How ERBrains IT Solutions collects, uses, shares, transfers, retains, and protects personal data — and the rights available to you under applicable data protection laws.
ERBrains IT Solutions Pvt Ltd (“ERBrains”, “we”, “us”, or “our”) is a business transformation and information-technology consulting organisation specialising in Microsoft Dynamics 365 ERP and CRM solutions, cloud migration, implementation, and managed support services. We operate the website www.erbrains.com and provide services to clients across India, the United Arab Emirates, the United States, Australia, and other markets.
We respect your privacy and are committed to protecting the personal data we handle. This Privacy Policy explains how we collect, use, disclose, transfer, retain, and safeguard personal data, and describes the rights available to you under applicable data protection laws.
This Policy applies to:
By using our website or engaging our services, you acknowledge that you have read and understood this Privacy Policy.
Because of the nature of our business, ERBrains processes personal data in two distinct capacities. It is important to understand the difference, as different rules and responsibilities apply.
We act as a controller when we determine why and how personal data is processed. This applies to data we collect directly for our own purposes — for example, website-visitor data, marketing and newsletter subscriptions, enquiries, client relationship management, recruitment, and vendor management. Sections 4 to 12 of this Policy primarily describe our activities as a controller.
We act as a processor when we handle personal data on behalf of and under the instructions of our clients while delivering services such as Dynamics 365 implementation, ERP/CRM consulting, on-premise-to-cloud migration, data integration, and ongoing application support (AMC). In these engagements, our client is the controller and determines the purposes and means of processing; ERBrains processes the data only to perform the contracted services.
Where we act as a processor, the relevant client’s privacy policy — not this one — governs the underlying personal data, and our processing is additionally governed by the data processing terms in our services agreement (see Section 13). If you are an individual whose data has been provided to us by one of our clients and you wish to exercise your rights, please contact that client (the controller) directly; we will assist them as required.
We collect personal data in the following categories, depending on how you interact with us.
When you visit our website, we may automatically collect Usage Data, including IP address, device and browser type and version, operating system, referring URLs, pages viewed, time and date of visit, time spent on pages, and other diagnostic data, primarily through cookies and similar technologies (see Section 6).
If you apply for a role with us, we collect data relevant to your application — such as your CV/résumé, employment and education history, professional qualifications and certifications, references, and any information you choose to share. Where lawful and necessary, this may extend to identity and right-to-work documentation during onboarding.
In the course of delivering ERP and CRM services, we may process personal data contained within our clients’ systems and datasets — for example, employee records, customer and contact records, financial and transactional data, and other business data — strictly on our clients’ instructions and for the purpose of providing the contracted services. ERBrains does not determine the purposes of this processing and does not use such data for its own purposes (see Sections 2.2 and 13).
We do not seek to collect sensitive personal data (such as data revealing health, financial account details, government identifiers, or similar) through our website. Where such data is processed — for example, within a client’s dataset during an implementation, or as required for employment — it is handled only where there is a lawful basis and with appropriate safeguards.
We use personal data for the purposes below. Where required by law (for example, under the GDPR), we rely on one or more of the following legal bases: performance of a contract, legitimate interests, consent, and compliance with a legal obligation.
| Purpose | Typical legal basis |
|---|---|
| Respond to enquiries and provide requested information | Legitimate interests / steps prior to a contract |
| Provide, maintain, and improve our Service | Performance of a contract / legitimate interests |
| Deliver consulting, implementation, migration, and support services | Performance of a contract |
| Manage the client relationship, billing, and contractual obligations | Performance of a contract / legal obligation |
| Send newsletters, marketing, and information about our offerings | Consent and/or legitimate interests |
| Process job applications and manage recruitment | Steps prior to a contract / legitimate interests |
| Analyse and improve website performance and user experience | Consent (where required) / legitimate interests |
| Detect, prevent, and address security and technical issues | Legitimate interests / legal obligation |
| Comply with applicable laws and respond to lawful requests | Legal obligation |
You may withdraw consent at any time where processing is based on consent (for example, by using the unsubscribe link in our emails). Withdrawal does not affect processing carried out before withdrawal.
We use cookies and similar technologies to operate our website, remember your preferences, secure the Service, and understand how it is used. The categories we use include:
You can control or disable cookies through your browser settings and, where presented, through our cookie consent banner. Disabling certain cookies may affect website functionality. Where required by law, non-essential cookies are set only with your consent.
We do not sell your personal data. We may share personal data in the following limited circumstances:
When acting as a processor, we disclose client data only as instructed by the relevant client or as required by law, and we engage sub-processors only in accordance with our agreement with that client.
To deliver our Service, we rely on a limited number of carefully selected sub-processors and service providers, which may include providers of cloud hosting and infrastructure (including Microsoft Azure), business-application platforms (including Microsoft Dynamics 365), website and CRM tooling, email and communications services, analytics, and development and deployment (CI/CD) tools.
Each sub-processor is bound by contractual obligations to: process personal data only as instructed, implement appropriate technical and organisational security measures, maintain confidentiality, and assist with data-subject requests and breach handling. When we act as a processor for a client, we engage sub-processors in line with the data processing terms agreed with that client, including any rights to be informed of, or to object to, new sub-processors.
ERBrains operates across India (headquarters), the United Arab Emirates, the United States, and Australia, and works with clients and providers worldwide. As a result, personal data may be transferred to, stored in, and processed in countries other than your own, including India, where data-protection laws may differ from those in your jurisdiction.
Where we transfer personal data across borders, we implement appropriate safeguards required by applicable law — which may include standard contractual clauses, adequacy determinations, intra-group data transfer agreements, or your explicit consent — to ensure your personal data remains protected. By submitting your information or engaging our services, where lawful you consent to such transfers as described in this Policy.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to provide the Service, comply with legal, tax, accounting, and regulatory obligations, resolve disputes, and enforce our agreements.
Retention periods vary by data type and purpose: enquiry and marketing data is retained while a relationship or consent is active and for a reasonable period thereafter; contractual and financial records are retained for the periods required by law; recruitment data is retained for the duration of the process and, where permitted, for a limited period afterward. Usage data is generally retained for a shorter period, except where needed for security, service improvement, or legal compliance.
When acting as a processor, we retain and delete or return client data in accordance with our agreement with the relevant client. When personal data is no longer required, we securely delete, anonymise, or de-identify it.
The security of personal data is important to us. We maintain appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction. These measures may include access controls and role-based permissions, encryption in transit and, where appropriate, at rest, network and infrastructure security, secure development practices, logging and monitoring, confidentiality obligations for personnel, and regular review of our safeguards.
No method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect personal data, we cannot guarantee its absolute security. In the event of a personal data breach that is likely to result in a risk to affected individuals, we will notify the relevant authorities and affected parties as required by applicable law and, where we act as a processor, will promptly notify the relevant client in accordance with our agreement.
Subject to applicable law and to verification of your identity, you may have the following rights in respect of your personal data:
To exercise any of these rights, please contact us using the details in Section 17. We will respond within the timeframes required by applicable law. We do not discriminate against you for exercising your rights.
If we process your personal data on behalf of a client (as a processor), please direct your request to that client; we will support them in responding.
When ERBrains delivers consulting, implementation, migration, or support services, we typically process personal data contained in our clients’ systems as a processor. In these engagements:
These commitments are set out in greater detail in a Data Processing Agreement (DPA) or equivalent data-protection terms within our services contract, which governs in the event of any conflict with this Policy in respect of client data.
Our Service is intended for businesses and professionals and is not directed at children. We do not knowingly collect personal data from children under the age of 18 (or the age defined as a minor in your jurisdiction). If you believe a child has provided us with personal data, please contact us, and we will take appropriate steps to delete it.
Our website may contain links to third-party websites and services that we do not operate or control. This Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party sites you visit. We are not responsible for the content or privacy practices of third parties.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. We will post the updated Policy on this page and revise the “Last Updated” date above. Where changes are material, we will provide a more prominent notice (which may include email notification or a notice on our website). We encourage you to review this Policy periodically.
If you have questions, requests, or complaints regarding this Privacy Policy or our handling of your personal data, please contact us:
Email (privacy enquiries): info@erbrains.com
Recommended: establish a dedicated address such as privacy@erbrains.com or dpo@erbrains.com.For data-protection requests, we may need to verify your identity before responding. We aim to respond within the timeframes required by applicable law.