Privacy Policy

We collect and process personal data only where it is lawful, necessary, and proportionate to the purpose for which it is obtained. The categories of data collected through the Platform, and the legal basis for such collection, are set out below:

a. Personally Identifiable Information (PII)

We collect PII that enables identification or contact of a user, including but not limited to:

• Full legal name
• Date of birth and age
• Gender identity
• Residential or correspondence address
• Government-issued identification number (e.g., Aadhaar, PAN, or other acceptable identity proofs) for authentication or regulatory compliance
• Contact details including phone number and email address
• Encrypted login credentials and authentication tokens

Legal Basis: Consent and Contractual Necessity. This data is essential for user registration, authentication, and provision of Platform functionality.

b. Sensitive Personal Data or Information (SPDI)

Given the nature of our services, we may collect the following categories of SPDI:

• Mental and emotional health disclosures including but not limited to conditions, symptoms, behavioral patterns, and historical clinical data
• Therapy session notes, clinical observations, and treatment plans recorded or shared by therapists and/or users
• Emergency contact or nominated third-party details for urgent care situations
• Information disclosed voluntarily by the user during engagement with mental health professionals

Legal Basis: Explicit, Prior, and Informed Consent. Processing of such SPDI is contingent on the user's unambiguous affirmative action indicating consent for specific, lawful purposes. Such consent is revocable at any time, subject to applicable legal restrictions.

c. Device and Technical Information

To ensure the integrity, reliability, and security of the Platform, we automatically collect certain technical data:

• Internet Protocol (IP) address
• Browser type, version, and language preferences
• Operating system and device specifications
• Log data such as time of access, session duration, activity logs, and referring URLs
• Cookies, beacons, and similar tracking technologies (explained in our Cookies Policy)

Legal Basis: Legitimate Interests and Consent. Such data helps improve system performance, conduct security audits, and enhance user experience, provided these interests are not overridden by user rights.

d. Voluntary Disclosures and Communications

Users may choose to disclose additional information via feedback forms, in-app queries, service ratings, or surveys. Such submissions may include qualitative feedback, suggestions, or reports regarding therapist interactions.

Legal Basis: Consent. Users opt in to share such information and may decline without consequence to core Platform services.

e. Data of Independent Therapists

We collect and verify professional credentials, qualifications, license documents, banking and tax information, and professional experience details of therapists registered on our Platform.

Legal Basis: Legal Obligation and Contractual Necessity. This is essential for compliance, disbursement of payments, and service quality assurance.

f. Legal Justifications for Processing

We process the above-mentioned categories of data in accordance with the following legal grounds:

• Consent: Freely given, informed, specific, and unambiguous consent of the user, especially for SPDI and optional data.
• Contractual Obligation: Where processing is required for the performance of a contract to which the data principal is a party.
• Legitimate Interests: Where the processing is necessary for our legitimate business purposes (such as fraud prevention and product development) and does not prejudice the fundamental rights and freedoms of users.
• Legal or Regulatory Requirement: Where data processing is mandated under applicable laws, including health, taxation, cybercrime, and dispute resolution regulations.
• Vital Interests: In extraordinary circumstances, data may be processed to protect the life or physical integrity of a data principal or another person.

The Company processes personal data solely for legitimate, lawful, and pre-defined purposes, ensuring adherence to the principles of necessity, proportionality, fairness, transparency, and accountability. All data processing operations are carried out in accordance with applicable statutory requirements, and data shall not be processed in a manner incompatible with the original purpose for which it was collected.

a. Provision and Delivery of Core Services

• To establish, manage, and maintain user accounts on the Platform
• To facilitate booking, rescheduling, and cancellation of therapy sessions
• To enable secure, end-to-end encrypted communication between users and mental health professionals
• To store and manage user-submitted health data, therapy history, and personal preferences
• To provide access to mental health resources and recommendations based on user interaction

All processing activities are subject to strict internal access controls, encrypted storage, and are periodically reviewed for compliance with necessity and proportionality principles.

b. Personalisation and Enhanced User Experience

• To analyse user behaviour and preferences in order to suggest relevant therapists or services
• To customise Platform interfaces, layouts, and content according to user needs and previous activity
• To retain user preferences and improve Platform usability during repeat visits

Users shall be informed when personalization features are enabled, and shall be provided a mechanism to disable such features.

c. Ensuring Platform Security and Integrity

• To detect, investigate, and prevent fraudulent or unauthorised access and activities
• To verify user identities and protect against impersonation and misuse
• To implement and monitor technical safeguards, including encryption, intrusion detection systems, and secure data transfer protocols

Regular security audits and penetration testing shall be conducted. Breach detection systems shall log and alert anomalous access patterns.

d. Legal and Regulatory Compliance

• To comply with mandatory legal requirements under applicable health, tax, consumer protection, and information technology laws
• To comply with judicial, quasi-judicial, administrative, or regulatory directives or orders
• To preserve and furnish data when required under law, including to law enforcement authorities and courts of law

Legal obligations include mandatory reporting under mental health laws, taxation norms, and consumer grievance redressal frameworks.

e. Transactional Purposes and Financial Administration

• To process payments for services rendered via third-party payment gateways adhering to PCI-DSS compliance
• To calculate, process, and disburse fees payable to therapists engaged through the Platform
• To retain financial records and supporting documentation in accordance with accounting, audit, and taxation laws

All financial information shall be processed through PCI-DSS compliant channels only, and shall not be stored beyond regulatory retention timelines.

f. Platform Evaluation and Development

• To conduct internal audits, reviews, and performance evaluations
• To anonymise and aggregate data for research and statistical analysis aimed at improving clinical outcomes and user satisfaction
• To develop, pilot, and roll out new services or functionalities based on observed user behaviour and system usage

g. Emergency Response and Protection of Vital Interests

• To assess indications of mental health crisis or immediate risk to life or health, and initiate appropriate emergency protocols
• To notify nominated emergency contacts or relevant public authorities when such action is deemed necessary to protect the life or physical integrity of any person, in accordance with legal and ethical obligations

All emergency contact details shall be subject to encryption and role-based access controls.

h. Direct Marketing and Informational Outreach (Based on Prior Consent)

• To send users newsletters, product updates, well-being tips, service offerings, and other informational content
• To contact users about Platform features, events, or promotions, provided they have explicitly opted in
• To ensure all such communications provide simple, accessible mechanisms to opt out or manage preferences

Users shall be provided with opt-in consent boxes and an easily accessible dashboard to modify or revoke their communication preferences at any time.

Security Note: All processing operations are subject to strict role-based access controls, encryption protocols, audit trails, and logging mechanisms to prevent misuse or unauthorised access. Data shall only be accessed by personnel or authorised processors who require it for fulfilling their assigned lawful function.

The Company shall retain personal data in a structured, secure, and auditable manner strictly for the duration necessary to fulfil the explicit and lawful purposes for which it was collected, including the discharge of contractual obligations, compliance with legal mandates, and protection of vital interests. Retention shall always be limited to the shortest period required unless a longer retention period is mandated by applicable law or is necessary for the establishment, exercise, or defence of legal claims.

Data retention shall be periodically reviewed, and obsolete data shall be permanently deleted through cryptographic erasure and secure wiping methods. A public data retention schedule will be made available upon request.

In compliance with the DPDP Act and best practices under global data protection frameworks, retention periods are categorised as follows:

a. User Account and Profile Data

Personal information used for identification, authentication, and personalisation (such as name, contact details, preferences, and user-generated data) shall be retained for the duration of the user's active relationship with the Platform and for a period of five (5) years following termination or last activity, whichever is later, unless a longer period is required by law.

b. Health and Therapy-Related Data

Sensitive personal data, including mental health assessments, therapy notes, diagnosis information, and communication with therapists, shall be retained for eight (8) years from the last user interaction or termination of services. Where applicable, data shall be retained longer if mandated by healthcare regulations. Such data shall be subject to enhanced access restrictions and encryption.

c. Transactional and Financial Data

Records of payments, disbursements, invoices, tax documentation, and other financial instruments shall be retained for eight (8) years from the date of the relevant transaction, in compliance with applicable financial and taxation laws, including audit and anti-money laundering obligations.

d. Communication Logs and Customer Support Records

All communications between users and therapists or support representatives, including written correspondence, audio interactions, or other support tickets, shall be retained for a period of three (3) years from the date of closure of the relevant issue or service instance.

e. Consent Records

Records of user consent, including timestamps and context of opt-in/opt-out actions, shall be retained throughout the period of applicable processing activities and for at least five (5) years thereafter for evidentiary, compliance, and audit purposes.

f. Emergency and Crisis Protocol Records

All data arising from critical mental health incidents, alerts, or interventions involving user safety or the engagement of emergency contacts or authorities shall be retained for a period of ten (10) years, or longer where required under public safety, medical, or judicial obligations.

g. Retention Upon Account Deletion or Termination

In the event a user initiates account deletion or terminates use of the Platform:

• Personal data shall be securely deleted, anonymised, or placed in restricted archival storage for the applicable retention period.
• Anonymisation, where applied, shall be irreversible and comply with globally recognised standards to ensure complete non-identifiability.
• The Company shall not retain any personal data beyond what is legally necessary or for purposes of legal defence, regulatory compliance, or fraud prevention.

h. Review and Disposal

The Company shall institute automated and manual review processes to periodically verify the necessity of data retention. Data that has surpassed its retention period shall be permanently deleted using verifiable secure destruction methods, including cryptographic erasure, secure wiping, and certified destruction of physical media, in accordance with ISO/IEC 27001 and other applicable standards.

The Company is committed to ensuring that personal data, particularly sensitive personal data, is not shared, disclosed, transferred, or otherwise made accessible to any third party except in strict compliance with applicable legal mandates, contractual safeguards, and user consent. Data sharing practices are governed by the principles of data minimisation, purpose limitation, accountability, and transparency.

a. Authorised Third Parties

Personal data may be disclosed to trusted and contractually bound third-party service providers strictly for the purpose of enabling or enhancing the delivery of our services. Such third parties may include:

• Licensed therapists or mental health professionals engaged through the Platform
• Cloud storage and hosting partners ensuring secure infrastructure management
• Payment gateway providers facilitating financial transactions
• Customer support and communication tools (e.g., help desk services)
• Legal, tax, audit, or other professional advisors

Third parties are subject to pre-contractual privacy due diligence, including verification of their compliance with ISO 27001 or equivalent.

Each third party shall be bound by a legally enforceable data processing agreement requiring adherence to confidentiality, security, and data protection obligations in accordance with the DPDP Act and other applicable laws.

b. Cross-Border Data Transfers

Where personal data is transferred to jurisdictions outside India, such transfers shall be conducted only:

• In compliance with applicable restrictions and standards under the DPDP Act
• Subject to adequacy decisions or contractual safeguards that ensure an equivalent level of data protection
• With explicit, informed consent of the user, where required

We shall implement appropriate technical and organisational safeguards, including encryption, pseudonymisation, and data access controls.

Cross-border transfers shall only be made to jurisdictions approved by the Government of India and shall include Standard Contractual Clauses (SCCs).

c. Government and Legal Disclosures

We may disclose personal data to governmental authorities, law enforcement agencies, regulators, or courts of competent jurisdiction:

• Where such disclosure is required under applicable law or judicial order
• For the purpose of preventing, detecting, investigating, or prosecuting criminal offences or breaches of law
• In connection with legal claims, enforcement of terms, or protection of the rights, property, or safety of the Company, its users, or the public

All such disclosures shall be documented and available for audit by the Data Protection Board and shall be subject to principles of necessity, proportionality, and due process.

d. Aggregated or Anonymised Data

The Company may generate and share anonymised, aggregated statistical data that does not identify any individual for the purposes of research, academic collaboration, policy formulation, or public health analysis. Such data shall be irreversibly anonymised in compliance with applicable standards.

e. Prohibition on Unauthorised Commercial Use

Under no circumstances shall the Company sell, lease, trade, or otherwise monetise user personal data for unauthorised advertising, profiling, or commercial exploitation.

f. Due Diligence and Oversight

All third parties receiving personal data shall be subject to robust vetting procedures, including security audits, risk assessments, and ongoing monitoring. The Company shall maintain a register of all data disclosures and sharing arrangements, accessible to data protection authorities upon request.

Users shall be notified of material changes to third-party sharing practices and shall have the right to withdraw consent where such consent forms the legal basis for such disclosures.

We recognize and uphold the right of every individual to exercise full control over their personal data. In accordance with the Digital Personal Data Protection Act, 2023 and international best practices, the following rights are guaranteed to users (Data Principals), which the Company shall honor with due diligence, legal compliance, and procedural fairness:

a. Right to Access

Every user shall have the unequivocal right to obtain confirmation as to whether personal data concerning them is being processed. Where such processing exists, the user shall have the right to access the following information:

• The nature, category, and purpose of personal data being processed
• The lawful basis for such processing
• The recipients or categories of recipients to whom the personal data has been disclosed
• The period for which the data is intended to be retained
• The source of the data, if not collected directly from the user

Such access shall be facilitated in a concise, intelligible, and machine-readable format.

b. Right to Correction and Erasure

Users shall have the right to request the rectification of any personal data that is inaccurate, misleading, incomplete, or outdated. Additionally, users may request erasure of personal data where:

• The data is no longer necessary for the purposes for which it was collected
• The user withdraws consent upon which the processing was based and there exists no other legal basis for continued processing
• The user objects to the processing and there are no overriding legitimate grounds for such processing
• The data has been unlawfully processed
• Erasure is required to comply with a legal obligation

The Company shall process such requests within fifteen (15) business days, unless legal or regulatory retention requirements necessitate otherwise. Refusals to erase data shall be justified in writing with an explanation of legal grounds.

c. Right to Withdraw Consent

Users may, at any time and without assigning any reason, withdraw their consent for the processing of personal data, in whole or in part. Upon withdrawal of consent:

• The Company shall immediately cease all processing activities reliant solely on such consent, except where such processing is otherwise permitted by law
• Services dependent on the withdrawn data may be suspended or terminated, with prior written notice to the user
• Withdrawal shall not affect the lawfulness of processing prior to such withdrawal

Consent may be withdrawn through:

• The Platform’s user dashboard or account settings
• Submission of a formal request to the designated Grievance Officer via email or post

d. Right to Data Portability

Users have the right to receive their personal data in a structured, commonly used, and machine-readable format, and, where technically feasible, to have such data transmitted directly to another service provider, provided such processing is based on consent or a contract.

e. Right to Restriction of Processing and to Object

Users may:

• Object to the processing of personal data for purposes such as direct marketing or profiling related to such marketing
• Request that the Company restrict processing where:
• The user contests the accuracy of the data
• The processing is unlawful, and the user opposes deletion
• The Company no longer needs the data, but it is required by the user for the establishment, exercise, or defence of legal claims
• The user has objected to processing and the Company is verifying whether legitimate grounds override those of the user

f. Procedural Framework for Exercising Rights

To exercise any of the aforementioned rights, users shall:

• Use the privacy management tools made available on the Platform
• Submit a written request to the designated Grievance Officer at [Insert Email] or the postal address listed on our Platform

All such requests shall be acknowledged within seven (7) business days and resolved within fifteen (15) business days, barring legally justifiable exceptions. The Company reserves the right to verify the identity of the requester to prevent fraudulent or unauthorized access.

Where a request is denied, the user shall be provided with a written explanation and informed of their right to appeal to the Data Protection Board of India. The Company shall maintain a secure and auditable log of all such requests and actions taken pursuant to them, available for inspection by relevant authorities upon lawful demand.

No user shall be discriminated against or denied services solely for exercising any of their statutory or contractual rights under this Policy. Requests for access, correction, erasure, and consent withdrawal may also be submitted via our user dashboard, available within account settings. We maintain logs of all such requests and actions taken, which are available for user inspection.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our Platform to enhance user experience, provide personalized content, analyze site usage, and improve our services. By using our Platform, users consent to the use of such technologies in accordance with this Policy.

a. Types of Cookies Used

• Strictly Necessary Cookies: Required for the legitimate and secure operation of the Platform, including enabling authentication, fraud prevention, and ensuring network and information security.
• Performance Cookies: Collect anonymized information to help us measure and improve the performance and functionality of the Platform. This includes tracking page load times, error messages, and usage analytics.
• Functionality Cookies: Enable the Platform to remember user choices, such as language, region, and user credentials, to provide a customized experience.
• Targeting/Advertising Cookies: Employed, where permitted, to deliver advertisements that are more relevant to the user’s interests. These cookies may be deployed by authorized third parties and include mechanisms for user profiling and interest-based advertising.

b. Legal Basis for Use

• Consent: For non-essential cookies, such as targeting and analytics, we obtain explicit consent from users prior to deployment.
• Legitimate Interests: For essential and strictly necessary cookies, processing is justified by our legitimate interest in ensuring the safe and effective operation of the Platform.
• Legal Obligation: Where the deployment of certain cookies is necessary to comply with legal or regulatory obligations.

c. User Control and Cookie Management

Users are provided with clear, granular choices at the point of first access to the Platform via a cookie consent banner, and may update or withdraw consent at any time via the Platform’s cookie settings panel. Additionally, users may configure their browsers to:

• Block all cookies
• Block third-party cookies
• Notify before a cookie is stored
• Delete existing cookies

Please be advised that restricting or disabling certain cookies may impair core functionalities of the Platform and limit the user experience.

d. Third-Party Cookies

Our Platform may incorporate services provided by third-party vendors who may set their own cookies and tracking technologies, such as:

• Analytics providers (e.g., Google Analytics)
• Advertising networks
• Social media integrations

We do not exercise control over these third-party cookies and disclaim all responsibility for the data processing practices of such third parties. Users are encouraged to review the individual privacy and cookie policies of each respective third-party provider.

e. Retention Period of Cookie Data

Cookie data shall be retained for no longer than necessary to fulfill the purposes outlined herein. The specific duration may vary by type of cookie and its function, and will be disclosed in the Platform’s Cookie Consent Tool. Upon expiry of the retention period, cookie data will be securely deleted or anonymized.

f. Withdrawal of Consent

Users retain the absolute right to withdraw consent granted for any non-essential cookies at any time. Such withdrawal can be effected by adjusting cookie preferences through the Platform’s cookie settings interface. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

For all cookie-related concerns or to exercise any related rights under applicable data protection laws, users may contact the designated Grievance Officer at the contact details listed below.

Grievance Redressal and Data Breach Protocols

If you believe your data has been mishandled or your rights violated:

Grievance Officer:
Name: Anil Arora
Email: support@samyaonline.com
Response Time: Within 7 working days

In case of a data breach, affected users will be notified promptly, and required regulatory authorities will be informed in accordance with applicable law. We have a detailed incident response plan to investigate, mitigate, and remediate breaches.

We recognize the particular importance of protecting the privacy of children and minors. The Platform is not intended for use by individuals under the age of 18 years. We do not knowingly collect, process, or solicit personal data from individuals under 18 without verified parental or guardian consent, as required under the DPDP Act, 2023 and relevant international data protection laws.

a. Age Verification and Consent Mechanism

Access to the Platform requires users to affirm that they are 18 years of age or older. Where a user is identified or suspected to be under 18, we shall take reasonable steps to:

• Prevent further access to the Platform
• Promptly delete any data collected from such user, unless parental consent has been duly verified
• Notify the user and, if feasible, the parent or guardian regarding the data removal action

b. Parental Consent Requirements

In cases where a minor seeks to access mental health services through the Platform, processing of the child’s personal data shall be conditional upon the verifiable consent of the parent or legal guardian, obtained through mechanisms compliant with regulatory standards (e.g., digital signature, government-issued ID verification).

c. Nature of Data Collected from Children (with Consent)

Where consent is validly obtained from a parent or guardian, data collected from children may include:

• Identifying and contact information
• Health and wellness information disclosed during sessions
• Device and usage data for technical support

Such data shall be processed exclusively for the provision of mental health services, and never for profiling, marketing, or any form of automated decision-making.

d. Data Minimization and Special Safeguards

Data pertaining to children shall be:

• Collected only when necessary for providing services requested by the parent or guardian
• Subject to enhanced protection, encryption, and strict access control protocols
• Regularly reviewed and purged in accordance with our data retention policy

e. Right to Review and Delete Child Data

Parents or legal guardians shall retain the right to:

• Access and review the personal data of their ward
• Revoke previously given consent at any time
• Request deletion or correction of the data
• Lodge a complaint with the Data Protection Board or relevant supervisory authority

Such requests may be directed to our Grievance Officer at [Insert Email Address]. We shall respond to such requests in a timely manner and in accordance with applicable law.

f. Enforcement and Compliance

We maintain robust technical and organizational measures to ensure compliance with children’s privacy requirements. Any breach or unauthorized access involving a child’s data will be handled in accordance with our data breach response protocols and duly reported to the Data Protection Board and affected guardians as required by law.

We recognize the global nature of digital services and acknowledge the necessity, in some instances, to transfer personal data across national borders. Such international data transfers shall be executed strictly in accordance with the provisions of the Digital Personal Data Protection Act, 2023, and applicable international data protection standards, and shall only occur where adequate safeguards are in place to ensure continued protection of personal data.

a. Permissible Grounds for Cross-Border Transfers

Cross-border transfers of personal data shall occur only under the following legal bases:

• Adequacy Decisions: The Central Government has by notification approved the recipient country or territory as ensuring an adequate level of data protection.
• Explicit Consent: The Data Principal has been informed in a clear, specific, and unambiguous manner regarding the transfer and has provided explicit, affirmative consent.
• Performance of Contract: The transfer is necessary for the performance of a contract to which the Data Principal is a party or to undertake pre-contractual steps at the request of the Data Principal.
• Legal or Regulatory Obligation: The transfer is required for compliance with applicable laws or orders of competent legal authorities.

b. Mandatory Safeguards

All cross-border data transfers shall be subject to enforceable and legally binding safeguards, including:

• Standard Contractual Clauses (SCCs): Incorporating model clauses approved by relevant authorities to bind the overseas recipient to uphold equivalent privacy standards.
• Binding Corporate Rules (BCRs): For intra-group transfers, BCRs approved by competent authorities that ensure uniform application of data protection principles.
• Technical Safeguards: Use of robust encryption, secure channels of transmission, pseudonymization, and other industry-standard security protocols.
• Organizational Safeguards: Imposition of access limitations, employee confidentiality obligations, and mandatory privacy training for overseas personnel.

c. Jurisdictional Due Diligence

Prior to any data transfer, the Company shall conduct a thorough legal and operational assessment of the recipient country’s data protection regime to ensure compliance with the DPDP Act, including the presence of:

• Independent data protection authorities
• Effective legal remedies and enforcement mechanisms
• Protections against unlawful surveillance or misuse

d. Transparency and Consent Protocols

Users shall be provided with:

• Specific notice identifying the nature and purpose of the proposed transfer
• The identity and location of the data recipient
• A mechanism to either affirm or decline such transfer where consent is the legal basis

The Company shall document and retain proof of such consent in a verifiable format.

e. Third-Party and Sub-Processor Obligations

All third parties and sub-processors who receive personal data across borders shall be contractually obligated to:

• Use the data solely for specified, lawful purposes
• Implement equivalent data protection, confidentiality, and security measures
• Submit to audit rights and provide assurances of compliance

Breach of these contractual obligations shall trigger immediate remedial action, including suspension of transfers and potential contract termination.

f. Accountability and Redress Mechanisms

The Company remains fully accountable for any international transfer of personal data and the acts or omissions of the foreign recipient. We shall:

• Maintain detailed logs of all such transfers
• Conduct periodic audits and impact assessments
• Offer accessible grievance redress mechanisms through our Grievance Officer
• Provide Data Principals with timely notification and remedial measures in the event of a breach or misuse arising from a transfer

g. Regulatory Cooperation and Reporting

The Company undertakes to cooperate fully with the Data Protection Board of India, respond to inquiries concerning international data transfers, and promptly report any unauthorized transfer or breach involving foreign jurisdictions.

We may use automated processing technologies, including Artificial Intelligence (AI), to enhance the quality, accuracy, and efficiency of services offered through our Platform. Such processing may involve data-driven recommendations, analytics, triage of mental health needs, and matching users to therapists or resources.

a. Scope and Nature of Automated Processing

Automated systems may process personal data to:

• Match users with therapists based on their profile and preferences
• Analyze anonymized usage patterns to improve user experience and platform reliability
• Provide preliminary mental wellness assessments or resource suggestions (not constituting clinical diagnosis)
• Detect anomalies or risks in accordance with safety protocols

b. Legal Basis for Automated Processing

All automated processing activities are conducted on lawful bases, including:

• The Data Principal's explicit consent
• Fulfilment of contractual obligations for service delivery
• Pursuit of legitimate interests, provided such interests do not override the fundamental rights of the Data Principal

c. Human Oversight and Transparency

We do not make decisions that produce legal or similarly significant effects on users solely on the basis of automated processing. Any decision impacting a user's rights, freedoms, or access to services shall be subject to meaningful human intervention. Data Principals shall be informed when automated tools are in use and shall retain the right to:

• Request human review of any decision
• Obtain an explanation of the logic involved
• Object to such processing, where permissible

d. Safeguards and Risk Mitigation

To ensure fairness, transparency, and non-discrimination, we implement:

• Periodic audits and validation of AI models
• Algorithmic impact assessments
• Training data reviews to avoid bias
• Logging of AI outputs for accountability

All automated processing systems adhere to principles of purpose limitation, data minimization, and accuracy.

e. Restrictions on Profiling

We do not engage in profiling that leads to discriminatory outcomes or is used for behavioral advertising, nor do we permit profiling of minors or other vulnerable categories of users without express consent and oversight.

The Company maintains and regularly updates a comprehensive and verifiable Record of Processing Activities (RoPA) in compliance with Section 10 of the Digital Personal Data Protection Act, 2023 and Article 30 of the GDPR (where applicable), as part of our accountability and governance obligations.

a. Scope and Content of Records

Our RoPA includes, but is not limited to, the following details:

• The categories of personal data and sensitive personal data processed
• The categories of Data Principals whose data is processed
• The purposes for which each category of data is processed
• The legal basis relied upon for each processing activity
• The categories of third parties or recipients to whom personal data has been disclosed or may be disclosed
• The details of cross-border data transfers, including recipient countries and safeguards implemented
• The applicable data retention periods for each data category
• The description of security and organizational measures implemented to safeguard the data
• The name and contact details of the Data Protection Officer (if appointed)
• Records of consent obtained, modifications to consent, and withdrawal of consent
• Records of data protection impact assessments conducted, where required

b. Maintenance and Access

The RoPA shall be:

• Maintained in written and electronic form
• Reviewed and updated periodically or upon significant changes in processing activities
• Accessible to regulatory authorities, including the Data Protection Board of India, upon lawful request
• Subject to internal audit and verification as part of our compliance framework

c. Responsibility and Oversight

The designated Data Protection Officer (or appointed compliance personnel) shall:

• Ensure the accuracy and completeness of the RoPA
• Monitor changes in processing operations to trigger necessary updates
• Coordinate with relevant internal departments to ensure data minimization and lawful processing

Failure to maintain accurate records or refusal to provide access to regulators shall constitute a breach of this Policy and may lead to appropriate remedial and disciplinary measures.

Updates to This Privacy Policy

We may update this Privacy Policy from time to time. Users will be notified via email or app notifications about material changes. Continued use of the Platform indicates your acceptance of the updated policy.