Who we are
Larissa InfoTech Pvt. Ltd. (“Larissa InfoTech”, “we”, “us”) is a private limited company incorporated in India, with its registered office at 302, Techno Park, Andheri East, Mumbai – 400069, Maharashtra, India. CIN: U58200MH2024PTC421780. GSTIN: 27ABCDE1234F1Z5.
We are the data fiduciary (DPDP Act terminology) and data controller (GDPR terminology) for the personal data described in this policy. For data we process on behalf of client engagements, we may instead act as a data processor — see our GDPR & Data Protection page for details on those roles.
What we collect
We collect only what we need. Concretely:
From the website & enquiries
- Contact details you provide voluntarily — name, work email, phone number, company.
- Project briefs, attachments and messages you send via email, WhatsApp or call.
- Information you choose to share during a discovery call.
From engagements
- Billing & accounting information — entity name, GST/VAT IDs, billing address, bank or wallet details for invoicing.
- Names and contact details of your stakeholders we collaborate with.
- Any client data processed under a signed Data Processing Agreement (DPA) — handled under the DPA, not this policy.
Automatic / technical
- Server logs (timestamp, IP, user agent, requested URL) retained for security and abuse prevention.
- Strictly-necessary cookies. We do not currently run analytics or marketing cookies — see our Cookie Policy.
We do not knowingly collect data from children under 18, sensitive personal data (health, biometrics, religion, sexuality), or financial account credentials.
Why we process it
- Respond to enquiries — reply to your message, schedule a discovery call.
- Deliver services — scope, plan, build, and ship the engagement.
- Billing & tax compliance — raise invoices, accept payment, maintain accounts under the Companies Act 2013 and Indian GST law.
- Legal & regulatory obligations — respond to lawful requests; maintain records required by Indian and EU law.
- Security & abuse prevention — investigate suspicious activity, prevent fraud, protect our systems.
Legal bases (GDPR Art. 6)
For data subjects in the European Economic Area / UK, we rely on the following bases:
| Activity | Basis |
|---|---|
| Responding to your enquiry | Consent and pre-contract steps |
| Delivering an engagement | Contract |
| Invoicing, accounting, tax records | Legal obligation |
| Securing our systems, log retention | Legitimate interest |
| Reviews, references (after explicit opt-in) | Consent |
You can withdraw consent at any time without affecting prior processing. To do so, write to info@larissainfotech.com.
Retention periods
| Data category | Retention |
|---|---|
| Unconverted enquiries & project briefs | 24 months from last contact |
| Active engagement records | For the engagement + 12 months |
| Invoices, accounting & tax records | 8 years (Companies Act 2013 / Income Tax Act) |
| Server & security logs | 90 days (rolling) |
| Backups | Up to 90 days after primary deletion |
Your rights
Subject to the conditions of the DPDP Act 2023 and the GDPR, you have the right to:
- Access a copy of the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase data we no longer have a lawful reason to keep.
- Restrict or object to processing based on legitimate interest.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time.
- Nominate another person to exercise rights on your behalf (DPDP Act).
- Complain to a supervisory authority (see below).
To exercise any right, email info@larissainfotech.com with enough detail for us to identify you. We respond within 30 days, free of charge, except where requests are manifestly unfounded or excessive.
International transfers
Our servers and team are based in India. If you reach us from the EU/EEA/UK, your personal data will be transferred to India and, in some cases, to subprocessors in the United States or other jurisdictions.
For these transfers, we rely on the EU Commission's Standard Contractual Clauses (SCCs) (Decision 2021/914) and, where required, supplementary technical and organisational measures including encryption at rest and in transit and pseudonymisation in non-production environments. A copy of the SCCs we use is available on request.
Security measures
We treat data security the same way we treat production code: with defence in depth.
- Encryption in transit — TLS 1.2+ on all endpoints.
- Encryption at rest — AES-256 on databases, backups and object storage.
- Access controls — role-based, principle of least privilege, MFA for all staff.
- Audit logging — immutable activity logs on production systems.
- Vulnerability management — regular dependency review, secret scanning, periodic third-party penetration testing on client systems where contracted.
- Incident response — documented playbooks with named on-call owners.
No security programme is perfect. If you believe you've found a vulnerability, please write to info@larissainfotech.com.
Contact & complaints
For any privacy-related question or to exercise your rights, contact our Privacy Officer:
Attn: Privacy Officer
302, Techno Park, Andheri East, Mumbai – 400069, Maharashtra, India
Email: info@larissainfotech.com
Phone: +91 97697 61782
If we cannot resolve your concern, you have the right to lodge a complaint with:
- India — the Data Protection Board of India (once notified under the DPDP Act 2023).
- EU/EEA — your local Supervisory Authority (e.g. CNIL in France, AEPD in Spain, BfDI in Germany).
- UK — the Information Commissioner's Office (ICO).
Changes to this policy
We may update this policy as our services or the law evolves. The "Last updated" date at the top reflects the most recent material change. For substantive changes, we will notify active clients by email at least 30 days before they take effect.
Questions or a privacy request?
We answer every request from a real person, not a ticket bot. Most replies come within one business day.