal@digitalheroes.co.in. We are reachable through any of these inboxes from any of our offices in New York, Delhi, London, Lucknow, or Sydney.