Privacy Policy
This Privacy Policy explains how ASTRAQ CYBER DEFENCE PRIVATE LIMITED(CIN: U62090PN2025PTC244094), a company incorporated under the laws of India with its registered office in Akola, Maharashtra ("AstraQ," "we," "us," "our"), collects, uses, shares, and protects information when you visit astraqcyberdefence.com (the "Site"), interact with us, or use any of our products and services — Phoebe, Athena CTF, Metis Mail, and Morpheus(collectively, the "Services").
We are committed to handling personal data lawfully, fairly, and transparently. Our information-security practices are independently certified to ISO/IEC 27001:2022 and our quality management to ISO 9001:2015.
1. Scope & roles
For Site visitors and individuals who contact us directly, AstraQ acts as the data fiduciary (under the Digital Personal Data Protection Act, 2023, India) / controller (under the GDPR) of your personal data.
For our enterprise customers, AstraQ generally acts as the data processorwith respect to the personal data that customers upload, index, or process through the Services. The customer's own privacy policy governs end-user personal data within their account, and our processing is governed by the applicable Data Processing Addendum ("DPA").
2. Information we collect
2.1 Information you provide
- Account & contact data — name, business email, company, role, phone number when you create an account, request a demo, or contact us.
- Communications — the content of messages you send us via the contact form, email, or scheduled meetings.
- Customer content — files, documents, prompts, mailbox content, suspect artefacts, or other data you submit to a Service. We treat this as confidential and process it only to provide the Services, as further described in the DPA.
- Billing & tax data — for paid Services, billing name, address, GSTIN, and payment-method metadata. Payment card numbers are processed by our PCI-DSS-compliant payment partners and are not stored on AstraQ infrastructure.
2.2 Information we collect automatically
- Usage & device data — IP address, browser type, device identifiers, referring/exit pages, pages visited, and timestamps, collected via standard server logs.
- Cookies & similar technologies — strictly necessary cookies to operate the Site, plus limited analytics cookies described in Section 7.
- Bot & abuse-prevention signals — we use Cloudflare Turnstile on our contact form; it may collect technical signals to confirm the request is not automated.
2.3 Information from third parties
We may receive limited information from our service providers (e.g., analytics, email delivery, calendar/booking) and from publicly available sources (e.g., your professional profile when you contact us from a business email). When you connect a third-party mailbox to Metis Mail, we receive scoped tokens via OAuth from the provider — we never receive your provider passwords.
3. How we use information
- To provide, maintain, and improve the Site and the Services.
- To respond to your enquiries, fulfil demo requests, and provide customer support.
- To send transactional and service-related communications (e.g., security alerts, billing notices, material changes to terms).
- To send marketing communications about AstraQ products you have shown interest in — you can opt out at any time.
- To monitor and prevent fraud, abuse, security incidents, and violations of our Terms.
- To comply with applicable laws and to establish, exercise, or defend legal claims.
- With your consent, to train or fine-tune AI models. We do not train foundation models on enterprise customer content by default.
4. Legal bases for processing (GDPR)
Where the GDPR applies, we rely on the following legal bases: performance of a contract (to deliver the Services); legitimate interests (to secure, improve, and market our offering); consent (for non-essential cookies and certain marketing); and legal obligation (for tax, accounting, and regulatory requirements).
5. How we share information
We do not sell personal data. We share personal data only as described below:
- Sub-processors — vetted infrastructure, analytics, email-delivery, and support providers acting under written processing agreements. A current list is available on request.
- Within your organisation — administrators in your account may see account-level usage and content.
- Compliance & law enforcement — where required by valid legal process. We narrowly construe such requests and challenge overbroad demands where appropriate.
- Business transfers — in a merger, acquisition, or asset sale, subject to confidentiality and at least equivalent privacy protections.
- With your consent — for any other purpose disclosed to you.
6. International data transfers
Our primary infrastructure is located in India. Where personal data is transferred outside its jurisdiction of origin, we rely on lawful transfer mechanisms, including Standard Contractual Clauses (SCCs) where applicable, and we apply supplementary technical measures (encryption in transit and at rest, access controls, audit logging) consistent with our ISO/IEC 27001 programme. For regulated industries, Phoebe supports fully air-gapped, on-premise deployment — in which case customer data never leaves the customer's environment.
7. Cookies & analytics
We use a minimal set of cookies. Strictly necessary cookies are required to operate the Site (e.g., session, security, load balancing). We may use privacy-respecting analytics to understand aggregate usage. Where required by law, we ask for your consent before setting non-essential cookies. You can control cookies through your browser settings.
8. Data retention
We retain personal data only as long as necessary for the purposes described in this Policy, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Customer content is retained per the DPA and your account configuration; on termination, we delete or return customer content as set out in the DPA.
9. Security
We protect personal data using administrative, technical, and physical safeguards aligned with our ISO/IEC 27001:2022 certification, including encryption in transit (TLS 1.2+) and at rest, least- privilege access controls, multi-factor authentication, secrets management, continuous monitoring, and audit logging. No system is perfectly secure; if we become aware of a personal data breach, we will notify affected individuals and regulators as required by applicable law. Read more at /trust.
10. Your rights
Subject to applicable law (including the DPDP Act, 2023 and the GDPR), you have rights with respect to your personal data, which may include:
- Access to the personal data we hold about you.
- Correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten").
- Restriction of, or objection to, certain processing.
- Portability of data you provided to us.
- Withdrawal of consent where processing is based on consent.
- The right to nominate another individual (under the DPDP Act).
- The right to grievance redressal and to lodge a complaint with the Data Protection Board of India (or, in the EEA/UK, your local supervisory authority).
To exercise these rights, contact us at privacy@astraqcyberdefence.com. We will verify your identity and respond within the timelines required by applicable law.
11. Children
The Services are not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us so we can delete it.
12. Changes to this policy
We may update this Policy from time to time. Material changes will be notified through the Site, by email, or via the Services. The "Last updated" date above reflects the most recent revision.
13. Contact & grievance officer
For privacy enquiries, data-subject requests, or to contact our Grievance Officer under the Information Technology Rules, 2011 and the DPDP Act, 2023:
ASTRAQ CYBER DEFENCE PRIVATE LIMITED
Attn: Grievance / Data Protection Officer
Akola, Maharashtra, India
Email: privacy@astraqcyberdefence.com
Security disclosures: security@astraqcyberdefence.com