Data Protection Policy

Last Updated: December 5, 2024

This Data Protection Policy outlines how Lumiotech Private Limited ("Company", "we", "us", "our") protects data processed by the lumioSentry platform.

This Data Protection Policy ("Policy") outlines how Lumiotech Private Limited ("Company") protects data in compliance with:

• Information Technology Act, 2000
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• Proposed Personal Data Protection Bill (as applicable)
• Other applicable data protection laws and regulations

1. Data Classification

1.1 Categories of Data

We classify data into the following categories:

• Personal Data: Information that can identify an individual
• Sensitive Personal Data: Passwords, financial information, etc.
• Corporate Data: Company information and business records
• Public Data: Information available in public domain

1.2 Special Categories

We handle the following special categories of data:

• Share ownership records
• Financial transactions
• Corporate governance documents
• Regulatory filings

2. Data Collection and Processing

2.1 Lawful Basis

We collect and process data based on:

• Explicit user consent
• Contractual obligations
• Legal requirements
• Legitimate business interests

2.2 Purpose Limitation

Data is collected and processed only for:

• Providing platform services
• Regulatory compliance
• Service improvement
• Security purposes

3. Data Storage and Security

3.1 Storage Location

All data is stored on servers located in India, in compliance with data localization requirements.

3.2 Security Measures

We implement the following security measures:

• End-to-end encryption
• Access control and authentication
• Regular security audits
• Intrusion detection systems
• Data backup and recovery
• Employee security training

4. Data Retention

4.1 We retain data for the following periods:

• Active account data: Throughout the service period
• Transaction records: 8 years (as per Companies Act)
• Audit logs: 5 years
• Communication records: 3 years

4.2 Extended Retention

Data may be retained longer if required by law or for legitimate business purposes.

5. Data Access and Rights

Users have the following rights regarding their data:

• Right to access
• Right to correction
• Right to data portability
• Right to erasure (subject to legal requirements)
• Right to withdraw consent

6. Data Sharing and Transfers

6.1 Internal Sharing

Data is shared internally on a need-to-know basis with:

• Authorized employees
• System administrators
• Security personnel

6.2 External Sharing

Data may be shared with:

• Regulatory authorities
• Service providers
• Legal advisors
• Auditors

7. Data Breach Protocol

In the event of a data breach:

• Immediate internal notification
• Assessment of breach impact
• User notification within 72 hours
• Regulatory reporting as required
• Implementation of remedial measures

8. Compliance and Accountability

We maintain compliance through:

• Regular audits and assessments
• Employee training programs
• Documentation of procedures
• Incident response planning
• Privacy impact assessments

9. User Responsibilities

Users are responsible for:

• Maintaining confidentiality of credentials
• Ensuring accuracy of provided data
• Reporting unauthorized access
• Complying with security policies

10. Contact Information

For any questions regarding data protection: