Legal

GDPR Compliance

We are committed to protecting your personal data and upholding your rights under the General Data Protection Regulation. This page explains how we comply and what you can expect from us.

Last updated: June 9, 2026

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on 25 May 2018 across the European Union (EU) and European Economic Area (EEA). It also applies to organisations outside the EU that process the personal data of EU and UK residents.

GDPR replaces the 1995 EU Data Protection Directive and introduces stronger rules around how businesses collect, store, and use personal data — giving individuals greater control over their information.

Mitra Media Labs is fully committed to GDPR compliance. We collect only the minimum data necessary, process it lawfully, and give you clear control over your information at all times.

2. Our Role as Data Controller

Mitra Media Labs acts as the Data Controller for personal data collected through our website and services. As the Data Controller, we determine the purposes and means of processing your personal data and are responsible for ensuring it is handled lawfully, fairly, and transparently.

Organisation: Mitra Media Labs

Address: 803, Silver Trade Center, Digital Valley, Mota Varachha, Surat, Gujarat 394101, India

Privacy Contact: hello@mimelabs.net

Website: www.mimelabs.net

3. Lawful Bases for Processing

Under GDPR Article 6, we must have a lawful basis for every processing activity. The table below sets out what we do, what data we use, and why we are legally permitted to do so.

Processing Activity | Data Used | Lawful Basis
Respond to contact form enquiries | Name, email, phone, message | Legitimate interest / Contract
Send project proposals & follow-ups | Name, email | Consent / Legitimate interest
Website analytics & performance | Usage data, session recordings | Consent (analytics cookies)
Security & fraud prevention | IP address, usage patterns | Legitimate interest
Legal compliance & record-keeping | All applicable data | Legal obligation

4. Your Rights Under GDPR

As a data subject, you have the following rights. These apply to EU/UK residents under GDPR and UK GDPR respectively. We will respond to all valid requests within 30 days.

Right to Access

Request a copy of the personal data we hold about you, free of charge.

Right to Rectification

Ask us to correct any inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data where no legal obligation requires us to retain it.

Right to Restrict Processing

Ask us to pause the processing of your data while a dispute is resolved.

Right to Portability

Receive your data in a structured, machine-readable format to transfer to another provider.

Right to Object

Object to processing based on our legitimate interests. We will stop unless we can demonstrate compelling grounds.

5. Data Retention Policy

We only retain personal data for as long as necessary to fulfil the purpose it was collected for, or as required by law.

Data Type | Retention Period | Reason
Contact form submissions | 12 months | Follow-up on business enquiries
Analytics data (Microsoft Clarity) | 13 months | Website performance analysis
Server logs (Firebase Hosting) | 30 days | Security monitoring & debugging

We do not maintain a marketing database or mailing list. Once your enquiry is resolved, we have no ongoing reason to retain your data beyond the periods stated above.

6. International Data Transfers

Our website is hosted on Google Firebase with servers located in the United States. When personal data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection.

We use EmailJS to deliver contact form submissions to our team's inbox. EmailJS processes data in accordance with GDPR and maintains appropriate technical safeguards. Microsoft Clarity (analytics, with consent only) stores data in Microsoft Azure datacentres and is governed by Microsoft's Data Processing Agreement.

7. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction:

  • HTTPS / TLS 1.3 — all data in transit is encrypted
  • No personal data database on our website servers — form submissions go directly to email
  • Access control — only authorised team members can access submitted enquiries
  • Consent-gated analytics — Microsoft Clarity only loads after explicit cookie consent
  • Regular security reviews of all third-party integrations and hosting infrastructure

8. How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at the details below. We will verify your identity and respond within 30 days of receiving your request.

Email: hello@mimelabs.net

Subject line: "GDPR Request — [Your Name]"

Response time: Within 30 days

Requests are free of charge. If your request is complex or you submit multiple requests, we may extend the response period by a further 60 days and will notify you accordingly.

9. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe we have not handled your data in accordance with applicable law:

  • EU residents — contact your national Data Protection Authority (DPA). A full list is available at edpb.europa.eu
  • UK residents — contact the Information Commissioner's Office (ICO)
  • India — contact the Ministry of Electronics & Information Technology (MeitY) under the Digital Personal Data Protection Act 2023

We would, however, appreciate the opportunity to address your concerns before you contact a supervisory authority — please reach out to us at hello@mimelabs.net first.