Data Protection Policy

Last Updated: December 5, 2024

This Data Protection Policy ("Policy") outlines how Lumiotech Private Limited ("Company") protects data in compliance with:

  • The Digital Personal Data Protection Act, 2023 (DPDP Act)
  • Information Technology Act, 2000
  • CERT-In Directions and guidelines pertaining to cyber security
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
  • Other applicable data protection laws and regulations

1. Data Classification

1.1 Categories of Data

We classify data into the following categories:

  • Digital Personal Data: Data pertaining to a Data Principal that is processed digitally.
  • Sensitive Personal Data: Passwords, financial information, biometric data, etc.
  • Corporate Data: Company information and business records.
  • Public Data: Information available in the public domain.

1.2 Special Categories

We handle the following special categories of data:

  • Share ownership records
  • Financial transactions
  • Corporate governance documents
  • Regulatory filings

2. Data Collection and Processing

2.1 Lawful Basis

We collect and process data based on:

  • Explicit user consent
  • Contractual obligations
  • Legal requirements
  • Legitimate business interests

2.2 Purpose Limitation

Data is collected and processed only for:

  • Providing platform services
  • Regulatory compliance
  • Service improvement
  • Security purposes

3. Data Storage and Security

3.1 Storage Location

All data is stored on servers located in India, in compliance with data localization requirements.

3.2 Security Measures

We implement the following security measures:

  • End-to-end encryption
  • Access control and authentication
  • Regular security audits
  • Intrusion detection systems
  • Data backup and recovery
  • Employee security training

4. Data Retention

4.1 We retain data for the following periods:

  • Active account data: Throughout the service period
  • Transaction records: 8 years (as per Companies Act)
  • Audit logs: 5 years
  • Communication records: 3 years

4.2 Data may be retained longer if required by law or for legitimate business purposes.

5. Data Access and Rights

Users have the following rights regarding their data:

  • Right to access (obtain summary of data processed)
  • Right to correction of inaccurate/incomplete data
  • Right to data portability
  • Right to erasure of data
  • Right to withdraw consent
  • Right to nominate a representative
  • Right to grievance redressal

6. Data Sharing and Transfers

6.1 Internal Sharing

Data is shared internally on a need-to-know basis with:

  • Authorized employees
  • System administrators
  • Security personnel

6.2 External Sharing

Data may be shared with:

  • Regulatory authorities
  • Service providers
  • Legal advisors
  • Auditors

7. Data Breach Protocol

In the event of a data breach:

  • Immediate internal notification and mitigation procedures.
  • Assessment of the breach scope and impact.
  • Notification to the Data Protection Board of India and affected Data Principals without undue delay.
  • Notification to CERT-In within 6 hours of discovery, where applicable.
  • Implementation of remedial measures and system hardening.

8. Contact Information

Data Protection Queries

For any questions regarding data protection:
Data Protection Officer
Email: [email protected]