GDPR Practices Alignment Statement
Wytmode Cloud Private Limited
Created Date: September 15, 2025
Last Reviewed Date: September 15, 2025
1. Introduction and Scope
Wytmode Cloud Private Limited (“Wytmode”, “we”, “our”, or “us”) is committed to protecting personal data in line with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the United Kingdom GDPR, and other equivalent data protection laws globally. This statement sets out our GDPR alignment practices across all business lines, platforms, and supporting operations. It provides assurance to customers, users, candidates, employees, vendors, partners, and regulators that we process personal data lawfully, fairly, and transparently, and that we implement appropriate technical and organizational measures to safeguard the rights and freedoms of natural persons
2. Controller and Processor Roles
Wytmode acts as a Controller when we determine the purposes and means of processing, such as in relation to user accounts, candidate lifecycle management, marketing, or internal compliance. Wytmode may also act as a Processor where we process data strictly on the written instructions of a client. In such cases, roles, responsibilities, and conditions are clearly defined in our contracts, which specify the subject matter, duration, nature, and purpose of processing, the categories of personal data and data subjects involved, the security measures applied, and the terms for engaging sub-processors
3. Lawful Bases for Processing
Wytmode identifies and documents a valid lawful basis before initiating any processing activity. Contractual necessity applies when data must be processed to deliver services or perform pre-contractual steps requested by a data subject. Legal obligation applies when processing is required by statutory requirements such as employment law, tax law, immigration, or fraud prevention. Consent is obtained where required for non-essential cookies, specific categories of data, or certain communications, and may be withdrawn at any time without affecting the lawfulness of prior processing. Legitimate interests are relied upon only when our interests in securing services, improving features, or operating efficiently are not overridden by the rights and freedoms of individuals. In such cases, we perform and retain legitimate interest assessments for accountability
4. Transparency and Privacy Notices
We provide clear, accessible privacy notices at or before the point of data collection. These notices describe the purpose of processing, the lawful basis, categories of recipients, retention practices, transfer mechanisms, rights of data subjects, and channels for submitting complaints. Notices are updated regularly to reflect changes in our practices, ensuring that individuals always have an accurate understanding of how their information is handled
5. Data Minimization, Purpose Limitation, and Retention
Wytmode collects and processes only the data necessary for specific, lawful purposes. We do not repurpose personal data in a way that is incompatible with the original reason for collection unless a valid legal basis exists. Documented retention schedules define how long each category of personal data is kept, based on statutory requirements and business needs. Once retention obligations expire, data is securely deleted or irreversibly anonymized from active systems and backups within reasonable timeframes
6. Security of Processing
We implement a layered approach to security consistent with Article 32 of GDPR. Our technical measures include encryption in transit and at rest, network segmentation, role-based access control, hardened cloud infrastructure, secure software development practices, multi-factor authentication for privileged accounts, vulnerability management, and continuous monitoring. Organizational measures include written policies, staff confidentiality undertakings, regular security training, and oversight by senior leadership. Our security program is aligned with ISO/IEC 27001 principles, and we maintain continuous improvement through audits, risk assessments, and remediation plans
7. Vendors and Sub-processors
Wytmode engages third-party vendors and sub-processors only after conducting due diligence on their privacy, security, reliability, and compliance practices. All vendors operate under binding agreements that incorporate Article 28 GDPR obligations, including confidentiality, breach notification, and cooperation with audits. We maintain an updated register of sub-processors and provide notice of material changes in accordance with contractual requirements
8. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, Wytmode applies appropriate safeguards under Chapter V of the GDPR. These safeguards may include reliance on adequacy decisions, execution of the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and supplementary measures informed by transfer risk assessments. We monitor legal developments to ensure transferred data continues to receive protections equivalent to those guaranteed within the EU/EEA
9. Data Subject Rights
Wytmode supports the full spectrum of rights under Articles 12–23 GDPR, including the rights of access, rectification, erasure, restriction, portability, and objection. Individuals may also exercise rights related to automated decision-making and profiling. Requests are verified proportionately, documented for accountability, and fulfilled without undue delay, normally within one month unless extensions are justified. Where processing is performed in our role as Processor, we assist the relevant Controller in meeting their obligations. No charges are applied for handling rights requests unless permitted by law in the case of manifestly unfounded or excessive requests
10. Special Category Data and Children
Wytmode processes special category data only when strictly necessary and lawful, for example in employment-related or compliance contexts, and always with appropriate safeguards. These safeguards include encryption, access restrictions, and enhanced monitoring. Our services are designed for adults and business users. We do not knowingly collect personal data from children below the minimum age permitted by applicable law, and if such data is identified, we take immediate steps to delete it
11. Privacy by Design and Governance
Privacy is embedded into Wytmode’s product and process development through structured reviews, data flow mapping, and minimization principles. We conduct Data Protection Impact Assessments (DPIAs) where high-risk processing is contemplated, and we implement remediation measures to mitigate identified risks. Governance is maintained through leadership oversight, integration of privacy risks into enterprise risk management, and maintenance of records of processing activities under Article 30 GDPR
12. Incident Response and Breach Notification
Wytmode maintains an incident response plan with defined escalation paths, containment measures, and recovery protocols. Where a personal data breach creates a risk to individuals’ rights and freedoms, we notify the competent supervisory authority without undue delay and, where feasible, within seventy-two (72) hours of becoming aware. Where the breach poses a high risk to individuals, we also notify affected data subjects promptly in clear, plain language, including guidance to mitigate potential harm
13. Training and Accountability
All Wytmode staff with access to personal data receive mandatory privacy and security training upon onboarding and at regular intervals thereafter. Staff are subject to confidentiality obligations and disciplinary action for violations. Accountability is demonstrated through documentation of decisions, audit logs, vendor oversight records, and continuous improvement actions
14. Contact and Supervisory Authorities
Questions or requests regarding this GDPR alignment statement may be directed to legal@wytmode.com, by phone at (+91) 8884557972, or by writing to:
Wytmode Cloud Private Limited
#63, H Colony, 2nd Main, 1st Stage, Indira Nagar
Bengaluru, Karnataka, India – 560038
Where required, Wytmode will appoint an EU or UK representative and, if applicable, a Data Protection Officer for specific processing contexts. Data subjects always retain the right to lodge a complaint with their local supervisory authority without prejudice to any other remedy available under law
15. Updates to this Statement
This GDPR Practices Alignment Statement is reviewed regularly to reflect changes in legislation, regulatory guidance, technology, or business operations. Updates will be communicated through Wytmode’s websites or via direct notices where appropriate. The “Last Reviewed On” date at the top of this document reflects the effective date of the most recent update. Continued use of Wytmode’s services after changes are published constitutes acknowledgment of the updated practices
Closing Statement
This Statement reflects Wytmode’s strong commitment to safeguarding personal data and aligning our practices with the GDPR. While Wytmode is not certified under GDPR, our operational and technical measures are carefully designed to honor the regulation’s principles of fairness, transparency, accountability, and respect for individual rights.