This page provides information for visitors and contacts who are in the European Economic Area (EEA) or the United Kingdom (UK) about how Innovant Zone ("Innovant Zone", "we", "us") processes personal data in connection with innovantzone.com (the "Site") and related enquiries. It supplements our Privacy Policy and is designed to meet transparency expectations under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR, as applicable. If anything in this notice conflicts with a specific agreement you have with us, the agreement prevails for that relationship.
Controller
For personal data described here, the controller is Innovant Zone. You can reach us for privacy matters at info@innovantzone.com. Our business is operated from Islamabad, Pakistan; we work with clients internationally. We have not appointed a Data Protection Officer under Article 37 GDPR, as we are not currently required to do so; privacy requests are handled using the contact details above.
When this notice applies
This notice applies where we process personal data about individuals in the EEA or UK in relation to the Site (for example when you browse, submit our contact form, or book a call where that feature is available) and when we communicate with you about our services before a contract is concluded. It does not cover processing where another company is solely responsible (for example your employer's systems).
Categories of personal data
Depending on how you interact with us, we may process:
- Identity and contact data you provide (such as name, email address, company name, and the contents of your message, service interest, and indicative budget range when you use the contact form).
- Technical and usage data relating to your device and visit (such as IP address, browser type, general geographic region derived from IP, pages viewed, referring URL, and timestamps), collected via our hosting and infrastructure.
- Analytics data in aggregate form (for example page views and performance metrics via Vercel Web Analytics) to understand how the Site is used.
- Scheduling data if you use a calendar or meeting booking flow (such as name, email, preferred time, and notes), processed to arrange the meeting.
We do not aim to collect special categories of data (such as health data) via the Site. Please do not send us such information unless we explicitly request it under a separate engagement.
Purposes and legal bases
We process personal data for the following purposes and on the following legal bases under Article 6 GDPR:
- Operating and securing the Site (hosting, delivery, fraud prevention, abuse detection, and maintaining logs for security): legitimate interests (Article 6(1)(f)) in running a secure, reliable website; where required, performance of a contract or steps at your request (Article 6(1)(b)).
- Responding to enquiries and assessing potential projects: predominantly legitimate interests in communicating with prospective clients; where you become a client, performance of a contract or pre-contractual steps at your request (Article 6(1)(b)).
- Aggregate analytics to improve content and performance: legitimate interests in understanding how the Site is used, where we use privacy-conscious, aggregate tools and do not sell personal data.
- Arranging calls or meetings when you request them: legitimate interests and, as applicable, performance of a contract or pre-contractual steps (Article 6(1)(b)).
- Compliance with law (for example responding to lawful requests from authorities): legal obligation (Article 6(1)(c)) or legitimate interests in establishing, exercising, or defending legal claims (Article 6(1)(f)), as applicable.
- Where we rely on consent (for example for optional non-essential cookies or marketing, if we offer those mechanisms separately), processing is based on consent (Article 6(1)(a)), which you may withdraw at any time without affecting the lawfulness of processing before withdrawal.
Legitimate interests
Where we rely on legitimate interests, we consider your rights and expectations. Our interests include: providing and improving the Site; responding to business enquiries; securing our systems; and understanding aggregate usage. You may object to processing based on legitimate interests as explained under "Your rights" below.
Recipients and processors
We use trusted service providers who process data on our instructions ("processors"), including for example cloud hosting and deployment (such as Vercel), analytics as described in our Privacy Policy, and calendar or productivity tools if you book a meeting. We may also share data with professional advisers (lawyers, accountants, insurers) when necessary, or with public authorities when required by law. We do not sell personal data.
Transfers outside the EEA and UK
Innovant Zone is established outside the EEA/UK. Your data may be accessed from Pakistan or processed in other countries where our providers operate (including the United States). Where the GDPR or UK GDPR requires safeguards for such transfers, we rely on mechanisms such as the European Commission's standard contractual clauses, the UK International Data Transfer Addendum or UK IDTA as applicable, or other valid transfer tools offered by our vendors, together with supplementary measures where appropriate.
Retention
We keep personal data only as long as necessary for the purposes above. Enquiry and contact information is typically retained for up to twenty-four (24) months after our last meaningful interaction unless a longer period is required by law or an ongoing contract. Technical and security logs are retained for shorter periods in line with our hosting provider's practices. We may retain minimal records longer where needed for legal claims or compliance.
Your rights
Subject to applicable law and exceptions, you may have the right to:
- Access (Article 15) — obtain confirmation of processing and a copy of your personal data.
- Rectification (Article 16) — correct inaccurate data.
- Erasure ("right to be forgotten", Article 17) — ask us to delete data in certain situations.
- Restriction (Article 18) — ask us to limit processing in certain situations.
- Data portability (Article 20) — receive data you provided in a structured, machine-readable format where processing is based on consent or contract and is automated.
- Object (Article 21) — object to processing based on legitimate interests or for direct marketing (we do not use the Site for unsolicited marketing without an appropriate consent or legal basis).
- Withdraw consent at any time, where processing is based on consent, without affecting lawfulness before withdrawal.
- Lodge a complaint with a supervisory authority (see below).
To exercise these rights, email info@innovantzone.com. We may need to verify your identity. We will respond within the timeframes required by law (typically within one month, subject to extension in complex cases).
Supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority in your country of habitual residence, place of work, or place of an alleged infringement. A list of EU supervisory authorities is available from the European Data Protection Board. In the UK, the supervisory authority is the Information Commissioner's Office (ICO).
Statutory or contractual requirement
You are not generally required by law to provide personal data to use the Site. Some fields in our contact form may be necessary for us to respond meaningfully to your request; if so, we indicate required fields at the point of collection.
Automated decision-making and profiling
We do not use the personal data described here for automated decision-making or profiling that produces legal or similarly significant effects within the meaning of Article 22 GDPR.
Changes
We may update this page from time to time. The "Last updated" date at the top will change when we do. Please review this page periodically; material changes may also be reflected in our Privacy Policy.
Questions about GDPR or our processing: info@innovantzone.com