Privacy Policy

1. Who We Are

EnsureHR ("we", "our", "us") is a compliance and payroll consulting firm operated by Winfort Services Private Limited, registered in India. Our registered office is at Janakpuri District Center, Janakpuri, New Delhi – 110058.

Our website is https://ensurehr.com. For the purposes of GDPR, EnsureHR acts as the Data Controller for personal data collected through this website.

You can contact our data representative at: ensurehr.consulting@gmail.com or +91 99713 70732.

2. Data We Collect

2.1 Data you give us directly

• Contact & enquiry forms: Full name, email address, phone number, company name, service required, message content.
• Lead funnel (get-started.html): Country, service type, company size, contact details.
• Client dashboard: Login email, password (stored as a hashed value), role, and any documents or data you upload.
• Consultation booking: Name, email, phone, preferred time slot.

2.2 Data collected automatically

• Usage data: Pages visited, time on site, scroll depth, button clicks — collected via Google Analytics 4.
• Traffic source: UTM parameters (source, medium, campaign) from the URL when you arrive.
• Device data: Browser type, operating system, screen size, device type (mobile/tablet/desktop).
• IP address: Collected by our hosting provider and Google Analytics (anonymised where required).
• Cookies: See Section 5 for full details.

2.3 Data we do NOT collect

• We do not collect payment card numbers — payments are processed by third-party providers.
• We do not collect national identification numbers unless required for a specific service you engage us for.
• We do not collect sensitive personal data (health, religion, ethnicity) through this website.

3. How We Use Your Data

• To respond to your enquiry — we email or call you back within 24 hours of form submission.
• To deliver contracted services — payroll processing, GST filing, accounting, registrations and other services you engage us for.
• To send service communications — deadline reminders, document requests, filing confirmations related to your active engagement.
• To improve our website — analytics help us understand which pages are most useful and where visitors drop off.
• To comply with legal obligations — tax records, audit trails and regulatory requirements under Indian law.
• Marketing — only if you have explicitly consented. We do not send unsolicited marketing emails.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction where GDPR or equivalent law applies, our legal basis for processing your personal data is:

• Contractual necessity — processing required to deliver a service you have requested (Art. 6(1)(b) GDPR).
• Legitimate interests — responding to enquiries, improving our website, fraud prevention (Art. 6(1)(f) GDPR).
• Consent — for cookies that are non-essential, and for any marketing communications (Art. 6(1)(a) GDPR). You may withdraw consent at any time.
• Legal obligation — where we are required to process data to comply with applicable law (Art. 6(1)(c) GDPR).

5. Cookies & Tracking

We use cookies and similar technologies on this website. A cookie is a small text file stored on your device.

Essential cookies (no consent required)

• ehr_consent — remembers your cookie consent choice. Expires: 1 year.
• ehr_exit_shown — prevents the exit popup from showing repeatedly. Expires: 7 days.
• ehr_scroll_popup — prevents the scroll popup from repeating. Expires: 3 days.
• ehr_sticky_closed — remembers if you closed the sticky CTA bar. Expires: 1 day.

Analytics cookies (consent required)

• Google Analytics 4 (_ga, _ga_*, _gid) — tracks page views, sessions, traffic sources and user behaviour to help us improve the website. Data is sent to Google LLC (USA). Google anonymises IP addresses. See Google's Privacy Policy.

Managing cookies

You can withdraw your cookie consent at any time by clearing cookies in your browser settings. You can also opt out of Google Analytics tracking via the Google Analytics Opt-out Browser Add-on.

6. Who We Share Data With

We do not sell, rent or trade your personal data. We share data only with the following trusted service providers, and only to the extent necessary to operate our services:

• EmailJS — used to send form submission notifications to our team. Data: name, email, phone, message. EmailJS Privacy Policy.
• Google Analytics 4 — website analytics. Data: anonymised usage data, device type, traffic source. Google Privacy Policy.
• HostingRaja (shared hosting) — our website and database are hosted on HostingRaja servers located in India.
• Calendly — if you book a consultation, your name and email are shared with Calendly to manage the booking. Calendly Privacy Policy.

We may also disclose data if required by law, court order, or government authority in India or any jurisdiction where we operate.

7. Data Retention

• Enquiry / lead data: Retained for 2 years from the date of submission, then deleted or anonymised.
• Active client data: Retained for the duration of the engagement plus 7 years (as required by Indian tax and accounting law).
• Dashboard accounts: Retained while the account is active. Inactive accounts with no engagement are deleted after 2 years of inactivity.
• Analytics data: Google Analytics data retention is set to 14 months. We do not store raw analytics data ourselves beyond what is shown in our dashboard.

You may request deletion of your data at any time (see Section 8). We will comply within 30 days unless we are legally required to retain it.

8. Your Rights

Depending on where you are located, you may have the following rights regarding your personal data:

• Right to access — request a copy of the personal data we hold about you.
• Right to rectification — ask us to correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten") — ask us to delete your personal data.
• Right to restrict processing — ask us to pause processing of your data in certain circumstances.
• Right to data portability — receive your data in a machine-readable format (GDPR users).
• Right to object — object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.
• Right not to be subject to automated decisions — we do not use automated decision-making or profiling that produces legal effects.

To exercise any of these rights, email us at ensurehr.consulting@gmail.com with the subject line "Data Rights Request". We will respond within 30 days.

UK and EEA residents also have the right to lodge a complaint with their local supervisory authority (e.g. the ICO in the UK at ico.org.uk, or your national data protection authority in the EU).

9. International Data Transfers

EnsureHR is based in India. If you are located in the UK, EU, UAE or another country, your personal data will be transferred to and processed in India.

Where we transfer data to processors outside India (e.g. Google Analytics in the USA, EmailJS), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions where applicable.
• Processor agreements containing GDPR-compliant data protection obligations.

India's Digital Personal Data Protection Act 2023 (DPDPA) also applies to processing of Indian residents' personal data.

10. Security

We take reasonable technical and organisational measures to protect your personal data, including:

• HTTPS encryption on all pages (TLS 1.2+).
• Passwords stored as hashed values — never in plain text.
• Role-based access control on our dashboard (clients cannot access other clients' data).
• Sensitive configuration files (config.php) blocked from public access via .htaccess.
• Directory listing disabled on our server.

No method of transmission over the internet is 100% secure. If you believe your data has been compromised, please contact us immediately at ensurehr.consulting@gmail.com.

11. Children's Privacy

Our services are intended for businesses and adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has submitted data through our website, please contact us and we will delete it promptly.

12. Indian Law — IT Act 2000 & DPDPA 2023

This privacy policy is also governed by the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as well as the Digital Personal Data Protection Act, 2023 (DPDPA).

Under Indian law, "sensitive personal data or information" includes passwords, financial information, health data, biometric data and similar categories. We collect such data only when strictly necessary for service delivery and with your explicit consent.

You may contact our Grievance Officer for any data-related complaints:

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page.

We encourage you to review this page periodically. Continued use of our website after changes are posted constitutes acceptance of the updated policy.

14. Contact & Complaints

For any questions, requests or complaints about this Privacy Policy or how we handle your data, please contact us:

If you are in the UK or EU and are not satisfied with our response, you have the right to complain to your local data protection authority. In the UK this is the Information Commissioner's Office (ICO).