India DPDP Act Compliance

NOTOXIC® Universe is committed to full compliance with the India Digital Personal Data Protection Act (DPDP), 2023. This statement outlines our comprehensive DPDP compliance measures, your rights as a data principal, and how we protect your personal data.

The DPDP Act applies to our processing of digital personal data of individuals in India, regardless of where the processing occurs.

1. Consent and Notice Requirements

1.1 Consent Requirements

Under the DPDP Act, we obtain your free, specific, informed, and unambiguous consent for:

Collection and processing of personal data
Purpose-specific data usage (clearly specified)
Sharing data with third parties (where applicable)
Marketing communications and promotional activities
Processing of sensitive personal data (where applicable)

1.2 Notice Requirements

Before or at the time of collecting personal data, we provide clear notice containing:

Purpose for which personal data is collected
Identity and contact details of the Data Fiduciary (NOTOXIC® Universe)
Contact details of the Data Protection Officer (if applicable)
Rights available to you as a data principal
Procedure for filing a complaint with the Data Protection Board
Manner of withdrawal of consent

1.3 Withdrawal of Consent

You can withdraw consent at any time:

Withdrawal is as easy as giving consent
Withdrawal does not affect the lawfulness of processing before withdrawal
We will stop processing your data after withdrawal (subject to legal obligations)
Contact the Grievance Officer to withdraw consent

1.4 Legitimate Uses (Without Consent)

We may process personal data without consent for:

Performance of state functions or provision of services
Compliance with legal obligations
Medical emergencies or public health emergencies
Employment purposes (as specified in the Act)
Prevention and detection of fraud

2. Rights of Data Principals

2.1 Right to Access Information (Section 11)

You have the right to obtain:

Summary of personal data being processed
Identities of data fiduciaries and processors with whom data is shared
Categories of personal data shared
Activities undertaken in relation to your personal data

2.2 Right to Correction and Erasure (Section 12)

You have the right to:

Correction: Request correction of inaccurate, incomplete, or outdated personal data
Erasure: Request erasure of personal data that is no longer necessary for the purpose for which it was collected
Updation: Request completion of incomplete personal data

2.3 Right to Erasure Conditions

We will erase your personal data when:

You withdraw consent and there is no other legal basis for processing
Data is no longer necessary for the purpose for which it was collected
You request erasure and we have no legal obligation to retain it

Exceptions: We may retain data if required by law, for legal claims, or for compliance with legal obligations.

2.4 Right to Grievance Redressal (Section 13)

You have the right to file a grievance with our Grievance Officer regarding:

Processing of your personal data
Exercise of your rights
Any matter related to your personal data

2.5 Right to Nominate (Section 14)

You have the right to nominate another individual to exercise your rights in case of death or incapacity.

3. Grievance Officer

3.1 Appointment and Role

As required under Section 10 of the DPDP Act, we have appointed a Grievance Officer who is responsible for:

Receiving and addressing grievances from data principals
Resolving complaints within the specified timeline
Coordinating with the Data Protection Board when necessary
Ensuring compliance with DPDP Act requirements

3.2 Contact Information

To file a grievance or exercise your rights:

Grievance Officer
NOTOXIC® Universe
Email: [email protected]
Subject: "DPDP Grievance" or "Data Protection Complaint"

3.3 Grievance Resolution Process

When you file a grievance:

Within 30 days: The Grievance Officer will respond to your complaint within 30 days
Resolution: We will attempt to resolve the grievance to your satisfaction
Appeal: If unsatisfied, you can appeal to the Data Protection Board within 60 days

3.4 Information to Include in Grievance

When filing a grievance, please include:

Your name and contact information
Description of the grievance or complaint
Relevant account or transaction details
Any supporting documents
Desired resolution or outcome

4. Data Breach Notification

4.1 Breach Notification to Data Protection Board

In case of a personal data breach:

Within 72 hours: We will notify the Data Protection Board of India (where feasible)
Breach Details: Nature of breach, categories and approximate number of data principals affected, likely consequences, measures taken or proposed

4.2 Breach Notification to Data Principals

If a breach may cause harm to you:

We will notify you without undue delay
Notification will include clear information about the breach
We will provide details about the nature of the breach and potential impact
We will recommend measures you can take to protect yourself

4.3 Remedial Measures

In case of a breach, we will:

Take immediate remedial measures to prevent further harm
Investigate the cause of the breach
Implement additional security measures to prevent recurrence
Document the breach and remedial actions taken

5. Obligations of Data Fiduciary

5.1 General Obligations

As a Data Fiduciary, we are obligated to:

Process personal data only for specified, clear, and lawful purposes
Ensure personal data is complete, accurate, and kept up-to-date
Implement reasonable security safeguards to protect personal data
Notify the Data Protection Board and data principals of breaches
Erase personal data when no longer necessary or upon withdrawal of consent
Publish a privacy policy and ensure transparency

5.2 Processing of Personal Data of Children

We take special care when processing personal data of children:

We do not process personal data of children without verifiable parental consent
We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children
We implement additional safeguards for children's data

5.3 Significant Data Fiduciary Obligations

If designated as a Significant Data Fiduciary, we will:

Appoint a Data Protection Officer (DPO)
Conduct periodic Data Protection Impact Assessments (DPIAs)
Undertake periodic audits
Undertake such other measures as may be prescribed

6. Exercising Your Rights

6.1 How to Exercise Your Rights

To exercise any of your DPDP rights:

Contact our Grievance Officer at [email protected]
Specify the right you wish to exercise in the subject line
Provide sufficient information to verify your identity
Include any relevant details (account information, specific data, etc.)

6.2 Response Timeline

We will respond to your request:

Within 30 days: Standard response time for most requests
Free of charge: No fee for exercising your rights (except manifestly unfounded or excessive requests)

6.3 Identity Verification

We may request additional information to verify your identity before processing requests to protect your data from unauthorized access.

7. Data Protection Board

7.1 Right to File Complaint

If you are not satisfied with our response to your grievance, you have the right to file a complaint with the Data Protection Board of India within 60 days of:

Receiving our response to your grievance
The expiry of 30 days from filing the grievance (if no response received)

7.2 Data Protection Board Powers

The Data Protection Board may:

Direct us to take remedial or mitigation measures
Impose penalties for non-compliance
Direct compensation to be paid to affected data principals
Issue directions for compliance

8. Contact Us

For DPDP compliance inquiries or to file a grievance:

NOTOXIC® Universe
Email: [email protected]