Classification / Governance Directive
Privacy Policy
This Privacy Policy describes how OCIC Research collects, uses, protects, and discloses information when you interact with our platform, publications, and services.
- Last Updated: 03 Jun 2026
- Version: v1.0.0
- Review Cycle: Annual
Introduction
OCIC Research is committed to protecting your privacy and handling your data with integrity, transparency, and accountability. This policy explains what information we process, why we process it, and the rights and choices available to you.
This policy is published by Offensive Cyber & Intelligence Capability Solutions Pvt. Ltd. ("OCIC Research", "we", "us", or "our"), the entity responsible for determining how and why your personal data is processed. It applies to our website, research publications, advisories, and the services we operate, and forms part of our wider governance framework.
By accessing our platform or services you acknowledge that you have read and understood this policy. Where we act as a data processor on behalf of a client engagement, the terms of the relevant agreement and any data processing addendum take precedence over this policy.
Data Collection
We collect information that you provide directly to us, information generated through your use of our services, and information obtained from third-party sources. We collect only what we need for the purposes described in this policy.
Types of Information We Collect
User Provided
- Personal information
- Account information
- Communication preferences
Technical Data
- Usage data
- Technical information
- Device information
Additional Sources
- Log data
- Diagnostic data
- Third-party information
We do not intentionally collect special categories of personal data (such as data revealing health, biometrics, or political opinions) through the platform. Please do not submit such information to us unless we have specifically requested it under an appropriate lawful basis.
Use of Information
We use collected information to provide, maintain, and improve our services, communicate with users, ensure the security and integrity of our platform, and comply with our legal and regulatory obligations.
- Delivering research publications, advisories, and newsletters you have requested.
- Operating, securing, and improving our website and services.
- Responding to enquiries, support requests, and disclosure reports.
- Detecting, preventing, and investigating fraud, abuse, and security incidents.
- Meeting legal, regulatory, audit, and contractual requirements.
Our lawful bases for processing include your consent, the performance of a contract, compliance with a legal obligation, and our legitimate interests in operating a secure and reputable research organization. Where we rely on consent, you may withdraw it at any time.
Information Sharing
We do not sell your personal data. We share information only where necessary to operate our services, comply with the law, or protect our rights, and always subject to appropriate safeguards.
- Service providers and processors who support our infrastructure, communications, and analytics under contractual confidentiality and security obligations.
- Professional advisers, auditors, and insurers acting in that capacity.
- Authorities, regulators, or law enforcement where required by a valid legal request or to protect against imminent harm.
- A successor entity in the context of a merger, acquisition, or reorganization, subject to this policy.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, audit, or reporting requirements.
Retention periods vary by data type and context. When data is no longer required, we securely delete or irreversibly anonymize it. Aggregated or anonymized information that can no longer identify you may be retained and used indefinitely.
Security Controls
As a security research organization, we hold ourselves to a high standard. We apply technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and loss.
- Encryption of data in transit and, where appropriate, at rest.
- Least-privilege access controls, authentication, and logging.
- Network segmentation, hardening, and continuous monitoring.
- Secure development practices and periodic security review.
- Incident response procedures and breach notification where required.
No method of transmission or storage is completely secure. While we work to protect your information, we cannot guarantee absolute security.
Your Rights
Subject to applicable law, you have rights over your personal data. Under the Digital Personal Data Protection Act, 2023 and, where applicable, the GDPR/UK GDPR, these may include:
- Access to, and a copy of, the personal data we hold about you.
- Correction or completion of inaccurate or incomplete data.
- Erasure of your data where there is no overriding lawful basis to retain it.
- Withdrawal of consent and objection to certain processing.
- Portability of data you have provided to us, where technically feasible.
- Grievance redressal and the right to nominate, as provided under the DPDP Act.
To exercise your rights, contact us using the details in the Contact section. We will respond within the timeframes required by applicable law and may need to verify your identity before acting on a request.
Third-Party Services
Our platform may rely on, or link to, third-party services such as content delivery, hosting, analytics, and email infrastructure. These providers process data on our behalf under contractual safeguards.
Third-party websites we link to are governed by their own privacy policies. We are not responsible for the practices of services we do not control, and we encourage you to review their terms.
International Transfers
We are based in India and may process and store information in India and in other countries where we or our service providers operate. Where personal data is transferred across borders, we apply safeguards appropriate to the transfer.
For users in the EU/EEA or UK, transfers outside those regions are made under recognized transfer mechanisms, such as adequacy decisions or Standard Contractual Clauses, together with supplementary measures where necessary. We make transfers consistent with applicable Indian law, including any restrictions notified under the DPDP Act.
Children's Privacy
Our services are intended for professional and organizational audiences and are not directed to children. We do not knowingly collect personal data from children as defined under applicable law.
If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it. Where the DPDP Act applies, we process children’s data only with verifiable parental or guardian consent and do not undertake tracking or targeted advertising directed at children.
Policy Updates
We may update this policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be indicated by updating the version number and the "Last Updated" date in the metadata above.
We encourage you to review this policy periodically. Your continued use of our services after an update constitutes acknowledgement of the revised policy.
Contact
If you have questions about this policy, wish to exercise your rights, or want to raise a grievance, please contact our privacy team at privacy@ocic.io. For legal matters, contact legal@ocic.io.
Data Fiduciary: Offensive Cyber & Intelligence Capability Solutions Pvt. Ltd. We aim to resolve grievances promptly and, where required under the DPDP Act, will direct you to the relevant grievance redressal mechanism if you are not satisfied with our response.
