Privacy Policy of Nuerolytica Consulting Private Limited
Introduction
Nuerolytica Consulting Private Limited (“Nuerolytica”, “we”, “us” or “our”) is a global technology corporation headquartered in Gurugram, Haryana, India. We are committed to safeguarding the privacy of all individuals and entities who entrust us with information. This Privacy Policy demonstrates our dedication to handling personal data responsibly and in compliance with applicable laws, including the Indian Digital Personal Data Protection Act, 2023 (the “DPDP Act”) and relevant global data protection standards (such as the EU General Data Protection Regulation, GDPR). By using Nuerolytica’s websites (including our main site www.nuerolytica.com) and any affiliated platforms or services (“Services”), or by providing any personal information to us, you acknowledge that you have read and understood this Privacy Policy. We process personal data in accordance with foundational privacy principles of lawfulness, fairness, and transparency, with a commitment to purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. This Policy is intended to be comprehensive and protective, addressing the needs of a high-tech, intellectual property-intensive company operating globally. It covers what data we collect from various stakeholders, how we use and protect that data, and the rights and choices you have.
Scope and Applicability
This Privacy Policy applies to all personal data processed by Nuerolytica across our websites, products, consulting services, research activities, and other business operations worldwide. It governs the handling of information from all categories of stakeholders, including but not limited to:
- Clients and Customers: Individuals or organizations who use our consulting, robotics, deep-tech, industrial, or research services.
- Website Users: Visitors to our websites or users of our online platforms and applications.
- Employees and Job Applicants: Current and former employees, interns, contractors working in an employee-like capacity, as well as applicants for employment.
- Vendors, Suppliers, and Contractors: Third parties who provide services or products to Nuerolytica, or who collaborate with us under contract (including independent consultants, subcontractors, and researchers partnering with us).
- Research Participants and Collaborators: Individuals who take part in R&D studies, surveys, user experience trials, or other research initiatives we conduct, as well as external research partners or institutions we collaborate with.
- Business Partners (B2B Partners): Representatives of our business-to-business partners, such as corporate clients, alliance partners, or joint venture participants whose personal data (e.g., business contact information) we may process in the course of our partnership.
This Policy covers all forms of personal data processing – whether the data is collected through our website (e.g., via forms or cookies), obtained offline, received from clients or partners, or generated through our products and services. It applies to personal data in digital form (or in physical form that is subsequently digitized) as defined under the DPDP Act. Please note that this Policy does not apply to information that cannot be used to identify an individual (anonymous data, aggregated data, or otherwise non-personal data). However, we treat even non-personal information with care when it is linked to confidential business information or intellectual property.
By accessing or using our Services, or by entering into a contract with us that references this Privacy Policy, you consent to the practices described herein. If you do not agree with any part of this Policy, you should refrain from using our Services or providing us with your personal data. We may provide additional privacy disclosures or notices to you at the time of data collection for specific activities (for example, an employment privacy notice for employees, or a research-specific consent form for research participants). Such notices are to be read in conjunction with this Policy.
Definitions
For clarity, we set out the meaning of key terms used in this Privacy Policy:
- Personal Data: Any information that relates to an identified or identifiable individual (“data principal” under Indian law, or “data subject” under other laws). This includes obvious identifiers like name, contact details, identification numbers, but also information that can be linked to a person (such as device ID, location data, IP address when it can be associated with you, etc.). If data is truly anonymous and cannot be linked back to an individual, it is not considered Personal Data under this Policy.
- Sensitive Personal Data: While the DPDP Act 2023 does not formally distinguish a category of “sensitive” personal data, in practice we recognise certain personal data as highly sensitive and afford it extra protection. This includes information such as passwords, financial information (bank account details, credit card numbers), health and medical data, biometric identifiers (e.g. fingerprints, facial recognition data, iris scans), official government identifiers (e.g. Social Security, Aadhaar or PAN numbers), information about sexual orientation, religious or political beliefs, or any other information that by its nature requires a higher level of security and confidentiality.
- Biometric Data: A subset of sensitive data referring to personal data resulting from specific technical processing of an individual’s physiological or biological characteristics (e.g., fingerprints, facial images, retinal scans) which are used for identification or authentication purposes.
- Processing: Any operation performed on personal data, whether automated or manual, such as collecting, recording, organizing, storing, using, analyzing, sharing, transmitting, or deleting data.
- Data Fiduciary / Data Controller: The entity that determines the purpose and means of the processing of personal data. Under the DPDP Act we are a “Data Fiduciary”, which is analogous to a “Data Controller” under GDPR – essentially, Nuerolytica in most cases, as we decide how and why personal data is processed in our business.
- Data Processor: A party that processes personal data on behalf of a data fiduciary/controller. This could be our vendors or service providers who handle personal data per our instructions.
- Stakeholders: In this Policy, stakeholders include all individuals about whom we process data in the context of our operations – this encompasses clients, users, employees, vendors, researchers, partners, and others as described in the Scope.
- Digital Personal Data Protection Act, 2023 (DPDP Act): The Indian law enacted in August 2023 that governs processing of digital personal data. The DPDP Act establishes rights of individuals (data principals) and obligations of entities like us (data fiduciaries), which are reflected throughout this Policy.
- Global Standards: International data protection laws and standards that may apply to our operations, such as the GDPR (European Union), CCPA (California Consumer Privacy Act, USA) and similar laws in other jurisdictions. “Global standards” also refers to widely accepted principles of privacy and data security that we uphold, many of which overlap with the principles of the DPDP Act and GDPR (for example, fairness, transparency, data minimization, etc.).
Unless defined above, terms used in this Policy shall have the meaning assigned to them in applicable law. We have avoided excessive legal jargon, but given the regulatory nature of this document, some formal terms are used for precision.
Personal Data We Collect
We collect or receive personal data in the course of our various business activities. The type and volume of data collected depend on the context of your interactions with us (whether you are a client, website visitor, employee, etc.) and on legal requirements. Below, we outline the categories of stakeholders and the typical data we collect from each:
Clients and Customers
If you are a client or customer of Nuerolytica (for instance, engaging us for robotics solutions, deep-tech consulting, industrial consulting, or R&D services), we will collect personal data necessary to deliver our products and services and manage our relationship. This may include:
- Contact Information: Name, business title, company name, postal address, phone number, email address of client representatives or individual clients.
- Professional Information: For B2B clients, details about your role, department or team, and organizational preferences relevant to the project. For individual clients, any information you provide about your industry, interests or needs.
- Communication Records: Emails, meeting notes, chat transcripts or call recordings (with notice where required) that you exchange with us during the course of our consulting or support services.
- Project Data: Any data you provide to us for purposes of our engagement. For example, if we are consulting on a project that requires analyzing your company’s operations or data sets, you might provide proprietary information that could include personal data (such as a list of your employees or customers, sensor data from your facilities that incidentally contain personal information, etc.). We treat all such client-provided data as confidential and use it only for the agreed purpose.
- Financial and Billing Information: Billing address, taxpayer identification (like GST number for Indian clients or VAT for EU clients), and payment details (bank account, wire transfer details). If payments are made through our site, we or our payment processor may collect credit/debit card numbers or other payment instrument details. These are handled with stringent security.
- Site Usage Data (for client users): If you access any client portal or use our online platforms as part of our service delivery, we may collect usage metrics, login credentials, IP address, and activity logs for security and functionality.
- Feedback and Survey Data: If we solicit feedback or conduct satisfaction surveys with client personnel, any opinions or information you provide may be stored. This could include personal views but is generally kept separate from core service data.
We emphasize that in our consulting and project engagements, we often handle data that is proprietary to our clients. Such data might include personal data about third parties (e.g., our client’s employees or end-users). In those cases, we process that data strictly as per our contract with the client and applicable law. We act as a data processor on behalf of our client (the data controller) for such project data, meaning we will not use or disclose that data except as instructed by the client and as allowed by law. We also ensure intellectual property contained in client data remains protected and confidential.
Website Visitors and Users
When you visit our websites or interact with us online (including social media pages we operate), we collect certain data about your device and usage, as well as any information you actively submit through forms or account portals. This may include:
- Browsing Data: IP address, browser type and version, device identifiers, operating system, date and time of visit, pages viewed, links clicked, the previous site visited (referrer URL), and other standard web log information. This data is typically collected through cookies or similar tracking technologies. Our website may use cookies to remember user preferences and to analyze how our site is used. For details, please refer to our Cookie Notice (if provided) or cookie-related disclosures on our site. Such behavioral data helps us understand user engagement and improve our web presence.
- Account Information: If our website offers account creation (for example, a client login area or newsletter signup), we collect whatever information you provide during registration or login. This could include name, email, organization, username/password, and any profile information you choose to provide.
- Contact Form and Inquiry Data: If you fill out a “Contact Us” form, request a demo, or download a whitepaper from our site, we will collect your contact details (name, email, phone) and any information you choose to include in your message. For example, messages may contain your company details and the nature of your request. We use this information to respond to you and keep a record of our correspondence. Rest assured, information shared via our web forms is handled with strict confidentiality and subject to our security measures.
- Newsletter or Marketing Subscription: If you subscribe to newsletters or marketing communications, we collect your contact details (name, email) and communication preferences. We may also note your areas of interest based on the subscription or your interactions (e.g., which newsletters you open).
- Usage Analytics: We use third-party analytics tools (such as Google Analytics or equivalent) that deploy cookies or pixels to gather information about site traffic and user interactions. This includes data on how long you stay on a page, what content you view or download, and your general geographic location (e.g., city, country derived from IP address). This information is aggregated and does not directly identify you by name, but if it can be linked or if local law treats identifiers like IP as personal data, we treat it as personal data.
- Automated Decisions and Profiling: Our websites generally do not make any decisions about you that would have legal or significant effects without human intervention. We may, however, use profiling in a limited sense for analytics and marketing – for instance, analyzing what content a user has viewed to suggest relevant services. You have rights to opt-out of such profiling for marketing (see the Your Rights section below).
- Third-Party Data on Website: Sometimes we receive personal data indirectly via our website – for instance, if someone registers you for an event or refers you to us. In such cases, we will inform you within a reasonable time and provide a copy of this Privacy Policy.
Our website is not intended to collect Sensitive Personal Data from general visitors. We ask that you do not submit sensitive information (like passwords, financial, health, or biometric data) via public website forms. If such information is required for a specific service (for example, secure client login or payment), we will provide a dedicated secure channel and appropriate notices.
Employees and Job Applicants
We collect and process personal data of our workforce as necessary for employment and human resource management purposes, as well as data from individuals who apply to join our team. This category includes:
- Identification and Contact Data: Full name, date of birth, photograph, personal email, phone number, residential address, and emergency contact details. For applicants, this is collected through resumes/CVs or application forms; for employees, additional personal identifiers (father’s name, etc.) may be collected as required by law.
- Employment-Related Data: Resume/CV details such as education, work history, skills, certifications, language proficiencies; references and background check information (only where lawful and with consent as required); interview notes for candidates; and for employees, job title, employee ID, department, work location, supervisor, performance evaluations, and career development information.
- Government IDs and Work Authorization: For HR records and payroll compliance, we may collect government-issued identity numbers or documents (e.g., PAN, Aadhaar, passport, work visa, Social Security or equivalent in other countries) and maintain copies as required by law. These are highly sensitive and protected.
- Financial and Payroll Data: Bank account details for salary deposits, salary and benefit information, tax-related information, insurance and provident fund details, investment declarations (for tax), and any other financial data needed for compensation and benefits.
- Biometric or Attendance Data: In some offices, we may use biometric attendance systems or badge swipes for secure entry. Where used, fingerprints or other biometric identifiers are collected for authentication. Biometric data is encrypted and used solely for security/timekeeping; we comply with applicable biometric data laws and obtain consent if required.
- Health and Welfare Information: We may process certain health data of employees in specific situations – for instance, medical certificates for sick leave, disability accommodations, occupational health records, or health insurance enrollment data. Any health or medical information is handled as sensitive and only accessed by authorized HR or medical personnel with privacy safeguards.
- Background Verification and Compliance Data: As part of hiring or periodically during employment, we might collect data for verification (such as criminal record checks, credit checks, drug testing results) – but only as allowed by law and with knowledge/consent. Also, if your role requires security clearance or compliance vetting (e.g., export control compliance), we will process relevant data as needed.
- Work Product and Usage Data: Employees generate data during their work, such as business emails, documents, code, research notes, and other work products. While this is generally considered company intellectual property rather than personal data, it can incidentally contain personal data (e.g., an email signature with your name and phone, or personal opinions expressed in communications). We monitor and access work product and IT usage in accordance with our internal policies (for reasons like ensuring productivity, IT security, and IP protection), but we do so lawfully and with respect for employee privacy. Any monitoring is proportionate and, where required by law, we will inform and/or obtain consent from employees.
- CCTV Footage: In our offices or facilities, CCTV cameras may operate for security. These could capture employee images or movements. Signs are placed where CCTV is in use as per legal requirements. Footage is stored securely and accessed only when necessary (e.g., for security incidents) and is routinely overwritten or deleted as per retention policy.
- Post-Employment Data: If you leave Nuerolytica, we retain basic information such as your tenure, last position, and reason for leaving, along with any continuing obligations (e.g., non-disclosure agreements). We also may retain contact details to maintain alumni relations if appropriate. Legal requirements (like maintaining payroll records, gratuity, provident fund, or pension details) will dictate retention of some data.
For job applicants, we use your data to evaluate your candidacy. If you are not selected, we may keep your resume on file for a certain period to consider you for future opportunities (you will be informed and can opt out). All employee and applicant data is used strictly for HR purposes and internal requirements. Employees are also provided with an internal Employee Privacy/Policy Notice that further details how their data is handled and their obligations.
Vendors, Suppliers, and Contractors
When we engage third-party vendors or independent contractors, we collect personal data about their personnel as needed to manage the business relationship and ensure compliance. This includes:
- Business Contact Information: Names, work emails, phone numbers of key contacts or account managers working for our suppliers or service providers.
- Due Diligence Information: For certain vendors (especially if they will handle confidential data or have access to our facilities), we may perform due diligence or background checks. This could involve collecting identity documentation of the vendor’s personnel, qualifications, certifications, or references. We only do this as necessary and in line with anti-corruption, security, or supplier qualification protocols.
- Contract and Compliance Data: Details included in contracts or legal documents (which may contain personal data like names and signatures of signing authorities, contractor’s professional license numbers, etc.). Also, if a vendor is an individual consultant, we collect data similar to what we collect for employees (e.g., bank details for payments, tax ID, etc.).
- Activity Logs and Access Data: If contractors or vendor personnel have access to our IT systems or premises, we will collect data on their usage and access for security (similar to employee IT and building access logs). For example, if a support vendor logs into our network, that access is recorded; if a maintenance contractor visits our office, CCTV or entry logs will note their presence.
- Invoices and Financial Details: We maintain records of payments to vendors which include personal data of payees or points of contact (names on invoices, bank account details if it’s a sole proprietor or individual consultant, etc.).
Vendor and contractor data is used only for business administration, fulfilling our obligations, and complying with law (such as tax reporting). We also require our vendors and contractors to adhere to privacy and confidentiality obligations through contractual clauses, which means that any personal data we share with them (for example, if a cloud service provider hosts our data) must be protected by them in line with this Policy and applicable laws.
Research Participants and Collaborators
Nuerolytica is an R&D-driven organization, meaning we often engage in cutting-edge research projects. Some of these projects involve human participants or the use of data that originates from individuals. We are deeply committed to ethical research practices and privacy in this context. Data we may collect includes:
- Participant Data for Studies or Trials: If you participate in a user study, pilot program, survey, experiment, or any research initiative (for example, testing a new robotics interface or answering a questionnaire about industrial process improvements), we will collect data necessary for the research. This could range from contact information and informed consent forms to the data you generate during the study (e.g., responses to survey questions, behavioral data such as how you interact with a prototype device, or physiological data if you’re testing a wearable sensor). We will always explain what data is being collected for research and seek your consent where required. Participation in research is voluntary.
- Inferred and Analyzed Data: Research often yields derived data. For instance, if we conduct a study on human-robot interaction, we might infer patterns or preferences from participant behavior. Such AI/ML-inferred data or research-derived data (e.g., an efficiency score, or a model trained on dataset including personal data) will be treated with the same care as raw personal data. If we publish research results, we will ensure they are aggregated or anonymized so that individual participants are not identifiable.
- Collaborator Data: If we collaborate with external researchers or institutions (such as a university research partner or a co-investigator), we may collect personal data of the collaborating researchers (names, qualifications, contact info) for project coordination. We also may receive personal data from collaborators. For example, a university might share raw study data with us for joint analysis – we will handle such data under the same strict protocols as if we collected it ourselves.
- Ethics and Compliance Documentation: Research involving personal data may require additional safeguards such as Institutional Review Board (IRB) approvals, ethics committee clearance, or special consent forms. We will collect and store any such documentation (which might include personal data of researcher and participant signatories) as part of our compliance record.
- Biometric or Sensitive Research Data: In some advanced R&D (say, neuroscience-inspired AI or biometric security), we might work with sensitive personal data like brain wave readings, fingerprints, or health indicators. Any collection of sensitive data for research will be done with explicit consent and in secure, controlled environments. We may employ techniques like data anonymization, pseudonymization, or even synthetic data generation to minimize use of real personal data. Where feasible, we prefer to use privacy-preserving techniques (such as data anonymization or aggregation) in research to protect individual privacy.
We want to assure research participants that your rights and welfare are our top priority. We will provide you with detailed information before you partake in any study, including the purpose of the research, what data will be collected, how it will be used, and any risks involved. You will typically have to sign a consent form. You may also have the right to withdraw from a study and request deletion of the data you contributed, to the extent that it is identifiable and deletion is feasible (bearing in mind that in some cases research results are aggregated). Our research endeavors abide not only by privacy laws but also by ethical guidelines for human subjects research. Data collected is used only for the stated research purposes, and any re-use for other purposes will be subject to new consent or stringent anonymization.
Business Partners (B2B Partners)
We work with various strategic partners, resellers, joint venture partners, or alliance companies in the course of business. If you are an employee or representative of one of our business-to-business (B2B) partners, we may collect your personal data in the course of partnership management. This includes:
- Contact and Identity Information: Your name, position/title, work contact details, and verification of your authorization to represent your company.
- Communications and Relationship Data: Emails, meeting notes, partnership agreements which bear your name and signature, or any preferences you express in joint planning sessions.
- Joint Marketing or Events: If we co-host events or initiatives with partners, we may collect participant lists that include partner employees’ For example, a webinar co-presented with a partner might involve sharing the registration list with that partner, including names and emails. We will only do such sharing with notice and, if required, consent of the individuals.
- Systems Access: If partner personnel are given access to our resources (like a shared development environment or a partner portal), we will collect login credentials and monitor usage similarly to how we treat vendors/contractors.
- Financial & Legal Info: Banking details for invoicing between us and the partner (if the partner is an individual, but typically partners are companies), and data in legal docs like Memoranda of Understanding which include partner contact persons.
We treat partner personnel data with the same confidentiality as client data. It is used for facilitating the partnership (e.g., coordinating projects, paying commissions, joint customer support) and not for unrelated purposes. If a partnership involves exchanging personal data of customers (for example, referring potential clients to each other), we will ensure compliance with all applicable data protection laws in doing so, including entering into appropriate data sharing agreements if required.
Purposes of Processing Personal Data
Nuerolytica processes personal data for a variety of legitimate business and legal purposes. We always strive to limit our use of personal data to what is necessary and relevant for the intended purpose, and we ensure those purposes are transparent to you. The purposes for which we collect and use personal data include:
- Service Delivery and Business Operations: To provide our products and consulting services to clients. This encompasses using personal data in project execution (e.g., analyzing client-supplied data to produce consulting insights, deploying robotics solutions which may capture data, or conducting research studies). We use data to communicate with clients about project status, to adapt solutions to their needs, and to ensure quality control.
- Account Management and Customer Support: To create and maintain client accounts, manage subscriptions or access to platforms, and provide support or troubleshooting. Personal data is used to identify authorized users, reset passwords, respond to inquiries, and provide technical assistance. For example, if a client user reports an issue, we will use their contact and usage data to resolve it and follow up.
- Improvement of Services and R&D: To develop and improve our offerings. We analyze usage data and feedback (e.g., how clients interact with a software interface, or what issues are frequently raised) to refine our technology. We might use machine learning on collected data (under appropriate legal basis) to derive insights that help us innovate (for instance, improving an AI model for robotics by training it on operational data). Any AI/ML-inferred data generated in this process that relates back to an individual (e.g., a user’s behavioral profile) is considered personal data and protected as such.
- Marketing and Business Development: To send promotional communications about our services, new product features, newsletters, industry insights, or events that we believe may be of interest. We only send marketing communications to you if you have not opted out (or opted in, if required by law). We might personalize these communications based on your past interactions or preferences. For example, if you downloaded a whitepaper on deep-tech consulting, we may later inform you of a new deep-tech service offering. We also use personal data to manage event invitations and participation (e.g., if you RSVP to a Nuerolytica-hosted conference). You have the choice to unsubscribe from marketing at any time.
- Recruitment and Talent Management: To process job applications and manage our talent pipeline. We use applicant data to evaluate candidates, arrange interviews, and extend offers. For employees, we use personal data to administer payroll and benefits, conduct performance reviews, provide training, and plan career growth. We may also use certain employee data for internal directories so colleagues can contact each other.
- Legal Compliance and Regulatory Obligations: To comply with applicable laws and regulations. This includes using personal data for: verifying identity (Know-Your-Customer or KYC requirements), maintaining records for audit and taxation, complying with labor laws (employee records, social benefits), fulfilling data retention mandates, responding to government requests, or reporting to authorities as required (e.g., reporting a cybersecurity incident if required by law). Under the DPDP Act, for instance, we have an obligation to notify the Data Protection Board of India in the event of a personal data breach. We also may process data to meet court orders or to exercise/defend legal claims.
- Security and Risk Management: To ensure the security of our IT systems, premises, intellectual property, and stakeholders. We use personal data (like access logs, CCTV footage, and network activity data) to detect and prevent fraud, unauthorized access, hacking, or other security threats. If you are an employee or visitor, we use your data to authenticate access to facilities or equipment. We also analyze some data (like device information or browsing patterns on our network) to identify malicious activity or policy violations.
- Intellectual Property Protection: As an IP-intensive company, we must protect our trade secrets, patents, and proprietary research. Personal data may be used to manage confidentiality agreements (e.g., collecting signatures of those who access sensitive projects) and to investigate any suspected IP leaks or infringements. If an employee or contractor leaves, we may retain their contact info to enforce post-termination IP or non-disclosure obligations if needed.
- Corporate Transactions: In the event of a business transaction such as a merger, acquisition, investment, or asset sale involving Nuerolytica, it may be necessary to disclose relevant personal data to prospective or actual purchasers or other parties involved, under appropriate confidentiality agreements. This would be done for purposes of evaluating and completing the transaction. We will ensure any such sharing is lawful and minimized to what’s necessary.
- Grievance and Dispute Resolution: To address complaints or disputes. If you file a privacy complaint or a legal claim, we will use your personal data (and potentially data about you from our systems) to investigate and resolve the issue. We maintain a grievance redressal mechanism as required by law, and personal data is essential to follow up on grievances and communicate outcomes.
- Other Legitimate Business Interests: We may process personal data for additional legitimate purposes not incompatible with the ones listed above, such as conducting internal audits, training and quality assurance, compiling anonymized statistics, or any purpose for which we obtain your consent. If we need to use your data for a new purpose, we will update our Privacy Policy or provide a just-in-time notice, and if required, seek your consent.
We will not use personal data for decisions that produce legal or similarly significant effects on you without ensuring either your consent or another lawful basis and human review as appropriate. Automated decisions, if any (for example, an automated system to flag anomalous network logins for security), are primarily for protecting our systems and do not profile individuals in a way that would negatively impact them without recourse.
Legal Bases for Processing and Consent
We process personal data only when we have a valid legal basis to do so. Depending on the applicable law (DPDP Act, GDPR, etc.) and the context of processing, our legal bases include:
- Consent: In many cases, we rely on your consent to collect and use your personal data. Under the DPDP Act, consent must be free, informed, specific, clear, and affirmative. We seek consent, for example, before sending marketing emails, when enrolling participants in research studies, or when processing sensitive personal data in situations where law does not automatically allow it. You have the right to withdraw your consent at any time. Withdrawal will not affect the lawfulness of processing done before your withdrawal, but we will act on withdrawal promptly for future processing. For children (minors under 18 in India), we obtain consent from a parent or guardian before processing the child’s personal data.
- Performance of a Contract: When we enter into a contract with you (or your organization), processing of personal data might be necessary to fulfill that contract. For instance, if you are a client, we process your data to provide consulting services as per our agreement. If you are an employee or contractor, we process your data to pay you and provide benefits under your employment contract. Similarly, if you request services through our website, processing your data for delivering those services or products is based on contractual necessity.
- Legal Obligation: We will process personal data when necessary for compliance with a legal obligation to which we are subject. This covers a broad array of activities: generating invoices that comply with tax laws (requiring your official name and address), maintaining employment records per labor laws, verifying identity for anti-money laundering laws if applicable, or disclosing data to authorities when mandated (such as responding to a lawful subpoena or government order). We carefully review any such requests and only disclose what is required by law.
- Legitimate Interests: We may process personal data as necessary for our (or a third party’s) legitimate interests, provided such processing is fair, proportionate, and does not override your rights or interests. Our legitimate interests include many of the purposes outlined in the previous section, such as improving our services, securing our systems, preventing fraud, protecting our intellectual property, and running our business efficiently. For example, it is in our legitimate interest to track website analytics to understand usage patterns and improve user experience. When relying on this basis, we ensure there is no less intrusive way to achieve the same result and that we have balanced our interests with your privacy expectations. Under the DPDP Act, the concept of “legitimate uses” is recognised (akin to legitimate interests) – e.g., processing of personal data that you voluntarily provided for a certain purpose can be deemed a legitimate use. We only invoke legitimate interest where consent is not feasible or not required, and always give you the right to object when required by law.
- Vital Interests: In rare cases, we might need to process personal data to protect someone’s life or physical safety. For instance, if a medical emergency occurs at our office, we might share an employee’s known medical history with first responders if relevant. This basis is used only for critical, life-threatening situations.
- Public Interest or Official Functions: This basis is generally applicable when processing is needed for tasks in the public interest or under official authority. As a private company, this would only be relevant if we were assisting in a public program or research project of broad societal benefit, and even then, we would likely rely on consent or legal obligation. If any processing in public interest is done (e.g., using personal data for research aimed at public good), it will be in accordance with applicable law and likely with consent or anonymisation.
Special Category and Sensitive Data: When it comes to sensitive personal data (financial, biometric, health, etc.), we generally process such data only with explicit consent or as strictly allowed by law. For example, health data of employees is processed under employment law obligations or with consent for specific programs (like an employee wellness program). Biometric data for attendance is processed with consent and for security (legitimate interest in safeguarding our premises). We do not process sensitive personal data for secondary purposes that are incompatible with the original purpose without obtaining consent again.
Cookies and Similar Technologies: For processing of personal data via cookies (like analytics or advertising cookies on our site), we follow applicable laws regarding consent. Where required, we present a cookie consent banner to let you choose your preferences. You can also control cookies through your browser settings. See our cookie disclosures for details.
If you have questions about the legal basis of any specific processing, or if you need more clarity on how we interpret our obligations under a particular jurisdiction’s law, please contact us (see Contact Us section). We will gladly explain how your data is handled in line with law.
Disclosure of Personal Data
We treat your personal data with care and confidentiality. Within Nuerolytica, access to personal data is restricted to those who need to know that information for the purposes described. However, in the normal course of business, we may share personal data with certain third parties. We do so under strict conditions and with appropriate safeguards. Here are the categories of parties with whom we may share data and why:
- Affiliates and Subsidiaries: Nuerolytica may share data with other companies within our corporate group (for instance, a branch office or a subsidiary in another country) as needed to provide our services or for corporate governance. All our affiliates are bound to protect personal data in accordance with this Policy and our internal data protection standards. For example, if a project is executed jointly by our Gurugram HQ and a subsidiary in Europe, relevant client data may be accessed by both teams, each of which will handle it securely.
- Service Providers (Processors): We employ trusted third-party companies and individuals to perform functions on our behalf, consistent with the purposes of use outlined earlier. These include:
- IT and Cloud Service Providers: Hosting providers for our websites or cloud infrastructure (where we might store data), email service providers, data storage/backup services, CRM (Customer Relationship Management) platforms, and IT support services. For instance, if our website is hosted on a third-party data center, any data you submit through the site will pass through that host. We ensure such providers implement robust security and, if they process personal data, we sign Data Processing Agreements (DPAs) obligating them to only use the data for our purposes and to protect it.
- Analytics and Marketing Partners: We may use external analytics services (that collect usage data via our site) or marketing agencies that help us manage communications. They might process some personal data (like your email for sending a newsletter on our behalf). These parties are not allowed to use your data for their own marketing unless you separately consent with them; they act on our instructions.
- Professional Advisors: We may share necessary personal data with our auditors, lawyers, insurers, accountants, or other professional advisors in the course of the professional services they render to us. For instance, if there’s a legal dispute or an audit, relevant data (which might include personal data of certain individuals) will be reviewed under confidentiality by these advisors to provide us guidance.
- HR and Admin Services: If we use third-party payroll processors, HR systems, travel booking companies, or benefit providers, employee personal data will be shared with them to facilitate those services. For example, an insurance provider will receive employees’ personal details to issue health insurance policies. We ensure these providers are bound by confidentiality and data protection obligations.
- Research or Development Partners: In some R&D projects, we might collaborate with a university or another tech company. With your consent or as allowed by law, we may share research data (potentially including personal data) with these partners for joint analysis or product development. Any such sharing for research is typically done in a pseudonymized or anonymised format whenever feasible, and partners are required to maintain confidentiality and ethical standards.
- Business Transfers: If Nuerolytica undergoes a business transaction such as a merger, acquisition by another company, reorganisation, or sale of all or part of our assets, personal data may be transferred as part of that deal. We will ensure that any receiving party agrees to respect personal data in a manner consistent with this Privacy Policy. We will also notify you of any such change in ownership or control of your personal information either through the website or by other means, as required by law. You will have the opportunity to discontinue your relationship with us before your data becomes subject to a different privacy policy.
- Legal and Regulatory Disclosures: We may disclose personal data to courts, law enforcement, regulatory authorities, government agencies or other third parties when we believe such disclosure is (i) permitted or required by law, or (ii) necessary to exercise, establish, or defend our legal rights, or (iii) necessary to protect vital interests of any person. For example:
  - Under the DPDP Act and other laws, we might be required to respond to an order from a regulatory body or produce information to a lawful authority. We will verify the authenticity of such requests and only provide the minimum data necessary.
  - We may disclose data to the Data Protection Board of India if reporting a significant data breach or compliance issue.
  - If a user violates our Terms of Use or is involved in fraudulent or illegal activity affecting us, we may share data with investigators or pursue legal action, which might involve sharing data as evidence.
  - During litigation or arbitration, it may be necessary to disclose relevant personal data to legal counterparts following due process.
- Consent-Based Sharing: There may be instances where you explicitly request or consent to sharing your data with a third party. For example, if you ask us to introduce you to one of our partners or if you consent to our sharing your testimonial (which has your name and title) on our website. In such cases, we will share accordingly, and you can revoke consent for future sharing when feasible.
Importantly, what we do not do: We do not sell or rent your personal data to third parties for their own marketing or other independent use. We do not share personal data with advertisers or ad networks in a way that identifies you directly, nor do we engage in third-party data brokering. Any third-party advertising on our website (if any) would be contextual or generic. If we ever offer targeted advertising, it would be based on aggregate segments and either done by us or by using platforms where you have the ability to control your ad preferences.
All third parties who process personal data on our behalf are contractually bound to handle it securely and only for the purposes we specify. We take steps to ensure these partners provide at least the same level of protection for personal data as we do. If a third party can no longer meet this obligation, we will either step in to protect the data or cease cooperation with that party.
Cross-Border Data Transfers and Data Sovereignty
Nuerolytica operates globally, and the personal data we collect may be transferred to or accessed by Nuerolytica offices, affiliates, partners, or service providers in countries other than where the data originated. For example, data collected in India might be stored on servers in the United States, or a client in the EU might have their data accessed by our team in India. We understand that cross-border transfers carry certain risks, and we take measures to ensure that such transfers comply with applicable data protection laws and uphold the principles of data sovereignty.
Transfers under Indian Law: The DPDP Act, 2023 currently permits cross-border transfer of personal data to most countries by default, except those that may be specifically restricted by the Indian government via notification. We keep apprised of any government notifications designating certain countries where personal data transfer is prohibited or conditioned, and we will not transfer your personal data to any such country in violation of that restriction. Additionally, sectoral regulators in India (such as the Reserve Bank of India for financial data) might impose data localisation requirements; we will comply with those for relevant data (for instance, certain financial data may be stored only in India as required). In essence, we respect India’s data sovereignty principles: personal data of Indian individuals is protected under Indian law regardless of where it is processed. If we do transfer data out of India, we remain accountable for its protection and we ensure that the recipient country or entity provides comparable data protection standards or that we have contractual and technical safeguards in place.
Transfers under Global Standards (e.g., GDPR): For personal data originating from the European Economic Area (EEA) or United Kingdom, we will ensure the transfer is lawful under GDPR and similar regimes. This typically means:
- Transferring to countries that have been deemed “adequate” by the European Commission (or UK authorities) which ensures an adequate level of data protection. India is not currently on the EU adequacy list, so if data goes from the EEA to India, we treat it under the other mechanisms below.
- Implementing Standard Contractual Clauses (SCCs) or equivalent contractual safeguards in our agreements with the receiving entity. For instance, if our EU subsidiary sends data to our Indian headquarters, we have intra-group data transfer agreements incorporating SCCs to contractually oblige the Indian entity to protect EU personal data to GDPR standards.
- In some cases, utilizing Binding Corporate Rules (BCRs) if applicable (though currently we rely on SCCs, we may adopt BCRs as our global policy in the future).
- Applying supplementary measures as needed – encryption, pseudonymization, and strict access controls – to ensure that data remains secure during and after transfer.
- Obtaining your consent for the transfer in situations where that is required or more appropriate (with clear notice of potential risks), for example if none of the above safeguards are feasible for a specific one-off transfer.
- Transferring under an allowed derogation in GDPR for specific scenarios, such as when the transfer is necessary to perform a contract with you or in your interest (e.g., booking a hotel abroad for an employee, which requires sending their name to that hotel).
Data Sovereignty Principles: We acknowledge that data is subject to the laws of the jurisdiction in which it is stored or processed. This means that when personal data is moved across borders, it could become subject to foreign laws (for example, data stored in a server in another country may be subject to lawful access requests by that country’s government). We carefully choose reputable service providers and infrastructure locations with stable legal systems. Whenever possible, we prefer to store data in jurisdictions with strong privacy protections. For critical or highly sensitive data, and in line with client expectations or legal requirements, we offer options to localize data storage. For example, if an EU client requires that their data remain within the EU, we can arrange EU-based hosting. Similarly, for Indian personal data, unless there is a business need for cross-border transfer, we endeavor to keep data within India or ensure that any external storage still falls under robust protections.
If we transfer your personal data across borders, we remain accountable to you for its protection. We will notify you, where required by law, that your data may be processed in another country and indicate how we safeguard it. By using our Services or submitting information to us, you understand that your personal data may be transferred internationally. However, this does not diminish your rights or our obligations. We maintain uniform data protection policies across our global operations, meaning no matter where your data flows, it will receive the same level of protection outlined in this Privacy Policy.
In summary, cross-border data flows are essential to our global services, but they are managed with a high degree of oversight, legal safeguards, and technical security to ensure continuity of privacy protection and respect for data sovereignty.
Data Security Measures
Security of personal data is of paramount importance to Nuerolytica. We implement a comprehensive range of technical and organizational security measures to protect your data against unauthorized access, disclosure, alteration, and destruction. Our approach to cybersecurity is multilayered and aligns with industry best practices and standards:
- Encryption: Personal data handled by us is protected in transit and at rest with strong encryption protocols. For instance, our websites and web services enforce HTTPS (TLS encryption) for all data transmission, which guards against eavesdropping. Sensitive fields (like passwords, financial details, biometric templates) are stored in encrypted form or hashed with modern cryptographic algorithms so that even in the unlikely event of a system breach, the data remains unintelligible without the encryption keys.
- Access Control and Authentication: We restrict access to personal data strictly to authorized personnel and on a need-to-know basis. Our employees and service providers access systems via secure authentication methods (strong passwords, multi-factor authentication, and/or biometric access for sensitive systems). Role-based access control ensures individuals can only see the data necessary for their role. For example, HR staff can view employee data but not client project data, and vice versa. Administrator and privileged access is tightly controlled and monitored.
- Network and System Security: Our IT infrastructure is secured through firewalls, intrusion detection and prevention systems, anti-malware tools, and continuous network monitoring. We regularly update and patch our software to protect against vulnerabilities. We employ techniques like network segmentation to isolate sensitive data environments. Additionally, we use endpoint protection on devices and have policies for secure configurations of servers and computers. Remote access to our network (for employees or vendors) is done via encrypted VPN and is closely managed.
- Physical Security: Our offices and data centers (including third-party hosting facilities) maintain physical security controls. This includes 24/7 security personnel or surveillance in data center facilities, badge or biometric access to secured areas, CCTV cameras in critical zones, and visitor entry logs. Servers are kept in controlled environments with fire suppression and backup power. Physical media containing personal data (like backups on tapes or portable drives) are stored securely or encrypted.
- Data Minimization and Pseudonymization: Wherever feasible, we employ pseudonymization or anonymization on personal data sets, especially for development, testing, or research purposes. For example, before using production data for internal testing, we mask or remove personal identifiers. We also strive to collect only the data that is needed for a given purpose (data minimization), which inherently reduces security risk.
- Employee Training and Policies: We maintain internal policies on data protection, confidentiality, and acceptable use of IT systems. All employees and contractors with access to personal data are required to sign confidentiality agreements. We conduct regular training and awareness programs on topics such as phishing prevention, secure data handling, and recognizing social engineering attempts. By fostering a culture of security, we ensure that our personnel are the first line of defense in protecting your data.
- Vendor Security Assessments: Before engaging service providers who may process personal data, we assess their security practices. We choose reputable vendors with proven security credentials (many of them hold certifications like ISO 27001 or SOC 2). We include specific data protection and security requirements in our contracts with these vendors. Periodically, we review their compliance (through audits or certifications) to ensure our data remains safe in their hands.
- Advanced Security Measures: As a high-tech company, we also leverage advanced security techniques. This may include deployment of Privacy-Enhancing Technologies (PETs) such as differential privacy and federated learning for certain data analysis tasks – ensuring that individual-level data or intellectual property remains secure even while deriving aggregate insights. We continuously explore and adopt cutting-edge security tools, including AI-based threat detection (which can identify unusual patterns potentially indicative of a breach) and data loss prevention systems (to prevent unauthorized egress of data).
- Testing and Audit: We conduct regular security testing of our systems, including vulnerability assessments, penetration testing by independent experts, and code reviews focused on security for our software products. Our systems and processes are subject to periodic audits (internal and external) to verify that security controls are effective and up to date. Any findings are remediated with high priority. We maintain logs of system activities and conduct audit trails which help in forensic analysis if needed without infringing on user privacy beyond what is necessary.
- Incident Response Plan: Despite best efforts, no system is immune to all threats. That’s why we have a well-defined incident response plan. If we suspect any security incident or breach, we will immediately activate our incident response team to contain and investigate the issue. This includes steps like isolating affected systems, patching vulnerabilities, recovering from backups, and engaging cybersecurity experts if needed. Our plan is regularly drilled and updated to incorporate new threat scenarios.
We are committed to continuous improvement of our cybersecurity posture. Security is not a one-time effort but an ongoing process. We align with frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001 standard to guide our practices. We also take into account guidance from regulatory bodies in different jurisdictions to ensure compliance (for example, SEBI’s cybersecurity guidelines if relevant, or EU’s GDPR security expectations).
While we work tirelessly to protect your data, it is important to note that no method of transmission or storage is 100% secure. We thus cannot warrant absolute security of information. However, we can assure you that we follow state-of-the-art practices and respond swiftly to any potential threats. We also encourage you to play a part in security – for instance, if you have credentials to access our systems, keep them confidential and notify us immediately if you suspect any unauthorized access to your account or data.
Data Retention and Deletion
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required or permitted by law. Our retention practices are guided by the principle of storage limitation and data minimization. This means we strive not to keep personal data in identifiable form indefinitely unless there is a continuing legitimate need to do so.
Our data retention approach varies based on the category of data and the context:
- Client and Business Data: For our clients, we retain personal data for the duration of the contractual relationship and thereafter as needed for legitimate business purposes (such as maintaining records of the services provided, or as required for tax and accounting). Once the relationship ends, we will archive or delete personal data after a reasonable period, typically defined by the statute of limitations for any legal claims (for example, we might keep contract and communications data for X years post contract end, to address any disputes or audits). If a client asks us to delete or return certain data at contract termination (as often stipulated in data processing agreements), we will do so, provided no law requires us to retain a copy. Aggregated or anonymized data (which no longer identifies individuals) may be retained indefinitely for analytics.
- Website Users and Marketing Data: Web analytics data is usually retained for a shorter period, often 6 to 24 months, to spot trends over time and then automatically deleted or anonymized. For example, server logs may be kept for a few months for security analysis and then purged. If you registered on our site or subscribed to communications, we keep that data until you delete your account or unsubscribe (and for a short period thereafter to honor opt-out). If you are inactive for a long period, we may remove your data as part of routine clean-up. We also comply with specific legal requirements, such as India’s IT Act rules that might require certain web logs to be kept for a minimum duration (e.g., 180 days under some regulations).
- Employee and HR Data: Employee records are retained according to labor laws and our internal policies. Many jurisdictions require retaining certain employment records for a number of years after an employee leaves (e.g., payroll records, pension/provident fund records, tax filings). We typically retain core HR files for the legally mandated period (which can range from 3 years to 7 years or more, depending on the jurisdiction and type of record). Personal data that is no longer needed (like CCTV footage from office or routine emails of a departed employee) is securely deleted or overwritten in accordance with our internal data retention schedule. Where feasible, we anonymize parts of HR data for statistical purposes (e.g., diversity metrics) so we can keep the statistics without retaining identifiable data.
- Vendor and Partner Data: Similar to client data, we retain vendor and partner personal data for the duration of the relationship and then as needed for legal or business purposes. Contracts and invoices, which include personal contact data, might be kept for a number of years as part of financial records. Information about vendor performance or due diligence is kept as long as relevant (for example, if a vendor is disqualified for some reason, we may keep that information to avoid re-engaging them).
- Research Data: Data collected in research projects is retained as per the research protocol approved and any consent given by participants. If we promise to delete identifiable research data after concluding the study, we will do so (perhaps retaining only de-identified or summary results). In other cases, research data may be kept for longer to allow scientific validation or follow-up studies, but typically such data would be anonymized. We also follow any legal requirements for research data retention (for instance, clinical trial data has specific retention mandates in some contexts). In the absence of specific rules, we weigh the scientific value of retaining data against the privacy impact. If research data is stored for long periods, we strive to store it in a form that no longer directly identifies individuals.
- Legal and Compliance Data: Some data must be retained for fixed periods by law. For example, company law and tax law may require retaining certain records (that contain personal data) for a minimum of 7 or 10 years. If a legal claim is anticipated, we may place a “litigation hold” on relevant data, meaning we preserve it until the matter is resolved (even if it would otherwise be deleted). Data related to complaints or grievances might be kept for a certain period after resolution to ensure the issue does not recur and for reporting purposes (under the DPDP Act, we might need to show our grievance redressal track record to authorities).
- Backup and Archival Copies: Even after active databases purge data, copies might exist in backups or archives. We have retention schedules for backups too. Typically, backups are rotated and overwritten after a set cycle (e.g., incremental backups retained for X months, full backups Y months, unless specified otherwise for disaster recovery). If we delete data from production on your request, we will also endeavor to remove it from backups within a reasonable time frame, or ensure that backups eventually expire and are destroyed. We do not restore deleted data from backups unless required for security or legal reasons.
- Deletion Process: When data surpasses its retention period or is no longer needed, we delete it in a secure manner. This may involve permanent erasure from databases, shredding of physical documents, and secure wiping of electronic storage. For structured databases, deletion might be automated based on date fields. For unstructured data (like emails, documents), we rely on periodic audits and user diligence under our policies to archive or delete old content. We also honor specific deletion requests (such as a user invoking their right to erasure, see Individual Rights below) provided there’s no overriding need to keep the data.
In implementing retention and deletion, we factor in the consent and expectations of data principals. If you withdraw consent for a certain processing, we will stop that processing and delete the related data unless we have another lawful basis to keep it. For instance, if you consented to a newsletter and then unsubscribe, we will remove your email from the mailing list; however, we might retain a record that you unsubscribed (email address in a suppression list) to ensure we don’t accidentally send you emails again.
Our goal is to not retain personal data in identifiable form longer than necessary. Determining “necessary” duration depends on the context – we have internal guidelines to help ensure consistency. If you have specific questions about how long we keep a certain type of data, you can contact us for more information. Furthermore, if no legal requirement applies, and the data is not needed, we either delete it or anonymize it (for example, rather than delete a whole dataset, we might strip it of personal identifiers so it can no longer be linked to individuals, thus retaining the value of data while protecting privacy).
Individual Rights and Choices
We respect that individuals (“data principals” under the DPDP Act, or “data subjects” under GDPR) have certain rights regarding their personal data. We have established processes to enable you to exercise these rights. The exact rights available to you depend on the laws applicable to your data (for example, Indian law, EU law, etc.), but we aim to honor any legitimate request to the extent possible in a consistent manner. Below we outline key rights and how you can exercise them:
- Right to Access: You have the right to know whether we process personal data about you, and to request access to that data. This typically includes the right to receive a copy of the personal data we hold about you, or to view it, as well as supplementary information about how we process it. For example, an employee can request to see what data is in their HR file, or a client user can ask for a copy of their profile and activity on our platform. Under the DPDP Act, individuals have a right to obtain a summary of their personal data that we process and to know which other entities their data has been shared with. We will provide the relevant information in a concise and intelligible form, usually within a reasonable time (as per law, such as within 30 days, subject to extensions if permitted).
- Right to Correction and Rectification: It is important that the personal data we have is accurate and up-to-date. If you believe that any data we hold about you is incorrect or incomplete, you have the right to request that we correct or update it. Under DPDP and other laws, this extends to the right to have incomplete data completed (for instance, adding a new phone number if the old one changed). Upon verification, we will make the necessary corrections promptly and notify any third parties who received incorrect data if required. In cases where we disagree that data is incorrect (rare, but e.g., if our record is a historically accurate fact), we will inform you and you may have the right to add a statement of dispute to the file.
- Right to Erasure (Right to be Forgotten): You may request deletion of your personal data in certain circumstances. For example, if the data is no longer needed for the original purpose, if you withdraw consent and no other legal basis exists, or if you believe we have processed your data unlawfully. We will assess such requests and, if justified, will erase your data. Under Indian law, you can request erasure of data that was collected based on your consent (upon withdrawal, data must be erased unless retention is required by law) or if retention is unnecessary. Under GDPR, the right to be forgotten is subject to some exceptions (we might refuse erasure if the data is needed for free expression, legal claims, or compliance with a legal obligation, etc.). We will inform you of the outcome of your erasure request. If we have made data public (unlikely in most cases except perhaps a testimonial you agreed to post), we will take reasonable steps to inform other controllers processing that data of your erasure request.
- Right to Data Portability: For jurisdictions that provide this right (like GDPR), you can request a copy of certain personal data in a structured, commonly used, machine-readable format, and you have the right to have that data transmitted to another data controller where technically feasible. This usually applies to data you provided to us directly and that is processed by automated means on the basis of consent or contract. For instance, if you gave us a set of information and want to transfer it to a competitor’s service, we will provide it in a CSV or similar format on request. Under the DPDP Act, an explicit portability right isn’t spelled out as strongly as in GDPR, but we strive to assist with any legitimate request to transfer your data.
- Right to Withdraw Consent: Where we rely on your consent to process data, you have the right to withdraw that consent at any time. Once we receive notification of withdrawal, we will stop the processing for which consent was given, unless we have another lawful basis to continue (for example, retention for legal obligations). Withdrawal will not affect processing already carried out but will prevent future processing. For example, you can opt-out of marketing emails by withdrawing consent (via an unsubscribe link or contacting us) and we will cease sending you such emails. If you consented to a research study and then change your mind, you can withdraw and we will cease collecting further data from you; we will also remove your data from the study to the extent possible without compromising the study’s integrity or legal requirements.
- Right to Object to Processing: In certain cases, you have the right to object to our processing of your personal data. Under GDPR, you can object when processing is based on legitimate interests or for direct marketing. If you object to direct marketing, we will honor that absolutely (stop all marketing to you). If you object to processing based on our legitimate interests, we will evaluate your objection and unless we have a compelling legitimate ground to continue (or the processing is needed for legal claims), we will stop processing that data. For instance, you might object to us using your data for analytics – we would then exclude your data from such analysis if possible. Indian law doesn’t explicitly enumerate a general right to object, but you always have the ability to raise concerns and we will consider them in line with applicable rights.
- Right to Restriction of Processing: This right (under GDPR and some other laws) allows you to ask us to limit processing of your data in certain scenarios, e.g., while a dispute over accuracy is being resolved or if processing is unlawful and you prefer limitation over deletion. When processing is restricted, we will store your data but not use it until the restriction is lifted (except for certain things like legal claims or protecting others’ rights). We’ll inform you when a restriction is lifted.
- Right in relation to Automated Decision-Making: If we ever engage in fully automated decision-making (including profiling) that produces legal effects or similarly significant effects for you, you have the right not to be subject to such a decision, unless it’s necessary for a contract with you, authorized by law, or based on your explicit consent. In practice, Nuerolytica does not typically make such automated decisions about individuals without human involvement. If this changes, we will inform you and provide avenues for you to obtain human intervention or to contest the decision.
- Right to Grievance Redressal: The DPDP Act specifically gives individuals the right to seek redress for grievances. We have a Grievance Officer (see Contact Us / Grievance Redressal section) whom you can approach if you have any complaints about how we handle your data. We commit to acknowledging and resolving complaints within the timelines prescribed by law (currently the draft DPDP rules suggest an acknowledgement within 24 hours and resolution within 15 days for grievances). If you are not satisfied with our resolution, you may escalate the complaint to the Data Protection Board of India as per the DPDP Act, or to other relevant authorities/courts. Under other laws like GDPR, you have the right to lodge a complaint with a supervisory authority (such as an EU Data Protection Authority) if you believe we have infringed your data protection rights. We encourage you to contact us first so we can try to address your concerns directly.
- Right to Nominate (DPDP Act specific): Uniquely, the DPDP Act allows you to nominate another individual to exercise your rights on your behalf in case of your death or incapacity. If you wish to designate such a nominee, please contact us with the necessary details and proof of authorization. We will ensure that the nominee (such as a family member or legal heir) can then act on your behalf regarding your data with us.
How to Exercise Your Rights: You can exercise these rights by reaching out to us through the contact details provided in the Contact Us / Grievance Redressal section of this Policy. For efficiency, you may use a subject line like “Data Subject Request – [Your Name]” and specify which right you wish to exercise. We may need to verify your identity before fulfilling the request (to ensure we don’t give your data to an impostor). Verification could be done by asking for certain information that we can match with our records, or other appropriate means.
There is generally no fee for exercising your rights. However, if a request is unfounded or excessive (for example, repetitive requests without reason), we may either refuse or charge a reasonable fee as allowed by law. We will explain our reasoning in such cases.
We will respond to your request within the timeframe mandated by applicable law. Under GDPR, it’s typically one month (extendable by two more months if necessary, with notice); under the upcoming DPDP regime, similar or shorter timelines may apply as per rules. If we need more time, we will let you know the reason (e.g., complex request, large volume of data).
Please note, these rights are not absolute. There are circumstances where we might not be able to fully comply with your request, such as:
- We cannot provide data that involves others’ privacy without appropriate measures or consent from them.
- We may decline a deletion request if we are required to keep the data by law (e.g., transaction records) or if the data is necessary for legal claims.
- We might not correct data if it is an opinion (like a performance review) or if it was accurate at the time of processing (historical data), but we would allow you to add your counter-statement.
- For access requests, we might redact or omit information that is proprietary (like our trade secrets or confidential logic) or that reveals personal data of third parties.
Rest assured, even if we must refuse a request, we will provide you with a clear explanation unless prohibited by law. We believe in transparency and will do our utmost to enable you to exercise control over your information.
Children’s Privacy
Protecting the privacy of minors is especially important to Nuerolytica. Our Services are generally not directed at children under 18 years of age (or the relevant age of majority in your jurisdiction). We do not knowingly collect personal data from children without appropriate consent. Under the DPDP Act and other global regulations, a “child” is typically defined as someone under 18 years old, and processing of children’s data is subject to stricter standards.
Key points regarding children’s data:
- Parental Consent: If a child under 18 (in India, or under the applicable age threshold elsewhere, e.g., under 13 in some U.S. contexts for COPPA, under 16 in certain EU countries unless lowered by member state) attempts to use our Services or provide personal data, we require verifiable consent from their parent or legal guardian. For example, if we ever host an online forum or learning platform that might attract younger audiences, we will put in place a mechanism to obtain parental consent before collection or use of any personal data from the child. Without such consent, we aim to not collect or process children’s personal data.
- No Targeted Advertising or Profiling of Children: We abide by legal prohibitions on tracking and targeting minors. The DPDP Act explicitly disallows behavioral monitoring or targeted advertising directed at children. Accordingly, we do not profile children for marketing purposes, nor do we serve personalised ads to known minors through our websites or services. We also do not knowingly allow third-party advertising networks to collect data on children through our platforms.
- Educational or Research Programs Involving Minors: In some cases, our R&D or community initiatives might involve students or minors (for example, a robotics workshop for high school students or a study on educational technology). In such cases, we will obtain written consent from parents/guardians and, where feasible, assent from the minors themselves. Data from such programs will be used only for the defined educational/research purpose and safeguarded with extra care (treated as sensitive). We adhere to any additional legal requirements, such as appointing a guardian or ensuring anonymity in published results.
- Content and Language: We strive to ensure that any content on our websites that might be accessible to children is appropriate. Our website terms also discourage use by children without supervision. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately. We will take steps to delete the data as soon as possible (unless we have a lawful reason to keep it, which is unlikely for unsolicited child data).
- Age Verification: Where relevant, we may implement age gating or age verification for parts of our services. For example, if we have a community forum, we might ask users to confirm they are above a certain age to proceed. This relies on good faith, but if we discover someone is underage, we will suspend or terminate their account until proper consent is obtained or they reach the requisite age.
We encourage parents and guardians to be involved in their children’s online activities. We are not liable for any unauthorised use of our Services by minors where parental consent was required but not obtained; however, we will certainly work with parents to rectify any such issues. If content or data aimed at children is collected, we treat it with heightened security and privacy considerations, knowing that misuse of children’s data can be particularly harmful.
In summary, our policy is not to knowingly engage in any processing of personal data of children without consent of a parent/guardian and compliance with applicable child privacy laws. Any exceptions (such as a health emergency involving a minor at our premises, where processing is vital) would be handled strictly under legal allowances and with notification to the guardian as soon as possible.
Employee, Contractor, and Vendor Obligations
Privacy protection is not just a matter of corporate policy at Nuerolytica—it’s a responsibility that every employee, contractor, and vendor we work with must uphold. We have instituted clear obligations and guidelines for anyone who handles personal data on Nuerolytica’s behalf, to ensure data is respected and protected at all stages of processing.
Employee Obligations:
All Nuerolytica employees are required to adhere to confidentiality and data protection obligations as a condition of their employment. This includes:
- Confidentiality Agreements: Every employee signs a confidentiality or non-disclosure agreement (NDA) when joining, which covers protecting personal data and company confidential information (including client and partner data). These obligations extend beyond the term of employment, meaning even after an employee leaves Nuerolytica, they are legally bound not to disclose or misuse personal data they had access to.
- Code of Conduct and Policies: We have an internal Code of Conduct and specific Information Security and Data Protection policies. These documents outline expected behavior in handling data—such as not sharing accounts, not emailing data to personal addresses, properly using encryption, etc. Employees must annually reaffirm their understanding of these policies and undergo refresher training. Any breach of data protection policy can result in disciplinary action, up to and including termination and legal action if warranted.
- Role-Based Access and Least Privilege: Employees are instructed to access only the data they need for their job and to refrain from curiosity browsing. We enforce technical access controls, but we also rely on employee integrity. It is made clear that prying into records without authorisation (for example, looking up a celebrity client’s data out of personal curiosity) is a serious violation.
- Data Handling and Classification: Employees are trained to classify data (public, internal, confidential, highly confidential) and handle it accordingly. Personal data is at least “confidential”, with sensitive personal data as “highly confidential.” Printouts containing personal data must be promptly collected from printers and shredded after use. Electronic files should be stored in secure folders and not downloaded to unsecured devices.
- Device and Workspace Security: Employees must ensure that laptops and other devices are encrypted, have up-to-date security software, and are locked when not in use. They should not leave sensitive documents unattended on desks (clean desk policy) and should report any lost or stolen device immediately so we can take mitigating action (like remote wiping).
- Incident Reporting: We require employees to immediately report any suspected data breach, security incident, or policy violation to the appropriate internal team (such as the IT security team or the Data Protection Officer). There is no blame in reporting—employees are encouraged to speak up so we can address issues swiftly.
- Need-to-Know Sharing: Within the company, employees should only share personal data with colleagues who have a legitimate need for it. If an employee is asked to provide data to a colleague, they must ensure that the colleague is authorised for that data. This prevents internal oversharing.
Contractor Obligations:
Contractors (including consultants, freelancers, and researchers engaged by us) who have access to personal data are held to virtually the same standards as employees. Our contracts with such individuals include clauses requiring:
- Maintenance of confidentiality and data security (often by incorporating our full NDA terms by reference).
- Use of data only for the purposes of the engagement and in line with our instructions. The contractor should not use or disclose personal data for any personal or unauthorized purposes.
- Return or secure deletion of personal data upon completion of the contract (unless retention is required by law). For example, if a contractor was given a dataset to analyze, they must return all copies and wipe any local storage after finishing the project.
- Compliance with our policies: we often provide contractors with a copy of relevant policies or require them to complete our data protection training if their engagement is extended. If contractors use our IT systems, they must abide by the same IT usage rules.
- Notification of incidents: contractors must immediately inform us if they suspect any data compromise or if they realize they handled data in violation of the terms (e.g., accidentally emailing a file to the wrong person).
- Subcontractor restrictions: A contractor cannot pass personal data to any sub-contractor or third party without our approval. If they do, we ensure similar obligations are cascaded down.
We reserve the right to audit or monitor contractors’ activities (to a reasonable extent) to ensure compliance. A breach by a contractor can lead to contract termination and potential legal action for damages.
Vendor Obligations:
When we engage vendors or service providers (companies or individuals) who will process personal data on our behalf (making them “data processors” under applicable laws), we put in place rigorous contractual safeguards:
- Data Processing Agreements (DPAs): These are contract addenda that specifically outline how the vendor may process personal data, including limits on use (only for our purposes, not for the vendor’s own purposes), security requirements, confidentiality, breach notification obligations, and assistance with data subject rights. For example, our DPA will require the vendor to notify us within a very short time (e.g., 24-48 hours) if they experience a data breach affecting our data, so that we can take action and notify regulators or individuals as needed.
- Compliance with Laws: Vendors must comply with applicable data protection laws (DPDP Act, GDPR if relevant, etc.). If we operate in multiple jurisdictions, we often include clauses for compliance with those regimes (like clauses on cross-border transfer if the vendor is overseas). Vendors are required to abide by any specific regulations in our industry too, if applicable.
- Security Measures: We mandate that vendors implement appropriate technical and organizational measures to protect personal data. We often ask about and rely on their security certifications or audits. In some cases, we might conduct our own assessment or request the right to audit their facilities or practices (especially for critical or high-risk vendors).
- Confidentiality by Vendor Staff: The vendor must ensure that anyone in their organization who accesses our personal data is bound by confidentiality obligations (for instance, by employee contracts or internal policies).
- Sub-processing: Vendors are not allowed to subcontract data processing to another party without our consent. If consent is given, the sub-processor must be held to the same standards via a contract. We typically require vendors to provide a list of approved sub-processors and notify us of any intended changes, giving us a chance to object if we have concerns.
- Data Return/Deletion: Upon end of service, the vendor must return or delete all personal data we provided (and certify deletion) as per our instruction. If they need to retain data for legal reasons (e.g., backups, or logs for compliance), that must be communicated and they must continue to protect it.
- Liability and Indemnity: We include liability clauses in case the vendor’s actions cause harm (like a breach due to their negligence). This is to ensure they have a strong incentive to maintain high standards and so we can recover costs if we face claims due to a vendor’s fault.
- Oversight: Depending on the risk, we keep close oversight of vendors. We may schedule review meetings, require periodic security reports, or integrate their systems with ours in a way that we can see logs of data access. For cloud providers or big established vendors, we rely on their standardized certifications and shared responsibility models, but still continuously monitor updates they provide about security or privacy issues.
Enforcement and Accountability:
Nuerolytica has a Data Protection Officer (or equivalent function) and an internal compliance team who oversee adherence to these obligations. We maintain records of processing activities and can demonstrate compliance (for example, through audit logs, training records, and policy acknowledgments). If an employee, contractor, or vendor is found to violate data protection requirements:
- For employees: disciplinary procedures will be initiated, which may result in warnings, mandatory re-training, suspension, or termination depending on severity.
- For contractors: breaches typically result in termination of contract and depending on the circumstances, possible legal action (if the breach caused us regulatory fines or lawsuits from individuals, we may seek indemnification).
- For vendors: similarly, breach of contract terms can lead to termination of services, and if significant harm is caused, we will pursue remedies available under the contract (like indemnities). We will also evaluate if the vendor should be reported to authorities or listed in any warning portals (some industries have mechanisms to warn others of rogue vendors).
Our commitment is to foster a culture where everyone handling personal data understands their duty to protect it. Privacy is built into our onboarding, our daily operations, and our third-party engagements. By ensuring these obligations, we aim to minimize human error or misconduct, which are often the weakest link in data breaches.
Sector-Specific Privacy Practices
Nuerolytica’s business spans several verticals – robotics solutions, deep-tech consulting, industrial consulting, and research & development initiatives. While our core principles of privacy and data protection apply across all areas, each vertical has unique contexts and data considerations. Below, we outline specific privacy and data protection measures or clauses tailored to these verticals:
Robotics and AI Solutions
Our Robotics division involves the development and deployment of advanced robotics systems, which often include AI-driven components (for example, autonomous drones, industrial robots with computer vision, or service robots). Privacy considerations in this field include:
- Sensor Data and Environmental Capture: Robots are frequently equipped with sensors such as cameras, LiDAR, or microphones to navigate and perform tasks. These sensors might inadvertently capture personal data – e.g., video feed of people in a factory, or audio in a workspace. We design our robotic systems to minimize personal data capture when not needed. For instance, if a security robot has a camera, we might implement on-device processing that detects anomalies (like an intruder) without streaming or storing continuous footage, unless an event triggers a recording. When our robots operate in public or client environments, we provide clear notice (signage or announcements) that surveillance or data capture is occurring, if required.
- Facial Recognition or Biometric Use: If a robotics solution includes biometric identification (like a facial recognition feature for access control), we handle that biometric data with extreme care. Such features are only implemented when explicitly required by the client and in compliance with local laws. Biometric templates are encrypted and stored either only on the user’s device or in a secure server environment with restricted access. We also typically require an opt-in consent from individuals whose biometrics will be enrolled. For example, employees in a facility might have to consent to facial recognition entry systems. We also provide an alternative method when possible (for those who don’t consent, like a keycard entry alternative). Biometric data is treated as sensitive personal data and not used for any purpose other than the specific authentication/identification.
- Autonomous Decision-Making: Our AI-enabled robots might make autonomous decisions (like navigating a route or sorting objects). However, any decisions that significantly affect humans (for instance, a security robot alerting law enforcement after “deciding” someone is trespassing) are carefully governed and typically involve a human in the loop for verification. We ensure that AI models embedded in robotics are trained on appropriate data and do not perpetuate bias or unlawfully profile individuals. If a robot interacts with members of the public (for instance, a customer service kiosk robot), we ensure it only collects necessary information (like voice input to answer a question) and that such information is not retained beyond the interaction unless consented (like opting to provide contact info).
- Data Generated by Robots: Robots can generate large volumes of operational data (telemetry, logs of activities, performance metrics). If any of this data qualifies as personal (e.g., timestamps and locations a security robot encountered a person), we treat it as personal data. Typically, operational logs are used for maintenance and improvement of the robot’s functioning. We anonymize or aggregate this data whenever feasible. For example, we might collect how many humans were detected by a robot each hour (without storing footage or identities) to optimize patrol routes – this would be done in a privacy-preserving way.
- Embedded Privacy Features: We integrate privacy by design into robotics. This includes features like data minimization settings (configurable by clients to limit what data is collected/stored by the robot), secure data transmission (robots sending data back to control centers via encrypted channels), and automatic deletion (robots purging local cache of sensor data after processing). For instance, a delivery drone might have short-term memory of its camera feed for navigation, but not retain that feed long-term, unless an incident occurs.
- Client Collaboration: Many robotics deployments are at client sites. We work closely with clients to ensure that our robotics solutions meet their privacy compliance needs. If a client site is in a jurisdiction with stringent surveillance laws, we adapt our system (e.g., blur faces in real-time if required, or restrict camera usage in certain areas). Contractually, we clarify responsibilities: Nuerolytica provides the tool with privacy features, and the client must operate it within the legal framework (like putting up notices or obtaining consents if needed from their employees). We often provide documentation and training to clients on how to use the robotics system in a privacy-compliant manner.
- Emergencies and Exceptions: In cases where robotics data could help in emergencies (e.g., footage of an accident captured by a factory robot), our system allows authorized personnel to extract that data. Such access is logged and audited. We advise that such uses should still respect individual dignity (for example, footage used for investigation should be handled confidentially).
Overall, our robotics vertical strives to push innovation without compromising individual privacy. We see privacy protection as a key component of trustworthy AI and robotics, which ultimately benefits user acceptance and safety.
Deep-Tech and Industrial Consulting Services
Our consulting services in deep-tech and industrial domains involve providing expert advice, solutions, and implementation support to businesses often in sectors like manufacturing, infrastructure, energy, and high-tech. These projects can entail handling sensitive corporate data and sometimes personal data as well. Key privacy aspects:
- Corporate Data and IP: Much of the data we handle in consulting is corporate in nature (process designs, machine data, business strategies). While this might not be personal data, it is highly confidential intellectual property (IP) of the client. We treat such data with the same care as personal data in terms of security and confidentiality. Our consulting agreements include strict confidentiality clauses to protect client IP. Any personal data embedded within corporate data (e.g., a report listing names of plant managers along with production stats) is equally protected. We often sign Non-Disclosure Agreements (NDAs) even at the pre-sales stage to assure potential clients that their information will remain confidential.
- On-Site Data Collection: In industrial consulting, our team might visit client facilities and observe operations. We might collect data by interviewing employees or through sensors we deploy. For example, we might conduct time-motion studies requiring filming of workers (with their knowledge) to optimize workflows. In such cases, we ensure transparency – affected employees would be informed of the purpose of data collection and how it will be used for process improvement. Personal identities are typically not relevant to our analysis, so we aim to anonymize individuals in the data (e.g., analyzing task durations without needing to know which specific employee did it). Any data collected on-site is taken back securely (devices encrypted, transfer over VPN, etc.), and we often agree contractually that all raw data belongs to the client and will be returned or destroyed at project end.
- Use of Client’s Customer or Employee Data: Deep-tech consulting might involve analyzing our client’s datasets, which could include personal data of their customers or employees. For instance, we might be tasked to analyze user logs from a software product to advise on enhancements, or to examine employee performance data to suggest training programs. When we act in such a capacity, we are usually a data processor for our client. We make sure a proper data processing agreement is in place, so the responsibilities are clear: we only process the data as instructed by the client, we ensure our personnel accessing it are minimal and bound by confidentiality, and we apply any special handling the client requires (e.g., perhaps they want us to only work on anonymized data – we accommodate that). If we need to transfer data off client premises (like to our secure cloud for analysis), we get client approval and ensure secure transfer and storage.
- Data Analysis and AI Recommendations: In deep-tech domains, we frequently employ advanced data analytics and AI to derive insights (which is why clients hire us). When we build models or analytics for a client using their data, we clarify ownership and privacy aspects. Generally, the model (if it embeds their data patterns) is considered their IP or joint IP per contract, and any personal data in training is either pre-anonymized or the model is built in a way that individual identities are not discernible (like using aggregated features). If the consulting output includes recommendations involving personal data (say, advising that certain employees should be re-skilled based on performance data), we handle that sensitively and usually deliver it directly to client management, who then take appropriate HR action in line with their policies. We do not make decisions on behalf of clients about individuals – we present findings and the client decides any action affecting their employees or customers.
- Cross-Border Consulting Teams: Our consulting projects may involve team members from multiple countries (e.g., a domain expert in Germany working with a project lead in India). This can result in cross-border data flow of client information. We address this by contract (ensuring the client is aware and approves) and by internal safeguards (secure collaboration tools, least privilege access). We also abide by any data transfer restrictions the client has; for instance, if a client from Europe says personal data cannot leave Europe, we will ensure any analysis is done on servers in Europe or via remote access that doesn’t export the data. We leverage our global presence in a compliant way.
- On-Premise Work and Devices: Often consultants might work on client-provided systems or networks while on-site. We train our consultants to follow the stricter of either our security policies or the client’s policies when working on-site. If using client equipment, their IT policies apply, and we ensure no data is taken out without permission. If using our equipment, we may partition client project data on encrypted containers and ensure it’s wiped after project completion. We also address physical security – for example, not leaving notebooks with client info unattended, and respecting any photography restrictions in facilities (which ties to privacy of workers there too).
- Outcome and Report Publishing: Sometimes, consulting outcomes are published as case studies or part of our research reports (with client permission). We ensure that no personal data is included in any publication without explicit consent. Typically, case studies anonymize the client or use only business-level information (“a leading automotive manufacturer increased efficiency by X%”). If testimonial quotes or names are used, we get written approval from those individuals and the company.
- Compliance Advisory: As part of consulting, we might also advise clients on compliance including data protection. We ensure our own house is in order as we do so, serving as a role model. If engaged to audit or design a client’s privacy program, any personal data we review (like reviewing their records or systems) is treated confidentially just like our own data would be. We would contractually clarify that we’re not to use any personal data seen in such audits for any purpose other than providing advice.
In essence, our consulting verticals embed privacy as a fundamental component of high-quality consulting: protecting our clients’ data and any personal data within it is critical to maintaining trust and delivering effective solutions.
Research and Development Initiatives
R&D is at the heart of Nuerolytica’s innovation. We undertake research projects both internally (to drive new technologies in AI, robotics, etc.) and in collaboration with external partners (universities, consortia, etc.). Our approach to data in R&D emphasizes ethics and privacy:
- Ethical Oversight: We have an internal review process for R&D projects that involve human data. This functions similarly to an Institutional Review Board (IRB), where we assess the ethical implications and privacy impact before starting. High-risk research (e.g., involving human subjects or sensitive personal data) undergoes a Privacy Impact Assessment and may require external ethical review or approval. We abide by principles of research ethics such as informed consent, beneficence, and confidentiality.
- Informed Consent in Research: If we collect personal data directly from individuals for research (be it a usability test, a survey, or an experimental technology trial), we obtain informed consent. Participants are told in clear terms what data will be collected, for what purpose, who will have access, how it will be stored, and what their rights are (including the right to withdraw). We do not use research data for purposes outside the scope of the given consent. For example, if we collected data for an academic study, we won’t later use those participants’ data for marketing, unless they separately consented.
- Anonymization and Pseudonymization: Whenever possible, research data is anonymized. For instance, if we collect raw data (like video footage of interactions for analysis), once we’ve extracted the needed insights, we might blur faces or replace names with codes. In publications or shared datasets, we remove direct identifiers. We also use aggregation – e.g., publishing that “20% of participants experienced X” rather than listing individual outcomes. We may also employ techniques like differential privacy if we release any dataset, to prevent re-identification of individuals from aggregate data.
- Data Security in Research: Research data, especially if it includes personal or sensitive information, is stored in secure, access-controlled environments. Access is limited to the research team. For collaborative projects, data-sharing agreements are put in place with partners, stipulating security and privacy requirements. If we use cloud-based research notebooks or platforms, those are vetted for security. We also consider location when storing research data – e.g., EU research data might be kept on EU servers if needed for compliance.
- AI/ML Model Development: A lot of our R&D involves training machine learning models on datasets. We ensure that if personal data is used in training, it’s done lawfully (with consent or other legal basis). Moreover, we try to design models that don’t memorize personal data or output personal details. We test our models to avoid unintended privacy issues (like a text-generation model spitting out part of someone’s personal data from training – we mitigate that by training processes and using techniques to reduce overfitting to specific personal info). If we open-source any code or publish findings, we ensure no private data is embedded.
- Collaborative Research Data Sharing: If partnering with an academic institution, we often share data under a Data Sharing Agreement that restricts usage to the research purpose, prohibits attempts to re-identify individuals, and requires deletion or return of data after. Similarly, if we receive data from a partner (say a hospital providing anonymized patient data for an AI project), we ensure it’s properly anonymized or that we handle it under strict confidentiality, and use it only for the project. Any publication arising will be vetted to ensure it doesn’t inadvertently expose personal details.
- Participant Rights: Research participants typically have the same rights (access, correction, deletion) unless a waiver was obtained for specific scientific reasons (which is rare and would be per law allowances). We allow participants to withdraw and will remove their data if withdrawal is requested (to the extent possible — sometimes data already analyzed in aggregate cannot be separated, but we ensure no further analysis on that individual’s data). We also typically share results with participants if they’re interested (transparency and respect).
- Data Retention in Research: We keep identifiable research data only as long as needed for the research. Some research data might be valuable for future studies; in those cases, we either get consent for long-term storage or we anonymize it so it can be stored without identifying people. Any personally identifying links (like a key linking participant codes to names) are stored separately and securely, and destroyed once the connection is no longer needed.
- Regulatory Compliance: If our R&D touches regulated areas (like medical data or clinical research), we comply with those specific regulations (for example, we might then also be subject to HIPAA in the US for health data, or the Clinical Trials Rules in India). Our research team consults with legal/regulatory experts to ensure compliance in specialized fields.
- IP Considerations: Research often leads to intellectual property like patents or trade secrets. We ensure that any personal data is not disclosed in patent filings (which become public). If an invention relies on a dataset of personal information, we describe it in generalized terms. Personnel who contribute to research sign IP assignment agreements so that outputs are owned by Nuerolytica (or shared with partners as agreed), and they also agree to maintain confidentiality of any underlying data.
In all, our R&D privacy practices aim to balance the advancement of knowledge and technology with the fundamental rights of individuals. We believe innovation should not come at the expense of privacy, and by embedding ethical considerations into research, we create technologies that are socially responsible and trustworthy.
Confidentiality and Intellectual Property Protection
As a high-tech, innovation-driven company, Nuerolytica places utmost importance on the protection of both personal data and intellectual property (IP). We recognize that in many cases these overlap: information we generate or handle can be simultaneously personal and proprietary. Therefore, we maintain a robust regime of confidentiality that covers all sensitive information, ensuring that neither personal privacy nor our company’s (or our clients’) intellectual assets are compromised.
Confidential Information: We broadly define confidential information to include any non-public information we handle, whether it pertains to individuals (employees, clients, etc.) or to business matters (technical know-how, business plans, strategies). This obviously includes all personal data discussed in this Policy, and extends to data like algorithms, source code, product designs, financial projections, trade secrets, and research data. Our employees, contractors, and partners are contractually obligated to keep all such information confidential. This obligation is indefinite – it does not lapse simply because, say, an employee leaves or a project ends. We only allow disclosure of confidential information to third parties under specific conditions (like a need-to-know basis with equivalent confidentiality obligations in place, or if required by law with protective measures).
Intellectual Property (IP) Rights: Nuerolytica retains ownership of its IP and respects the IP of clients and partners. This has several privacy-related implications:
- If we gather or create a dataset during a project, the question of who owns that dataset is addressed in the contract. Typically, client-provided data remains the client’s property; data we independently collect or generate might be owned by us or jointly, depending on agreements. Regardless of ownership, any personal data within is protected per privacy laws. Ownership does not trump privacy rights – for instance, even if we “own” a compiled dataset of user behavior, we still cannot misuse personal elements of it contrary to privacy commitments.
- Employees and contractors sign IP assignment agreements for work created during their engagement, meaning any inventions, code, or writings they develop for Nuerolytica become Nuerolytica’s IP (or as contractually agreed for client projects). They also agree not to misappropriate our IP (like taking code or data to a new employer, or releasing trade secrets). We enforce these clauses to prevent leakage of sensitive information. In practice, we use access controls and monitoring (as described in Security and Internal Obligations sections) to deter and detect any exfiltration of IP. For example, copying large amounts of data from a secure repository triggers alerts.
- When sharing information with clients or vendors, we often use need-to-know and segregation principles to protect our IP and personal data. If a client wants to audit our data practices (a legitimate request especially under DPDP or GDPR for processors), we share just enough information to satisfy the query without exposing unrelated IP or other clients’
- If third parties (like auditors, or regulators) need access to systems containing personal data or IP, we supervise and ensure it’s covered by appropriate confidentiality. For instance, if a certification auditor reviews our processes, they might see some data – we have them sign NDAs and limit what they can take away.
Data Sovereignty and IP: We acknowledge that certain data may be subject to national laws (data sovereignty) while also being a valuable intellectual asset. We manage this by complying with localization laws (if any) – e.g., if certain sensitive data is required to remain in India, we ensure it’s stored on Indian servers even if it’s part of a larger intellectual dataset. We do not relocate data in violation of such laws just for convenience, as that could not only breach law but also risk IP being seized or accessed under foreign jurisdictions. Essentially, respecting data sovereignty also protects the IP embedded in that data from extraterritorial access.
Exclusive Use of Data and IP: We include clauses in our client contracts that any personal data shared with us remains under restricted use – we won’t use it to develop our own products or for other clients, except in an aggregated, anonymized form that no longer identifies or is attributable to the client. Similarly, if we incorporate our pre-existing IP into a deliverable, we retain ownership of that, but we license it to the client. All of these arrangements are made with a view to avoid ambiguity that could lead to unauthorized use of data or IP. From a privacy angle, it ensures that personal data provided by one client isn’t visible to another or repurposed for unrelated projects.
Cultural Emphasis: We foster a culture where both privacy and IP security are seen as complementary values. Our teams understand that leaking personal data could cause harm to individuals and legal penalties, while leaking IP could cause competitive harm and loss of trust. Both have serious consequences, and thus careful handling of all sensitive information is second nature in our operations. We do not, for example, tolerate “curiosity” or gossip about projects internally – need-to-know means employees should not seek information on projects or data outside their assignment.
Incident Handling for IP: In the unfortunate event of an intellectual property leak or suspected theft (for instance, a code leak or an insider taking confidential files), we investigate thoroughly. Often, personal data could be part of that leak (like an internal document might contain names or customer info). Our incident response then covers notifying affected parties as needed (just like a data breach) and taking legal action for IP theft. We might involve law enforcement for serious breaches (e.g., trade secret theft can be a criminal matter). Meanwhile, we plug the security gaps that allowed the leak, which might involve revoking accesses, enhancing monitoring, or improving employee vetting/training.
Transparency with Clients and Users: Even though we keep information confidential, we remain transparent with the rightful owners or providers of data. For example, if a client asks “what did you do with our data during the project?”, we will provide a detailed accounting (it’s their data after all). If users ask how their data is used in our products, we explain in this Policy and in any user-facing interface (like a mobile app might have a pop-up explaining data usage). For IP-related questions, such as a client wanting to ensure we aren’t using their data to train AI for other purposes, we provide contractual and, if requested, technical evidence (like an architecture description showing separation of data).
In summary, confidentiality and IP protection are deeply ingrained in Nuerolytica’s ethos. By safeguarding IP, we also protect any personal data entwined with it, and by protecting personal data diligently, we inherently shield a valuable class of information assets. This dual focus ensures trust from both our clients (who care about their business secrets) and individuals (who care about their personal info), reinforcing our reputation and legal compliance.
Data Breach Response and Notification
Despite all our precautions, we acknowledge the possibility that a security incident or data breach could occur. Nuerolytica has a well-defined Incident Response Plan to deal with such events effectively, minimise harm, and fulfill our obligations to notify stakeholders and authorities.
Incident Identification and Containment:
Our IT security systems and processes are designed to detect anomalies that could indicate a breach (unauthorised access, malware infections, data exfiltration attempts, etc.). The moment a potential incident is detected or reported (be it by an automated alert, an employee, or an external source), our incident response team springs into action. The team comprises members from IT security, legal, operations, and senior management as needed. The first steps include:
- Assessment: Quickly assess what happened – e.g., is it a ransomware attack locking our data, a lost laptop, a hacker in the network, an email sent to the wrong person? Determine the nature and scope of the incident.
- Containment: Stop the bleeding. This may involve isolating affected systems (taking servers offline, revoking compromised credentials, applying emergency patches), stopping any ongoing data leakage, and preserving evidence for analysis. For instance, if we discover an unauthorized database access, we might change access keys, block certain network traffic, and take a backup of logs for forensics.
- Incident Classification: We classify the severity of the incident (low, medium, high, critical) based on factors like the sensitivity of data involved, the number of records affected, whether the data is encrypted, and potential impacts (financial, legal, operational, reputational).
Investigation and Eradication:
Our team will thoroughly investigate the incident to understand how it occurred, what data was affected, and whether the threat has been neutralised. We may engage external cybersecurity experts if needed for complex incidents (like APT attacks). The investigation aims to answer critical questions: Whose data was compromised? What personal data elements were involved (names, emails, financial info, etc.)? Has the data been lost, stolen, or altered? Can we recover/restore any lost data? We also look into whether the incident is ongoing or fully contained. Once the investigation gives a clear picture, we work on eradicating the root cause (e.g., removing malware, closing vulnerabilities, changing processes to prevent recurrence).
Notification to Affected Parties:
If a data breach is confirmed that likely results in harm to individuals (e.g., risk of identity theft, financial loss, personal safety risk, or other significant impacts), we will notify the affected individuals and relevant parties in accordance with law and as a matter of transparency. Our notification protocol is as follows:
- Data Protection Board of India (DPB): The DPDP Act requires that data fiduciaries intimate the DPB of a personal data breach in a prescribed manner. We will prepare a breach report containing details as required (likely including the nature of personal data affected, number of people impacted, measures being taken, etc.) and submit it to the DPB within the timeline that the law or rules specify (current best practice is within 72 hours of becoming aware of the breach, similar to GDPR, although DPDP rules might specify exact times).
- Other Regulators: If the breach involves data of individuals in other jurisdictions, we may also need to notify foreign regulators (for example, the EU GDPR requires notifying the relevant Data Protection Authority within 72 hours for significant breaches). We will comply with all such applicable requirements. If it’s a large breach of, say, US persons’ data, we might notify state Attorneys General as required by various US state laws.
- Individuals (Data Principals): We will notify affected individuals as soon as practicable if the breach is likely to result in a “risk of harm” or as mandated by law. Our communication will be done via appropriate channels – e.g., email, letter, phone, or public announcement, depending on what contact info we have and the urgency. The notification will be in clear language and include helpful details: what happened (in general terms), what data was involved (to the extent known), what we are doing about it, and what individuals can do to protect themselves (like changing passwords, watching out for phishing, contacting credit bureaus, etc., as relevant). We will also provide contact details for our helpdesk or incident response team so that individuals can get more information or assistance.
- Clients or Partners: If the breach involves data we handle on behalf of a client (i.e., we’re a processor), we will first notify that client without undue delay, as per our contractual obligations. We’ll provide them all necessary details so they can comply with their own legal duties to notify authorities or individuals. If a partner’s or vendor’s actions contributed to the breach, we will inform them and coordinate on response.
- Public Communication: For significant incidents that might hit media or require public reassurance (especially if a large number of individuals or high-profile data is involved), we will consider issuing a public statement or press release. We’ll also update our website with a notice if appropriate. The aim is to be transparent and control the narrative with accurate information to avoid panic or misinformation.
We comply with any legal specifics – for example, some laws specify that breach notices to individuals should include toll-free numbers or how to contact credit monitoring services; we will incorporate such details as needed.
Post-Incident Actions:
After the immediate crisis is handled, we conduct a post-mortem analysis to learn and improve. This includes:
- Remediation: Fixing any security weaknesses that were revealed. That could mean applying additional encryption, changing processes, or maybe disciplining or re-training staff if human error was a cause. We update our security policies and tools accordingly.
- Documentation: We document the incident, our response, and outcomes in an incident log. This documentation is important for compliance (e.g., DPDP’s expected accountability records, or internal audits). It also helps in any future legal or insurance matters.
- Follow-up with Affected Parties: We may issue follow-up communications to individuals or clients updating them on further findings or confirming that the issue has been resolved. For instance, if initially we notified individuals to reset passwords as a precaution, later we might confirm the source of the breach and that no further action is needed beyond what they’ve done. If we promised specific support (like credit monitoring for a year in case of a financial info breach), we will set that up and provide instructions on how to use it.
- Cooperation with Authorities: We cooperate fully with any investigations by regulators or law enforcement. If a breach involved criminal activity (like hacking), we file requisite reports (e.g., FIR in India if needed, or reports to cyber crime units) and assist investigations. We also consider if the breach triggers any obligations under contracts (some clients might have contractual security incident report requirements beyond the legal ones, and we fulfill those too).
- Evaluation of Liability: We review if the breach has exposed us to legal claims (perhaps individuals may sue or regulators may fine). Our legal team prepares defenses or negotiations for such outcomes. While this is more legal strategy, from a data protection standpoint, it underscores the need to have handled things properly. Often regulators are more lenient if a company can show they had good protections and responded responsibly versus if negligence is found. We thus compile evidence of our due diligence.
No Retaliation and Encouragement of Reporting: We encourage our employees to report potential vulnerabilities or incidents as soon as they notice them, without fear of blame. A culture of prompt reporting can significantly reduce breach impact. We treat inadvertent mistakes as opportunities to improve (unless there was willful or gross negligence, which is handled through HR actions as needed).
In sum, our stance is that while prevention is key, preparedness is crucial. By having clear steps to follow in the event of a breach, we aim to maintain control, reduce harm to affected individuals, comply with all legal duties, and preserve the trust that stakeholders place in us. We view timely and transparent breach response not just as a compliance checkbox, but as an ethical obligation to those whose data we hold.
Limitation of Liability
While Nuerolytica is deeply committed to safeguarding personal data and complying with all relevant privacy laws, it is important to clarify the extent of our responsibilities and liabilities in relation to this Privacy Policy and the use of our Services. By reading and using this Privacy Policy (and by using our Services), you acknowledge and agree to the following limitations of liability to the maximum extent permitted by applicable law:
- No Absolute Security Guarantee: We employ rigorous security measures to protect your data. However, we cannot guarantee that our safeguards will never be overcome by unauthorised third parties (for example, in the event of sophisticated cyber-attacks beyond industry-standard prevention). Therefore, you understand that any transmission or storage of data is done at your own risk. We will not be liable for any damages that you may incur as a result of unauthorised access, hacking, or theft of your data, provided we have adhered to the standards described in this Policy and applicable law. In any event, our liability for security breaches will be limited in accordance with the terms below and any service agreements in place.
- Indirect Damages: Nuerolytica shall not be liable for any indirect, incidental, consequential, or special damages, or for any loss of profits, revenue, data, or business opportunities, arising out of or related to the use of our websites, products, or services, or from this Privacy Policy. This includes, for example, damages resulting from the interruption of business, or from inability to use the data or services, even if we have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion of incidental or consequential damages, so this exclusion may not fully apply to you, but it will apply to the fullest extent allowed.
- Limitation of Total Liability: To the extent permitted by law, Nuerolytica’s total cumulative liability for any claims arising from or related to this Privacy Policy or our handling of your personal data (whether in contract, tort, negligence, strict liability, or otherwise) shall not exceed the amount (if any) you paid us to use the service in the 12 months preceding the event giving rise to liability, or Indian Rupees [X] (or equivalent in your local currency), whichever is greater. If you use free services, our total liability shall not exceed a nominal amount (like INR 1000 or equivalent), recognizing that no fees were paid for the service. This cap on liability reflects the allocation of risk as part of our relationship.
- Third-Party Services and Links: Our websites or services may contain links to third-party sites or services (for example, a client portal might link to a third-party analytics dashboard, or our website might link to social media or partner websites). This Privacy Policy does not cover third-party sites or services, and Nuerolytica does not control and is not responsible for the privacy practices or content of those third parties. If you click on a link to another site, you do so at your own risk. We encourage you to review the privacy policies of any third-party sites or services before providing them with your information. We disclaim any liability for the actions of third parties or for any harm or losses arising from your use of third-party websites or services.
- Force Majeure: Nuerolytica is not liable for any delay or failure in performance of any part of this Privacy Policy (including protecting personal data or fulfilling individual rights requests) to the extent such delay or failure is caused by events beyond our reasonable control. This includes, but is not limited to, acts of God, natural disasters, pandemics, war, terrorism, civil disorder, cyber-attacks by state actors or extraordinarily skilled hackers, technical failures that are not foreseeable or preventable despite reasonable care (such as zero-day vulnerabilities in widely used software), power grid failures, or government actions. We will, however, make reasonable efforts to mitigate the effect of a force majeure event and resume full performance as soon as practicable.
- Your Responsibility: You are responsible for ensuring that any personal data you provide to us is accurate and up-to-date, and you must use our Services in compliance with applicable laws. If you share any login credentials or personal data with others, or fail to adequately protect your own devices or accounts, we cannot be held responsible for how that data is then used. For example, if you reuse a password that gets compromised in an unrelated breach, and that leads to unauthorised access to your data in our system, that is outside of our control. We advise using unique, strong passwords and safeguarding your account information.
- No Waiver of Legal Protections: We do not seek to limit our liability beyond what is permissible by law. Certain jurisdictions provide non-waivable rights to consumers or impose certain liabilities that cannot be disclaimed. In such cases, nothing in this section is intended to waive any rights or liabilities which cannot be legally waived. Instead, this section is meant to clarify the extent to which we are accepting liability. If any part of this limitation is deemed invalid by a competent court, our liability will be limited to the fullest extent allowed by the applicable law.
By continuing to use our Services and provide personal data, you indicate your understanding and acceptance of these liability limitations. This section of the Policy is intended to allocate risk between you and us; the pricing (if any) of our services reflects this allocation of risk and the liability limitations specified herein.
It’s also worth noting that in our Terms of Service or contracts with clients, there may be additional liability limitations and indemnity clauses. Those terms work in conjunction with this Privacy Policy. In the event of a conflict between this Policy and a signed contract regarding privacy or data security liabilities, the contract terms would typically prevail for that specific relationship.
We remain committed to making things right in the event of any lapse on our part – limitation of liability is not an escape from responsibility, but a fair boundary so that we can operate and innovate without unbounded legal risk. We carry insurance for certain liabilities and will always strive first and foremost to avoid incidents that could cause harm or loss to anyone.
Governing Law and Dispute Resolution
This Privacy Policy, and any disputes arising from or relating to the interpretation thereof, or to the processing of personal data by Nuerolytica, shall be governed by and construed in accordance with the laws of India. In particular, we adhere to the provisions of the Indian Information Technology Act, 2000 and its rules, and the Digital Personal Data Protection Act, 2023 (once in force) among other applicable laws, as the primary legal framework for data protection in our operations.
In the event of any controversy, claim, or dispute arising out of or relating to this Privacy Policy or the use of personal data, we encourage you first to contact us directly to attempt in good faith to resolve the issue promptly and amicably. You can reach our Grievance Officer or Data Protection Officer as detailed in the Contact Us / Grievance Redressal section below. We will do our best to address your concerns to your satisfaction.
However, if we are unable to reach a mutually agreeable resolution, the following provisions will apply:
- Exclusive Jurisdiction: You expressly agree that all such disputes shall be subject to the exclusive jurisdiction of the competent courts in Gurugram, Haryana, India. This means that if you wish to pursue legal action against Nuerolytica (or vice versa) in relation to personal data or privacy matters, it must be filed in the appropriate court located in Gurugram, and no other court (except any higher appellate court) shall have jurisdiction. Both you and Nuerolytica waive any objection to the venue of such courts on grounds of inconvenient forum or otherwise, and we consent to the exercise of personal jurisdiction by those courts.
- Applicable Law: All proceedings shall be conducted in accordance with Indian law. If you are accessing our services from outside India, we make no representation that this Privacy Policy complies with the laws of any other country. While we endeavour to adhere to global standards as a courtesy and best practice, our legal commitments are defined by Indian law. If you are in a jurisdiction where you have additional rights or our practices conflict with local law, please bring it to our attention – we will try to accommodate without conflicting with Indian law, but ultimately your recourse might be limited to stopping use of our services if we cannot reconcile those differences.
- Legal Remedies: Remedies available under Indian law (including those under the DPDP Act once operational, and any rules thereunder) shall apply. The DPDP Act may provide for a Data Protection Board which can adjudicate complaints and levy penalties. Using our services doesn’t restrict you from approaching such statutory bodies. However, for any civil disputes or claims for damages, Gurugram courts are the forum as stated.
- Equitable Relief: Notwithstanding the above, Nuerolytica reserves the right to seek injunctive or equitable relief in any jurisdiction if necessary to protect its confidential information or intellectual property (for instance, if there is an IP theft, we might need to act wherever the material is being used). But as far as personal data disputes with users are concerned, we expect these to be resolved in Gurugram.
- Arbitration (if applicable): (Note: If our general Terms of Service contain an arbitration clause, that may apply to privacy disputes as well. If so, this section would reflect that.) At present, we have specified court jurisdiction. If we ever choose arbitration for dispute resolution, we will update this Policy or relevant terms accordingly. Unless otherwise stated, we do not require arbitration, but we remain open to it if both parties mutually agree to arbitrate a specific dispute to expedite resolution. In any arbitration, the seat would likely be Gurugram as well, and Indian arbitration laws would apply.
By agreeing to this Privacy Policy, you explicitly agree to the Gurugram forum selection and Indian governing law. We emphasize that this clause is meant to provide predictability and consistency in handling disputes, and is not intended to deprive any party of a fair hearing. Gurugram is where our headquarters and key operations are located, and having disputes resolved there helps us manage and respond effectively (which can also benefit you in timely resolution).
If you are a consumer in a jurisdiction that mandates a different approach (for example, some countries might not enforce foreign jurisdiction clauses for consumer contracts), then this clause will apply to the extent permitted. But for business clients or partners, this clause is typically enforceable as written.
Updates to This Policy
Nuerolytica may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. We are committed to keeping you informed in a transparent manner:
- Notice of Changes: If we make material changes to this Policy, we will provide a prominent notice. This might include posting a notice on our website’s homepage, sending you an email notification (if we have your contact on file and such contact is permitted), or alerting you through the user interface of our services. The notice will outline the key changes and direct you to the updated Policy. For minor changes (such as clarifications or typographical corrections that do not significantly affect your rights or our obligations), we may not send out notifications, but we will still post the latest Policy on our site with the new effective date.
- Effective Date: We will indicate at the top of this Policy the date of the latest revision. All changes are effective when posted unless a later date is specified. If you continue to use our Services after the updated Policy is in effect, it will constitute acceptance of the changes.
- Your Review: We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting the personal data we collect. If you do not agree with any updates or changes, you should stop using our Services and may request us (via the contact information below) to remove your data as per your rights. We will not retroactively reduce your rights under this Privacy Policy without your consent. Any changes that could materially affect previously collected data will either not apply to that data or we will seek consent or allow opt-out, unless it’s something that is legally required.
- Archived Versions: For transparency, we maintain archives of past versions of this Policy. Upon request, we can provide earlier versions so you can see how our policies have evolved. In any event, we keep a change log internally of what was changed in each version.
Contact Us / Grievance Redressal
Nuerolytica has appointed a dedicated official to address any questions or concerns regarding personal data and this Privacy Policy. In accordance with the DPDP Act and other applicable laws, this person serves as our Grievance Officer (and may also function as our Data Protection Officer).
If you have any questions, concerns, complaints, or wish to exercise your rights regarding your personal data, please contact:
Grievance Officer – Nuerolytica Consulting Pvt. Ltd.
Address: C.W-55, First Floor, Malibu Towne, Gurugram, Haryana 122018, India
Email: info@nuerolytica.com (Please use subject line “Privacy Query/Concern”)
(Note: The contact details above are provided for the purposes of this Policy. If there are updates to our Grievance Officer’s contact or designation, we will update this section accordingly. As of the effective date of this Policy, the Grievance Officer is the point of contact for all data protection related communications.)
We will acknowledge receipt of your query or complaint as soon as possible, typically within 24 hours. We strive to resolve all grievances expeditiously and in compliance with applicable timelines. Under the DPDP Act draft rules, for instance, we endeavour to address your complaint within 15 days. If a delay is expected or further information is needed from you, we will inform you.
In your communication, please provide as much detail as possible about your concern. If you are making a request to exercise a specific right, please outline your request clearly (e.g., “I request access to my personal data in your systems” or “Please correct my email address to…”). Also include a way to verify your identity (for example, send the request from the email associated with your account, or provide an identification detail we have on file) so we can ensure we are dealing with the right person.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, and you are entitled under law to seek further redress, you may contact the appropriate data protection authority. In India, once the DPDP Act is fully operational, unresolved grievances can be taken up with the Data Protection Board of India. For those in other jurisdictions, you may contact your local data protection regulator. We sincerely hope it never reaches that stage and commit to working with you in good faith to resolve any issue.
Language: You may reach out to us in English or Hindi (or any language you are comfortable with; we will arrange translation if needed). We aim to make our communication accessible.
Thank you for entrusting Nuerolytica with your personal data. We value your privacy and your inquiries, and we are here to help ensure you feel safe and informed in all your engagements with us.