Privacy Policy
Effective Date: January 2026
This Privacy Policy explains how Forty Security ("we," "us," or "Company") collects, uses, shares, and protects your personal information when you use our website, services, or otherwise interact with us. We cover our practices for users worldwide, including people in the European Union (EU), California (USA), and India, in compliance with GDPR, CCPA/CPRA, India’s DPDP Act, and relevant IT Rules. Our policy is written in clear, plain language to ensure transparency.
Scope
This policy applies to personal data we collect through our website, services, and other communications. It covers information about individuals who use our website, engage with our services, or otherwise provide us with personal information. It also applies to information we collect from employees, contractors, or job applicants. By using our website or services, you acknowledge the practices described here.
Definitions
- "Personal Data" or "personal information" means any data that can identify you as an individual (for example, name, email, or IP address).
- "Processing" means any use of personal data, such as collection, storage, disclosure, or analysis.
- "Data Controller" is the entity that determines the purposes and means of processing personal data. Forty Security is the data controller for the personal data we collect.
- "Data Processor" means any third party that processes personal data on our behalf (for example, cloud hosting or email providers).
- "User" or "you" refers to any person whose data we process.
- "Consent" means a clear affirmative act (such as checking a box or clicking "Accept") by which a user agrees to our processing of personal data for a specific purpose.
Information We Collect
We collect information necessary to provide and improve our services. This includes:
- Identity and Contact Data: Personal identification like name, username, postal address, email address, and phone number.
- Account and Profile Data: Data associated with your account, such as login credentials, interests, or preferences.
- Technical Data: IP address, browser type, device information, and usage logs (e.g. pages visited, time on site) collected automatically.
- Transaction Data: Details of any payments or orders you make through our services, such as payment details (processed securely).
- Communications Data: Records of your communications with us (e.g. customer service emails, support tickets, feedback).
- Marketing Data: If you opt in, data used for marketing such as mailing list subscriptions.
We also collect cookies and analytics data when you browse our site (see Cookies and Tracking below). In some cases, we may receive information about you from third-party sources (for example, if you contact us through social media or from publicly available sources), in which case we treat it as part of the data listed above.
How We Use Your Information
We use collected data for these primary purposes:
- To provide and improve services: We use your data to operate our products and services, process your transactions or requests, and improve our offerings. For example, we use contact and account data to set up your account and deliver requested services.
- Communication: We use your contact information to send you service-related communications (like order confirmations or customer support) and to respond to your inquiries. With your consent or where permitted by law, we may send you marketing emails or news about new services. You can always opt out of marketing communications.
- Security and fraud prevention: We use technical data (like IP address and device data) to secure our systems, detect and prevent fraud or abuse, and comply with our legal obligations (such as preventing network intrusions).
- Analytics and optimization: We analyze usage and behavioral data (including cookie data) to understand how you interact with our website and services. This helps us improve website functionality, diagnose service issues, and enhance the user experience.
- Legal compliance: We process personal data to comply with applicable laws and regulations (e.g., tax, financial, or IT laws) and to establish, exercise, or defend legal claims.
The purposes for which we process data are specified when we collect that data, and we do not use data for other unrelated purposes without informing you in advance.
Legal Basis for Processing
When processing the personal data of EU or UK residents, we rely on lawful bases under the GDPR. These may include:
- Consent: Where you have freely given your permission.
- Contract: When processing is needed to perform a contract with you.
- Legal obligation: When required by law.
- Vital interests: In emergencies.
- Public interest tasks: For tasks in the public interest.
- Legitimate interests: When we have a genuine business reason that does not override your rights.
We will tell you which basis applies for each processing activity (for example, account management is often contractual; marketing requires consent; security may rely on legitimate interest or legal obligation). For users in India, the Digital Personal Data Protection Act similarly requires us to have a lawful purpose for processing (such as your consent or compliance with a contract or law) and to process data in a fair and transparent manner.
Your Rights
We respect your privacy rights under applicable laws. Below is an overview of rights and how to exercise them. You may contact us (see Contact & DPO) to exercise any of these rights.
- Access: You can request a copy of the personal data we hold about you.
- Correction/Rectification: You can ask us to correct inaccurate or incomplete data.
- Deletion/Erasure: You can request that we delete your personal data when we no longer need it or have no lawful basis to keep it, subject to certain exceptions.
- Restriction of Processing: In some cases, you can request that we limit how we process your data.
- Data Portability: You can ask for a machine-readable copy of your data to transfer to another service (when technically feasible).
- Withdraw Consent: If you have given consent (for example, for marketing emails or cookies), you can withdraw it anytime. We will stop using your data based on consent after you withdraw it, without affecting processing that occurred prior to withdrawal.
- Object: You can object to processing based on legitimate interests or to direct marketing. If you object to analytics cookies, we will not track your usage beyond strictly necessary cookies.
- Complaint: You have the right to lodge a complaint with a data protection authority if you believe your rights have been violated. EU residents can contact their local Supervisory Authority; Indian users can refer issues to the Indian Data Protection Board after exhausting our grievance process (see below).
California Privacy Rights
If you are a California resident, you have additional rights under the CCPA/CPRA. You may request: (a) the categories or specific pieces of personal information we have collected about you and details about its use and disclosure; (b) deletion of your personal information; (c) the ability to opt out of the sale or sharing of your personal information (we do not sell personal data, but if this changes you will have a choice); (d) correction of inaccurate personal information we hold; and (e) limitation of use/disclosure of your sensitive personal information. You also have the right to be informed of our privacy practices at or before data collection, and to non-discrimination for exercising these rights.
Indian Data Protection Rights
Under India’s DPDP Act (2023), data principals have rights similar to GDPR. You may request access, correction, or erasure of your data, and you have the right to withdraw consent to processing of your data. You can also nominate someone to exercise rights on your behalf. If you believe your data has been mishandled, you can lodge a grievance with us (see below) and ultimately appeal to the Data Protection Board of India.
How to Exercise Your Rights
To exercise any rights, you can:
- Email us at privacy@fortysecurity.com or dpo@fortysecurity.com.
- Use any designated web form or email address provided for privacy requests on our website.
Be sure to specify which rights you are exercising and provide enough information to identify yourself and your data (for example, your name and email). We may need to verify your identity for security.
We will respond to verified requests in accordance with applicable timelines (e.g. within one month under GDPR). For India specifically, our Grievance Officer will address complaints within 30 days as required.
Security Measures
We take data security very seriously and use robust technical and organizational safeguards to protect personal data. These measures include:
- Encryption: We use industry-standard encryption (such as TLS/SSL) for data in transit, and encrypt sensitive data at rest where feasible.
- Access Controls: We restrict access to personal data to authorized personnel only, and use secure authentication (including two-factor authentication) for employee access.
- Secure Infrastructure: Our servers and systems are protected by firewalls, intrusion detection systems, and regular security audits.
- Employee Training: Staff are trained on data security and privacy best practices. We maintain written information security policies and conduct regular awareness training.
- Policies and Oversight: We maintain an information security policy and incident response plan. We regularly review and update our practices to address new threats and comply with standards (such as ISO/IEC 27001 or industry best practices).
Our approach aligns with the GDPR’s requirement to implement “appropriate technical and organizational measures.” In the unlikely event of a data breach, we follow applicable notification laws (for example, under GDPR we would notify authorities within 72 hours if personal data is at risk).
International Data Transfers
Forty Security is a global company. We may transfer your personal data to service providers or affiliates located outside your country (for example, cloud servers or subsidiaries in other jurisdictions) to fulfill our business purposes. When we transfer personal data internationally (such as from the EU to the United States or India), we do so in compliance with applicable law. For EU personal data, we rely on approved safeguards such as the EU Standard Contractual Clauses or verify that the destination country offers adequate protection under EU law. We also may transfer data under consent or other lawful bases. Wherever transfers occur, we ensure contractual or legal protections are in place to keep your data safe. If you have questions about our data transfer practices, please contact our Data Protection Officer.
Cookies and Tracking
We use cookies and similar technologies on our website. A cookie is a small text file placed on your device. Cookies help our site function properly and improve your experience. The types of cookies we use include:
- Strictly Necessary Cookies: Essential for website operation (e.g. session cookies that keep items in your cart or remember that you are logged in). Consent is not required for these, but we inform you about their use.
- Performance/Analytics Cookies: Collect anonymous data on how visitors use the site (for example, Google Analytics). These cookies help us understand site usage and improve performance.
- Functional Cookies: Remember your preferences (like language or region) so that you don’t have to set them each time.
- Targeting/Advertising Cookies: Used by us or third parties to deliver relevant ads and track ad performance. We only use these if you consent.
We provide clear, specific information about the cookies we use and their purpose. In compliance with EU privacy rules, we obtain your consent before using any non-essential cookies. You can manage your cookie preferences at any time by clicking the “Cookie Settings” link on our site or by adjusting your browser settings. If you prefer, you may refuse or withdraw consent to non-essential cookies, though this may affect your experience on our website. We make withdrawing consent as simple as giving it; for example, you can disable cookies via our cookie banner or browser tools.
Data Retention
We retain personal data only as long as necessary for the purposes described above, unless a longer retention period is required or permitted by law. The criteria we use to determine retention include the following:
- Data necessary to fulfill contracts or provide services is kept for the duration of the service relationship, plus a reasonable time afterward (for example, to resolve disputes or comply with legal requirements).
- Information needed for legal or financial obligations (such as billing records or tax documents) is kept for as long as required by law (typically 7 years for tax records).
- Marketing data is retained until you opt out or for a fixed period (for example, we may keep email subscriptions until you unsubscribe).
- Analytics and log data may be stored for a limited time (for example, aggregated analytics for up to 1–2 years), then deleted or anonymized.
We regularly review our retention schedules. When we no longer need your personal data, we securely delete or anonymize it. The GDPR requires us to inform you of our retention policy or criteria, and we make sure to follow that principle.
Third-Party Links
Our website may contain links to third-party sites or services (for example, payment processors, social media, or content partners). This Privacy Policy does not apply to any third-party sites. We are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any third-party service before providing your personal data to them. For example, if you click on a social media link, that social network’s own privacy rules will govern the use of your data.
Contact & Data Protection Officer
Data Protection Officer (DPO): Forty Security has appointed a Data Protection Officer (or privacy officer). You can reach our DPO or privacy team at dpo@fortysecurity.com or privacy@fortysecurity.com. They are responsible for overseeing privacy compliance and can assist you with data protection questions or requests.
Grievance Officer (India): In accordance with India’s IT Rules (2011) and DPDP Act (2023), we have designated a Grievance Officer for Indian users. Their name and contact information are published on our website. The Grievance Officer can be reached at grievance@fortysecurity.com and will promptly address any data privacy complaints or discrepancies (typically within 30 days, as required). If you are not satisfied with the response, you may escalate the complaint to the Data Protection Board of India.
California and Other Contacts: California residents can contact our California Privacy Officer via the same email addresses above or by calling our toll-free number (listed on our website). We do not knowingly sell your personal information; however, you may contact us to express a privacy preference or opt-out request.
In general, for any questions about this policy or our practices (or to exercise your rights), you may email privacy@fortysecurity.com or write to us at:
Attn: Privacy Officer
Brigade Plaza, Bangalore, Karnataka, India
This address and email will be kept up to date on our Contact page.
Supervisory Authorities: If you believe your privacy rights have been violated, you also have the right to file a complaint with the relevant data protection authority (for example, an EU data protection regulator, the California Attorney General or Privacy Agency, or the Indian Data Protection Board). We encourage you to contact us first so we can resolve any concerns.
Changes to This Policy
We may update this Privacy Policy from time to time (for example, to reflect changes in law or our data practices). The “Effective Date” at the top will indicate when it was last revised. Significant changes will be communicated by email or notice on our website prior to taking effect. We encourage you to review this policy periodically for any updates.
