1. Legal Framework and Compliance
Our data protection practices are designed to comply with:
- Digital Personal Data Protection Act, 2023 - India's primary data protection law
- Information Technology Act, 2000 and related rules
- Information Technology (Reasonable Security Practices) Rules, 2011
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
- Consumer Protection Act, 2019 - Consumer data protection
- Companies Act, 2013 - Corporate data governance
- Foreign Exchange Management Act (FEMA), 1999 - Cross-border data transfers
- Reserve Bank of India (RBI) Guidelines - Financial data protection
2. Data Protection Principles
We adhere to the following fundamental data protection principles:
Lawfulness and Fairness
Data processing is lawful, fair, and transparent to the data principal.
Purpose Limitation
Personal data is collected for specified, explicit, and legitimate purposes.
Data Minimization
We collect only data that is necessary for the specified purpose.
Accuracy
Personal data is accurate, complete, and kept up to date.
Storage Limitation
Data is retained only for as long as necessary for the purpose.
Security of Processing
Appropriate technical and organizational measures protect personal data.
3. Types of Personal Data We Process
We process different categories of personal data based on our business needs:
Basic Personal Data
- Name and contact information
- Email addresses and phone numbers
- Postal addresses
- Company/organization details
- Job titles and professional information
Service-Related Data
- Service preferences and requirements
- Property details and specifications
- Service history and records
- Communication preferences
- Feedback and survey responses
Technical Data
- IP addresses and device identifiers
- Browser type and version
- Operating system information
- Website usage patterns
- Cookies and tracking data
Financial Data
- Billing and payment information
- Bank account details (for payments)
- GST and tax information
- Transaction records
- Credit verification data
Sensitive Personal Data
- Health information (if relevant to services)
- Security clearance information
- Biometric data (if used for access)
- Background verification data
- Emergency contact information
Employee Data
- Employee personal and professional details
- Performance and training records
- Attendance and scheduling data
- Health and safety information
- Payroll and benefits data
4. Legal Basis for Processing
We process personal data based on the following legal grounds:
4.1 Consent
- Free Consent: Given freely without coercion
- Specific Consent: For clearly defined purposes
- Informed Consent: With clear information about processing
- Unambiguous Consent: Through clear affirmative action
- Withdrawable Consent: Can be withdrawn at any time
4.2 Legitimate Interests
- Contract performance and service delivery
- Business operations and administration
- Legal compliance and regulatory requirements
- Fraud prevention and security measures
- Direct marketing (with appropriate safeguards)
4.3 Legal Obligations
- Compliance with labour laws and regulations
- Tax and financial reporting requirements
- Health and safety obligations
- Anti-money laundering and KYC requirements
- Court orders and legal proceedings
5. Data Subject Rights Under DPDP Act 2023
As a data principal under the Digital Personal Data Protection Act, 2023, you have the following rights:
Right to Information
Know what personal data we hold about you and how it's processed
- Purposes of processing
- Categories of personal data
- Recipients of your data
- Retention periods
- Your rights and how to exercise them
Right to Correction
Update, correct, or complete your personal data
- Correct inaccurate information
- Complete incomplete data
- Update outdated information
- Verify data accuracy
- Request confirmation of corrections
Right to Erasure
Request deletion of your personal data in certain circumstances
- Data no longer necessary
- Consent withdrawn
- Unlawful processing
- Legal obligation to erase
- Public interest grounds
Right to Grievance Redressal
Lodge complaints about data processing
- Internal grievance mechanism
- Data Protection Board complaints
- Consumer forum complaints
- Civil court remedies
- Compensation for damages
Right to Nomination
Nominate another person to exercise rights in case of death or incapacity
- Designate a nominee
- Specify rights to be exercised
- Update nomination details
- Revoke nomination
- Multiple nominees for different rights
Right of Parents/Guardians
Exercise rights on behalf of children
- Consent to processing
- Access child's data
- Correct child's information
- Request erasure
- File complaints
6. Data Security Measures
Technical Security Measures
Encryption
- AES-256 encryption for data at rest
- TLS 1.3 for data in transit
- End-to-end encryption for sensitive communications
- Database field-level encryption
Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication
- Principle of least privilege
- Regular access reviews
Network Security
- Firewalls and intrusion detection
- Virtual private networks (VPNs)
- Network segmentation
- DDoS protection
Monitoring
- 24/7 security monitoring
- Audit logs and trails
- Anomaly detection
- Incident response procedures
Organizational Security Measures
- Data Protection Officer (DPO): Designated DPO for privacy oversight
- Privacy by Design: Privacy considerations in all system designs
- Staff Training: Regular data protection training for all employees
- Vendor Management: Due diligence on third-party data processors
- Incident Response: Comprehensive breach response procedures
- Regular Audits: Internal and external security assessments
- Compliance Reviews: Periodic compliance and risk assessments
- Physical Security: Secure facilities and document handling
7. Data Breach Management
Data Breach Response Procedure
In the event of a personal data breach, we follow a comprehensive response procedure:
7.1 Detection and Assessment (0-24 hours)
- Immediate containment and mitigation measures
- Assessment of breach scope and impact
- Identification of affected data and individuals
- Risk assessment for data subjects
- Documentation of incident details
7.2 Notification Requirements (72 hours)
- Data Protection Board: Notification within 72 hours if likely to result in risk
- Affected Individuals: Direct notification if high risk to rights and freedoms
- Supervisory Authorities: Compliance with sector-specific requirements
- Law Enforcement: If criminal activity is suspected
- Insurance Providers: As per insurance policy requirements
7.3 Remediation and Recovery
- Security measures to prevent further breaches
- Recovery of compromised systems and data
- Support and assistance to affected individuals
- Credit monitoring services if applicable
- Regular updates to affected parties
7.4 Post-Incident Review
- Root cause analysis and investigation
- Lessons learned and process improvements
- Security measure enhancements
- Staff training updates
- Policy and procedure revisions
8. Cross-Border Data Transfers
8.1 Data Localization Requirements
We comply with Indian data localization requirements:
- Critical Personal Data: Processed only within India
- Sensitive Personal Data: One copy of data stored in India
- Financial Data: Payment system data stored in India (RBI guidelines)
- Government Data: All government-related data processed within India
- Health Data: Medical and health data stored locally
8.2 International Transfer Safeguards
When transferring data outside India, we ensure:
- Adequacy Decisions: Transfers to countries with adequate protection
- Standard Contractual Clauses: Legal agreements with recipients
- Binding Corporate Rules: Internal data transfer policies
- Explicit Consent: Your consent for transfers to non-adequate countries
- Derogations: Limited transfers for specific circumstances
8.3 Third Country Assessment
We assess the data protection standards of recipient countries:
- Legal framework evaluation
- Enforcement mechanisms assessment
- Government surveillance laws review
- Individual rights protection analysis
- Redress mechanisms availability
9. Data Protection Impact Assessments (DPIA)
9.1 When We Conduct DPIAs
- High-risk processing activities
- New technology implementations
- Large-scale processing of special categories
- Systematic monitoring of public areas
- Automated decision-making processes
- Processing of vulnerable groups' data
- Cross-border data transfers
9.2 DPIA Process
- Necessity Assessment: Evaluation of processing necessity
- Proportionality Analysis: Balance between purpose and impact
- Risk Identification: Identification of potential risks
- Mitigation Measures: Measures to reduce risks
- Stakeholder Consultation: Input from relevant parties
- Documentation: Comprehensive DPIA documentation
- Review and Update: Regular DPIA reviews
10. Children's Data Protection
10.1 Special Protection Measures
- Age Verification: Robust age verification mechanisms
- Parental Consent: Verifiable parental consent for under-18s
- Data Minimization: Minimal data collection from children
- Purpose Limitation: Strict purpose limitation for children's data
- Enhanced Security: Additional security measures
- Limited Retention: Shorter retention periods
- No Profiling: Prohibition on automated profiling
10.2 Parental Rights
- Access to child's personal data
- Correction of child's information
- Deletion of child's data
- Withdrawal of consent
- Object to processing
- Data portability rights
- Complaint and grievance rights
11. Employee Data Protection
11.1 Lawful Basis for Employee Data
- Employment Contract: Performance of employment contract
- Legal Obligation: Compliance with labour laws
- Legitimate Interest: HR administration and management
- Consent: Optional benefits and activities
- Vital Interests: Health and safety emergencies
11.2 Employee Data Types
- Personal and contact information
- Employment history and qualifications
- Performance and appraisal data
- Training and development records
- Attendance and leave records
- Payroll and benefits information
- Health and safety data
- Background verification results
11.3 Employee Rights
- Right to information about data processing
- Right to access personal data
- Right to correct inaccurate data
- Right to erasure (in limited circumstances)
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to file grievances
12. Vendor and Third-Party Data Protection
12.1 Due Diligence Process
- Privacy Assessment: Evaluation of vendor data practices
- Security Review: Technical and organizational measures assessment
- Legal Compliance: Verification of regulatory compliance
- Contract Negotiation: Data protection clauses in agreements
- Ongoing Monitoring: Regular vendor performance reviews
12.2 Data Processing Agreements
- Clear purpose and scope of processing
- Data protection obligations and responsibilities
- Security measures and breach notification
- Data retention and deletion requirements
- Data subject rights facilitation
- Audit and inspection rights
- Liability and indemnification clauses
12.3 Vendor Categories
- Technology Providers: Cloud services, software vendors
- Service Providers: Cleaning suppliers, equipment vendors
- Professional Services: Legal, accounting, consulting
- Marketing Partners: Advertising and promotional services
- Financial Services: Banks, payment processors, insurers
13. Data Retention and Deletion
13.1 Retention Principles
- Purpose Limitation: Retain only for original purpose
- Legal Requirements: Comply with statutory retention periods
- Business Necessity: Retain for legitimate business needs
- Minimal Retention: Shortest period necessary
- Regular Review: Periodic retention period assessment
13.2 Retention Schedules
- Customer Data: 7 years after contract termination
- Employee Data: 7 years after employment end
- Financial Records: 8 years as per Companies Act
- Tax Records: 8 years as per Income Tax Act
- Marketing Data: Until consent withdrawal
- Website Analytics: 26 months maximum
- CCTV Footage: 30-90 days unless incident
13.3 Secure Deletion
- Cryptographic erasure for encrypted data
- Multi-pass overwriting for magnetic storage
- Physical destruction of storage media
- Certificate of destruction for sensitive data
- Verification of complete deletion
- Documentation of deletion activities
14. Contact Information and Requests
This Data Protection Policy demonstrates our commitment to protecting your privacy and personal data. We continuously update our practices to maintain the highest standards of data protection in compliance with Indian and international laws.