This Privacy Policy explains how REALMRISK NG Pvt. Ltd. (“RealmRisk,” “we,” “us,” or “our”) collects, uses, stores, and protects your personal data when you visit our website, request access to our software (including REOS™), or interact with us through any of our services.

We are committed to safeguarding your privacy in accordance with the Digital Personal Data Protection Act, 2023 (India) and, where applicable, the General Data Protection Regulation (EU) 2016/679 (GDPR).

1. Data Controller

The data controller responsible for your personal data under this policy is:

For day-to-day privacy inquiries, our CEO acts as the designated point of contact. We are not currently classified as a Significant Data Fiduciary under the DPDP Act 2023 and are not required to appoint a formal Data Protection Officer.

2. What We Collect and Why

We collect personal data only when you voluntarily provide it. The categories of data, purposes, and legal bases are summarised below:

Data Collected	Purpose	Legal Basis
Name, email address, organization name, intended use of REOS	Processing your beta access request, verifying eligibility, and issuing your license activation file	Consent & legitimate interest (provision of contracted service)
Hardware fingerprint (salted SHA-256 hashes of MAC address, CPU ID, disk serial, motherboard serial, OS UUID)	Generating your cryptographically signed license file bound to a single machine	Contractual necessity (REOS licensing)
Email correspondence content	Responding to your support, feedback, or commercial inquiries	Legitimate interest (customer support)
IP address and basic browser metadata at submission time (collected automatically by Formspree)	Spam prevention and security; not used for analytics or marketing	Legitimate interest (security)

We do not collect: payment card information (handled by third-party processors when applicable), behavioural advertising data, biometric data, health data, or any other special category of personal data under DPDP Act 2023 / GDPR Article 9.

3. Hardware Fingerprint Disclosure

To enable per-machine licensing of REOS, our software generates a one-way salted SHA-256 hash of five hardware identifiers from your machine. These hashes are mathematically irreversible — we cannot recover the original hardware identifiers from them, and they cannot be used to identify your hardware to any third party.

The hashes are transmitted only when you voluntarily submit them to us during License Activation. They are stored in our records solely to issue and renew your license file. They are never used for tracking, profiling, marketing, or any other purpose.

4. Third-Party Processors

We use the following third-party service to process beta access requests:

Formspree (form submission)

• Provider: Formspree Inc., based in the United States
• Purpose: Receiving and forwarding submissions from our website’s beta access form
• Data shared: Name, email, organization, intended use (as submitted by you)
• Safeguards: Formspree is contractually committed to GDPR compliance through Standard Contractual Clauses. Their privacy policy is available at https://formspree.io/legal/privacy-policy/
• Data retention: Form submissions are retained on Formspree servers per their stated retention policy and are deleted from our records upon your request

We do not use third-party advertising trackers, behavioural analytics, social media pixels, or remarketing services on our website.

5. NTP Time-Synchronization Communications

The REOS software performs periodic time-synchronization checks against public Network Time Protocol (NTP) servers to detect system clock manipulation. The NTP servers used are:

• pool.ntp.org
• time.google.com
• time.cloudflare.com
• time.windows.com

These checks transmit no personal data, no model content, and no hardware identifiers. The communication consists only of a standard NTP timestamp request. These public time services have their own privacy policies, over which REALMRISK has no control.

6. Data Retention

We retain personal data for the following periods, after which it is securely deleted:

• Beta access requests that did not result in activation: 12 months from submission
• Active license records (name, email, organization, hardware hashes): For the duration of your license plus 3 years thereafter, for renewal, support, audit, and tax compliance purposes
• Email correspondence: Up to 3 years from the date of last interaction
• Financial/billing records: 8 years, as required under Indian Companies Act and tax law

You may request earlier deletion under Section 9 (Your Rights), subject to our legitimate retention obligations.

7. Data Security

We implement the following technical and organisational safeguards:

• Data in transit is protected by TLS encryption (HTTPS) on our website and form submission endpoints
• Hardware identifiers are salted and SHA-256 hashed before transmission; original values never leave your machine
• Our RSA-2048 private signing key is stored offline and is never transmitted across networks
• Access to customer records is restricted to authorised personnel of REALMRISK on a need-to-know basis
• Backup copies of customer records are encrypted at rest

While we take reasonable measures to protect your data, no electronic transmission or storage system is 100% secure. We cannot guarantee absolute security but will notify you and the appropriate regulators in the event of a personal data breach in accordance with applicable law.

8. International Data Transfers

Your data is primarily stored on servers located in India. When you submit a form through Formspree, your submission may transit through servers located in the United States before reaching us. Formspree has implemented Standard Contractual Clauses approved by the European Commission as a safeguard for international data transfers.

If you are located in the European Economic Area, United Kingdom, or other jurisdictions with data export restrictions, by submitting your data you consent to this transfer.

9. Your Rights

You have the following rights regarding your personal data under DPDP Act 2023 and, where applicable, GDPR:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data, subject to our legal retention obligations
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time (note: this will result in termination of your REOS license)
• Right to data portability (GDPR): Request your data in a structured, commonly used, machine-readable format
• Right to object (GDPR): Object to processing based on legitimate interests
• Right to lodge a complaint: File a complaint with the Data Protection Board of India or your local data protection authority

To exercise any of these rights, email reos@realmrisk.com. We will respond within 30 days. We may request reasonable proof of identity before fulfilling certain requests.

10. Children’s Data

REOS and the RealmRisk website are intended for professional use by qualified engineers and researchers. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at reos@realmrisk.com and we will delete it promptly.

11. Cookies

The RealmRisk website uses only essential session cookies required for basic site functionality. We do not use tracking cookies, advertising cookies, or analytics cookies that require consent under EU ePrivacy regulations.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. The “Last Updated” date at the top of this page indicates when the policy was last revised. For material changes, we will notify active license holders by email at least 30 days before the changes take effect.

13. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the Republic of India, without regard to its conflict of law principles. Any legal action arising from this policy shall be brought exclusively in the courts located in Roorkee, Uttarakhand, India.

Where the GDPR applies to our processing of your data, the GDPR’s provisions shall apply in addition to those described above.

14. Contact Us

For any questions about this Privacy Policy or our data practices, contact:

← Back to RealmRisk