Last Updated: May 06, 2025

1. Privacy Commitment

At Convertpolo Professional Services Private Limited, we place the utmost importance on safeguarding your privacy and ensuring the highest level of security for your personal data, recognizing that your trust is fundamental to our relationship with you as a user, client, or partner engaging with our services from anywhere in the world. We are a company dedicated to providing specialized services such as Landing Page Optimization (LPO), which involves testing and improving website elements to enhance user experience, Conversion Rate Optimization (CRO), which focuses on increasing the percentage of visitors who take desired actions like making a purchase, and Brand Elevation Consultation Services, which include strategic audits and recommendations to strengthen your brand’s market presence globally. These activities often require the collection, storage, and processing of personal data, which may include sensitive details such as your name, email address, phone number, browsing behaviour, or interaction patterns on websites we optimize for our clients worldwide. We fully understand the sensitivity of this information and are unwavering in our commitment to handle it with the greatest care, transparency, and responsibility, ensuring that your privacy is never compromised at any stage of our service delivery, whether we are optimizing a landing page for an e-commerce business or conducting a brand audit for a global corporation. Our pledge to protect your data is not merely a legal requirement but a core principle that guides every aspect of our operations, from the technologies we deploy to the policies we enforce, ensuring that your personal information is always treated with the highest respect, regardless of your location. We are fully committed to complying with the Digital Personal Data Protection Act, 2023 (DPDP Act), which is the governing data protection law for our operations, setting stringent standards for how personal data must be collected, processed, stored, and shared. The DPDP Act, as an Indian law, mandates that we process your data lawfully, fairly, and transparently, and we align all our practices with these principles to ensure full compliance for users worldwide, whether you are accessing our services from North America, Europe, Asia, or any other region. We strive to exceed the minimum requirements of the DPDP Act by adopting best practices in data security, such as implementing robust encryption methods to protect your data from unauthorized access, conducting regular security audits to identify and address vulnerabilities, and training our staff to handle your data ethically and responsibly in accordance with Indian legal standards. By choosing to engage with our services, you can be confident that your personal information is managed with the utmost integrity, and we will always prioritize your rights and preferences under the DPDP Act, such as your right to access, correct, or delete your data, ensuring that you remain in control of your personal information, no matter where you are located. This Privacy Policy is a testament to our dedication to transparency, providing you with a clear, detailed, and comprehensive understanding of how we collect, use, share, and protect your data in compliance with Indian law, empowering you to make informed decisions about your privacy while engaging with our services from anywhere in the world.

2. Overview

This Privacy Policy serves as a comprehensive and detailed document that outlines the practices and procedures we follow regarding the collection, use, storage, sharing, and protection of your personal data when you interact with any of our services globally, whether as a website visitor browsing a site we optimize, a client seeking to improve your online performance through our LPO or CRO services, or a partner collaborating with us on brand elevation initiatives from any part of the world. Our services encompass Landing Page Optimization (LPO), which focuses on enhancing the effectiveness of web pages through techniques like A/B testing of elements such as headlines, images, and call-to-action buttons, Conversion Rate Optimization (CRO), which aims to increase the percentage of visitors who take desired actions such as filling out a form or making a purchase, and Brand Elevation Consultation Services, which involve in-depth audits of your brand’s online presence and strategic recommendations to strengthen your market position globally. This policy applies to all individuals who engage with us, including but not limited to users who visit websites we optimize on behalf of our clients, such as an e-commerce platform, clients who contract our services to improve their website’s conversion rates, such as a tech startup, and partners who collaborate with us on various projects, such as a marketing agency, ensuring that everyone interacting with our services worldwide is covered under this policy. It is designed to provide you with a thorough understanding of how your data is handled at every stage of our engagement, from the moment you first visit a website we manage to the delivery of detailed reports and recommendations as part of our consultation services, ensuring that you are fully informed about our data practices, regardless of your location. We aim to be as transparent as possible, detailing not only what data we collect, such as your IP address or behavioral patterns, but also why we collect it, such as to improve website performance, how we use it to benefit you, such as by increasing conversions, and the measures we take to ensure its security against unauthorized access or misuse, such as encryption and access controls, for users across the globe. Furthermore, this policy outlines your rights regarding your personal data under the DPDP Act, such as the right to access your data, request corrections, or have it deleted, and provides clear instructions on how to exercise these rights, ensuring you have full control over your information while engaging with our services from any country. Our services often involve processing data to achieve specific goals, such as optimizing websites to load faster for users on various networks, improving user journeys to reduce friction points for global consumers, and providing strategic insights to elevate your brand against competitors in the international market, and this policy ensures you are fully informed about these processes and their implications for your privacy. By reading this document, you will gain a complete picture of our data handling practices, the Indian legal framework we adhere to, specifically the DPDP Act, and the options available to you to manage your privacy preferences, empowering you to engage with our services with confidence and clarity from anywhere in the world.

3. What Information do we collect or maintain?

We collect and maintain a wide variety of information to deliver, enhance, and personalize our services globally, ensuring that we can provide the most effective solutions for Landing Page Optimization (LPO), Conversion Rate Optimization (CRO), and Brand Elevation Consultation Services while complying with the DPDP Act as our governing law. The types of data we collect can be broadly categorized into personal data, non-personal data, and data obtained from third parties, each serving a distinct purpose in our operations for users worldwide.

• Personal Data:
• Identity and Contact Data: We collect detailed identifying information such as your full name, email address, phone number, and postal address, which you may provide voluntarily when you reach out to us through our website’s contact forms, sign up for our services, or request a consultation to discuss how we can help improve your website’s performance or brand strategy, regardless of your location. For example, if you are a business owner and fill out a form on our website to inquire about our CRO services, we will store your name, email address, and phone number to follow up with you and provide the requested information or services, ensuring we can communicate effectively with you from anywhere in the world. Additionally, if you are a client engaging with us for a long-term project, such as optimizing an e-commerce website targeting a global audience, we may collect further details like your job title, company name, and billing address to facilitate smooth communication, project management, and invoicing processes, ensuring all interactions are tailored to your needs, whether you are based in New York, London, or Sydney.
• Website Interaction Data: When you visit a website we manage or optimize for a client, we collect a range of technical data, including your IP address, which identifies your device on the internet and may indicate your general geographic region, the type of browser you are using, such as Google Chrome, Mozilla Firefox, or Safari, the type of device you are accessing the site from, such as a desktop computer, a tablet, or a smartphone, the operating system running on your device, such as Android, iOS, or Windows, and unique device identifiers that help us distinguish your device from others to ensure accurate tracking for global users. We also track detailed interaction metrics, such as timestamps of your visits, the specific pages you viewed on the website, the links you clicked on, and the amount of time you spent on each page, which helps us understand how users interact with the site from various parts of the world. For instance, during an A/B test for a client, we might record that you interacted with Version A of a landing page for 3 minutes, clicked on a specific call-to-action button to make a purchase, and then exited the site, allowing us to analyze which version performs better in terms of user engagement and conversion for a global audience.
• Behavioral Data: We gather in-depth data about your behavior on websites we manage, including mouse movements, scrolling patterns, clicks on various elements like buttons or images, form submissions, and inferred preferences based on your interactions, which provide insights into how users navigate online platforms globally. This data helps us understand how you interact with a website, where you encounter difficulties, and what elements capture your attention, ensuring we can optimize sites for users worldwide. For example, we might record that you scrolled halfway down a page, hesitated on a form field asking for your address, and then abandoned the form, which could indicate a usability issue, such as the form being too lengthy for mobile users, prompting us to recommend simplifying it through our optimization services for a global audience. We also infer preferences, such as whether users prefer a minimalist layout over a more visually dense one, based on your interaction patterns across multiple pages, ensuring our optimizations are effective for a diverse, international user base.
• Communication Data: We maintain comprehensive records of all communications you have with us, including emails you send, messages submitted through our website’s contact forms, feedback provided in surveys or during consultations, and notes taken during meetings or calls, which are often conducted with clients worldwide to discuss project progress or recommendations. For example, if you provide feedback on our brand elevation recommendations during a consultation call, such as suggesting a more modern design to appeal to a global audience, we will store your comments to ensure we can address your concerns and tailor our recommendations to better meet your needs internationally. This also includes any responses you provide to surveys we may send to gauge your satisfaction with our services or to gather insights for future improvements, such as a survey asking how our LPO services impacted your website’s performance for users worldwide.
• Non-Personal Data:
• Aggregated Data: We compile statistical data that does not identify you personally, such as the total number of visitors to a website, the average time spent on a specific page by users globally, or the overall conversion rates across different user groups, such as desktop versus mobile users. For instance, we might report that 65% of users preferred Version A of a landing page over Version B during an A/B test, or that the average bounce rate on a website decreased by 10% after optimization for a global audience, providing valuable insights into user behavior trends worldwide. This aggregated data helps us identify trends, measure the effectiveness of our services for clients, and provide actionable insights, such as recommending faster load times for users on mobile devices, without compromising individual privacy, regardless of where users are located.
• Anonymized Data: We also maintain data that has been stripped of all identifiable elements, such as anonymized user journey maps or click patterns, which we use for internal analysis and research purposes to improve our services for a global market. For example, we might create an anonymized report showing the typical path users take through a website, from landing on the homepage to completing a purchase, without linking this data to any specific individual, allowing us to identify common friction points, such as slow loading times on mobile devices, and develop solutions to address them while ensuring your privacy is protected for users worldwide.
• Data from Third Parties:
• Analytics Providers: We work with third-party analytics providers, such as Google Analytics, to collect aggregated data about user behavior on websites we manage for clients, including metrics like bounce rates, traffic sources (e.g., whether users arrived via a search engine like Google, social media platforms like Instagram, or direct links), and the geographic distribution of visitors across the globe, such as users from the United States, Germany, or Japan. For example, Google Analytics might inform us that 40% of a website’s traffic comes from organic search, with a significant portion from mobile users, helping us tailor our optimization strategies to focus on SEO improvements and mobile responsiveness for a global audience.
• Marketing Partners: If you were referred to us through a marketing campaign, such as an email campaign targeting businesses or a social media advertisement on platforms like Instagram, we may receive data from our marketing partners, such as your email address or details about your interaction with the campaign (e.g., whether you clicked on an ad promoting our CRO services). This helps us understand the effectiveness of our marketing efforts globally and ensures we can follow up with you appropriately, such as by sending a personalized email to discuss how our services can benefit your business, whether you are in Brazil, Australia, or Canada.
• Public Sources: During brand elevation consultations for clients, we may collect publicly available information about your company, such as details from your website, social media profiles on platforms like LinkedIn or Instagram, or public business registries, to better understand your brand’s current market position and competitive landscape on a global scale. For example, we might review your company’s website to identify your target audience, such as young professionals, and assess how your brand is perceived online through reviews or social media mentions, which informs our consultation recommendations to strengthen your presence in the international market.

4. How do we use your information?

We utilize the information we collect for a variety of purposes, all aimed at delivering high-quality services, improving your experience, and ensuring compliance with the DPDP Act for users worldwide. Below is a detailed breakdown of how we use your data:

• Service Delivery and Improvement:
• We use your data to conduct A/B testing, a process where we create multiple versions of a website element, such as a call-to-action button, headline, or layout, and test them with different user groups globally to determine which version performs better in terms of engagement, clicks, or conversions, ensuring that the optimizations are tailored to the preferences of a diverse, international audience. For example, we might test whether a green CTA button or a blue CTA button leads to more sign-ups on a landing page for a client targeting users worldwide, using your interaction data to measure the results and recommend the most effective version. This helps us optimize landing pages to reduce bounce rates, improve load times for users on various networks, and enhance overall user experience, ultimately increasing the likelihood that visitors will take the desired action, such as making a purchase or filling out a form, regardless of their location.
• For Conversion Rate Optimization (CRO), we analyze your behavioral data to identify friction points in user journeys specific to a global audience, such as a complicated checkout process that leads to cart abandonment due to limited payment options, or a form that users find too lengthy to complete on mobile devices with varying screen sizes. Based on this analysis, we provide recommendations to streamline the process, such as integrating multiple payment methods or reducing the number of form fields to accommodate mobile users, thereby increasing conversion rates for our clients, such as an e-commerce business looking to improve sales internationally.
• In our Brand Elevation Consultation Services, we use the data we collect to perform in-depth audits of your brand’s current state in the global market, examining factors like your website’s user experience for an international audience, your social media presence on platforms like Instagram or LinkedIn, and your competitive positioning against other brands worldwide. We then provide actionable recommendations to strengthen your brand, such as redesigning your website to include multilingual options to appeal to users in different regions, adjusting your messaging to resonate with diverse cultural values, or identifying new opportunities to differentiate yourself from competitors in the international market, such as focusing on sustainability to appeal to environmentally conscious consumers globally.
• Analytics and Research:
• We use website interaction and behavioral data to generate detailed insights for clients, such as heatmaps that visually represent where users click, scroll, or hover on a webpage, helping us understand which elements are most engaging for a global audience and which may need improvement, such as a CTA button that is not visible on smaller screens. For example, a heatmap might reveal that users are ignoring a key CTA button because it’s placed too far down the page on a mobile device, prompting us to recommend moving it higher up to improve visibility and engagement for users worldwide.
• We analyze aggregated data to identify broader trends globally, such as determining that e-commerce websites tend to have higher conversion rates when using a specific color for CTA buttons, or that users in certain regions prefer video content over text due to varying internet speeds. These insights allow us to provide data-driven recommendations to our clients, ensuring that our optimization strategies are based on real-world evidence specific to a global market, such as recommending video tutorials for a product page targeting users with high-speed internet.
• We also conduct internal research to develop new methodologies and tools for LPO, CRO, and brand elevation tailored to the global market, using anonymized data to test hypotheses and refine our approaches. For instance, we might study anonymized user journeys to identify common patterns in how users navigate e-commerce websites, such as a preference for quick checkout options, which could lead to the development of a new optimization framework that we can apply to future projects for clients worldwide.
• Communication:
• We use your contact data to respond to inquiries you send us, whether through email, phone, or our website’s contact form, ensuring that we can provide you with the information or assistance you need in a timely manner, regardless of your location. For example, if you are a business owner and email us to ask about the potential benefits of CRO for your e-commerce website targeting a global audience, we will use your email address to send a detailed response outlining how our services can help increase your sales and improve user experience for your international customers.
• We also use your data to send updates about ongoing projects, such as providing a detailed report on the results of an A/B test we conducted on your website, including metrics like click-through rates, conversion rates, and user feedback from a global user base, so you can see the impact of our optimization efforts on your target audience worldwide, such as increased conversions among users in different regions.
• Additionally, we may use your contact information to notify you of changes to our policies, terms of service, or other important updates that may affect your engagement with us, ensuring that you are always informed about how your data is being handled and what rights you have under the DPDP Act, such as your right to withdraw consent for certain types of data processing, no matter where you are located.
• Marketing:
• With your explicit consent, as required by the DPDP Act, we use your contact data to send marketing communications tailored to a global audience, such as newsletters that provide updates on digital marketing trends, promotional offers for our services, or invitations to events like webinars and workshops focused on the international business landscape. For example, we might invite you to a webinar on “Maximizing Conversions Through CRO for Global Businesses,” where we share best practices and case studies from our work with other clients worldwide, helping you learn how to improve your own website’s performance for an international audience.
• We also use aggregated data to create targeted marketing campaigns for a global audience, such as identifying that businesses in the e-commerce sector are most likely to benefit from our CRO services and tailoring our outreach efforts accordingly, while ensuring that no individual data is used in these campaigns, maintaining your privacy in compliance with the DPDP Act for users worldwide.
• Legal Compliance and Security:
• We use your data to comply with legal obligations under the DPDP Act, such as responding to a lawful request from a regulatory authority, which may require us to provide certain information as part of an audit or investigation, even if you are located outside India. For example, if a regulatory authority requests data as part of a compliance check under the DPDP Act, we will ensure that we provide only the necessary information and follow all legal procedures to protect your privacy, such as anonymizing data where possible before sharing, regardless of your location.
• We also use your data to protect our services from fraudulent activities globally, such as detecting and preventing cyberattacks, unauthorized access, or other security threats that could compromise the integrity of our systems and the data we manage for clients worldwide. For instance, we might analyze IP addresses to identify and block suspicious activity, such as repeated failed login attempts that could indicate a potential hacking attempt, ensuring that our services remain secure for all users, whether they are in South Africa, Japan, or the United States.

5. Legal basis for processing

We process your personal data based on legal grounds outlined in the DPDP Act, ensuring that we have a legitimate and lawful basis for every data processing activity we undertake for users worldwide, as the DPDP Act is our governing law. Below is a detailed explanation of the legal bases we rely on under Indian law:

• Consent: We rely on your explicit consent for certain processing activities, as required by the DPDP Act, such as when you agree to the use of cookies on our website by clicking “Accept” on our cookie banner, which allows us to track your behavior for LPO and CRO purposes to improve websites for a global audience. Consent is also the basis for sending you marketing communications, such as newsletters or promotional emails, where you have actively opted in by checking a box or providing your email address for this purpose during an interaction with us. For example, if you sign up for our newsletter during a consultation, we will use your consent as the legal basis to send you regular updates about our services and digital marketing trends relevant to a global market. You can withdraw your consent at any time by following the unsubscribe instructions in our emails or by contacting us directly, and we will immediately cease processing your data for those purposes, ensuring your rights under the DPDP Act are respected, regardless of your location.
• Legitimate Interest: The DPDP Act allows processing based on legitimate interests, and we use this basis for activities like website optimization, analytics, and fraud prevention, provided that such processing is necessary and does not unduly impact your rights as a user, whether you are in Europe, Asia, or elsewhere. For instance, we have a legitimate interest in analyzing user behavior on a website to improve its performance for a global audience, such as determining which layout leads to higher conversions, as this directly benefits both us and our clients by enhancing the effectiveness of our services. We also rely on legitimate interest to protect our systems from security threats, such as monitoring for suspicious activity that could indicate a cyberattack, ensuring that our services remain secure and reliable for all users worldwide. Before relying on legitimate interest, we assess the necessity of the processing and its impact on your rights, ensuring that it aligns with the principles of the DPDP Act, such as transparency and fairness, for users globally.
• Contractual Necessity: We process your data when it is necessary to fulfill a contract with you, such as when you engage us to provide LPO, CRO, or brand elevation services for your business, no matter where you are located. For example, if you sign a contract for us to optimize your website targeting a global audience, we will need to process your website interaction data to conduct A/B tests and deliver the agreed-upon results, such as a report detailing the performance improvements we achieved for your international audience. This also includes processing your contact data to communicate with you about the project, such as sending updates on our progress or scheduling consultation meetings to discuss our recommendations, ensuring we can meet our contractual obligations effectively. Without processing this data, we would be unable to perform our contractual duties, making this a necessary basis for processing under the DPDP Act for users worldwide.
• Legal Obligation: We process your data when required to comply with legal obligations under the DPDP Act, which may mandate that we retain certain data for a specified period or provide it to authorities upon request, even if you are located outside India. For example, under Indian tax laws, we may need to retain billing information, including your name and address, for a period of several years to comply with audit requirements, ensuring that we can meet our legal obligations while protecting your privacy, regardless of your location. Similarly, under the DPDP Act, we may be required to notify you and the relevant authority in India in the event of a data breach, which would involve processing your contact data to fulfill this legal obligation, ensuring that we comply with Indian legal standards while keeping you informed, no matter where you are.

6. International Transfers of Personal Information

As a service provider operating under Indian law, your personal data may be transferred to and processed in countries outside India, depending on where our service providers are located and where you access our services from, but we ensure that all such transfers comply with the DPDP Act. This is a common practice for companies like ours that rely on cloud-based technologies and international partnerships to deliver our services effectively to a global audience. Below is a detailed explanation of how we manage international data transfers under Indian law:

• Locations of Data Transfers: Your data may be transferred to India, where our primary operations and headquarters are based, and where we manage the majority of our data processing activities, such as analyzing A/B test results and generating CRO reports for clients worldwide. We may also transfer data to countries like the United States, where some of our service providers, such as Amazon Web Services (AWS), host their data centers, which we use for secure storage and processing of your data, or to Singapore, where we might use a vendor for analytics services, ensuring that your data is accessible for optimization purposes while maintaining security for users globally.
• Compliance with DPDP Act: Under the DPDP Act, cross-border data transfers are permitted only to countries that provide an adequate level of data protection, as determined by the Indian government, or under specific conditions such as contractual safeguards approved by the Data Protection Authority of India. We ensure that any transfer of your data outside India complies with these requirements, either by transferring data only to jurisdictions approved by the Indian government as having adequate data protection laws or by implementing robust contractual agreements with our service providers, such as data processing agreements (DPAs) that outline their obligations to protect your data in accordance with Indian law. For example, if we transfer your website interaction data to a cloud provider in the United States to store it securely, we will ensure that the provider has signed a DPA that aligns with DPDP Act standards, guaranteeing that your data is handled responsibly and that your rights under Indian law are protected, whether you are accessing our services from Germany, Brazil, or any other country.
• Safeguards for Transfers: To further protect your data during international transfers, we implement additional safeguards, such as encrypting all data in transit using Transport Layer Security (TLS) 1.3, ensuring that your data cannot be intercepted by unauthorized parties during transfer, and encrypting data at rest using AES-256 encryption, ensuring that it remains secure even when stored on servers outside India. We also conduct due diligence on all service providers to verify their security practices, such as reviewing their certifications (e.g., ISO 27001) and ensuring they have robust data protection policies in place, to ensure that your data is handled with the same level of care as it would be in India, maintaining compliance with the DPDP Act for users worldwide, whether you are in South Korea, the United Kingdom, or Mexico.

7. How to Exercise Your Data Protection Rights

We are committed to empowering you with full control over your personal data, providing you with a range of rights under the DPDP Act, which applies to all users globally as our governing law, along with clear and accessible methods to exercise these rights. Below is a detailed explanation of your rights and how to exercise them under Indian law:

• Right to Access: You have the right to request a comprehensive overview of the personal data we hold about you, including the categories of data we process, such as your identity data, website interaction data, and behavioral data, the purposes for which we process it, such as to optimize your website for a global audience, and the recipients with whom we have shared it, such as analytics providers we use to improve our services. For example, you can request a report detailing all the data we collected during an A/B test on your website, including your IP address, click patterns, and time spent on the site, to understand how we used it to improve your site’s performance for users worldwide. This right ensures you have full transparency into how your data is being handled by us, whether you are in Canada, Australia, or any other country.
• Right to Correction: If any of your data is inaccurate or incomplete, you can request that we correct it, ensuring that our records are accurate and up to date for your interactions with us, no matter where you are located. For instance, if you notice that we have recorded your email address incorrectly in our system, such as a typo in the domain name, you can ask us to amend it to ensure we can communicate with you effectively for project updates or consultations, maintaining the integrity of our records for users globally.
• Right to Erasure: You can request that we delete your personal data, such as your contact information or behavioral data, if you no longer wish for us to retain it, subject to exceptions where we are legally required to keep it under Indian law, such as for tax purposes. For example, if you decide to discontinue our services, you can ask us to delete all data we collected about your website interactions, such as your browsing history on a site we optimized, and we will comply unless we need to retain it for legal reasons, ensuring your privacy preferences are respected under the DPDP Act, whether you are in France, Japan, or elsewhere.
• Right to Nominate: Under the DPDP Act, you have the right to nominate an individual to manage your data rights on your behalf in case of incapacity or death, ensuring that your privacy preferences are respected even in such circumstances, regardless of your location. For example, you might nominate a trusted colleague to handle your data rights due to a medical emergency, and we will work with that individual to fulfill your requests, such as accessing or deleting your data, ensuring continuity of your privacy rights under Indian law for users worldwide.
• Right to Withdraw Consent: You can withdraw your consent for any processing activity at any time, as provided by the DPDP Act, such as opting out of marketing emails or stopping the use of cookies for analytics purposes on websites we manage. For instance, if you initially agreed to receive our newsletter but later decide you no longer want it, you can click the “unsubscribe” link in the email or contact us directly, and we will immediately stop sending you marketing communications, ensuring your consent preferences are honored in compliance with Indian law, whether you are in South Africa, the United States, or any other region.
• Right to Grievance Redressal: You have the right to lodge a complaint with our Grievance Officer if you have concerns about how we handle your data, and we will address your complaint promptly and transparently, as detailed in Section 14 below, no matter where you are located. For example, if you believe we have not adequately responded to a data access request, you can escalate the issue to our Grievance Officer, who will investigate and resolve the matter within 30 days, as required by the DPDP Act, ensuring your rights are upheld for users globally.

To exercise any of these rights, you can contact us at [Your Contact Email], providing your name, contact details, and the specific right you wish to exercise, such as requesting access to your data or withdrawing consent for marketing. We will respond to your request within 30 days, as mandated by the DPDP Act, and may require additional information to verify your identity, such as asking you to confirm details only you would know (e.g., the email address you used to contact us), to ensure that we are responding to the correct individual and protecting your data from unauthorized access, regardless of your location.

8. What are our security and confidentiality levels for your Information?

We implement a range of measures to ensure the security and confidentiality of your personal data, protecting it from unauthorized access, loss, misuse, or disclosure, in compliance with the DPDP Act for users worldwide. Below is an overview of our security practices:

• Encryption: We use industry-standard encryption to protect your data both during transmission and when stored, ensuring it remains secure and inaccessible to unauthorized parties, no matter where you are located.
• Access Controls: We limit access to your data to authorized personnel only, using secure methods to ensure that only those who need to handle your information for their role can access it, protecting your privacy globally.
• Security Monitoring: We regularly monitor our systems for potential threats and vulnerabilities, taking swift action to address any issues and maintain the integrity of your data, ensuring safety for users worldwide.
• Data Anonymization: Where possible, we anonymize your data before using it for analytics or sharing it, removing identifiable elements to protect your privacy while still allowing us to gain insights for our services, in compliance with the DPDP Act.
• Employee Training: We train our staff to handle your data responsibly, ensuring they understand and follow best practices for data protection, maintaining a high standard of care for users globally.

In the event of a data breach, we will notify affected users and the Data Protection Authority of India as required by the DPDP Act, and take immediate steps to mitigate the impact, ensuring your data remains protected, no matter where you are.

9. Information Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by the DPDP Act, after which we securely delete or anonymize it to ensure your privacy is protected for users globally. Below is a detailed explanation of our retention periods for different types of data:

• Website Interaction Data: We retain website interaction data, such as your IP address, pages viewed, and time spent on a website, for a period of 12 months to allow for longitudinal analysis of A/B tests and CRO performance for clients, which helps us identify trends over time, such as seasonal variations in user behavior or the impact of an optimization on users in different regions. For example, we might retain data showing that users spent an average of 2 minutes on a landing page over the past year, allowing us to compare this with the results of a new optimization to measure improvement for a global audience. After 12 months, we either delete this data using secure deletion methods, such as overwriting it with random data to prevent recovery, or anonymize it by removing all identifiable elements, ensuring it can no longer be linked to you in compliance with the DPDP Act, whether you are in Spain, South Korea, or elsewhere.
• Behavioral Data: Behavioral data, such as mouse movements, scrolling patterns, and form submissions, is retained for up to 6 months to enable us to analyze short-term trends and identify immediate opportunities for improvement for a global audience, such as pinpointing a form field that causes users to abandon the process due to varying internet speeds. For instance, we might retain data showing that 70% of users hesitated on a specific field in a signup form, allowing us to recommend simplifying that field to improve conversions for users worldwide. After 6 months, we delete this data using secure methods or anonymize it to ensure it cannot be used to identify you, aligning with the DPDP Act’s principles of data minimization for users globally.
• Identity and Contact Data: We retain identity and contact data, such as your name, email address, and phone number, for the duration of our business relationship with you, plus an additional 3 years to comply with legal obligations under Indian law, such as tax and accounting requirements, which may require us to retain billing information for auditing purposes. For example, if you engaged us for a CRO project in 2025, we will retain your contact data until 2028 to ensure we can address any legal or financial inquiries that may arise, whether you are in Argentina, the United Kingdom, or any other country. After this period, we will securely delete your data unless you request otherwise, ensuring that it is no longer accessible in our systems and complying with the DPDP Act.
• Communication Data: We retain communication data, such as emails and feedback, until you withdraw your consent for us to hold this data or until the purpose for which it was collected is fulfilled, whichever occurs earlier, as per the DPDP Act. For example, if you send us an email inquiring about our services and later withdraw your consent for us to retain your communications, we will delete your email from our systems immediately, ensuring that your privacy preferences are respected, whether you are in Germany, Japan, or elsewhere.
• Anonymized Data: Anonymized data, which cannot be linked back to you, may be retained indefinitely for statistical and research purposes, such as analyzing long-term trends in user behavior or developing new optimization strategies for the global market. For example, we might retain anonymized data showing that users in the e-commerce sector prefer a certain type of layout, using this insight to inform future projects for clients without compromising any individual’s privacy, in line with the DPDP Act for users worldwide.

We comply with retention periods mandated by the DPDP Act, ensuring that we do not retain your data longer than necessary and that we have clear policies in place for data deletion and anonymization. When deleting data, we use industry-standard methods, such as secure erasure tools that overwrite data multiple times to prevent recovery, and we maintain logs of deletion activities to ensure accountability and compliance with Indian legal requirements for users globally.

10. What are our practices regarding cookies?

We use cookies and similar tracking technologies to enhance your experience, optimize websites, and deliver our services effectively to users worldwide, and we are committed to being transparent about our practices and giving you control over how these technologies are used, in compliance with the DPDP Act. Below is a detailed overview of our cookie practices:

• Types of Cookies We Use:
• Essential Cookies: These cookies are necessary for the basic functionality of our website and the websites we manage for clients, enabling features such as session management, user authentication, and navigation between pages, ensuring that you can use the site effectively, regardless of your location. For example, an essential cookie might store your session ID to ensure that you remain logged in as you move from one page to another on a website we optimize, preventing you from having to re-enter your credentials repeatedly, which is particularly important for users on varying network conditions globally. Without these cookies, our website would not function properly, and you would not be able to access certain features, such as submitting a contact form or viewing personalized content tailored to a global audience.
• Analytics Cookies: We use analytics cookies to track user behavior for Landing Page Optimization (LPO) and Conversion Rate Optimization (CRO), collecting data such as which pages you visit, how long you spend on each page, and which links you click, helping us understand how users interact with websites worldwide. For example, an analytics cookie might record that you visited a product page on an e-commerce site, spent 2 minutes reading the description, and then clicked on a “Buy Now” button, allowing us to analyze the effectiveness of that page in driving conversions for a global audience. These cookies help us generate insights, such as identifying which elements of a page are most engaging for users, and provide data that we can use to improve user experience and conversion rates for our clients, such as optimizing a page for mobile users internationally.
• Marketing Cookies: With your explicit consent, as required by the DPDP Act, we use marketing cookies to deliver personalized advertisements and track the performance of our marketing campaigns, such as determining whether you clicked on an ad we placed on a platform like Instagram. For example, a marketing cookie might track that you saw an ad for our CRO services on a social media platform, clicked on it, and then visited our website, allowing us to measure the effectiveness of that ad and tailor future campaigns to your interests as a global user. These cookies are only used if you have explicitly opted in, and you can withdraw your consent at any time, ensuring compliance with Indian law for users worldwide.
• Other Tracking Technologies:
• Web Beacons and Pixels: We use web beacons and tracking pixels, which are small images or pieces of code embedded in our website or emails, to track user interactions, such as whether you opened an email we sent or clicked on a link within it, helping us improve our communications with users globally. For example, if we send you an email campaign promoting our brand elevation services, a tracking pixel might record that you opened the email and clicked on a link to schedule a consultation, helping us measure the success of the campaign and improve future communications for a global audience.
• Local Storage: We use local storage to store preferences that enhance your user experience, such as your preferred language, theme (e.g., light or dark mode), or settings you have chosen on our website, ensuring that your experience is tailored to your preferences as a global user. For example, if you select a specific language on our website, we will store this preference in local storage so that the website displays in your chosen language each time you visit, without requiring you to reselect your preference, which is useful for users worldwide.
• Managing Cookies:
• You can manage your cookie preferences through your browser settings, where you can block or delete cookies, set your browser to notify you before accepting cookies, or configure it to accept only certain types of cookies, giving you control over your data globally. For example, in Google Chrome, you can go to “Settings” > “Privacy and Security” > “Cookies and other site data” to customize your preferences, such as blocking third-party cookies or clearing cookies when you close your browser, which is a common practice for users concerned about privacy worldwide.
• We also provide a cookie banner on our website that allows you to manage your preferences directly, giving you the option to accept all cookies, reject non-essential cookies, or customize your settings by selecting which categories of cookies you allow, ensuring that you have full control over your data as required by the DPDP Act. For instance, you might choose to accept essential and analytics cookies but reject marketing cookies, ensuring that your data is not used for advertising purposes, whether you are in Thailand, the United States, or any other region.
• Note that disabling cookies may impact the functionality of our services, such as preventing us from tracking A/B test results or remembering your preferences, which could affect your experience on our website or the websites we manage for our clients. For example, if you disable analytics cookies, we may not be able to measure the effectiveness of a landing page optimization for a client, which could limit our ability to provide the best possible results for a global audience.
• Transparency and Consent:
• We are committed to transparency about our use of cookies, providing clear information in our cookie banner and this Privacy Policy about the types of cookies we use, the purposes for which we use them, and the third parties (e.g., Google Analytics) that may receive data collected through cookies, ensuring you are fully informed as a global user. For example, we will inform you that analytics cookies are used to track page views and that this data may be shared with Google Analytics to generate aggregated reports for our clients targeting users worldwide.
• We obtain your explicit consent for non-essential cookies, such as analytics and marketing cookies, before deploying them, as required by the DPDP Act, ensuring that you have the opportunity to make an informed choice about whether to allow them, no matter where you are. For example, when you first visit our website, you will see a pop-up banner explaining our use of cookies and asking for your consent, with links to this Privacy Policy for more details, ensuring compliance with Indian law for users globally.
• You can withdraw your consent at any time by revisiting our cookie banner or clearing your cookies through your browser, and we will immediately stop using non-essential cookies for your interactions, ensuring that your preferences are respected at all times under the DPDP Act, whether you are in Australia, Germany, or any other country.

11. How we collect and share your personal information?

We collect and share your personal information in a variety of ways to deliver our services, improve your experience, and comply with the DPDP Act for users worldwide, and we are committed to being transparent about these practices and ensuring that your data is handled responsibly. Below is a detailed explanation of our collection and sharing practices:

• How We Collect Your Information:
• Directly from You: We collect information directly from you when you provide it to us through interactions, such as filling out contact forms on our website, signing up for our services, or participating in consultations or surveys tailored to a global market. For example, if you are a business owner and complete a form to request a quote for our CRO services, you might provide your name, email address, phone number, and details about your website targeting an international audience, which we will use to respond to your request and provide the requested services, ensuring we can meet your needs, whether you are in Sweden, Brazil, or any other country.
• Automatically via Cookies and Tracking Technologies: We collect data automatically when you interact with our website or the websites we manage for clients, using cookies, web beacons, and other tracking technologies to gather information such as your IP address, browser type, device information, and behavioral data like clicks and scrolling patterns, which help us optimize websites for a global audience. For instance, when you visit a landing page we are optimizing for a client, we might use a cookie to track how long you spend on the page and whether you click on a specific call-to-action button, helping us measure the page’s effectiveness and identify areas for improvement for users worldwide, such as ensuring faster load times on mobile devices.
• From Third Parties: We receive data from third-party sources, such as analytics providers like Google Analytics, which provide aggregated data about user behavior, such as the number of visitors to a website, their geographic location, and the sources of their traffic (e.g., organic search, social media). We also receive data from marketing partners, such as if you were referred to us through a campaign on a platform like Instagram, and from public sources, such as your company’s website or social media profiles on platforms like LinkedIn, which we use during brand elevation consultations to better understand your business in the global market.
• How We Share Your Information:
• Service Providers: We share your data with trusted third-party service providers who assist us in delivering our services, such as analytics providers (e.g., Google Analytics) that help us analyze user behavior for clients, cloud storage providers (e.g., Amazon Web Services) that store your data securely, and email service providers that help us send communications like project updates or newsletters to users worldwide. For example, we might share your website interaction data with Google Analytics to generate a report on your site’s performance for a client, which we use to provide optimization recommendations tailored to an international audience. All service providers are bound by data processing agreements (DPAs) that require them to protect your data in accordance with the DPDP Act, and to use it only for the purposes we specify, ensuring that your data is not misused or accessed by unauthorized parties, whether they are based in India, the United States, or any other country.
• Business Partners: During brand elevation consultations for clients, we may share aggregated, non-identifiable data with business partners to benchmark your brand against industry standards or competitors in the global market, helping us provide you with insights into how your brand performs relative to others internationally. For example, we might share that “a client in the e-commerce sector achieved a 20% conversion increase after optimization,” without revealing your identity, to demonstrate the potential impact of our services to other partners or clients worldwide. We ensure that any data shared in this manner is fully anonymized, using techniques like aggregation and masking to remove all identifiable elements, protecting your privacy while still allowing us to derive valuable insights for the global market, in compliance with the DPDP Act.
• Legal Authorities: We may share your data with legal or regulatory authorities if required by law under the DPDP Act, such as under a court order, subpoena, or other legal process, even if you are located outside India. For example, if a regulatory authority requests data as part of an investigation under the DPDP Act, we will provide only the data that is legally required, following strict procedures to ensure compliance while protecting your privacy to the greatest extent possible, such as anonymizing data where feasible, whether you are in Mexico, Japan, or any other country. We may also share your data to protect our rights, such as in the case of a legal dispute or to prevent fraud, ensuring that we can defend ourselves against claims or threats while minimizing the impact on your privacy for users globally.
• With Your Consent: We may share your data with other parties if you provide explicit consent, as required by the DPDP Act, such as agreeing to have your feedback included in a case study or testimonial that we publish on our website or share with prospective clients worldwide. For example, if you are satisfied with the results of our CRO services and agree to be featured in a case study, we might share your company name, a quote from you, and aggregated data about the project’s success, but only after obtaining your written consent to ensure that you are fully comfortable with the sharing, aligning with Indian legal standards for users globally.
• No Sale of Data: We do not sell your personal data to any third party under any circumstances, and we are committed to ensuring that your data is never used for purposes other than those outlined in this Privacy Policy or for which you have given consent, as per the DPDP Act. For example, we will never sell your email address to a marketing company for advertising purposes, as we believe strongly in protecting your privacy and maintaining your trust in our services, no matter where you are located.

12. Notice to Users of our Customers and End Users of Websites

If you are an end user of a website operated by one of our customers—for example, a visitor to an e-commerce site, a blog, or a corporate website for which we provide Landing Page Optimization (LPO) or Conversion Rate Optimization (CRO) services—we may process your personal data on behalf of our customer as a data processor, while our customer acts as the data fiduciary (equivalent to a data controller) responsible for determining the purposes and means of processing your data under the DPDP Act, which applies globally as our governing law. This section provides a detailed explanation of our role, the data we process, and your rights in this context for users worldwide:

• Our Role as a Data Processor: As a data processor under the DPDP Act, we act under the instructions of our customer (the data fiduciary), who has engaged us to optimize their website’s performance, improve user experience, and increase conversions for a global audience through techniques like A/B testing, behavioral analysis, and website enhancements. For example, if our customer is an online retailer, we might analyze user interactions on their website to determine which version of a product page leads to more sales among international consumers, but we do so only as directed by the retailer, who decides how the data is ultimately used and for what purposes, regardless of where you are located.
• Data We Process: On behalf of our customer, we collect and process website interaction and behavioral data for users worldwide, such as your IP address, browser type, device information, pages viewed, time spent on each page, clicks, scrolling patterns, and form submissions, which help us optimize the website for a global audience. For example, we might track that you visited a product page, added an item to your cart, but abandoned the checkout process at the payment stage due to limited payment options, allowing us to recommend adding more international payment methods to reduce abandonment rates. This data is collected using cookies, web beacons, and other tracking technologies, as described in Section 10, and is used solely to fulfill our obligations to our customer, such as generating reports on user behavior or testing different website layouts to improve performance for users globally.
• Our Customer’s Responsibilities: As the data fiduciary under the DPDP Act, our customer is responsible for ensuring that they have a lawful basis for processing your data, such as obtaining your consent to use cookies or providing you with their own privacy policy that explains how your data is handled. For example, the website you visited might display a cookie banner asking for your consent to track your behavior, and our customer is responsible for ensuring that this banner complies with the DPDP Act’s requirements for transparency and consent, no matter where you are. Our role is to process the data in accordance with their instructions and to implement appropriate security measures to protect it, but we do not determine the purposes or legal basis for the processing for users globally.
• Your Rights: To exercise your data protection rights under the DPDP Act, such as the right to access, correct, or delete your data, you should generally contact our customer directly, as they are the data fiduciary and have primary responsibility for managing your data. For example, if you want to request a copy of the data collected about you on an e-commerce website we optimize, you should reach out to the website owner, who can provide you with the information or instruct us to do so on their behalf, whether you are in Italy, Brazil, or any other country. However, you can also contact us at [Your Contact Email], and we will work with our customer to address your request, ensuring that your rights are respected and that your request is handled promptly and appropriately in compliance with Indian law for users worldwide.
• Transparency and Accountability: We are committed to transparency in our role as a data processor, providing clear information in this Privacy Policy about the types of data we process and the purposes for which we process it, even when acting on behalf of our customers for a global audience. We also maintain detailed records of our processing activities, as required by the DPDP Act, to ensure accountability and to assist our customers in responding to your requests or regulatory inquiries. For example, we keep logs of the data we process for each customer, the security measures we apply, and any data subject requests we receive from users, allowing us to provide a full audit trail if needed by the Data Protection Authority of India, regardless of where the user is located.

13. Children’s Information

Our services, which include Landing Page Optimization (LPO), Conversion Rate Optimization (CRO), and Brand Elevation Consultation Services, are designed for business clients and adult users. As a company policy, we do not intend our services to be used by individuals under the age of 13. However, under the Digital Personal Data Protection Act, 2023 (DPDP Act), which applies globally as our governing law, a child is defined as any individual under the age of 18. We are committed to protecting the privacy of children and ensuring compliance with the DPDP Act for users worldwide, and we take active steps to prevent the collection of personal data from individuals under 18 without verifiable parental consent, as well as from anyone under 13 in any case, regardless of their location.

• No Intentional Collection: We do not knowingly collect personal data from individuals under 18 without obtaining verifiable parental consent, as mandated by the DPDP Act, nor do we collect any data from individuals under 13 as per our company policy. This includes data such as names, email addresses, phone numbers, or behavioral data like browsing patterns or interaction metrics, which we might otherwise collect for optimization purposes on websites we manage for our clients globally. For example, if a 12-year-old were to visit a website we optimize for a client, such as an e-commerce platform selling professional software, we would not knowingly collect their data, as our services are targeted at adult users and business professionals, not children, whether the user is in Canada, Japan, or any other country. Similarly, if a 16-year-old visits the same website, we would only collect their data if we have obtained verifiable parental consent, ensuring compliance with the DPDP Act. Our websites and services are designed to focus on professional or commercial content—such as optimizing landing pages for software sales or providing brand elevation strategies for corporations—rather than content that might appeal to children, such as games, toys, or child-oriented entertainment, ensuring that we do not inadvertently attract younger audiences globally.
• Verifiable Parental Consent for Users Under 18: For users aged 13 to 18, the DPDP Act requires us to obtain verifiable parental consent before processing their personal data, unless the processing is necessary for a legal obligation or other lawful basis that does not require consent. For example, if a 15-year-old submits a contact form on a website we manage for a client, such as a form requesting more information about a product, we will first seek parental consent through methods like requiring a signed consent form from a parent or guardian, or using a payment verification method (e.g., a small charge to a credit card to confirm the parent’s identity), before processing their data for purposes like responding to the inquiry or tracking their behavior for optimization. We also ensure that we do not engage in tracking, behavioral monitoring, or targeted advertising directed at users under 18 without such consent, as prohibited by the DPDP Act. For instance, we would not use cookies to track the browsing habits of a 17-year-old on a website we optimize, nor would we serve them personalized ads based on their behavior, unless we have explicit parental consent to do so, protecting their privacy in compliance with Indian law for users worldwide.
• Immediate Deletion: If we become aware that we have inadvertently collected personal data from an individual under 13, or from someone under 18 without verifiable parental consent, we will take immediate steps to delete that data from our systems, ensuring it is not used for any purpose and is securely erased in compliance with the DPDP Act. For example, if a 12-year-old submits a contact form on our website requesting information about our CRO services, or if a 16-year-old does the same without us having obtained parental consent, we will delete their data—such as their name, email address, and any associated interaction data—as soon as we identify their age. This deletion process involves using industry-standard secure erasure methods, such as overwriting the data with random characters multiple times to prevent recovery, and we maintain logs of such deletions to ensure accountability under the DPDP Act. We will also refrain from responding to such inquiries to avoid further engagement, protecting the privacy of the child, whether they are in Germany, Brazil, or any other country.
• How to Report: If you believe that we have collected personal data from an individual under 13, or from someone under 18 without proper parental consent, we encourage you to contact us immediately at saurabh@convertpolo.com, providing as much detail as possible to help us investigate and resolve the issue. For example, you might inform us that a child submitted a form on a specific website we manage, including details like the website URL, the date of the submission, and the type of data provided (e.g., an email address or phone number). Upon receiving your report, we will promptly investigate by reviewing our data collection logs, identifying any records associated with the child, and deleting the data using secure methods as described above. We will also take steps to prevent future occurrences, such as auditing our data collection processes to identify any gaps—e.g., ensuring that forms on websites we manage include age verification prompts—and implementing additional safeguards, such as enhanced filtering to block submissions from users under 13, ensuring compliance with both our company policy and the DPDP Act for users worldwide.
• Compliance with Indian Law: We align our practices with the DPDP Act, which requires that personal data be processed in a manner that protects the rights of all individuals, including children, globally. The DPDP Act mandates specific protections for children under 18, such as obtaining verifiable parental consent and prohibiting tracking or targeted advertising without such consent, and we extend these protections by adding our stricter company policy of not targeting users under 13. For example, while the DPDP Act allows certain processing of children’s data with parental consent, we go further by aiming to exclude users under 13 entirely from our services, ensuring that our websites and services are not directed at or appealing to younger audiences, such as by avoiding child-oriented features like animated characters or games. By implementing these measures, we uphold the principles of data protection under Indian law, ensuring that children’s privacy is safeguarded, whether they are in South Africa, the United States, or any other region.

14. Data Protection Officer

To ensure compliance with the DPDP Act, which applies to all users globally as our governing law, we have appointed a Grievance Officer, as required by the Act, to oversee our data handling practices and address any concerns you may have about your personal data, no matter where you are located. Below is a detailed overview of our Grievance Officer’s role and how to contact them:

• Grievance Officer (DPDP Act Compliance):
• Name: Saurabh Patwa, a senior member of our team with expertise in the DPDP Act and data protection laws, appointed specifically to comply with the requirements of the Act, which mandates that organizations processing data designate a Grievance Officer to handle user complaints and ensure timely resolution of issues for users worldwide.
• Email: saurabh@convertpolo.com, a dedicated email address for lodging grievances related to your data, monitored regularly to ensure that your concerns are addressed within the 30-day timeframe required by the DPDP Act, with a commitment to providing clear and detailed responses to your inquiries, ensuring you have a reliable point of contact, whether you are in the United States, Germany, or any other country.
• Role and Responsibilities: Our Grievance Officer is responsible for receiving, investigating, and resolving complaints related to your personal data, such as concerns about how we have handled your data, delays in responding to a data access request, or any other issues that may arise under the DPDP Act. For example, if you believe we have not adequately responded to a request to delete your data, you can contact our Grievance Officer, who will investigate the matter, liaise with the relevant teams to address the issue, and provide you with a detailed resolution within 30 days, ensuring that your rights are fully upheld under Indian law, whether you are in Brazil, Japan, or any other country. The Grievance Officer also serves as a point of contact for the Data Protection Authority of India, ensuring that we remain accountable for our data processing activities and can respond to regulatory inquiries, even for users outside India.
• How to Contact: When contacting our Grievance Officer, we encourage you to provide as much detail as possible about your concern, such as the nature of your request, the data involved, and any previous communications with us, to help us address your issue efficiently. For example, if you are requesting access to your data, you might include your email address and the date you interacted with our website, allowing us to locate your data quickly and respond to your request without delay, ensuring a smooth process under the DPDP Act for users worldwide.

15. Contact Us

We are committed to being accessible and responsive to your questions, concerns, or requests regarding this Privacy Policy, your personal data, or our services, and we provide multiple channels for you to reach us to ensure your needs are met promptly and effectively, no matter where you are located. Below are the detailed ways to contact us:

• Email: saurabh@convertpolo.com, a dedicated email address monitored daily by our customer support team, available for you to send inquiries, requests, or complaints about your data, our services, or any other matter, with a commitment to responding within 48 hours of receiving your message, unless additional time is needed to address complex issues for users globally. For example, if you have a question about how we use your data for A/B testing, you can email us, and we will provide a detailed explanation of our practices and how they benefit you, ensuring transparency, whether you are in the United Kingdom, South Africa, or any other country.

By engaging with our services, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy, and you consent to the collection, use, and sharing of your data as described herein, subject to your rights to withdraw consent or exercise other data protection rights under the DPDP Act as outlined above, which applies to all users globally as our governing law.