Objective

To establish a comprehensive privacy program, AUK Commerce Tech Private Limited hereby adopts principles aligned with concepts and requirements from applicable data protection laws including India's Digital Personal Data Protection Act, 2023 (“DPDP Act”). Please note that terms used but not defined under this privacy notice shall have the meaning ascribed to such terms under the DPDP Act.

Purpose

AUK Commerce Tech Private Limited henceforth referred to as (“AUKCTPL”, “we”, “us”, “our / ours”) operates under the brand name Nitro Commerce and provides marketing SaaS products Nitro X/ Superacquire, Nitro Ads and Nitro Collab. These are used in the websites through software development kits or virtual tokens which are installed on client's desired platforms, wherein client's avail services provided by AUKCTPL to send personalized marketing communications to the client's website visitors. We are committed to protecting the privacy and security of personal data belonging to the Data Principals or Users (“you”, “your”, “yours”) and processing in accordance with the requirements of the Platform. The protection of your privacy is an important concern to which we pay special attention when processing your personal data with respect to our business processes. We process personal data collected during visits to our Platform and affiliates in accordance with the legal provisions of India.

Scope

This privacy notice describes the information about you that we collect through the SDK installed, how that information is used, maintained, shared, protected and how you can update it. It applies to personal data received by us through our client for the purpose of sending personalized marketing communications to data principals in India in digital format (and non-digital format, if digitized subsequently). Please note that we are not obligated to observe compliances in relation to such sets of personal data that are excluded from the scope of applicable law (including personal data that has been made publicly available by the data principal to whom such data belongs or by any person acting under a legal obligation to disclose the personal data). This document supersedes any previous policy/communication on this subject.

General Information

• Name and Address: AUK Commerce Tech Private Limited
• Primary Business Activity: Developing marketing SaaS products for our client's. SaaS (Software as a Service) refers to a model where software is delivered online rather than installed on individual computers.
• Data Protection Officer (DPO): Rihan Husain is designated as our Data Protection Officer. The DPO is responsible for overseeing compliance with data protection regulations like the DPDP Act.

Types of Data Collected:

Personal data refers to data that lets us know the specifics of who you are and what may be used to identify, contact or manage preferences (e.g. name, email ID, pin code, browsing patterns on client's website). We receive your personal data when you for our client's services or request customer support. Please note that our obligation or responsibility as a data processor to our client is limited to scenarios where you may, of your own accord, or on instructions of another party upload personal data on the client's Platforms or share personal data with another person. In the latter scenarios, the relevant third party will be the data fiduciary and/or responsible for compliance with obligations under applicable law including in relation to obtaining consent (subject to due notice) from concerned data principals, i.e., you. We collect the following types of personal information through our virtual tokens:

• Name: This could be your first name, last name, or full name, depending on how our client's website or app collects this information.
• Email ID: This is the email address you provide on our client's website or app.
• Pincode: This is the postal code associated with your location if you choose to share it on our client's website or app.
• Website page visit data and behaviour: This includes information about the pages you visit on our client's website or app, how long you stay on each page, and the actions you take (e.g., clicking on buttons, and filling out forms).

Purpose of Data Collection:

We collect data to enable our client's to send you personalized marketing communications to enhance your experience across the Platforms of our various client's. This allows our client's to target their marketing messages to data principals who are more likely to be interested in their products or services. The use of your information is subject to the privacy policy in effect at the time of our use. As a practice, we use the information provided to us for our general business use. This may include the following purposes.

• To send communications to you about the current services, new services or promotions that we or our affiliates are developing, and opportunities that may be available to you
• To alert you to new features or enhancements to our services.
• To communicate with you about job or career opportunities about which you have inquired
• To ensure that our site and our services function in an effective manner for you
• To measure or understand the effectiveness of advertising and outreach.
• To send you important information regarding the websites, changes in terms and conditions, user agreements, and policies, and/ or other administrative information.
• Marketing and events: We use personal information to deliver marketing and event communications to you across various platforms, such as email, telephonic communication, text messaging, direct mail, and online. If we send you a marketing email, it will include instructions on how to opt out of receiving these emails in the future. We also maintain email preference centers for you to manage your data and marketing preferences. In the event you opt out of receiving marketing emails from us, we may still send you important service information related to your accounts and subscriptions.

Legal Basis

• We rely on consent as a legal basis to collect and process user data. Users give us their consent when they opt-in to data collection on our client's website or on the app using a pop-up. Kindly read our Terms and Privacy Policy diligently.

Data Sharing and Transfers

AUKCTPL does not share user data with any third parties or external partners. AUKCTPL shares or discloses personal data when necessary to provide services or conduct our business operations. If AUKCTPL intends to transfer your personal data to a third party, AUKCTPL shall take steps to ensure that your privacy rights continue to be protected and shall ensure that adequate safeguards are in place. AUKCTPL does not transfer user data internationally. All data is stored on servers located in India . This means that your data will always be subject to the data protection laws of India.

Data Security

AUKCTPL uses appropriate technologies and procedures to protect your personal data. We use a variety of security measures to protect your data from unauthorized access, disclosure, alteration, or destruction. Our information security policies and procedures are closely aligned with widely accepted international standards and are reviewed regularly and updated as necessary to meet our business needs, changes in technology, and regulatory requirements. These measures include:

• Transport Layer Security (TLS): We use TLS to encrypt data when it is transferred between your device and our servers. This helps to ensure that your data is not intercepted by unauthorized third parties.
• Encryption At Rest and In Motion: Data is encrypted both on our servers and when it is being transferred between our servers. This adds an extra layer of security to protect your data.
• Regular Security Audits: We conduct regular security audits to identify and address any potential vulnerabilities in our systems.
• Role-Based Access Control: We place appropriate restrictions on access to your personal data and is protected by multi-factor authentication
• Training: We conduct privacy, information security, and other applicable training on a regular basis for our employees and contractors who have access to personal data.

Data Storage and Retention

• Storage of Data Principal's information: User data is stored on cloud platforms provided by reputable service providers. These cloud platforms offer a high level of security and reliability. We store your data on platforms that comply with data protection laws that offer an equivalent or greater level of protection as in the DPDP Act.
• Data Retention Policy: We retain user data and profiles for as long as it is to fulfill the purpose for which it was collected after that, the data is automatically purged from our systems. AUKCTPL takes into consideration local laws, contractual obligations, and the expectations and requirements of our client's and data principals both.
• Data Deletion Process: We employ industry-standard deletion and shredding techniques provided by our cloud platform provider (e.g., Google Cloud Platform) to securely delete your data. These techniques make it virtually impossible to recover deleted data.

Data Principal's Rights

Data Principals have the following rights under the DPDP Act in relation to their personal data. These rights include:

• Right to Access Information about personal data: At any point you can contact us to request a summary of the personal data relating to you that we hold. Once we have received your request we will respond within one month. There are no fees or charges for the first request but additional requests for the same data may be subject to an administrative fee. You do not have to provide a reason for requesting access, but you will need to provide some proof of your identity co-relating to the personal data sought access.
• Right to Correction and Erasure of Personal Data: If the data we hold about you is out of date, incomplete, or incorrect, or misleading, you can inform us and your data will be updated or erased.
• Right of Grievance Redressal: Data Principals have the right to have readily available means of grievance redressal provided by a our client's and/ or us in respect of any act or omission of our client's or us regarding the performance of our obligations in relation to your personal data or the exercise of your rights under the provisions of DPDP Act.
• Right To Nominate:Data Principals have the right to nominate any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of DPDP Act.
• Right to Give Consent: Consent that is free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
• In relation to the above, you can exercise such right by sending us an email with your request to [email protected] along with the necessary proof of identity requirements that we may require prior to processing such a request from you.
• Responding to Data Principal's Requests: We will respond to your requests within a reasonable timeframe, typically within one month of the receipt. We may ask you for additional information to verify your identity before processing your request.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices or applicable laws. We will notify you of any changes by posting the updated Privacy Policy on our website. We encourage you to review ourPrivacy Policy periodically to stay informed about our data practices.