This DATA PROTECTION POLICY is created for REWARTKART TECHNOLOGIES
INTERNATIONAL PRIVATE LIMITED on 3rd November 2022 and shall be amended from time
to time to comply with legal regulations in India.
In this Policy, “We”, “Us”, “Our” and “REWARDKART” refer to REWARTKART TECHNOLOGIES
INTERNATIONAL PRIVATE LIMITED.
A. PURPOSE OF THE POLICY
REWARDKART DATA PROTECTION POLICY is our commitment to treat information of our
clients, suppliers, service providers, partner entities and their employees, customers,
stakeholders and other interested parties with the utmost care and confidentiality.
Through this policy, REWARDKART aims to ensure that it gathers, stores, and handles data
legally, fairly, transparently and with respect towards individual rights.
B. SCOPE OF THIS POLICY
The REWARDKART DATA PROTECTION POLICY applies to the collection and processing of
Personal Data collected by REWARDKART from all Parties directly or indirectly, from all
individuals including, but not limited to REWARDKART’s current, past or prospective job
applicants, employees, clients, partner entities, consumers / customers, suppliers / vendors,
contractors / sub-contractors, shareholders or any third parties, with “Personal Data” being
defined as any data that relates to an identified or an identifiable individual or a person who
may be identified by means reasonably likely to be used for the conduct of business
transactions or availing services directly or indirectly through any of our products.
C. WHO IS COVERED UNDER THE DATA PROTECTION POLICY?
- Employees of our company and its subsidiaries must strictly follow this policy.
- Any other external entity, consultants, suppliers / vendors, contractors / sub-contractors,
service providers such as delivery agents, order processors, outsourced or temporary staff,
aggregators, and partner entities with whom we share this data are also covered.
- Generally, our policy refers to anyone we collaborate with or authorize to act on our behalf
and who may need occasional access to our data.
D. STANDARDS OF COMPLIANCE
As a startup company in India, we have registered our business with the Registrar of Companies
(RoC) and we adhere to the Companies Act, 2013.
As REWARDKART operates only in India, its Data Protection Policy presently complies with the
Information Technology Act, 2000 (hereinafter referred to as the “IT Act”) of India and the
Information Technology Rules, 2011 (hereinafter referred to as the “IT Rules”) of India.
As part of the compliances required under the Information Technology Act, 2000,
REWARDKART adheres to guidelines related to data protection and privacy, cyber security,
and intellectual property rights.
- We obtain consent before data collection and give individuals the option to revoke such
consent.
- We gather and use information solely for the purpose of rendering services to the
individual as per the contractual terms with our clients for the purpose of fulfillment.
- We control and regulate the transferring of data for e-commerce and fulfilment of
services as per the legal framework.
- We do not collect data pertaining to sexual orientation, health information, biometric
data, and other sensitive data.
E. COLLECTION OF PERSONAL DATA AND USAGE
As part of our day-to-day business operations, we obtain and process information. This
information includes any offline or online data that makes any individual person “identifiable”
such as names, emails, mobile numbers, addresses, usernames and passwords, designations,
roles, digital footprints, photographs, PAN / Aadhaar Card Numbers (if required), financial data,
and transaction data.
We do not collect data related to sexual orientation, health information, biometrics, or other
sensitive data.
We ensure that Personal Data is collected and processed in accordance with applicable data
protection law in India.
F. TRANSPARENCY, FAIRNESS, LEGALITY AND MORAL OBLIGATIONS
REWARDKART collects this information in a transparent way and only with the full cooperation
and knowledge of interested parties. Once this information is available to us, the following
rules apply.
We do not collect or process Personal Data without having a lawful reason to do so. We may
have to collect and process Personal Data where necessary for the performance of a contract,
or when it is necessary for compliance with a legal obligation to which we are subject or where
required, with prior consent of our clients and individuals connected to that client company.
We may also collect and process Personal Data for REWARDKART’s legitimate interests
without infringement of fundamental rights and freedoms of an individual.
1) The data obtained by us will be…
- Collected fairly and for business purposes as allowed by legal regulations and for legal
compliances such as Know Your Customer (KYC).
- Verified and validated at the request of our client by duly notifying the individuals when
contacted by our agents and kept up to date in our databases.
- Always protected through encryption and firewalls, and inaccessible to any unauthorized
internal or external parties.
- Not shared with any third party other than with the willful knowledge of the client or
individuals linked to that client company.
2) The data we collect will…
- NOT be communicated informally either internally or externally.
- NOT be stored for longer than the specified period for which it is authorized and required.
- NOT be transferred to organizations, states or countries that do not have adequate data
protection policies.
- NOT be distributed to any party other than the ones agreed upon by the data's owner (other
than valid and legitimate requests from law enforcement authorities).
3) In addition to these ways of handling the data, REWARDKART has direct obligations towards
the individuals to whom the data belongs, specifically to:
- Inform the individuals which of their data is collected.
- Inform individuals about how we process their data.
- Inform individuals about who has access to their information.
- Make provisions for cases of lost, corrupted, or compromised data.
- Allow individuals to modify, erase, or reduce their data, or to request that it be corrected.
G. LEGITIMACY, DATA MINIMIZATION AND LIMITATION
- Personal Data is collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes.
- While sharing personal data of an individual with third parties to fulfill our client
obligations we will share the bare minimum data as required and ensure that it is
processed within legal, contractual, and moral boundaries.
- When REWARDKART acts for its own purposes, the Personal Data of an individual is
processed mainly for, but not limited to, the following purposes: recruitment
management, human resources management, accounting and financial management and
related controls and reporting, finance, treasury and tax management, risk management,
provision of active directory, IT tools or internal websites and any other digital solutions
or collaborative platforms, IT support management, including infrastructure management,
systems management, product applications, information security management, client
relationship management, bids, sales and marketing management, supply management,
internal and external communication and events management, compliance with anti-
money laundering obligations or any other legal requirements, data analytics operations,
legal corporate management and implementation of compliance processes.
H. DATA ACCURACY AND STORAGE LIMITATION
REWARDKART will keep Personal Data that is processed accurate and, where necessary, up to
date. We will only retain Personal Data for as long as necessary for the purposes we collected
it for, including for the purposes of satisfying any legal, accounting or reporting requirements
and, where required for REWARDKART to assert or defend against legal claims, until the end
of the relevant retention period or until the claims in question have been settled. Upon expiry
of the applicable retention period, we will securely destroy your personal data in accordance
with applicable laws and regulations.
I. SECURITY OF PERSONAL DATA
- We implement appropriate technical and organizational measures to protect Personal
Data against accidental or unlawful alteration or loss, or from unauthorized use,
disclosure, or access, in accordance with our Information and Systems Security Policy.
- We take, when appropriate, all reasonable measures based on Privacy by design and
Privacy by default principles to implement the necessary safeguards and protect the
Processing of Personal Data.
- We also carry out, depending on the level of risk raised by the processing, a Privacy Impact
Assessment (“PIA”) to adopt appropriate safeguards and ensure the protection of the
Personal Data.
- We also provide additional security safeguards for data considered to be Sensitive
Personal Data.
J. DISCLOSURE OF PERSONAL DATA
We share Personal Data under the following circumstances:
- with other REWARDKART product applications for the purposes of single sign-on.
- with third parties including certain service providers we have retained in connection with the
services we provide.
- with courts, law enforcement authorities, regulators, government officials or attorneys or other
parties where it is reasonably necessary for the establishment, exercise, or defense of a legal or
equitable claim, or for the purposes of a confidential alternative dispute resolution process.
- with companies or government agencies providing services for money laundering and terrorist
financing checks and other fraud and crime prevention purposes and companies providing similar
services, including financial institutions and regulatory bodies with whom such Personal Data is
shared.
- with service providers who we engage within or outside of REWARDKART, domestically, for
example, shared service centers, to process Personal Data for any of the purposes listed above on
our behalf and in accordance with our instructions only.
- in case we sell or buy any business or assets, when we may disclose Personal Data to the
prospective seller or buyer of such business or assets to whom we assign or novate any of our
rights and obligations.
K. DISCLOSURE WHILE COLLECTING PERSONAL DATA
- When collecting and processing Personal Data, we will provide a full and fair information
notice or privacy statement to the individual about the purposes for which the Personal
Data will be used, who is responsible for the processing of Personal Data, who the likely
recipients are, what are the rights of the individual sharing the data with us and how to
exercise them, etc.
- We do not collect data related to sexual orientation, health information, biometrics, or
other sensitive data.
- We collect Sensitive Personal Data only when required by applicable law, after seeking
prior consent from the individual. Example: Before collecting Aadhaar Card or PAN details
and verifying them for KYC purposes.
- Personal Data is collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes.
L. OTHER COMPLIANCES
As part of our compliance with the Payment Card Industry Data Security Standard (PCI DSS) and
the Payments & Settlements Act of 2007, wherever we collect the data of clients and end
customers using payment cards, including debit cards, credit cards and prepaid cards, we ensure
that our Payment Gateway ATOM, managed by NTT DATA, has incorporated adequate
customer data protection by securely processing, storing, and transmitting the card data
through tokenization.
M. OUR COMMITMENT TO ACTIONS
To exercise data protection, REWARDKART is committed to:
- Restrict and monitor access to sensitive data.
- Develop transparent data collection procedures.
- Train employees in online privacy and security measures.
- Build secure networks to protect online data from hackers and cyberattacks.
- Establish clear procedures for reporting privacy breaches or data misuse.
- Include contract clauses or communicate statements on how we handle data.
- Establish data protection practices such as document shredding, secure locks, data encryption,
frequent backups, authorization to access information, etc.
Our data protection provisions will appear on our website.
N. CONSEQUENCES UPON BREACH OR FAILURE TO COMPLY
All principles described in this policy must be strictly followed. A breach of data protection
guidelines will invoke disciplinary action against the erring Employee or the Party, including
termination of contract and possibly legal action, including indemnification.