PRIVACY POLICY

1.1 Purpose

This Privacy Policy explains how Cynical Technology Pvt. Ltd. ("Company", "we", "our", or "us") collects, uses, stores, protects, discloses, and otherwise processes personal information obtained through our website, cybersecurity services, applications, communications, and related platforms.

This Privacy Policy is intended to promote transparency regarding our information handling practices and to assist individuals in understanding their rights concerning personal information.

2.1 Applicability

This Privacy Policy applies to visitors of our website, existing and prospective clients, individuals requesting quotations, business partners, and individuals communicating with us through any channel.

2.2 Jurisdictional Scope

This Privacy Policy applies regardless of whether you access our services from Nepal or another jurisdiction, except where expressly superseded by mandatory applicable local laws governing your specific region.

3.1 Core Terms

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on Personal Data including collection, recording, storage, organization, retrieval, consultation, use, disclosure, transmission, deletion, or destruction.

"Client Data" means information entrusted to the Company during the provision of cybersecurity services.

"Security Engagement" means any penetration test, vulnerability assessment, red team exercise, audit, incident response activity, or related cybersecurity service.

4.1 Information You Provide

We may collect your full name, company name, job title, email address, telephone number, billing information, project requirements, messages submitted through contact forms, files voluntarily uploaded, and recruitment documents.

4.2 Information Collected Automatically

When visiting our website or platforms, we may automatically collect your IP address, browser type, operating system, device identifiers, referring website, pages visited, session duration, security event logs, and diagnostic information.

4.3 Information Obtained from Third Parties

Information may be obtained from business partners, publicly available sources, professional networking platforms, referral partners, and regulatory authorities where legally required.

4.4 Information Collected During Security Engagements

Depending upon the scope of an authorized engagement, we may process vulnerability information, network architecture, authentication mechanisms, technical logs, system metadata, and evidence supporting security findings. Such information is processed strictly under confidentiality obligations.

5.1 Legal Basis for Processing

We process Personal Data based on your explicit consent, to fulfill our contractual obligations to you (such as executing a Security Engagement), to comply with legal and regulatory mandates, or to pursue our legitimate business interests in maintaining secure and operational infrastructure.

5.2 How We Use Your Information

Your information is utilized to deliver requested cybersecurity services, manage portal accounts, process payments, verify identities for bug bounty payouts, respond to inquiries, and continuously improve the threat-detection algorithms of our platforms.

6.1 Analytics and Website Technologies

We utilize "Cookies" (small data files stored on your device) and similar tracking technologies to enable core website functionality, remember your preferences, and secure your session data. We may also use aggregated analytics tools to understand how users interact with our enterprise portals.

7.1 Service Providers and Partners

We may share necessary data with trusted third-party service providers (such as cloud hosting, payment processors, and CRM platforms) solely to support our business operations. These entities are strictly bound by confidentiality agreements.

7.2 Legal and Corporate Transitions

We may disclose Personal Data to legal or regulatory authorities if legally compelled to do so by a valid court order or subpoena. In the event of a corporate transaction, such as a merger or acquisition, Personal Data may be transferred as a business asset under continued privacy obligations.

8.1 Threat Detection Systems

When utilizing our automated monitoring solutions, such as Vigile.AI, we may process system event data and network logs using machine learning and artificial intelligence to proactively detect active security threats. This processing is strictly limited to threat mitigation, and Client Data is never utilized to train public generative AI models.

9.1 Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, execute contractual agreements, resolve disputes, and comply with mandatory legal retention periods in Nepal.

9.2 International Data Transfers

Given the global nature of cybersecurity, some technical data may be routed or stored on secure cloud infrastructure located outside your country of residence. We ensure that any cross-border transfers comply with appropriate legal safeguards and encryption standards.

10.1 Technical Safeguards

We implement administrative, technical, and organizational safeguards designed to protect information from unauthorized access, disclosure, alteration, and destruction. Security measures include encryption in transit and at rest, role-based access controls, multi-factor authentication, and continuous security logging.

10.2 Transmission Acknowledgment

While we employ commercially reasonable security practices and secure software development lifecycles, no method of electronic transmission or data storage can be guaranteed to be completely secure.

11.1 Statutory Entitlements

Subject to applicable law, including the Individual Privacy Act, 2075 (2018) of Nepal, you have the right to be informed about the collection and use of your personal information, request the correction or update of inaccurate data upon providing necessary evidence, and withhold or withdraw your consent regarding the processing or publication of your data. Furthermore, collected data must be kept confidential and cannot be used for purposes other than those specified at the time of collection without your explicit authorization.

11.2 Exercising Your Rights

To exercise any of these rights, please contact our Data Protection Office using the contact information provided below. We will verify your identity before processing any such requests and will respond within the legally mandated timeframe.

12.1 Confidentiality of Security Reports

All findings, Deliverables, and vulnerability disclosures generated during a Security Engagement are treated as strictly confidential and will not be disclosed to third parties without the Client's explicit written authorization, except where mandated by law.

12.2 Data Breach Notifications

In the unlikely event of a verified data breach compromising your Personal Data, we will notify affected individuals and relevant supervisory authorities without undue delay, in accordance with applicable cybersecurity laws.

13.1 Amendments

We reserve the right to amend this Privacy Policy from time to time to reflect structural changes in our operational procedures or evolving legal frameworks. Material changes will be communicated through appropriate channels, including updates published on our corporate website.

13.2 Acceptance of Changes

Continued use of our services following the publication of the revised Privacy Policy constitutes your acknowledgment and acceptance of the updated terms, to the maximum extent permitted by applicable law.

14.1 Compliance Operations

Questions, concerns, or requests regarding this Privacy Policy or your Personal Data rights may be directed to our internal compliance team at the physical and digital addresses listed below.