DPDP compliance posture.
India's Digital Personal Data Protection Act, 2023 (DPDP Act) is in force from 2024 onwards. This page describes specifically how Vikaas (Banao Pvt Ltd) operates as a Data Fiduciary when collecting data on its own behalf, and as a Data Processor when handling personal data on behalf of its customers. We've written this for Indian enterprise procurement and legal teams who need to assess vendor DPDP posture before signing an engagement.
Effective: May 1, 2026 · Banao Pvt Ltd · Bengaluru, Karnataka, India
1. Our dual roles under DPDP
Banao Pvt Ltd operates in two distinct capacities under the DPDP Act, depending on the context:
- Data Fiduciary: When we collect and process personal data directly for our own purposes — e.g., when a business fills out a contact form on vikaas.ai, or when we process our own employees' data.
- Data Processor: When we process personal data on behalf of our customer businesses (who are the Data Fiduciaries) — e.g., when we conduct LinkedIn outreach to prospects or candidates as part of a paid engagement.
This distinction matters because the obligations, responsibilities, and lawful bases differ between the two roles. The rest of this document addresses both roles explicitly.
2. When we act as Data Fiduciary
Context: Collection of data from individuals who interact directly with Vikaas — website visitors, discovery call requesters, newsletter subscribers (if any), and our own employees and contractors.
2.1 Notice
We provide clear notice at the point of data collection. Contact forms on vikaas.ai include a link to this DPDP posture document and our Privacy Policy. The types of data collected, purposes of processing, and data principal rights are disclosed before or at the time of collection.
2.2 Consent
Where consent is the basis for processing, it is obtained in a manner that is free, specific, informed, and unconditional. We use affirmative opt-in mechanisms (checkboxes, not pre-ticked). Consent can be withdrawn at any time with equal ease to giving it.
2.3 Legitimate use
We process data under consent for marketing and outbound communications; under legitimate interests for security, fraud prevention, and service improvement; and under legal obligation for tax, regulatory, and court-ordered requirements.
2.4 Accuracy
We make reasonable efforts to ensure that personal data we hold is accurate and up to date. Data principals can request correction of inaccurate data at any time.
3. When we act as Data Processor
Context: Processing of prospect and candidate data during paid Vikaas engagements, where the customer business is the Data Fiduciary and Vikaas acts on their instructions.
3.1 Our obligations as Processor
As a data processor, we:
- Process personal data only on documented instructions from the customer (Data Fiduciary) as set out in the Order Schedule and MSA
- Do not process data for any purpose beyond what is required to deliver the contracted service
- Implement the security safeguards described in Section 6
- Assist the customer in fulfilling data principal rights requests within applicable timelines
- Notify the customer of any personal data breach as described in Section 7
- Delete or return all personal data at the end of the engagement (see our Privacy Policy for retention timelines)
- Maintain records of our processing activities as required
3.2 Customer obligations as Fiduciary
By engaging Vikaas, customers confirm that:
- They have a lawful basis for directing Vikaas to process the personal data in question
- The ICP definitions and target lists they provide comply with applicable law and do not include individuals whom it is unlawful to contact
- They are responsible for honoring data principal rights requests from prospects or candidates who contact the customer directly, with Vikaas's assistance
- They will notify Vikaas promptly of any privacy-related complaints or regulatory inquiries they receive that relate to Vikaas's processing activities
3.3 Data Processing Agreement
A Data Processing Agreement (DPA), which sets out the formal processor-fiduciary relationship and contains the standard contractual terms required under DPDP, is included as Annex A to Vikaas's standard Master Services Agreement. Customers should ensure their legal team reviews the DPA alongside the MSA.
4. Consent and legitimate use for outreach
Vikaas conducts outreach to buyers and candidates via LinkedIn. The lawful basis we rely on for processing publicly available professional profile information is legitimate interests — specifically, the legitimate interest of our customer businesses in identifying and communicating with potential business partners, buyers, or senior talent candidates.
This basis is appropriate because:
- The data processed is limited to professional information that individuals have voluntarily made publicly available on a professional networking platform
- The communication is professional in nature, targeted to relevant roles and industries, and consistent with what professional network members reasonably expect
- Individuals have readily available opt-out mechanisms — replying "unsubscribe" to any message results in immediate removal from all active pipelines within 2 business days
We do not rely on consent as the basis for initial outreach because requesting consent from every prospect or candidate before reaching out is not operationally feasible and is not required where legitimate interests apply. However, once a prospect or candidate has asked not to be contacted, we treat any further contact as requiring consent and do not reach out again.
5. Data principal rights
Under the DPDP Act, data principals have the following rights, which Vikaas honours in full:
- Right to access information: Data principals can request a summary of the personal data we hold about them and the purposes for which it is processed.
- Right to correction and erasure: Data principals can request correction of inaccurate data or erasure of personal data, subject to applicable legal retention obligations.
- Right to grievance redressal: Data principals can raise complaints about our data processing with our Grievance Officer (see Section 9).
- Right to nominate: Data principals can nominate another individual to exercise their rights in the event of death or incapacity.
Response timeline: We respond to data principal requests within 30 calendar days, or within any shorter statutory period that applies. Complex requests that require coordination with customers (as Data Fiduciaries) may take up to 60 days with notification to the requester within 30 days.
To exercise any right, contact: privacy@vikaas.ai
6. Security safeguards
We implement reasonable security safeguards to protect personal data as required under Section 8 of the DPDP Act. These include:
- Encryption in transit (TLS 1.3) and at rest (AES-256) for all personal data stores
- Role-based access control and mandatory multi-factor authentication for all personnel with access to personal data
- Annual third-party penetration testing and continuous automated vulnerability scanning
- Personnel training on data protection obligations
- Contractual data protection obligations with all sub-processors
- SOC 2 Type II audit engaged (target Q4 2026)
We review and update our security measures periodically and in response to any security incidents or material changes in our technology environment.
7. Data breach notification
In the event of a personal data breach, Vikaas will:
- Contain the breach and assess its scope as quickly as possible
- Notify the affected customer (Data Fiduciary) within 24 hours of confirming a breach involving their data
- Notify the Data Protection Board of India within the statutory period (to be specified under DPDP Rules), or such other timeline as applies
- Provide a written incident report to the customer within 5 business days of initial notification, covering: timeline of events, nature and scope of data affected, immediate mitigation steps, longer-term preventive measures, and any applicable regulatory notifications made
Customers shall promptly notify their affected data principals in the manner required by applicable law. Vikaas will assist the customer in drafting such notifications where requested.
8. Cross-border data transfer
By default, customer personal data is hosted in India (AWS Mumbai region) and is not transferred outside India.
Exceptions where cross-border transfer may occur:
- GCC customer data: Hosted in AWS Bahrain or UAE regions where specified in the Order Schedule. These regions have adequate legal frameworks for personal data protection applicable to GCC-based data subjects.
- AI processing: AI providers used by Vikaas may be located outside India. All such providers are contracted with appropriate data handling terms including data residency and training opt-out. Specific provider details are available under NDA.
- Customer communication tools: Standard business communication tools (email, calendar, video conferencing) may process limited personal data outside India. These are standard enterprise tools with appropriate data handling terms.
Cross-border transfers are conducted only with appropriate safeguards as required by Section 16 of the DPDP Act and applicable DPDP Rules. As DPDP Rules are finalised and cross-border transfer mechanisms are specified, we will update our practices accordingly and notify customers of any material changes.
9. Grievance redressal
Data principals who have concerns about how Vikaas handles their personal data can raise a grievance with our designated Grievance Officer.
Grievance Officer: Trust and Compliance Team, Banao Pvt Ltd
Contact: privacy@vikaas.ai
Response timeline: We acknowledge grievances within 5 business days and resolve them within 30 days, or within such shorter period as required by applicable law.
If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India at dpdp.gov.in (once the Board is operational).
10. Contact our data protection team
Privacy and DPDP inquiries: privacy@vikaas.ai
Security and trust inquiries: trust@vikaas.ai
Legal and contracting: legal@vikaas.ai
Banao Pvt Ltd · Bengaluru, Karnataka, India
This document is reviewed and updated at minimum quarterly, and more frequently as DPDP Rules and related guidance are released. The "last updated" date at the top reflects the most recent revision.