Master Privacy Policy & Data Protection Framework

Governing the Collection, Storage, Processing, and Transfer of Personal Data

ISSUED BY: Launzr Private Limited

CORPORATE IDENTIFICATION NUMBER (CIN): U62012BR2025PTC080111

REGISTERED OFFICE: Launzr Private Limited, C/O- Lalit Sah, Ward no. 06, Near Pustakalaya, Dhadiya, Dharia, Kamtaul, Darbhanga, Bihar - 847304, India.

DATE OF EFFECT: February 07, 2026

DOCUMENT CONTROL NO: LPL/LEGAL/PRIVACY-2026/V3

1. PRELIMINARY RECITALS, LEGAL BASIS, AND APPLICABILITY

1.1. Statutory Mandate & Electronic Record

This Master Privacy Policy (hereinafter referred to as the "Policy" or "Framework") is published in strict compliance with the statutory mandates enshrined under:

  • Section 43A of the Information Technology Act, 2000 (Liability for failure to protect sensitive personal data);
  • Regulation 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter "SPDI Rules");
  • The Digital Personal Data Protection Act, 2023 (hereinafter "DPDP Act"); and
  • Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR) regarding the processing of personal data of subjects within the European Economic Area (EEA).

This document constitutes an "Electronic Record" within the meaning of Section 2(t) of the Information Technology Act, 2000, and the rules thereunder. This Policy requires no physical, electronic, or digital signature to be legally binding and enforceable.

1.2. Affirmative Acceptance (Consensus ad Idem)

By accessing the platform (www.launzr.com / www.launzr.in), availing of our professional services, or utilizing our proprietary software (including "NexLibrary"), the User (hereinafter "Data Principal") unequivocally acknowledges having read, understood, and agreed to the terms herein. Continued use of the Services constitutes an affirmative act of consent under Section 6 of the DPDP Act, 2023.

1.3. Territorial Scope

This Policy governs the processing of Personal Data:

  • (i) Collected within the territory of India;
  • (ii) Collected from Data Principals residing outside India (including the EU, UK, and USA) where such data is processed by Launzr in connection with the offering of goods or services.

2. DEFINITIONS AND INTERPRETATION

In this Policy, unless the context otherwise requires, the following terms shall have the meanings ascribed to them:

  • "Data Fiduciary" (or "Controller" under GDPR) means Launzr Private Limited, which alone or jointly with others determines the purpose and means of processing of personal data.
  • "Data Principal" (or "Data Subject") means the individual to whom the personal data relates and where such individual is a child, includes the parents or lawful guardian of such a child.
  • "Personal Data" means any data about an individual who is identifiable by or in relation to such data.
  • "Sensitive Personal Data or Information (SPDI)" means Personal Data revealing financial information (bank accounts, credit cards), physical or mental health, sexual orientation, biometric data, genetic data, transgender status, religious or political belief or affiliation.
  • "Processing" means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
  • "Consent Manager" means a person registered with the Data Protection Board of India, who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.

3. COMPREHENSIVE DATA INVENTORY & COLLECTION MECHANISM

Launzr adheres to the Principle of Data Minimization, collecting only such Personal Data as is strictly necessary for the specified purpose.

3.1. Data Provided Voluntarily by the Data Principal

(a) Identity & Verification Attributes (KYC Data):

  • Full Legal Name, Father's/Spouse's Name, Date of Birth, Gender, Marital Status, Nationality, Residential Status (Resident/NRI).
  • Government Identifiers: Permanent Account Number (PAN), Aadhaar Number (strictly in redacted/masked form pursuant to UIDAI Circulars), Passport Number, Voter ID, Driving License, Director Identification Number (DIN).

(b) Corporate & Professional Attributes:

  • Name of Entity, Corporate Identity Number (CIN), Date of Incorporation, Registered Office Address, Shareholding Patterns, Memorandum & Articles of Association (MoA/AoA).
  • Digital Signature Certificates (DSC) Public Keys and USB Token drivers.

(c) Financial & Fiscal Attributes:

  • Bank Account Details: Account Number, IFSC, MICR, Branch Code, Account Type.
  • Taxation Data: Income Tax Returns (ITR-V), Form 26AS, Annual Information Statement (AIS), GST Returns (GSTR-1, GSTR-3B), Balance Sheets, Profit & Loss Statements, Audit Reports.

3.2. Data Collected Automatically (Technical Telemetry)

(a) Device & Network Information:

Internet Protocol (IP) Address, Media Access Control (MAC) Address, Device Type (Mobile/Desktop), Operating System (OS) Version, Browser Type and Version, Time Zone Setting.

(b) Usage & Interaction Data:

Uniform Resource Locators (URLs) clickstream to, through, and from our Website (including date and time); products viewed or searched for; page response times; download errors; length of visits to certain pages; page interaction information (scrolling, clicks, and mouse-overs).

3.3. Data Received from Third Parties

Launzr may receive Personal Data from credit reference agencies, government registries (MCA Master Data), and public databases for the purpose of verification and due diligence (Know Your Customer / Anti-Money Laundering checks).

4. PURPOSE LIMITATION AND LAWFUL BASIS OF PROCESSING

Launzr processes Personal Data solely for the "Specified Purposes" outlined below, relying on the corresponding "Lawful Basis".

| Specified Purpose | Detailed Description of Processing | Lawful Basis |
|---|---|---|
| Contractual Performance | Drafting legal deeds, filing incorporation forms (SPICe+), developing software, hosting websites, and delivering professional advisory services. | Performance of Contract (Section 6(a) DPDP Act; Art. 6(1)(b) GDPR) |
| Statutory Compliance | Filing Annual Returns, GST Returns, TDS Returns, maintaining Statutory Registers (MGT-1, MGT-2), and complying with MCA/Income Tax notices. | Legal Obligation (Section 6(b) DPDP Act; Art. 6(1)(c) GDPR) |
| Identity Verification | Verification of identity for DSC issuance, PMLA compliance, and fraud prevention protocols. | Public Interest / Legal Obligation |
| Legitimate Business Interest | Network security monitoring, preventing DDoS attacks, improving UI/UX of NexLibrary, internal auditing, and dispute resolution. | Legitimate Interest (Section 6(c) DPDP Act; Art. 6(1)(f) GDPR) |
| Marketing & Outreach | Sending newsletters, promotional offers, and updates on regulatory changes (e.g., "New GST Rates"). | Consent (Affirmative Opt-in) |

5. CONSENT ARCHITECTURE

5.1. Affirmative & Granular Consent

Consent shall be free, specific, informed, unconditional, and unambiguous. By clicking "I Accept," "Register," or "Submit" on our platforms, the Data Principal provides a clear affirmative action signifying agreement to the processing of their Personal Data.

5.2. Right to Withdraw Consent

The Data Principal retains the absolute right to withdraw consent at any time. Such withdrawal must be communicated in writing to the Grievance Officer.

  • Consequence of Withdrawal: Upon withdrawal, Launzr reserves the right to discontinue services for which the said data was essential.
  • Statutory Exception: Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal, nor shall it require the deletion of data that Launzr is legally obligated to retain (e.g., Tax Records).

6. DATA DISCLOSURE AND ONWARD TRANSFER

Launzr maintains a strict "Need-to-Know" disclosure policy. Personal Data is disclosed only to the following categories of recipients:

6.1. Statutory & Regulatory Authorities (Mandatory Disclosure)

The Data Principal explicitly acknowledges that for the provision of Corporate Services, Launzr acts as a facilitator to submit data to public registries. Data is disclosed to:

  • Ministry of Corporate Affairs (MCA): For incorporation and compliance (Data becomes public record).
  • Central Board of Direct Taxes (CBDT): For Income Tax assessments.
  • Goods and Services Tax Network (GSTN): For indirect tax compliance.
  • Controller General of Patents, Designs and Trademarks (CGPDTM): For IPR filings.
  • Reserve Bank of India (RBI): For FEMA compliance (FC-GPR/FLA Returns).

6.2. Third-Party Data Processors (Sub-Processors)

Launzr engages third-party processors under robust Data Processing Agreements (DPAs) that mandate confidentiality and security standards equivalent to this Policy.

  • Cloud Infrastructure: Amazon Web Services (AWS) [Region: AP-South-1], Google Cloud Platform.
  • Payment Aggregators: Razorpay, Stripe (PCI-DSS Level 1 Compliant).
  • Communication Providers: Twilio (SMS/WhatsApp), Zoho Mail (Email).
  • Certifying Authorities (CA): eMudhra, Capricorn (For Digital Signatures).

6.3. Legal Process & Law Enforcement

Launzr may disclose Personal Data if required to do so by law or in the good faith belief that such access, preservation, or disclosure is reasonably necessary to:

  • (i) Comply with a legal process (e.g., Court Order, Warrant, Section 91 CrPC Notice);
  • (ii) Enforce the Master Service Agreement;
  • (iii) Respond to claims that any content violates the rights of third parties.

7. CROSS-BORDER DATA TRANSFERS

7.1. Transfer Mechanism (India to ROW)

For Data Principals located outside India, Personal Data is transferred to, stored, and processed in India. India acts as the central hub for Launzr's operations.

  • Derogation for Specific Situations: Such transfers are necessary for the performance of the contract between the Data Principal and Launzr (Art. 49(1)(b) GDPR).

7.2. Compliance with GDPR/CCPA

  • Standard Contractual Clauses (SCCs): Where applicable, Launzr agrees to execute the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries.
  • Data Sovereignty: Launzr ensures that no data is transferred to any country notified by the Central Government of India as a "restricted territory" under the DPDP Act.

8. DATA SECURITY & INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)

Launzr implements legally mandated "Reasonable Security Practices and Procedures" (IS/ISO/IEC 27001) to protect Personal Data.

8.1. Technical Measures

Encryption:

  • At Rest: AES 256-bit encryption for sensitive databases (Passwords, API Keys, Financial Data).
  • In Transit: TLS 1.3 (Transport Layer Security) protocols for all data transmission.

Access Control:

Multi-Factor Authentication (MFA) enforcement for administrative access. Strict Role-Based Access Control (RBAC) ensuring employees access data only on a "Need-to-Know" basis.

Hashing:

Passwords are never stored in plain text; they are salted and hashed using bcrypt or Argon2 algorithms.

Perimeter Defense:

Deployment of Web Application Firewalls (WAF), Intrusion Detection Systems (IDS), and regular Vulnerability Assessments and Penetration Testing (VAPT).

8.2. Organizational Measures

  • Confidentiality Deeds: Mandatory execution of Non-Disclosure Agreements (NDAs) by all employees, consultants, and interns.
  • Data Isolation: Logical segregation of tenant data within SaaS products (NexLibrary) to prevent cross-contamination.
  • Audit Trails: Maintenance of immutable logs of all access to Sensitive Personal Data for a period of 180 days.

9. DATA RETENTION & DESTRUCTION POLICY

Launzr retains Personal Data only for as long as is necessary to fulfill the purposes for which it was collected, or to comply with legal, regulatory, tax, accounting, or reporting requirements.

| Category of Data | Retention Period | Statutory Reference |
|---|---|---|
| Corporate Records (MoA, AoA, Incorporation Cert.) | Permanent | Constitutive Documents of the Entity. |
| Books of Accounts & Vouchers | 8 Years | Section 128(5), Companies Act, 2013. |
| Income Tax Records | 8 to 10 Years | Section 147/148, Income Tax Act, 1961. |
| GST Records | 72 Months (6 Years) | Section 36, CGST Act, 2017. |
| Project Source Code | 12 Months (Post-Handover) | Backup & Warranty Period. |
| Server Logs | 180 Days (Rolling) | CERT-In Directions (No. 20(3)/2022). |

Destruction Protocol: Upon expiration of the retention period, physical documents are shredded, and digital data is securely wiped (using NIST 800-88 Guidelines) to ensure it is irretrievable.

10. RIGHTS OF THE DATA PRINCIPAL

Subject to applicable laws, the Data Principal is vested with the following rights:

  1. Right to Access & Information: The right to obtain confirmation as to whether Personal Data is being processed and to access a summary of such data.
  2. Right to Correction & Erasure: The right to request correction of inaccurate/misleading data and the erasure of data which is no longer necessary for the purpose.
    • Caveat: The Right to Erasure is not absolute and does not apply where retention is necessary for compliance with a legal obligation (e.g., Tax Laws).
  3. Right to Grievance Redressal: The right to readily available means of grievance redressal regarding any act or omission of the Data Fiduciary.
  4. Right to Nominate: The right to nominate any other individual who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal.

Exercise of Rights: Requests must be submitted to the Grievance Officer via email. Launzr shall respond within 72 hours and resolve the request within 30 days.

11. INDEMNITY AND LIMITATION OF LIABILITY

11.1. Third-Party Breaches

The Data Principal acknowledges that Launzr provides services relying on third-party infrastructure (Government Portals, Payment Gateways). Launzr shall not be liable for any breach of security, data leak, or loss of data occurring on:

  • (i) MCA21 / Income Tax / GST Portals;
  • (ii) Third-party Banking or Payment Gateway servers;
  • (iii) The Data Principal's own insecure networks or devices.

11.2. Force Majeure

Launzr shall not be held responsible for any loss, damage, or misuse of Personal Data attributable to a Force Majeure Event (acts of God, war, cyber-terrorism, failure of public utility/telecommunication networks).

12. DISPUTE RESOLUTION AND GOVERNING LAW

12.1. Governing Law

This Policy shall be governed by, interpreted, and construed in accordance with the substantive laws of the Republic of India, without regard to conflict of law principles.

12.2. Arbitration

In the event of any dispute arising out of or in connection with this Policy, including any question regarding its existence, validity, or termination, the parties shall first attempt to resolve the dispute amicably. If unresolved within 30 days, the dispute shall be referred to Sole Arbitration in Mumbai, India, in accordance with the Arbitration and Conciliation Act, 1996. The language of arbitration shall be English.

12.3. Jurisdiction

Subject to the Arbitration clause, the Courts at Mumbai, Maharashtra shall have exclusive jurisdiction.

13. CONTACT AND GRIEVANCE REDRESSAL MECHANISM

In accordance with Rule 5(9) of the IT Rules, 2011 and Section 13 of the DPDP Act, 2023, the contact details of the Grievance Officer are published below:

Name: Aaditya Jha

Designation: Data Protection & Grievance Officer

Email Address: privacy@launzr.com

Postal Address: Launzr Private Limited, C/O- Lalit Sah, Ward no. 06, Near Pustakalaya, Dhadiya, Dharia, Kamtaul, Darbhanga, Bihar - 847304, India.

Contact Number: 9867358861 (Available Mon-Fri, 10 AM - 6 PM IST)

The Grievance Officer shall acknowledge the complaint within twenty-four (24) hours and dispose of such complaint within a period of fifteen (15) days from the date of its receipt.

This document contains a proprietary legal framework and shall not be reproduced without authorization.