Privacy Notice

Madras Advisory Services & Solutions Pvt Ltd (MAS) is the Data Fiduciary (under the Digital Personal Data Protection Act, 2023) and the Data Controller (under the GDPR / UK GDPR) responsible for the personal data described in this notice.

Registered office: Chennai, Tamil Nadu, India. General contact: info@madrasadvisory.com.

We collect only the minimum personal data necessary to respond to your enquiry and operate the site. Categories include:

Contact data — name, organisation, role, email address — submitted via the contact form.

Enquiry content — the message you choose to send us, including any information you voluntarily disclose about your organisation or matter.

Technical data — IP address (collected transiently for security), browser type, device type, referring URL, and pages visited. Where cookies are used, only strictly-necessary cookies are set without your consent; analytics or marketing cookies are set only after you grant consent via the cookie banner.

We do not knowingly collect data from children under 18, and we do not process special-category / sensitive personal data through the public site.

Under the DPDP Act, 2023, we process personal data on the lawful ground of your consent (for enquiry processing and optional cookies) or as a legitimate use specifically permitted under Section 7 of the Act.

Under the GDPR / UK GDPR, our lawful bases are: (a) consent (Art. 6(1)(a)) for enquiry processing and non-essential cookies; (b) legitimate interests (Art. 6(1)(f)) for site security, fraud prevention, and aggregated usage analysis; and (c) legal obligation (Art. 6(1)(c)) where we must retain records under tax, anti-money-laundering or company law.

Purposes are limited to: responding to your enquiry; sending follow-up correspondence about a potential engagement; operating and securing the site; complying with legal obligations; and, where you have separately opted in, sending occasional firm publications.

We do not sell, rent, or trade personal data, and we do not share personal data with advertising networks or data brokers.

We may disclose personal data only to: (a) carefully selected service providers acting as Data Processors under written contract (for example, hosting, email infrastructure, and analytics if you consent); (b) professional advisers (lawyers, auditors, insurers) bound by confidentiality; and (c) authorities where required by binding law, court order, or to protect the rights, safety, or property of MAS.

MAS is headquartered in India and our personal-data processing primarily takes place in India. Where personal data of EU or UK residents is transferred outside the European Economic Area or the United Kingdom, we rely on the European Commission's Standard Contractual Clauses (Module 1, controller-to-controller, or Module 2, controller-to-processor) and the UK International Data Transfer Addendum, together with appropriate supplementary measures including transport-layer encryption and contractual access controls.

Under the DPDP Act, transfers outside India are permitted except to countries notified as restricted by the Central Government; we monitor such notifications and adjust transfers accordingly.

Personal data is retained only for as long as necessary for the purpose for which it was collected, or as required by law. Indicative retention periods are:

Enquiry data — up to 24 months from last contact, then deleted or anonymised.

Engaged-client communications — for the duration of the engagement plus the statutory limitation period applicable in India (typically up to 8 years for tax and 7 years under the Companies Act, 2013).

Technical logs — 90 days for security and incident-response purposes, except where retained longer for a specific investigation.

Subject to applicable law and to verification of your identity, you may exercise the following rights free of charge by writing to info@madrasadvisory.com:

India (DPDP Act, 2023): right to access a summary of personal data and processing; right to correction, completion, updating and erasure; right to grievance redressal through our Grievance Officer; right to nominate another person to exercise rights in the event of death or incapacity.

EU / UK (GDPR): right of access; rectification; erasure; restriction of processing; data portability; objection (including to processing based on legitimate interests); right to withdraw consent at any time; and the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office).

California (CCPA / CPRA): right to know what personal information is collected, used, shared or sold; right to delete; right to correct inaccurate personal information; right to opt out of the sale or sharing of personal information (we do not sell or share personal information as those terms are defined under the CCPA); right to limit use of sensitive personal information; and right to non-discrimination for exercising any of these rights.

We implement reasonable security practices and procedures consistent with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and recognised international standards such as ISO/IEC 27001. Controls include encryption in transit (TLS 1.2+), access controls on a need-to-know basis, secure development practices, regular vulnerability review, and personnel confidentiality obligations.

No system is impervious. In the event of a personal-data breach we will notify the Data Protection Board of India and affected Data Principals as required under the DPDP Act, and the relevant supervisory authorities and data subjects within the timeframes required by the GDPR (72 hours where feasible).

In accordance with Section 8(10) of the DPDP Act, 2023 and Rule 5(9) of the Information Technology (Reasonable Security Practices) Rules, 2011, MAS has designated a Grievance Officer:

Name: Senthil Muthu

Email: grievance@madrasadvisory.com

Office: Chennai, India

We will acknowledge any grievance within 72 hours and resolve it within the statutory timeframe.

Information about the cookies we use, the choices available to you, and how to manage your preferences is set out in our Cookie Policy.

We may update this notice to reflect changes in law, technology, or our practices. The current version is identified by the Updated date at the top of this page. Material changes will be flagged on the site for a reasonable period.