This DATA PROTECTION POLICY is created for REWARTKART TECHNOLOGIES INTERNATIONAL PRIVATE LIMITED on 3rd November 2022 and shall be amended from time to comply with legal regulations in India.

In this Policy, “We”, “Us”, “Our” and “REWARDKART” refers to REWARTKART TECHNOLOGIES INTERNATIONAL PRIVATE LIMITED.

A. PURPOSE OF THE POLICY

REWARDKART DATA PROTECTION POLICY is our commitment to treat information of our clients, suppliers, service providers, partner entities and their employees, customers, stakeholders and other interested parties with the utmost care and confidentiality.

Through this policy, REWARDKART aims to ensure that it gathers, stores, and handles data legally, fairly, transparently and with respect towards individual rights.

B. SCOPE OF THIS POLICY

The REWARDKART DATA PROTECTION POLICY applies to the collection and processing of Personal Data collected by REWARDKART from all Parties directly or indirectly, from all individuals including, but not limited to REWARDKART’s current, past or prospective job applicants, employees, clients, partner entities, consumers / customers, suppliers / vendors, contractors / sub-contractors, shareholders or any third parties, with “Personal Data” being defined as any data that relates to an identified or an identifiable individual or a person who may be identified by means reasonably likely to be used for the conduct of business transactions or availing services directly or indirectly through any of our products.

C. WHO IS COVERED UNDER THE DATA PROTECTION POLICY?

1. Employees of our company and its subsidiaries must strictly follow this policy.
2. Any other external entity, consultants, suppliers / vendors, contractors / sub-contractors, service providers such as delivery agents, order processors, outsourced or temporary staff, aggregators, and partner entities with whom we share this data are also covered.
3. Generally, our policy refers to anyone we collaborate with or authorize to act on our behalf and may need occasional access to our data.

D. STANDARDS OF COMPLIANCE

As a startup company in India have registered our business with the Registrar of Companies (RoC) and we adhere to the Companies Act, 2013.

As REWARDKART operates only in India, its Data Protection Policy presently complies with the Information Technology Act, 2000 (hereinafter referred to as the “IT Act”) of India and the Information Technology Rules, 2011 (hereinafter referred to as the “IT Rules”) of India.

As part of the compliances required under the Information Technology Act, 2000, REWARDKART adheres to guidelines related to data protection and privacy, cyber security, and intellectual property rights.

1. We obtain consent before data collection and give individuals the option to revoke such consent.
2. We gather and use information solely for the purpose of rendering services to the individual as per the contractual terms with our clients for the purpose of fulfillment.
3. We control and regulate the transferring of data for e-commerce and fulfilment of services as per the legal framework.
4. We do not collect data pertaining to sexual orientation, health information, biometric data, and other sensitive data.

E. COLLECTION OF PERSONAL DATA AND USAGE

As part of our day-to-day business operations, we obtain and process information. This information includes any offline or online data that makes any individual person “identifiable” such as names, emails, mobile numbers, addresses, usernames and passwords, designations, roles, digital footprints, photographs, PAN / Adhaar Card Numbers (if required), financial data, and transaction data.

We do not collect data related to sexual orientation, health information, biometrics, or other sensitive data.

We ensure that Personal Data is collected and processed in accordance with applicable data protection law in India.

F. TRANSPARENCY, FAIRNESS, LEGALITY AND MORAL OBLIGATIONS

REWARDKART collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply.

We do not collect or process Personal Data without having a lawful reason to do so. We may have to collect and process Personal Data where necessary for the performance of a contract, or when it is necessary for compliance with a legal obligation to which we are subject or where required, with prior consent of our clients and individuals connected to that client company. We may also collect and process Personal Data for REWARDKART’s legitimate interests without infringement of fundamental rights and freedoms of an individual.

1) The data obtained by us will be…

• Collected fairly and for business purposes as allowed by legal regulations and for legal compliances such as Know Your Customer (KYC).
• Verified and validated at the request of our client by duly notifying the individuals when contacted by our agents and kept up to date in our databases.
• Always protected through encryption, firewalls and inaccessible by any unauthorized internal or external parties.
• Not shared with any third-party reasons other than the willful knowledge of the client or individuals linked to that client company.

2) The data we collect will not be…

• NOT be communicated informally either internally or externally.
• NOT be stored for more than the specified amount of time it is authorized and required.
• NOT transferred to organizations, states or countries that do not have adequate data protection policies.
• NOT distributed to any party other than the ones agreed upon by the data's owner (other than valid and legitimate requests from law enforcement authorities)

3) In addition to ways of handling the data REWARDKART has direct obligations towards individuals to whom the data belongs and specifically:

• Inform the individuals which of their data is collected.
• Inform individuals about how we process their data.
• Inform individuals about who has access to their information.
• Have made provisions in cases of lost, corrupted, or compromised data.
• Allow individuals to modify, erase, reduce or request for their data to be corrected.

G. LEGITIMACY, DATA MINIMIZATION AND LIMITATION

• Personal Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• While sharing personal data of an individual with third parties to fulfill our client obligations we will share the bare minimum data as required and ensure that it is processed within legal, contractual, and moral boundaries.
• When REWARDKART acts for its own purposes, the Personal Data of an individual is processed mainly for, but not limited to, the following purposes: recruitment management, human resources management, accounting and financial management and related controls and reporting, finance, treasury and tax management, risk management, provision of active directory, IT tools or internal websites and any other digital solutions or collaborative platforms, IT support management, including infrastructure management, systems management, product applications, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti- money laundering obligations or any other legal requirements, data analytics operations, legal corporate management and implementation of compliance processes.

H. DATA ACCURACY AND STORAGE LIMITATION

REWARDKART will keep Personal Data that is processed accurate and, where necessary, up to date. We will only retain Personal Data for as long as necessary for the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements and, where required for REWARDKART to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled. Upon expiry of the applicable retention period, we will securely destroy your personal data in accordance with applicable laws and regulations.

I. SECURITY OF PERSONAL DATA

• We implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful alteration or loss, or from unauthorized use, disclosure, or access, in accordance with our Information and Systems Security Policy.
• We take, when appropriate, all reasonable measures based on Privacy by design and Privacy by default principles to implement the necessary safeguards and protect the Processing of Personal Data.
• We also carry out, depending on the level of risk raised by the processing, a Privacy Impact Assessment (“PIA”) to adopt appropriate safeguards and ensure the protection of the Personal Data.
• We also provide additional security safeguards for data considered to be Sensitive Personal Data.

J. DISCLOSURE OF PERSONAL DATA

We share Personal Data, under the following circumstances:

• with other REWARDKART product applications for the purposes of single sign-on.
• with third parties including certain service providers we have retained in connection with the services we provide.
• with courts, law enforcement authorities, regulators, government officials or attorneys or other parties where it is reasonably necessary for the establishment, exercise, or defense of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process.
• with companies or government agencies providing services for money laundering and terrorist financing checks and other fraud and crime prevention purposes and companies providing similar services, including financial institutions and regulatory bodies with whom such Personal Data is shared.
• with service providers who we engage within or outside of REWARDKART, domestically, for example, shared service centers, to process Personal Data for any of the purposes listed above on our behalf and in accordance with our instructions only.
• In case we sell or buy any business or assets, in which case we may disclose Personal Data to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations.

K. DISCLOSURE WHILE COLLECTING PERSONAL DATA

• When collecting and processing Personal Data, we will provide a full and fair information notice or privacy statement to the individual about the purposes for which the Personal Data will be used, who is responsible for the processing of Personal Data, who the likely recipients are, what are the rights of the individual sharing the data with us and how to exercise them, etc.
• We do not collect data related to sexual orientation, health information, biometrics, or other sensitive data.
• We collect Sensitive Personal Data only when required by applicable law, after seeking prior consent from the individual. Example: Before collecting Adhaar Card or PAN details and verifying it for KYC purposes.
• Personal Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

L. OTHER COMPLIANCES

As part of the Payment Card Industry Data Security Standard (PCI DSS) and Payments & Settlements Act of 2007 compliance wherever we collect the data of clients and end customers using Payment cards including debit cards, credit cards & prepaid cards we ensure that our Payment Gateway ATOM managed by NTT DATA has incorporated adequate customers data protection by securely processing, storing, and transmitting the card data through tokenization.

M. OUR COMMITMENT TO ACTIONS

To exercise data protection REWARDKART is committed to:

• Restrict and monitor access to sensitive data.
• Develop transparent data collection procedures.
• Train employees in online privacy and security measures.
• Build secure networks to protect online data from hackers and cyberattacks.
• Establish clear procedures for reporting privacy breaches or data misuse.
• Include contract clauses or communicate statements on how we handle data.
• Establish data protection practices such as document shredding, secure locks, data encryption, frequent backups, authorization to access information, etc.

Our data protection provisions will appear on our website.

N. CONSEQUENCES UPON BREACH OR FAILURE TO COMPLY

All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary action against the erring Employee or the Party including termination of contract and possibly legal action including indemnification.