PRIVACY POLICY

1. INTRODUCTION

1.1 The domain name https://app.sangti.tech and its related sub-domains, sites, services and tools (collectively, the “Platform”), is owned and managed by Sangti Solutions Private Limited, a  company incorporated under the Companies Act, bearing company identification number  U72900MP2022PTC060184 having its registered office at A -509, The Residence, Bicholi,  Mardana, Indore, Madhya Pradesh - 452016 (hereinafter referred to as the “Company” or “We”  or “Us” which expression shall, unless it be repugnant to the context or meaning thereof, be  deemed to include its successors, affiliates, and permitted assigns). The Company is inter alia  engaged in the business of providing carbon emission measurement and decarbonisation  solutions and related services via the Platform (the “Services”).

1.2 The Company is committed to respecting your online privacy and recognizes your need for  appropriate protection and management of any information you share with the Company on the  Platform. This privacy policy (“Privacy Policy” or “Policy”) explains how the Company will  collect, use, share and process information in relation to the services provided on the Platform.  

1.3 This Policy shall be deemed to be incorporated into the terms of use of the Platform (the  “Terms”) and shall be read in addition to the Terms and any other agreement, that you may  enter into with the Company shall define our relationship and mutual expectations while you  use the Services on the Platform (“License Agreement”). In the event of any conflict between  this Policy with the Terms and/or the License Agreement, the interpretation placed by the  Company shall be final and binding on you.  

1.4 This Policy is being framed in view of the Information Technology Act, 2000 read with  Regulation 4 of the Information Technology (Reasonable Security Practices and Procedures  and Sensitive Personal Data or Information) Rules, 2011 and Regulation 3 (1) of the Information  Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

1.5 By accepting this Policy, you understand and agree to the collection, use, sharing and  processing of personal information as described herein. If you provide the Company with  personal information about someone else, you confirm that (a) such information is accurate and  up-to-date; (b) such person is aware that you have provided their information; and (c) they  consent to both, the disclosure and the use/processing of their information in accordance with  this Policy. This Policy applies to all the current and former visitors, users and others who  access this Platform.

2. SCOPE

2.1 This Privacy Policy is an electronic record in the form of an electronic contract and does not  require any physical, electronic or digital signature.  

2.2 By accessing or using the Platform or giving us your information or otherwise clicking to accept  this Privacy Policy, if and when prompted on the Platform, you undertake that you have the  capacity to enter into a legally binding contract vide. this Privacy Policy, which constitutes a  legally binding document between you and the Company under the applicable laws. The  Company will collect and process your personal and third-party data carefully, only for the  purposes described in this Privacy Policy and only to the extent necessary as defined herein  and within the scope of the applicable legal regulations. This Privacy Policy seeks to ensure  that any personal information or third-party information handled by the Company is managed  in a way that is ethical, compliant and adheres to best industry practices.  

2.3 Please read the terms and conditions of this Privacy Policy carefully, before accessing or using  the Platform or otherwise clicking to accept this Privacy Policy, if and when prompted on the

1

Platform. By accessing or using the Platform or otherwise clicking to accept this Privacy Policy,  if and when prompted on the Platform, you agree to the terms of this Privacy Policy.  

2.4 This Privacy Policy describes the types of information the Company collects, why and how the  Company uses the information, with whom the Company shares it, and the choices you can  make about Company’s use of the information. This Privacy Policy also describes the measures  the Company takes to protect the security of the information and how you can contact the  Company about its privacy practices.  

2.5 Further, this Privacy Policy describes the Company’s current data protection policies and  practices and may be amended/updated from time to time. The Company will notify the users  of any changes made to the Privacy Policy in compliance with applicable laws. The Privacy  Policy shall come to effect from the date of such update, change or modification. Your continued  use of the Platform or provision of data or information thereafter will imply your unconditional  acceptance of such updates to this Privacy Policy.

3. CONSENT

3.1 By mere access and/or use of the Platform, you expressly consent to the Company’s use and  disclosure of your Information (as defined below) and Third-party Information (as defined below) in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy,  please do not use the Platform.  

3.2 In case you wish to avail certain Services provided by the Company on the Platform, you are  required to register on the Platform and thereafter access the Platform using the login  credentials provided by you at the time of registration as set out in the Terms (“Login  Credentials”). You hereby explicitly agree that your use of the Login Credentials shall be  governed by the Terms read with the terms of this Policy.

3.3 In order to avail any Services on the Platform, you may be required to share certain Third-party  Information. The term “Third-party Information”, for the purpose of this Policy, shall mean and  include any Information collected from a third-party information source, including without  limitation, your customers, including Activity Information (defined below). The Company, whilst  providing the Services on the Platform, shall not be responsible for access to or use of such  Third-party Information. Depending on the nature of the Services being availed by you on the  Platform, you hereby agree that you obtained explicit written authorization and consent, from  all such subjects/individuals whose Information you provide in the format required by the  applicable laws in force, from time to time and store the same in your custody basis such laws.  You hereby represent and warrant that the Company shall not be held responsible, liable or  accountable in any manner or to any extent whatsoever, for your failure to perform obligations  under this clause.  

4. TYPES OF INFORMATION  

4.1 Personal Information is defined as any information that relates to a natural person, which, either  directly or indirectly, in combination with other information available or likely to be available with  a body corporate, is capable of identifying such person.  

4.2 Personal Information: Personal information means any information that may be used to  identify an individual, including, but not limited to, the first and last names, telephone number,  e-mail address, or any other contact information (“Personal Information”). The Company limits  the collection of Personal Information to that which is necessary for its intended purpose.

Further, Sensitive Personal Data or Information (“SPDI”) of a person includes Personal  Information about that person relating to passwords, financial information (bank accounts,  credit and debit cards or other payment instruments), physical information. The Company limits

2

the collection of Personal Information (including, SPDI) to that which is necessary for its  intended purpose.

4.3 Non-Personal Information: Non-personal information means information that does not  specifically identify an individual, but includes information from you, such as your browser type,  your Internet Service Provider (ISP), operating system and your Internet Protocol (IP) address.  The Company may gather any non-personal information regarding how many people visit the

Platform, their IP address, browser types and versions, time zone settings and locations,  operating systems, applications installed on your device, device ID, device manufacturer and  type, device, connection information, screen resolution, usage statistics, default communication  applications and other technology on the devices you use to access the Platform (hereinafter  referred to as “Non-Personal Information”). The Company may also collect Non-Personal  Information that you voluntarily provide, such as information included in response to a  questionnaire or a survey conducted by the Company.  

4.4 Usage Information: Usage information includes without limitation all data and information  collected automatically through the Platform (or through the third party analytics service  providers), by use and access of the Platform in the nature of system administrative data,  statistical and demographical data, and operational information and data generated by or  characterizing use of the Platform including without limitation Non-Personal Information,  cookies, Platform traffic, time spent on the Platform, number of visits to the Platform and other  similar information and behaviour indicating the mode and manner of use of the Platform

(hereinafter referred to as the “Usage Information”).

4.5 Activity Information: Activity information includes without limitation all data and information  collected from you or your customers, in relation to the Services being provided via the  Platform, such as the data related to shipments and transport, electricity use in facilities and  warehouses, spend on purchases, etc. which will be used by the Company to generate the  carbon emissions and/or provide any other Services on the Platform (hereinafter referred to as  the “Activity Information”).  

4.6 Personal Information, SPDI, Non-Personal Information, Usage Information and Activity  Information hereinafter shall be referred to as “Information”.

5. COLLECTION OF INFORMATION  

5.1 The Company may collect Information from you when you (a) register on the Platform; (b) use  the Platform for availing any Services provided by the Platform; (c) voluntarily complete a survey or provide feedback in relation to the services provided on the Platform; and (d) carry  out any other transactions on the Platform.

5.2 You hereby acknowledge and agree that all Information is provided by you to the Company voluntarily and the Information provided by you or is not subject to any undue influence.

5.3 The Company may use cookies to monitor the Platform usage including, without limitation, to  provide useful features to simplify your experience when you return to the Platform, like deliver  relevant content based on your preferences, usage patterns and location.

5.4 The Company may also collect Non-Personal Information based on your browsing activity and  in relation to your use or access to the Platform like your Internet Protocol address, your  operating system etc., which may or may not be publicly accessible.

5.5 Information collected by the Company from a particular browser or device may be used with  another computer or device that is linked to the browser or device on which such information  was collected.

3

6. USE OF INFORMATION

6.1 The Company uses the Information you provide to (a) manage your Customer Account (as  defined in the Terms); (b) fulfil your requests for the Services offered on the Platform; (c) provide  you with information about Services offered by the Company and details of the Company; (d)  respond to your inquiries about the offerings and the transactions carried out by the Company;  (e) resolve any glitches on the Platform including addressing any technical problems; (f)  improve the Services and content on the Platform and your experience of navigating through  the Platform; and (g) manage the Company’s relationship with you.

6.2 The Company may use the Information to monitor your use of the Services and may review  and analyse the Information provided by you to provide you with customized service.

6.3 The Company may use your Non-Personal Information or Usage Information for internal  business purposes, such as data analysis, research, developing new products and/or features,  enhancing and improving existing products and services and identifying usage trends.  

6.4 Subject to and in accordance with applicable laws, the Company has the right to use your  Information for the purpose of conducting promotional/marketing related activities on the  Platform.  

6.5 When you send an email message or otherwise contact the Company through the Platform, the  Company may use the Information provided by you to respond to your communication by way  of messages on the Platform, Short Message Service (SMS), email or any other communication  channels that the Company may deem fit. The Company may also archive such Information  and/or use it for future communications with you to inform you regarding updates, newsletters,  offers, new services and promotions.  

7. INFORMATION SHARING

7.1 The Company maintains your Information in electronic form on its devices and on the  equipment of its employees. The Information is made accessible to employees, agents or  partners and third-parties only on a need-to-know basis.  

7.2 The Company does not rent, sell, or share Information with other people or with other non affiliated entities, except with your consent or to provide Services you have requested for or  under the following circumstances:

(a) The Company may engage third party vendors and/or contractors to perform certain  support services, who may have limited access to Information.  

(b) The Company may rent, sell or share Non-Personal Information or Personal Information  in an aggregate form after it undergoes the process of de-identifications and is no more  identifiable to you, with any third party. 

(c) The Company may share Information with government authorities in response to  subpoenas, court orders, or other legal process; to establish or exercise legal rights; to  defend against legal claims; or as otherwise required by law. This may be done in  response to a law enforcement agency's request. 

8. THIRD PARTY SERVICE PROVIDERS  

8.1 The Company may engage other third party vendors and/or contractors to perform certain  support services, including, without limitation, software maintenance services, advertising and  marketing services, web hosting services and such other related services which are required  by the Company to provide its Services efficiently. These third parties may have limited access

4

to Information. If they do, this limited access is provided so that they may perform these tasks  for the Company and they are not authorized by the Company to otherwise use or disclose  Information, except to the extent required by law. The Company does not make any  representations concerning the privacy practices or policies or terms of use of such websites,  nor does it control or guarantee the accuracy, integrity, or quality of the information, data, text,  software, music, sound, photographs, graphics, videos, messages or other materials available  on such websites. The inclusion or exclusion does not imply any endorsement by the Company

of the website, the website's provider, or the information on such website.

8.2 The Platform may contain links and interactive functionality interacting with the websites of third  parties. The Company is not responsible for and has no liability for the functionality, actions,  inactions, privacy settings, privacy policies, terms, or content of any such websites. Before  enabling any sharing functions to communicate with any such websites or otherwise visiting  any such websites, the Company strongly recommends that you review and understand the  terms and conditions, privacy policies, settings, and information-sharing functions of each such  third-party websites.

9. DISCLOSURE TO ACQUIRERS

The Company may disclose and/or transfer Information to an investor, acquirer, assignee or  other successor entity in connection with a sale, merger, or reorganization of all or substantially  all of the Company’s equity, business or assets.

10. CONTROL OVER YOUR PERSONAL INFORMATION  

10.1 Where your consent is required for the purpose of the Company’s usage, processing, sharing  or collection of the Personal Information submitted by you in accordance with applicable laws,  you shall have the right to withdraw your consent at any point, provided such withdrawal of the  consent is intimated to the Company in writing through an email at support@sangti.tech in

requesting the same.  

10.2 Once you withdraw your consent to share the Personal Information, collected by the Company, the Company shall have the option not to fulfil the purposes for which the said Personal  Information was sought and the Company may restrict you from using the Platform.

10.3 If you wish to delete your Customer Account, and thereby discontinue using the Services  provided by the Company on the Platform, you may do so at any time, in accordance with the Terms. In other cases, you may discontinue using the Services provided by the Company on  the Platform by writing to the Company at support@sangti.tech .

11. RECTIFICATION/CORRECTION OF PERSONAL INFORMATION  

11.1 You shall have the right to review the Personal Information submitted by you on the Platform and to modify or delete any Personal Information provided by you directly on the Platform. You  hereby understand that any such modification or deletion may affect your ability to use the  Platform. Further, it may affect the Company’s ability to provide its Services to you.  

11.2 The Company reserves the right to verify and authenticate your identity and Information in any  manner in order to ensure accurate delivery of Services. Access to or correction, updating or  deletion of the Personal Information and/or SPDI (as the case may be) may be denied or limited  by the Company if it would violate another person’s rights and/or is not otherwise permitted by  applicable law.  

11.3 If you need to update or correct the Personal Information provided by you that the Company may have collected to offer you personalized services and offers, you may send updates and  corrections to the Company at support@sangti.tech citing the reason for such rectification of

5

Personal Information. The Company will take all reasonable efforts to incorporate the changes  within a reasonable period of time.

12. TERM OF STORAGE OF PERSONAL INFORMATION  

12.1 The Company shall store your Personal Information at least for such period as may be required  and permitted by law applicable in your jurisdiction or for a period necessary to satisfy the  purpose for which the Personal Information has been collected. These periods vary depending  on the nature of the information and your interactions with the Company.

12.2 The Company may store Non-Personal Information, Usage Information and Activity Information  received from you till such time it requires provided such storage and retention is in accordance  with applicable law.  

12.3 You agree that you will not submit any false information or any illegal or damaging content to  the Platform.  

12.4 The Company reserves the right to terminate access to or the ability to interact with the Platform in response to any concerns the Company may have about false, illegal, or damaging content,  or for any other reason, in its sole discretion.

13. COOKIES  

13.1 The Company uses cookies and/or other tracking technologies to distinguish you from other  users of the Services and to remember your preferences on the Platform. This helps the  Company to provide you with a good experience when you use the Services on the Platform and also allows the Company to improve such Services. Cookies are text files the Company places in your mobile phone, tablet or other devices to store your preferences. Cookies, by  themselves, do not tell the Company your e-mail address or other personally identifiable  information unless you choose to provide this information to the Company. They are designed  to hold a marginal amount of data specific to a particular user. However, once you choose to  furnish the Platform with personally identifiable information, this information may be linked to  the data stored in the cookie. The Company uses cookies to understand Platform usage and to  improve the content and offerings on the Platform. Cookies may be placed on the Platform by  third parties as well, the use of which the Company does not control.

13.2 Session cookies are automatically deleted from your hard drive once a session ends, and most  cookies are session cookies. You may decline the cookies, however, if you decline the cookies,  you may be unable to use certain features on the Platform. You may opt to leave the cookie  turned on.

14. PROTECTION OF INFORMATION  

14.1 The Company has taken adequate measures to protect the security of Information and to  ensure that your choices for its intended use are honoured. The Company takes robust  precautions to protect your data from loss, misuse, unauthorized access or disclosure,  alteration, or destruction.  

14.2 The Company considers the confidentiality and security of your Information to be of utmost  importance. It therefore uses industry standards, and physical, technical and administrative  security measures to keep Information confidential and secure and the Company will not share  your Information with third parties, except as otherwise provided in this Privacy Policy. Please  be advised that, however, while the Company strives to protect Information and privacy, the  Company cannot guarantee or warrant its absolute security when Information is transmitted  over the internet into the Platform. The Company will periodically evaluate this necessity  considering your privacy and our relation while keeping the applicable legislation in mind.

6

14.3 Access to your Customer Account on the Platform is via. your Login Credentials which helps to  secure your Information. You are solely responsible for maintaining the confidentiality of your Login Credentials. To ensure safety of your Information, you are advised against sharing your  Login Credentials with anyone. If you suspect any unauthorized use of your Customer Account,  you must immediately notify the Company. You shall be liable to indemnify the Company for  any loss suffered by the Company due to such unauthorized use of your Customer Account.

14.4 For any loss or theft of Information, due to reasons solely attributable to you, the Company shall  not be held liable or responsible under any circumstance whatsoever. Further, the Company shall not be responsible for any breach of security or for any actions of any third parties or  events that are beyond the Company’s reasonable control including but not limited to acts of  government, computer hacking, unauthorised access to computer data and storage device,  computer crashes, breach of security and encryption, poor quality of Internet service or  telephone service of the user, etc.  

15. USAGE ON BEHALF OF ANOTHER PERSON

If you are using the Platform on behalf of someone else, including but not limited to, on behalf  of your employer/customer, you represent and warrant that you are authorised by such person  to accept this Privacy Policy on their behalf and to consent on behalf of such person to the  Company’s use of such person’s Personal Information as described in this Privacy Policy.

16. LIMITATION OF LIABILITY

16.1 The Company shall not be liable to you for any loss of profit, production, anticipated savings,  goodwill or business opportunities or any type of direct or indirect, incidental, economic,  compensatory, punitive, exemplary or consequential losses arising out of performance or non performance of its obligations under this Privacy Policy.

16.2 The Company is not responsible for any actions or inactions of any third parties that receive  your Information.

16.3 Notwithstanding anything contained in this Privacy Policy or elsewhere, the Company shall not  be held responsible for any loss, damage or misuse of your Information, if such loss, damage  or misuse is attributable to a Force Majeure Event (as defined in the Terms).  

17. OPT- OUT

Once you register as a user on the Platform, you may receive communication, including but not  limited to messages on the Platform, Short Message Service (SMS) and phone calls from the  Company on the registered mobile number and e-mails on your registered e-mail address.  These messages, e-mails and calls could relate to your registration, transactions that you carry

out through the Platform and promotions that are undertaken by the Company. You have the  option to 'opt-out' of all newsletters and other general email marketing communications from  the Company by way of links provided at the bottom of each mailer. The Company respects  your privacy and in the event that you choose to not receive such mailers, the Company shall  take all adequate steps to remove you from such lists. Notwithstanding the foregoing, you  understand that you will not be able to opt-out of receiving administrative messages, customer  service responses or other transactional communications.

18. CHANGES TO THIS PRIVACY POLICY

The Company reserves the right to update, change or modify this Privacy Policy at any time,  subject to the terms contained herein. The Privacy Policy shall come to effect from the date of  such update, change or modification.

7

19. GOVERNING LAW AND DISPUTE RESOLUTION

This Policy shall be governed by and interpreted and construed in accordance with the laws of  India. The place of jurisdiction shall exclusively be in Indore, Madhya Pradesh. In the event of any dispute arising out of this Policy, the same shall be settled by a binding arbitration  conducted by a sole arbitrator, appointed jointly by both parties, and governed by the Arbitration  and Conciliation Act, 1996. The venue and seat of arbitration shall be Indore, Madhya Pradesh.

20. GRIEVANCE REDRESSAL MECHANISM

In accordance with the Information Technology Act, 2000 and rules made thereunder, the name  and contact details of the Grievance Officer are provided below:  

Name: Hitesh Bhuraria  

Phone Number: +91 8962434394

Email: hitesh@sangti.tech 

For registering your complaint, please contact the Grievance Officer at the above-mentioned  details in relation to any violation of this Policy or the Information Technology (Intermediary  Guidelines and Digital Media Ethics Code) Rules, 2021. The Grievance Officer shall redress  the complaint in accordance with the provisions of the Information Technology Act, 2000 and  rules made thereunder.

21. DATA RETENTION

Any data received to facilitate usage of the platform will be deleted within a period of max 180 days post request for deletion of account received via the platform or otherwise.

22. HOW TO CONTACT US

If you have questions or concerns about this Policy, you may contact the Company at  support@sangti.tech .

[Remainder of this page has been intentionally left blank]

8

COOKIE POLICY

1. CONSENT

1.1 We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

1.2 The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site.

1.3 We also use third-party cookies that help us analyze how you use this website, store your preferences, and provide the content and advertisements that are relevant to you. These cookies will only be stored in your browser with your prior consent.

1.4 You can choose to enable or disable some or all of these cookies but disabling some of them may affect your browsing experience.

DATA SUBJECT REQUESTS MANUAL

1. PURPOSE

1.1 This Data Subject Requests Manual (‘Manual’) establishes an effective, accountable, and transparent framework for ensuring compliance with the requirements in relation to data subject rights under the General Data Protection Regulation (EU) 2016/679 (‘GDPR’).  

2. SCOPE AND APPLICABILITY

2.1 The Manual applies across all entities or subsidiaries owned, controlled, or operated by Sangti Solutions Pvt. Ltd (“Sangti”, “we”, “us”, “our”) and to all personnel, including temporary, or contract employees, that handle Personal Data on behalf of us.  

3. DEFINITIONS

3.1 Controller shall mean the party responsible for determining the purposes and means of processing the Personal Data;  

3.2 Data Subject means a natural person whose Personal Data is processed by a controller or processor;  

3.3 Data Subject Request (‘DSR’) is a request made by a Data Subject in order to exercise any or all of the rights mentioned under para 5.1 below.  

3.4 Personal Data has the meaning given to it in GDPR and shall include any information relating to an identified or identifiable natural person.  

3.5 Processor shall mean the party who processes Personal Data on behalf of Controller; 

3.6 Processing includes any operation performed on Personal Data, whether or not by automated means, including collection, use, recording, etc.  

3.7 Supervisory Authority shall have the meaning assigned to it under the GDPR;  

4. REQUIREMENTS

4.1 GDPR provides for certain rights to Data Subjects in relation to the processing of their Personal Data. Individuals can request us to exercise these rights as part of our relationship with them.  

4.2 Under the GDPR, organizations are required to respond to such requests within one month. Failure to do so would amount to non-compliance with GDPR and could lead to risks, including administrative fines.  

4.3 The Manual describes the process for enabling individuals to exercise their data subject rights (described under 5.1 below). Key considerations are as follows:  

• All staff need to be aware of their responsibilities to provide information when a data subject access request is received. When a DSR is received, it should immediately be reported to the Privacy Officer at nishant@sangti.tech to log and track each request.
• Without limitation to other media, the preferred mode of making a DSR would be as per para 10 below.
• The statutory response time is one month.

5. PROCEDURE

When a DSR is received from an individual, it should immediately be reported to the Privacy Officer at nishant@sangti.tech, who will log and track each request. If you are asked to provide information, you will need to consider the following before deciding how to respond:  

5.1 Under GDPR, individuals have the following rights: 

• To be informed of the processing of their Personal Data;
• To access their own data;
• To rectification;
• To erasure (Right to be Forgotten);
• To restriction of processing;
• To data portability;
• To object;
• To object to automated decision making.

5.2 DSR can be raised as per the description under para 10 below. 

5.3 The type of access you must provide and the fee you are allowed to charge may vary depending on how the records are held.  

5.4 If a request has already been complied with and an identical or similar request is received from the same individual, a fee can be charged for the second request unless a reasonable interval has elapsed.  

5.5 Requests should include the full name, date of birth, and address of the person seeking access to their information. Information relating to an individual must only be disclosed to them or someone with their written authority to receive it to comply with the GDPR.  

5.6 Before processing a request, the requestor’s identity must be verified. Examples of suitable documentation include:  

• valid passport
• valid identity card
• valid driving license
• birth certificate along with some other proof of address, e.g., a utility bill.

5.7 No fee can be charged for providing information in response to a data subject access request unless the request is ‘manifestly unfounded or excessive’, in particular, because it is repetitive. Alternatively, we may refuse the request on appropriate grounds.  

6. SUBJECT ACCESS REQUESTS MADE BY A REPRESENTATIVE OR THIRD PARTY

6.1 Anyone with full mental capacity can authorize a representative/third party to help them make a data subject request. Before disclosing any information, Sangti must be satisfied that the third party has the authority to make the request on behalf of the requestor and that the appropriate authorization to act on their behalf is included  

7. COMPLAINTS

7.1 If a Data Subject is dissatisfied with the way we have dealt with their subject access request, they should be advised to exercise their right to complain against us with the relevant Supervisory Authority. 

8. ROLES AND RESPONSIBILITIES

8.1 Compliance, monitoring, and review 

• The overall responsibility for ensuring compliance with the requirements of the related legislation in relation to handling DSR at Sangti rests with the Privacy Officer.
• All functions/staff that deal with Personal Data are responsible for processing this data in compliance with the relevant privacy policies and procedures.

8.2 Records management 

• Staff must maintain all records relevant to administering this requested procedure in electronic form in a secure recordkeeping system.
• All records relevant to administering this manual and its procedure shall be maintained for a period of five (5) years.

9. PROCESSING DSR

9.1 Where business units within Sangti process a large quantity of information about a Data Subject, they should request the Privacy Officer to ask such an individual making the request to provide more specifics on the Personal Data sought.

9.2 The GDPR does not include an exemption for requests that relate to large amounts of data, but we may consider whether the request is manifestly unfounded or excessive.

9.3 If a decision is made to refuse a DSR, we must provide an explanation as to why the request is being refused within one month. In addition, we must inform the individual making the request of their right to complain to the relevant Supervisory Authority.

9.4 A reasonable fee, considering the administrative costs of providing the information, may only be applied where requests are deemed manifestly unfounded or excessive, in particular, because they are repetitive. Should the decision be taken to charge a fee, this must be communicated to the individual making the request.

9.5 The onus is on the officials in business areas handling the DSR to identify the relevant Personal Data and where the data is held. In doing so, these officials must have regard to the following:

• Staff must maintain all records relevant to administering this requested procedure in electronic form in a secure recordkeeping system.
• All records relevant to administering this manual and its procedure shall be maintained for a period of five (5) years.
• Retrieve all relevant data and prepare for action as per the DSR, e.g., in case of a request to access, a copy of retrieved Personal Data would be made available to Data Subject concerned issue after redacting the Personal Data of other individuals.
• The business unit official prepares a schedule listing the data provided and a breakdown of any data refused or redacted, which will accompany the data provided to the individual. The schedule should also provide information on:
• The purposes for processing the data.
• The categories of Personal Data concerned.
• Others outside the function/department to whom the data has been or will be disclosed.
• Whether the data has been or will be transferred outside of Sangti.
• The period for which the data will be stored or the criteria used to determine retention periods.
• Whether the individual has been subject to automated decision-making.

9.6 The schedule, together with the data, should be passed back to the Privacy Officer for a response within the required time frame. The letter should mention the Data Subject’s right to make a complaint to the Supervisory Authority along with the rights mentioned under 5.1 above. If the request is made electronically, the reply should, unless otherwise requested by the data subject, be provided in a commonly used electronic form. The data to be supplied will need to be redacted and scanned.

9.7 Information must be provided in an “intelligible and easily accessible form”, so that an individual may view and understand their data.

9.8 The data should not be retained by Sangti as this is merely generating more copies of existing Personal Data. If a copy is made, it may be retained for a short period, a maximum of one month, in case of material going astray in the post.

10. MODE OF RAISING A DATA SUBJECT REQUEST

10.1 Data subjects should send their DSRs to the Privacy Officer by email at nishant@sangti.tech. We must respond to them in the same way, within one month. We may extend this period by two months, due to the complexity or number of DSRs involved, but we must inform the concerned individual of this within the first month.

10.2 One may request information by phone, but it is very difficult to verify identity on the phone. If we can confirm the identity, we must provide the information requested orally (by phone). This is feasible for small volumes of information, such as confirmation of processing or requests for very small amounts of Personal Data requests. However, it would be a disproportionate effort to provide copies of Personal Data orally in response to a DSR except where the volume of data is low. However, we recognize that visually impaired individuals may have no other means of making a DSR, where they should be provided access through other compatible means and media.

10.3 It is not necessary to make a DSR via a solicitor; however, it is an individual’s right to do so should they so wish.

10.4 We prefer to complete the DSR form and send it to the Privacy Officer by email to make your request. Please be as specific as possible so that we direct your DSR to the appropriate area(s). The data subject can contact our Privacy Officer in any of the following ways:

• By email: nishant@sangti.tech
• By phone: +91 9701792337

11. PROVING YOUR IDENTITY

11.1 As we have a duty to protect Personal Data, it can only be disclosed against a valid request. Sangti must be satisfied that the individual making the DSR is the Data Subject of the Personal Data requested. We, therefore, need to verify the identity of the requestor. We need to collect one of the following forms of identity:

• A copy of a photo identity with an address, such as a passport or driving license. Sangti shall not retain these documents once we have verified the identity. Please do not collect original documents; or
• A copy of a photo identity without an address, together with a copy of a document containing proof of address, e.g., a recent utility bill or a letter from a public service body. Sangti shall not retain these documents once we have verified the identity. Please do not collect original documents.

11.2 The identity of current staff and contractors can be verified with relevant teams, e.g., the human resources team.

11.3 If the Data Subject does not have any of the identity documents above, please direct such an individual to contact our Privacy Officer: nishant@sangti.tech

12. ENFORCEMENT

The violation of the aforementioned procedure or any provisions thereof by an employee shall invite disciplinary actions.

Any personnel found to have violated the Manual may be subject to disciplinary actions, up to and including termination of employment, and applicable penalties.

DATA PROTECTION ADDENDUM

This Data Protection Addendum ("Addendum"), dated 3rd July 2023 , and effective as of the Addendum Effect Date (as defined below), forms part of the Terms of Service ("Terms") between (i) Sangti Solutions Pvt. Ltd. ("Sangti") and (ii) "User/User's Org" each being a “Party” and together the “Parties”.

The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Terms and references in this Addendum to the Terms are to the Terms as amended by, and including, this Addendum.

1. DEFINITIONS

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

• "Addendum Effective Date" has the meaning given to it in section 2;
• "Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Client or Sangti (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
• "Client Personal Data" means any Personal Data Processed by Sangti (i) on behalf of Client (including for the sake of clarity, any Client Affiliate), or (ii) otherwise Processed by Sangti, in each case pursuant to or in connection with instructions given by Client in writing, consistent with the Terms;
• "Controller to Processors" means the Standard Contractual Clauses (processors) for the purposes of Article 26(2) of Directive 95/46/EC set out in Decision 2010/87/EC as the same are revised or updated from time to time by the European Commission;
• "Data Protection Laws" means (i) Directive 95/46/EC and, from May 25, 2018, Regulation (EU) 2016/679 ("GDPR") together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons, and (ii) to the extent not included in sub-clause (i), the Data Protection Act 1998 of the United Kingdom, as amended from time to time, and including any substantially similar legislation that replaces the DPA 1998;
• "Privacy Shield" means the EU-US Privacy Shield Framework; and
• "Services" means the services to be supplied by Sangti to Client or Client Affiliates pursuant to the Terms.

1.2 The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor" and “Supervisory Authority” have the same meanings as described in applicable Data Protection Laws, and cognate terms shall be construed accordingly.

1.3 Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Terms.

2. FORMATION OF THIS ADDENDUM

This Addendum is deemed agreed by the Parties and comes into effect on the “Addendum Effective Date”, being the later of (i) the date that this Addendum is accepted by Client; and (ii) Sangti.

3. ROLES OF THE PARTIES

The Parties acknowledge and agree that with regard to the Processing of Client Personal Data, and as more fully described in Annex 1 hereto, Client acts as a Controller and Sangti acts as a Processor (as defined in section 5.2.4 below).

The Parties expressly agree that Client shall be solely responsible for ensuring timely communications to Client’s Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enable Client’s Affiliates or the relevant Controller(s) to comply with such Laws.

4. DESCRIPTION OF PERSONAL DATA PROCESSING

In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the details of the Processing of the Client Personal Data to be Processed by Sangti pursuant to this Addendum, as required by Article 28(3) of the GDPR. Either Party may make reasonable amendments to Annex 1 by written notice to the other Party and as reasonably necessary to meet those requirements. Annex 1 does not create any obligation or rights for any Party.

5. DATA PROCESSING TERMS

5.1 Client shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum. As between the Parties, Client shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to Sangti of Client Personal Data. Client agrees not to provide Sangti with any data concerning a natural person’s health, religion, or any special categories of data as defined in Article 9 of the GDPR.

5.2 Sangti shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data and Sangti shall:

• 5.2.1 process the Client Personal Data relating to the categories of Data Subjects for the purposes of the Terms and for the specific purposes in each case as set out in Annex 1 to this Addendum and otherwise solely on the documented instructions of Client, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Terms including with regard to transfers of Client Personal Data to a third country outside to an international organization; Sangti shall immediately inform Client if, in Sangti’s opinion, an instruction infringes applicable Data Protection Laws;
• 5.2.2 ensure that persons authorized to process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• 5.2.3 implement and maintain the technical and organizational measures set out in the Terms and, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement any further appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of the Processing of Client Personal Data as per following:
  • (a) pseudonymization and encryption of Client Personal Data;
  • (b) ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services that process Client Personal Data;
  • (c) restoring availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and
  • (d) regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Client Personal Data.
  Any amendment to such agreed measures that is necessitated by Client shall be dealt with via an agreed change control process between Sangti and Client;
• 5.2.4 Client (on behalf of the relevant Controller(s), as applicable), hereby expressly and specifically authorizes Sangti to engage another Processor to Process the Client Personal Data ("Other Processor"), and specifically the Other Processors listed in Annex 2 hereto, subject to Sangti's:
  • (a) notifying Client of any intended changes to its use of Other Processors listed in Annex 2 by emailing notice of the intended change to Client;
  • (b) including data protection obligations in its contract with each Other Processor that are materially the same as those set out in this Addendum; and
  • (c) remaining liable to the Client for any failure by each Other Processor to fulfill its obligations in relation to the Processing of the Client Personal Data.
  In relation to any notice received under section 5.2.4 a., the Client shall have a period of 30 (thirty) days from the date of the notice to inform Sangti in writing of any reasonable objection to the use of that Other Processor. The parties will then, for a period of no more than 30 (thirty) days from the date of the Client's objection, work together in good faith to attempt to find a commercially reasonable solution for the Client which avoids the use of the objected-to Other Processor. Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Terms) terminate the relevant Services immediately on written notice to the other Party, without damages, penalty, or indemnification whatsoever;
• 5.2.5 to the extent legally permissible, promptly notify Client of any communication from a Data Subject regarding the Processing of Client Personal Data, or any other communication (including from a Supervisory Authority) relating to any obligation under the applicable Data Protection Laws in respect of the Client Personal Data and, taking into account the nature of the Processing, assist Client (or the relevant Controller) by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s, Client’s Affiliates’ or the relevant Controller(s)’ obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR; Client agrees to pay Sangti for time and for out of pocket expenses incurred by Sangti in connection with the performance of its obligations under this Section 5.2.5;
• 5.2.6 upon Sangti’s becoming aware of a Personal Data Breach involving Client Personal Data, notify Client without undue delay, of any Personal Data Breach involving Client Personal Data, such notice to include all information reasonably required by Client (or the relevant Controller) to comply with its obligations under the applicable Data Protection Laws;
• 5.2.7 to the extent required by the applicable Data Protection Laws, provide reasonable assistance to Client, Client’s Affiliates’ or the relevant Controller(s)’ with its obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and information available to Sangti; Client agrees to pay Sangti for time and for out of pocket expenses incurred by Sangti in connection with any assistance provided in connection with Articles 35 and 36 of the GDPR;
• 5.2.8 cease Processing the Client Personal Data upon the termination or expiry of the Terms, and at option of Client, Client’s Affiliates or the relevant Controller(s) either return or delete (including by ensuring such data is in non-readable format) all copies of the Client Personal Data Processed by Sangti, unless (and solely to the extent and for such period as) Country law requires storage of the Personal Data. Notwithstanding the foregoing or anything to the contrary contained herein, Sangti may retain Personal Data and shall have no obligation to return Personal Data to the extent required by applicable laws or regulations obligations. Any such Personal Data retained shall remain subject to the obligations of confidentiality set forth in the Terms, and
• 5.2.9 make available to Client all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, by Client, or an auditor mandated by Client. For the purposes of demonstrating compliance with this Addendum under section 5.2.9, the Parties agree that once per year during the term of the Terms, Sangti will provide to Client, on reasonable notice, responses to cybersecurity and other assessments. Client agrees to pay Sangti for time and for out-of-pocket expenses incurred by Sangti in connection with assistance provided in connection with such audits, responses to cybersecurity, and other assessments.

6. TRANSFERS

Sangti is certified by Information Security Management as per ISO 27001:2022. Sangti shall notify Client in writing without undue delay if it can no longer comply with its obligations under the Privacy compliance, and, in such a case, Sangti will have the option of (i) promptly taking reasonable steps to remediate any non-compliance with applicable obligations under this Addendum, or (ii) engaging in a good faith dialogue with Client to determine a new data transfer mechanism to carry out the purposes of the Terms. Sangti acts as a Processor with respect to Personal Data received pursuant to a data transfer.

In the event the Privacy Compliance is invalidated, Client and each Client Affiliate (on behalf of the relevant Controller(s), as the case may be), if applicable (as "data exporter") and Sangti (as "data importer"), with effect from the commencement of the relevant transfer, shall enter into the Controller to Processor SCCs (mutatis mutandis, as the case may be) in respect of any transfer (or onward transfer) from Client or Client Affiliate to Sangti, where such transfer would otherwise be prohibited by applicable Data Protection Laws or by the terms of data transfer agreements put in place to address applicable Data Protection Laws. Appendix 1 to the Controller to Processor SCCs shall be deemed to be prepopulated with the relevant sections of Annex 1 to this Addendum and the processing operations are deemed to be those described in the Terms. Appendix 2 to the Controller to Processor SCCs shall be deemed to be prepopulated with the following "Taking into account state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of the varying likelihood for the rights and freedoms of natural persons, Sangti shall implement appropriate technical and organizational measures as set forth in the Addendum."

7. PRECEDENCE

The provisions of this Addendum are supplemental to the provisions of the Terms. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Terms, the provisions of this Addendum shall prevail.

8. INDEMNITY

To the extent permissible by law, Client shall indemnify and hold harmless Sangti against all (i) losses, (ii) third-party claims, (iii) administrative fines, and (iv) costs and expenses (including without limitation, reasonable legal, investigatory and consultancy fees and expenses) reasonably incurred in relation to (i), (ii) or iii), suffered by Sangti and that arise from any breach by Client of this Addendum or of its obligations under applicable Data Protection Laws.

9. SEVERABILITY

The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.

10. OTHERS

The organization ensures that the contract to process PII addresses the organization’s role in providing assistance with the customer's obligations. The Agreement considers the following and follows:

• (a) Privacy by Design and default
• (b) Achieving Security of Processing
• (c) Notification of breaches involving PII to a Supervisory authority
• (d) Notification of breaches involving PII to Customers and PII Principals,
• (e) Conducting Privacy Impact Assessment
• (f) Assurance of Assistance by the PII Processors if prior consultations with relevant PII Protection authorities are needed.
• (g) Sangti shall inform the customer if, in its opinion, a processing instruction infringes applicable legislation or regulation.
• (h) The organization does not use PII processed under a contract for the purposes of Marketing and Advertising.
• (i) Coordinate with Clients to help Audit the systems. The organization provides the customer with the appropriate information so that it can demonstrate compliance with its obligations
• (j) Sangti shall use (List of processors available on request) as subprocessors with Security and Privacy requirements full filled.
• (k) The organization shall comply with all statutory and regulatory requirements, ISO 27001:2013, ISO 27701:2022, and EU GDPR requirements.
• (l) The Data shall be deleted, or de-identified after the processing is complete (This is after the retention period selected is complete).
• (m) Sangti shall inform 24 hours in advance to clients in case of any legally binding requests for disclosure of PII.
• (n) For Access, Correction, and/or Erasure of the PII of Data subjects can be done by contacting the Data Protection Officer (DPO) below. Also, raising concerns and/or any complaints related with PII that can be done by contacting the Data Protection Officer below:
  • Name: Nishant Singh
  • Email: nishant@sangti.tech
  • Phone: +91 9701792337

ANNEX 1: DESCRIPTION OF PROCESSING OF CLIENT PERSONAL DATA

This Annex includes certain details of the Processing of Client Personal Data as required by Article 28(3) GDPR and, as applicable, Controller to Processor SCC.

• Subject matter and duration of the Processing of the Personal Data: The subject matter and duration of the Processing of the Client's Personal Data are set out in Section 2 of the Terms.
• The nature and purpose of the Processing of Personal Data: Due diligence and Background Verification of Organizations and Individuals.
• The categories of Data Subject to whom the Client's Personal Data relates - Employees and Contractors of Clients.
• The types of Client Personal Data to be Processed: Name, Email, Image, Job, Language, Phone, User ID, and Username
• Special categories of data: None
• The obligations and rights of Client: The obligations and rights of Client are set out in the Terms and this Addendum.
• Processing operations (as applicable): The personal data transferred will be subject to basic processing activities required for authentication and usage of the platform.

ANNEX 2: AUTHORIZED OTHER PROCESSORS

• Name: Cloud Provider (Name available on request)
• Description of processing: Host for private cloud
• Location: (Locations available on request)