Privacy Policy

Annealir Advancements · Last updated: 3 July 2026 · hello@annealir.com

This Privacy Policy explains, completely and in plain language, what information Annealir collects through this website, how it is collected, why, who can see it, how long it is kept, where it travels, and the rights and controls you hold. It is written to be read. What it says is what we do; if our practices ever change, this document changes first.

1. Who we are, and what this policy covers

"Annealir Advancements" ("Annealir", "we", "us", "our") is the working name of a technology venture established and operated from Gurugram, Haryana, India. A private limited company may later be incorporated in India to carry on this venture; Section 14 explains how this policy survives that change. We are the data fiduciary (the party that determines the purpose and means of processing) for the personal data described here.

This policy covers this website and every page on it (the "Site"), the register-interest forms it carries, our measurement of how the Site is used, and email correspondence with the addresses we publish. It does not cover third-party platforms you may reach through links, or documents you host elsewhere and merely link to us. This policy is an electronic record under the Information Technology Act, 2000; it requires no physical signature. Contact for everything in this document: hello@annealir.com.

2. The short version

  • We collect what you submit on our forms, correspondence you send us, and first-party usage measurement (which pages are read, for how long, which sections, how far people scroll), together with coarse, network-level context — the approximate region and the connecting organisation, derived at our server in place of your IP address, which we do not store. None of it is tied to your name or identity, and none of it follows you across other websites.
  • We set no third-party trackers of any kind: no advertising pixels, no social-media tags, no fingerprinting, no session-replay, no data brokers. Our measurement talks only to our own address on our own domain.
  • We show no cookie banner because we do nothing that requires one: nothing we store on your device tracks you across sites, and we honour the Global Privacy Control signal (Section 6).
  • We never sell, rent, trade, or barter your information — to anyone, for anything.
  • Your details are used for exactly one family of purposes: operating the Site and following up on the interest you registered.
  • One email shows, corrects, or deletes everything we hold about you (Section 12).

3. Information you give us

Nothing on the public Site requires an account or a login (the separate, invitation-only investor briefing is described at the end of this section). The only information you give us is what you choose to type. When you submit a register-interest form, we collect what that form asks, which depends on the audience:

FormFields
All formsName; email address; any free-text note you add; which form you used and when.
BuyersDesignation; company; company website (optional).
SuppliersDesignation; company; your role in the supply chain; item categories; company website (optional); GSTIN (optional — a business tax identifier, treated with the same care as personal data).
InvestorsFirm; LinkedIn profile (optional); your answers to the questions on that page.
Join usLinkedIn profile (optional); qualification; field of study; institution; area of interest; the work you describe.

Where submissions go. When you submit a form, your submission travels over HTTPS, same-origin, to our own endpoint on this domain and is recorded in a database we run on Cloudflare (Cloudflare D1, in our own account, encrypted at rest) so that we can act on it. The record is access-restricted and never public. No advertising network, data broker, form-builder, CRM, or other third party sits in this path — it is our endpoint and our database, both on the infrastructure described in Section 8.

How we are told. A submission also triggers a short, content-free notification to our own inbox — sent through our infrastructure provider's native email service (Cloudflare), so no third-party email or marketing platform is involved. By default that notification contains no contact details: it only says a registration of a given type arrived and to open our internal dashboard to read it. The dashboard itself is access-restricted to the founding team.

Bot protection. To keep the forms usable and resist automated abuse, we use Cloudflare Turnstile — a privacy-preserving, first-party human-check. When you register interest, a brief verification step appears on the form to confirm you are human; it sets no tracking cookie and no cross-site identifier. It is part of the same infrastructure that serves the Site, not a third-party tracker, and we do not use it to profile you.

If a submission cannot reach us. If the network or our endpoint is momentarily unavailable when you submit, your entry is held only in your own browser's session storage, on your device, as a temporary outbox — so nothing you typed is lost — and is resent automatically within that same browsing session, then removed. On a successful submission nothing you typed is written to your device. See Cookies & Tracking for the exact storage entry.

Correspondence. If you write to hello@, careers@, or security@, we keep the thread for as long as the matter needs it.

Accuracy and authority. Submit only information that is accurate and that you have the right to submit — about yourself, or about an organisation you are genuinely authorised to represent. Do not submit another person's personal data without their authority.

The investor briefing (invitation only). Separately from the public Site, we run a small, invitation-only briefing area for prospective investors. There is no public sign-up: access is by a personal, expiring invitation we issue directly. To sign in, an invited investor enters the email and access code from their invitation (and, where we set one, a passphrase). We verify this entirely on our own server; an unrecognised email or code is never told apart from any other — every unsuccessful attempt receives the same generic response — and the briefing pages are served only after a successful sign-in. While you are signed in we set a single strictly-necessary, first-party session cookie (__Host-annealir_briefing) so the area knows you are authenticated; it carries no advertising or cross-site identifier and expires with the session (see Cookies & Tracking). We keep a brief access log — which invitation was used, when, and the coarse network and place it connected from (the same network-derived context described in Section 4, never your raw IP) — so we can see who has viewed the briefing. To limit guessing, failed sign-ins are rate-limited using a one-way salted hash of the connection, exactly as for the forms; the raw address is never stored. No third party sits in any part of this.

4. Information collected automatically (first-party measurement)

We measure how the Site is used so we can make it better and understand interest ahead of deployment. This measurement is first-party only: it is collected by our own code, sent only to our own endpoint on this domain, stored in our own analytics dataset, and shared with no advertising or data-broker ecosystem of any kind. Per visit it records:

  • the page viewed, the referring page (if your browser sends one), and your browser's language setting;
  • time on the page, time the page was actually visible, and time spent on each titled section of the page;
  • the deepest point you scrolled to (as a percentage);
  • counts of interactions — for example that a share button, an engine plate, or a register button was used (never the content you typed);
  • viewport size and display scale (so we know which layouts to improve);
  • in standard regions, a random anonymous visitor identifier stored in your browser's local storage and a per-tab session identifier — random strings we generate, connected to no name, no email, and no identity, used only to count returning browsers and group a session's pages;
  • at our server, derived from the network connection rather than from your device, the approximate location of the request (country, region, and city) and the organisation or network operator the connection belongs to — the kind of context any web server sees. We record this in place of your IP address, which we do not store. It lets us understand, in aggregate, which regions and kinds of organisation engage with our work; it describes the network the request came from, not you, and we do not use it to identify the individual visitor.
  • at our server, a coarse client family — the approximate browser family, operating system, and device type (for example "Chrome", "iOS", "mobile") — derived by parsing the User-Agent header your browser already sends to every web server. Only the coarse family is stored; the full User-Agent string is not retained. This is not used for fingerprinting or cross-site tracking; it simply tells us which broad categories of browser and device are in use, so we can make the Site work well across them. It sits within the same first-party, no-third-party, no-raw-IP posture as everything else in this section.
  • Page performance signals (Core Web Vitals and related): the time until the largest content element painted, the time until the first content painted, the first input delay, cumulative layout shift, and the time to first byte — standard, browser-supplied metrics measuring how quickly the page loaded and responded. These are collected by our own code, folded into the same single measurement we already send, and never transmitted separately. They are anonymous, carry no personal data, and are used only to understand and improve how the Site performs across devices and connections.
  • Interaction quality signals: the count of rapid repeated clicks on an element that was not responding (rage clicks), the count of clicks on elements that have no registered action (dead clicks), and — on devices with a mouse — a count of the times the pointer left past the top edge of the window (an exit-intent signal), all as simple integers. These tell us where the interface is confusing or where attention drops off. No element content, no text you typed, no cursor path, and no personally identifying detail is captured — only the counts.
  • Time to first interaction: how long after the page loaded until you first clicked, tapped, or typed — a single integer in milliseconds, used to understand whether the page felt ready in time. No record of what was clicked or typed is made.
  • Connection type: the coarse network category your browser reports (for example "4g") — a single low-entropy string used to understand which network conditions affect performance. This is not used for fingerprinting; it is as coarse as knowing whether a connection is broadly mobile or wired.
  • Reduced-motion preference: whether your browser has signalled a preference for reduced motion (a single 0 or 1). This is used only to understand what proportion of visitors benefit from our reduced-motion design adaptations. It is not used to identify you.
  • Form interaction behaviour (never form values): for each register-interest form on the page, a record of which fields received focus, which field (if any) was the last one active before the form was abandoned without submitting, the count of validation errors encountered, and whether the form was submitted — structured as a small JSON object, one entry per form, keyed by a generic form identifier. The values you type into any field are never captured, stored, or transmitted under any circumstances. This behaviour record exists only to show us where forms are difficult to complete, so we can improve them.

Minimisation is our default, not a special case. Unless you are in one of a short list of regions where a fuller approach is clearly appropriate, we set and read no identifier on your device, record no precise coordinates, and retain the resulting measurement for a shorter period (Section 10). This applies automatically to every region with stringent data-protection or e-privacy laws — for example the European Economic Area, the United Kingdom, and Switzerland, among others — and to anywhere we are not certain. Your measurement there is anonymous and entirely server-side.

Separately, our hosting infrastructure (Cloudflare) processes standard request logs — IP address, user-agent string, requested URL, timestamps — as virtually all web infrastructure does, to deliver the Site, balance load, and resist attack. We do not use logs or measurement to identify visitors, and we do not attempt to re-identify anyone from them.

When you submit a form, we additionally record, alongside your submission, a few security and context details derived from the connection: the approximate location of the request (country, region, and city) and the organisation or network it belongs to, your browser's user-agent string, and the referring page. Because you have identified yourself on the form, this simply places your registration in its professional context. We do not store your raw IP address. Instead, to limit abuse and the rate of submissions, we keep only a one-way salted hash of it — a value from which the original IP cannot be recovered — used solely to detect and slow repeated automated submissions, never to identify or track you.

5. What we deliberately do not do

  • No third-party advertising, analytics, or social-media trackers; no tracking pixels; no session-recording or replay; no fingerprinting; no cross-site or cross-device tracking; no data-broker feeds in or out.
  • No sale, rental, sharing-for-value, or trade of personal data — and no "sharing" of data for cross-context behavioural advertising, in the meaning any privacy law gives those words.
  • No consent-requiring cookies, which is why there is no cookie banner (full reasoning at Cookies & Tracking).
  • No profiling that produces legal or similarly significant effects about you; no automated decision-making about you at all.
  • No collection aimed at children — the Site's forms are for people 18 and over (Section 13).
  • No seeking of sensitive personal data (health, biometric, financial account, caste, religion, sexual orientation, and the like). Please do not submit it; if you do, we delete it when we see it.
  • All fonts and content assets are self-hosted: loading the Site calls no font services, tag managers, advertising networks, or social widgets. The one component served from beyond our own files is Cloudflare Turnstile — our infrastructure provider's own privacy-preserving bot check on the register forms (Section 3), which sets no tracking cookie and follows no one across sites.

6. Your signals: Global Privacy Control and Do Not Track

If your browser sends the Global Privacy Control signal or the legacy Do Not Track flag, our measurement code does not run at all for you — no beacon, no anonymous identifier. We treat these signals as a valid expression of preference, without requiring you to ask.

7. Why we process your information, and on what legal basis

PurposeData usedBasis
Recording and acting on the interest you registered; contacting you about it as registration and deployment openYour form submissionYour consent, given by submitting after the notice that links here
Evaluating expressions of interest in working with usJoin-us submissions and what they link toYour consent; taking steps at your request prior to any engagement
Maintaining a record of investor interestInvestor submissionsYour consent
Replying to you and keeping records of the exchangeCorrespondenceYour request; our legitimate interest in keeping records
Understanding and improving how the Site is used, including which regions and kinds of organisation engage with itFirst-party measurement and the network-derived context in Section 4Legitimate interest in operating, securing, and improving the Site — implemented with data minimisation (no raw IP stored, anonymous identifiers, and a privacy-maximising default that lightens the footprint outside a short list of clearly-permissive regions) and honouring GPC/DNT
Securing the Site and resisting abuseInfrastructure logsLegitimate interest in security; legal obligations
Establishing, exercising, or defending legal claims; complying with lawThe minimum necessaryLegal obligation; legitimate interest

Our processing is governed by Indian law, including the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000. Where the DPDP Act requires consent, your submission of a form — made after seeing the notice beneath it — is that consent, and Section 12 explains withdrawal. As the DPDP Act provides, this notice is available in English and in any language listed in the Eighth Schedule to the Constitution of India: write to hello@annealir.com for a copy in the language you prefer, and we will provide one within a reasonable time. If you are in the EEA, the United Kingdom, or another jurisdiction whose data-protection law applies to you despite the Site being operated from India and not targeted at any particular country: the bases above map to consent and legitimate interests under that law, and you hold whatever further rights it grants, exercised through the same contact in Section 12.

8. Where your information lives, and who can see it

  • Infrastructure. The Site is hosted and delivered by Cloudflare, whose network is global; our form records and measurement dataset reside on infrastructure that may be located outside India, protected by the safeguards our providers contractually offer. We choose providers with strong, published security and privacy practices.
  • Inside Annealir. Access is limited to the people who need it for the purposes in Section 7 — at present, that is the founding team.
  • Professional advisers (legal, accounting, audit) under duties of confidentiality, where needed.
  • Authorities and courts, where a law, regulation, court order, or binding government request requires disclosure — we disclose the minimum required, and where the law allows it we will tell you.
  • Protection of rights. Where necessary to investigate or stop abuse of the Site, enforce our Terms of Use, or establish, exercise, or defend legal claims.
  • A successor entity, as described in Section 14.
  • We never publish your information, and we never give it to advertisers, data brokers, or "partners" — we have none.

9. International transfers

We operate from India. Because our infrastructure providers run global networks, data handled by them may be stored or processed outside India. We permit this only with providers that commit to recognised security and data-protection safeguards, and we comply with any restriction the Government of India notifies under the DPDP Act regarding transfers to specific countries. Wherever your data is processed, this policy follows it.

10. How long we keep things

CategoryKept for
Interest registrations (buyers, suppliers, investors)Until our registration programme concludes or you ask us to delete them — whichever is earlier
Join-us submissionsUp to 12 months, unless you ask sooner or we agree otherwise with you
CorrespondenceAs long as the matter it concerns requires
Measurement data (Section 4)Reviewed in aggregate; raw rows kept no longer than 24 months — and no longer than 12 months under our default, privacy-maximising posture, which applies in every stricter region (for example the EEA, the UK, and Switzerland) and wherever a fuller approach is not clearly appropriate
Infrastructure security logsPer our providers' standard short retention

We may retain a minimal record longer where a law requires it, where it is needed to honour your own request (for example, a suppression record so we stop contacting you), or to establish or defend a legal claim — and then only that minimum. When retention ends, data is deleted or irreversibly anonymised.

11. Security, and what happens if it fails

The Site is served entirely over HTTPS. There is no login system, no payment processing, and no publicly reachable database. We apply reasonable and appropriate technical and organisational measures to everything we hold: encryption in transit, least-privilege access, reputable infrastructure, and minimal collection in the first place — data we do not hold cannot leak. No system on earth is perfectly secure; if a breach nonetheless affects your personal data, we will notify you and the authorities as the DPDP Act and its rules require, with what we know, what it means for you, and what we are doing. Security researchers: security@annealir.com — we engage in good faith with coordinated disclosure.

12. Your rights, and exactly how to use them

You can, at any time and free of charge, ask us to:

  • show you the personal data of yours we hold, and a summary of how it has been processed;
  • correct or complete it;
  • delete it and stop contacting you;
  • withdraw consent you previously gave (effective from then on — withdrawal does not undo processing already lawfully done, and is as easy as giving consent was: one email);
  • nominate a person to exercise these rights for you in the event of death or incapacity, as the DPDP Act provides;
  • raise any grievance about our handling of your data.

Write to hello@annealir.com with "Privacy" in the subject line, from the email address your request concerns (or with enough detail for us to verify it is you — we may ask a clarifying question, because acting on an impostor's request would itself be a breach). We acknowledge promptly and respond within the timelines applicable law prescribes, and in any event within 30 days. If you are in India and remain unsatisfied, you may approach the Data Protection Board of India; elsewhere, your local supervisory authority. Every marketing-type message we ever send will also carry its own working opt-out.

Grievance Office. We operate a designated Grievance Office for complaints about how we handle your personal data. To raise a grievance, write to hello@annealir.com with "Grievance" in the subject line; we will acknowledge promptly and resolve the matter within 30 days. If you remain unsatisfied, you may escalate to the Data Protection Board of India (or, outside India, your local supervisory authority). While this venture operates under a working name, the Grievance Office is reached through this address rather than a named person; upon incorporation of the private limited company that will carry on the venture (Section 14), we will publish the name and designation of the Grievance Officer here.

13. Children

The Site is not directed at children. Our forms are for people 18 or older; we do not knowingly collect personal data from anyone younger, and we do not process children's data, behavioural monitoring, or advertising directed at children in any form. If you believe a minor has submitted data, write to us and we will delete it.

14. If our legal form changes

Annealir intends to incorporate a private limited company in India to carry on this venture. If and when that happens — or in any later reorganisation, financing, merger, or transfer of the venture — the information we hold may be transferred to the entity continuing the venture, which becomes bound by this policy (or one no less protective) for that information, and which honours every right in Section 12 and every promise in Sections 5 and 6. Your rights travel with your data; a change of our legal form never reduces them, and the purposes in Section 7 do not silently expand.

15. Links and platforms we do not control

If you give us a link — a LinkedIn profile, a company site — we open it only to assess the interest you registered. The platforms hosting those materials, and any external sites the Site links to, have their own privacy practices we neither control nor answer for. Share only what you are comfortable sharing and have the right to share.

16. Changes to this policy

When we change this policy, the change appears here with a new "Last updated" date, and the current version always lives at this address. A material change is not applied retroactively to information we already hold without telling you and, where law requires, seeking fresh consent. Earlier versions are available on request.

17. Contact

Annealir Advancements · Gurugram, Haryana, India · hello@annealir.com (privacy and grievances) · security@annealir.com (vulnerability reports). This document should be read with the Terms of Use, Cookies & Tracking, and the Disclaimer.