Prodhee

Privacy Policy

Effective Date: October 30, 2025
Supersedes: All previous versions.

Prodhee Technologies Private Limited (PTPL, “we,” “us,” or “our”) is committed to protecting personal data and upholding data subject rights under the applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Policy sets out the principles, mechanisms, and legal bases governing the collection, use, disclosure, and safeguarding of personal data in connection with our digital offerings: our corporate website, our proprietary software products (e.g., HRMS, QRPay), and our professional services, including IT Consulting, Custom Software Development, and specialised solutions in Applied & Generative AI and the Industrial Internet of Things (IIoT).

1. Scope, Data Roles, and Definitive Principles

A. Material Scope and Jurisdiction of this Policy

This Policy’s stipulations and obligations apply universally to all personal data for which PTPL acts as the Data Controller, thereby singly or jointly determining the explicit purposes and the essential means of processing. This specifically encompasses, without limitation, all data pertaining to our clients, prospective clients engaging in pre-contractual discussions, visitors to our corporate website, and corporate representatives with whom we maintain an active business relationship.

B. Controller and Processor Distinction and Contractual Rigour

PTPL maintains distinct legal roles in data processing, necessitating rigorous definition:

  • Data Controller (PTPL’s Primary Role under this Policy): PTPL assumes the status of Controller regarding all personal data collected for the purposes of managing our internal corporate operations, executing strategic marketing campaigns, managing billing and financial administration, and fulfilling statutory requirements related to our internal workforce.
  • Data Processor (PTPL’s Role in Service Delivery): Where PTPL is commissioned to provide professional services that necessitate the handling or access to client-owned data—such as data residing within a deployed Custom Software solution, Personally Identifiable Information (PII) processed via an AI/MLOps pipeline, or operational data managed as part of DevOps-as-a-Service—we act strictly as a Processor. In such critical instances, the entire processing activity is governed by the client’s precise written instructions and mandated by a dedicated, legally robust Data Processing Agreement (DPA). The client retains the designation of Controller, and consequently, their internal data policy shall exercise primary jurisdiction over that specific client data set. Our role is strictly limited to supporting the client’s data governance obligations.

C. Basis for Compliance: The Pillars of UK GDPR

This Policy ensures and documents PTPL’s commitment to compliance with the seven key principles of UK GDPR, ensuring all processing is: lawful, fair and transparent; purpose-limited; data minimised; accurate; storage-limited; secure (integrity and confidentiality); and demonstrably accountable. We maintain comprehensive records of processing activities (ROPA) as evidence of this accountability.

2. Categories of Personal Data Collected and Operational Processing

The categories of data collected are stringently governed by the principle of necessity and are directly proportionate to the specified purpose of the interaction. We process several distinct and defined categories of personal data, maintaining the principle of data minimisation throughout the data lifecycle.

A. Data Acquired via Digital Interactions and the Corporate Website

Category: Identity and Contact Data
  • Data elements collected: Full name, professional title, company affiliation, corporate email address, fixed and mobile telephone numbers, and current business location.
  • Justification for collection and processing: Required to take pre-contractual and commercial steps, conduct service consultations, manage post-sale relationships, and fulfil requests for technical publications and insights from the Insights section.

Category: Technical and Usage Data
  • Data elements collected: Internet Protocol (IP) address, device identifiers, operating system type, browser configuration and version, referrer data, clickstream activity, timestamps, user activity logs, and cookie preferences.
  • Justification for collection and processing: Used exclusively for diagnostics, security monitoring (the same telemetry that underpins our Cybersecurity services), fraud pattern detection and prevention, and performance analytics aimed at improving the security and functioning of the website.

Category: Professional and Recruitment Data
  • Data elements collected: Curriculum Vitae (CV), academic qualifications, professional certification documentation, employment history, compensation expectations, and interview assessment notes (all processed via the “Careers” portal).
  • Justification for collection and processing: Processed exclusively to assess candidates’ suitability and technical competence for internal employment or for engagement in our Staff Augmentation and specialised technical roles.

B. Data Related to Contractual, Service, and Operational Administration

For the necessary purposes of establishing, fulfilling, and managing the contractual relationship (PTPL acting as the Data Controller):

  • Contractual and Financial Data: Detailed bank account information, comprehensive invoicing data, historic payment records, and necessary formal signatory documentation required for Custom Software Development contracts, managed service agreements, and proprietary product license administration.
  • Client Operational Metadata (Non-PII): Highly specialized system-generated logs, performance counters, resource utilisation statistics, and configuration details related to the underlying infrastructure that PTPL manages or provisions. This data, essential for maintaining Cloud Migration environments or client-facing IoT Data Analytics infrastructure, is strictly non-client data (i.e., it pertains to the operational health of the service itself, not the content).
  • Special Category Data (SCD) and Risk Mitigation Protocols: In the exceptionally limited event that personal data collected by PTPL as the Controller constitutes Special Category Data (e.g., biometric data for secure internal access, health information related to a legally mandated accommodation request by an employee/contractor, or deep background check data required for a specific security clearance in highly regulated sectors like Banking or Healthcare), processing shall only occur under strict legal exemption. Such exemptions include explicit documented consent, necessity for employment law obligations, or substantial public interest basis, and are subject to a mandatory Data Protection Impact Assessment (DPIA).

3. Lawful Bases, Detailed Purposes, and Legal Justification for Processing

We are mandated under Article 6 of the UK GDPR to identify and document a valid legal basis for every discrete instance of processing personal data. The principal legal bases rigorously relied upon by PTPL are detailed and elaborated below:

A. Fulfillment of Contractual Obligations (Article 6(1)(b) UK GDPR)

The processing of specific personal data is determined to be strictly necessary for the successful performance of the contract entered into directly with the data subject or the organisation they represent, or for taking pre-contractual steps at their request.

  • Purpose: Comprehensive deployment, end-to-end lifecycle management, and proactive support of our proprietary platforms (e.g., HRMS), ensuring system uptime and feature delivery as per the Service Level Agreement (SLA).
  • Purpose: Execution of the agreed scope of work for bespoke technology initiatives, including the full development lifecycle within Custom Software Development and the provision of specialised, dedicated technical teams (Smart Development Teams). Without this data we would be unable to perform the contract.

B. Compliance with Legal Obligations (Article 6(1)(c) UK GDPR)

Processing is strictly necessary for compliance with a legal or regulatory obligation to which PTPL is unconditionally subject under UK or international law.

  • Purpose: Mandatory regulatory reporting to financial authorities, adherence to rigorous tax compliance requirements, and fulfillment of company law mandates for corporate record-keeping and external auditing purposes.
  • Purpose: Responding to mandatory legal requests, enforceable court orders, subpoenas, or lawful demands from the UK Information Commissioner’s Office (ICO) or other recognized regulatory bodies and courts within any jurisdiction in which we operate.

C. Legitimate Interests (Article 6(1)(f) UK GDPR)

Processing is deemed necessary for the purposes of the demonstrable legitimate interests pursued by PTPL or by a trusted third party, critically, except where such interests are overridden by the fundamental rights and freedoms of the data subject. PTPL does not proceed on this basis without first conducting formal Legitimate Interest Assessments (LIAs), ensuring a meticulous balancing test is applied.

  • Purpose: Corporate Security and Resilience: This involves the continuous, systematic monitoring of network activity, digital assets, and usage logs (Technical and Usage Data) to effectively detect, prevent, and respond to sophisticated cyber threats, internal and external fraud, or system abuse. This processing enhances our own internal AI-integrated Cybersecurity posture and protects the integrity of our client service delivery environment.
  • Purpose: Business Optimization and Strategic Development: Conducting internal analytics, detailed market research, and targeted research and development (R&D) activities (e.g., assessing the efficiency and performance of our MLOps pipelines and service consumption metrics). This optimization is vital for improving service delivery methodologies, enhancing product functionality, and guiding future strategic investment and product roadmapping.
  • Purpose: Responsible Business Communications: Sending direct marketing communications and technical updates about services relevant to your industry or professional expertise (e.g., specialised updates for the Banking or Healthcare sectors), based exclusively on an existing business relationship. You may object to such communications at any time (see Section 7.F), and we will stop them immediately.

D. Consent (Article 6(1)(a) UK GDPR)

Processing on this basis occurs only where the data subject has given freely given, specific, informed, and unambiguous consent. We rely on consent only where no other lawful basis applies.

  • Purpose: Sending broad promotional marketing materials, non-service-related newsletters, or communications regarding future PTPL services when no pre-existing legitimate interest basis can be demonstrated.
  • Purpose: Processing and retaining certain categories of Recruitment Data beyond the standard retention period (e.g., keeping CVs and interview notes for potential future roles). Consent may be withdrawn at any time; withdrawal stops the consented processing, although it does not affect the lawfulness of processing carried out before withdrawal.

E. Protecting Vital Interests (Article 6(1)(d) UK GDPR)

Processing may occur where it is necessary to protect the vital interests of the data subject or another natural person.

  • Purpose: This highly restricted basis is reserved for emergency scenarios, such as disclosing limited personal data to emergency services personnel (e.g., hospital staff, police) concerning a PTPL employee or contractor who suffers a life-threatening medical emergency while on PTPL premises or during the provision of service, where the data subject is incapable of providing consent.

4. Controlled Disclosure and Management of Data Transfer

PTPL adheres to strict non-disclosure protocols and does not sell or commercially license personal data to external commercial entities. Disclosure is restricted to the following necessary, contractually safeguarded, and monitored scenarios:

A. Affiliated Entities and Global Delivery Model

Personal data may be transferred to our globally affiliated group companies, subsidiaries, and joint venture partners that participate directly in the execution and delivery of our services. This is consistent with the core requirements of our global delivery model and is executed for internal administration, specialized technical support, and critical resource allocation across diverse operational regions. All affiliated entities are contractually mandated to adhere to the comprehensive security and data protection standards established within this Policy.

B. Third-Party Service Providers and Due Diligence on Sub-Processors

We engage a selection of carefully chosen and rigorously vetted third-party organisations and Sub-Processors to perform essential, delegated functions on our behalf. These Sub-Processors include, but are not limited to: cloud infrastructure providers (hosting services, per our Cloud Migration expertise), payment processors, and specialized software tool vendors for customer relationship management and communications.

  • Due Diligence Process: Before engagement, every Sub-Processor undergoes an extensive due diligence process assessing their security certifications, regulatory compliance history, and technical controls. All third parties are subjected to mandatory Data Processing Agreements (DPAs) that stipulate stringent confidentiality and security requirements, grant PTPL rights of audit, and strictly prohibit the use of data for any non-contractual, secondary purposes.

C. Mandatory Disclosure and Judicial Obligations

We shall disclose personal data where there is a legally binding, non-discretionary obligation to do so. This may include disclosure to government, regulatory bodies (e.g., ICO, FCA), or judicial authorities within the UK or other jurisdictions, particularly where disclosure is necessary to uphold public interest, defend PTPL’s legal rights, or comply with sector-specific obligations, especially concerning our clients operating in regulated sectors (Banking and Financial Services).

D. Corporate Reorganisation and Transactional Integrity

In the event of a proposed or actual merger, acquisition, sale of assets, consolidation, or other form of corporate reorganisation, personal data may be transferred to the acquiring or successor entity as a business asset. Such transfers are executed under strict confidentiality agreements, and the receiving party will be contractually required to uphold privacy standards equivalent to or higher than those set forth in this Policy.

5. International Data Transfers: Mechanisms and Advanced Safeguards

As a global technology provider, the controlled transfer of personal data across international borders is an intrinsic and unavoidable component of our global delivery model. We ensure that such transfers strictly maintain a consistently high level of protection by employing robust and officially recognized legal transfer mechanisms:

  • Reliance on Adequacy Decisions: We prioritise transfers to jurisdictions that have been formally deemed by the UK Government to offer an adequate level of protection for personal data, thereby simplifying the compliance process.
  • Mandatory Legal Transfer Mechanisms: For transfers to territories not covered by an adequacy decision, we utilise the following mandatory legal safeguards, ensuring full compliance with Chapter V of the UK GDPR:
    • The formal execution of the UK International Data Transfer Agreement (IDTA), which governs the transfer of personal data from the UK.
    • The execution of the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (SCCs), as officially recognised and validated under UK law.
  • Transfer Risk Assessments (TRAs) and Supplementary Measures: Prior to implementing any transfer mechanism, PTPL conducts thorough Transfer Risk Assessments (TRAs). These assessments meticulously evaluate the legal and practical risks posed by the recipient country’s surveillance laws and public authority access practices. We then implement necessary supplementary measures—which may include enhanced technical measures (e.g., strong end-to-end encryption, multi-party computation) or organizational measures (e.g., contractual transparency requirements, commitment to challenge disclosure requests)—to mitigate any residual risk to the data subject’s rights and freedoms, thereby ensuring the data remains “essentially equivalent” in protection to the UK standard.

6. Data Security, Integrity, and Rigorous Retention Principles

A. Principles of Data Security, Confidentiality, and Testing

PTPL treats the security of personal data as a non-negotiable prerequisite, adopting a philosophy of security by design and by default across all internal systems and client-facing services. Our comprehensive security architecture, consistent with international standards and Cloud Security best practices, includes:

  • Cryptographic Controls: Personal data is encrypted at rest (storage encryption, with keys held in a key management service, KMS) and in transit (TLS).
  • Access Control and Identity Management: Identity and Access Management (IAM) systems with multi-factor authentication enforce the principle of least privilege, so that personnel can access only the minimum data necessary for their defined operational role.
  • Proactive Security Testing and Training: We conduct regular, independent vulnerability assessment and penetration testing (VAPT) across our digital infrastructure, and our AI-integrated Cybersecurity platforms monitor that infrastructure for anomalies in real time. All personnel receive mandatory, ongoing data protection and security awareness training to maintain a culture of vigilance against threats.
  • Incident Response: We maintain a formal, tested Data Incident Response Plan (DIRP) to ensure that any personal data breach is identified, contained, and remediated. Where a breach is likely to result in a risk to individuals, we report it to the ICO within 72 hours of becoming aware of it; where it is likely to result in a high risk to individuals’ rights and freedoms, we also inform the affected data subjects without undue delay.

B. Data Retention Policy and Systematic Destruction

Personal data is retained only for the duration that is strictly necessary for the fulfilment of the purpose for which it was originally collected, or to satisfy any overriding legal, accounting, audit, or mandatory reporting requirements. Retention periods are non-uniform:

  • Contractual and Financial Data: Retained for the duration of the commercial relationship plus a minimum of seven (7) years following the termination or expiry of the contract. This period covers the six-year record-keeping requirements under UK tax and company law (as enforced by HMRC) and audit obligations, together with the six-year limitation period for contractual claims.
  • Recruitment Data: CVs and associated documents for unsuccessful candidates are typically deleted or systematically anonymised within six (6) months of the final decision, unless the candidate provides explicit, documented consent for a longer retention period (not exceeding two years) to be considered for future Staff Augmentation roles.
  • Usage and Technical Logs: These logs, critical for security and system diagnostics, are retained for a period necessary for forensic security investigation, typically ranging from 90 days to one (1) year. Following this period, the data is subjected to secure destruction or irreversible aggregation into fully anonymous statistical data sets. All destruction methods comply with established industry best practices for secure data disposal.

7. Comprehensive Exercising of Data Subject Rights (UK GDPR)

As a data subject under UK GDPR, you are entitled to exercise the following rights concerning your personal data processed by PTPL. Several of these rights are qualified rather than absolute, as noted below. All requests are subject to identity verification to prevent fraudulent access. We respond to valid requests without undue delay and in any event within one month of receipt; where a request is complex or we receive several requests from you, this period may be extended by up to two further months, in which case we will tell you within the first month and explain why.

A. Right of Access (Subject Access Request – SAR)

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and, where that is the case, access to the personal data itself. This includes information on the purposes of the processing, the categories of data concerned, the anticipated retention period, and the recipients to whom the personal data have been or will be disclosed.

B. Right to Rectification

You have the right to request the prompt rectification of inaccurate personal data and to have incomplete personal data completed, including by providing a supplementary statement or documentation.

C. Right to Erasure (Right to be Forgotten)

You possess the right to request the erasure of your personal data without undue delay under specific, stipulated conditions, such as when the data is no longer necessary for the purposes for which it was originally collected, or where you formally withdraw consent and no other overriding legal basis for processing exists. This right is not absolute; we may retain data where necessary for legal claims or compliance with legal obligations.

D. Right to Restriction of Processing

You have the right to obtain from us the restriction of processing in specific circumstances, such as contesting the accuracy of the data (while the accuracy is being verified), or where the processing is determined to be unlawful, but you explicitly oppose the erasure of the personal data.

E. Right to Data Portability

You possess the right to receive the personal data concerning you, which you have provided to us on the basis of consent or contract, in a structured, commonly used, and machine-readable format. You also have the right to request the transmission of that data directly to another Data Controller without hindrance from PTPL, where technically feasible.

F. Right to Object

You have the critical right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on the legal basis of our Legitimate Interests, including profiling based on those interests. Where data is processed for direct marketing purposes, you retain an absolute and unqualified right to object, which we will immediately honour.

G. Rights Related to Automated Decision Making and Profiling

In the context of our specialised Applied & Generative AI services and internal systems, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This right does not apply where the decision is necessary for entering into, or performance of, a contract with you, is authorised by UK law, or is based on your explicit consent; in each case, appropriate safeguards apply, including the right to obtain human intervention, to express your point of view, and to contest the decision.

8. Policy Review, Maintenance, and Transparency of Amendments

PTPL operates under a commitment to proactive and continuous compliance and accountability. This Policy shall be formally reviewed and, where necessary, systematically revised on at least an annual basis, or immediately following any significant legislative changes, material technological advancements (e.g., significant changes in our MLOps or IoT infrastructure), or fundamental alterations to our core business processes. Any fundamental modifications that materially alter your rights or our processing practices shall be communicated to you via a prominent and sustained notice on our corporate website, and, where deemed appropriate and feasible, via direct electronic communication.

9. Data Protection Officer and Engagement with the Supervisory Authority

A. Contacting PTPL’s Data Protection Officer (DPO)

For any substantive questions, formal requests to exercise your data subject rights, or concerns regarding this Policy or PTPL’s processing of your personal data, please address your correspondence to the designated Data Protection Officer:

Prodhee Technologies Private Limited
Attention: Data Protection Officer (DPO)

No. 712, MIG ‘A’ Phase, Opp to Seshadripuram PU College, Yelahanka New Town, Bengaluru 560064

Email: dpo@prodhee.com