This Privacy Policy sets (hereinafter known as “Policy”) out how the information provided to M/S D2C Insurance Broking Private Limited (hereafter referred to as DIBPL) is collected, processed, protected, stored, transferred, and used. For the purposes of this Privacy Policy, ‘We’, ‘Us’, ‘Our’, ‘DIBPL’ and “Company” refers to M/S D2C Insurance Broking Private Limited, representatives, POSP and affiliates. ‘You’ or ‘Your’ or ‘Yourself’ or ‘User’ which term shall include persons who are accessing the website merely as visitors or undertaking any of the Services provided by DIBPL across all levels in addition to all the employees (permanent or contractual) or contractors, associates and vendors. By accessing the website or using any of our services, you agree to be bound by all the terms of this Privacy Policy. DIBPL "Affiliate" means any Person directly, or indirectly through one or more intermediaries, that i) controls, ii) is controlled by or iii) is under common control of DIBPL. "control," as used in the immediately preceding sentence, shall mean with respect to any person, the possession, directly or indirectly, of the power, through the exercise of voting rights, contractual rights or otherwise, to direct or control the decision-making of the management or policies of the controlled person. "Person" includes any natural person, corporation, partnership, Limited Liability Company, trust, unincorporated association, or any other entity.

This Privacy Policy has been designed and developed to help you to understand the following:

The type of Personal Data (including digital personal data or information and physical personal data uploaded digitally) that we collect from the Users; The purpose of collection, means and modes of usage of such Personal Data by the Company; how and to whom the Company will disclose such information; how the Company will protect the Personal Data that is collected from the Users; and how Users may access and/or modify their Personal Data.

This Policy defines requirements in line with Digital Personal Data Protection Act, 2023 (“DPDP Act”) to help ensure compliance with laws and regulations applicable to DIBPL’s’ collection, processing, storage, use, transmission, disclosure to third parties and retention of Personal Data.

While using our Services, we may collect the following categories of Personal Data from the Users:

1. Name
2. User ID
3. Email address
4. Address (including country and ZIP/postal code)
5. Gender
6. Age
7. Phone Number
8. Password chosen by the User
9. Geographical location through the IP address of the Users;
10. Financial account information like bank account details, GST certificate, PAN Card, Credit Card details and tokenization henceforth etc. and transactional information in relation to transactions where the Company is involved;
11. Personal information pertaining to the health of the User;
12. Personal Data of Child (under 18 years of age) along with Guardian/parental consent
13. Vehicle details i.e Registration certificate, Insurance policies (current and previous), Transfer Certificate, Challans, Driving license.
14. Any of the aforesaid information pertaining to the customer/buyer of the User; and
15. All other Personal Data as the User may share from time to time (including personally identifiable information/details)

To avail the services, the Users may also be required to upload/share certain documents (for instance, Aadhaar, PAN Card, GST certificate, etc.), on the platform and/or e-mail the same to the Company. We may also keep records of telephone calls received and made for making inquiries, orders, or other purposes necessary for the administration of services.

We may also receive and/or hold information about the User’s browsing history including the Uniform Resource Locator (URL) of the site that the User visited prior to visiting the platform as well as the Internet Protocol (IP) address of each User's computer (or the proxy server a User used to access the World Wide Web), User's computer operating system and type of web browser the User is using as well as the name of User's Internet Service Provider (ISP). The platform may use temporary cookies to store certain data (that is not Personal Data) that is used by us for the technical administration of the platform, research, and development, and for User administration. In addition, we may in future include other optional requests for information from the User including through User surveys to help Us customize the platform to deliver personalized information to the User and for other purposes as mentioned herein. Such information may also be collected during surveyss conducted by us. Any such additional Personal Data will also be processed in accordance with this Privacy Policy.

We will retain Personal Data only to the extent it is necessary to provide one or more services. By providing your information, you consent to the collection, sharing, disclosure and usage of the information in accordance with this Privacy Policy. The information, which we collect may be utilized for various business and/or regulatory purposes including but not limited for the following purposes:

1. For issuance of the insurance policy that you have opted for.
2. For providing information about various products and services.
3. For addressing queries put forth by you and for resolving the concerns pertaining to any service or product.
4. For processing your transactions and also to provide you transaction and post transaction-related services.
5. For providing, improving, and marketing our products and services, including site content and performance.
6. For sending you survey and marketing communications.
7. For facilitating various programmes and initiatives launched either by us or third party which we believe may be of an interest to you.
8. For facilitating usage of our Website/App.
9. For improving our services, product or content on our Website/App.
10. For providing group insurance cover .
11. For providing health related information to you that are offered by insurer.
12. For sending notices, communications, offer alerts and to contact you over the telephone/mobile number and/or e-mail address provided by you for sending information of our products in which you have shown your interest, policy renewal reminders, other service details and other general information about insurance.
13. For appointment as Point of Salesperson /employee.
14. For verification purposes.
15. For the purpose of joining of the employee and for validation of the details of the curriculum vitiate.
16. To enhance customer service.
17. To extend services or promotion, survey or other site or business feature.
18. For Aadhaar authentication and sharing, storing, using Aadhaar data
19. For sales and marketing Activities
20. Allow you to access specific account information.
21. To process transactions, where requested, under your User ID and Password All the data/information collected may be stored on the infrastructure provided by third party cloud service in India which is fully compliant with regulatory requirements within. No information/data that is collected ever goes out of India.

This policy is applicable to the following:

1. Customers who provide their personal data to DCSPL.
2. All DIBPL employees, contractors, vendors, interns, and business partners who may receive personal data from DIBPL, have access to personal data collected or processed by or on behalf of DIBPL, or who provide information to DIBPL

This policy covers the treatment of personal data gathered and used by DIBPL for lawful purposes. And covers the personal data we share with authorized Third Parties or that Third Parties share with us.

The main objectives of the Privacy Policy are:

1. To ensure that all the personal data in DIBPL custody is adequately protected against threats to maintain its security.
2. To ensure that DIBPL employees are fully aware of the contractual, statutory, or regulatory implications of any privacy breaches.
3. To limit the use of personal data to identified business purposes for which it is collected.
4. To create an awareness of privacy requirements to be an integral part of the day-to-day operation of every employee and ensure that all employees understand the importance of privacy practices and their responsibilities for maintaining privacy.
5. To make all the employees and users aware about, the processes that need to be followed for collection, lawful usage, disclosure/ transfer, retention, archival and disposal of personal data.
6. To ensure that all third parties collecting, storing, and processing personal data on behalf of DIBPL provide adequate data protection.
7. To ensure that applicable regulations and contracts regarding the maintenance of privacy, protection and cross border transfer of personal data are adhered to.

1. Compliance with this policy is mandatory for all DIBPL employees involved in processing DIBPL’s personal data.
2. The Data Protection Officer will monitor and report on the level of compliance that DIBPL employees achieve with respect to this policy and the requirements set out within this document.
3. Non-compliance with this policy will require explicit authorisation from the DIBPL Data Protection Officer.
4. Prior approval should be obtained from the Data Protection Officer before this document is provided to any third parties.

As per DPDP Act, DIBPL shall provide the notice only where consent is the basis of processing data. The Notice shall entail purpose of processing, manner for accessing rights and the manner to make a complaint. Privacy Notice shall be published in languages as specified in the Eighth Schedule of the Indian Constitution as per DPDP Act.

As per DPDP Act, Notice which shall be issued by DIBPL shall have the following contents:

1. Information regarding nature of personal data being collected.
2. The purpose for which it is collected.
3. The mechanism in which consent may be withdrawn.
4. Information regarding grievance redressal
5. The mechanism in which a complaint may be made to enforcement authority.

Appropriate notice shall be provided to data principals at the time personal data is collected.

Period for which personal data shall be retained as per identified business purpose or as mandated by regulations, whichever is later.

That personal data shall only be collected for the identified purposes.

Methods employed for collection of personal data, including ‘cookies and other tracking techniques, and third-party agencies.

That an individual’s personal data shall be disclosed to Third Parties only for identified lawful purposes and with the consent of the individual, wherever possible

Consequences of withholding or withdrawing consent to the collection, use and disclosure of personal data for identified purposes.

Data principals are responsible for providing DIBPL with accurate and complete personal data, and for contacting the entity if correction of such information is required.

Process for an individual to view and update their personal data records.

Process for an individual to register a complaint or grievance with regard to privacy practices at DIBPL.

Contact information of person in charge of privacy practises and responsible for privacy concerns with address at DIBPL

Process for an individual to withdraw consent for the collection, use and disclosure of their personal data for identified purposes; and

That implicit or explicit consent is required to collect, use, and disclose personal data, unless a law or regulation specifically requires or allows otherwise.

Data principals shall be provided a Privacy Notice in case any new purpose is identified for using or disclosing personal data before such information is used for purposes not previously identified.

Lawful purpose after obtaining consent of the data principal or for certain legitimate uses. These legitimate cases include:

1. Voluntarily provided personal data by data principal.
2. Data principal has not explicitly indicated that they do not provide consent to use personal data.
3. By the state and any of its instrumentalities for any function under any law for the time being in force in India.
4. For matters concerning public interest, e.g., medical emergency, judicial use.
5. For the purposes of employment or those related to safeguarding the employer from loss or liability.

By using our website and submitting your information, you are required to provide your explicit consent on this site for the collection and use of your personal data, as described in this Privacy Policy, including but not limited to, Your explicit consent for sharing this information as per this Privacy Policy. We recommend that You do not use/access and/or continue to use/access the website/app if You do not agree to the terms and conditions of this Privacy Policy. We obtain Your consent depending on our relationship with You. Thus, the consent is obtained in the following manner:

1. Consent of prospects/customers: Consent of the customer is taken on the proposal form/ through acceptance of the terms and conditions of our application or website
2. Consent of Partners: Consent of the Partner is obtained at the time of joining the company or accepting the terms and conditions of our app or website during enrolling stage.
3. Consent of Vendors/Suppliers: Consent of the vendor/supplier is obtained through signed written contracts along with supporting legal documents like affidavits.
4. Consent of the Employees: Consent of an employee is obtained through the forms filled up by an employee at the time of joining through the joining documents and/ or through self-attested testimonials and other KYC documentation.

You have an option to refuse to give Your consent or withdraw Your consent in a way as specified below:

1. Customers can choose to approach our offices for a more private and protected meeting further leading to safe completion of the transaction or choose to make transactions through the website/app.
2. Vendors have the right to choose to terminate the contract or modify the terms of the contract as mutually agreed upon by the Company and the vendor.
3. Partners can drop the decision to become a Partner or after becoming a Partner, request for termination can be made and NOC can be taken from us with respect to the same.
4. Employee has the option to not join the Company or if the employee has joined the Company, they can modify the information submitted to us.”
5. In case of termination of Partners, Vendors or employment, data of the respective individual may be kept as mandated by any regulations abided by DIBPL.

The DPDP Act outlines the requirements for obtaining valid explicit consent for processing personal data.

1. DIBPL shall seek consent, which is freely given, specific, informed, and unambiguous by a clear affirmative action. An option to access Consent in English or languages specified in the Eighth Schedule of the Indian Constitution shall be provided. A record shall be maintained of explicit consent obtained from data principals.
2. Consent shall be obtained from data principals before their personal information is used for purposes not previously identified.
3. Appropriate consent shall be obtained from data principals before their personal information is shared with third parties or transferred to or from their information processing systems.
4. DIBPL shall seek verifiable parental consent before processing any personal data related to children.

The DPDP Act introduces the concept of "consent managers," registered with the Data Protection Board, who assist data principals in managing their consent.

The Data Principal through a Consent Manager may give, review, or withdraw their consent.

Consent Manager Details are provided below:

Name: Ashutosh Pandey

Email:Ashutosh.Pandey@renewbuy.com

Personal data shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by DPDP Act. Personal Data retention shall be only for the duration necessary to fulfil the identified lawful purposes or as prescribed by law. We may need to disclose/transfer User’s Personal Data to certain third-party service providers in order to provide Users with the Services they have opted for. We may need to disclose / transfer User’s Personal Data to government and judicial institutions/authorities, to the extent required:

1. Under the laws, rules, and regulations and/or under orders of any relevant judicial or quasi-judicial authority;
2. To protect and defend the rights or property of the Company;
3. To fight fraud and credit risk;
4. To enforce the Company's Terms of use (to which this Privacy Policy is also a part); or
5. When the Company, in its sole discretion, deems it necessary in order to protect its rights or the rights of others.

The Company may also make all Personal Data accessible to its employees and data processors/third party vendors only on a need-to-know basis and for the purposes set out in this Privacy Policy. The Company takes adequate steps to ensure that all the employees and data processors/third party vendors, who have access to, and are associated with the processing of Personal Data, respect its confidentiality and that such data processors/third party vendors adopt at least such reasonable level of security practices and procedures as required under applicable law. However, the Company does not disclose information, individually labelled, or aggregated, obtained through Marketplace application programming interface on behalf of a User to other Users or any third parties, unless required by law.

Non-personally identifiable information may be disclosed to third party ad servers, ad agencies, technology vendors and research firms to serve non-targeted advertisements to the Users. The Company may also share its aggregate findings (not specific information) in a non- personally identifiable form based on information relating to the User’s internet use (to the extent set out in this Privacy Policy) to prospective, investors, strategic partners, sponsors, and others in order to help growth of Company's business. We may also disclose or transfer the Personal Data, to another third party as part of reorganization or a sale of the assets or business of Company. Any third party to which the Company transfers or sells its assets will have the right to continue to use.

1. Provide a clear, concise, and comprehensible notice to data principals.
2. Ensure data collected is accurate, complete, and consistent.
3. Process personal data for which data principal has given consent or for certain legitimate uses.
4. Report Personal Data Breaches to Data Protection Board and Data Principals within 24 hours of breach.
5. Erase Your personal data unless retention of the same is necessary as per any other applicable regulations abided by DIBPL.
6. Implement technical and organizational measures to ensure protection of personal data and effective adherence with the DPDP Act.

Data principals under the DPDP Act have the below rights:

Right to Information - Individuals have the right to seek more information on how their data is processed, available in clear and understandable way from DIBPL.

Right to correction and erasure - Individuals have the right to correct inaccurate/ incomplete data and erase data that is no longer required for processing.

Right to grievance redressal - Individuals have the right to readily available means of registering a grievance with DIBPL.

Right to nominate - Individuals may nominate any other individual to exercise these rights in the event of death or incapacity.

To exercise any of the above rights or raise grievances, Data Principals may contact the Consent Manager at DIBPL by sending an email to the contact address provided in the policy. The policy also contains details of other designated officers such as the Data Protection Officer and Grievance Redressal Officer for further support. [Refer to Section 9]

Significant data fiduciaries are required to appoint a Data Protection Officer and Data Protection Auditor (DPA) responsible for ensuring DPDP compliance.

Consent Manager Details are provided below:

Name: Ashutosh Pandey

Email:Ashutosh.Pandey@renewbuy.com

In case of a personal data breach (Data breach refers to any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data), DIBPL is obligated to notify the Data Protection Board of India and affected data principals promptly.

Data principals must first seek redressal with DIBPL before lodging a complaint with the Data Protection Board or courts.

Data Grievance Officer Details are provided below:

Name: Mr. Sanchit Baveja

Email:data-grievance@renewbuy.com

The links to third-party advertisements, third party websites or any third-party electronic communication services (referred to as “Third Party Links”) may be provided on the platform which are operated by third parties and are not controlled by, or affiliated to, or associated with the Company, unless expressly specified on the platform. If You access any such Third-Party Links, we request You to review the concerned website’s privacy policy. We shall not be responsible for the policies or practices of such third parties.

Personal data shall be disclosed to third parties only for identified lawful purposes and after obtaining appropriate consent from the data principals unless a law or regulation allows or requires otherwise.

Where reasonably possible, DIBPL shall ensure that third parties collecting, storing, or processing personal data on behalf of DIBPL have:

1. Signed agreements to protect personal data consistent with DIBPL Privacy Policy and information security practices or implemented measures as prescribed by law.
2. Signed non-disclosure agreements or confidentiality agreements which includes privacy clauses in the contract;
3. Established procedures to meet the terms of their agreement with DIBPL to protect personal data.

Personal data may be transferred across geographies from where DIBPL operates for storage or processing where any of the following apply:

1. The individual has given consent to the transfer of information.
2. The transfer is necessary for the performance of a contract between the individual and DIBPL, or the implementation of pre-contractual measures taken in response to the individual’s request.
3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between DIBPL and a third party.
4. The transfer is necessary or legally required on important public interest grounds or for the establishment, exercise, or defence of legal claims.
5. The transfer is required by law.
6. The transfer is necessary in order to protect the vital interests of the individual.
7. The transfer is made under a data transfer agreement.
8. The transfer is otherwise legitimised by applicable law.

Remedial action shall be taken in response to misuse or unauthorized disclosure of personal data by a third party collecting, storing, or processing personal data on behalf of DIBPL.

For the purpose of providing the Services and for other purposes identified in this Privacy Policy, we are required to collect and host certain data and information of the Users. We are committed to protecting Your Personal Data, and to that end, the Company adopts reasonable security practices and procedures to implement technical, operational, managerial and physical security control measures in order to protect the Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. While we try our best to provide security that is commensurate with the industry standards, due to the inherent vulnerabilities of the internet, we cannot ensure or warrant complete security of all information that is being transmitted to Us.

The Company takes adequate steps to ensure that third parties to whom the Personal Data may be transferred adopt at least such reasonable level of security practices and procedures as required under applicable law to ensure security of Personal Data.

You hereby acknowledge that the Company is not responsible for any information sent via the internet that has been intercepted beyond Our control after having adopted reasonable security practices and procedures, and You hereby release Us from any and all claims arising out of or related to the use of intercepted information in any unauthorized manner.

DIBPL has a statutory duty to keep certain records for a minimum 12 years or longer if mandated by any other applicable laws. A data fiduciary shall, unless retention is necessary for compliance with any law, erase personal data upon the data principal withdrawing his/her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier.