Privacy Policy.

This Privacy Policy("Policy") was updated at 1st November, 2025 ("Effective Date").

This Privacy Policy ("Policy") is issued by METACIRCLES PRIVATE LIMITED, a company incorporated under the laws of India and having its registered office at [Insert Address], which owns and operates the website https://culture-circle.com and its relevant mobile application("Culture Circle" or "Company").

Culture Circle is an e-commerce platform that curates and showcases exclusive, community-driven, and culturally relevant products in the domains of fashion, sneakers, lifestyle collectibles, and designer-led collaborations. It enables users to explore, purchase, and engage with curated collections, while also inviting resellers and creators to contribute, showcase, and collaborate with the brand.

This Policy governs the collection, use, storage, processing, and disclosure of personal data of all individuals interacting with the Platform, including but not limited to customers, users, collaborators, and resellers. The Policy reflects Culture Circle's commitment to upholding the rights of individuals and its obligation to adopt responsible, transparent, and secure data practices.

This Policy is formulated in accordance with the provisions of the Digital Personal Data Protection Act, 2023 ("DPDPA"), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and such other rules, regulations, and guidelines as may be applicable. It is also guided by internationally recognised privacy principles, including purpose limitation, data minimisation and data security.

The Policy reflects the Company's enduring commitment to ensure that all personal data is processed fairly, lawfully, and in a manner that respects the privacy rights of individuals and upholds the principles of integrity, confidentiality, and accountability.

WHEREAS

A. METACIRCLES PRIVATE LIMITED ("Culture Circle" or the "Company") operates an e-commerce platform and is committed to protecting the personal data and privacy rights of its users, resellers, customers, vendors, employees, and other stakeholders, in accordance with the highest standards of transparency, accountability, and ethical data governance;

B. Culture Circle is committed to ensuring that its data governance practices remain fully compliant with the applicable laws in force within India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, as well as any relevant rules, directions, advisories, or notifications issued by the Indian Computer Emergency Response Team (CERT-In) and the Ministry of Electronics and Information Technology (MeitY);

C. The Company acknowledges that personal data, including sensitive personal data such as payment-related information, must be processed on the basis of lawful grounds including consent or legitimate use, and managed through appropriate safeguards to prevent misuse, loss, or unauthorised access;

D. The protection of personal data, the implementation of industry-standard security safeguards, and the adoption of lawful, transparent, and accountable data handling procedures constitute core principles of Culture Circle's operational framework and commercial ethos.

NOW THEREFORE, Culture Circle hereby adopts this Privacy Policy to provide a clear, lawful, and user-centric framework for the collection, processing, storage, use, disclosure, and protection of personal data, thereby reinforcing its commitment to data privacy and regulatory compliance. By accessing, browsing, using the Platform, via website or its application, submitting any personal data voluntarily, or otherwise engaging with the services of Culture Circle, each user is deemed to have read, understood, and agreed to be bound by this Privacy Policy, and to adhere to the rights and obligations set out herein.

1. DEFINITIONS AND INTERPRETATION

1.1. Definitions:

In this Policy (including the recitals above hereto), except where the context otherwise requires, the following words and expressions shall bear the meaning assigned to them below:

a) "Act" shall mean the Digital Personal Data Protection Act, 2023, including all applicable rules, notifications, and amendments relating to the collection, processing, storage, transfer, and protection of personal data in India, and shall include the Information Technology Act, 2000, and IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, to the extent applicable.
b) "Data Principal" shall mean the individual to whom the personal data relates, and includes any user, customer, website visitor, or individual whose personal data is processed by the Company.
c) "Data Fiduciary" shall mean Culture Circle, which determines the purpose and means of processing personal data in its capacity as a data fiduciary under the Act.
d) "Data Processor" means any natural or legal person, public or private entity, agency, or other body, whether incorporated or unincorporated, who processes personal data on behalf of the Data Fiduciary pursuant to a contract or other lawful instruction. A Data Processor shall not process such data for any purpose other than as expressly instructed by the Data Fiduciary, and shall be subject to obligations of confidentiality, data security, and regulatory compliance as prescribed under applicable law.
e) "Personal Data" shall mean any data about an individual who is identifiable by or in relation to such data, whether directly or indirectly, through reference to identifiers such as name, contact details, location data, online identifiers, or any other characteristic or attribute of identity.
f) "Sensitive Personal Data" shall mean personal data that relates to passwords, financial information such as bank account or credit card details, biometric data, and any other category of data notified as sensitive under applicable law.
g) "Processing" shall mean any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
h) "Consent" shall mean any freely given, specific, informed, and unambiguous indication of the Data Principal's agreement to the processing of their personal data for the intended purpose, either through a clear affirmative action or through any other prescribed manner under applicable law.
i) "Grievance Officer" shall mean the designated individual appointed by the Company to address privacy-related grievances and ensure redressal in accordance with the timelines and procedures under the Act.
j) "Third Parties" shall mean any external persons or entities, including service providers, contractors, consultants, logistics partners, and technology vendors, with whom personal data may be shared for business purposes, subject to appropriate safeguards.
k) "Data Breach" shall mean any unauthorized or accidental disclosure, alteration, loss, access, or destruction of personal data that compromises its confidentiality, integrity, or availability.
l) "Website" shall mean the online platform of the Company, accessible at https://culture-circle.com, including all subdomains and mobile applications operated by or on behalf of the Company.
m) "User" shall mean any individual who accesses or uses the Company's website, interacts with its services, purchases products, or otherwise provides personal data to the Company.
n) "Culture Circle Team" or "Personnel" shall mean all full-time, part-time, probationary, temporary, or contractual employees, interns, consultants, and authorised representatives of the Company, regardless of location or designation.
o) "Nominee" shall mean a person appointed by a Data Principal under the Act to act on their behalf in the event of their death or incapacity.
p) "Notice" shall mean a clear and accessible statement provided by the Company to the Data Principal, before collecting personal data, informing them of the purpose, method, legal basis, and rights in relation to such processing.

1.2. Interpretation

a) In addition to the terms defined above, certain terms may be defined elsewhere in this Policy, and wherever such terms are used, they shall have the meaning assigned to them.
b) Section headings are for convenience only and shall not affect the construction or interpretation of any provision of this Policy.
c) References to sections or annexures are, unless the context otherwise requires, references to sections or annexures of this Policy.
d) Where a word or phrase is defined, other parts of speech and grammatical forms and the cognate variations of that word or phrase will have corresponding meanings
e) Words denoting singular shall include the plural and vice versa, and words denoting any gender shall include all genders unless the context otherwise requires.
f) The terms "hereof", "herein", "hereto" and derivative or similar words refer to this entire Policy or specified Sections of this Policy, as the case may be.
g) All references to this Policy shall include any amendments or updates to this Policy, as approved by the Compliance Officer or the designated authority from time to time.

2. APPLICATION

a) The purpose of this Privacy Policy is to establish a clear, lawful, and comprehensive framework for the collection, processing, usage, storage, disclosure, and protection of personal data submitted to, or collected by, the Culture Circle platform. The Policy reflects the Company's commitment to ensuring the privacy and dignity of individuals whose data is processed in connection with the use of the Platform.

b) This Policy applies to all data principals who interact with the Platform in any capacity, including but not limited to:

i. Users who access, browse, or interact with any part of the website, irrespective of account creation whose session-based or cookie-related data is collected during their interaction with the Platform;
ii. Registered customers who make purchases or create user profiles on the Platform;
iii. Resellers, vendors, or business partners who submit information for the purposes of onboarding, verification, collaboration, or fulfilment;
iv. Designers, artists, creative collaborators, and contributors who engage with the Platform through product design, promotion, or creative representation;
v. Personal Data collected through both online and offline channels, including but not limited to customer interactions, surveys, feedback forms, product inquiries, email communications, social media interactions, and payment gateways which are PCI DSS Level 1 Compliant;
vi. Third parties acting on behalf of the Company (such as logistics providers, payment processors, marketing affiliates, or cloud service providers), to the extent that they process Personal Data under the Company's instructions and authority;
vii. Personal Data processed in India, as well as data collected from Users outside India but processed or stored in India, subject to applicable local and cross-border data transfer laws.

c) This Policy shall apply regardless of the device, platform, or medium used to access the Company's services, including desktops, mobile phones, tablets, smart devices, and other digital channels.

d) This Policy does not apply to:

i. Aggregated or anonymised information that does not, directly or indirectly, identify an individual;
ii. Data submitted directly to courier partners, affiliate service providers, or external applications used in conjunction with the Platform but governed by their own privacy practices;
iii. Third-party websites, platforms, or applications which may be linked from the Company's Platform but are not owned or operated by the Company. Users are encouraged to review the privacy policies of such third-party services independently;
iv. Data that is collected or processed for purely personal, household, or journalistic purposes by individuals and is exempted under the provisions of the Digital Personal Data Protection Act, 2023.

e) By accessing or using the Platform or otherwise providing Personal Data to the Company, the User expressly acknowledges and agrees to the terms of this Policy, and consents to the processing of their Personal Data in accordance with the terms stated herein.

f) In case of any conflict between this Policy and any contractual terms agreed between the Company and any Data Principal (such as employees, vendors, or consultants), the provisions offering higher privacy protection shall prevail, unless otherwise required by applicable law.

3. CATEGORIES OF PERSONAL DATA COLLECTED

a) Culture Circle collects and processes specific categories of personal data to facilitate the delivery of its e-commerce services, enhance user experience, ensure legal compliance, and enable commercial collaboration. The nature and extent of data collected may vary depending on the user's role and interaction with the Platform, including but not limited to that of a customer, reseller, creator, visitor, or guest user;

b) Personal data may be acquired through one or more of the following sources:

i. Data voluntarily submitted by users during registration, checkout, communication, or onboarding;
ii. Data automatically collected from the user's browser, device, or activity on the Platform;
iii. Data obtained from third-party integrations or external platforms used to support Culture Circle's functionality;
iv. Data inferred or derived through behavioural patterns, interaction history, and system analytics.

Mode	Description	Examples	Typical Use Cases
Voluntarily Provided	Information directly submitted by the user through forms, registrations, submissions, or communication.	Account creation, checkout, newsletter sign-up, reseller onboarding, contact forms, event RSVPs.	Creating user accounts, submitting business details, subscribing to communication.
Automatically Collected	Data captured by systems, browsers, or devices during user interaction with the Platform.	Cookies, device identifiers, IP address, session analytics, clickstream, cart abandonment patterns.	Website interaction tracking, improving performance, fraud detection, analytics.
Collected from Third Parties	Information obtained through external service providers, tools, or integrations.	Social login data (e.g., Google, Meta), payment gateway status, influencer links, courier tracking data.	Login via third-party providers, processing payments, affiliate and referral tracking.
Derived or Inferred Data	Data analytically generated based on existing data and behaviour patterns.	Wishlist trends, repeat purchase analysis, likelihood of churn or engagement, profile preference tags.	Behavioural targeting, personalisation, product recommendations, feature improvements.

c) The above Personal Data may be collected at the time of account creation, while placing an order, subscribing to newsletters, interacting with the Platform or customer care, participating in surveys or contests, or otherwise voluntarily provided by the User.

d) In addition to the above, the Company may collect certain Non-Personal Data (data that does not identify an individual directly or indirectly), which may include aggregated statistics, anonymised usage metrics, and analytics data, solely for internal research, service improvement, or marketing performance purposes.

e) The Company does not intentionally collect or process biometric data, health data, or official government identifiers (such as Aadhaar or PAN), unless specifically required by law or consented to by the User for a legitimate purpose.

f) The categories of personal data collected by the Company are presented in detail in the table provided below. Each entry defines the nature of the data, its origin, how it is collected, and the contextual interaction in which such collection typically occurs:

Category	Description	Source	Collection Method	Collection Scenario
Identity Data	Name, username, date of birth, profile photo (if submitted)	User	Provided voluntarily	During account registration, reseller onboarding, or checkout
Contact Data	Email, phone number, shipping and billing addresses	User	Provided voluntarily	While placing an order, creating an account, or submitting forms
Payment & Financial Data	Masked card details, UPI ID, payment ID, Card details, CVV payment timestamp	Payment gateway, user	Provided via secure channel	At the time of making a purchase or processing a transaction
Order & Transaction Data	Purchase history, cart contents, order IDs, shipping tracking info	Platform backend, logistics	Automatically collected	After placing orders or interacting with the cart
Device & Technical Data	IP address, browser type, device model, OS, screen resolution, time zone	User device/browser	Automatically collected	When browsing the site or interacting via any device
Usage & Log Data	Page visits, session duration, clicks, crash reports, error logs	Internal system	Automatically collected	During any on-site or in-app activity
Location Data	Approximate or precise geolocation via IP or browser (if permitted)	User browser or device	Automatically collected	While accessing the Platform with location permissions
Behavioural Data	Items viewed, wishlist activity, cart interactions, session flow	Platform analytics	Automatically collected	As part of browsing and shopping behaviour
Marketing & Communication Data	Newsletter preferences, survey responses, promotional opt-ins/out	User, CRM systems	Voluntarily provided	When subscribing, responding to campaigns, or updating preferences
Account Credentials	Hashed passwords, OTP logs, login attempts	User	Provided voluntarily	At registration or login
Social Media Data	Public profile info (name, email, metadata) from linked accounts	Third-party login APIs	API-based retrieval	When logging in via Google, Facebook, or other integrations
Customer Support Data	Emails, chat transcripts, complaint records	User, support systems	Provided voluntarily	During customer support requests or helpdesk interactions
Referral or Affiliate Data	Referral codes used, affiliate clicks, influencer coupon application	Affiliate and marketing platforms	Automatically collected	When using referral links or participating in campaigns
User-Generated Content	Reviews, testimonials, public comments, uploaded photos or videos	User	Provided voluntarily	When submitting content via product pages or campaigns
Reseller/Business Data	Business name, contact person, social handles, business summary	Reseller	Provided voluntarily	During reseller application or partnership proposal
Creator/Collaborator Data	Portfolio links, bios, creative samples, brand associations	Creator/Collaborator	Provided voluntarily	During onboarding or collaboration discussions

4. PURPOSE OF DATA COLLECTION & USE

a) Culture Circle collects personal data through lawful, fair, and transparent means, using both direct and indirect collection mechanisms. All data is collected only to the extent necessary for defined, legitimate, and proportionate purposes in connection with the services provided on the Platform.

b) The Company may, from time to time, use AI-enabled tools or automated software systems to support internal processing, organisation, segmentation, or analysis of personal data, such as trend recognition, recommendation models, fraud detection, or customer preference mapping. All such tools are subject to ethical safeguards, accuracy checks, and restricted deployment. Automated processing shall not override user rights or be used as the sole basis for decision-making that materially affects the user.

c) All personal data collected and processed by Culture Circle is accessed internally on a strictly need-to-know basis, governed by the principles of role-based access control (RBAC) and least privilege. Access is granted only to authorised personnel depending on function, such as customer support, finance, marketing, compliance, fulfilment, or technology teams. Access logs are maintained and periodically reviewed, and no unauthorised or cross-functional access is permitted.

d) The following table outlines the specific purposes for which each category of Personal Data may be collected and used:

Purpose of Processing	Category of Personal Data Involved	Legal Basis under DPDPA	Processing & Internal Access Control
To process, fulfil, and deliver orders	Identity Data, Contact Data, Payment & Financial Data, Order & Transaction Data, Location Data	Performance of Contract; Consent	Order and delivery managed by Logistics team; access restricted to logistics and transaction nodes
To provide account registration and login functionality	Identity Data, Account Credentials, Contact Data	Consent; Legitimate Use	Data encrypted and stored securely; access permitted to platform engineering and account services team
To communicate order updates and service-related information	Contact Data, Order & Transaction Data	Legitimate Use; Performance of Contract	Enabled through CRM and order systems; limited to support and logistics personnel
To personalise user experience and recommend products	Behavioural Data, Usage Data, Wishlist, Purchase History	Consent (cookies); Legitimate Use	Analytics dashboards used; no direct identifiers accessed; limited to marketing analytics team
To conduct marketing campaigns and send promotional content	Contact Data, Marketing Preferences, Purchase History	Explicit Consent	Executed through marketing automation tools; accessed by authorised brand and campaign teams
To conduct customer satisfaction surveys, reviews, and feedback	Contact Data, Usage Data, User-Generated Content	Consent	Survey data anonymised for analysis; review content published upon moderation; limited access to community team
To provide customer service and resolve complaints	Contact Data, Order & Transaction Data, Customer Support Data	Legitimate Use; Performance of Contract	Case-specific access by grievance redressal team; records logged in helpdesk with limited audit rights
To detect and prevent fraud, abuse, or policy violations	Identity Data, Device Data, Transaction Data, Account Credentials	Legitimate Use; Legal Obligation	Monitored by fraud engine; escalated alerts reviewed by compliance and backend admin teams only.
To comply with applicable legal, regulatory, and tax requirements	Identity Data, Transaction Data, Payment & Financial Data	Legal Obligation	Reviewed by finance, legal, or compliance officers; maintained in audit-compliant formats.
To maintain records for audit, dispute resolution, and risk management	Identity Data, Contact Data, Payment & Transaction Data	Legal Obligation; Legitimate Interest	Records encrypted and archived in controlled-access databases; reviewed during audit cycles.
To improve website performance, analytics, and internal reporting	Usage Data, Device Data, Aggregated Behavioural Data	Consent (cookies); Legitimate Use	Data is pseudonymised and aggregated; accessible to analytics teams for platform enhancement only.
To process influencer codes and affiliate marketing programs	Referral Data, Identity Data, Transaction Data	Consent; Performance of Contract	Affiliate activity tracked by partner platforms; access limited to campaign managers
To engage authorised third-party service providers for business operations	All relevant data categories	Performance of Contract; Legitimate Use	Data shared over secured channels; processors bound by confidentiality and lawful processing obligations
To send transactional SMS and voice communications via authorised providers	Contact Data, Communication Preferences	Consent	Routed through messaging APIs; governed by marketing or order communication SOPs
To onboard and evaluate resellers and commercial partners	Reseller/Business Data, Contact Data, Identity Data	Consent; Performance of Contract	Verified by business onboarding team; stored securely and accessible only to B2B managers
To showcase creator submissions, portfolios, or collaborative content	Creator/Collaborator Data, Contact Data, Attribution Metadata	Consent	Used only with explicit opt-in; access by creative and content publishing teams
To publish and moderate user-generated content such as reviews or testimonials	User-Generated Content, Identity Data (where public), Feedback Data	Consent	Moderated manually prior to publishing; limited to UGC moderation and community management teams

e) The Company does not use Personal Data for any purpose other than those stated above without providing appropriate notice and, where applicable, obtaining specific and informed consent from the Data Principal.

f) Where consent is the legal basis for processing, the User may withdraw such consent at any time by contacting the Grievance Officer or using the mechanisms provided on the Platform. However, withdrawal of consent may affect the ability to deliver certain products or services.

g) The Company ensures that all processing of Personal Data is proportionate, limited to the extent necessary for the stated purposes, and in accordance with the principles of fairness, transparency, and accountability under applicable law.

5. LEGAL BASIS FOR PROCESSING

a) The Company processes Personal Data only when there is a lawful basis for such processing under the Digital Personal Data Protection Act, 2023, or other applicable laws. The legal bases may include one or more of the following:

b) Consent of the Data Principal: Where the Company collects Personal Data directly from a User or Data Principal, it shall do so after obtaining the individual's free, specific, informed, unconditional, and unambiguous consent through clear affirmative action.

c) Examples:

i. Subscribing to marketing emails or newsletters;
ii. Providing optional demographic details or feedback;
iii. Participating in surveys, contests, or promotional campaigns;
iv. Creating an account on the Platform.

d) The User may withdraw consent at any time through the settings panel, opt-out links, or by contacting the Grievance Officer. Such withdrawal shall not affect any prior lawful processing.

e) Performance of a Contract: The Company may process Personal Data where such processing is necessary to fulfil its obligations under a contract with the Data Principal or to take steps at their request before entering into a contract.

i. Examples:
ii. Processing an order placed by a User;
iii. Arranging for delivery, payment, and returns;
iv. Providing customer support regarding the order.

f) Compliance with Legal Obligations: The Company may process Personal Data where it is legally required to do so under applicable laws, court orders, or regulations, including requirements imposed by government or law enforcement agencies.

g) Examples:

i. Complying with taxation and invoicing regulations;
ii. Retaining records for audits;
iii. Assisting law enforcement in fraud or criminal investigations;
iv. Compliance with obligations under the Information Technology Act or applicable consumer laws.

h) Legitimate Use (as permitted under Section 7 of the DPDPA, 2023): The Company may process Personal Data without consent for certain "legitimate uses" as explicitly provided under the DPDPA, including but not limited to:

LEGITIMATE USE CATEGORY	EXAMPLE
Voluntary Data Provided by User	User submits details for placing an order or contacting customer support
Provision of Benefit or Service	Delivering a purchased product or issuing an invoice
Legal Proceedings or Dispute Resolution	Defending legal claims, enforcing contractual rights
Public Interest or Public Order	Co-operating with investigations, law enforcement or public safety officials
Employment or Internal Administration	Processing employee/vendor data for internal compliance or record-keeping

i) The Company ensures that any reliance on legitimate use does not override the fundamental rights and expectations of the Data Principal and is consistent with the purpose limitation and necessity principles.

j) Public Interest or Public Health (If Applicable): In exceptional circumstances such as pandemics or emergencies, the Company may process Personal Data in the interest of public health, subject to applicable statutory permissions or directions from government authorities.

k) Where Personal Data is collected indirectly or through third-party service providers, the Company ensures that such third parties have obtained appropriate legal basis (including consent) for sharing such data with the Company. A list of categories of third parties (including their names, where applicable) with whom Personal Data may be shared is set out below. These third parties are contractually obligated to maintain the confidentiality and security of the data and to process such data strictly in accordance with applicable law and instructions issued by the Company.

l) The Company maintains detailed internal records of the legal basis applicable to each processing activity, and such records are reviewed periodically to ensure compliance.

m) In cases where the legal basis for processing changes (e.g., from contract to consent), the Company shall notify the Data Principal and, where required, obtain fresh consent before proceeding.

6. CONSENT MANAGEMENT

a) Obtaining Consent: The Company shall obtain the free, specific, informed, unconditional, and unambiguous consent of the Data Principal before collecting or processing any Personal Data, unless the processing is permitted under legitimate use or legal obligation in accordance with Section 5 of this Policy.

b) Consent is obtained in a clear and granular manner at the point of data collection, such as during:

i. Account registration;
ii. Checkout and payment stages;
iii. Subscription to newsletters or marketing communications;
iv. Participation in contests, surveys, or referral programs;
v. Accepting cookies and similar tracking technologies on the website.
vi. No pre-ticked boxes, bundled consent, or inferred consent mechanisms are used. Consent must be affirmatively provided by the User. For the users who do not agree or consent to the terms of this Privacy Policy are advised not to access or use the Website.

c) Layered Notices: All consent requests are accompanied by a layered privacy notice that includes:

i. The purpose of data collection;
ii. The categories of data collected;
iii. Whether the data will be shared with third parties;
iv. A link to this Privacy Policy;
v. Contact details of the Grievance Officer.

d) These notices are drafted in clear, plain, and concise language to ensure that Users understand what they are agreeing to.

e) Proof and Record of Consent: The Company maintains verifiable records of the consent obtained from each Data Principal, including the time, method, and purpose for which consent was granted. These records are stored securely and may be made available to the Data Protection Board or other authorities in the event of a lawful request or audit.

f) Refusal or Conditional Consent:

i. Users have the right to refuse consent for optional features (such as marketing communications) without affecting their access to essential services (such as ordering products).
ii. Any conditional consent that ties unrelated services or benefits to the provision of Personal Data is not enforced by the Company, unless reasonably necessary for the functioning of such services.

g) Withdrawal of Consent:

i. The Data Principal may withdraw consent at any time, without any adverse consequences, by:
ii. Using the unsubscribe or opt-out links in emails or messages;
iii. Changing settings in the user account dashboard;
iv. Contacting the Grievance Officer directly at grievances@culture-circle.com.
v. Upon withdrawal of consent:
vi. The Company shall cease processing the concerned Personal Data within a reasonable time, unless required to retain it under law;
vii. Certain services may become unavailable to the User where such services are dependent on the withdrawn data.

h) Consent for Minors:

i. The Company does not knowingly collect Personal Data from individuals below the age of 18 years without verifiable parental or guardian consent as required under Section 9 of the DPDPA, 2023.
ii. If the Company becomes aware that Personal Data of a minor has been collected without lawful parental consent, such data shall be promptly deleted.

i) Cookies and Tracking Consent:

i. The Company uses cookies and similar technologies for enhancing User experience, analytics, and targeted advertising.
ii. Preferences for cookies can be modified through Cookie preferences in the browser settings which may allow Users to:
iii. Accept all cookies;
iv. Manage preferences by category;
v. Reject non-essential cookies.

j) The Company honours the User's tracking preferences and provides information on how to modify or withdraw cookie preferences in its Cookie Policy [insert].

k) Updates to Consent Preferences:

i. Users may modify their consent preferences at any time by visiting their by contacting customer care.
ii. The Company periodically prompts Users to review and confirm their consent preferences to ensure continued alignment with their expectations and legal requirements.

7. CHILDREN'S DATA

a) The Company is committed to protecting the privacy of children and complying with the provisions of Section 9 of the Digital Personal Data Protection Act, 2023, which restricts the processing of personal data of children without verifiable parental or guardian consent.

b) For the purposes of this Policy, a child is defined as an individual who has not completed the age of 18 years, unless a different age threshold is prescribed by applicable law.

c) The Company does not knowingly collect, process, or store Personal Data from children unless:

i. It is necessary for delivering a service explicitly intended for child users; and
ii. Verifiable parental or guardian consent has been obtained through acceptable means, such as a digitally signed declaration or validated OTP-based consent process.

d) If it comes to the Company's attention that Personal Data of a child has been collected without lawful consent, the Company shall:

i. Promptly delete such Personal Data from its systems; and
ii. Notify the parent or guardian, if identifiable, of such deletion.

e) The Company does not engage in behavioural tracking, profiling, or targeted advertising towards children, directly or indirectly, in compliance with the prohibitions under Section 9 of the DPDPA.

8. COOKIE AND TRACKING TECHNOLOGIES

a) The Company uses cookies and similar tracking technologies (such as pixels, beacons, and local storage) on its website and mobile application to enhance user experience, deliver personalized content, enable core functionalities, analyze usage trends, and facilitate marketing campaigns.

b) Users are provided with a cookie policy, which can be accessed through the Platform, in accordance with the notice and consent requirements under the Digital Personal Data Protection Act, 2023, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

c) The types of cookies used, their purposes, and the list of third-party tools involved are described in the Company's Cookie Policy, which forms an integral part of this Privacy Policy.

d) Users may review or update their cookie preferences at any time by visiting the Cookie Preferences in their browser settings.

e) For more detailed information on our cookie practices, including how to manage or disable cookies at the browser level, please refer to our full Cookie Policy.

9. DATA SHARING AND THIRD-PARTY TRANSFERS

a) Internal Access and Sharing: Personal Data collected by the Company may be accessed by authorised internal teams, including but not limited to operations, customer support, marketing, logistics coordination, product development, finance, and compliance, strictly on a need-to-know basis. All such access is governed by internal access controls, confidentiality obligations, and data minimisation principles.

b) Third-Party Disclosures: The Company may share Personal Data with trusted third-party service providers, vendors, and business partners (collectively, "Third Parties") solely for the purpose of enabling the Company to provide its products and services efficiently. These Third Parties process Personal Data on behalf of the Company and are contractually bound to comply with applicable data protection laws, maintain data confidentiality, and use the data only for the specified purposes. A summary of categories of Third Parties with whom data may be shared, and the purpose of sharing, is set out in Section 5(a)(viii) above.

c) Categories of Third Parties May Include:

i. Payment gateways and processors – to facilitate secure payment transactions;
ii. Shipping and logistics providers – to deliver products to customers;
iii. Cloud hosting and IT infrastructure providers – to securely store and manage Platform data;
iv. Marketing, analytics, and advertising tools – to run campaigns and personalise content;
v. Customer support and CRM tools – to resolve service requests and complaints;
vi. Auditors, legal counsel, tax advisors – for regulatory, dispute, or audit purposes;
vii. Government authorities or law enforcement – when required under applicable laws or court orders.
viii. Affiliate marketing and referral partners – to track referrals, influencer codes, and campaign performance.
ix. Retargeting and personalised advertising platforms – to deliver interest-based advertisements across websites and social media.
x. Analytics and performance monitoring tools – to understand usage patterns, improve features, and track system performance (e.g., Google Analytics).
xi. Communication and messaging platforms – to manage transactional emails, SMS, voice calls, and customer notifications (including via third-party APIs).
xii. User authentication and access management providers – to verify identity and manage secure account login and session activity.
xiii. Product testing and development service providers – to conduct usability testing, feature deployment, and technical troubleshooting.
xiv. Affiliates and group entities – to ensure coordinated service delivery and shared business operations under common control.
xv. Business partners – to jointly offer or promote co-branded products, services, events, or incentives.
xvi. M&A or corporate transaction parties – in connection with mergers, acquisitions, investments, restructuring, or sale of business assets.
xvii. The table below summarizes the data collected, transferred and used by the Company:

CATEGORY	PURPOSE OF PROCESSING	THIRD PARTY NAME(S)	TYPE OF DATA SHARED
Payment Processors	To facilitate secure payments	Razorpay, Paytm, Cashfree, PhonePe, Stripe	Name, contact, transaction ID, masked card/bank info
Shipping & Logistics Partners	To deliver orders and provide tracking	Nimbuspost, Delhivery, Shiprocket, Bluedart, Ekart	Name, contact, address, order details
Email & SMS Communication	To send order updates, alerts, and promotional messages	Mailchimp, Sendinblue, Gupshup, Twilio	Email, phone number, communication logs
Web Hosting & Infrastructure	Website operation, backups, and performance	Hostinger, AWS, Cloudflare, DigitalOcean	Device metadata, IP address, access logs
Marketing and Retargeting Tools	Online advertising, analytics, and promotional campaigns	Meta (Facebook), Google Ads, Instagram, Hotjar, CleverTap	IP address, browsing behavior, cookies
Customer Support Tools	Customer query management and ticketing	Freshdesk, Zoho Desk, Intercom	Name, contact, chat logs, order info
Analytics & Tracking Providers	Monitor website usage and improve services	Google Analytics, Facebook Pixel, Microsoft Clarity	IP, session data, page visits, clicks
Affiliate/Influencer Platforms	Track referral codes, commissions	Impact.com, Refersion, custom influencer codes	Referral ID, coupon usage, transaction data
Internal Consultants & Auditors	Legal, tax, or compliance purposes	CA firms, Legal counsel, Compliance auditors (on retainer)	Financial, order, and sometimes user data
Government or Legal Authorities	Legal compliance, law enforcement	Income Tax Dept., Police, Consumer Forums	Any legally mandated personal data, upon request
Authentication & Access Services	To manage account logins, identity, and session security	Firebase Auth, AWS Cognito, custom OTP APIs	User ID, email, mobile, OTP verification logs

d) Cross-Border Transfers:

i. As of the effective date of this Policy, the Company stores and processes Data on servers located within India as well as outside India including USA and Canada. Further, third-party tools and service providers may process data on infrastructure located outside India, subject to appropriate legal safeguards.
ii. Any transfer of Personal Data outside India shall be conducted in accordance with Section 16 of the Digital Personal Data Protection Act, 2023, and any rules or government-issued notifications relating to cross-border transfers.
iii. The Company shall ensure that any such transfers are made:
1. To countries or territories recognised by the Indian Government as having adequate data protection standards; or
2. Pursuant to appropriate contractual arrangements (such as standard contractual clauses or data protection agreements) that ensure the same level of data protection as applicable under Indian law.
iv. No Sale of Personal Data: The Company does not sell, rent, trade, or otherwise monetise Personal Data of its users or customers to any third party for direct commercial gain.
v. Aggregated and Anonymised Data: The Company may share anonymised or aggregated data (which does not identify an individual directly or indirectly) with business partners, advertisers, or research agencies for the purpose of market analysis, trend detection, or improving services. Such data is outside the scope of "Personal Data" as defined under applicable law.
vi. Due Diligence and Oversight: The Company undertakes vendor due diligence and executes appropriate data processing agreements or confidentiality undertakings with all Third Parties who receive or process Personal Data, ensuring that:
1. Data is processed only for legitimate and stated purposes;
2. Adequate security measures are in place to prevent misuse or unauthorised access;
3. Processing ceases upon completion of the contractual purpose or termination of engagement.

10. USER OBLIGATIONS

a) Users who access or interacting with the Culture Circle Platform are required to act in good faith, observe lawful conduct, and take reasonable responsibility for the personal data and activities associated with their accounts. By engaging with the Platform, each user accepts the obligation to comply with this Policy, the Platform's Terms of Use, and all applicable Indian laws.

b) Users are expected to ensure the accuracy, completeness, and legality of the information they provide. Personal data submitted must not be false, misleading, stolen, impersonated, or unlawfully obtained. Culture Circle shall not be liable for any consequences arising from reliance on erroneous or unauthorised data submitted by users.

c) Users shall be personally responsible for the integrity and confidentiality of their account credentials, devices, and access points used to engage with the Platform:

i. Login credentials (including passwords and OTPs) must not be shared, disclosed, or reused in an insecure manner;
ii. Devices used to access the Platform must be protected against unauthorised use, malware, or data breaches;
iii. Users are advised to log out from shared or public systems and update passwords periodically

d) Users shall refrain from engaging in, authorising, or facilitating any activity that:

i. Violates the intellectual property rights, privacy, or dignity of other users, creators, resellers, or collaborators;
ii. Circumvents or manipulates Platform features, analytics systems, payment processes, or consent flows;
iii. Submits or uploads objectionable, abusive, harmful, fraudulent, or misleading content, including fabricated user reviews or impersonated identities.

e) Users shall not attempt to:

i. Probe, scan, or test the vulnerability of the Platform or its security systems;
ii. Gain unauthorised access to other user accounts, internal databases, restricted APIs, or administrative areas;
iii. Use any automated tools or scripts (e.g., bots, scrapers, crawlers) without prior written consent from the Company.

f) Users must promptly notify Culture Circle in the event of:

i. Suspected unauthorised access to their account or credentials;
ii. Discovery of any system vulnerabilities or data security concerns;
iii. Receipt of fraudulent communications impersonating the Platform.

g) Users may have the ability to submit, post, or upload content on the Culture Circle Platform, including but not limited to product reviews, testimonials, feedback, comments, ratings, creative media, and other publicly visible content ("User-Generated Content" or "UGC")

h) All UGC submitted must be original, lawful, respectful, and relevant to the purpose for which it is submitted. Users shall be solely responsible for the content they contribute, and represent that they have full rights and authority to submit such material.

i) By submitting UGC to the Platform, the user grants Culture Circle a worldwide, royalty-free, non-exclusive, and irrevocable license to use, display, reproduce, publish, modify, and distribute such content for the purposes of:

i. Displaying it on the Platform;
ii. Promoting products, campaigns, or community engagement;
iii. Reposting or syndicating it via Culture Circle's social media or partner platforms.

j) Culture Circle reserves the right to:

i. Review, moderate, or edit submitted content;
ii. Refuse publication of content deemed inappropriate, misleading, defamatory, or in violation of law or Platform policy;
iii. Remove any UGC without prior notice at its sole discretion.

k) Users may request the removal of UGC that they have previously submitted by writing to the Company, subject to verification and lawful review.

l) Culture Circle reserves the right to suspend, restrict, or terminate a user's account or access if a violation of these obligations is suspected, reported, or confirmed. Further, the Company may initiate legal proceedings or report such violations to competent authorities under applicable law.

11. MARKETING, COMMUNICATIONS, NEWSLETTERS AND VISIBILITY PREFERENCES

a) Culture Circle may, from time to time, send users promotional communications, newsletters, event announcements, limited-edition releases, and product or brand-related updates, based on prior consent. Users are provided the option to manage their communication preferences at the time of subscription, registration, or through account settings.

b) Marketing and promotional content is shared only:

i. Where the user has explicitly opted in to receive such communications;
ii. Where a business partner (e.g., reseller or creator) has consented to visibility or promotional participation;
iii. Through channels approved by the user, such as email, SMS, WhatsApp, or push notifications.

c) Users, collaborators, or business partners may withdraw their consent to receive marketing communications or newsletters at any time by:

i. Clicking the "unsubscribe" or "opt-out" link included in promotional emails;
ii. Accessing their profile or account settings to update preferences;
iii. Writing directly to the Company at the contact email provided in this Policy.

d) Certain platform communications may be transactional in nature and not subject to consent withdrawal. These include order confirmations, delivery updates, security alerts, and account-related notices.

e) Resellers and creators onboarded on the Platform may be invited to participate in promotional campaigns, featured listings, or editorial content. Such visibility is optional and subject to:

i. Explicit opt-in via onboarding forms or campaign invitations;
ii. Withdrawal or modification of consent by written notice to the Company;
iii. De-listing or content takedown within a reasonable timeline upon request.

f) All marketing and visibility preferences shall be recorded, timestamped, and retained as part of the Platform's consent management framework, in accordance with the Digital Personal Data Protection Act, 2023 and related regulations.

12. DATA RETENTION & STORAGE

a) Retention Principle: The Company retains Personal Data only for as long as is reasonably necessary to:

i. Fulfil the purpose for which it was collected;
ii. Comply with legal or regulatory obligations;
iii. Resolve disputes, enforce contracts, or defend legal claims;
iv. Maintain records for auditing, taxation, or business continuity purposes.

b) The retention period is determined by the nature of the data, the purpose of processing, and any applicable legal or contractual requirements.

c) Data Retention Timelines:

Category of Data	Typical Retention Period	Legal / Operational Basis
Identity and Contact Data	3 years from last activity or transaction	Statutory limitation for consumer claims, account recovery, and customer support
Order and Transaction Data	8 years from date of transaction	Income Tax Act compliance, accounting, audit, GST and invoice retention requirements
Payment and Financial Data (masked)	As per RBI Payment Aggregator Guidelines or 13 months	Regulatory requirements, fraud monitoring, chargeback defence
Customer Support and Complaint Logs	3 years from date of last correspondence	Grievance handling, dispute resolution, internal quality audit
Marketing Preferences and Opt-In Data	Until withdrawal of consent or 2 years of inactivity	Consent-based retention for promotional communications
Analytics and Usage Data (pseudonymised)	12–18 months from date of collection	Platform optimisation, performance measurement, and internal benchmarking
Account Credentials (Hashed)	Until account is deleted or voluntarily deactivated	Essential for user login, multi-factor authentication, and session recovery
Unused or Dormant Account Data	2 years of inactivity, with 30-day advance notice before deletion	Data minimisation, privacy-by-default, and periodic account housekeeping
Reseller / Business Partner Data	5 years from last engagement or active listing	Business record maintenance, compliance, fraud traceability, onboarding due diligence
Creator / Collaborator Data	5 years from end of engagement or publication date	Brand representation, portfolio attribution, legal traceability of submitted creative content
User-Generated Content (UGC)	Until takedown request is verified and processed	Public content hosted until user requests removal or account is deleted
Anonymised or Aggregated Data	Retained indefinitely	No longer constitutes "personal data" under DPDPA; used for trends, reports, or insights

Note: The above periods are subject to change in case of any legal proceedings, enforcement actions, or statutory hold directives.

d) Deletion and De-identification: Upon expiration of the applicable retention period, Personal Data is either:

i. Permanently deleted from all systems (active and backup); or
ii. Anonymised or de-identified in a way that prevents re-identification of the Data Principal.

The Company ensures that deletion is performed in a secure manner using industry-standard sanitisation or erasure methods.

e) Right to Request Deletion:

i. A Data Principal or its Nominee may request deletion of their Personal Data where:
1. The data is no longer necessary for the purpose for which it was collected;
2. Consent has been withdrawn and there is no other legal basis for retention;
3. The data has been unlawfully processed.

f) Such requests will be honoured subject to legal and contractual retention obligations and shall be responded to within a reasonable period as prescribed under the DPDPA, 2023.

g) Storage Location and Backups: Personal Data is stored on secure servers operated by the Company or its authorised hosting providers, currently located in India. Periodic encrypted backups are maintained to ensure data recoverability in case of system failure, which are subject to the same retention and deletion practices outlined above.

h) Policy Review and Updates: The Company periodically reviews its data retention schedules and storage practices to ensure compliance with evolving legal standards and operational needs. Any changes to retention durations will be notified through an update to this Policy.

13. REASONABLE SECURITY PRACTICES

a) Culture Circle is committed to ensuring the security, integrity, and confidentiality of the Personal Data it collects and processes. In line with Rule 8 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and Section 8(5) of the Digital Personal Data Protection Act, 2023, the Company implements appropriate technical, organizational, and administrative security measures to protect Personal Data against accidental loss, unauthorised access, destruction, misuse, alteration, or disclosure.

b) The Company adopts industry-standard safeguards including, but not limited to:

i. End-to-end encryption of sensitive data during transmission (SSL/TLS protocols);
ii. Hashing and salting of passwords;
iii. Firewalls and intrusion detection systems for network monitoring;
iv. Access control policies based on role and need-to-know;
v. Secure APIs and encrypted payment gateways;
vi. Multi-factor authentication (MFA) for administrative and system access;
vii. Logging and monitoring of access to sensitive systems;
viii. Regular vulnerability assessments and penetration testing (VAPT);
ix. Frequent security patching and system updates.

c) Personal Data is stored in secure servers hosted on reputable cloud platforms that are compliant with industry frameworks such as ISO/IEC 27001 and SOC 2, where applicable. All third-party service providers processing Personal Data on the Company's behalf are contractually bound to adhere to similar or higher levels of security and confidentiality.

14. NOTIFICATION OF PERSONAL DATA BREACH

a) Culture Circle, adopts a proactive and structured approach to identifying, mitigating, and responding to any personal data breach. A personal data breach refers to any unauthorised or accidental disclosure, alteration, loss, destruction, or access to Personal Data that compromises its confidentiality, integrity, or availability whether caused by technical failures, malicious attacks, human error, or organisational gaps.

b) Data Breach Response Procedure and Timelines: In the event of a suspected or confirmed data breach, the Company shall activate its internal Data Breach Response Procedure, which comprises the following steps and timeframes as detailed in Annexure A.

c) Information Included in Notifications: Any notification to the Data Protection Board of India, CERT-In, or affected individuals (Data Principals) shall include the following information:

i. Nature and categories of Personal Data affected;
ii. Number of individuals impacted;
iii. Date and time of the breach (estimated and confirmed);
iv. Likely consequences or harm;
v. Actions taken to mitigate risks and limit damage;
vi. Contact information of the Grievance Officer or point of contact;
vii. Instructions for Users on how to protect themselves.

d) Breach Severity Categorisation: The Company classifies data breaches into three severity levels:

i. Level 1 – Minor: No sensitive data involved, minimal or no risk;
ii. Level 2 – Moderate: Involves contact or identity data, limited exposure;
iii. Level 3 – Critical: Involves sensitive personal data, financial data, or a large number of individuals, with potential for significant harm.

Only Level 2 and Level 3 breaches require mandatory external notification.

e) User Cooperation: Users who become aware of any potential compromise of their account, such as unauthorised login attempts, phishing emails, or suspicious transactions, must report the same immediately by emailing customersupport@culture-circle.com. The Company will investigate such reports on priority and take appropriate action.

15. RIGHTS OF DATA PRINCIPALS

a) As a Data Principal under the Digital Personal Data Protection Act, 2023, you are entitled to exercise the following rights in relation to your Personal Data collected and processed by Culture Circle. These rights are subject to reasonable limitations and applicable legal requirements.

b) As per the Digital Personal Data Protection Act, 2023, Data Principals have the following rights in relation to their Personal Data:

RIGHT	DESCRIPTION	TIMELINE FOR RESPONSE	HOW TO EXERCISE THIS RIGHT
Right to Access	To know whether the Company processes your Personal Data and request details such as categories, purpose, recipients, and retention period.	Within 15 working days	Email a request to customersupport@culture-circle.com or use your account dashboard (if available).
Right to Correction	To request correction, updating, or completion of inaccurate, outdated, or incomplete Personal Data.	Within 10 working days	Submit a correction request with valid supporting documents to customersupport@culture-circle.com
Right to Erasure	To request deletion of Personal Data that is no longer necessary, has been unlawfully processed, or after consent withdrawal.	Within 15 working days	Send a deletion request via email to customersupport@culture-circle.com with identity verification.
Right to Withdraw Consent	To withdraw previously given consent for specific data processing activities.	Immediate upon confirmation	Use opt-out links in emails or write to customersupport@culture-circle.com specifying the consent to withdraw.
Right to Grievance Redressal	To file a complaint regarding delay, denial, misuse, or mishandling of Personal Data or non-fulfilment of rights.	Acknowledgement in 48 hrs, resolution in 7 working days	Email your grievance to the Grievance Officer at customersupport@culture-circle.com
Right to Nominate	To nominate another individual to exercise your rights under this Policy in the event of your death or incapacity.	As per Company records	Send a signed nomination form or declaration via email to customersupport@culture-circle.com
Right to Be Informed	To receive clear, accessible information on data collection, legal basis, purpose, rights, third-party disclosures, and policy changes.	Continuous right	Review this Privacy Policy regularly and subscribe to update notifications via email or the Platform.

16. GRIEVANCE REDRESSAL MECHANISM

a) Culture Circle India is committed to addressing all privacy-related concerns, complaints, and requests in a transparent, secure, and time-bound manner. In accordance with Section 13 of the Digital Personal Data Protection Act, 2023 and Rule 5(9) of the IT Rules, 2011, the Company has appointed a Grievance Officer to ensure proper handling of grievances related to Personal Data.

b) Lodging a Grievance: If you have any concerns or grievances regarding:

i. Denial or delay in fulfilling your data rights;
ii. Misuse, unauthorised access, or mishandling of your Personal Data;
iii. Withdrawal of consent not being respected;
iv. Violation of any terms of this Privacy Policy;
v. Any breach of applicable data protection laws;

c) You may raise a grievance by sending an email to the designated Grievance Officer:

Grievance Officer

Email: grievances@culture-circle.com

Address: Two Horizon Centre, DLF Phase 5, Sector 43, Gurugram, Haryana 122002

Working Hours: Monday to Friday, 10:00 AM to 6:00 PM IST

d) Grievance Handling Procedure and Timelines:

STAGE	ACTION	TIMELINE
Acknowledgement	The Grievance Officer will acknowledge receipt of your complaint.	Within 48 hours
Initial Review	Assess completeness and legitimacy of the grievance.	Within 2 working days
Investigation and Resolution	Conduct internal inquiry, coordinate with relevant departments, resolve issue.	Within 7 working days
Notification of Outcome	Communicate resolution decision or status update to the complainant.	Within 10 working days total

e) If you are dissatisfied with the resolution provided by the Grievance Officer or if no response is received within the prescribed period, you have the right to escalate the matter to the Data Protection Board of India under Section 13(2) of the Digital Personal Data Protection Act, 2023.

17. FORCE MAJEURE

The Company shall not be held liable for any failure or delay in performing its obligations under this Privacy Policy, including the processing of rights requests or breach notifications, due to circumstances beyond its reasonable control. Such events may include natural disasters, war, civil unrest, pandemic, governmental actions, electricity or internet outages, cyberattacks, or other force majeure events. During such periods, the Company will take reasonable steps to mitigate the impact and restore normal operations as soon as practicable.

18. GOVERNING LAW AND JURISDICTION

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts located in [New Delhi], India, without regard to conflict of law principles.

19. CHANGE IN OWNERSHIP OR CONTROL

In the event of a merger, acquisition, reorganisation, or sale of all or a portion of the Company's assets or business, Personal Data held by the Company may be transferred to the successor entity. Such transfer will continue to be governed by the terms of this Privacy Policy unless and until it is amended by the successor with due notice to Users.

20. POLICY UPDATES AND NOTIFICATION

The Company may update or modify this Privacy Policy from time to time to reflect changes in legal requirements, business practices, or technological advancements. Any material changes will be notified to Users through:

(i) Prominent notices on the Platform;
(ii) Email communication to registered Users (where applicable); and
(iii) Updates to the "Last Updated" date at the top of this Policy.

Users are encouraged to periodically review this Policy to stay informed of how their Personal Data is protected.

21. CONTACT US

If you have any questions, concerns, or require clarification regarding this Privacy Policy, the processing of your Personal Data, or your rights as a Data Principal, you may contact our designated

Grievance Officer

Email: grievances@culture-circle.com

Address: Two Horizon Centre, DLF Phase 5, Sector 43, Gurugram, Haryana 122002

Working Hours: Monday to Friday, 10:00 AM to 6:00 PM IST.

By continuing to access or use the Platform, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. Your continued use of the services constitutes your consent to the collection, processing, and disclosure of your Personal Data in accordance with this Policy.

This Privacy Policy shall remain in effect until it is updated, superseded, or revoked by the Company.

ANNEXURE A

DATA BREACH RESPONSE FRAMEWORK & TIMELINE

STAGE	ACTION	TIMELINE
1. Detection & Containment	Identify and verify the breach, isolate affected systems	Within 6 hours of detection
2. Preliminary Risk Assessment	Assess scope, type of data affected, sensitivity, and potential impact	Within 12 hours of detection
3. Internal Escalation	Notify Compliance Officer, Data Protection Officer, and senior management	Within 12 hours
4. Reporting to Authorities	Notify CERT-In and/or the Data Protection Board of India, where applicable	Within 6 hours of confirming the breach (as per CERT-In guidelines)
5. Notification to Individuals	Inform affected Data Principals of the nature of the breach, risk, and mitigation steps	Within 48 hours, where risk of harm is high
6. Remedial Action	Contain breach, patch systems, reset credentials, and prevent recurrence	Immediate, completed within 72 hours
7. Documentation & Audit Trail	Record breach details, investigation logs, and corrective measures taken	Within 7 days of incident
8. Final Report & Policy Update	Root cause analysis and review of internal policies/training	Within 15 days of breach