Privacy Policy

This Privacy Policy sets out how the information provided by you is collected, used, stored, processed, transferred and protected. Please read the terms carefully. By accessing the Website or using any of our services, You agree to be bound by all the terms of this Privacy Policy.

1. Introduction

This Privacy Policy (hereinafter known as “Policy”) sets out how the information provided to M/S D2C Consulting Services Private Limited is collected, processed, protected, stored, transferred, and used. For the purposes of this Privacy Policy, ‘We’, ‘Us’, ‘Our’, ‘DCSPL’ and “Company” refer to M/S D2C Consulting Services Private Limited, its representatives, and affiliates. ‘You’ or ‘Your’ or ‘Yourself’ or ‘User’ shall include persons who are accessing the website / mobile application merely as visitors or undertaking any of the Services provided by DCSPL across all levels in addition to all the employees (permanent or contractual) or contractors, associates, and vendors. By accessing the website or using any of our services, you agree to be bound by all the terms of this Privacy Policy. DCSPL "Affiliate" means any Person directly, or indirectly through one or more intermediaries, that i) controls, ii) is controlled by or iii) is under common control of DCSPL. "Control," as used in the immediately preceding sentence, shall mean with respect to any person, the possession, directly or indirectly, of the power, through the exercise of voting rights, contractual rights or otherwise, to direct or control the decision-making of the management or policies of the controlled person. "Person" includes any natural person, corporation, partnership, Limited Liability Company, trust, unincorporated association, or any other entity.

2. Purpose

This Privacy Policy has been designed and developed to help you to understand the following:

  1. The type of Personal Data (including digital personal data or information and physical personal data uploaded digitally) that we collect from the Users;
  2. The purpose of collection, means and modes of usage of such Personal Data by the Company;
  3. How and to whom the Company will disclose such information;
  4. How the Company will protect the Personal Data that is collected from the Users; and
  5. How Users may access and/or modify their Personal Data.

This Policy defines requirements in line with the Digital Personal Data Protection Act, 2023 (“The DPDP Act”) to help ensure compliance with laws and regulations applicable to DCSPL’s collection, processing, storage, use, transmission, disclosure to third parties and retention of Personal Data.

Types of Personal Data collected by the Company:

While using our Services, we may collect the following categories of Personal Data from the Users:

  1. Name
  2. User ID
  3. Email address
  4. Address (including country and ZIP/postal code)
  5. Gender
  6. Age
  7. Phone Number
  8. Password chosen by the User
  9. Geographical location through the IP address of the Users
  10. Financial account information like bank account details, GST certificate, PAN Card, Credit Card details and tokenisation henceforth etc. and transactional information in relation to transactions where the Company is involved
  11. Personal information pertaining to the health of the User;
  12. Personal Data of Child (under 18 years of age) along with Guardian/parental consent
  13. Vehicle details i.e. Registration certificate, Insurance policies (current and previous), Transfer Certificate, Challans, Driving license.
  14. Any of the aforesaid information pertaining to the customer/buyer of the User; and
  15. All other Personal Data the User may share from time to time (including personally identifiable information/details)

To avail the services, the Users may also be required to upload/share certain documents (for instance, Aadhaar, PAN Card, GST certificate, etc.), on the platform and/or e-mail the same to the Company. We may also keep records of telephone calls received and made for making inquiries, orders, or other purposes necessary for the administration of services.

Automatic Data Collection

We may also receive and/or hold information about the User’s browsing history including the Uniform Resource Locator (URL) of the site that the User visited prior to visiting the platform as well as the Internet Protocol (IP) address of each User's computer (or the proxy server a User used to access the World Wide Web), User's computer operating system and type of web browser the User is using as well as the name of User's Internet Service Provider (ISP). The platform may use temporary cookies to store certain data (that is not Personal Data) that is used by us for the technical administration of the platform, research, and development, and for User administration. In addition, we may in future include other optional requests for information from the User including through User surveys to help Us customise the platform to deliver personalised information to the User and for other purposes as mentioned herein. Such information may also be collected during surveys conducted by us. Any such additional Personal Data will also be processed in accordance with this Privacy Policy.

Purposes for which the Company may use the Information:

We will retain Personal Data only to the extent it is necessary to provide one or more services. By providing your information, you consent to the collection, sharing, disclosure and usage of the information in accordance with this Privacy Policy. The information which we collect may be utilised for various business and/or regulatory purposes including but not limited to the following purposes:

  1. Registration of the User on the platform;
  2. Processing the User’s orders/requests and provision of various services;
  3. Sending timely/periodical updates to the User and its customers;
  4. Completing transactions with Users effectively and billing for the products/Services provided;
  5. Technical administration and customisation of the platform, improvement of services, features and functionality of the platform;
  6. Ensuring that the platform content is effectively presented to the Users;
  7. Delivery of personalised information and targeted as well as non-targeted advertisements by the Company to the User;
  8. Research and development and for User administration (including conducting user surveys);
  9. For marketing purposes and promotional activities;
  10. For purposes of research, analysis, business intelligence, reporting and improvement/development/advancement of the Company’s business, platform, and/or the services;
  11. Dealing with requests, enquiries, complaints or disputes and other customer care related activities including those arising out of the Users’ request of the Services and all other general administrative and business purposes;
  12. Communicate any changes in our Services or this Privacy Policy or the Terms of Use to the Users;
  13. Verification of identity of Users and to perform checks to prevent fraud;
  14. Sharing of Your Personal Data to third-party services in lieu of service / product delivery;
  15. Investigating, enforcing, resolving disputes, and applying our terms of use and Privacy Policy, either ourselves or through Third-Party service providers;
  16. To comply with applicable legal requirements and our various policies/terms; and
  17. Any other purpose that may be necessary to provide the services that you have opted for.

3. Scope

This policy is applicable to the following:

  1. Customers who provide their personal data to DCSPL.
  2. All DCSPL employees, contractors, vendors, interns, and business partners who provide/receive personal data to/from DCSPL, have access to personal data collected or processed by or on behalf of DCSPL.

This policy covers the treatment of personal data gathered and used by DCSPL for lawful purposes and covers the personal data we share with authorised Third Parties or that Third Parties share with us.

4. Objective

The main objectives of the Privacy Policy are:

  1. To ensure that all the personal data in DCSPL custody is adequately protected against threats to maintain its security.
  2. To ensure that DCSPL employees are fully aware of the contractual, statutory, or regulatory implications of any privacy breaches.
  3. To limit the use of personal data to identified business purposes for which it is collected.
  4. To create an awareness of privacy requirements to be an integral part of the day-to-day operation of every employee and ensure that all employees understand the importance of privacy practices and their responsibilities for maintaining privacy.
  5. To make all the employees and users aware of the processes that need to be followed for collection, lawful usage, disclosure/ transfer, retention, archival, and disposal of personal data.
  6. To ensure that all third parties collecting, storing, and processing personal data on behalf of DCSPL provide adequate data protection.
  7. To ensure that applicable regulations and contracts regarding the maintenance of privacy, protection and cross-border transfer of personal data are adhered to.

5. Compliance

  1. Compliance with this policy is mandatory for all DCSPL employees involved in processing DCSPL’s personal data.
  2. The Data Protection Officer will monitor and report on the level of compliance that DCSPL employees achieve with respect to this policy and the requirements set out within this document.
  3. Non-compliance with this policy will require explicit authorisation from the DCSPL Data Protection Officer.
  4. Prior approval should be obtained from the Data Protection Officer before this document is provided to any third parties.

6. Notice

As per The DPDP Act, DCSPL shall provide the notice only where consent is the basis of processing data. The Notice shall entail the purpose of processing, the manner for accessing rights and the manner of making a complaint. Privacy Notice shall be published in languages as specified in the Eighth Schedule of the Indian Constitution as per The DPDP Act.

Contents of Notice

As per The DPDP Act, notice which shall be issued by DCSPL shall have the following contents:

  1. Information regarding the nature of personal data being collected.
  2. The purpose for which it is collected.
  3. The mechanism in which consent may be withdrawn.
  4. Information regarding grievance redressal.
  5. The mechanism in which a complaint may be made to enforcement authority.

Appropriate notice shall be provided to data principals at the time personal data is collected.

Period for which personal data shall be retained as per identified business purpose or as mandated by regulations, whichever is later.

That personal data shall only be collected for the identified purposes.

Methods employed for collection of personal data, including cookies and other tracking techniques, and third-party agencies.

That an individual’s personal data shall be disclosed to Third Parties only for identified lawful purposes and with the consent of the individual, wherever possible.

Consequences of withholding or withdrawing consent to the collection, use and disclosure of personal data for identified purposes.

Data principals are responsible for providing DCSPL with accurate and complete personal data, and for contacting the entity if correction of such information is required.

Process for an individual to view and update their personal data records.

Process for an individual to register a complaint or grievance with regard to privacy practices at DCSPL.

Contact information of the person in charge of privacy practices and responsible for privacy concerns with address at DCSPL.

Process for an individual to withdraw consent for the collection, use and disclosure of their personal data for identified purposes; and

That implicit or explicit consent is required to collect, use, and disclose personal data unless a law or regulation specifically requires or allows otherwise.

Data principals shall be provided a Privacy Notice in case any new purpose is identified for using or disclosing personal data before such information is used for purposes not previously identified.

7. Legitimate Uses

Lawful purpose after obtaining the consent of the data principal or for certain legitimate uses. These legitimate cases include:

  1. Voluntarily provided personal data by data principal.
  2. Data principal has not explicitly indicated that they do not provide consent to use personal data.
  3. By the state and any of its instrumentalities for any function under any law for the time being in force in India.
  4. For matters concerning public interest, e.g., medical emergency, judicial use.
  5. For the purposes of employment or those related to safeguarding the employer from loss or liability.

8. Choice and Consent

By using our website and submitting your information, you are required to provide your explicit consent on this site for the collection and use of your personal data, as described in this Privacy Policy, including but not limited to, your explicit consent for sharing this information as per this Privacy Policy. We recommend that You do not use/access and/or continue to use/access the website/app if You do not agree to the terms and conditions of this Privacy Policy. We obtain Your consent depending on our relationship with You. Thus, the consent is obtained in the following manner:

  1. Consent of prospects/customers: Consent of the customer is taken on the proposal form/ through acceptance of the terms and conditions of our application or website.
  2. Consent of Partners: Consent of the Partner is obtained at the time of joining the company or accepting the terms and conditions of our app or website during the enrolling stage.
  3. Consent of Vendors/Suppliers: Consent of the vendor/supplier is obtained through signed written contracts along with supporting legal documents like affidavits.
  4. Consent of the Employees: Consent of an employee is obtained through the forms filled up by an employee at the time of joining through the joining documents and/ or through self-attested testimonials and other KYC documentation.

You have an option to refuse to give Your consent or withdraw Your consent in a way as specified below:

  1. Customers can choose to approach our offices for a more private and protected meeting further leading to safe completion of the transaction or choose to make transactions through the website/app.
  2. Vendors have the right to choose to terminate the contract or modify the terms of the contract as mutually agreed upon by the Company and the vendor.
  3. Partners can drop the decision to become a Partner or after becoming a Partner, request for termination can be made and NOC can be taken from us with respect to the same.
  4. Employee has the option to not join the Company or if the employee has joined the Company, they can modify the information submitted to us.
  5. In case of termination of Partners, Vendors or employment, data of the respective individual may be kept as mandated by any regulations abided by DCSPL.

The DPDP Act outlines the requirements for obtaining valid explicit consent for processing personal data.

  1. DCSPL shall seek consent, which is freely given, specific, informed, and unambiguous by a clear affirmative action. An option to access Consent in English or languages specified in the Eighth Schedule of the Indian Constitution shall be provided. A record shall be maintained of explicit consent obtained from data principals.
  2. Consent shall be obtained from data principals before their personal information is used for purposes not previously identified.
  3. DCSPL shall seek verifiable parental consent before processing any personal data related to children.

9. Consent Managers

The DPDP Act introduces the concept of "consent managers," registered with the Data Protection Board, who assist data principals in managing their consent.

The Data Principal through a Consent Manager may give, review, or withdraw their consent. DCSPL shall appoint a Consent Manager to fulfil the purpose defined above.

Consent Manager Details are provided below:

Name: Brijendra Chauhan

Email:

Address: Plot No. 94, Second Floor, Sector-32, Gurugram -122001, Haryana

10. Limiting use, Disclosure and Transfer of User’s Personal Data

Personal data shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by The DPDP Act. Personal Data retention shall be only for the duration necessary to fulfil the identified lawful purposes or as prescribed by law. We may need to disclose/transfer User’s Personal Data to certain third-party service providers in order to provide Users with the Services they have opted for. We may need to disclose / transfer User’s Personal Data to government and judicial institutions/authorities, to the extent required:

  1. Under the laws, rules, and regulations and/or under orders of any relevant judicial or quasi-judicial authority;
  2. To protect and defend the rights or property of the Company;
  3. To fight fraud and credit risk;
  4. To enforce the Company's Terms of use (of which this Privacy Policy is also a part); or
  5. When the Company, in its sole discretion, deems it necessary in order to protect its rights or the rights of others.

The Company may also make all Personal Data accessible to its employees and data processors/Third-Party vendors only on a need-to-know basis and for the purposes set out in this Privacy Policy. The Company takes adequate steps to ensure that all the employees and data processors/Third-Party vendors, who have access to, and are associated with the processing of Personal Data, respect its confidentiality and that such data processors/Third-Party vendors adopt at least such reasonable level of security practices and procedures as required under applicable law. However, the Company does not disclose information, individually labelled, or aggregated, obtained through Marketplace application programming interface on behalf of a User to other Users or any third parties, unless required by law.

Non-personally identifiable information may be disclosed to Third-Party ad servers, ad agencies, technology vendors and research firms to serve non-targeted advertisements to the Users. The Company may also share its aggregate findings (not specific information) in a non-personally identifiable form based on information relating to the User’s internet use (to the extent set out in this Privacy Policy) to prospective investors, strategic partners, sponsors, and others in order to help the growth of the Company's business. We may also disclose or transfer the Personal Data to another Third-Party as part of reorganisation or a sale of the assets or business of Company. Any Third-Party to which the Company transfers or sells its assets will have the right to continue to use.

11. Obligations of DCSPL as Data Fiduciary

  1. Provide a clear, concise, and comprehensible notice to data principals.
  2. Ensure data collected is accurate, complete, and consistent.
  3. Process personal data for which data principal has given consent or for certain legitimate uses.
  4. Report Personal Data Breaches to Data Protection Board and Data Principals within 24 hours of breach.
  5. Erase Your personal data unless retention of the same is necessary as per any other applicable regulations abided by DCSPL.
  6. Implement technical and organisational measures to ensure protection of personal data and effective adherence to The DPDP Act.

12. Data Principal rights

Data principals under the DPDP Act have the below rights:

Right to Information - Individuals have the right to seek more information on how their data is processed, available in a clear and understandable way from DCSPL.

Right to correction and erasure - Individuals have the right to correct inaccurate/ incomplete data and erase data that is no longer required for processing.

Right to grievance redressal - Individuals have the right to readily available means of registering a grievance with DCSPL.

Right to nominate - Individuals may nominate any other individual to exercise these rights in the event of death or incapacity.

To exercise any of the above rights or raise grievances, Data Principals may contact the Consent Manager at DCSPL by sending an email to the contact address provided in the policy. The policy also contains details of other designated officers such as the Data Protection Officer and Grievance Redressal Officer for further support. [Refer to Section 9]

13. Data Protection Officer

Significant data fiduciaries are required to appoint a Data Protection Officer and Data Protection Auditor (DPA) responsible for ensuring DPDP compliance.

Consent Manager Details are provided below:

Name: Brijendra Chauhan

Email:

Address: Plot No. 94, Second Floor, Sector-32, Gurugram -122001, Haryana

14. Breach Notification

In case of a personal data breach (Data breach refers to any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data), DCSPL is obligated to notify the Data Protection Board of India and affected data principals promptly.

15. Grievance Redressal

Data principals must first seek redressal with DCSPL before lodging a complaint with the Data Protection Board or courts.

Data Grievance Officer Details are provided below:

Name: Mr. Sanchit Baveja

Email:

Address: Plot No. 94, Second Floor, Sector-32, Gurugram -122001, Haryana

16. Disclosure to Third Parties

The links to third-party advertisements, Third-Party websites or any third-party electronic communication services (referred to as “Third-Party Links”) may be provided on the platforms which are operated by third parties and are not controlled by, or affiliated to, or associated with the Company, unless expressly specified on the platform. If You access any such Third-Party Links, we request You to review the concerned website’s privacy policy. We shall not be responsible for the policies or practices of such third parties.

Personal data shall be disclosed to third parties only for identified lawful purposes and after obtaining appropriate consent from the data principals unless a law or regulation allows or requires otherwise.

Where reasonably possible, DCSPL shall ensure that third parties collecting, storing, or processing personal data on behalf of DCSPL have:

  1. Signed agreements to protect personal data consistent with DCSPL Privacy Policy and information security practices or implemented measures as prescribed by law.
  2. Signed non-disclosure agreements or confidentiality agreements which include privacy clauses in the contract; and
  3. Established procedures to meet the terms of their agreement with DCSPL to protect personal data.

Personal data may be transferred across geographies from where DCSPL operates for storage or processing where any of the following apply:

  1. The individual has given consent to the transfer of information.
  2. The transfer is necessary for the performance of a contract between the individual and DCSPL, or the implementation of pre-contractual measures taken in response to the individual’s request.
  3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between DCSPL and a Third-Party.
  4. The transfer is necessary or legally required on important public interest grounds or for the establishment, exercise, or defence of legal claims.
  5. The transfer is required by law.
  6. The transfer is necessary in order to protect the vital interests of the individual.
  7. The transfer is made under a data transfer agreement.
  8. The transfer is otherwise legitimised by applicable law.

Remedial action shall be taken in response to misuse or unauthorised disclosure of personal data by a Third-Party collecting, storing, or processing personal data on behalf of DCSPL.

17. Security Practices for Privacy

For the purpose of providing the Services and for other purposes identified in this Privacy Policy, we are required to collect and host certain data and information of the Users. We are committed to protecting Your Personal Data, and to that end, the Company adopts reasonable security practices and procedures to implement technical, operational, managerial and physical security control measures in order to protect the Personal Data in its possession from loss, misuse and unauthorised access, disclosure, alteration and destruction. While we try our best to provide security that is commensurate with the industry standards, due to the inherent vulnerabilities of the internet, we cannot ensure or warrant complete security of all information that is being transmitted to Us.

The Company takes adequate steps to ensure that third parties to whom the Personal Data may be transferred adopt at least such reasonable level of security practices and procedures as required under applicable law to ensure security of Personal Data.

You hereby acknowledge that the Company is not responsible for any information sent via the internet that has been intercepted beyond Our control after having adopted reasonable security practices and procedures, and You hereby release Us from any and all claims arising out of or related to the use of intercepted information in any unauthorised manner.

18. Deletion & Retention of Records

DCSPL has a statutory duty to keep certain records for a minimum of 12 years or longer if mandated by any other applicable laws. A data fiduciary shall, unless retention is necessary for compliance with any law, erase personal data upon the data principal withdrawing his/her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier.

19. Definitions

| S. No. | Terms | Definitions |
|---|---|---|
| 1 | Data Fiduciary | Refers to any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data |
| 2 | Data Principal/ User | Refers to the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf |
| 3 | Consent Manager | Refers to a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent, and interoperable platform |
| 4 | Data Processor | Refers to any person who processes the personal data on behalf of the Data Fiduciary. |
| 5 | Personal Data or Personally Identifiable Information (PII) | It refers to any data about an individual who is identifiable by or in relation to such data |
| 6 | Personal Data Breach | It refers to any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data |
| 7 | Records of Processing Activities (ROPA) | ROPA are documents that provide a detailed overview of the personal data processing activities carried out by an organization. |
| 8 | Significant Data Fiduciary | Refers to any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government on the basis of an assessment of such relevant factors as it may determine, including: (a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order |
| 9 | Board | Refers to the Data Protection Board of India established by the Central Government |
| 10 | Child | Refers to an individual who has not completed the age of eighteen years |
| 11 | Data Protection Officer | Refers to an individual appointed by the Significant Data Fiduciary who shall (i) represent the Significant Data Fiduciary under the provisions of this Act; (ii) be based in India; (iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and (iv) be the point of contact for the grievance redressal mechanism under the provisions of this Act |
| 12 | Notification | Means a notification published in the Official Gazette and the expressions “notify” and “notified” shall be construed accordingly |
| 13 | Processing | Means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure, or destruction |
| 14 | Specified Purpose | Means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act and the rules made thereunder |
| 15 | Data Breach | Means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data |

20. Consent Withdrawal