1. INTRODUCTION
1.1 Purpose of the Policy
This Privacy Policy (“Policy”) governs the collection, processing, storage, and protection of personal information by Winngoo India Private Limited, a company incorporated under the Companies Act, 2013, having its registered office in Chennai, Tamil Nadu, India (hereinafter referred to as “Winngoo India”, “Company”, “we”, “us”, or “our”). The Company operates a digital ecosystem offering membership-based rewards, cashback programs, referral benefits, and business listing services through its website, mobile application, and affiliated digital systems (collectively referred to as the “Platform”).
1.2 Commitment to Privacy
Winngoo India acknowledges the importance of data privacy and recognizes that the protection of personal information is a matter of trust. The Company is fully committed to maintaining the confidentiality, integrity, and security of personal data shared by its Members, Business Partners, and Users.
1.3 Regulatory Framework
This Policy has been formulated in strict accordance with the following Indian laws and regulatory frameworks:
a. Information Technology Act, 2000;
b. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
c. Digital Personal Data Protection Act, 2023 (DPDP Act 2023);
d. Consumer Protection Act, 2019; and
e. Other applicable notifications, circulars, and industry standards prescribed by the Government of India or competent authorities.
1.4 Scope of Application
This Policy applies to all Users who access or interact with Winngoo India’s Platform, including:
a. Members – individuals or entities registered under a paid membership;
b. Business Partners – registered merchants or companies offering discounts or rewards through the Platform;
c. Visitors – any person browsing or interacting with the Platform without registration; and
d. Employees, Vendors, and Associates – individuals engaged by the Company who handle or process personal information under contractual or lawful obligations.
1.5 Exclusions
This Policy does not apply to:
a. Third-party websites or applications linked through the Platform, which are governed by their respective privacy policies;
b. Anonymous, aggregated, or statistical data incapable of identifying an individual; and
c. Any publicly disclosed information voluntarily shared by Users on social media or public forums.
2. POLICY OBJECTIVES AND PRINCIPLES
2.1 Objectives
The objectives of this Privacy Policy are to:
a. Establish a transparent framework for the lawful processing of personal data;
b. Define the nature, purpose, and scope of data collection and retention;
c. Outline the rights and obligations of Users with respect to their personal information;
d. Ensure compliance with all applicable Indian privacy and cybersecurity laws; and
e. Provide assurance that all data is stored and processed exclusively within the territory of India.
2.2 Principles of Data Protection
In accordance with Section 4 of the DPDP Act 2023, Winngoo India adheres to the following core principles:
a. Lawfulness, Fairness, and Transparency – Data shall be collected and processed in a lawful, fair, and transparent manner.
b. Purpose Limitation – Personal data shall be used only for purposes explicitly stated and consented to by the User.
c. Data Minimization – Only data that is necessary for the intended purpose shall be collected.
d. Accuracy – Reasonable steps shall be taken to ensure that data remains accurate, complete, and up to date.
e. Storage Limitation – Data shall not be retained longer than necessary for the purpose for which it was collected.
f. Integrity and Confidentiality – Appropriate security measures shall protect personal data against unauthorized access, loss, or alteration.
g. Accountability – The Company shall demonstrate compliance with applicable privacy laws and this Policy at all times.
2.3 Trust and Transparency Commitment
Winngoo India believes that privacy protection is fundamental to maintaining customer trust. Therefore, the Company discloses, with complete transparency, the nature and purpose of every data collection and ensures that consent mechanisms are explicit, informed, and traceable.
3. LEGAL BASIS FOR DATA PROCESSING
3.1 Lawful Grounds
Winngoo India processes personal data only when there exists a legitimate legal basis as defined under the DPDP Act 2023 and associated Indian privacy rules. Such bases include:
a. Explicit User Consent – freely given and informed consent obtained prior to data processing;
b. Contractual Necessity – data required for the performance or enforcement of membership agreements;
c. Legal Obligation – compliance with statutory requirements, including KYC, AML, and taxation laws;
d. Legitimate Interests – processing essential for platform operations, fraud detection, analytics, or service improvement, provided it does not infringe user rights;
e. Public or Vital Interests – data required for the protection of health, safety, or property, or to fulfil a statutory mandate.
3.2 Record of Processing Activities (ROPA)
The Company maintains internal documentation of all data processing operations, including the categories of data collected, purpose of processing, retention periods, and lawful bases, in accordance with Section 10 of the DPDP Act 2023.
3.3 Data Fiduciary Responsibility
As the primary Data Fiduciary, Winngoo India acknowledges its legal and moral responsibility to protect user data. Any third-party entity acting as a “Data Processor” on behalf of the Company shall be bound by confidentiality and data protection obligations through written contracts.
3.4 Compliance Verification
Periodic compliance reviews and audits shall be conducted by the Data Protection Officer (DPO) to ensure adherence to lawful processing practices, documentation standards, and user consent verification.
4. TERRITORIAL JURISDICTION AND DATA LOCALIZATION
4.1 Data Residency Requirement
All personal data collected by Winngoo India shall be stored, processed, and managed exclusively within servers located in India. No data shall be transferred outside Indian territory except under lawful government authorization or explicit regulatory consent.
4.2 Infrastructure and Hosting
The Company employs reputable Indian data and hosting providers that implement security infrastructure, ensuring compliance with domestic cybersecurity norms and governmental data residency mandates.
4.3 Government Access Compliance
Any access or disclosure of data to government authorities shall be made strictly in accordance with lawful requests, court orders, or national security obligations, and such disclosures shall be duly documented in internal access logs.
4.4 Prohibition of Cross-Border Transfer
Unless explicitly mandated by the Government of India, Winngoo India shall not engage in cross-border data transfer or outsourcing to jurisdictions lacking equivalent data protection standards.
4.5 Audit Trail and Record-Keeping
The Company shall maintain auditable records of all data access, retention, modification, and deletion activities, accessible only to authorized compliance officers and regulators.
5. CONSENT FRAMEWORK AND USER ACKNOWLEDGMENT
5.1 Nature of Consent
Consent under this Policy refers to a clear, affirmative act by which the User signifies agreement to data processing for defined purposes.
5.2 Collection of Consent
a. Consent shall be collected electronically through registration forms, checkboxes, digital signatures, or similar mechanisms on the Platform.
b. Each consent instance shall specify the nature of data collected, intended use, and duration of retention.
5.3 Withdrawal of Consent
Users may withdraw consent at any time by submitting a written or electronic request to the Data Protection Officer at [insert website]. Upon withdrawal, Winngoo India shall cease processing such data unless retention is legally required.
5.4 Impact of Withdrawal
The Company shall inform Users that withdrawal of consent may affect their ability to access or continue certain membership, cashback, or referral features of the Platform.
5.5 Audit of Consent Records
All consent forms, timestamps, and withdrawal requests shall be preserved as verifiable evidence under Section 7 of the DPDP Act and may be reviewed by regulatory authorities upon request.
6. CATEGORIES OF INFORMATION COLLECTED
6.1 Overview
Winngoo India collects various categories of personal and transactional information from Members, Business Partners, and Visitors to enable membership registration, payment processing, loyalty tracking, and customer communication. All data is collected and processed solely for lawful and legitimate business purposes as defined under the Digital Personal Data Protection Act, 2023 (DPDP Act) and associated Indian regulations.
6.2 Personal Identification Information
The following personal identifiers may be collected directly from the User during registration or subsequent interactions:
- Full name (first name, middle name, surname)
- Date of birth and age confirmation (18+ verification)
- Gender (optional field)
- Permanent and correspondence address
- Contact numbers (mobile and alternate)
- Email address
- Aadhaar number or other government-issued identification (for KYC verification)
- PAN (Permanent Account Number) where legally required for financial transactions
6.3 Membership and Account Information
To create and maintain a functional user account, the Company may collect:
- Usernames and unique membership IDs
- Passwords, security PINs, or authentication credentials (stored in encrypted format)
- Membership start and renewal dates
- Referral codes and referrer identification data
- Account preferences, communication settings, and feedback
6.4 Business Partner and Merchant Information
For entities registering as Business Partners, additional details may include:
- Legal business name, trade name, and GST registration number
- Business address and contact details
- Nature of business activity and operational category
- Authorized signatory details
- Banking and payment settlement information (subject to secure encryption)
- Uploaded business licenses or certifications (for verification purposes)
6.5 Payment and Financial Data
When Members or Business Partners engage in financial transactions, Winngoo India collects limited payment-related data through secure payment gateways, such as:
- Payment mode (UPI, credit/debit card, net banking, wallet)
- Transaction reference numbers
- Payment timestamps and statuses
- Amount paid, including applicable taxes (GST)
- Billing address and invoice details
The Company does not store or retain card numbers, CVV codes, or complete banking credentials; such data is securely managed by licensed payment intermediaries in accordance with Reserve Bank of India (RBI) and NPCI guidelines.
6.6 Loyalty, Cashback, and Referral Data
In connection with the Platform’s ecosystem of rewards and loyalty programs, the following information may be collected and recorded:
- Total membership points earned and redeemed
- Cashback transactions and pending balances
- Referral links, referral counts, and associated earnings
- Transaction history linked to participating merchants
- Records of offers availed, discounts used, and charity contributions made
Such data enables Winngoo India to ensure accurate computation, verification, and disbursement of member rewards and cashback.
6.7 Technical and Device Information
When Users access the Platform, certain information is automatically collected to enhance user experience and system performance, including:
- Internet Protocol (IP) address
- Browser type and version
- Device type (mobile, desktop, tablet) and operating system
- Unique device identifiers (UDID, IMEI, MAC address where permitted)
- Access timestamps, session durations, and login logs
- Referring URLs and app usage statistics
- Crash reports and performance logs
This information helps the Company maintain platform integrity, detect unauthorized access, and improve system functionality.
6.8 Location and Geographical Data
Subject to user consent, Winngoo India may collect approximate or precise location data through GPS or network-based methods for the purpose of:
- Identifying nearby partner businesses or active offers;
- Preventing location-based fraud; and
- Personalizing recommendations based on region or city.
Users may disable location tracking via device settings, though doing so may limit certain platform functionalities.
6.9 Communication and Correspondence Data
Information voluntarily provided during customer support interactions, survey responses, emails, chats, or in-app feedback may include:
- Message content and attachments;
- Service request details and resolution logs;
- Audio or video call records (where legally permitted);
- Communications with Business Partners or third-party affiliates via the Platform.
All communications are logged solely for quality assurance, compliance monitoring, and dispute resolution.
7. METHODS OF DATA COLLECTION
7.1 Direct Collection
Winngoo India collects data directly from Users through:
- Account registration forms;
- Membership payment gateways;
- Feedback, complaint, or support submissions;
- Voluntary participation in surveys, contests, or charity drives; and
- Redemption of loyalty points or cashback offers.
7.2 Automated Collection
Certain data is collected automatically through digital technologies integrated into the Platform, such as:
- Cookies, web beacons, and tracking pixels;
- App usage logs and analytic scripts;
- Device synchronization records;
- Session recording and clickstream data.
This information assists in monitoring system performance, fraud prevention, and understanding user engagement metrics.
7.3 Third-Party and Affiliate Sources
Where applicable, the Company may receive supplementary data from:
- Authorized Business Partners, in respect of purchases, discounts, or service utilization;
- Payment processors and financial institutions, confirming transaction outcomes;
- Referral systems or affiliate networks, verifying member recruitment; and
- Governmental or regulatory authorities, validating identity and compliance information.
Such data integrations are performed under explicit consent or lawful mandate, with contractual confidentiality protections.
7.4 Indirect or Publicly Available Sources
Winngoo India may obtain limited user data from publicly available government databases (e.g., MCA, GSTIN directories) or verified marketing partners to ensure business legitimacy and fraud mitigation.
8. SENSITIVE PERSONAL DATA OR INFORMATION
8.1 Under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Winngoo India recognizes the following as Sensitive Personal Data or Information (SPDI):
- Financial account details (bank account, UPI ID, payment credentials);
- Passwords and authentication credentials;
- Biometric identifiers, if any, collected for verification;
- Health or medical data (only where necessary for insurance-linked offers);
- Any other information designated by Indian authorities as sensitive.
8.2 Handling of SPDI
a. SPDI shall be collected only upon explicit, written, or digital consent.
b. All SPDI shall be encrypted, securely transmitted, and accessible only to authorized personnel on a “need-to-know” basis.
c. SPDI shall not be shared with third parties except for lawful or contractual purposes after obtaining explicit user consent.
8.3 Non-Disclosure of Sensitive Data
Winngoo India shall not rent, sell, or commercially exploit SPDI for marketing purposes. Disclosure shall occur strictly in compliance with Sections 69 and 72A of the Information Technology Act, 2000, and only upon lawful government requisition or judicial directive.
9. ACCURACY, VERIFICATION, AND UPDATION OF DATA
9.1 Accuracy Obligation
Users shall ensure that all data provided to Winngoo India is true, accurate, and current at the time of submission. The Company shall not be liable for any loss or limitation of service arising from inaccurate or outdated information.
9.2 Verification Procedures
Winngoo India may perform automated or manual verification of submitted documents such as Aadhaar, PAN, or GST certificates to confirm identity and authenticity.
9.3 User-Initiated Updates
Members may access and update their information at any time via their profile dashboard or by contacting [insert email]. Upon receipt of such requests, updates will be reflected within a reasonable time, not exceeding fifteen (15) business days.
9.4 Retention of Historical Data
For compliance and audit purposes, Winngoo India may retain certain non-sensitive historical data or metadata (such as transaction records) even after profile updates, ensuring traceability and legal compliance.
10. PURPOSE OF DATA COLLECTION AND PROCESSING
10.1 General Overview
Winngoo India collects, stores, and processes personal data solely for purposes that are lawful, legitimate, specific, and explicitly disclosed to the User. Each processing activity is conducted in accordance with Section 4 and Section 6 of the Digital Personal Data Protection Act, 2023, ensuring fairness, transparency, and accountability.
10.2 Core Business and Membership Operations
Personal data is primarily processed for the following key purposes:
a. To facilitate the creation, verification, and management of Member accounts;
b. To activate paid memberships, process renewals, and administer user access rights;
c. To manage loyalty points, cashback, referral bonuses, and promotional offers;
d. To authenticate Business Partner registrations and validate merchant legitimacy;
e. To issue invoices, receipts, and official communications; and
f. To ensure accurate record-keeping and performance of contractual obligations.
10.3 Transactional and Financial Processing
Winngoo India processes financial and payment data to:
a. Confirm payment status and execute refunds (where applicable);
b. Track subscription validity and renewal timelines;
c. Calculate referral rewards and cashback entitlements;
d. Maintain audit trails for tax and accounting compliance; and
e. Detect duplicate or fraudulent transactions under internal Anti-Money Laundering (AML) protocols.
10.4 Loyalty, Rewards, and Cashback Program Management
The Company processes loyalty and transaction data to:
a. Track purchases, redemptions, and points accumulation;
b. Reconcile rewards across multiple Business Partners;
c. Prevent abuse or manipulation of reward systems;
d. Personalize offers, campaigns, and cashback promotions; and
e. Communicate reward balances, expiry alerts, and bonus eligibility.
10.5 Business Partner Management
For registered merchants, data processing serves to:
a. Verify GST numbers, licenses, and certifications;
b. Facilitate listing, promotion, and offer publication;
c. Reconcile payment settlements and loyalty transactions;
d. Enable communication between merchants and members; and
e. Support dispute resolution or compliance audits.
10.6 User Experience and Service Enhancement
Technical and analytics data is processed to:
a. Analyse traffic patterns and user behaviour on the Platform;
b. Improve navigation, loading times, and app responsiveness;
c. Identify bugs, system errors, or security vulnerabilities;
d. Implement personalization and localized recommendations; and
e. Optimize digital marketing and platform performance metrics.
10.7 Customer Support and Communication
Data from emails, calls, or in-app chat may be processed to:
a. Address service-related queries, feedback, or grievances;
b. Track complaint resolution timelines;
c. Verify user identity during customer interactions; and
d. Record communications for training, monitoring, and compliance review.
10.8 Charity and Corporate Social Responsibility (CSR) Transparency
As part of Winngoo India’s social impact initiative, 5% of membership fees are allocated to charitable causes. Relevant processing activities include:
a. Tracking aggregated donations and beneficiary details;
b. Publishing impact summaries without disclosing personal identifiers;
c. Verifying authenticity of recipient organizations; and
d. Ensuring transparent fund allocation consistent with legal obligations under CSR and Charity Regulations in India.
11. LEGAL BASIS FOR DATA PROCESSING
11.1 Winngoo India processes data on the following lawful grounds recognized under the Digital Personal Data Protection Act, 2023 (DPDP Act) and Information Technology Act, 2000:
a. Consent (Section 6, DPDP Act 2023)
Processing based on freely given, specific, informed, and unambiguous consent for defined purposes, including:
- Creation of a user profile;
- Participation in loyalty or referral programs;
- Receiving marketing or promotional communications; and
- Sharing limited data with business partners for cashback or offer validation.
b. Contractual Necessity
Data processing essential for the execution of agreements between Winngoo India and:
- Registered Members, for access to paid membership benefits; and
- Business Partners, for listing offers, handling transactions, and managing loyalty integrations.
c. Legal and Regulatory Compliance
Processing mandated under Indian law, including but not limited to:
- Verification of identity through government-issued documents;
- Maintenance of financial and tax records for statutory audits;
- Compliance with Anti-Money Laundering (AML) and Know Your Customer (KYC) obligations; and
- Response to lawful government or judicial requests.
d. Legitimate Business Interests
Processing reasonably necessary for the Company’s legitimate business purposes, including:
- Enhancing customer satisfaction and engagement;
- Conducting internal analytics, forecasting, and risk management;
- Preventing fraudulent activities or system abuse;
- Ensuring operational continuity and IT security; and
- Maintaining corporate governance and reporting obligations.
e. Public or Vital Interests
In rare cases, personal data may be processed to protect the vital interests of a user, such as:
- Responding to data breaches or security threats;
- Protecting the safety or property of individuals; or
- Assisting lawful authorities in emergency circumstances.
12. PROCESSING IN ACCORDANCE WITH PRINCIPLES OF FAIRNESS
12.1 Winngoo India ensures that all data processing complies with the Fairness, Purpose Limitation, and Proportionality standards defined under Section 8 of the DPDP Act 2023.
12.2 Data Minimization
The Company collects only such information as is necessary for its declared purposes. Superfluous, irrelevant, or excessive data is neither requested nor retained.
12.3 Transparency
All processing activities are communicated to users through this Policy and clear disclosures during registration, purchase, or data submission.
12.4 User Notification of Purpose
Before initiating data collection, Winngoo India provides Users with concise, plain-language notifications specifying:
a. What data is being collected;
b. The purpose for which it will be used;
c. The retention duration; and
d. The process for withdrawing consent.
12.5 No Automated Decision-Making without Oversight
Winngoo India does not make legally significant decisions solely based on automated profiling. Where automation is used (for example, reward computation), human oversight ensures fairness and accuracy.
13. MARKETING AND PROMOTIONAL COMMUNICATIONS
13.1 Direct Marketing
The Company may use contact information (such as name, email address, or phone number) to send promotional materials, updates, or personalized offers relating to:
- Loyalty point redemptions, cashback events, or referral bonuses;
- New business partner listings or brand collaborations; and
- Platform features, contests, or awareness campaigns.
13.2 User Consent for Marketing
Marketing communications shall be sent only where the User has provided explicit opt-in consent. Each communication shall provide an option to unsubscribe or withdraw consent in accordance with Section 7 of the DPDP Act.
13.3 Third-Party Promotions
Winngoo India may share limited data (e.g., membership ID, location, and transaction type) with verified business partners for promotional offers, subject to contractual confidentiality and explicit user consent.
13.4 No Spam or Unsolicited Communication
The Company maintains strict anti-spam protocols in line with Telecom Commercial Communications Customer Preference Regulations (TCCCPR). Unsolicited messages are not permitted under any circumstance.
13.5 Opt-Out Mechanism
Users may unsubscribe from promotional communications at any time by:
a. Clicking the “Unsubscribe” link in marketing emails; or
b. Adjusting notification preferences within their account; or
c. Sending an opt-out request to [insert email].
14. FRAUD PREVENTION, SECURITY, AND LEGAL ENFORCEMENT
14.1 Fraud Detection and Risk Management
Data is processed to identify and prevent:
- Duplicate or fake accounts;
- Unlawful referral manipulations;
- Money laundering and misuse of rewards;
- System intrusions and cyber threats.
14.2 AML/KYC Compliance
All financial and referral activities are monitored under internal Anti-Money Laundering (AML) and Know Your Customer (KYC) standards. Data related to these activities may be shared with regulatory authorities or banks for lawful verification.
14.3 Legal Disclosures
Where required by law, Winngoo India shall disclose relevant personal information to:
- Government agencies or law enforcement bodies;
- Tax or regulatory authorities; and
- Courts or tribunals under lawful order.
14.4 Prevention of Abuse and Misrepresentation
The Company reserves the right to process and monitor user data to safeguard the integrity of its ecosystem, including referral authenticity, reward validation, and business partner legitimacy.
DATA RETENTION AND STORAGE
15. DATA RETENTION POLICY
15.1 Purpose of Retention
Winngoo India retains personal information only for as long as necessary to fulfil the purposes for which it was collected, to comply with applicable legal, accounting, or regulatory obligations, and to enforce contractual rights.
15.2 Retention Principles
a. Data retention shall conform to the principles of necessity, proportionality, and purpose limitation under Section 8 of the Digital Personal Data Protection Act, 2023.
b. No personal data shall be kept indefinitely or without lawful purpose.
c. Retention periods are documented in internal registers and subject to annual review by the Data Protection Officer (“DPO”).
15.3 Periodic Review
All data retention schedules are subject to periodic review to ensure continued compliance with current laws and business requirements. Records identified as obsolete are securely deleted or anonymized without delay.
16. DATA STORAGE AND SECURITY INFRASTRUCTURE
16.1 Domestic Data Residency
In strict compliance with Section 16 of the DPDP Act 2023, all personal data collected by Winngoo India shall be stored and processed exclusively within India using secure data centres located in Chennai and other approved regions of the Republic of India.
16.2 Data Centre Certifications
The Company ensures that its servers and cloud providers comply with industry-accepted standards such as ISO/IEC 27001, ISO 22301, and CERT-In guidelines for security and business continuity.
16.3 Encryption and Access Control
a. All personal data in transit is protected using TLS 1.3 or equivalent encryption protocols.
b. Data at rest is secured through AES-256 encryption standards.
c. Access to stored data is restricted to authorized employees under multi-factor authentication (MFA) and role-based access controls (RBAC).
16.4 Physical Security
Server facilities are monitored 24/7 with CCTV, biometric entry, and redundant power backup. Unauthorized physical access to hardware is strictly prohibited.
16.5 Backup and Redundancy
Regular encrypted backups are maintained to prevent data loss arising from hardware failure, natural disaster, or cyber incident. Backups are stored within India and retained in accordance with the Company’s disaster-recovery plan.
17. ARCHIVAL AND DESTRUCTION PROCEDURES
17.1 Archival Policy
Data requiring long-term retention (for legal or audit purposes) shall be archived in encrypted, read-only formats. Archived data is isolated from active processing environments and subject to restricted access controls.
17.2 Destruction and Erasure
Upon expiry of the retention period or withdrawal of consent, Winngoo India shall initiate secure erasure using methods such as:
a. Digital wiping and cryptographic erasure of files;
b. Physical destruction of obsolete media; and
c. Verification logs confirming permanent deletion.
17.3 Anonymization and Aggregation
Where data must be retained for statistical or research purposes, it shall be converted to anonymized form that cannot reasonably identify an individual. Anonymization methods include tokenization, data masking, and irreversible hashing.
17.4 Audit Trail for Deletion
The Company maintains verifiable audit trails of all data deletion events for a minimum of three years to demonstrate regulatory compliance upon inspection by competent authorities.
18. DATA PORTABILITY AND MIGRATION
18.1 User Requests for Portability
Pursuant to Section 12 of the DPDP Act 2023, a User may request a copy of their personal data in a structured, machine-readable format. Such requests shall be honoured within thirty (30) days of verification of identity.
18.2 Transfer Limitations
No data portability request shall involve the transfer of SPDI or third-party proprietary information without explicit written authorization and appropriate security arrangements.
18.3 Internal Migration
For technical reasons (such as server optimization or load balancing), data may be migrated between servers within India. All migrations are subject to pre-migration risk assessment and post-migration validation.
19. BREACH PREVENTION AND CONTINGENCY PLANNING
19.1 Preventive Controls
Winngoo India implements preventive security controls including firewalls, intrusion-detection systems (IDS), and regular penetration testing conducted by CERT-In empanelled auditors.
19.2 Incident Response Protocol
In the event of a data breach or suspected compromise, the Company shall:
a. Activate its Incident Response Plan;
b. Contain and remediate the breach within defined timeframes;
c. Notify affected users and the Data Protection Board of India (DPB) as required by law; and
d. Maintain documentation of root-cause analysis and corrective actions.
19.3 Business Continuity and Disaster Recovery
Comprehensive Business Continuity and Disaster Recovery (BC/DR) plans are maintained to ensure minimum downtime and data availability during adverse events such as cyber-attacks, power outages, or natural disasters.
20. AUDIT AND COMPLIANCE MONITORING
20.1 Internal Audits
The Company conducts annual internal data-protection audits to verify adherence to retention policies and evaluate technical and organizational controls.
20.2 External Audits
Independent external audits may be commissioned by the Board or DPO to certify compliance with the DPDP Act, IT Rules 2011, and ISO standards.
20.3 Record Maintenance
Comprehensive logs of data access, storage location, and modifications shall be maintained for a minimum of five years post transaction to enable regulatory scrutiny.
20.4 Corrective Actions
Findings from audits shall be addressed through formal Corrective and Preventive Action (CAPA) plans, monitored by the DPO and Compliance Committee.
DATA SHARING AND DISCLOSURE
21. GENERAL PRINCIPLES OF DATA SHARING
21.1 Purpose-Limited Disclosure
Winngoo India shall not disclose, share, or transfer any personal data except where such disclosure is lawful, necessary, and consistent with the purpose for which the data was collected.
21.2 Transparency and Lawful Basis
All sharing of data shall be:
a. Conducted in accordance with Sections 8 and 10 of the Digital Personal Data Protection Act, 2023 (DPDP Act);
b. Supported by a lawful basis such as consent, contractual necessity, or legal obligation; and
c. Accompanied by safeguards ensuring confidentiality and integrity.
21.3 Commercial Integrity
The Company does not sell, rent, trade, or commercially exploit personal information for profit. Any exchange of data occurs strictly under legitimate business operations or legal compulsion.
22. INTERNAL DATA SHARING
22.1 Intra-Company Processing
Personal data may be shared within departments and subsidiaries of Winngoo India solely for authorized internal purposes such as:
a. Membership management and customer support;
b. Accounting, finance, and taxation compliance;
c. Product enhancement and operational analytics;
d. Audit and compliance verification; and
e. Information security and fraud prevention.
22.2 Access Control and Confidentiality
Only authorized personnel, bound by confidentiality agreements and role-based access controls, shall have access to user information. Internal sharing is documented in the Record of Processing Activities (ROPA) maintained by the Data Protection Officer (DPO).
22.3 Employee Confidentiality Clause
All employees handling personal data are bound by strict non-disclosure and confidentiality obligations under the Company’s Information Security and Ethics Policy. Any breach shall constitute a disciplinary and legal offense.
23. SHARING WITH BUSINESS PARTNERS AND AFFILIATES
23.1 Business Partner Data Sharing
Winngoo India may share limited, purpose-specific data with registered Business Partners and merchants for:
a. Validation of membership and referral eligibility;
b. Cashback or loyalty transaction reconciliation;
c. Verification of offers, discounts, or purchase claims; and
d. Customer satisfaction surveys or reward.
23.2 Contractual Safeguards
All data sharing with Business Partners shall be governed by written data-processing agreements (DPAs) specifying:
a. Permitted data use and processing scope;
b. Confidentiality and security obligations;
c. Data retention duration;
d. Prohibition of onward transfers; and
e. Audit and liability clauses for breach or misuse.
23.3 Limited Identifiable Data
Unless expressly authorized by the User, Business Partners receive only the minimum required identifiers (membership ID, transaction reference, city) without access to sensitive personal or financial details.
23.4 Performance Monitoring
The Company periodically reviews Partner compliance with data protection obligations and reserves the right to suspend or terminate access in the event of breach or misuse.
24. THIRD-PARTY SERVICE PROVIDERS
24.1 Engagement of Processors
Winngoo India may engage third-party vendors (“Data Processors”) to perform functions such as:
a. Payment gateway processing;
b. IT infrastructure hosting and maintenance;
c. Customer support operations;
d. Email or SMS delivery;
e. Fraud detection and cybersecurity audits.
24.2 Due Diligence and Risk Assessment
Prior to engagement, each Processor undergoes a Data Protection Impact Assessment (DPIA) evaluating:
a. Security certifications and compliance posture;
b. Reputation and financial standing;
c. Technical and organizational measures implemented; and
d. Incident management readiness.
24.3 Processor Agreements
Each Processor is bound by a written contract mandating:
- Processing solely on Winngoo India’s instructions;
- Implementation of reasonable security practices;
- Prohibition of secondary use or disclosure;
- Notification of any data breach within 24 hours; and
- Deletion or return of data upon termination of the service contract.
24.4 Supervision and Audit Rights
The Company reserves the right to audit or inspect any Processor handling its data to ensure compliance with this Policy and applicable law.
25. DISCLOSURE TO GOVERNMENT AND LAW ENFORCEMENT AUTHORITIES
25.1 Statutory Compliance
Winngoo India may disclose user information to governmental or regulatory agencies only where required by law or pursuant to valid legal process under:
- The Information Technology Act, 2000;
- The Prevention of Money Laundering Act, 2002 (PMLA);
- The Income Tax Act, 1961; or
- Any order of a court or competent authority.
25.2 Verification of Legitimacy
Before releasing data, the Company shall verify the authenticity, jurisdiction, and scope of the request to ensure it originates from lawful authority.
25.3 Notification to User
Where permissible, the Company shall notify the concerned User regarding such disclosure, unless prohibited under legal confidentiality or national security grounds.
25.4 Record Keeping
A record of all disclosures made to government agencies shall be maintained, detailing:
- Requesting authority and reference number;
- Nature of data shared;
- Legal basis invoked; and
- Date and method of disclosure.
26. CROSS-BORDER DATA TRANSFER (RESTRICTION)
26.1 India-Only Processing Mandate
As per the Company’s Data Localization Policy and DPDP Act Section 16, Winngoo India does not transfer any personal data outside the Republic of India.
26.2 Exceptional Circumstances
Cross-border transfer may occur only when:
a. Required by a lawful international investigation with Government of India approval; or
b. Authorized under a bilateral or multilateral data-sharing agreement ratified by the Indian Government.
26.3 Equivalent Protection Requirement
In such rare cases, transfer shall occur only to jurisdictions offering data protection standards comparable to India’s and subject to written undertakings of confidentiality and security.
26.4 Notification and Consent
Users shall be informed and, where applicable, their consent obtained prior to any such transfer.
27. DISCLOSURE DURING CORPORATE EVENTS
27.1 Mergers, Acquisitions, or Restructuring
In the event of any merger, acquisition, reorganization, or transfer of business assets, user data may be shared or transferred as part of the transaction, subject to:
a. Confidentiality agreements with receiving entities;
b. Compliance with applicable laws; and
c. Notification to affected users.
27.2 Continuation of Privacy Obligations
Any successor entity shall be bound by the same or stronger privacy obligations as those set forth herein.
28. AGGREGATED AND ANONYMIZED DISCLOSURES
28.1 Statistical Use
Winngoo India may compile non-identifiable statistical or demographic data derived from personal information for:
a. Market research, reporting, or trend analysis;
b. Performance analytics of loyalty programs; and
c. Publication of community impact reports.
28.2 De-Identification Assurance
All such data shall be aggregated and anonymized in a manner that ensures no individual can be reasonably identified.
29. USER RIGHTS REGARDING DISCLOSURE
29.1 Right to Information
Users may request information regarding:
- Categories of third parties with whom data has been shared; and
- The purpose and lawful basis of such disclosure.
29.2 Right to Object
Where disclosure is based on consent or legitimate interest (and not legal obligation), Users have the right to object or restrict such sharing by contacting [insert email].
29.3 Timelines
Requests for disclosure information shall be responded to within thirty (30) business days, subject to verification of identity and applicable exemptions.
COOKIES, ANALYTICS & TRACKING TECHNOLOGIES
30. USE OF COOKIES AND RELATED TECHNOLOGIES
30.1 Definition
Cookies are small text files placed on a user’s device by websites or mobile applications to recognize returning visitors, store user preferences, and enhance overall functionality.
30.2 Legal Basis for Use
The use of cookies and similar tracking technologies on the Winngoo India Platform is governed by:
a. Section 8 of the Digital Personal Data Protection Act, 2023 (DPDP Act), requiring consent-based, purpose-limited processing; and
b. Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which mandates disclosure of data-collection mechanisms.
30.3 Purpose of Cookies
Winngoo India employs cookies for legitimate and defined purposes, including:
a. Session Management: To authenticate Users, maintain login sessions, and prevent unauthorized access;
b. Preference Storage: To remember user-selected settings, language, and region;
c. Analytics and Performance: To understand traffic patterns, measure engagement, and improve platform usability;
d. Security and Fraud Prevention: To detect anomalies, prevent bots, and monitor suspicious activity;
e. Marketing Optimization: To deliver personalized offers, rewards, and targeted advertisements where the User has provided explicit consent.
31. TYPES OF COOKIES USED
31.1 Strictly Necessary Cookies
These cookies are essential for the operation of the Platform and cannot be disabled through user settings. They enable secure logins, payment processing, and site navigation. Examples include:
- Authentication tokens;
- Session cookies for transaction continuity;
- CSRF protection tokens.
31.2 Performance and Analytical Cookies
Used to collect aggregated information on how Users interact with the Platform, such as page visits, app crashes, and session duration. Data collected through these cookies is anonymized and used for internal improvement only.
31.3 Functional Cookies
These enhance user experience by remembering choices such as saved login credentials (if consented), preferred merchant categories, or default location preferences.
31.4 Marketing and Advertising Cookies
Subject to explicit opt-in consent, these cookies allow the Company and its verified partners to deliver relevant promotions, cashback alerts, or offers tailored to the User’s interests.
31.5 Third-Party Cookies
Certain sections of the Platform may incorporate cookies or SDKs (Software Development Kits) from trusted service providers such as:
- Google Analytics (for usage statistics);
- Facebook Pixel or LinkedIn Insight Tag (for campaign performance).
All third-party cookie integrations are reviewed under written contractual assurances ensuring compliance with Indian privacy standards.
32. USER CONSENT AND CONTROL
32.1 Consent Requirement
Non-essential cookies (e.g., marketing or analytics cookies) shall only be placed on a User’s device after obtaining explicit, informed consent through a cookie banner or preference displayed on the Platform.
32.2 Cookie Preference Management
Users may manage or withdraw consent at any time by:
a. Adjusting settings within the Platform’s cookie preference manager;
b. Modifying browser or device settings to block or delete cookies; or
c. Submitting a written request to [insert email].
32.3 Impact of Disabling Cookies
Blocking or disabling certain cookies may impair access to some Platform functionalities, such as secure login, offer redemption, or referral tracking.
32.4 Audit of Cookie Consents
The Company shall maintain timestamped digital records of all cookie consent actions (acceptance, withdrawal, modification) as evidence of compliance with Section 7 of the DPDP Act.
33. ANALYTICS AND USAGE TRACKING
33.1 Purpose of Analytics
Analytical tools are deployed to monitor system stability, understand user engagement, and optimize the Platform’s design and efficiency.
33.2 Scope of Data Collected via Analytics
- Device and browser information;
- Frequency and duration of user visits;
- Referring URLs and navigation paths;
- Performance metrics (load times, API response, app crashes).
33.3 Google Analytics and Similar Tools
When used, such third-party analytics platforms operate under restricted configurations ensuring:
a. Anonymization of IP addresses;
b. Non-collection of personal identifiers; and
c. Data retention consistent with the Company’s internal retention policy.
33.4 Anonymized Reporting
Analytic insights are always derived from aggregated, non-personal data. Under no circumstance does Winngoo India use analytics tools for profiling, tracking individual identity, or making automated decisions that produce legal effects.
34. THIRD-PARTY ADVERTISING AND REMARKETING
34.1 Limited Marketing Partnerships
With explicit consent, Winngoo India may collaborate with select advertising networks or affiliate partners for the purpose of remarketing offers relevant to members’ interests or transactions.
34.2 Data Shared with Advertisers
Only pseudonymized identifiers (e.g., user ID, referral code, or hashed email) are shared — never personal identifiers like full names or financial details.
34.3 Opt-Out Option
Users may opt out of targeted advertising at any time through the Platform’s privacy settings or by contacting [insert email]. Opting out will not affect general membership services or transactional features.
34.4 No Sale of Personal Data
Winngoo India expressly prohibits the sale, barter, or commercial exchange of personal data with advertisers or any other entity.
35. LEGAL COMPLIANCE AND SECURITY OF TRACKING DATA
35.1 Security Safeguards
All data collected via cookies or analytic tools is transmitted over secure, encrypted channels (TLS 1.3 or higher) and stored only in anonymized format.
35.2 Compliance Oversight
The DPO and IT Security Division jointly oversee all tracking and analytics integrations to ensure compliance with:
- DPDP Act 2023;
- IT Rules 2011;
- CERT-In advisories; and
- Industry-recognized security standards (ISO/IEC 27001).
35.3 Third-Party Compliance Verification
Every third-party analytics or marketing partner must demonstrate adherence to Indian data privacy standards and is subject to contractual audit rights held by Winngoo India.