Privacy Policy
Last Updated: December 5, 2024
This Privacy Policy ("Policy") is published in compliance with:
- The Digital Personal Data Protection Act, 2023 (the "DPDP Act");
- Section 43A of the Information Technology Act, 2000;
- Regulation 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 (the "SPI Rules");
- Regulation 3(1) of the Information Technology (Intermediaries Guidelines) Rules, 2011.
1. Definitions
For the purpose of this Policy:
- "Company" (or "Data Fiduciary") means Lumiotech Private Limited, a company incorporated under the Companies Act, 2013 having its registered office in New Delhi, India;
- "Data Principal" means the individual to whom the personal data relates;
- "Digital Personal Data" means personal data in digital form or non-digital data digitized subsequently;
- "Personal Information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person;
- "Sensitive Personal Information" means personal information as defined under the SPI Rules;
- "Services" means the lumioCapital platform and related services;
- "User" means any person who accesses or uses the Services.
2. Information We Collect
2.1 Personal Information
We collect the following categories of Personal Information:
- Company registration details (CIN, authorized capital, paid-up capital)
- Director and authorized signatory information
- Contact details (email address, phone number, address)
- Shareholder information and records
- Financial information related to shareholding
- Authentication credentials
2.2 Automatically Collected Information
Our systems automatically collect:
- IP address and access logs
- Device and browser information
- Usage patterns and analytics
- Cookies and similar tracking technologies
3. Lawful Basis for Processing and Consent
We process your information based on:
- Explicit, Verifiable Consent: Consent is obtained through a clear, affirmative action that is free, specific, informed, and unambiguous.
- Contractual necessity to provide our Services.
- Legal obligations under Indian law.
- Legitimate business interests.
Withdrawal of Consent: As a Data Principal, you have the right to withdraw your consent at any time. The withdrawal mechanism is designed to be as easy as providing consent. You may also utilize a registered Consent Manager to manage, review, and withdraw your consent on your behalf.
4. Use of Information and Purpose Limitation
By using our Services, you explicitly consent to the collection and use of your data strictly for the specified purposes:
- Processing of share transfers and maintaining statutory records.
- Generation of reports and regulatory filings.
- Communication regarding service updates and notices.
- Compliance with legal and regulatory requirements.
- Fraud detection and security enhancement.
- Service improvement and user experience optimization.
Data Minimization: We only collect the minimal personal data necessary to achieve these purposes. If we need to process your data for a new purpose, we will seek fresh consent before doing so.
5. Data Storage, Security, and Breach Notification
We implement security measures as prescribed under:
- The Digital Personal Data Protection Act, 2023.
- ISO/IEC 27001 standards for information security.
- The Information Technology Act, 2000 and the SPI Rules.
We utilize commercially reasonable technical and organizational measures to safeguard your Digital Personal Data.
Breach Notification: In the unlikely event of a personal data breach, we will notify the Data Protection Board of India and the affected Data Principals without undue delay, as required by the DPDP Act.
6. Disclosure of Information
We may disclose your information to:
- Regulatory authorities (SEBI, ROC, etc.)
- Law enforcement agencies upon lawful request
- Professional advisors and auditors
- Service providers and business partners
- Other users as necessary for share transfers
7. Data Principal Rights
Under the DPDP Act, you (as a Data Principal) have the following rights:
- Right to Access: Obtain a summary of the personal data being processed, the processing activities, and the identities of all other Data Fiduciaries and processors with whom the data was shared.
- Right to Correction and Erasure: Request correction of inaccurate or incomplete data, and demand erasure of data that is no longer needed or for which consent has been withdrawn.
- Right to Grievance Redressal: Easily access a mechanism to register your grievances regarding your data.
- Right to Nominate: Nominate another individual to exercise your rights in the event of your death or incapacity.
- Right to Withdraw Consent: Withdraw your consent at any time, through mechanisms as accessible as the consent-gathering process.
7.1 Children's Data
Our platform is intended for B2B usage by professionals over the age of 18. We do not knowingly process personal data of children, nor do we undertake any tracking, behavioral monitoring, or targeted advertising directed at children. In the event we inadvertently process such data, verifiable parental consent is strictly required as per the DPDP Act.
8. Limitation of Liability
THE COMPANY SHALL NOT BE LIABLE FOR:
- Any unauthorized access to or alteration of your information
- Any actions or omissions of third parties
- Any direct, indirect, incidental, consequential or punitive damages arising from use of our Services
- Technical or security breaches beyond our reasonable control
9. Changes to Privacy Policy
We reserve the right to modify this Policy at any time. Changes will be effective immediately upon posting on our platform. Your continued use of the Services constitutes acceptance of such changes.
10. Grievance Officer
In accordance with the Information Technology Act, 2000 and the rules made thereunder, the contact details of the Grievance Officer are provided below:
Grievance Officer
Email: [email protected]