Data Protection and Privacy Policy
Effective November 1, 2025
1. Purpose
This policy establishes the principles and processes that TraCarta India Private Limited follows to ensure the lawful, fair, and transparent collection, processing, storage, and disposal of personal and sensitive information. It also ensures compliance with applicable data protection regulations, including the Indian IT Act, 2000, and, where applicable, the General Data Protection Regulation (GDPR).
2. Scope
This policy applies to:
• All personal and sensitive personal information handled by TraCarta India Private Limited.
• All employees, contractors, vendors, and third parties who collect, process, store, or have access to such data.
• All systems, applications, and processes where personal or sensitive data is involved.
3. Definitions
• Personal Information: Any data that identifies an individual, such as name, contact details, identification number, etc.
• Sensitive Personal Information: Includes financial data, health information, biometric data, or any information classified as sensitive under applicable laws.
• Data Subject: An individual whose personal data is collected or processed.
4. Policy Statement
TraCarta is committed to:
• Collecting only the data necessary for legitimate business purposes.
• Processing data lawfully, fairly, and transparently.
• Implementing strong security controls to protect data.
• Allowing data subjects to exercise their rights, including opt-in/opt-out and consent withdrawal.
5. Data Collection Principles
5.1. Identifying the Data to be Collected
• Only collect data necessary for business operations, service delivery, and compliance obligations.
• Maintain a Data Inventory listing the types of data collected, purposes, and retention periods.
5.2. Process of Data Collection
• Data may be collected through forms, portals, secure email, contracts, or client-provided systems.
• All collection points must include a privacy notice specifying the purpose, legal basis, and rights of the data subject.
5.3. Business Need for Data Collection
• Data collection must be directly linked to providing services, meeting contractual obligations, or complying with legal/regulatory requirements.
• Collection must be approved by the Data Protection Officer (DPO) or designated authority.
5.4. Opt-In/Opt-Out Mechanisms
• Obtain explicit consent where required (opt-in).
• Provide a clear process for withdrawing consent (opt-out) without undue delay.
• Ensure that opting out does not negatively impact the data subject unless it affects the ability to deliver contracted services.
6. Data Protection Measures
6.1. Security Controls
• Encrypt personal and sensitive data both in transit (TLS 1.2+) and at rest (AES-256).
• Implement access controls to restrict data access to authorized personnel only.
• Maintain audit logs for all access to sensitive data.
6.2. Data Retention & Disposal
• Retain data only for the duration necessary to fulfill the business purpose or legal requirement.
• Securely destroy data (digital wipe or physical shredding) when no longer needed.
6.3. Third-Party Data Sharing
• Conduct due diligence on vendors before sharing data.
• Ensure all third parties sign a Data Processing Agreement (DPA) that aligns with this policy.
7. Roles & Responsibilities
• Data Protection Officer (DPO): Oversees compliance, reviews policy annually, and handles data subject requests.
• Department Heads: Ensure data collection follows approved processes.
• Employees: Follow policy requirements, report breaches immediately.
• IT Security Team: Maintain technical controls to protect data.
8. Data Subject Rights
TraCarta will honor the following rights (where applicable under law):
• Right to access personal data.
• Right to correct inaccuracies.
• Right to withdraw consent.
• Right to request deletion of data (subject to legal obligations).
9. Breach Management
• Any data breach must be reported immediately to the DPO.
• Affected individuals and relevant authorities will be notified where legally required.
10. Review & Maintenance
• This policy will be reviewed every 12 months by the DPO and updated to reflect changes in laws, technology, and business processes.