Privacy Policy

GroovyMark WebX (a division of GroovyMark PVT Ltd; trading as "GroovyMark WebX", "we", "us", or "our") is committed to protecting the privacy and personal data of our website visitors, clients, project partners, and prospective customers. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the UK GDPR, and applicable data protection laws in Sri Lanka.

This policy applies to all personal data processed through our website, enquiry and project intake forms, CRM system, analytics tools, project management platforms, and any other services we provide.

The data controller responsible for processing your personal data is:

If you have any questions about this Privacy Policy or our data practices, please contact us at webx@groovymark.com.

We collect and process the following categories of personal data:

3.1 Data You Provide Directly

• Full name, email address, phone number, and company name (via contact, project enquiry, and intake forms)
• Job title, role, business information, and project requirements shared during discovery calls or onboarding
• Technical specifications, design preferences, and content assets submitted as part of project delivery
• Communication records including emails, virtual meetings, messages, project notes, and call recordings
• Payment and billing information where applicable (processed via secure third-party payment providers)
• Any other information you voluntarily submit through our website or service interactions

3.2 Data Collected Automatically

• IP address, browser type, operating system, and device information
• Pages visited, time spent on pages, referral source, and navigation paths
• Cookie data and tracking identifiers (see Section 8 for Cookie Policy)
• Technical logs and error reports generated during service delivery

3.3 Project & CRM Data

• Client project history, delivery milestones, and feedback records
• Lead and prospect engagement data including content interactions, form submissions, and email opens
• AI automation project details, workflow configurations, and system integration data
• Buyer journey data from first contact to contract and delivery

Under the GDPR, we process your personal data based on the following lawful bases:

We use your personal data for the following purposes:

• Project delivery: scoping, designing, developing, testing, and deploying web development and AI automation solutions
• Client management: onboarding, account management, project progress tracking, and delivery of performance reports
• Lead management: capturing, qualifying, scoring, and prioritizing inbound enquiries through our CRM
• Communication: responding to enquiries, sending project updates, and providing after-delivery support
• AI system development: processing project specifications and technical requirements to build custom automation workflows
• Marketing: sending newsletters, case studies, and service updates (only with your explicit consent)
• Analytics: understanding website traffic, optimizing content, and improving our conversion and delivery processes
• Business operations: invoicing, internal reporting, subcontractor coordination, and process improvement
• Security and fraud prevention: protecting our systems, clients, and data from unauthorized access or misuse

We do not sell, rent, or trade your personal data to any third party. We may share your data with:

6.1 Service Providers (Data Processors)

• Our internal CRM system (hosted and managed by GroovyMark WebX)
• Cloud hosting and infrastructure providers for project development environments and data backup
• Project management and collaboration platforms used during delivery (e.g., task tracking, file sharing)
• Email service providers for transactional and marketing communications
• Third-party AI platforms or APIs used in the delivery of AI automation projects (disclosed on a per-project basis)

All data processors are bound by Data Processing Agreements (DPAs) that ensure GDPR-compliant handling of your data.

6.2 Legal & Regulatory Disclosures

We may disclose your data when required by law, court order, or regulatory authority, or to protect our legal rights and the safety of our clients and staff.

6.3 International Data Transfers

As we are based in Sri Lanka and serve global clients, your data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data in line with GDPR requirements.

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy:

You may request deletion of your data at any time by contacting webx@groovymark.com, subject to our legal retention obligations.

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyze website traffic, and support our client and lead management services. We obtain your consent before placing any non-essential cookies on your device.

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us recognize your device and remember your preferences, actions, and browsing patterns across visits.

8.2 Cookie Consent

When you first visit our website, you will be presented with a cookie consent banner that allows you to:

• Accept all cookies
• Reject all non-essential cookies
• Customize your cookie preferences by category

You can change your preferences at any time via the cookie settings link in our website footer. Essential cookies cannot be disabled as they are required for the website to function.

8.3 Types of Cookies We Use

8.4 Managing Cookies

In addition to our cookie consent tool, you can control cookies through your browser settings. Please note that disabling certain cookies may affect website functionality and our ability to deliver personalized project recommendations and relevant content.

If you are in the EEA, UK, or where applicable law grants similar rights, you have the following rights regarding your personal data:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
• Right to Restrict Processing (Art. 18): Request that we limit how we process your data in certain circumstances.
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another controller.
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time for consent-based processing, without affecting prior lawful processing.
• Right to Lodge a Complaint: File a complaint with a supervisory authority if you believe your data rights have been violated.

To exercise any of these rights, please contact us at webx@groovymark.com. We will respond within 30 days. For complex requests requiring additional time (up to 60 days), we will inform you of the extension and reasons.

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Access controls limiting data access to authorized personnel only
• Secure development environments and code repositories for client projects
• Regular security reviews of internal systems and third-party integrations
• Secure cloud storage with redundancy and backup protocols
• Employee confidentiality agreements and data protection training
• Incident response procedures for data breach detection and notification

In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and inform affected individuals without undue delay, as required by GDPR Articles 33 and 34.

As a provider of AI system automation services, we may process client-supplied data as part of designing, building, and testing automated workflows. In these cases:

• We act as a Data Processor on your behalf and process only the data necessary for the agreed project scope
• Client data used in AI system development is handled under the terms of a Data Processing Agreement (DPA), provided upon request
• We do not use client project data to train our own AI models or share it with third-party AI providers beyond what is necessary for delivery
• Any third-party AI APIs or platforms used in your project will be disclosed in advance and governed by appropriate data protection safeguards

If your project involves the processing of personal data through automated systems we build for you, we will work with you to ensure your own GDPR compliance obligations are met through appropriate technical and contractual measures.

Our internal lead scoring system uses automated processes to classify enquiries and leads as High, Medium, or Low priority based on behavioral and firmographic data. This profiling helps us allocate resources and tailor our communications.

This automated scoring does not produce legal effects or similarly significant effects on you. However, under GDPR Article 22, you have the right to:

• Request human review of any automated decision that significantly affects you
• Express your point of view and contest the decision
• Receive an explanation of the logic involved in the scoring process

To request a review, contact us at webx@groovymark.com.

Our services are designed for businesses and professional individuals and are not directed at persons under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact webx@groovymark.com immediately.

Our website and content may contain links to third-party websites, platforms, or services (such as GitHub, LinkedIn, YouTube, or partner sites). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal data.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes:

• We will update the "Last Updated" date at the top of this policy
• We will notify existing clients and active leads via email
• We will display a prominent notice on our website

We encourage you to review this policy periodically. Continued use of our website and services after changes are posted constitutes your acknowledgment of the updated policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

For EU/UK residents, you may also lodge a complaint with your local Data Protection Authority (DPA) if you believe your data protection rights have been infringed.