Privacy Policy for SUSAN CRM Application
Introduction
This Privacy Policy governs the collection, use, storage, and disclosure of personal information by SUSAN, a Customer Relationship Management (CRM) application designed for Institutional Equity Brokers and Investment Bankers. SUSAN is committed to protecting the privacy and security of your personal information in compliance with applicable data protection laws in India, including the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and the Digital Personal Data Protection Act, 2023 (DPDP Act). This policy outlines how we handle personal information collected through the SUSAN application and related services.
By using SUSAN, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the application.
Scope
This Privacy Policy applies to all users of the SUSAN application, including Institutional Equity Brokers, Investment Bankers, and their authorized representatives, as well as any personal information collected from clients, prospects, or other individuals entered into the SUSAN platform by its users. This policy covers data processed through the application, website, and any related services provided by SUSAN, under the legal jurisdiction of India.
Definitions
- Personal Information: Any information relating to an identified or identifiable individual, including but not limited to name, contact details, financial information, and professional affiliations, as defined under the DPDP Act and SPDI Rules.
- Sensitive Personal Data or Information (SPDI): Information such as financial data, biometric data, or other categories defined under the SPDI Rules.
- User: Institutional Equity Brokers, Investment Bankers, or their authorized representatives who access or use the SUSAN application.
- Client Data: Personal information about clients, prospects, or other individuals entered into SUSAN by users.
- Data Fiduciary: The entity that determines the purpose and means of processing personal data, as defined under the DPDP Act. For Client Data, the user (e.g., the broker or banker) is the Data Fiduciary, while SUSAN acts as the Data Processor.
- Data Processor: The entity that processes personal data on behalf of the Data Fiduciary.
Information We Collect
Personal Information Provided by Users
- Account Information: When you register your account with SUSAN, we collect your name, email address, job title, employer, contact number, and Aadhaar number (if required for identity verification, with explicit consent).
- Client Data: Users may input personal information about clients or prospects, including names, email addresses, phone numbers, investment preferences, and other professional or personal data relevant to CRM activities.
Automatically Collected Information
- Usage Data: We collect information about how you interact with SUSAN, such as pages visited, features used, and time spent on the application.
- Device Information: We collect data about the devices used to access SUSAN, including IP addresses, browser types, operating systems, and device identifiers.
- Cookies and Tracking Technologies: SUSAN uses cookies and similar technologies to enhance user experience, analyze usage, and improve services. You may manage cookie preferences through your browser settings.
Information from Third Parties
- We may receive information from third-party integrations (e.g., email platforms, financial data providers) authorized by users to connect with SUSAN, subject to compliance with applicable laws.
How We Use Information
SUSAN uses collected information for the following purposes, in accordance with the DPDP Act and SPDI Rules:
- Service Delivery: To provide and maintain the SUSAN application, including CRM functionalities such as contact management, communication tracking, and deal management.
- Personalization: To tailor the application experience based on user preferences and usage patterns.
- Analytics: To analyze usage trends and improve the application’s performance and features.
- Communication: To send service-related notifications, updates, and, with your explicit consent, marketing communications.
- Compliance: To comply with legal obligations under Indian laws, such as responding to requests from regulatory authorities like the Reserve Bank of India (RBI) or the Securities and Exchange Board of India (SEBI).
- Security: To protect the security and integrity of the SUSAN application and its data.
Data Security
SUSAN implements reasonable security practices and procedures as required under Section 43A of the Information Technology Act, 2000 and the SPDI Rules, including:
- Encryption of data in transit and at rest using TLS 1.3 and AES-256.
- Regular security audits and vulnerability assessments.
- Access controls to limit data access to authorized personnel only.
- Secure authentication mechanisms, including multi-factor authentication (MFA).
- Compliance with ISO/IEC 27001 standards for information security management.
Despite these measures, no system is completely secure. In the event of a data breach, SUSAN will notify affected users and the Data Protection Authority of India within 72 hours, as required under the DPDP Act.
Data Retention
SUSAN retains personal information for as long as necessary to fulfill the purposes outlined in this policy or as required by Indian law (e.g., under the Prevention of Money Laundering Act, 2002, or SEBI regulations). Client Data is retained for the duration of the user’s account or as instructed by the user. Upon account termination, SUSAN will delete or anonymize personal information within 30 days, except where retention is required for legal compliance (e.g., 7 years for financial records under Indian tax laws).
Your Rights
Under the DPDP Act, 2023, you have the following rights regarding your personal information:
- Right to Access: Request confirmation of whether your personal data is being processed and access to such data.
- Right to Correction: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data, subject to legal obligations.
- Right to Data Portability: Request a copy of your personal data in a structured, machine-readable format.
- Right to Withdraw Consent: Withdraw consent for processing where consent is the legal basis.
- Right to Nominate: Nominate an individual to exercise your rights in the event of your death or incapacity.
To exercise these rights, contact our Data Protection Officer at info@andesoftconsulting.com. We will respond within 30 days, as required under the DPDP Act.
International Data Transfers
SUSAN may transfer personal information to servers or service providers located outside India for processing (e.g., cloud hosting). Such transfers will comply with the DPDP Act and SPDI Rules, including obtaining explicit consent where required and ensuring that recipient countries provide an adequate level of data protection or are subject to appropriate safeguards, such as Standard Contractual Clauses.
Third-Party Integrations
SUSAN may integrate with third-party services (e.g., email providers, financial platforms) at the user’s direction. These third parties have their own privacy policies, and SUSAN is not responsible for their practices. Users should review the privacy policies of any third-party services integrated with SUSAN.
Children’s Privacy
SUSAN is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided personal information, we will delete it immediately in accordance with the DPDP Act.
Changes to This Privacy Policy
SUSAN may update this Privacy Policy to reflect changes in our practices or legal requirements under Indian law. We will notify users of material changes via email or in-app notifications at least 30 days before the changes take effect. The updated policy will be posted on our website at www.susanapp.com/privacy.
Contact Us
For questions, concerns, or to exercise your data protection rights, contact our Data Protection Officer at:
- Email: info@andesoftconsulting.com
- Address: Andesoft Consulting Pvt. Ltd., 33 Film Center Building Annex, 68 Tardeo Road, Mumbai, Maharashtra 400034, India
Grievance Redressal
In compliance with the SPDI Rules and DPDP Act, SUSAN has appointed a Grievance Officer to address complaints regarding personal data handling. Contact the Grievance Officer at:
- Email: grievance@andesoftconsulting.com
- Address: Andesoft Consulting Pvt. Ltd., 33 Film Center Building Annex, 68 Tardeo Road, Mumbai, Maharashtra 400066, India
We will address grievances within 30 days, as required under Indian law. If your grievance remains unresolved, you may approach the Data Protection Authority of India or other competent authorities.
Compliance with Indian Data Protection Laws
SUSAN is committed to compliance with all applicable data protection laws in India, including:
- DPDP Act, 2023: SUSAN acts as a Data Processor for Client Data and ensures compliance with obligations under the DPDP Act, including consent management and data subject rights.
- SPDI Rules, 2011: SUSAN implements reasonable security practices and procedures for handling Sensitive Personal Data or Information.
- Information Technology Act, 2000: SUSAN complies with provisions related to data protection and cybersecurity.
If you believe SUSAN is not complying with this Privacy Policy or applicable Indian law, you may file a complaint with the Data Protection Authority of India or other competent authorities.