Privacy Policy

Last Updated: September 19, 2025

Our Commitment to Your Privacy

This Privacy Policy sets out the obligations of Tharva Group (“Tharva”, “we”, “us”, “our”). We are committed to safeguarding personal data collected in the course of our business and to processing it in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. For the purposes of this Policy, personal data means any information relating to an identified or identifiable natural person (“Data Subject”, “you”, “your”). This Policy outlines the principles and practices that govern our handling of personal data. All employees, contractors, agents, and third parties working on behalf of Tharva are required to comply with it.

Data Protection Principles

Tharva ensures that all personal data is processed lawfully, fairly, and transparently; collected for specified, explicit, and legitimate purposes; adequate, relevant, and limited to what is necessary; accurate and kept up to date; retained no longer than necessary; and processed securely, using technical and organizational safeguards.

Lawful Basis for Processing

Personal data will only be processed where a lawful basis exists, including your consent, performance of a contract or steps prior to entering into one, compliance with legal obligations, protection of vital interests, performance of a task in the public interest, or pursuit of legitimate business interests not overridden by your rights.

Purposes of Processing

We collect and process personal data solely for legitimate business purposes, which may include providing services and fulfilling contractual obligations, managing business relationships with clients, partners, and investors, complying with legal and regulatory obligations, communicating with you about our services or updates, protecting the security and integrity of our systems, and maintaining internal business records. Where required, purposes will be clearly communicated at the time of collection.

Data Minimization

We ensure that personal data collected is adequate, relevant, and limited to what is strictly necessary for the purposes stated.

Accuracy of Data

We take all reasonable steps to ensure personal data is accurate and kept up to date. Where inaccuracies are identified, they will be rectified or erased without undue delay.

Data Retention

Personal data is retained only for as long as is necessary for the purposes for which it was collected, or as required by law. When no longer needed, it will be securely deleted or anonymized.

Security of Processing

We implement appropriate technical and organizational measures to protect personal data, including restricted access to authorized personnel only, secure storage and encryption where appropriate, staff training and supervision, regular reviews of collection and storage practices, and contractual obligations for third parties handling data on our behalf.

Accountability

Tharva maintains internal records of all data processing activities, particularly where such activities present risks to the rights and freedoms of data subjects.

Data Protection Impact Assessments

Where processing activities are likely to result in high risks to data subjects, Tharva will conduct Data Protection Impact Assessments, which include assessment of purpose, necessity and proportionality, risks involved, and mitigation measures to safeguard rights and freedoms.

Rights of Data Subjects

Under GDPR, you have the right to be informed, to access your personal data, to rectify inaccurate or incomplete data, to request erasure (“right to be forgotten”), to restrict processing, to data portability, to object to processing, and not to be subject to automated decision-making without safeguards.

Access Requests

You may submit a Subject Access Request at any time. We will normally respond within one month, extendable by two months for complex cases. Requests are free of charge unless manifestly unfounded, excessive, or repetitive.

Rectification

If personal data is found to be inaccurate or incomplete, you may request correction. Rectifications will be carried out without undue delay, and any third parties with whom the data has been shared will be notified where possible.

Erasure

You may request deletion of your personal data where it is no longer needed for its original purpose, consent is withdrawn, you object to processing and no overriding grounds exist, processing was unlawful, or erasure is required by law. Unless grounds for refusal exist, we will comply within one month.

Restriction of Processing

You may request restriction of processing. In such cases, we will only store your data and suspend active processing, unless processing is required for legal claims or to protect rights.

Data Portability

Where processing is based on consent or contract and carried out by automated means, you may request to receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.

Objections

You may object at any time to processing based on legitimate interests, processing for direct marketing, or processing for research and statistical purposes unless in the public interest.

Automated Decision-Making

Where decisions are made solely by automated means and have significant legal effects, you have the right to obtain human intervention, express your viewpoint, and challenge the decision. This right does not apply where processing is necessary for contract, authorized by law, or based on explicit consent.

Categories of Personal Data

The personal data we may collect, hold, and process includes your full name, nationality, and contact details; residential or business address; date and place of birth; identification documents such as passport or ID card; professional or occupational details; bank account or payment information; email correspondence and telephone records; and online identifiers such as IP addresses. We will only collect such data where necessary for the purposes stated.

Data Protection Measures

We adopt measures including ensuring that all staff are trained and aware of obligations, limiting access on a “need-to-know” basis, ensuring contractors and agents are contractually bound to GDPR standards, and periodically reviewing compliance with data protection requirements.

Organizational Measures

Additional safeguards include written agreements with third-party processors, supervision and evaluation of staff handling personal data, and contractual indemnity obligations for service providers failing to meet data protection standards.

Cross-Border Data Transfers

Where personal data is transferred outside the European Economic Area, we ensure compliance through recognized safeguards, such as adequacy decisions, standard contractual clauses, or equivalent protections.

Changes to This Policy

Tharva may amend this Privacy Policy at any time. Updated versions will be posted on our website, with material changes communicated directly where appropriate.

Don't Hesitate to Contact Us!

For any questions regarding our Privacy Policy, please reach out to us via email.