1. DATA PRIVACY STATEMENT

As per the requirements of the Information Technology Act, 2000 (“IT Act”), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”)as amended from time to time, this data privacy policy (“Policy”) outlines the manner in which “Personal Information” or “Sensitive Personal Information” will be handled or dealt with by FrenusTech Private Limited (“Company”).

2. DEFINITIONS

• “Personal Information” also referred to as “Pl”, for the purposes of this Policy, refers to any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
• “Sensitive Personal data or information of a person” hereinafter referred to as “Sensitive Personal Information” or “SPDI”, for the purposes of this Policy refers to such personal information about a natural person, which consists of but is not limited to information relating to:
• Password;
• Financial information such as bank account or credit card or debit card or other payment instrument details;
• Physical, physiological and mental health condition;
• Sexual orientation;
• Medical records and history;
• Biometric information;
• Any detail relating to the above clauses as provided to the Companyto enable the Company to provide products and/or services; and
• Any of the information received under any of the above clauses:(a) by the Company for processing;and/ or (b) stored or processed under a lawful contract or otherwise.

Provided that any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as Sensitive Personal Information for the purposes of this Policy.

• “Information Provider” for the purpose of this Policy, refers to a natural person or individual who provides PI or SPDI directly under a lawful contract to the Company.

3. PURPOSE OF DATA COLLECTION OR PROCESSING OR USE

• The Company realizes the importance of PI including SPDI provided to it by Information Providersand the trust they place with respect to maintaining the security of such With respect to PI including Sensitive Personal Information, the Company shall take reasonable steps to keep such information confidential and may share it with third parties in accordance with this Policy on a need to know basis under appropriate arrangements.
• Notwithstanding anything contained in this Policy or any other document, the Information Provider agrees and confirms that the Company may disclose and transfer PI (including Sensitive Personal Information)which was collected from the Information Provider, to any of its affiliates, agents or a third party:(i) in connection with the products and/or services the Information Provider may have sought; or (ii) pertaining to the Information Provider’s employment with the Company; or (iii) to ensure the Company’s compliance with a legal or contractual obligation.
• The Company(or any person on its behalf) will:
• Ordinarily collect PI and/or Sensitive Personal Information that it believes is necessary:(a) for a lawful purpose connected with a function or activity necessary to deliver, promote or market the Company’sservices/products;(b) to carry out primary its business functions and/or activities;(c) to comply with applicable regulations; or (d) in the capacity as an employer or a counterparty to agreements with individuals/customers.
• Generally, collect only such information about the Information Provider,which is voluntarily provided, or the Information Provider has consented to provide the information or where it is required by law.
• Only collect such information by lawful and fair means and not in an unreasonably intrusive way.
• Collect such information from the Information Provideronly when the Information Provider has applied for a service/product. Any such information collected will be kept confidential.
• Apart from the necessity to collect the Information Provider’s information in order to provide a service (or products) or maintain a business or employment relationship with the Information Provider, the purposes for which the Company would generally collect and use your Sensitive Personal Information will include but are not limited to:
• complying with legislative and regulatory requirements;
• performing administrative functions; and
• offering products and services that may interest the Information Provider.
• The PI and/or SPDI of the Information Provider may be collected and/or retained either directly by the Company or by any person on its behalf. The Company will be able to share the names and addresses of entities that may collect and/or retain PI and SPDI, upon receiving a valid and written request in this regard. The Company(or any person on its behalf) will not retain the information collected for longer than is required for the purposes for which such information may be lawfully used or is otherwise required under any law for the time being in force. The PI and SPDI collected shall only be used for the purpose for which it has been collected and for no other purpose.
• The Company (or any person on its behalf collecting PI or SPDI)will seek the Information Provider’s consent (regarding the purpose for which the information will be used) in writing, in the form of a letter, email, or faxbefore collection of such information. The Information Provider shall be given the option to not provide or refuse to provide the PI or SPDI sought by the Company. The Information Provider also has the option to withdraw the consent given earlier by intimation to the Company in writing. However, if the Information Provider opts out, the Company will not be able to provide the related product and/or service to the Information Provider.
• The Company (or any person on its behalf) will upon request of the Information Provider allow the Information Provider to review the information provided and ensure that any PI or SPDIthat is inaccurate or deficient will be corrected or amended as feasible. The Company (or any other person acting on its behalf) will not be responsible for the authenticity of the information supplied by the Information Provider.

4. DESCRIPTION OF THE GROUPS OF PERSONS CONCERNED AND THE DATA OR CATEGORIES RELATING TO SUCH PERSONS

The Company (or any other person on its behalf) will collect PI, SPDI, customer data and employee data insofar as such are necessary for the fulfillment of the purposes mentioned under Paragraph 3 above.

5. RECIPIENTS OR CATEGORIES OF RECIPIENTS TO WHOM THE DATA MAY BE DISCLOSED

• • The Company (or any other person on its behalf) will not use or disclose SPDI collected about the Information Provider to a third party otherwise than for the purposes set out in this Policy unless the disclosure is necessary for compliance of a legal obligation or where it is agreed to in the contract with the Information Provider or as consented by the Information Provider. The Company (or any other person on its behalf) will also not publish the SPDI unless the same is required for compliance of a legal obligation or as consented by the Information Provider.
• Provided that such information shall be shared without the Information Provider’s consent, with government agencies as mandated under law for the purpose of verification of identity or for prevention, detection, investigation including cyber incidents, prosecution and punishment of offences.
• Notwithstanding anything contained in this Policy, any SPDI shall be disclosed to any third party if required by an order under a law for the time being in force.
• The Information Providerauthorises the Company (or any other person on its behalf) to disclose necessary PI and SPDI to affiliates, agents or third-party service providers who provide services to the Company in connection with the Company’s services/products or, the Information Provider’s employment with the Company.
• Subject to what is permitted under law, following are the types of third parties (whether in India or overseas) to whom the Information Provider’s PI and SPDI could be disclosed to:
• agents, contractors, service providers and external advisers engaged by the Company from time to time to carry out, provide services or advise on the functions and activities where PI or SPDI of Information Provider is required;
• other related bodies corporate/affiliates of the Company;
• regulatory bodies, government agencies, law enforcement bodies and courts; and
• any person who the Company deems necessary for carrying out the instructions Information Providergives to the Company.

6. TIME LIMITS FOR THE DELETION OF DATA AND ACCESS

SPDI will be deleted if the purpose mentioned under Paragraph 3above is attained.

7. TRANSFER OF DATA

The Company(or any person on its behalf) maytransfer SPDI and/or PI to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that isadhered tobytheCompanyasprovidedforunder the IT Act and SPDI Rules.Thetransfer may be allowedonly ifitisnecessary fortheperformance ofthelawfulcontractbetweenthe Company (or any person acting on its behalf) and the Information Provider or where the Information Provider has consented to such data transfer.

8. SECURITY

The Company (or any person on its behalf) has formulated adequate security practices and procedures to ensure that the information assets are adequately protected as per the applicable industrial practice and standards. The Company’s security practices and procedures are commensurate with or equivalent to the international standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”. The Company strives hard for ensuring that the SPDI it holds is protected from misuse, loss and unauthorized access, modification or disclosure.

9. MANAGER IN CHARGE OF DATA PROTECTION

The Company appoints Mr.Ramesh Bhat, CEO, (Contact: +917259284511, email id: ramesh.bhat@frenustech.com) as the Grievance Officer. The Grievance Officer shall redress the grievances of the Information Provider expeditiously within 1 (One) month from the date of receipt of grievance.

10. AMENDMENT

The Company may amend or modify this Policy from time to time at its sole discretion.

**********