Data Protection Policy

Last Updated: December 5, 2024

This Data Protection Policy outlines how Lumiotech Private Limited ("Company", "we", "us", "our") protects data processed by the lumioSentry platform.

This Data Protection Policy ("Policy") outlines how Lumiotech Private Limited ("Company") protects data in compliance with:

Information Technology Act, 2000
Digital Personal Data Protection (DPDP) Act, 2023
CERT-In Cyber Security Directions, 2022
Other applicable data protection laws and regulations

1. Data Classification

1.1 Categories of Data

We classify data into the following categories:

Personal Data: Information that can identify an individual
Sensitive Personal Data: Passwords, financial information, etc.
Corporate Data: Company information and business records
Public Data: Information available in public domain

1.2 Special Categories

We handle the following special categories of data:

Share ownership records
Financial transactions
Corporate governance documents
Regulatory filings

2. Data Collection and Processing

2.1 Lawful Basis

We collect and process data based on:

Explicit user consent
Contractual obligations
Legal requirements
Legitimate business interests

2.2 Purpose Limitation

Data is collected and processed only for:

Providing platform services
Regulatory compliance
Service improvement
Security purposes

3. Data Storage and Security

3.1 Storage Location

All data is stored on servers located in India, in compliance with data localization requirements.

3.2 Security Measures

We implement the following security measures:

End-to-end encryption
Access control and authentication
Regular security audits
Intrusion detection systems
Data backup and recovery
Employee security training

4. Data Retention

4.1 Retention Periods

We retain data only as long as necessary for its intended purpose, adhering to the DPDP Act's purpose limitation principles:

Active account data: Erased promptly when the purpose for processing is served or consent is withdrawn, unless retained for compliance with the law.
Transaction records: 8 years (as per Companies Act compliance).
ICT System Logs: Maintained securely for a rolling period of 180 days within Indian jurisdiction (as per CERT-In 2022 Directions).
Audit logs: 5 years for broader system auditing purposes.

4.2 Extended Retention

Data may be retained longer if required by law or for legitimate business purposes.

5. Data Access and Rights

Users have the following rights regarding their data:

Right to access
Right to correction
Right to data portability
Right to erasure (subject to legal requirements)
Right to withdraw consent

6.1 Internal Sharing

Data is shared internally on a need-to-know basis with:

Authorized employees
System administrators
Security personnel

6.2 External Sharing

Data may be shared with:

Regulatory authorities
Service providers
Legal advisors
Auditors

7. Data Breach and Cyber Incident Protocol

In the event of a data breach or cyber security incident:

Immediate internal notification and assessment of breach impact
Mandatory reporting of identified severe cyber incidents to CERT-In within 6 hours of noticing such incidents (in compliance with CERT-In 2022 directions)
Prompt notification to the Data Protection Board of India and affected Data Principals as per the DPDP Act
Implementation of comprehensive remedial measures and mitigation

8. Compliance and Accountability

We maintain compliance through:

Regular audits and assessments
Employee training programs
Documentation of procedures
Incident response planning
Privacy impact assessments

9. User Responsibilities

Users are responsible for:

Maintaining confidentiality of credentials
Ensuring accuracy of provided data
Reporting unauthorized access
Complying with security policies

10. Contact Information

For any questions regarding data protection:

Data Protection Officer

Email: legal@lumiotech.in