Skip to content
Home Services Book
§
§ · privacy

Privacy policy.

Plain-English first, statute-grade where it matters. Every data flow on the public site documented by name, every sub-processor listed by endpoint, every right we owe you spelled out per jurisdiction.

Email us about privacy

last updated: 20 May 2026 · version: 1.1 · change history

This policy covers digitalheroesco.com, the free tools at /tools/, our booking and careers forms, and any pre-engagement contact you have with us. We are Digital Heroes, operating as Digital Marketing Heroes Pvt. Ltd., DUNS No. 650878346. Our staffed offices are in New York and Delhi, with satellite teams in London, Lucknow, and Sydney. For any privacy question or data-rights request: privacy@digitalheroes.co.in.

in short
  • We collect the minimum we need for each interaction — visit, book a call, apply to a role, use a free tool, email us.
  • Analytics is consent-gated (Google Analytics 4 with Consent Mode v2 + IP anonymization). Reject and nothing fires.
  • We do not sell, rent, or share data with advertisers. No cross-site tracking pixels (no Meta Pixel, no LinkedIn Insight, no TikTok Pixel, no Google Ads remarketing).
  • We do not use data from this website to train AI models or feed it into commercial AI corpora.
  • Three sub-processors handle the public site: Vercel (hosting), Supabase (application database for jobs), Resend (transactional email). Plus Google Fonts + Google Analytics + Cloudflare cdnjs for static assets.
  • Your rights under GDPR, UK GDPR, CCPA, Australia Privacy Act, and India's DPDP Act are honoured at privacy@digitalheroes.co.in. Standard response window thirty days.

What this policy covers and what it does not

This document covers personal data we collect and process directly through our public website, our free tools, our public-facing forms (booking a call, applying to a role, general contact), and any pre-engagement marketing communications.

It does not cover personal data inside our internal systems used by paying clients. The client portal at business.digitalheroesco.com and the team portal at portal.digitalheroesco.com each run under separately signed Master Services Agreements and Data Processing Agreements with each client. Where a paid engagement makes us a data processor for a client, that client's own privacy notice and our DPA with them govern that processing, not this page.

Who we are

Digital Heroes is the public-facing brand of Digital Marketing Heroes Pvt. Ltd. — a privately held company incorporated in India, registered as a global supplier (DUNS No. 650878346), and listed on the UN Global Marketplace at Tier 1.

We are the controller of personal data described in this policy under GDPR / UK GDPR terminology, the business under CCPA terminology, the data fiduciary under India's DPDP Act, and the APP entity under Australia's Privacy Act 1988.

Staffed offices: New York (US) and Delhi (India). Satellite teams: London (UK), Lucknow (India), Sydney (Australia). Mail any of the inboxes at the bottom of this page — they reach the same team regardless of which office responds.

Data we collect

The data we collect depends on how you interact with the site. We collect the minimum we need for each interaction; we do not collect more so that we have it later.

When you visit any page

With your consent (granted via the cookie banner that appears on your first visit), Google Analytics 4 collects standard web-analytics data: a randomised client identifier, the URL of the page you viewed, the URL that referred you, your approximate region (resolved from your IP address with the IP itself anonymised before storage), your device type, browser type, operating system, viewport size, and basic interaction events. If you reject analytics or accept only essential cookies, no analytics identifier is set and no analytics requests are sent.

When you book a call

From the form at /book/, we collect: your name, work email, phone or WhatsApp number, company name (optional), the service of interest you selected, budget range, the country your business operates in, the date and time slot you chose, your free-text notes, and your browser timezone. If you grant the browser geolocation prompt (best-effort, optional), your approximate latitude and longitude are included so we can suggest a better-aligned overlap window.

Our hosting layer also receives a server-side IP-derived approximate location (city, region, country) for routing context. The submission is written to our database, emailed to our intake inbox, and a confirmation copy is emailed back to you.

When you apply to a role

From the form at /careers/, we collect: the role you selected (job ID), full name, email, phone or WhatsApp, city, current and expected compensation if you provide them, notice period, employment status, a link to your resume, an optional portfolio or profile link, and a free-text "why this role" message. The application is written to our hiring database and a notification is emailed to our HR inbox.

When you use a free tool

In almost every tool at /tools/, nothing reaches our servers. The inputs you paste are processed entirely in your browser and the results render locally — no network round-trip, no server log, no database write.

A small number of tools call public third-party APIs on your explicit click. In every such case the URL or domain you enter is sent only to the named API endpoint; we do not proxy it, we do not log it, and we do not store the response. The complete list of tools that hit third-party APIs lives in the "Tool APIs" section below.

When you email us

If you write to any of our published addresses, we receive the contents of the email, your email address, and any attachments. Email is processed by our standard business email provider.

How we use it

Three lawful bases, three purposes, no fourth.

  • Legitimate interest: operating the website, responding to inbound inquiries, vetting applications, and protecting against fraud and abuse.
  • Consent: the analytics and marketing cookies that fire only after you accept them, and any newsletter or marketing communication you opt in to.
  • Contract: data we process to scope, propose, deliver, invoice, and support a paid engagement once you sign with us.

What we don't do

These promises are unconditional. They apply with or without your consent and override any future ambiguity in the rest of this policy.

  • We do not sell, rent, license, or disclose personal data to advertisers, data brokers, or any third party for their own marketing purposes.
  • We do not use the personal data we collect through this website to train our own AI models or to enrich any commercial AI training corpus.
  • We do not run cross-site advertising trackers on this site. No Meta Pixel, no Google Ads remarketing tag, no LinkedIn Insight Tag, no TikTok Pixel, no Twitter / X Pixel, no Pinterest Tag, no Reddit Pixel, no Snapchat Pixel.
  • We do not fingerprint your browser, device, or canvas. The "device type" and "browser type" Google Analytics records are bucketed (mobile / tablet / desktop; Chrome / Firefox / Safari / etc.) — not the dense fingerprint vector that anti-tracker tools warn about.
  • We do not set persistent third-party cookies for marketing purposes. The cookies we set are listed under "Cookies" below.
  • We do not track you across other sites. We have no relationship with the ad-tech identity graph and we do not buy or ingest any third-party identifier.

Cookies and browser storage

We use a small, documented set of cookies and browser-storage entries. The first time you visit, a banner asks you to accept all, accept analytics only, or reject everything except essentials. Your choice is stored in your browser as a localStorage entry named dh-consent and respected on every subsequent visit. You can change your choice any time by clearing your site data and reloading.

Strictly necessary

Always set, no consent required. A localStorage entry named dh-theme remembers whether you selected dark or light mode. The consent record itself (dh-consent) is also strictly necessary because it records your statutory choice.

Functional

Set with consent, used by individual tools. Some tool pages persist your last-used inputs in localStorage so you do not have to re-enter them. Keys are prefixed with dh- and are scoped to the originating tool. None of this state leaves your browser.

Analytics

Set only after you accept all cookies or analytics-only. Google Analytics 4 sets identifiers used to count unique visitors and sessions. We have enabled IP anonymisation (the IP address is anonymised in transit before Google stores any record of it) and Google Consent Mode v2, which means even after consent, ad-personalisation and remarketing signals remain denied unless you specifically accept all.

A more detailed cookie inventory lives at /cookies/.

Sub-processors and third parties

The vendors below are involved in operating the site and our forms. Each is bound by its own published data-processing terms, linked from each entry. This list reflects the actual production environment of digitalheroesco.com at the date above.

Core infrastructure

  • Vercel Inc. (San Francisco, CA, USA) — static site hosting, edge CDN, and serverless functions for the /api/book and /api/apply endpoints. Provides edge geolocation headers for context. vercel.com/legal/privacy-policy
  • Supabase Inc. (Delaware, USA) — Postgres database that stores open job listings and applications submitted via the careers form. supabase.com/privacy
  • Resend Inc. (San Francisco, CA, USA) — transactional email delivery for booking confirmations, application notifications, and one-to-one team replies sent from @digitalheroes.co.in addresses. resend.com/legal/privacy-policy

Front-end assets and analytics

  • Google LLC — Analytics 4 (Mountain View, CA, USA) — privacy-conscious web analytics with Consent Mode v2 and IP anonymisation. Fires only with your consent. policies.google.com/privacy
  • Google LLC — Fonts (Mountain View, CA, USA) — Space Grotesk, Inter, Instrument Serif, and JetBrains Mono served from fonts.googleapis.com and fonts.gstatic.com. The font request is a standard HTTP request that Google logs per its privacy policy.
  • Cloudflare, Inc. — cdnjs (San Francisco, CA, USA) — open-source JavaScript libraries (currently GSAP) served from cdnjs.cloudflare.com. cloudflare.com/privacypolicy

If you operate as a corporate buyer and need a signed Data Processing Agreement covering personal data we process for you under a paid engagement, email legal@digitalheroes.co.in. We sign GDPR Article 28 DPAs as a standard part of any engagement that requires one.

Third-party APIs called by free tools

Most tools at /tools/ run entirely in your browser. The handful that need to look up live external data make a single fetch directly from your browser to a public third-party API when you click "run". We do not proxy these calls — your browser talks to the API directly — and we do not store the URL you submitted or the response we receive.

  • Google PageSpeed Insights API (googleapis.com/pagespeedonline/v5/runPagespeed) — used by the Website Audit, Lighthouse Score Checker, Core Web Vitals Checker, Mobile-Friendly Test, Multi-URL Audit, Page Weight Analyzer, CSS Size Checker, JavaScript Size Checker, HTTP Status Checker, and Domain Health Checker tools. The URL you enter is sent to Google. policies.google.com/privacy
  • Cloudflare DNS-over-HTTPS (cloudflare-dns.com/dns-query) — used by the DNS Lookup tool and the Domain Health Checker. The domain you enter is sent to Cloudflare. cloudflare.com/privacypolicy
  • RDAP (Registration Data Access Protocol) (rdap.org/domain/) — the modern, ICANN-coordinated replacement for WHOIS. Used by the WHOIS Lookup, Domain Age Checker, Domain Availability Checker, and Domain Health Checker tools. The domain you enter is sent to the relevant RDAP server. about.rdap.org
  • Internet Archive — Wayback Availability API (archive.org/wayback/available) — used by the Domain Age Checker and Domain Health Checker to estimate the first time a domain appeared on the public web. The domain you enter is sent to Internet Archive. archive.org/about/terms

Each tool that triggers one of the above calls names the destination API in its own "Privacy" line beneath its input form, before you submit anything. You can read what will happen before you press the button.

International transfers

As a dual-HQ company with offices in the United States, India, the United Kingdom, and Australia, we routinely transfer personal data internationally between our offices and our sub-processors.

Where data on a person resident in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country without an adequacy decision, the transfer is protected by the European Commission's Standard Contractual Clauses (the 2021 SCC modules, including the UK Addendum where the UK is involved) executed with each sub-processor.

Where data on a person resident in India is transferred outside India, the transfer is conducted under the cross-border transfer mechanisms set out in the Digital Personal Data Protection Act, 2023 and any rules notified under it.

Where data on a person resident in Australia is transferred outside Australia, we comply with Australian Privacy Principle 8 — meaning either the recipient is bound by substantially similar protections, or you have been informed of the disclosure and have consented.

Your rights — per jurisdiction

European Economic Area (GDPR)

You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. You also have the right to lodge a complaint with your national data protection authority — a directory is maintained by the European Data Protection Board.

United Kingdom (UK GDPR + Data Protection Act 2018)

You have the same rights as EEA residents, plus the right to complain to the Information Commissioner's Office.

California (CCPA as amended by CPRA)

You have the right to know what personal information we collect about you, the right to delete, the right to correct, the right to opt out of sale or sharing of personal information, and the right not to be discriminated against for exercising these rights. We do not sell your personal information and we do not share it for cross-context behavioural advertising. There is no "Do Not Sell or Share My Personal Information" link on this site because there is nothing to opt out of; if that ever changes, the link will be added at that time.

Other US states (Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and beyond)

We honour the substantive rights granted by every US state privacy law currently in force — access, correction, deletion, portability, opt-out of targeted advertising and sale (neither of which we do), and appeal of a refused request. Mail privacy@digitalheroes.co.in with your state of residence and we will route accordingly.

India (Digital Personal Data Protection Act, 2023)

You have the right to obtain confirmation and access, the right to correction and erasure, the right to grievance redressal, and the right to nominate another individual to exercise these rights on your behalf in case of incapacity or death. Our designated grievance contact is privacy@digitalheroes.co.in.

Australia (Privacy Act 1988 + Australian Privacy Principles)

You have the right to access personal information we hold about you, to seek correction, and to make a complaint. If we cannot resolve a complaint to your satisfaction, you may escalate to the Office of the Australian Information Commissioner.

How to exercise any of these rights

Email privacy@digitalheroes.co.in from the address on file (or, if that address has changed, with sufficient detail to verify your identity through alternate means). We respond within thirty days for GDPR / UK GDPR / DPDP requests, forty-five days for CCPA requests (extendable once by another forty-five days where reasonably necessary), and within the timelines required by Australian Privacy Principle 12. There is no fee for exercising a right; we may charge a reasonable fee or refuse the request only where it is manifestly unfounded or excessive, as permitted by the applicable statute.

Data retention

  • Analytics: retained for the default Google Analytics 4 retention window (currently fourteen months for event-level data), after which it is automatically deleted by Google.
  • Booking submissions: retained for the duration of the active conversation plus twelve months thereafter for record-keeping. Delete-on-request honoured at any time.
  • Applicant data: resumes that do not lead to an offer are deleted on request, otherwise retained for up to twelve months in case a relevant role opens. Resumes for hired candidates move into our employee-record system under a separate retention schedule.
  • Email correspondence: retained for the operating-business reasonable period (we do not bulk-delete inboxes). Specific thread deletion available on request.
  • Marketing-list subscribers: retained until you unsubscribe, after which we keep a minimal suppression record (your email address only) so we do not accidentally re-add you.

Security

The site is served over HTTPS only with HSTS enabled. Form submissions are encrypted in transit. Server-side endpoints validate inputs and rate-limit by IP. Personal data inside our hosting and database providers is protected by access controls native to those platforms; only employees and contractors who need access for a documented purpose receive it.

We never store credit card or banking information on our infrastructure. If a paid engagement requires payment, we issue an invoice and you pay through your banking channel of choice or a payment processor (Stripe or Razorpay) where the card data goes directly to the processor and never touches our servers.

No system on the public internet is invulnerable. If you become aware of a security issue affecting personal data on this site, please email legal@digitalheroes.co.in with the details and we will respond within five business days. We will notify affected users and the relevant supervisory authority as required by GDPR Article 33, the Indian DPDP Act, and any other applicable breach-notification rule.

Children

Our services are not directed at children under sixteen. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@digitalheroes.co.in and we will delete it.

Automated decision-making

We do not make decisions that produce legal or similarly significant effects on you using solely automated processing. Applicant review, pricing decisions, and engagement scoping are reviewed by a human before a decision is communicated.

Changes to this policy

We update this policy when our practices change. The last updated date at the top reflects the most recent revision, and the page is version-controlled in our public git repository so prior revisions are auditable — see the change history. Material changes (anything that would make us collect more, share more, or retain longer) will be flagged at the top of the page for at least thirty days after publication.

Contact

We are reachable through any of these inboxes from any of our offices in New York, Delhi, London, Lucknow, or Sydney.

Glossary

Controller / Business / Data Fiduciary
The entity that decides why and how personal data is processed. We are this entity for the personal data described in this policy.
Processor / Service Provider / Data Processor
An entity that processes personal data on the controller's behalf, under contract. We act as a processor for our paying clients — that work is governed by a separate Data Processing Agreement.
Sub-processor
A vendor we use to deliver part of our service. Each one we use is named in the Sub-processors section.
Consent Mode v2
A Google-defined framework that lets analytics adjust its behaviour based on the consent state you select on the cookie banner. Even after granting analytics consent, ad-personalisation signals remain off unless you specifically accept all cookies.
Standard Contractual Clauses (SCCs)
A set of model contract terms approved by the European Commission for transferring personal data from the EEA / UK to a country without an adequacy decision. We execute the 2021 SCC modules with each affected sub-processor.
DPA (Data Processing Agreement)
A contract specifically governing the processor relationship — Article 28 of GDPR, equivalent provisions in UK GDPR / DPDP / CCPA. We sign these as a standard part of any paid engagement that requires one.

see also

Published · Last updated .