Legal · ERBrains IT Solutions Pvt Ltd

Privacy Policy

How ERBrains IT Solutions collects, uses, shares, transfers, retains, and protects personal data — and the rights available to you under applicable data protection laws.

Effective Date 18-06-2026
Last Updated 18-06-2026
Supersedes Policy dated 14 May 2020

1. Introduction

ERBrains IT Solutions Pvt Ltd (“ERBrains”, “we”, “us”, or “our”) is a business transformation and information-technology consulting organisation specialising in Microsoft Dynamics 365 ERP and CRM solutions, cloud migration, implementation, and managed support services. We operate the website www.erbrains.com and provide services to clients across India, the United Arab Emirates, the United States, Australia, and other markets.

We respect your privacy and are committed to protecting the personal data we handle. This Privacy Policy explains how we collect, use, disclose, transfer, retain, and safeguard personal data, and describes the rights available to you under applicable data protection laws.

This Policy applies to:

  • Visitors to our website and users of our online forms, newsletters, and marketing channels;
  • Prospective and existing clients, and their personnel and authorised representatives;
  • Job applicants and candidates;
  • Vendors, partners, and other business contacts; and
  • Individuals whose personal data we process on behalf of our clients in the course of delivering our services.

By using our website or engaging our services, you acknowledge that you have read and understood this Privacy Policy.

2. The Two Capacities in Which We Process Data

Because of the nature of our business, ERBrains processes personal data in two distinct capacities. It is important to understand the difference, as different rules and responsibilities apply.

2.1 As a Data Controller / Data Fiduciary

We act as a controller when we determine why and how personal data is processed. This applies to data we collect directly for our own purposes — for example, website-visitor data, marketing and newsletter subscriptions, enquiries, client relationship management, recruitment, and vendor management. Sections 4 to 12 of this Policy primarily describe our activities as a controller.

2.2 As a Data Processor

We act as a processor when we handle personal data on behalf of and under the instructions of our clients while delivering services such as Dynamics 365 implementation, ERP/CRM consulting, on-premise-to-cloud migration, data integration, and ongoing application support (AMC). In these engagements, our client is the controller and determines the purposes and means of processing; ERBrains processes the data only to perform the contracted services.

Where we act as a processor, the relevant client’s privacy policy — not this one — governs the underlying personal data, and our processing is additionally governed by the data processing terms in our services agreement (see Section 13). If you are an individual whose data has been provided to us by one of our clients and you wish to exercise your rights, please contact that client (the controller) directly; we will assist them as required.

3. Definitions

  • Personal Data / Personal Information: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, such as collection, recording, storage, use, disclosure, transfer, or deletion.
  • Controller / Data Fiduciary: The person or entity that determines the purposes and means of processing personal data.
  • Processor / Data Processor: A person or entity that processes personal data on behalf of, and on the instructions of, a controller.
  • Data Principal / Data Subject: The individual to whom the personal data relates.
  • Sub-processor: A third party engaged by a processor to assist in processing personal data.
  • Usage Data: Data collected automatically through use of our website or infrastructure (e.g., IP address, browser type, pages visited).
  • Cookies: Small files placed on your device to enable certain functionality and analytics.
  • Service: The www.erbrains.com website and the consulting, implementation, migration, and support services provided by ERBrains.

4. Information We Collect

We collect personal data in the following categories, depending on how you interact with us.

4.1 Information you provide directly

  • Identity and contact details: name, job title, company, email address, telephone number, postal address (country, state, city, ZIP/postal code).
  • Enquiry and communication content: information you submit through contact forms, demo or pricing requests, support tickets, emails, and chat or messaging channels.
  • Marketing preferences: newsletter subscriptions and consent records.
  • Account and engagement information: details required to scope, deliver, and bill for our services.

4.2 Information we collect automatically

When you visit our website, we may automatically collect Usage Data, including IP address, device and browser type and version, operating system, referring URLs, pages viewed, time and date of visit, time spent on pages, and other diagnostic data, primarily through cookies and similar technologies (see Section 6).

4.3 Recruitment data

If you apply for a role with us, we collect data relevant to your application — such as your CV/résumé, employment and education history, professional qualifications and certifications, references, and any information you choose to share. Where lawful and necessary, this may extend to identity and right-to-work documentation during onboarding.

4.4 Client and engagement data processed as a Processor

In the course of delivering ERP and CRM services, we may process personal data contained within our clients’ systems and datasets — for example, employee records, customer and contact records, financial and transactional data, and other business data — strictly on our clients’ instructions and for the purpose of providing the contracted services. ERBrains does not determine the purposes of this processing and does not use such data for its own purposes (see Sections 2.2 and 13).

4.5 Special-category and sensitive data

We do not seek to collect sensitive personal data (such as data revealing health, financial account details, government identifiers, or similar) through our website. Where such data is processed — for example, within a client’s dataset during an implementation, or as required for employment — it is handled only where there is a lawful basis and with appropriate safeguards.

5. How We Use Your Information and Our Legal Bases

We use personal data for the purposes below. Where required by law (for example, under the GDPR), we rely on one or more of the following legal bases: performance of a contract, legitimate interests, consent, and compliance with a legal obligation.

PurposeTypical legal basis
Respond to enquiries and provide requested informationLegitimate interests / steps prior to a contract
Provide, maintain, and improve our ServicePerformance of a contract / legitimate interests
Deliver consulting, implementation, migration, and support servicesPerformance of a contract
Manage the client relationship, billing, and contractual obligationsPerformance of a contract / legal obligation
Send newsletters, marketing, and information about our offeringsConsent and/or legitimate interests
Process job applications and manage recruitmentSteps prior to a contract / legitimate interests
Analyse and improve website performance and user experienceConsent (where required) / legitimate interests
Detect, prevent, and address security and technical issuesLegitimate interests / legal obligation
Comply with applicable laws and respond to lawful requestsLegal obligation

You may withdraw consent at any time where processing is based on consent (for example, by using the unsubscribe link in our emails). Withdrawal does not affect processing carried out before withdrawal.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our website, remember your preferences, secure the Service, and understand how it is used. The categories we use include:

  • Strictly necessary / session cookies — required for core website functionality.
  • Preference cookies — remember your settings and choices.
  • Security cookies — help protect the Service and its users.
  • Analytics cookies — help us measure and improve website performance.
  • Advertising / remarketing cookies — may be used to deliver and measure relevant advertising, including remarketing to visitors after they leave our site.

You can control or disable cookies through your browser settings and, where presented, through our cookie consent banner. Disabling certain cookies may affect website functionality. Where required by law, non-essential cookies are set only with your consent.

7. How We Share and Disclose Information

We do not sell your personal data. We may share personal data in the following limited circumstances:

  • Service providers and sub-processors: With trusted third parties who perform functions on our behalf — such as cloud hosting, software platforms, IT infrastructure, analytics, communications, and customer-support tools — under contractual confidentiality and data-protection obligations (see Section 8).
  • Microsoft and platform providers: As a Microsoft partner, our service delivery involves Microsoft Dynamics 365, Microsoft Azure, and related Microsoft cloud services. Personal data may be hosted and processed within these platforms in accordance with Microsoft’s own data-protection commitments.
  • Within our group and affiliates: With our offices and affiliated entities to deliver and administer the Service.
  • Professional advisers and authorities: Where necessary to comply with law, legal process, or a lawful request, or to establish, exercise, or defend legal rights.
  • Business transfers: In connection with a merger, acquisition, reorganisation, or sale of assets, in which case personal data may be transferred to the successor entity, subject to this Policy.
  • With your consent: For any other purpose disclosed to you at the time of collection.

When acting as a processor, we disclose client data only as instructed by the relevant client or as required by law, and we engage sub-processors only in accordance with our agreement with that client.

8. Sub-processors and Service Providers

To deliver our Service, we rely on a limited number of carefully selected sub-processors and service providers, which may include providers of cloud hosting and infrastructure (including Microsoft Azure), business-application platforms (including Microsoft Dynamics 365), website and CRM tooling, email and communications services, analytics, and development and deployment (CI/CD) tools.

Each sub-processor is bound by contractual obligations to: process personal data only as instructed, implement appropriate technical and organisational security measures, maintain confidentiality, and assist with data-subject requests and breach handling. When we act as a processor for a client, we engage sub-processors in line with the data processing terms agreed with that client, including any rights to be informed of, or to object to, new sub-processors.

9. International Data Transfers

ERBrains operates across India (headquarters), the United Arab Emirates, the United States, and Australia, and works with clients and providers worldwide. As a result, personal data may be transferred to, stored in, and processed in countries other than your own, including India, where data-protection laws may differ from those in your jurisdiction.

Where we transfer personal data across borders, we implement appropriate safeguards required by applicable law — which may include standard contractual clauses, adequacy determinations, intra-group data transfer agreements, or your explicit consent — to ensure your personal data remains protected. By submitting your information or engaging our services, where lawful you consent to such transfers as described in this Policy.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to provide the Service, comply with legal, tax, accounting, and regulatory obligations, resolve disputes, and enforce our agreements.

Retention periods vary by data type and purpose: enquiry and marketing data is retained while a relationship or consent is active and for a reasonable period thereafter; contractual and financial records are retained for the periods required by law; recruitment data is retained for the duration of the process and, where permitted, for a limited period afterward. Usage data is generally retained for a shorter period, except where needed for security, service improvement, or legal compliance.

When acting as a processor, we retain and delete or return client data in accordance with our agreement with the relevant client. When personal data is no longer required, we securely delete, anonymise, or de-identify it.

11. Data Security

The security of personal data is important to us. We maintain appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction. These measures may include access controls and role-based permissions, encryption in transit and, where appropriate, at rest, network and infrastructure security, secure development practices, logging and monitoring, confidentiality obligations for personnel, and regular review of our safeguards.

No method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect personal data, we cannot guarantee its absolute security. In the event of a personal data breach that is likely to result in a risk to affected individuals, we will notify the relevant authorities and affected parties as required by applicable law and, where we act as a processor, will promptly notify the relevant client in accordance with our agreement.

12. Your Privacy Rights

Subject to applicable law and to verification of your identity, you may have the following rights in respect of your personal data:

  • Access — to obtain confirmation of whether we process your data and a copy of it.
  • Rectification / correction — to have inaccurate or incomplete data corrected or updated.
  • Erasure / deletion — to request deletion of your data in certain circumstances.
  • Restriction — to request that we limit our processing in certain circumstances.
  • Objection — to object to processing based on legitimate interests or to direct marketing.
  • Portability — to receive certain data in a structured, commonly used, machine-readable format.
  • Withdraw consent — where processing is based on consent.
  • Nominate — where available under applicable law, to nominate another person to exercise your rights in the event of death or incapacity.
  • Complain — to lodge a complaint with the competent supervisory or data-protection authority.

To exercise any of these rights, please contact us using the details in Section 17. We will respond within the timeframes required by applicable law. We do not discriminate against you for exercising your rights.

If we process your personal data on behalf of a client (as a processor), please direct your request to that client; we will support them in responding.

Jurisdiction-specific provisions

  • India (Digital Personal Data Protection Act, 2023) Where ERBrains is the Data Fiduciary, you may exercise your rights of access, correction, completion, updating, erasure, grievance redressal, and nomination. You may contact our Grievance Officer (Section 17). You also have a duty to provide accurate information and to exercise your rights in good faith.
  • European Economic Area / United Kingdom (GDPR / UK GDPR) Where applicable, you have the rights listed above and the right to lodge a complaint with your local supervisory authority. Our legal bases are described in Section 5.
  • United Arab Emirates (Federal Decree-Law No. 45 of 2021 on Personal Data Protection) Where applicable, you may exercise the rights of access, correction, deletion, restriction, portability, and objection, and may file a complaint with the competent authority.
  • United States (including California / CCPA-CPRA) Where applicable, you may request to know, access, correct, and delete personal information, and to opt out of the “sale” or “sharing” of personal information and of targeted advertising. ERBrains does not sell personal information for money. You may also designate an authorised agent to act on your behalf.
  • Australia (Privacy Act 1988 / Australian Privacy Principles) Where applicable, you may request access to and correction of your personal information and may complain to the Office of the Australian Information Commissioner.

13. Processing on Behalf of Clients (Data Processing Terms)

When ERBrains delivers consulting, implementation, migration, or support services, we typically process personal data contained in our clients’ systems as a processor. In these engagements:

  • We process personal data only on the documented instructions of the client (the controller).
  • We ensure that personnel authorised to process the data are bound by confidentiality.
  • We implement appropriate technical and organisational security measures.
  • We engage sub-processors only as permitted by our agreement with the client.
  • We assist the client, to the extent reasonable, with data-subject requests, security, breach notification, and compliance obligations.
  • We delete or return personal data at the end of the engagement, as agreed, except where retention is required by law.

These commitments are set out in greater detail in a Data Processing Agreement (DPA) or equivalent data-protection terms within our services contract, which governs in the event of any conflict with this Policy in respect of client data.

14. Children’s Privacy

Our Service is intended for businesses and professionals and is not directed at children. We do not knowingly collect personal data from children under the age of 18 (or the age defined as a minor in your jurisdiction). If you believe a child has provided us with personal data, please contact us, and we will take appropriate steps to delete it.

15. Links to Other Sites

Our website may contain links to third-party websites and services that we do not operate or control. This Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party sites you visit. We are not responsible for the content or privacy practices of third parties.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. We will post the updated Policy on this page and revise the “Last Updated” date above. Where changes are material, we will provide a more prominent notice (which may include email notification or a notice on our website). We encourage you to review this Policy periodically.

17. Contact Us

If you have questions, requests, or complaints regarding this Privacy Policy or our handling of your personal data, please contact us:

ERBrains IT Solutions Pvt Ltd

Email (privacy enquiries): info@erbrains.com

Recommended: establish a dedicated address such as privacy@erbrains.com or dpo@erbrains.com.
India · Headquarters / Grievance Officer
Ground Floor, Anthill IQ, 20 Cunningham Road, Vasanth Nagar, Bengaluru, Karnataka 560001, India
Tel: 080-4167-3099
United Arab Emirates
Unit No. 101, 6th Floor, One Business Centre, OneJLT, JLT, Dubai, UAE
Tel: +971 58 927 5579
United States
14 Wall Street, 20th Floor, New York, NY 10005, USA
Tel: +1 212-618-1363
Australia
Ground Floor, 470 St Kilda Road, Melbourne, VIC 3004, Australia

For data-protection requests, we may need to verify your identity before responding. We aim to respond within the timeframes required by applicable law.

This Privacy Policy is provided for general informational purposes and should be reviewed by qualified legal counsel before publication to ensure it meets your specific obligations and operational practices.