Data Protection Policy
Last Updated: [2025/10/21]
PREFACE
This Data Protection Policy (“Policy”) is made available to the employees, vendors, officers, and directors of Inner Fit Research Inc (hereinafter referred to as the “Company” or “We” or “Our”). We recognize the importance of protecting the privacy of Personal Data of its employees, contractors, vendors, interns, associates, clients, Users and business partners. This Policy outlines the measures we take to ensure the privacy and confidentiality of the Personal Data of Our employees, contractors, vendors, interns, associates, clients, Users and business partners and describes our values and core principles that guide the conduct of Our business. It also explains the types of information we collect, how we use and protect it, and the rights individuals have with respect to their Personal Data. This Policy has been adopted by the Company to outline our commitment to safeguarding both Personal Information and Non-Personal Information and ensures compliance with legal requirements and contractual obligations.
Further, this Policy specifically outlines the guidelines and procedures for the handling, management, retention, storage, and disposal of Company Data (defined below). The purpose of this Policy is to ensure compliance with relevant laws and regulations, minimize the risk of data breaches, and ensure the efficient management of Company Data.
We encourage all our employees, partners, vendors, clients and stakeholders to read this Policy carefully and to contact our Data Protection Officer if they have any questions or concerns regarding the processing of their Personal Data. By working together, we can ensure that we meet our data protection obligations and safeguard the privacy of Personal Data.
We hope that you will read the Policy in its entirety.
We wish you a productive and rewarding association with the Company.
Founder
Sanchit Garg
INTRODUCTION
With the rise of the digital economy, data has become a vital means of communication between people. Therefore, it is essential to promote a culture that encourages a fair and unrestricted digital economy while respecting individuals' informational privacy, fostering empowerment, progress, and innovation. The right to privacy is a fundamental right of individuals.
At Our organization, we have adopted a mechanism that ensures that only the appropriate individuals have access to the necessary data, in the right context, and for the right purpose. This helps to build trust with Our internal staff and external customers, as well as other stakeholders. Our Policy is a legal document that outlines how we collect, use, and manage Personal Information of our employees, contractors, vendors, interns, associates, clients, Users and business partners.
We strictly adhere to security procedures to ensure that all information is stored and disclosed securely, giving our clients, Users, employees, board members, partners, contractors, and agents the confidence that their Personal Information shared with us is private and secure.
As a part of this family, each one of us should strive to achieve the goals of the organization within the framework that has been provided. Thus, this Policy is not just a compilation of information on policies and processes but is a reminder of our responsibilities in ensuring effective implementation of the same.
The information in this Policy may be amended from time to time. You will be notified of any changes and We recommend updating your copy as this happens.
We strongly encourage you to read and comply with the terms of this Policy. It describes many of your duties and responsibilities as an employee towards the Company and outlines the programs developed by the Company for your benefit.
SCOPE
This Policy is applicable to all Our employees, contractors, vendors, interns, associates, clients, Users, and business partners who may receive Company Data, have access to Company Data collected or processed or provide information to the organization, regardless of geographic location or any third party who handles Company Data on behalf of Company. All employees of Company are expected to support the Policy and principles when they collect and/or handle Company Data or are involved in the process of maintaining or disposing of Company Data. This Policy provides the information to successfully meet the organization's commitment towards data privacy.
It applies to all Company Data, regardless of the format or medium in which it is stored, including electronic and physical records.
All partner firms and any third-party working with or for Company, and who have or may have access to Company Data, will be expected to have read, understand and comply with this Policy. No third party may access Company Data held by the organization without having first entered into a confidentiality agreement.
DATA PRIVACY LAWS
We are a company registered in the State of California, United States, and complies with all applicable U.S. federal and state data privacy laws, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), among others. As a responsible entity handling Personal Data, we are committed to protecting individual privacy, maintaining data security, and ensuring compliance with regulatory obligations across all relevant jurisdictions.
1. United States (Primary Jurisdiction)
As a California-registered entity, we are subject to U.S. data protection laws, and in particular:
1.1 California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
We uphold the rights of California residents to know, access, delete, correct, and restrict the sale/sharing of their Personal Information. We maintain procedures for transparency, consumer requests, and opt-out mechanisms as required by the law.
1.2 Other Federal and State Laws
We comply with sector-specific regulations, wherever applicable, including:
- Health Insurance Portability and Accountability Act (HIPAA) for healthcare data;
- Gramm-Leach-Bliley Act (GLBA) for financial data;
- Children's Online Privacy Protection Act (COPPA) for children's data; and
- Other state-level privacy statutes as they become effective.
2. European Union (Best Effort Compliance)
Although we are not established in the EU, we recognize that our products and services may be accessed by individuals residing in the European Union. As such, we observe and adopt key principles and practices under the General Data Protection Regulation (GDPR) on a best-effort basis, including:
- Transparency and fair processing;
- Data minimization and purpose limitation;
- Upholding rights of EU data subjects such as access, correction, and erasure;
- Safeguards for any cross-border data transfers.
We also monitor and, where feasible, aim to align with obligations under the EU Artificial Intelligence Act for AI systems operating within the EU or affecting EU data subjects.
3. Other Jurisdictions
For jurisdictions not specifically mentioned above, we will make reasonable best efforts to comply with relevant local privacy and data protection requirements when we offer goods or services to individuals in such jurisdictions, or collect, process, or store data subject to their laws.
In cases where local laws impose additional or more stringent standards, we endeavor to implement jurisdiction-specific measures or privacy notices to the extent feasible and commercially reasonable.
DEFINITION
For the purposes of the present Policy, the following terms are defined as follows:
“Applicable Law” means any law, rules, circulars, guidelines or standards under which the preservation of the Company Data has been prescribed.
“Board of Director” or “BOD” means board of directors of Company.
“Books of Accounts” as per the applicable laws includes records maintained in respect of:
- all sums of money received and expended by the Company and matters in relation to which the receipts and expenditure take place;
- all sales and purchases of goods and services by the Company;
- the assets and liabilities of the Company; and
- the items of cost as may be prescribed under the applicable laws.
“Company Data” includes any and all information collected, used, processed, stored, shared, received, generated, created by the Company including Personal Data, Sensitive Personal Data, Non-Personal Data, Document, Records, Registers.
“Data Subject” means an individual whose Personal Data is subject to Processing and where such individual is (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.
“Users” shall mean individuals who avail Company's products or services through Our website [zime.ai] or otherwise.
“Minors” means Users under the age of majority/adulthood as per the Applicable Laws.
“Data Protection Officer” means the employee or person appointed by BOD of the Company as data protection officer or a privacy/security officer to perform the duties listed in this Policy or assigned to him/her by decision of BOD.
“Document(s)” shall include and refer to any summons, notice, requisition, order, declaration, form, Register, return, record, communication or other material, whether issued, received, created, maintained or preserved pursuant to any Applicable Laws, and whether in physical or Electronic Form. For the purposes of this Policy, “Document(s)” shall also include statutory records, registers, returns, forms, agreements, reports, electronic storage devices, digital records, system logs, backup data, and other similar materials that are required to be retained, maintained, or safeguarded by the Company in compliance with applicable legal, regulatory, contractual, or operational obligations, whether in physical or Electronic Form.
“Electronic Form” means any contemporaneous electronic device such as computer, laptop, compact disc, floppy disc, space on electronic cloud, or any other form of storage and retrieval device, considered feasible, whether the same is in possession or control of the Company or otherwise the Company has control over access to it.
“Non-Personal Data” or “Non-Personal Information” means any information or data which is not a Personal Data and/or Sensitive Personal Data.
“Personal Data” or “Personal Information” is information that identifies, relates to, or could reasonably be linked with a Data Subject. For example, it could include Data Subject's name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other Personal Information that could create a profile about Data Subject's preferences and characteristics. Provided that any information that is freely available or accessible in public domain, or any lawfully obtained, truthful information that is a matter of public concern will not be considered to be Personal Data.
“Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, by manual or automated means (including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data).
“Preservation” means to keep in good order and to prevent from being damaged or destroyed.
“Register” means documents and records required to be maintained by the Company under the Applicable Laws, secretarial standards and for audit/legal purposes.
“Records” means documentary evidence of past events or transactions in relation to the business of the Company.
“Sensitive Personal Data” or “Sensitive Personal Information” of a person means such Personal Data which consists of information relating to certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information processed to identify a consumer; information concerning a Data Subject's health, sex life, or sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership.
The words and phrases used in this Policy and not defined here shall derive their meaning from the Applicable Law.
SECTION – 1: HANDLING OF PERSONAL INFORMATION/SENSITIVE PERSONAL INFORMATION
1. COLLECTION OF PERSONAL INFORMATION
Personal Information may be collected either online or offline. Regardless of the method of collection, the same privacy protections shall apply to all Personal Information. Personal Information shall not be collected unless one of the following conditions is met:
- the Data Subject has provided valid, informed, and free consent;
- the Processing is carried out for certain lawful purposes;
- the Processing is necessary for the performance of a contract to which the Data Subject is a party, or to take steps at the request of the Data Subject prior to entering into a contract;
- the Processing is necessary for provision of Company's services to the Data Subject or any other person authorized by Data Subject;
- the Processing is necessary for compliance with the organization's legal obligations;
- the Processing is necessary to protect the vital interests of the Data Subject; or
- the Processing is necessary for the performance of a task carried out in the public interest.
1.1 Privacy Notice
Every request made directly to the Data Subject for consent under the Applicable Law shall be accompanied or preceded by a privacy notice provided by Company. This notice shall inform the Data Subject of:
- The Personal Information being collected and the purpose for which it is intended to be processed;
- The manner in which the Data Subject may exercise their rights under Applicable Laws; and
- The procedure for lodging a complaint or a request with the Company, as prescribed.
The privacy notice shall be clear, concise, and easily accessible, ensuring that the Data Subject is fully informed before providing their consent.
1.2 Data Minimization in Collection
The Company shall ensure that Data Subject shall not be required to provide more Personal Information other than which is necessary for the provision of the product or service that Data Subject has requested or authorized. If any data not needed for providing a service or product is requested, such fields shall be clearly labelled as optional. Collection of Personal Information shall be avoided or limited when reasonably possible.
Personal Information shall be de-identified when the purposes of data collection can be achieved without personally identifiable information, at reasonable cost. When using vendors to collect Personal Information on the behalf of Company, it shall ensure that the vendors comply with the privacy requirements of Company as defined in this Policy.
1.3 Review and Monitoring
Company shall at minimum, annually review and monitor the information collected, the consent obtained and the notice/SoW/contract agreement identifying the purpose.
The project team/support function shall obtain approval from the IT Security team before adopting the new methods for collecting Personal Information electronically.
Company shall review the privacy policies and collection methods of third-parties before accepting Personal Information from third-party data sources.
1.4 Collection of Personal Data from Minors
Our products and services are not intended for use by individuals under the age of 18 years (or the age of majority as defined under Applicable Laws). We do not knowingly collect, process, or solicit Personal Information from Minors. If we become aware that a Minor has provided us with Personal Data without appropriate consent or authorization, we will take steps to delete such information as soon as reasonably possible. Parents or legal guardians who believe that their child may have provided personal information to us are encouraged to contact us immediately so that we can take appropriate action.
2. PRINCIPLES FOR PROCESSING PERSONAL DATA
2.1 Fairness and Lawfulness
When Processing Personal Data, the individual rights of the Data Subject must be protected. Personal Data must be collected and processed in a legal and fair manner. Collected data shall be adequate, relevant and not excessive in relation to the purposes for which they are obtained and their further Processing. Personal Data can be processed upon the voluntary consent of the person concerned. In compliance with law or court order, Personal Data shall be Processed if such Processing is explicitly mandated under any Applicable Laws.
2.2 Data Minimization
Company shall ensure that Personal Data collected is limited to what is necessary for the specified purpose of Processing. Only data that is directly relevant and necessary for the intended purpose will be collected, used, or retained. Any unnecessary or excessive data collection is strictly avoided.
The necessity of the Personal Data collected will be regularly reviewed. If any data is found to be unnecessary for the original purpose, it will be securely deleted or anonymized, in compliance with Applicable Laws and Company's data retention policy.
When engaging third-party service providers, Company will ensure that these providers also adhere to the data minimization principle, only processing the minimum data necessary for the provision of their services.
2.3 Purpose Limitation
Personal Data can be processed only for the purpose that was defined before the data was collected. Personal Data shall be obtained for specified, explicit and legitimate purposes, and shall not subsequently be processed in a manner that is incompatible with those purposes.
Subsequent changes to the purpose are only possible to a limited extent and require justification. However, further data Processing for statistical, scientific and historical purposes shall be considered compatible with the initial purposes of the data collection, if it is not used to take decisions with respect to the Data Subject.
2.4 Transparency
The Data Subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the Data Subject must either be made aware of, or informed of:
- the purpose of data Processing;
- categories of third parties to whom the data might be transmitted.
Processing of Personal Data must have received the consent of the Data Subject or must meet one of the following conditions: compliance with any legal obligation to which Company is subject; the protection of the Data Subject's life; the performance of a public service mission entrusted to Company.
2.5 Confidentiality and Security
Personal Data must be treated as confidential and protected by reasonable security safeguards. It shall be secured with appropriate organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification, destruction, or any other personal data breach.
2.6 Storage Limitation
Personal Data shall be retained in a form that allows the identification of the Data Subject for a period no longer than is necessary for the purposes for which they are obtained and processed. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.
2.7 Accuracy
Personal Data on record must be correct, complete, and if necessary, kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
3. DATA PROCESSING
3.1 Consent to Data Processing
Individual data can be processed upon obtaining the consent of the person concerned. Declarations of consent must be submitted voluntarily and, where applicable, should be documented in writing. In certain exceptional circumstances, consent may be given verbally, provided it is appropriately recorded and confirmed.
3.2 Data Processing Pursuant to Legitimate Uses
Personal Information may also be processed in order to enforce the Company's legitimate interests. Legitimate interests typically involve legal, audit, or financial matters, such as filing, enforcing, or defending against legal claims. Personal Information may not be processed on the basis of a legitimate interest in case there is proof of particular situations that the individual's interests need protection. Before data is processed, it must be decided whether there are interests warrant protecting. Control measures requiring the processing of Personal Data can only be implemented if there is a legal requirement to do so or a valid reason. Even if there is a legitimate reason, the proportionality of the control measure must also be examined. The justified interests of the organization in performing the control measure (e.g. compliance with legal provisions and internal rules of the organization) must be weighed against any interests meriting protection that the individual affected by the measure may have in its exclusion and cannot be performed unless appropriate.
3.3 Processing of Sensitive Personal Information
Company shall not process Sensitive Personal Information, except if:
- the Processing is in reference to medical or social protection under the applicable Company's internal rules, including health insurance coverage and/or other social benefits by the Company;
- the Processing is absolutely necessary for the performance and provision of the services of the Company;
- the Processing is for the copying of passports where an employee or stakeholder uses the Company's assistance when requesting either a visa for entering the duty country or applying for any other visa in connection with official travel for the Company; and/or
- the individual has given consent to the Processing of Sensitive Personal Information or made the Sensitive Personal Information manifestly public. The Company may be asked to prove that the individual has explicitly and without reservation consented to the Processing of such Sensitive Personal Information for the purpose at stake.
3.4 Telecommunications and Internet
Telephone equipment, e-mail addresses, intranet and internet along with internal social networks are provided by Company primarily for work-related assignments. They are a tool and an organizational resource. They can be used within the applicable legal regulations and internal Company communication policies. In the event of authorized use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable.
There will be no general monitoring of telephone and e-mail communications or intranet/internet use. To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented for the connections to the network used by Company that block technically harmful content or that analyze the attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be blocked for a temporary period.
Evaluations of this data from a specific person can be made only in a concrete, justified case of suspected violations of policies and/or procedures of Company. The evaluations can be conducted only by investigating departments while ensuring that the principle of proportionality is met. The relevant national laws including Electronic Communications Privacy Act (ECPA) and CCPA must be observed in the same manner as the Company regulations.
3.5 Engagement with Data Processors
Company may engage or appoint data processors to process Personal Data on its behalf only under a valid, legally binding contract. This data processing contract shall clearly define the scope, nature, purpose, and duration of the data processing activities, as well as the responsibilities and obligations of both parties.
4. AI GOVERNANCE
The Company is committed to building responsible and transparent AI systems that empower enterprise sales teams while upholding the highest standards of data integrity, model reliability, and ethical AI practices. This section sets out the governance framework, protocols, and structures currently in place and those planned for the near future to guide the ethical development, deployment, and monitoring of AI technologies developed by the Company.
This section outlines the rules, responsibilities, and procedures that Company's employees must follow when interacting with, developing, or supporting AI-powered systems.
4.1 Governance Policy Objectives
We shall strive to:
- ensure responsible and ethical AI usage aligned with enterprise-grade compliance standards;
- Mitigate risks of bias, hallucination, misuse, and privacy violations;
- Establish traceability, explainability, and human oversight throughout the AI lifecycle;
- Maintain transparency and trust with stakeholders through auditable processes and control mechanisms;
- Comply with applicable data protection laws including GDPR, CCPA/CPRA, and other applicable regulations.
4.2 Scope and Applicability
This policy applies to all employees, contractors, interns, and third-party service providers who:
- Interact with AI tools integrated into Company's product or internal systems;
- Handle enterprise customer data used in AI models;
- Are involved in engineering, QA, support, product, or design of AI functionality.
4.3 Governance Roles and Responsibilities
The following roles and responsibilities apply:
- Employee (All Functions): Comply with this policy, report violations, and use AI tools responsibly;
- Engineering/Data Teams: Ensure secure development, bias checks, and retention controls;
- QA and Privacy Teams: Conduct reviews, handle issue reports, manage audits and compliance;
- AI Governance Committee: Oversee policy updates, ethical risks, and strategic safeguards.
4.4 Acceptable Use of AI Systems
Employees must:
- Use only approved AI platforms (e.g., OpenAI, Gemini, Anthropic) that are integrated and vetted by the Company;
- Avoid uploading any personal, sensitive, or customer-identifiable data into unapproved or public AI tools;
- Ensure outputs used in customer deliverables are fact-checked and validated against internal or enterprise-provided documentation;
- Report any unusual or incorrect AI behavior using the internal QA or “Report Issue” features.
4.5 AI Governance Protocols
Foundation Model Usage:
- We exclusively use foundation models from trusted providers (OpenAI, Gemini, Anthropic) with built-in governance and safety features;
- No fine-tuning or deployment of unvetted/open-source models is permitted to avoid IP, bias, or compliance risks.
Enterprise-Specific Knowledge Graph Layer:
- AI outputs are layered on top of customer-specific knowledge sources (e.g., playbooks, product sheets, documentation);
- Ensures contextual relevance and minimizes hallucination risk.
Human Oversight & Continuous Monitoring:
- 100% of model outputs are manually reviewed during onboarding;
- Weekly audits are conducted post-onboarding using a statistically significant sample;
- Every AI insight is reportable via UI-based flagging; resolution within 3–4 business days.
4.6 Data Governance and Input Protocols
Employees are required to:
- Adhere to Company's data classification policy and use data classified as allowed for AI model consumption;
- Minimize Personal Data inputs unless explicitly required and permitted under a contractual or lawful basis;
- Obtain explicit customer or user consent before using any data for AI-related operations, if applicable;
- Ensure all data inputs to the AI system are relevant, business-justified, and pre-authorized.
4.7 Privacy by Design and Responsible Handling
Employees must follow Privacy by Design principles when working with AI features:
- Use anonymized or synthetic data wherever possible;
- Avoid inputting or exposing any Personal Data, Sensitive Personal Data, or financial data to generative AI models;
- Flag and escalate any instance of AI producing or revealing sensitive content or identifiable user/customer data.
4.8 Access Control and Confidentiality
- Access to AI training data, logs, and model parameters is restricted under Role-Based Access Control (RBAC);
- Do not share credentials or bypass permission controls to access AI logs, test datasets, or administrative dashboards;
- Maintain confidentiality and do not use AI systems to generate outputs for unauthorized clients, individuals, or personal use.
4.9 Retention, Logging, and Deletion Obligations
Employees must:
- Retain training and inference data only for the duration defined in the data retention schedule;
- Avoid storing raw data inputs outside approved systems;
- Assist in deletion or anonymization processes when Users exercise data rights under GDPR, CCPA, or internal policy;
- Log any access, modification, or export of data from the AI system in accordance with internal auditing protocols.
4.10 Monitoring, QA, and Feedback
All employees must:
- Support the internal quality assurance (QA) process, which includes full review of AI outputs during onboarding stages and weekly review samples for accuracy, bias, or hallucinations;
- Use the “Report Issue” functionality to flag concerning or incorrect insights;
- Cooperate with regular audits, spot checks, and performance evaluations of AI use.
4.11 Incident Reporting and Compliance
Employees are required to:
- Immediately report any AI-related data breach, unauthorized access, or unintended output generation to the Privacy or Security Team;
- Participate in Privacy Impact Assessments (PIAs) or compliance reviews when requested;
- Cooperate during incident investigations and privacy audits conducted by internal or external stakeholders.
4.12 Prohibited Conduct
Employees are strictly prohibited from:
- Fine-tuning or modifying AI models outside of Company-approved processes;
- Using unvetted or public open-source models with proprietary or customer data;
- Circumventing governance settings or bypassing content filters;
- Using AI systems for non-business purposes or personal benefit.
5. RIGHTS OF THE DATA SUBJECT
All Data Subjects who are the subject of Personal Data held by the Company are entitled to the following rights:
5.1 Right to Access and Information
- Data Subjects have the right to obtain from Company a summary of the Personal Data relating to them being processed, including the processing activities undertaken;
- Data Subjects may request information about the identities of all third-parties with whom their Personal Data has been shared, along with a description of the Personal Data shared;
- Information regarding data shared with authorized third parties for specific purposes, such as crime prevention or investigation of offences or cyber incidents or court/legal procedure, is excluded from this right.
5.2 Right to Correction
- Data Subjects have the right to request the correction of inaccurate or outdated Personal Data maintained by the Company, subject to verification of their identity and the accuracy of the requested changes;
- The Company shall make reasonable efforts to correct the identified inaccuracies upon receiving a verifiable request and after evaluating whether the correction is substantiated;
- This right does not apply where the requested correction would conflict with legal obligations or the integrity of legitimate records (e.g., audit logs, transaction histories).
5.3 Right to Deletion
Data Subjects may request the deletion of their Personal Data held by the Company, subject to certain exceptions under applicable law. The Company may deny the deletion request where retention is necessary:
- To comply with a legal obligation;
- To complete a transaction or provide a service requested by the Data Subject;
- For internal uses reasonably aligned with the Data Subject's expectations;
- To detect security incidents, protect against malicious activity, or prosecute those responsible.
Any denial of deletion shall be accompanied by a justification based on one or more lawful exceptions.
5.4 Right to Data Portability
- Data Subjects have the right to request and receive a copy of their Personal Data in a structured, commonly used, and machine-readable format;
- Where feasible, Data Subjects may also request that the Company transmit such data directly to another entity, provided the request is technically practicable and does not adversely affect the rights of others;
- This right applies only to the Personal Data collected directly from the Data Subject and does not include derived or inferred data.
5.5 Right to Opt-Out of Sale or Sharing
- Data Subjects have the right to opt-out of the sale or sharing of their Personal Data with third parties, including for purposes of cross-context behavioral advertising or targeted advertising;
- Upon receipt of an opt-out request, the Company will cease all sales or sharing of the Data Subject's Personal Data unless the Data Subject provides express authorization to resume such activities at a later date;
- Data Subjects may exercise this right through a clearly labeled “Do Not Sell or Share My Personal Information” link or similar mechanism made available on the Company's website.
5.6 Right to Limit Use and Disclosure of Sensitive Personal Information
Where applicable (primarily under the California Privacy Rights Act (CPRA)), Data Subjects have the right to direct the Company to limit the use of their Sensitive Personal Information to purposes necessary for:
- Performing the services or providing the goods reasonably expected by an average consumer;
- Ensuring security and integrity;
- Short-term, transient use not involving profiling.
The Company may provide a mechanism to enable the exercise of this right, such as a “Limit the Use of My Sensitive Personal Information” link on the website.
5.7 Right to Non-Discrimination
Data Subjects who exercise any of their rights under U.S. data privacy laws shall not be subjected to discriminatory treatment by the Company. The Company shall not:
- Deny goods or services;
- Charge different prices or rates;
- Provide a different level or quality of goods or services;
- Suggest that the Data Subject may receive a different price, rate, level, or quality based solely on the exercise of privacy rights.
Any legitimate incentive program involving Personal Data shall be offered in compliance with Applicable Laws and only upon informed consent of the Data Subject.
5.8 Right to Appeal
- In jurisdictions where applicable (such as Virginia and Colorado), if a request made by a Data Subject is denied, the Data Subject has the right to submit an appeal;
- The Company will respond to such appeal within the time period prescribed by the applicable state law and shall provide a written explanation for any denial of the appeal;
- If the appeal is denied, the Data Subject may have the right to contact the state Attorney General to lodge a formal complaint.
5.9 Right to Grievance Redressal
- Data Subjects have the right to access a grievance redressal mechanism provided by Company to address any issues related to the processing of their Personal Data or the exercise of their rights under the applicable privacy laws;
- Company will respond to grievances within the prescribed period from receipt of the complaint;
- Data Subjects must use the grievance redressal mechanism provided by Company before approaching the Data Protection Board.
5.10 Right to Nominate a Representative
Data Subjects have the right to nominate an individual to exercise their rights in the event of their death or incapacity. Incapacity is defined as an inability to exercise the rights under the applicable privacy laws due to unsoundness of mind or infirmity of body.
5.11 Additional Rights for EU nationals
5.11.1 Right to Restrict Processing
Data Subjects have the right to request restriction of Processing where:
- The accuracy of Personal Data is contested;
- The Processing is unlawful and the Data Subject opposes deletion;
- The Company no longer needs the Personal Data but it is required by the Data Subject for legal claims;
- The Data Subject has objected to processing pending verification of legitimate grounds.
While processing is restricted, the Company shall store the data but not otherwise process it without the Data Subject's consent, except for legal claims or protection of rights.
5.11.2 Right to Object to Processing
- Data Subjects have the right to object, on grounds relating to their particular situation, to the Processing of Personal Data based on legitimate interests (Article 6(1)(f)) or for direct marketing purposes;
- Where such objection is received, the Company shall cease processing unless it demonstrates compelling legitimate grounds that override the interests or fundamental rights and freedoms of the Data Subject.
5.11.3 Right Not to Be Subject to Automated Decision-Making (Including Profiling)
Data Subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects concerning them. This right does not apply if:
- The processing is necessary for a contract;
- It is authorized by law;
- The Data Subject has provided explicit consent.
In such cases, safeguards must be implemented, including the right to obtain human intervention, express views, and contest the decision.
5.11.4 Right to Withdraw Consent
- Where processing is based on the Data Subject's consent, they have the right to withdraw such consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal;
- Upon withdrawal, the Company shall cease processing unless an alternate lawful basis exists.
TRANSMISSION OF PERSONAL DATA
Transmission of Personal Data to recipients outside or inside Company is subject to the authorization requirements for Processing Personal Data under Section VI of this Policy and requires the consent of the Data Subject. The data recipient must be required to use the data only for the specific purposes.
In the event that data is transmitted to a recipient outside Company, this recipient must agree to maintain a data protection level equivalent to this Policy. This does not apply if the transmission is based on a legal obligation. The Processing of Personal Data is also permitted if national legislation requests, requires or authorizes this. The type and extent of data Processing must be necessary for the legally authorised data processing activity, and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the individual that merit protection must be taken into consideration.
In certain circumstances, the Company Policy allows Personal Data to be disclosed, based on a legal obligation, to law enforcement agencies, without the consent of the Data Subject. Only the BOD of Company can validate any such disclosure in writing, ahead of the disclosure, after ensuring the request is legitimate, motivated by the requester, appropriate, necessary and does not pose a threat or direct risk to Company.
Before approving such disclosure, Company's BOD will check that the recipient of the data uses the data for the defined purposes only, and that it demonstrates the capacity and will to abide by such an obligation.
Where necessary, Company's BOD will refer to legal advisers for advice, notably but not only in cases involving direct security threats and implications or global organisational risks including reputation.
SUBJECT ACCESS AND MODIFICATION REQUESTS TO PERSONAL DATA
All Company employees, contractors, vendors, interns, associates, clients, Users and business partners can contact Company to request rights as listed in Section 5 - Rights of the Data Subject to be applied. Any subject access request from individuals should be addressed by email or in writing. If not in writing, the request should be taken and handled by Data Protection Officer and registered in a log for reference and follow up.
Any individual subject access request received by Company will be duly verified before being handled, with the verification of the identity of anyone making a subject access request, before handing over any information.
The Data Protection Officer will ensure to respond to individual requests in a timely manner. Data Protection Officer will ensure that any Data Subject has the means to contact Company to verify the data Company holds about them and can update and correct Personal Information.
PROVIDING INFORMATION
Company aims to ensure that individuals are aware that their data is being processed, and that they understand (i) how the data is being used; and (ii) how to exercise their rights. To these ends, this Policy is made available to all employees of Company and also available on request by individuals or Data Subject.
CONFIDENTIALITY OF PROCESSING
Personal Data is subject to data secrecy. Any unauthorized collection, processing, or use of such data by employees is strictly prohibited. Any data processing undertaken by an employee that is not authorized as part of their legitimate duties is considered unauthorized. The “need to know” principle applies, meaning that only duly authorized employees may access Personal Information, and only to the extent necessary for the type and scope of their tasks. This requires careful delineation and implementation of roles and responsibilities.
Employees are strictly forbidden from using Personal Data for private or commercial purposes, disclosing it to unauthorized persons, or making it available in any unauthorized manner. Managers are responsible for informing employees at the start of their employment about their obligation to protect data secrecy, an obligation that continues even after the termination of employment.
PROCESSING SECURITY
Personal Data must be safeguarded from unauthorised access and unlawful Processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organisational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification).
The technical and organisational measures for protecting Personal Data are part of Company management and must be adjusted continuously to the technical developments and organisational changes.
DATA PROTECTION CONTROL
Compliance with the Policy and the applicable data protection laws is checked regularly with data protection audits and other controls. The performance of these controls is the responsibility of Data Protection Officer. The results of the data protection controls performed by Data Protection Officer must be reported to the BOD. Company's BOD must be informed of the primary results as part of the related reporting duties. On request, the results of data protection controls will be made available to the responsible data protection authority.
The responsible data protection authority can perform its own controls of compliance with the regulations of this Policy, as permitted under Applicable Law.
SECTION – 2: HANDLING OF COMPANY DATA
1. COMPANY DATA PROTECTION MEASURES
Access Control: Access to Company Data shall be granted based on the principle of least privilege. Access rights shall be reviewed regularly, and access privileges shall be promptly revoked upon termination of employment or contract.
Data Storage and Transmission: Company Data shall be stored and transmitted securely, using encryption and other appropriate security measures.
Data Disposal: Company Data shall be disposed of securely when no longer needed, following approved data disposal procedures.
Incident Management: A formal incident management process shall be in place to report, investigate, and respond to any actual or suspected data breaches or security incidents promptly.
Training and Awareness: Regular training and awareness programs shall be conducted to educate employees on data protection practices, including the safe handling of Company Data.
Monitoring and Auditing: Regular monitoring and auditing of data access, storage, and transmission activities shall be performed to ensure compliance with this Policy and detect any security vulnerabilities or unauthorized activities.
Vendor Management: Third-party vendors with access to Company Data shall be selected based on their ability to provide adequate data protection measures, and appropriate contracts and agreements shall be in place to govern their activities.
2. DATA BREACH RESPONSE
In the event of a data breach or security incident involving Company Data, the following response procedures shall be followed:
Identification and Containment: The incident shall be identified and contained promptly to prevent further unauthorized access or damage. The relevant IT and security teams shall be notified immediately.
Assessment and Investigation: A thorough investigation shall be conducted to assess the extent of the breach, identify the cause, and gather evidence. The Data Protection Officer or designated personnel shall lead the investigation, coordinating with IT, legal, and other relevant departments as necessary.
Notification and Communication: Appropriate stakeholders, including affected individuals, regulatory authorities, and business partners, shall be notified as required by applicable laws and regulations. Clear and timely communication shall be maintained throughout the incident response process.
Remediation and Recovery: Measures shall be implemented to mitigate the impact of the breach, restore affected systems and data, and prevent similar incidents in the future. This may include patching vulnerabilities, improving security controls, and revising policies and procedures.
Evaluation and Lessons Learned: Following the incident, a post-incident review shall be conducted to evaluate the effectiveness of the incident response and identify areas for improvement. Lessons learned shall be documented and incorporated into future incident response planning and training.
SECTION – 3: GENERAL OBLIGATIONS
1. VIOLATION, SANCTION AND REPORTING
Any failure to comply with the current Policy or to deliberately violate the rules set in the Policy will result in the launch of an appropriate investigation by Company. Depending on the gravity of the suspicion or accusations, Company may suspend employee or relations with other stakeholder during the investigation. This will not be subject to challenge.
Depending on the outcome of the independent investigation, if it comes to light that anyone associated with Company has deliberately violated the rules set in the Policy for its personal profit or any other usage of personal data, or has systematically and deliberately contravened with the principles and standards contained in this document, Company will take immediate disciplinary action and any other action which may be appropriate to the circumstances. This may mean, for example, for:
- Employees - disciplinary action/dismissal;
- Officers and interns - ending the relationship with the organisation;
- Contractors and consultants - termination of contract.
Depending on the nature, circumstances and location of the case and violation, Company will also consider involving authorities such as the police/government regulators to ensure the protection of Company Data and victims.
The reporting of suspected or actual violations of this Policy is a professional and legal obligation of all employees and stakeholders. Failure to report information can lead to disciplinary action. Company encourages its employees and stakeholders to report suspected cases which involve any Company employees, consultants, board members, guests or staff of Company's partner organisations, their board members, staff and or suppliers.
Company encourages its employees and stakeholders to report suspected cases through the following means:
- Employee and interns can report contacting the reporting manager;
- Contractors, vendors, associates, clients, Users, lawful guardian, and business partners can use the confidential email address support@zime.ai.
All reports will be treated as confidential in line with Company's code of conduct and other such policy guidelines of the Company.
Company will not tolerate false accusations which are designed to damage employee's, Company's or other stakeholder reputation. Anyone found making false accusations will be subject to investigation and disciplinary action.
2. INDEMNITY
In consideration of Company providing access to Company Data, the employees and/or any other stakeholder (“Indemnifying Party/ies”) agrees to indemnify and hold harmless Company, its officers, directors, employees, and agents (the “Indemnified Party/ies”) from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising out of or in connection with:
Breach of this Policy: Any violation or breach of the Policy pertaining to the handling, use, or disclosure of Company Data.
Unauthorized Access or Use: Any unauthorized access to or use of Company Data.
Data Breaches: Any data breaches, including but not limited to the loss, theft, or unauthorized disclosure of Company Data.
Non-Compliance with Laws: Any non-compliance with applicable laws, regulations, or industry standards related to the protection and handling of Company Data.
Third-Party Claims: Any claims, demands, or actions brought against the Indemnified Parties by third parties alleging the violation of their rights or damages resulting from the Indemnifying Party actions or omissions related to the handling of Company Data.
The Indemnifying Party agrees to indemnify the Indemnified Parties for all damages, losses, liabilities, costs, and expenses incurred as a result of the above-stated matters. This indemnity shall survive the termination of any agreement or relationship between Indemnifying Party and Indemnified Party.
The undersigned party agrees to cooperate fully with Company in the defense of any claim or action covered by this indemnity clause. Company shall have the right to select legal counsel and control the defense and settlement of any such claim, at the Indemnifying Party's expense.
By accessing Company Data provided by Company, the Indemnifying Party acknowledges and agrees to be bound by the terms and conditions of this Policy.
3. RETENTION POLICY
General Principle
Personal Data shall be retained only for as long as necessary to fulfill the legitimate business purpose for which it was collected, or as required by applicable law or regulation. Once the purpose is achieved, data shall be securely deleted, anonymized, or archived, as appropriate.
Retention Timelines
Employee Records: Employee records, including employment contracts, personal information, leave records, and disciplinary files, should be retained for a period of six (6) years from the date of termination of employment. These records may be retained longer if subject to ongoing legal, tax, or audit requirements. Records should be stored in secure HR systems and deleted through secure digital purge tools or certified shredding upon expiry.
Recruitment and Interview Data: Resumes, interview assessments, background checks, and test results of candidates who were not hired should be retained for a period of two (2) year from the date of decision or closure of the recruitment process. Delete thereafter unless consent has been obtained for future opportunities. Store separately from employee files and delete or anonymize through HRMS purging or secure file deletion tools.
Books of Accounts and Tax Records: Books of Accounts and tax records should be retained for at least eight (8) years following the completion of the relevant transactions or assessment year for which the records were last used or as per the requirement of the relevant statute. Store in accounting systems with audit controls and delete securely using financial archiving protocols post expiry.
Payroll and Compensation Records: Payroll records, payslips, tax declarations, and salary-related data should be retained for seven (7) years from the end of the relevant financial year. Maintain in secure payroll software with access restrictions and destroy backups and physical copies securely after retention.
Performance Appraisal and Disciplinary Records: Performance reviews, goal sheets, and PIP documentation should be retained for a period of five (5) years from the date of the last recorded action or review. Retain in performance management platforms and delete or anonymize after period using employee lifecycle tools.
System Access Logs: Logs capturing employee access to systems, login/logout records, IP addresses, and usage trails should be retained for a period of ninety (90) to one hundred and eighty (180) days, unless required longer for an active audit or investigation. Retain for security and incident monitoring. Automatically purge from system logging tools or archive securely for audit before deletion.
Client-Related Data (Handled by Employees): Client correspondence, contracts, deliverables, and contact details should be retained for a period of seven (7) years from the date of termination of the client relationship or as per the specific terms of the client agreement. Retain for contractual and legal purposes. Store in encrypted folders or CRMs and delete or archive securely upon client offboarding or expiry.
User/Customer Data: Data related to users of the Company's platform or services, such as contact information, usage history, and preferences, should be retained for the duration of the User's active account and up to two (2) years thereafter unless deleted earlier on request. Retain for service continuity and user experience enhancement. Maintain in the production database with user access controls and purge upon account deletion or inactivity.
Personal Data: Personal Data should be retained only for as long as necessary to fulfill the purpose for which it was collected and for a maximum of two (2) years thereafter unless consent is withdrawn or deletion is requested earlier. Retain for legal, operational, and support-related use. Store in secure, access-controlled systems and delete promptly upon request or once the lawful basis for processing ceases to exist.
Sensitive Personal Data: Sensitive Personal Data should be retained only for the period strictly necessary to fulfil the purpose for which it was collected or until consent is withdrawn, whichever is earlier. Retain with enhanced security and minimal access. Encrypted storage required; delete immediately via secure erasure tools when purpose is fulfilled or consent withdrawn.
Non-Personal/Anonymized Data: Non-Personal Data derived from users, systems, or transactions may be retained as long as necessary for analytical, training, benchmarking, or statistical purposes. Retain for internal reporting, trend analysis, and AI model optimization. Store in business intelligence systems or data lakes with proper tagging and review periodically for continued relevance.
AI Model Training Data: Data used to train AI systems, including synthetic datasets or customer-approved documentation, should be retained for the lifecycle of the corresponding AI model version and for up to twelve (12) months post-deployment unless deletion is mandated by the customer or required by law. Retain for reproducibility, explainability, and audit readiness. Store in restricted-access repositories and schedule periodic reviews for purging or anonymization.
AI Inference Logs/Output Logs: Logs of AI-generated outputs, system responses, and prompt histories should be retained for a period of thirty (30) to ninety (90) days unless specific legal, audit, or customer issues require longer retention. Retain for quality assurance, hallucination detection, and issue resolution. Store in encrypted and monitored log systems; auto-delete or archive as per retention policy.
Synthetic Data (used for testing): Synthetic or de-identified data generated for testing, validation, or non-production use should be retained only during the testing phase or internal development lifecycle. Retain for debugging and QA consistency. Store in secure test environments with clear labeling; delete or archive once testing objectives are complete.
Vendor and Supplier Data: Vendor contracts, invoices, contact details, and bank information should be retained for a period of five (5) years from the end of the commercial relationship. Retain for audit and procurement reference. Retain in vendor management systems and securely erase or archive contract folders after disengagement.
Customer Support and Service Logs: Customer queries, support chat transcripts, and service call notes should be retained for one (1) to two (2) years from the date of resolution. Retain for quality control and complaint resolution tracking. Store in CRM or helpdesk tools and purge automatically through configured retention settings.
Legal and Contractual Records: Executed contracts, NDAs, dispute correspondence, and legal notices should be retained for a minimum of seven (7) to ten (10) years from the date of termination or closure. Retain for legal enforceability and regulatory review. Store in legal document repositories and purge securely under legal oversight after retention period ends.
Marketing and Consent Records: Email subscription logs, consent history, and campaign data should be retained for twenty-four (24) months from the date of last interaction or until consent is withdrawn. Retain for marketing preference verification and compliance with opt-out regulations. Store in marketing platforms with automated consent expiry rules; delete or anonymize based on opt-out triggers.
Health and Safety Records: Incident reports, injury records, and compliance logs should be retained for six (6) years from the date of the incident. Retain for insurance and workplace safety compliance. Store securely in workplace safety records and dispose through certified physical/electronic destruction channels.
CCTV Footage: Video surveillance footage from office premises or access-controlled areas should be retained for a period of thirty (30) to ninety (90) days unless flagged for investigation or legal purpose. Retain for workplace security. Store in secure DVR/cloud systems with retention auto-controls; auto-delete or isolate flagged footage as needed.
Electronic Documents
Electronic Mail: Email needs to be retained, depending on the subject matter. All e-mail from internal or external sources is to be deleted after 8 years.
- Staff will strive to keep all but an insignificant e-mail related to business issues;
- Company will archive e-mail for eight (8) years after the staff has deleted it, after which time the email will be permanently deleted;
- Staff will not store or transfer Company's related e-mail on non-work-related computers;
- Staff shall not to send confidential/proprietary Company's information to outside sources.
Electronic Documents: including Microsoft Office Suite and PDF files. Retention also depends on the subject matter.
- PDF documents – The length of time that a PDF file should be retained should be based upon the content of the file and the category under the various sections of this Policy. The maximum period that a PDF file should be retained is 8 years. PDF files the employee deems vital to the performance of his or her job should be printed and stored in the employee's workspace;
- Text/formatted files – Staff will conduct annual reviews of all text/formatted files (e.g., Microsoft Word documents) and will delete all those they consider unnecessary or outdated. After 8 years, all text files will be deleted from the network and the staff's desktop/laptop. Text/formatted files the staff deems vital to the performance of their job should be printed and stored in the staff's workspace.
Each day the Company shall run a hard drive backup copy of all electronic files (including email) on the Company's servers, as specified in the Company's Disaster Recovery Plan. This backup tape is a safeguard to retrieve lost information within a one-year retrieval period and should document the network experience problems. The tape backup copy is considered a safeguard for the record retention system of Company but is not considered an official repository of the Company's records.
In certain cases, a Document will be maintained in both paper and Electronic Form. In such cases the official Document will be the electronic document.
Retention Period Protocols
The Company shall maintain the following protocol:
- All Company and employee information is retained, stored and destroyed in line with legislative and regulatory guidelines;
- Carry out periodical reviews of the data retained, checking purpose, continued validity, accuracy and requirement to retain;
- Establish periodical reviews of data retained;
- Establish and verify retention periods for the data, with special consideration given in the below areas:
- the requirements of the Company;
- the type of Personal Data;
- the purpose of Processing;
- lawful basis for Processing;
- the categories of Data Subjects;
Where it is not possible to define a statutory or legal retention period, as per the requirement prescribed under applicable laws, the Company will identify the criteria by which the period can be determined and provide this to the Data Subject on request and as part of our standard information disclosures and privacy notices.
Have processes in place to ensure that records pending audit, litigation or investigation are not destroyed or altered.
Information Asset Owners
All systems and the records they contain have information asset owners (“IAO”) throughout their lifecycle to ensure accountability and a tiered approach to data retention and destruction. Owners are assigned based on role, business area and level of access to the data required. The IAO is recorded on the retention register and is fully accessible to all employees. Data and records are never reviewed, removed, accessed or destroyed without the prior authorization and knowledge of the IAO.
Suspension of Record Disposal for Litigation or Claims
If the Company is served with any legal request for Records or information, any employee becomes the subject of an audit or investigation or we are notified of the commencement of any litigation against our Company, we will suspend the disposal of any scheduled Records until we are able to determine the requirement for any such Records as part of a legal requirement.
Storage & Access of Records and Data
Documents are always retained in a secure location and in Preservation, with authorised personnel being the only ones to have access. Once the retention period has elapsed, the documents are reviewed, archived or confidentially destroyed depending on their purpose.
Expiration of Retention Period
Once a record or data has reached its designated retention period date, the IAO should refer to the retention register for the action to be taken.
Destruction and Disposal of Records & Data
All information of a confidential or sensitive nature on paper or electronic media must be securely destroyed when it is no longer required. This ensures compliance with the data protection laws and the duty of confidentiality we owe to our employees, clients, Users and customers.
The Company is committed to the secure and safe disposal of any confidential waste and information assets in accordance with our contractual and legal obligations and that we do so in an ethical and compliant manner. We confirm that our approach and procedures comply with the laws and provisions applicable to us and that staff are trained and advised accordingly on the procedures and controls in place.
Paper Records
Due to the nature of our business, the Company may retain paper based Personal Information and as such, has a duty to ensure that it is disposed of in a secure, confidential, and compliant manner.
Electronic and IT Records and Systems
The Company uses numerous systems, computers, and technology equipment in the running of our business. From time to time, such assets must be disposed of and due to the information held on these whilst they are active, this disposal is handled in an ethical and secure manner.
The deletion of electronic records must be organised in conjunction with the Company's IT department who will ensure the removal of all data from the medium so that it cannot be reconstructed.
Only our IT department can authorise the disposal of any IT equipment and they must accept and authorise such assets from the department personally. IT equipment follows a fully auditable disposal process involving a combination of secure electronic and physical destruction methods to permanently erase data records prior to disposal of the asset.
In all disposal instances, our IT department must complete a disposal form and confirm successful deletion and destruction of each asset. This must also include a valid certificate of disposal from the authorized personnel removing the formatted or shredded asset. Once disposal has occurred, our IT department is responsible for liaising with the IAO and updating the information asset register for the asset that has been removed.
It is the explicit responsibility of the IAO and IT department to ensure that all relevant data has been sufficiently removed from the IT device before requesting disposal.
Internal Correspondence and General Memoranda
Unless otherwise stated in this Policy or the retention periods register, correspondence and internal memoranda should be retained for the same period as the document to which they pertain or support (i.e. where a memo pertains to a contract or personal file, the relevant retention period and filing should be observed).
Where correspondence or memoranda that do not pertain to any documents having already be assigned a retention period, they should be deleted or shredded once the purpose and usefulness of the content ceases.
Erasure
In specific circumstances, Data Subjects' have the right to request that their Personal Data is erased, however the Company recognize that this is not an absolute 'right to be forgotten'. Data Subjects only have a right to have Personal Data erased and to prevent Processing, if one of the below conditions applies:
- Where the Personal Data is no longer necessary in relation to the purpose for which it was originally collected/processed;
- When the individual withdraws consent;
- When the individual objects to the Processing and there is no overriding legitimate interest for continuing the Processing;
- The Personal Data was unlawfully processed; and
- The Personal Data must be erased to comply with a legal obligation.
Special Category Data
In accordance with legal requirements, organisations are required to have and maintain appropriate policy documents and safeguarding measures for the retention and erasure of special categories of Personal Data and criminal convictions etc.
Our methods and measures for destroying and erasing data are noted in this Policy and apply to all forms of Records and Personal Data, as noted on our retention register schedule.
Compliance And Monitoring
The Company is committed to ensuring the continued compliance with this Policy and any associated legislation and undertake regular audits and monitoring of our records, their management, archiving and retention. IAO are tasked with ensuring the continued compliance and review of records and data within their remit.
Retention Periods
As stated above, and as required by law, the Company shall not retain any Personal Data/Company Data for any longer than is necessary considering the purpose(s) for which that data is collected, held, and processed.
4. RESPONSIBILITIES OF DATA PROTECTION OFFICER
Data Protection Officer is responsible to ensure that the legal requirements, and those contained in this Policy, for data protection are met (e.g. national reporting duties). Management staff are responsible for ensuring that organisational, human resources, and technical measures are in place so that any data Processing is carried out in accordance with data protection.
The managers must ensure that employees are sufficiently trained in data protection compliance.
The details of our Data Protection Officer is:
Name: Ashish Gupta
Email:
ashish@zime.ai5. POLICY REVIEW
This Policy shall be subject to review as may be deemed necessary by the Company and in accordance with any regulatory amendments.
CONTACT INFORMATION
If you have any questions about this Data Protection Policy, please contact us at:
Address: Inner Fit Research Inc, 100 Buckingham Dr. Apt. #243, Santa Clara, CA 95051, United States
Data Protection Officer: Ashish Gupta
ACKNOWLEDGMENT
By accessing and using our services, you acknowledge that you have read and understood this Data Protection Policy and agree to comply with its terms.
If you do not agree with any part of this Data Protection Policy, please contact our Data Protection Officer to discuss your concerns.