DPDP Act Compliance Policy

Effective from: 11th August 2023

Updated on: May 21st, 2026

  1. Introduction

    Zintlr is committed to ensuring full compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) while delivering high-quality data intelligence services to our clients. This document describes our obligations and practices as a Data Fiduciary and, where applicable, as a Data Processor under the DPDP Act.

  2. What is the DPDP Act?

    The Digital Personal Data Protection Act, 2023 is India's principal legislation governing the processing of digital personal data. It establishes rights for Data Principals (individuals whose data is processed) and obligations for Data Fiduciaries (entities that determine the purpose and means of processing). The Act is administered and enforced by the Data Protection Board of India (DPB).

  3. Zintlr's Role under the DPDP Act

    Depending on the context of data processing, Zintlr may act as:

    1. Data Fiduciary — when Zintlr independently determines the purpose and means of processing personal data (e.g., maintaining the Zintlr Business Database).

    2. Data Processor — when Zintlr processes personal data on behalf of and under the instructions of a client (Licensee) acting as a Data Fiduciary.

  4. How the DPDP Act Impacts the Sales and Marketing Industry

    The DPDP Act has significant implications for sales and marketing operations. Key considerations include:

    1. Consent: Processing of personal data requires free, specific, informed, unconditional, and unambiguous consent, preceded by a clear notice to the Data Principal.

    2. Data Principal Rights: Individuals hold enforceable rights over their personal data, including rights of access, correction, erasure, grievance redressal, and nomination.

    3. Cross-Border Transfers: Personal data may be transferred outside India only to countries and territories notified by the Central Government under §16 of the DPDP Act.

    4. Children's Data: Processing of data belonging to individuals under 18 years of age requires verifiable consent from a parent or lawful guardian.

  5. Legal Bases for Data Processing

    The DPDP Act recognises two primary bases for lawful processing:

    1. Consent (§6)

      Zintlr processes personal data on the basis of consent where:

      1. The Data Principal has been given a clear and plain-language Notice, describing the data to be collected and the purpose of processing.

      2. Consent is given through a clear affirmative action — it is not bundled, implied, or pre-ticked.

      3. Consent is specific to a defined purpose, free from coercion, and revocable at any time.

      Example: Zintlr obtains consent from individuals to process their professional contact information for the purpose of delivering marketing communications relevant to their business role.

    2. Legitimate Uses — Deemed Consent

      Where processing does not rely on explicit consent, Zintlr may process personal data under the deemed consent provisions of section 7, which include, among others:

      1. Compliance with a judgment, order, or legal obligation under Indian law.

      2. Purposes related to employment or the safeguarding of employer interests.

      3. Processing necessary to respond to a medical emergency or public health situation.

      4. Processing voluntarily provided by the Data Principal for a specific and self-evident purpose.

      Note: Zintlr does not rely on a general "legitimate interests" basis. All non-consent processing is anchored to one or more of the specific legitimate use categories under section 7 of the DPDP Act.

  6. Notice to Data Principals

    Before collecting personal data or, where data is collected from a source other than the Data Principal, before first using such data, Zintlr provides a Notice that:

    1. Describes the personal data proposed to be collected.

    2. States the purpose for which the data will be processed.

    3. Informs the Data Principal of their right to withdraw consent and the grievance redressal mechanism available to them.

    4. Is presented in clear, plain English (and other languages as may be prescribed).

    The Notice is accessible at all times.

  7. Data Principal Rights under the DPDP Act

    Under the DPDP Act, Data Principals hold the following rights, all of which Zintlr is committed to facilitating promptly and without undue burden:

    | Right | Description | DPDP Section |
    |---|---|---|
    | Right to Access Information | Obtain confirmation of processing and a summary of personal data held and its processing activities | 11 |
    | Right to Correction and Erasure | Request correction of inaccurate or misleading data, completion of incomplete data, and erasure of data no longer necessary for the stated purpose | 12 |
    | Right to Grievance Redressal | File grievances with Zintlr's designated Grievance Officer and, if unresolved, escalate to the Data Protection Board of India | 13 |
    | Right to Nominate | Nominate another individual to exercise data rights on the Data Principal's behalf in the event of death or incapacity | 14 |

    To exercise any of the above rights, Data Principals may contact Zintlr's Grievance Officer at [email protected]. Zintlr will acknowledge and respond to all requests within the timelines prescribed under the DPDP Act and applicable Rules.

  8. Children's Personal Data

    Zintlr's services are directed at business professionals and are not intended for use by individuals under the age of 18. Zintlr does not knowingly collect or process personal data of minors. Where Zintlr has reason to believe it has received data relating to a person under 18, such data will not be processed without verifiable consent from the parent or lawful guardian, and will be deleted upon discovery of the minor's age if consent cannot be obtained.

  9. Data Retention

    Personal data held by Zintlr is retained only for the period necessary to fulfil the purpose for which it was collected or as required by applicable law:

    1. Data lake (unstructured format): Retained for up to 3 years solely for the purpose of verifying, validating, and collating information to create or update a Business Contact in the Zintlr Business Database. Upon expiry of this period, or upon fulfilment of the purpose (whichever is earlier), the data is deleted.

    2. Opt-out list: Contact identifiers of individuals who have requested removal from the Zintlr Business Database are retained for as long as necessary to honour the opt-out and prevent inadvertent re-processing.

    3. Licensee data: Data processed on behalf of Licensees (clients) is retained strictly as per the terms of the applicable Data Processing Agreement and deleted upon its expiry or on the Licensee's instruction.

  10. Cross-Border Data Transfers

    Zintlr may transfer personal data outside India only to countries and territories notified by the Central Government of India as permissible destinations for data transfer under section 16 of the DPDP Act. Zintlr maintains an updated record of transfer destinations and ensures that appropriate contractual or technical safeguards are in place before any cross-border transfer occurs.

  11. Data Security Measures

    As a Data Fiduciary, Zintlr is obligated to implement reasonable security safeguards to prevent personal data breaches. Zintlr's security programme includes:

    1. Encryption of personal data in transit and at rest.

    2. Access controls and role-based permissions.

    3. Regular security assessments and vulnerability testing.

    4. Employee training on data protection obligations.

    5. Vendor due diligence for Data Processors engaged by Zintlr.

  12. Personal Data Breach Response (§8(6))

    In the event of a personal data breach, Zintlr will:

    1. Notify the Data Protection Board of India in the form and manner prescribed under the DPDP Act.

    2. Notify affected Data Principals of the nature of the breach, the data affected, and remedial steps taken.

    3. Conduct a root-cause analysis and implement corrective measures to prevent recurrence.

    Notification will be made without undue delay upon discovery of a breach.

  13. Data Processing by Licensees

    Where Zintlr acts as a Data Processor on behalf of a Licensee, personal data is processed strictly in accordance with the Licensee's instructions and the terms of the applicable Data Processing Agreement. Zintlr does not process such data for its own purposes. Zintlr ensures that any sub-processors it engages are bound by equivalent data protection obligations.

  14. Transparency

    Zintlr maintains transparency in all data processing activities. This Policy is publicly accessible and is updated whenever there is a material change in Zintlr's data processing practices or applicable legal requirements.

  15. Grievance Officer & Contact Information

    For any inquiries, rights requests, or complaints related to Zintlr's processing of your personal data under the DPDP Act, please contact:

    Grievance Officer — Data Protection, Zintlr — [email protected]

    If your grievance is not resolved to your satisfaction within the prescribed period, you may escalate it to the Data Protection Board of India in accordance with §13(2) of the DPDP Act.

  16. Conclusion

    Zintlr is fully committed to upholding the privacy and data protection rights of all Data Principals under the Digital Personal Data Protection Act, 2023. This Policy reflects our ongoing commitment to lawful, transparent, and purpose-limited processing of personal data.