Privacy Policy

Last modified – 21st June 2023

Introduction

Your privacy is important to us!!

EkRewards is committed to respecting your privacy while using our website and services. This EkRewards Privacy Policy ("Policy") defines the requirements to ensure compliance with applicable data privacy laws and regulations regarding our collection, use, and transmission of Personal Data and Sensitive Personal Data.

This website is operated by EkRewards ("we", "us" or "our"). This privacy policy ("Policy") explains how we collect, use, and disclose information about our users when you use our rewards and recognition platform, our website (the "Site"), and other online products and services that link to this Policy (collectively, the "Service").

We refer throughout this Policy to our users as "User," "you," or "your," and we also refer to users as "Potential Customers" to denote those visiting our site or requesting information regarding our Services, "Customer Company" to denote our organizational customer, and "Employee User" to denote individual employees of Customer Company who are users of our rewards platform and services through their employer.

By using the Service, you consent to our collection, use, and disclosure of your personal information as described in this Policy. Protecting the privacy rights of data subjects and safeguarding their Personal Data is treated as a basic right of an individual and a legal requirement. As a global organization, EkRewards respects the privacy of data subjects and is committed to complying with applicable data privacy laws and legislations (including but not limited to GDPR, CCPA/CPRA, and other applicable privacy laws to the extent that they apply to EkRewards data processing and business operations).

We take your privacy seriously. If you have any questions about this Policy or about privacy at EkRewards, please contact us at privacy@ekrewards.com.

This privacy policy describes:

  • The information we collect, how we do so, and the purposes of our collection
  • How we use and with whom we share such information
  • How you can access and update such information
  • The choices you can make about how we collect, use, and share your information
  • How we protect the information we store about you
  • Your rights regarding your personal data

If you access our Services from a third-party site, you may be required to also read and accept the third party's terms of service and privacy policy.

Definitions

The meanings of some of the terms used in this Policy are explained below:

Personal Data:

Any information about a "Data Subject" that can reasonably be associated with or linked to an identifiable natural person, which could include anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, economic, cultural, or social identity of that natural person.

Personal Information (applicable only to California residents):

Information pertaining to residents of California that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, but does not include information that is lawfully made available from federal, state, or local government records, nor does it include "deidentified" or "aggregate customer information" as those terms are defined pursuant to the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA).

Sensitive Personal Data:

Defined as any information revealing an identified or identifiable natural person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic information, biometric information for the purpose of uniquely identifying a natural person, data concerning health, or information concerning an individual's sex life or sexual orientation, and data relating to offenses, or criminal convictions.

Process, Processes, Processed or Processing:

Means any operation or set of operations performed on Personal Data or Personal Information or Sensitive Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Consent:

Any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which the Data Subject, via a statement or by a clear affirmative action, signifies agreement to the Processing of their Personal Data, Personal Information and/or Sensitive Personal Data.

Data Subject:

Relates to a particular natural person (i.e., an identified or identifiable natural person to whom the Personal Data relates). In case of a minor/individual with mental disabilities, the data subject would be represented by a legal representative (parent/guardian).

For the purpose of clarity of this Policy, "Data Subject" means EkRewards current and previous employees, prospective candidates, current, prospective and previous customer personnel, current and previous partner/vendor personnel, website visitors, sub-contractors, and visitors.

EkRewards does not collect Personal Data/Personal Information and Sensitive Personal Information from Data Subjects that are under the age of 18. For the purpose of CCPA/CPRA, Data Subject shall include California residents.

Data Controller:

Means a person or organization who (either alone, or jointly, or in common) determines the purposes for which and the manner in which any Personal Data are, or are to be, Processed. For the purposes of this Policy, references to Data Controller shall mean references to EkRewards and its affiliates, where relevant.

Data Processor:

Is a person or organization who Processes the Personal Data on behalf of and under the instruction of the Data Controller.

Third Party:

In relation to Personal Data or Personal Information or Sensitive Personal Data means any person other than the Data Subject, the Data Controller, or any Data Processor or other person authorized to process data for the Data Controller.

Personal Information we collect and process and how we use it

Information we collect from Customer Company

When a Customer Company indicates interest in our Service, we collect the following information: full name, email address, company name, and phone number. We collect this information through our website contact forms, demo requests, and integration with various business platforms.

Personal data we collect from Employee Users

We collect human resource ("HR") information and other information about Employee Users from the Customer Company, such as: full name, email address, phone number, employee ID, department, and any other information that may be required for rewards and recognition program administration.

This data is provided by the Customer Company's HR department directly or indirectly by allowing EkRewards to connect to customer systems like HRMS, Single sign-on systems, etc., and is loaded and maintained in our system for program administration and analytics.

When Employee Users participate in recognition programs, redeem rewards, or engage with our platform, we collect usage data and preferences. Employee User activities are connected to their profiles for program administration purposes.

Tracking Information

When a User visits our Site, we use certain tracking data ("Tracking Information"). We use analytics tools for Tracking Information.

The following Tracking Information is collected: email address, device ID, IP address, and usage patterns. We collect this information directly through our platform and mobile applications.

Payment information

If a third party is not paying for the service on your behalf, we will collect the billing and financial information necessary to process your charges for EkRewards services which require payment, which may include your postal and e-mail addresses. EkRewards may also receive the billing and payment information that you provide when your purchase is processed by another party, such as payment processors. Our Terms of Service explain our policies and terms relevant to our charges and billing practices.

Technical and usage information

When you access our websites or use our Services, we collect:

  1. Certain technical information about your mobile device or computer system, including IP Address and mobile device ID; and
  2. Usage statistics about your interactions with the Service, including rewards redeemed, recognition given and received, and platform engagement metrics.

This information is typically collected using server log files or web log files ("Log Files"), mobile device software development kits, and tracking technologies like browser cookies to collect and analyze certain types of technical information.

Cookies and automated information collection

When you access the Service, we collect certain technical information in order to:

  1. Analyze the usage of our sites and services;
  2. Provide a more personalized experience;
  3. Improve our rewards and recognition platform functionality; and
  4. Manage user preferences.

You can set your web browser to warn you about attempts to place cookies on your computer or limit the type of cookies you allow.

Other sources

We may collect or receive information from other sources including third-party information providers. This information will be used to supplement your profile and improve our services. It will be combined with other information we collect.

How we use the information we collect

In general, we collect, store, and use your information to provide you with a safe, smooth, efficient, and customized experience. For example, we may use information collected from you in any one or more of the following ways:

  • Provide, maintain, and improve our rewards and recognition Service
  • Provide and deliver the Service Customer Company requests and configures, process reward transactions, and send you related information, including confirmations
  • Investigate system issues that impact our ability to provide the Service to Users
  • Send you technical notices, updates, confirmations, security alerts, and support and administrative messages
  • Respond to your comments, questions, and requests and provide customer service
  • Communicate with Customer Companies about products, services, offers, promotions, and rewards offered by EkRewards and our partners
  • Monitor and analyze trends, usage, and activities in connection with our Service and improve and personalize the Service
  • Personalize and improve the Service, content, or features that match user profiles or interests
  • Link or combine with information we get from others to help understand your needs and provide you with better service
  • Facilitate reward redemptions and recognition programs

We will not sell, rent, or share Personal Data with third parties outside of our company without your consent, except in the following ways:

Law enforcement and internal operations

Personal Data may be provided where we are required to do so by law, or if we believe in good faith that it is reasonably necessary:

  1. To respond to claims asserted against EkRewards or to comply with the legal process (for example, discovery requests, subpoenas, or warrants);
  2. To enforce or administer our policies and agreements with users;
  3. For fraud prevention, risk assessment, investigation, customer support, product development, and debugging purposes; or
  4. To protect the rights, property, or safety of EkRewards, its users, or members of the general public.

We will use commercially reasonable efforts to notify users about law enforcement or court-ordered requests for data unless otherwise prohibited by law. However, nothing in this Privacy Policy is intended to limit any legal defenses or objections that you may have to any third-party request to compel disclosure of your information.

Data recipients, transfer, and disclosure of Personal Information

EkRewards does not share your Personal Information with third parties for their direct marketing purposes.

We reserve the right to use or disclose your Personal Information if required by law or if we reasonably believe that use or disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a law, court order, or legal process.

Business transfer

EkRewards may sell, transfer, or otherwise share some or all of its assets, including your Personal Data, in connection with a merger, acquisition, reorganization, or sale of assets or in the event of bankruptcy. Under such circumstances, EkRewards will use commercially reasonable efforts to notify its users if their personal information is to be disclosed or transferred and/or becomes subject to a different privacy policy.

Third parties

We sometimes contract with other companies and individuals to perform functions or services on our behalf, such as reward fulfillment, software maintenance, data hosting, sending email messages, etc. We necessarily have to share your Personal Data with such third parties as may be required to perform their functions. We take necessary steps to ensure that these parties take protecting your privacy as seriously as we do, including entering into Data Processing Addendum(s) and ensuring appropriate data protection measures are in place.

How is my data protected?

We have implemented reasonable administrative, technical, and physical security measures to protect your personal information against unauthorized access, destruction, or alteration. For example:

  • SSL encryption (HTTPS) where we deal with personal data. Personal Data is encrypted in transit using HTTPS/SSL/TLS and encrypted at rest
  • Our database is encrypted, and data transferred is encrypted using secure protocols
  • Password protection on your account with strong password requirements
  • Multi-factor authentication options for enhanced security
  • Data is kept on secure, encrypted servers with regular security audits
  • Restricting staff access to Personal Data, protected by password logs and two-factor authentication
  • Non-Disclosure Agreements with vendors and partners
  • Regular staff privacy and security training
  • Continuous security monitoring and vulnerability assessments

Retention and Disposal of Personal Data or Personal Information

  1. User Data: 7 Years from the date of termination of contract
  2. Employee data: As per applicable data protection laws and company retention policies
  3. Financial data: As per applicable financial regulations
  4. Audit logs: 1 Year
  5. Other records: 3 Years or as required by applicable law

Children's Personal Information

We do not knowingly collect any personal information from children under the age of 16. If you are under the age of 16, please do not submit any personal information through our Websites or Services.

We encourage parents and legal guardians to monitor their children's Internet usage and to help enforce this Policy by instructing their children never to provide personal information through the Websites or Services without their permission. If you have reason to believe that a child under the age of 16 has provided personal information to us through the Websites or Services, please contact us at privacy@ekrewards.com, and we will use commercially reasonable efforts to delete that information.

Your rights in relation to your information

  • Access: You have the right to access information about the personal data we hold about you
  • Right to be informed about the data that we collect, process, and store
  • Right to object to processing: You have the right to object to processing of your personal data
  • Rectification: You have the right to request rectification of inaccurate personal data held about you
  • Erasure: To the extent permitted by applicable data protection laws, you have the right to request erasure of personal data held about you
  • Restriction of processing: This enables you to request that we restrict the processing of your personal data in certain circumstances
  • Rights in relation to automated decision-making, including profiling
  • Portability: You have the right to obtain your personal data to enable you to reuse it

To exercise any of these rights, please email us at privacy@ekrewards.com.

India Privacy Rights

To align your privacy policy with Indian laws, several critical updates and additions must be made. The central requirements are dictated by the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and the IT Act, 2000. Here are the fundamental changes and their relevance, based on your original policy:

Core Requirements under Indian Law

  • Explicit and Informed Consent: Clearly obtain consent before collecting any personal or sensitive data, ensuring users know what information will be collected, how it will be used, and their rights regarding their data.
  • Clear and Accessible Privacy Notice: The policy must be itemized and in plain language. Offer the notice in English and relevant Indian languages where practical.
  • Sensitive Personal Data: Define and treat "Sensitive Personal Data or Information" (SPDI) as per Indian law—this includes passwords, financial info, health data, biometrics, etc. SPDI requires explicit written consent before collection or processing.
  • Purpose Limitation & Data Minimization: Collect personal data only for stated, lawful purposes. Limit data collection to what's strictly needed for the specified function.
  • Retention and Deletion: Retain personal data only as long as necessary for the purpose. Upon withdrawal of consent or completion of purpose, data must be erased unless required otherwise by law.
  • Data Security & Reasonable Practices: Implement administrative, technical, and physical safeguards, including encryption, password policies, secure servers, and regular staff training, as required by the SPDI Rules and IT Act.
  • Data Access and Correction Rights: Users must have the ability to access, correct, and request erasure of their personal data, and restrict or object to processing as applicable.
  • Grievance Redressal: Appoint a Grievance Officer in India and provide contact details in the policy for users to address complaints/concerns.
  • Reporting Data Breaches: All personal data breaches must be notified to the Data Protection Board of India under the DPDP Act.
  • Cross-Border Data Transfer: Data transfers outside India must comply with the localization and transfer provisions as per the DPDP Act—only to trusted jurisdictions and with consent where mandated.
  • Children's Data: Obtain verifiable parental consent before collecting data from children under 18. Avoid tracking, targeted advertising, and behavioral monitoring of children.
  • Complaint Handling and Penalties: The privacy policy should mention user rights to file complaints and outline redressal mechanisms. Non-compliance includes hefty penalties (up to ₹250 crore).

Specific Content Changes Needed

  • Remove references to non-Indian laws like GDPR and CCPA except to the extent they are needed for global operations with cross-border transfers.
  • Ensure definitions and terminology align with the DPDP Act and IT rules.
  • Reframe the section on children's privacy to reflect the age limit (under 18) as per Indian law rather than 16.
  • Include a clear section about data localization requirements for certain types of data (e.g., financial/payment data).
  • Clarify that explicit consent must be obtained for sensitive personal data or SPDI, and additional care must be taken for children's data.
  • Appoint and list the contact of a Grievance Officer in India, distinct from any Data Protection Officer globally.
  • Reference the right to lodge complaints with the Data Protection Board of India and explain grievance procedure timelines.

Additional Recommendations

  • Adapt cookie consent and data tracking clauses to DPDP Act requirements.
  • Language should be customer-centric, written in clear, comprehensible terms, with an emphasis on user rights and transparency.

Complaints and Grievances

Any complaints or grievances received about our use of Personal Data, Personal Information, or Sensitive Personal Data and any communications regarding enforcement of your privacy rights should be promptly directed to our Data Protection Officer.

Contact:
Attn: Data Protection Officer
Email ID: privacy@ekrewards.com

Updates to Our Policy

We may amend or update our Privacy Policy. We will provide you notice of amendments to this Privacy Policy, as appropriate, and update the "Last modified" date at the top of this Privacy Policy. Please review our Privacy Policy from time to time.
