Privacy Policy

1. Scope and Applicability

This Privacy Policy applies to all individuals and entities interacting with OMNIUS Cloud Private Limited ("Company") in connection with the use of its Services.

This includes, without limitation:

• users and customers of the Company's cloud infrastructure, platforms, and applications;
• visitors accessing the Company's website or digital interfaces;
• business partners, vendors, and third-party service providers;
• individuals providing information during onboarding, verification, support, or communication processes.

This Policy governs the collection, use, processing, storage, disclosure, and protection of Personal Data, Customer Data, and technical or system-generated data arising from use of the Services. It applies regardless of the method of access, including web, API, integrations, or other technical interfaces.

2. Definitions

"Personal Data"

means any information relating to an identified or identifiable individual, whether directly or indirectly.

"Data Principal"

means the individual to whom the Personal Data relates (as defined under the Digital Personal Data Protection Act, 2023).

"Data Fiduciary"

means an entity that determines the purpose and means of processing Personal Data.

"Customer Data"

means any data, content, files, or information submitted, stored, processed, or transmitted by customers using the Services.

"Processing"

means any operation performed on data, including collection, storage, use, modification, transfer, disclosure, or deletion.

"KYC Data"

means identity verification data, including government-issued identification and related documentation.

"Authorised User"

means any individual authorised to access or use the Services.

"Subprocessor"

means any third-party entity engaged by the Company to process data on its behalf.

"DPDP Act"

means the Digital Personal Data Protection Act, 2023 (India).

3. Roles and Responsibilities

4. Categories of Data Collected

5. Identity Verification and KYC Information

6. Purpose of Processing

The Company processes data strictly for legitimate and defined purposes, including:

• providing, maintaining, and improving the Services;
• managing user accounts and authentication;
• processing billing and payments;
• delivering customer support;
• monitoring system performance;
• detecting and preventing fraud and abuse;
• complying with legal, regulatory, and contractual obligations.

Data is not processed for purposes incompatible with those described in this Policy.

7. Legal Basis for Processing

The Company processes Personal Data under one or more of the following grounds, in accordance with the Digital Personal Data Protection Act, 2023 and applicable law:

8. Data Sharing and Disclosure

The Company does not sell, rent, or trade Personal Data for monetary or commercial consideration.

9. Subprocessors

The Company may engage third-party Subprocessors to process data on its behalf. Subprocessors are subject to contractual data protection obligations no less protective than this Policy. A list of Subprocessors is available upon request at privacy@omnius.in or on the Company's website.

10. Data Security

The Company implements reasonable and appropriate technical, administrative, and organisational safeguards including:

• role-based access control, multi-factor authentication;
• encryption in transit (TLS 1.2 minimum) and at rest (AES-256 where applicable);
• system monitoring and anomaly detection;
• restricted handling of sensitive and KYC data;
• internal access controls and audit mechanisms.

No system can be completely secure. Users acknowledge that transmission over the internet is inherently insecure and no system can guarantee absolute confidentiality, integrity, or availability. The Company shall not be liable for breaches resulting from user negligence, compromised credentials, or third-party vulnerabilities.

11. Data Retention and Deletion

The Company retains data only for as long as necessary. Specific retention periods are as follows:

• Account and profile data: duration of the contract plus three (3) years post-termination;
• Financial and transaction records: eight (8) years from the date of transaction, as required under the Companies Act, 2013 and applicable tax law;
• Employee data (where applicable): eight (8) years post-employment;
• KYC data: as required for compliance, or one (1) year after the account is closed, whichever is longer;
• System logs and technical data: up to twelve (12) months for operational and security purposes;
• Customer Data: retained for ninety (90) days after account closure or Service termination, then permanently deleted or anonymised.

Once data is deleted, the Company does not guarantee recovery. Users are solely responsible for maintaining independent backups.

12. Limitation of Processing

The Company processes data strictly for the purposes described in this Policy. The Company does not:

• process data for unrelated or incompatible purposes;
• sell or commercially exploit Customer Data;
• use Customer Data for profiling, advertising, or marketing activities.

13. User Rights

14. User Responsibilities

Users are solely responsible for:

• maintaining the confidentiality and security of account credentials;
• ensuring authorised access to their accounts;
• configuring systems and security settings;
• maintaining backups of all Customer Data;
• ensuring that data uploaded through the Services is lawful and authorised.

15. Customer Data Handling

The Company processes Customer Data strictly for the purpose of providing the Services. The Company does not claim ownership over Customer Data, does not use Customer Data for independent commercial purposes, and does not access Customer Data except where required for support, security, or legal compliance.

16. Data Breach Notification

In the event of a confirmed Personal Data breach:

• the Company will initiate internal assessment and containment within seventy-two (72) hours of becoming aware of the breach (aligned with GDPR best practice and pending DPDP Act regulations);
• where required by applicable law, the Company will notify affected Data Principals and the Data Protection Board of India;
• notification will include the nature of the breach, likely consequences, and measures taken, to the extent known.

Timelines are subject to the specific requirements of the DPDP Act and any rules issued thereunder.

17. Cookies and Tracking Technologies

The Company uses cookies and similar technologies categorised as follows:

• Essential cookies: necessary for platform operation, session management, and security. Cannot be disabled.
• Functional cookies: remember user preferences and configurations. Enabled by default; can be disabled.
• Analytics cookies: help understand usage patterns to improve Services. Activated only with your consent.
• Marketing cookies: track visitors for advertising purposes. Activated only with your explicit consent.

For essential cookies, the legal basis is legitimate interest (or equivalent under DPDP Act). For analytics and marketing cookies, your consent is required. Users may manage cookie preferences through the cookie consent banner or browser settings. Disabling essential cookies may affect platform functionality. For full details, please refer to our Cookie Policy at [website]/cookie-policy.

18. Third-Party Services

The Services may integrate with or rely on third-party platforms, tools, or providers. The Company does not control such services and is not responsible for their privacy practices, security, or performance. Users are advised to review third-party policies independently.

19. Cross-Border Data Transfers

Data may be processed, stored, or accessed in jurisdictions outside the user's location. The Company shall ensure that cross-border data transfers comply with the following:

• Under the DPDP Act 2023 (Section 16): transfers are made only to countries or jurisdictions as may be notified by the Government of India. Pending such notifications, the Company implements contractual safeguards including data processing agreements with appropriate protections.
• For EU/EEA data: transfers are made using appropriate safeguards, including Standard Contractual Clauses (SCCs) or adequacy decisions, in compliance with GDPR Chapter V.

Users acknowledge that different jurisdictions may have different data protection standards. The Company will update its transfer mechanisms as government notifications under the DPDP Act are issued.

20. Children's Privacy

The Services are intended for adults and are not directed at minors under 18 years of age.

In compliance with Section 9 of the DPDP Act, 2023:

• the Company does not knowingly process Personal Data of children under 18 years of age without verifiable parental or guardian consent;
• users must confirm they are 18 years of age or older during account registration;
• where a user discloses or indicates that they are under 18, the Company will not process their data without verifiable parental consent and may restrict access to the Services;
• if the Company becomes aware that it has collected Personal Data from a child without appropriate consent, it will delete such data promptly.

Parental consent requests may be directed to privacy@omnius.in.

21. Compliance Statement

The Company aims to operate in alignment with:

• the Digital Personal Data Protection Act, 2023 (India);
• the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
• the General Data Protection Regulation (EU) 2016/679, to the extent applicable to EU/EEA users;
• applicable data protection laws of other jurisdictions where Services are offered.

The Company does not represent or warrant compliance with any specific certification unless explicitly stated.

22. Grievance Officer

[NOTE: A Grievance Officer / Data Protection Officer must be designated before this Policy is published. This individual may be an employee of the Company appointed specifically for this role.]

All grievances shall be acknowledged within forty-eight (48) hours of receipt and resolved within thirty (30) days, or within such period as required under applicable law (including the DPDP Act). Users who are not satisfied with the Company's response may file a complaint with the Data Protection Board of India once established.

23. Changes to This Policy

The Company reserves the right to modify or update this Policy at any time to reflect legal, regulatory, or operational requirements. Users will be notified of material changes via email or platform notice at least fifteen (15) days prior to the changes taking effect. Continued use of Services after updates constitutes acceptance of the revised Policy.

24. Additional Policy Provisions

25. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy: