This Privacy Policy sets out how the information provided by you is collected, used, stored, processed, transferred and protected. Please read the terms carefully. By accessing the Website or using any of our services, You agree to be bound by all the terms of this Privacy Policy.
This Privacy Policy sets (hereinafter known as “Policy”) out how the information provided to M/S D2C Insurance Broking Private Limited (hereafter referred to as DIBPL) is collected, processed, protected, stored, transferred, and used. For the purposes of this Privacy Policy, ‘We’, ‘Us’, ‘Our’, ‘DIBPL’ and “Company” refers to M/S D2C Insurance Broking Private Limited, representatives, POSP and affiliates. ‘You’ or ‘Your’ or ‘Yourself’ or ‘User’ which term shall include persons who are accessing the website merely as visitors or undertaking any of the Services provided by DIBPL across all levels in addition to all the employees (permanent or contractual) or contractors, associates and vendors. By accessing the website or using any of our services, you agree to be bound by all the terms of this Privacy Policy. DIBPL "Affiliate" means any Person directly, or indirectly through one or more intermediaries, that i) controls, ii) is controlled by or iii) is under common control of DIBPL. "control," as used in the immediately preceding sentence, shall mean with respect to any person, the possession, directly or indirectly, of the power, through the exercise of voting rights, contractual rights or otherwise, to direct or control the decision-making of the management or policies of the controlled person. "Person" includes any natural person, corporation, partnership, Limited Liability Company, trust, unincorporated association, or any other entity.
2. PurposeThis Privacy Policy has been designed and developed to help you to understand the following:
The type of Personal Data (including digital personal data or information and physical personal data uploaded digitally) that we collect from the Users; The purpose of collection, means and modes of usage of such Personal Data by the Company; how and to whom the Company will disclose such information; how the Company will protect the Personal Data that is collected from the Users; and how Users may access and/or modify their Personal Data.
This Policy defines requirements in line with Digital Personal Data Protection Act, 2023 (“DPDP Act”) to help ensure compliance with laws and regulations applicable to DIBPL’s’ collection, processing, storage, use, transmission, disclosure to third parties and retention of Personal Data.
Types of Personal Data collected by the Company:While using our Services, we may collect the following categories of Personal Data from the Users:
To avail the services, the Users may also be required to upload/share certain documents (for instance, Aadhaar, PAN Card, GST certificate, etc.), on the platform and/or e-mail the same to the Company. We may also keep records of telephone calls received and made for making inquiries, orders, or other purposes necessary for the administration of services.
Automatic Data CollectionWe may also receive and/or hold information about the User’s browsing history including the Uniform Resource Locator (URL) of the site that the User visited prior to visiting the platform as well as the Internet Protocol (IP) address of each User's computer (or the proxy server a User used to access the World Wide Web), User's computer operating system and type of web browser the User is using as well as the name of User's Internet Service Provider (ISP). The platform may use temporary cookies to store certain data (that is not Personal Data) that is used by us for the technical administration of the platform, research, and development, and for User administration. In addition, we may in future include other optional requests for information from the User including through User surveys to help Us customize the platform to deliver personalized information to the User and for other purposes as mentioned herein. Such information may also be collected during surveyss conducted by us. Any such additional Personal Data will also be processed in accordance with this Privacy Policy.
Purposes for which the Company may use the Information:We will retain Personal Data only to the extent it is necessary to provide one or more services. By providing your information, you consent to the collection, sharing, disclosure and usage of the information in accordance with this Privacy Policy. The information, which we collect may be utilized for various business and/or regulatory purposes including but not limited for the following purposes:
This policy is applicable to the following:
This policy covers the treatment of personal data gathered and used by DIBPL for lawful purposes. And covers the personal data we share with authorized Third Parties or that Third Parties share with us.
4. ObjectiveThe main objectives of the Privacy Policy are:
As per DPDP Act, DIBPL shall provide the notice only where consent is the basis of processing data. The Notice shall entail purpose of processing, manner for accessing rights and the manner to make a complaint. Privacy Notice shall be published in languages as specified in the Eighth Schedule of the Indian Constitution as per DPDP Act.
Contents of NoticeAs per DPDP Act, Notice which shall be issued by DIBPL shall have the following contents:
Appropriate notice shall be provided to data principals at the time personal data is collected.
Period for which personal data shall be retained as per identified business purpose or as mandated by regulations, whichever is later.
That personal data shall only be collected for the identified purposes.
Methods employed for collection of personal data, including ‘cookies and other tracking techniques, and third-party agencies.
That an individual’s personal data shall be disclosed to Third Parties only for identified lawful purposes and with the consent of the individual, wherever possible
Consequences of withholding or withdrawing consent to the collection, use and disclosure of personal data for identified purposes.
Data principals are responsible for providing DIBPL with accurate and complete personal data, and for contacting the entity if correction of such information is required.
Process for an individual to view and update their personal data records.
Process for an individual to register a complaint or grievance with regard to privacy practices at DIBPL.
Contact information of person in charge of privacy practises and responsible for privacy concerns with address at DIBPL
Process for an individual to withdraw consent for the collection, use and disclosure of their personal data for identified purposes; and
That implicit or explicit consent is required to collect, use, and disclose personal data, unless a law or regulation specifically requires or allows otherwise.
Data principals shall be provided a Privacy Notice in case any new purpose is identified for using or disclosing personal data before such information is used for purposes not previously identified.
7. Legitimate UsesLawful purpose after obtaining consent of the data principal or for certain legitimate uses. These legitimate cases include:
By using our website and submitting your information, you are required to provide your explicit consent on this site for the collection and use of your personal data, as described in this Privacy Policy, including but not limited to, Your explicit consent for sharing this information as per this Privacy Policy. We recommend that You do not use/access and/or continue to use/access the website/app if You do not agree to the terms and conditions of this Privacy Policy. We obtain Your consent depending on our relationship with You. Thus, the consent is obtained in the following manner:
You have an option to refuse to give Your consent or withdraw Your consent in a way as specified below:
The DPDP Act outlines the requirements for obtaining valid explicit consent for processing personal data.
The DPDP Act introduces the concept of "consent managers," registered with the Data Protection Board, who assist data principals in managing their consent.
The Data Principal through a Consent Manager may give, review, or withdraw their consent.
Consent Manager Details are provided below:
Name: Ashutosh Pandey
Email:Ashutosh.Pandey@renewbuy.com
Address: Plot No. 94, Second Floor, Sector-32, Gurugram -122001, Haryana 10. Limiting use, Disclosure and Transfer of User’s Personal DataPersonal data shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by DPDP Act. Personal Data retention shall be only for the duration necessary to fulfil the identified lawful purposes or as prescribed by law. We may need to disclose/transfer User’s Personal Data to certain third-party service providers in order to provide Users with the Services they have opted for. We may need to disclose / transfer User’s Personal Data to government and judicial institutions/authorities, to the extent required:
The Company may also make all Personal Data accessible to its employees and data processors/third party vendors only on a need-to-know basis and for the purposes set out in this Privacy Policy. The Company takes adequate steps to ensure that all the employees and data processors/third party vendors, who have access to, and are associated with the processing of Personal Data, respect its confidentiality and that such data processors/third party vendors adopt at least such reasonable level of security practices and procedures as required under applicable law. However, the Company does not disclose information, individually labelled, or aggregated, obtained through Marketplace application programming interface on behalf of a User to other Users or any third parties, unless required by law.
Non-personally identifiable information may be disclosed to third party ad servers, ad agencies, technology vendors and research firms to serve non-targeted advertisements to the Users. The Company may also share its aggregate findings (not specific information) in a non- personally identifiable form based on information relating to the User’s internet use (to the extent set out in this Privacy Policy) to prospective, investors, strategic partners, sponsors, and others in order to help growth of Company's business. We may also disclose or transfer the Personal Data, to another third party as part of reorganization or a sale of the assets or business of Company. Any third party to which the Company transfers or sells its assets will have the right to continue to use.
11. Obligations of DCSPL as Data FiduciaryData principals under the DPDP Act have the below rights:
Right to Information - Individuals have the right to seek more information on how their data is processed, available in clear and understandable way from DIBPL.
Right to correction and erasure - Individuals have the right to correct inaccurate/ incomplete data and erase data that is no longer required for processing.
Right to grievance redressal - Individuals have the right to readily available means of registering a grievance with DIBPL.
Right to nominate - Individuals may nominate any other individual to exercise these rights in the event of death or incapacity.
To exercise any of the above rights or raise grievances, Data Principals may contact the Consent Manager at DIBPL by sending an email to the contact address provided in the policy. The policy also contains details of other designated officers such as the Data Protection Officer and Grievance Redressal Officer for further support. [Refer to Section 9]
13. Data Protection OfficerSignificant data fiduciaries are required to appoint a Data Protection Officer and Data Protection Auditor (DPA) responsible for ensuring DPDP compliance.
Consent Manager Details are provided below:
Name: Ashutosh Pandey
Email:Ashutosh.Pandey@renewbuy.com
Address: Plot No. 94, Second Floor, Sector-32, Gurugram -122001, Haryana 14. Breach NotificationIn case of a personal data breach (Data breach refers to any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data), DIBPL is obligated to notify the Data Protection Board of India and affected data principals promptly.
15. Grievance RedressalData principals must first seek redressal with DIBPL before lodging a complaint with the Data Protection Board or courts.
Data Grievance Officer Details are provided below:
Name: Mr. Sanchit Baveja
Email:data-grievance@renewbuy.com
Address: Plot No. 94, Second Floor, Sector-32, Gurugram -122001, Haryana 16. Disclosure to Third PartiesThe links to third-party advertisements, third party websites or any third-party electronic communication services (referred to as “Third Party Links”) may be provided on the platform which are operated by third parties and are not controlled by, or affiliated to, or associated with the Company, unless expressly specified on the platform. If You access any such Third-Party Links, we request You to review the concerned website’s privacy policy. We shall not be responsible for the policies or practices of such third parties.
Personal data shall be disclosed to third parties only for identified lawful purposes and after obtaining appropriate consent from the data principals unless a law or regulation allows or requires otherwise.
Where reasonably possible, DIBPL shall ensure that third parties collecting, storing, or processing personal data on behalf of DIBPL have:
Personal data may be transferred across geographies from where DIBPL operates for storage or processing where any of the following apply:
Remedial action shall be taken in response to misuse or unauthorized disclosure of personal data by a third party collecting, storing, or processing personal data on behalf of DIBPL.
17. Security Practices for PrivacyFor the purpose of providing the Services and for other purposes identified in this Privacy Policy, we are required to collect and host certain data and information of the Users. We are committed to protecting Your Personal Data, and to that end, the Company adopts reasonable security practices and procedures to implement technical, operational, managerial and physical security control measures in order to protect the Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. While we try our best to provide security that is commensurate with the industry standards, due to the inherent vulnerabilities of the internet, we cannot ensure or warrant complete security of all information that is being transmitted to Us.
The Company takes adequate steps to ensure that third parties to whom the Personal Data may be transferred adopt at least such reasonable level of security practices and procedures as required under applicable law to ensure security of Personal Data.
You hereby acknowledge that the Company is not responsible for any information sent via the internet that has been intercepted beyond Our control after having adopted reasonable security practices and procedures, and You hereby release Us from any and all claims arising out of or related to the use of intercepted information in any unauthorized manner.
18. Deletion & Retention of RecordsDIBPL has a statutory duty to keep certain records for a minimum 12 years or longer if mandated by any other applicable laws. A data fiduciary shall, unless retention is necessary for compliance with any law, erase personal data upon the data principal withdrawing his/her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier.
19. DefinitionsS. No. | Terms | Definitions |
---|---|---|
1 | Data Fiduciary | Refers to any person who alone or in conjunction with other persons determine the purpose and means of processing of personal data |
2 | Data Principal/ User | Refers to the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf; |
3 | Consent Manager | Refers to a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent, and interoperable platform |
4 | Data Processor | Refers to any person who processes the personal data on behalf of the Data Fiduciary. |
5 | Personal Data or Personally Identifiable Information (PII) | It refers to any data about an individual who is identifiable by or in relation to such data |
6 | Personal Data Breach | It refers to any means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data |
7 | Records of Processing Activities (ROPA) | ROPA are documents that provide a detailed overview of the personal data processing activities carried out by an organization. |
8 | Significant Data Fiduciary | Refers to any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government on the basis of an assessment of such relevant factors as it may determine, including: (a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order |
9 | Board | Refers to the Data Protection Board of India established by the Central Government |
10 | Child | Refers to an individual who has not completed the age of eighteen years |
11 | Data Protection Officer | Refers to means an individual appointed by the Significant Data Fiduciary who shall (i) represent the Significant Data Fiduciary under the provisions of this Act; (ii) be based in India; (iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and (iv) be the point of contact for the grievance redressal mechanism under the provisions of this Act |
12 | Notification | Means a notification published in the Official Gazette and the expressions “notify” and “notified” shall be construed accordingly |
13 | Processing | Means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure, or destruction |
14 | Specified Purpose | Means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act and the rules made thereunder |
15 | POSP | POSP stands for Point of Sales Person. It refers to an individual authorized to sell insurance products (life, health, and general) on behalf of insurers or intermediaries under IRDAI guidelines. |