PRIVACY POLICY
This Privacy Policy (“Policy”) is effective as of April 01,2026 (“Effective Date”).
INTRODUCTION
Drifbolt Retail Private Limited (“Drifbolt”, “Company”, “we”, “us”, or “our”) is committed to safeguarding the privacy and personal data of its customers, users, partners, and stakeholders.
As a technology-driven footwear and lifestyle brand operating through digital platforms, Drifbolt recognises that trust is built on transparency, consent, and responsible data handling. This Policy outlines how we collect, use, process, store, and protect personal data in a lawful and secure manner.
This Policy is designed in compliance with:
-
The Digital Personal Data Protection Act, 2023
-
The Information Technology Act, 2000
-
The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
and is further aligned with globally accepted privacy standards and best practices.
We are committed to ensuring that all personal data is handled with integrity, confidentiality, and accountability, while also providing Users with clear rights and effective grievance mechanisms.
RECITALS
WHEREAS:
A. Drifbolt Retail Private Limited operates a digital commerce platform and is committed to protecting the personal data and privacy rights of all Users in accordance with applicable laws and best practices;
B. Applicable laws require entities acting as data fiduciaries to implement transparent data processing practices, ensure adequate safeguards, and provide mechanisms for informed consent and grievance redressal;
C. The Company recognises that personal data—including sensitive data such as financial information—must be processed lawfully and protected against unauthorised access, misuse, or loss;
D. The Company seeks to build user trust and ensure legal compliance by establishing a comprehensive framework governing data collection, usage, and protection;
Here is your rephrased and professionally aligned version for Drifbolt, maintaining consistency with the earlier sections and a strong legal tone:
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions
Unless the context otherwise requires, the following terms shall have the meanings assigned below:
a) “Applicable Law” refers to the Digital Personal Data Protection Act, 2023, along with all rules, amendments, and notifications thereunder, and includes the Information Technology Act, 2000 and relevant rules to the extent applicable.
b) “Data Principal” means any identifiable individual whose personal data is processed by the Company, including Users, customers, and website visitors.
c) “Data Fiduciary” refers to Drifbolt Retail Private Limited, which determines the purpose and means of processing personal data under applicable law.
d) “Personal Data” means any data relating to an identified or identifiable individual, including but not limited to:
-
Name
-
Contact details
-
Location data
-
Online identifiers
-
Any other information capable of identifying an individual
e) “Sensitive Personal Data” includes:
-
Passwords
-
Financial information (bank account details, card details, etc.)
-
Biometric data
-
Any other category classified as sensitive under applicable law
f) “Processing” means any operation performed on personal data, whether automated or manual, including:
-
Collection, storage, organisation
-
Use, retrieval, consultation
-
Disclosure, sharing, or transfer
-
Restriction, erasure, or destruction
g) “Consent” means a freely given, specific, informed, and unambiguous indication of agreement by the Data Principal to process their personal data.
h) “Grievance Officer” means the individual designated by the Company to handle privacy-related complaints and ensure timely resolution in accordance with applicable law.
i) “Third Parties” means external entities engaged by the Company, including:
-
Logistics partners
-
Payment gateways
-
Technology providers
-
Service vendors
who process personal data on behalf of or in association with the Company, subject to contractual safeguards.
j) “Data Breach” means any unauthorised or accidental access, disclosure, alteration, loss, or destruction of personal data that compromises its confidentiality, integrity, or availability.
k) “Website” refers to the Company’s official digital platform, including all subdomains, mobile interfaces, and related services operated by or on behalf of Drifbolt.
l) “User” means any individual who accesses, browses, interacts with, or makes a purchase through the Website or otherwise provides personal data to the Company.
m) “Personnel” includes all employees, consultants, interns, contractors, and authorised representatives of the Company.
n) “Nominee” means a person designated by a Data Principal to act on their behalf in accordance with applicable law in case of death or incapacity.
o) “Notice” means a clear and accessible communication provided to Users prior to data collection, outlining the purpose, scope, and legal basis of processing.
1.2 Interpretation
a) Terms defined within this Policy shall have consistent meanings throughout, unless otherwise specified.
b) Headings are included for convenience only and shall not affect interpretation.
c) References to clauses or sections refer to provisions within this Policy unless stated otherwise.
d) Words in singular form shall include the plural and vice versa; references to any gender shall include all genders.
e) Words such as “herein”, “hereof”, and similar expressions refer to this Policy as a whole.
f) This Policy shall be read together with any amendments, updates, or revisions issued by the Company from time to time.
2. PURPOSE
a) This Privacy Policy (“Policy”) governs the manner in which Drifbolt (“Company”, “we”, “us”, or “our”) collects, receives, processes, stores, uses, discloses, transfers, or otherwise handles Personal Data in the course of operating its website, mobile applications, and other digital or physical interfaces (collectively referred to as the “Platform”).
This Policy applies to:
i) Individuals who access, browse, or use the Platform, including those who create accounts, place orders, or engage in any interaction or transaction with the Company (“Users”);
ii) All categories of Data Principals whose Personal Data is processed by the Company, including customers, prospective customers, business partners, vendors, consultants, employees, service providers, and any individual voluntarily providing information to the Company;
iii) Personal Data collected through both online and offline channels, including customer interactions, surveys, feedback forms, product inquiries, email communications, social media engagements, and payment processing systems;
iv) Third-party service providers engaged by the Company (such as logistics partners, payment processors, marketing affiliates, and cloud service providers), to the extent they process Personal Data on behalf of and under the instructions of the Company;
v) Personal Data processed within India, as well as data collected from individuals located outside India but processed or stored within India, subject to applicable data protection and cross-border transfer laws.
b) This Policy applies irrespective of the device or medium used to access the Platform, including desktops, mobile devices, tablets, and other digital interfaces.
c) This Policy does not apply to:
i) Aggregated or anonymised data that does not directly or indirectly identify an individual;
ii) Third-party websites, applications, or platforms that may be accessible via links on the Platform but are not owned or controlled by the Company. Users are advised to review the privacy policies of such third parties independently;
iii) Data processed by individuals for personal or domestic purposes, or for journalistic purposes, as exempted under applicable laws including the Digital Personal Data Protection Act, 2023.
d) By accessing or using the Platform or by providing Personal Data to the Company, the User acknowledges and consents to the collection and processing of their Personal Data in accordance with this Policy.
e) In the event of any inconsistency between this Policy and specific contractual agreements entered into between the Company and any Data Principal (including employees, vendors, or consultants), the terms providing a higher standard of data protection shall prevail, unless otherwise required by applicable law.
3. CATEGORIES OF PERSONAL DATA COLLECTED
a) In order to provide its products and services, and to operate its Platform efficiently, the Company may collect and process the following categories of Personal Data, either directly from Users or through authorised third-party service providers:
Identity Data
Includes full name, username, gender, and user identification details, typically collected during account registration or checkout.
Contact Data
Includes email address, mobile number, billing address, and shipping address, collected through account creation and order placement processes.
Payment and Financial Data
Includes limited financial details such as masked card information, UPI ID, transaction identifiers, and payment timestamps, processed through secure payment gateways.
Order and Transaction Data
Includes purchase history, order details, cart information, delivery tracking data, and payment methods, generated through Platform transactions and logistics integrations.
Device and Technical Data
Includes IP address, browser type, device specifications, operating system, time zone, and device identifiers, collected automatically during Platform usage.
Usage Data
Includes browsing activity, clickstream data, pages visited, time spent, and product interactions such as cart additions or wishlist activity, collected via analytics tools and cookies.
Marketing and Communication Data
Includes user preferences for receiving marketing communications, newsletter subscriptions, feedback responses, and communication records.
Account Credentials
Includes encrypted or hashed passwords, OTP verification records, and login activity data maintained for authentication and security purposes.
Social Media Data
Includes basic profile information such as name and email address when Users choose to log in or interact through third-party social media platforms.
Customer Support Data
Includes support tickets, chat transcripts, complaint records, and any communication with customer service channels.
Location Data
Includes approximate geolocation or delivery location derived from IP address or device settings, subject to user consent where applicable.
Referral and Affiliate Data
Includes referral codes, promotional coupon usage, and affiliate tracking data associated with marketing campaigns.
User-Generated Content
Includes reviews, comments, feedback, testimonials, and any images or media voluntarily uploaded by Users on the Platform.
b) Personal Data may be collected at various stages, including but not limited to account registration, order placement, subscription to communications, customer support interactions, participation in surveys or promotional activities, or any other voluntary submission by the User.
c) The Company may also collect Non-Personal Data, including aggregated or anonymised information such as usage statistics and analytics data, for internal research, performance analysis, and service improvement purposes.
d) The Company does not intentionally collect sensitive personal data such as biometric information, health data, or government-issued identification numbers (e.g., Aadhaar, PAN), unless required by law or explicitly consented to by the User for a legitimate and lawful purpose.
4. PURPOSE OF DATA COLLECTION & USE
a) Drifbolt collects and processes Personal Data solely for specific, lawful, and legitimate purposes. Such processing is carried out either with the consent of the Data Principal, for the performance of a contract, to comply with legal obligations, or for other permissible purposes under applicable law.
b) The key purposes for which Personal Data may be collected and used include:
Order Processing and Fulfilment
To process, confirm, and deliver orders placed by Users.
Data Involved: Identity Data, Contact Data, Payment Data, Transaction Data, Location Data
Legal Basis: Performance of contract; Consent
Account Creation and Authentication
To enable account registration, login, and user authentication.
Data Involved: Identity Data, Account Credentials, Contact Data
Legal Basis: Consent; Legitimate use
Service Communications
To send order updates, delivery notifications, and service-related communications.
Data Involved: Contact Data, Order Data, Transaction Data
Legal Basis: Performance of contract; Legitimate use
Personalisation of User Experience
To recommend products, customise content, and enhance user experience.
Data Involved: Usage Data, Device Data, Purchase History, Wishlist
Legal Basis: Consent (via cookies); Legitimate use
Marketing and Promotions
To send promotional messages, offers, and marketing communications.
Data Involved: Contact Data, Marketing Preferences, Purchase History
Legal Basis: Explicit Consent
Customer Feedback and Surveys
To collect reviews, ratings, and feedback for service improvement.
Data Involved: Contact Data, Usage Data, User-Generated Content
Legal Basis: Consent
Customer Support and Complaint Resolution
To provide assistance, resolve complaints, and handle service requests.
Data Involved: Contact Data, Order Data, Support Data
Legal Basis: Performance of contract; Legitimate use
Fraud Prevention and Security
To detect, prevent, and investigate fraud, abuse, or policy violations.
Data Involved: Identity Data, Device Data, Transaction Data
Legal Basis: Legitimate use; Legal obligation
Legal and Regulatory Compliance
To comply with applicable laws, regulatory requirements, and lawful requests.
Data Involved: Identity Data, Transaction Data, Payment Data
Legal Basis: Legal obligation
Audit, Risk Management, and Record Keeping
To maintain records for audits, dispute resolution, and internal controls.
Data Involved: Identity Data, Contact Data, Transaction Data, Payment Data
Legal Basis: Legal obligation; Legitimate use
Analytics and Performance Improvement
To analyse Platform performance and improve services.
Data Involved: Usage Data, Device Data, Aggregated Data
Legal Basis: Consent (via cookies); Legitimate use
Referral and Affiliate Programs
To manage referral codes, influencer collaborations, and affiliate tracking.
Data Involved: Referral Data, Identity Data, Transaction Data
Legal Basis: Consent; Performance of contract
c) Personal Data shall not be processed for purposes other than those specified above without providing appropriate notice and, where required, obtaining additional consent.
d) Where processing is based on consent, the User may withdraw such consent at any time through available mechanisms on the Platform or by contacting the Company. Withdrawal of consent may impact the availability of certain services.
e) The Company ensures that all processing activities are proportionate, limited to what is necessary, and carried out in accordance with the principles of fairness, transparency, and accountability.
5. LEGAL BASIS FOR PROCESSING
a) Drifbolt processes Personal Data only where a valid legal basis exists under the Digital Personal Data Protection Act, 2023 and other applicable laws. Such legal bases include:
i) Consent of the Data Principal
Personal Data is processed based on the User’s free, specific, informed, unconditional, and unambiguous consent provided through clear affirmative action.
Examples include:
-
Subscribing to newsletters or marketing communications;
-
Providing optional personal details or feedback;
-
Participating in surveys, contests, or campaigns;
-
Creating and maintaining a user account.
Users may withdraw their consent at any time via account settings, opt-out links, or by contacting legal@drifbolt.com. Such withdrawal does not affect prior lawful processing.
ii) Performance of a Contract
Processing is carried out where necessary to fulfil contractual obligations or to take steps at the request of the User prior to entering into a contract.
Examples include:
-
Processing and delivering orders;
-
Managing payments, returns, and refunds;
-
Providing customer support related to transactions.
iii) Compliance with Legal Obligations
Personal Data may be processed to comply with applicable laws, regulations, court orders, or governmental requirements.
Examples include:
-
Taxation, invoicing, and financial reporting compliance;
-
Maintenance of statutory records;
-
Responding to law enforcement or regulatory authorities;
-
Compliance with IT and consumer protection laws.
iv) Legitimate Use (as permitted under applicable law)
The Company may process Personal Data without explicit consent in situations recognised as legitimate use, provided such processing is necessary and does not override the rights of the Data Principal.
Examples include:
-
Data voluntarily provided by Users for services or support;
-
Delivering purchased products or services;
-
Managing disputes, enforcing legal rights, or defending claims;
-
Cooperating with law enforcement or ensuring public safety;
-
Internal administrative purposes including employee or vendor management.
The Company ensures that such processing remains proportionate and aligned with user expectations.
v) Public Interest or Emergency Situations (where applicable)
In exceptional circumstances, such as public emergencies or health-related situations, Personal Data may be processed in accordance with applicable legal directives or governmental instructions.
vi) Third-Party Data Collection and Sharing
Where Personal Data is received from third parties, the Company ensures that such parties have obtained a valid legal basis (including consent, where required) for sharing the data.
The Company may share Personal Data with the following categories of third parties:
-
Payment Processors: For secure transaction handling
-
Logistics Partners: For order delivery and tracking
-
Communication Providers: For email and SMS notifications
-
Cloud and Infrastructure Providers: For hosting and system operations
-
Marketing and Analytics Tools: For campaigns and performance tracking
-
Customer Support Platforms: For managing user queries
-
Affiliate and Influencer Platforms: For referral tracking
-
Professional Advisors: Legal, financial, and compliance purposes
-
Government Authorities: Where legally required
All such third parties are contractually bound to maintain confidentiality, implement adequate security measures, and process data strictly as per the Company’s instructions and applicable laws.
b) The Company maintains internal documentation of the legal basis applicable to each processing activity and periodically reviews such records to ensure ongoing compliance.
c) In the event of any change in the legal basis for processing, the Company shall notify the Data Principal and obtain fresh consent where required.
6. CONSENT MANAGEMENT
a) Obtaining Consent
Drifbolt shall obtain the free, specific, informed, unconditional, and unambiguous consent of the Data Principal prior to collecting or processing any Personal Data, unless such processing is permitted under legitimate use or required to comply with legal obligations.
b) Consent is obtained in a clear and granular manner at the point of data collection, including but not limited to:
i) Account registration;
ii) Checkout and payment processes;
iii) Subscription to newsletters or promotional communications;
iv) Participation in surveys, contests, or referral programs;
v) Acceptance of cookies and similar tracking technologies.
c) The Company does not use pre-ticked checkboxes, bundled consent mechanisms, or implied consent. All consent must be actively and affirmatively provided by the User.
d) Layered Privacy Notices
All consent requests are accompanied by concise and accessible privacy notices that include:
i) The purpose of data collection;
ii) The categories of Personal Data collected;
iii) Details of any third-party data sharing;
iv) A reference or link to this Privacy Policy;
v) Contact details of the designated Grievance Officer.
e) These notices are presented in clear, simple, and user-friendly language to ensure transparency and informed decision-making.
f) Proof and Record of Consent
The Company maintains verifiable records of consent obtained from each Data Principal, including details of the time, method, and purpose of consent. Such records are securely stored and may be disclosed to regulatory authorities where required by law.
g) Refusal or Conditional Consent
i) Users may refuse consent for optional services (such as marketing communications) without affecting access to essential services (such as purchasing products);
ii) The Company does not require consent for unrelated purposes as a condition for accessing core services, unless such data is necessary for the functionality of those services.
h) Withdrawal of Consent
i) Users may withdraw their consent at any time through:
-
Opt-out or unsubscribe links in communications;
-
Account settings or preference dashboards;
-
Direct communication with the Company at: legal@drifbolt.com
i) Upon withdrawal of consent:
i) The Company shall discontinue processing the relevant Personal Data within a reasonable timeframe, unless retention is required by applicable law;
ii) Certain features or services may become unavailable if they depend on the withdrawn data.
j) Consent Relating to Minors
i) The Company does not knowingly collect Personal Data from individuals under the age of 18 years without verifiable parental or guardian consent, in accordance with applicable law;
ii) If such data is identified as having been collected without valid consent, it shall be promptly deleted.
k) Cookies and Tracking Consent
i) The Company uses cookies and similar technologies to enhance user experience, analyse usage, and support marketing efforts;
ii) Users are provided with a cookie consent interface enabling them to:
-
Accept all cookies;
-
Manage preferences by category;
-
Reject non-essential cookies.
7. CHILDREN’S DATA
a) Drifbolt is committed to safeguarding the privacy of children and complying with applicable data protection laws governing children’s data.
b) For the purposes of this Policy, a child refers to any individual below the age of 18 years, unless otherwise defined by applicable law.
c) The Company does not knowingly collect, process, or store Personal Data of children unless:
i) Such processing is necessary for providing a service specifically intended for children; and
ii) Verifiable parental or guardian consent has been obtained through appropriate mechanisms (such as OTP verification or digital consent).
d) In the event that Personal Data of a child is collected without valid consent, the Company shall:
i) Promptly delete such data; and
ii) Where feasible, notify the parent or guardian of such deletion.
e) The Company does not engage in behavioural tracking, profiling, or targeted advertising directed at children, in compliance with applicable legal restrictions.
8. COOKIE AND TRACKING TECHNOLOGIES
a) The Company uses cookies and similar tracking technologies (including pixels, web beacons, and local storage) to enhance functionality, personalise user experience, analyse Platform performance, and support marketing activities.
b) Upon first interaction with the Platform, Users are presented with a cookie consent banner that allows them to:
i) Accept all cookies;
ii) Reject non-essential cookies;
iii) Customise preferences based on cookie categories.
c) Detailed information regarding the types of cookies used, their purposes, and associated third-party tools is provided in the Company’s Cookie Policy, which forms an integral part of this Privacy Policy.
d) Users may review and update their cookie preferences at any time through the Cookie Settings panel available on the Platform.
e) Additional details on managing or disabling cookies at the browser level can be found in the full Cookie Policy.
9. DATA SHARING AND THIRD-PARTY TRANSFERS
a) Internal Access
Personal Data may be accessed by authorised personnel within the Company, including teams such as operations, customer support, marketing, logistics, product development, finance, and compliance, strictly on a need-to-know basis and subject to confidentiality obligations.
b) Third-Party Sharing
The Company may share Personal Data with trusted third-party service providers and partners solely for the purpose of delivering services efficiently. Such parties are contractually obligated to:
-
Process data only for specified purposes;
-
Maintain strict confidentiality;
-
Comply with applicable data protection laws.
c) Categories of Third Parties
i) Payment processors and gateways – to facilitate transactions;
ii) Logistics and delivery partners – to fulfil orders;
iii) Cloud and IT infrastructure providers – for data storage and system operations;
iv) Marketing and analytics platforms – for campaign management and insights;
v) Customer support and CRM tools – to manage user interactions;
vi) Legal, financial, and audit advisors – for compliance purposes;
vii) Government authorities – where required by law.
d) Cross-Border Data Transfers
i) Personal Data is primarily stored and processed within India; however, certain third-party services may involve processing outside India;
ii) Any such transfers shall comply with applicable legal requirements and ensure adequate data protection safeguards.
iii) Where applicable, transfers shall be made:
-
To jurisdictions recognised as providing adequate protection; or
-
Under legally binding agreements ensuring equivalent data protection standards.
e) No Sale of Personal Data
The Company does not sell, rent, or trade Personal Data to third parties for commercial gain.
f) Anonymised and Aggregated Data
Non-identifiable, aggregated data may be shared with partners or research entities for analytics, insights, and service improvement purposes.
g) Vendor Due Diligence
The Company undertakes appropriate due diligence and enters into data protection agreements with all third parties handling Personal Data to ensure:
i) Processing is limited to defined purposes;
ii) Adequate security measures are implemented;
iii) Data is deleted or returned upon completion of services.
10. DATA RETENTION & STORAGE
a) Retention Principle
Drifbolt retains Personal Data only for as long as is reasonably necessary to:
i) Fulfil the purpose for which such data was collected;
ii) Comply with applicable legal and regulatory obligations;
iii) Resolve disputes, enforce contractual rights, or defend legal claims;
iv) Maintain records for audit, taxation, and business continuity purposes.
b) The applicable retention period is determined based on the nature of the data, the purpose of processing, and any statutory or contractual requirements.
c) Indicative Data Retention Periods
Identity and Contact Data
Retained for up to 3 years from the last user interaction or transaction, for customer support and legal claim purposes.
Order and Transaction Data
Retained for up to 8 years from the date of transaction, in accordance with applicable accounting and taxation laws.
Payment and Financial Data (masked)
Retained in accordance with applicable regulatory requirements, including guidelines issued by relevant financial authorities, and for fraud prevention purposes.
Customer Support and Complaint Records
Retained for up to 3 years from the date of last interaction, to support dispute resolution and service quality monitoring.
Marketing Preferences and Consent Records
Retained until the User withdraws consent or remains inactive for a period exceeding 2 years.
Analytics and Usage Data (pseudonymised)
Retained for a period of 12 to 18 months for internal analysis and service improvement.
Account Credentials
Retained until the account is deleted or deactivated, as required for authentication and security purposes.
Dormant or Inactive Accounts
Deleted after 2 years of inactivity, subject to prior notice of at least 30 days.
Anonymised or Aggregated Data
May be retained indefinitely, as such data does not constitute Personal Data under applicable law.
Note: The above timelines may be extended where required for ongoing legal proceedings, investigations, or statutory obligations.
d) Deletion and De-Identification
Upon expiry of the applicable retention period, Personal Data shall be:
i) Permanently deleted from active systems and backups; or
ii) Anonymised or irreversibly de-identified to prevent identification of the Data Principal.
The Company ensures secure deletion through industry-standard data erasure and sanitisation practices.
e) Right to Request Deletion
i) Data Principals may request deletion of their Personal Data where:
-
The data is no longer required for the original purpose;
-
Consent has been withdrawn and no other legal basis exists;
-
The data has been processed unlawfully.
ii) Such requests shall be processed within a reasonable timeframe, subject to legal and contractual retention requirements.
f) Storage and Backups
Personal Data is stored on secure servers operated by the Company or its authorised service providers, primarily located within India. Encrypted backups are maintained periodically to ensure data recovery and continuity, and are subject to the same retention and deletion standards.
g) Review of Retention Practices
The Company periodically reviews its data retention and storage policies to ensure compliance with evolving legal requirements and operational needs. Any updates will be reflected in this Privacy Policy.
11. REASONABLE SECURITY PRACTICES
a) Drifbolt is committed to protecting the security, integrity, and confidentiality of Personal Data. In accordance with applicable laws, including the Digital Personal Data Protection Act, 2023 and relevant IT rules, the Company implements appropriate technical, organisational, and administrative safeguards to prevent unauthorised access, misuse, loss, alteration, or disclosure of Personal Data.
b) The Company adopts industry-standard security measures, including but not limited to:
i) Encryption of sensitive data during transmission using secure protocols (SSL/TLS);
ii) Secure storage practices including hashing and salting of passwords;
iii) Deployment of firewalls and intrusion detection/prevention systems;
iv) Role-based access controls and strict data access policies;
v) Secure APIs and encrypted payment processing systems;
vi) Multi-factor authentication (MFA) for administrative and privileged access;
vii) Continuous monitoring and logging of system access and activities;
viii) Regular vulnerability assessments and penetration testing (VAPT);
ix) Timely application of security patches and system updates.
c) Personal Data is hosted on secure infrastructure managed by reputable cloud service providers that adhere to recognised industry standards (such as ISO/IEC 27001, SOC 2, or equivalent frameworks, where applicable).
d) All third-party vendors or service providers processing Personal Data on behalf of the Company are subject to contractual obligations requiring them to implement appropriate security controls and maintain strict confidentiality standards.
12. NOTIFICATION OF PERSONAL DATA BREACH
a) Drifbolt adopts a proactive and structured approach to the identification, containment, and resolution of personal data breaches. A “personal data breach” refers to any unauthorised or accidental access, disclosure, alteration, loss, or destruction of Personal Data that compromises its confidentiality, integrity, or availability, whether arising from technical failures, cyber incidents, human error, or systemic vulnerabilities.
b) Data Breach Response Procedure
In the event of a suspected or confirmed breach, the Company shall activate its internal Data Breach Response Protocol, which includes timely identification, containment, risk assessment, mitigation, and reporting, in accordance with applicable legal requirements.
c) Contents of Breach Notification
Where notification is required to regulatory authorities or affected Data Principals, such communication shall include:
i) The nature and categories of Personal Data affected;
ii) The approximate number of individuals impacted;
iii) The date and time of the breach (where ascertainable);
iv) The likely consequences or potential risks arising from the breach;
v) Measures taken or proposed to mitigate harm;
vi) Contact details of the Grievance Officer or designated point of contact;
vii) Guidance for Users on steps to protect themselves.
d) Breach Severity Classification
The Company categorises data breaches based on severity:
i) Level 1 – Minor: Limited impact, no sensitive data involved;
ii) Level 2 – Moderate: Involves identity or contact data with moderate risk;
iii) Level 3 – Critical: Involves sensitive or financial data, or affects a large number of individuals with significant risk.
External notifications are made for Level 2 and Level 3 breaches, as required under applicable law.
e) User Reporting
Users are encouraged to promptly report any suspected compromise of their account or Personal Data, including unauthorised access, phishing attempts, or suspicious activity, by contacting: legal@drifbolt.com. The Company will prioritise investigation and remediation of such reports.
13. RIGHTS OF DATA PRINCIPALS
a) In accordance with the Digital Personal Data Protection Act, 2023, Data Principals have the following rights concerning their Personal Data, subject to applicable legal limitations:
Right to Access
Users may request confirmation of whether their Personal Data is being processed, along with details such as categories of data, purpose, recipients, and retention period.
Timeline: Within 15 working days.
Right to Correction
Users may request correction, updating, or completion of inaccurate or incomplete Personal Data.
Timeline: Within 10 working days.
Right to Erasure
Users may request deletion of Personal Data that is no longer necessary, unlawfully processed, or where consent has been withdrawn.
Timeline: Within 15 working days.
Right to Withdraw Consent
Users may withdraw previously provided consent for specific processing activities at any time.
Timeline: Effective upon confirmation.
Right to Grievance Redressal
Users may raise complaints regarding misuse, delay, denial of rights, or improper handling of Personal Data.
Timeline: Acknowledgement within 48 hours; resolution within 7 working days.
Right to Nominate
Users may nominate another individual to exercise their data rights in the event of death or incapacity.
Right to Be Informed
Users have the right to receive clear and transparent information regarding data collection, usage, sharing practices, and policy updates.
b) Exercising Your Rights
All requests may be submitted via email to: legal@drifbolt.com, or through the Platform (where applicable), along with necessary identity verification details.
14. GRIEVANCE REDRESSAL MECHANISM
a) Drifbolt is committed to addressing all privacy-related concerns in a transparent, secure, and time-bound manner. A designated Grievance Officer has been appointed in accordance with applicable laws.
b) Raising a Grievance
Users may submit complaints relating to:
i) Delay or denial of data rights;
ii) Unauthorised access or misuse of Personal Data;
iii) Failure to honour consent withdrawal;
iv) Violation of this Privacy Policy;
v) Non-compliance with applicable data protection laws.
c) Grievance Officer Details
Grievance Officer
Email: legal@drifbolt.com
Working Hours: Monday to Friday, 10:00 AM to 6:00 PM IST
d) Grievance Handling Timelines
-
Acknowledgement: Within 48 hours
-
Initial Review: Within 2 working days
-
Resolution: Within 7 working days
-
Final Response: Within 10 working days from receipt
e) If the User is not satisfied with the resolution or does not receive a response within the prescribed timeframe, they may escalate the matter to the appropriate regulatory authority in accordance with applicable law.
15. FORCE MAJEURE
Drifbolt shall not be held liable for any failure or delay in performing its obligations under this Privacy Policy due to events beyond its reasonable control. Such events include, but are not limited to, natural disasters, acts of war, civil disturbances, pandemics, governmental actions, power or internet outages, cyber incidents, or other force majeure circumstances.
During such events, the Company shall take all reasonable measures to minimise disruption and restore normal operations at the earliest practicable time.
16. GOVERNING LAW AND JURISDICTION
This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts located in New Delhi, India, without reference to conflict of law principles.
17. CHANGE IN OWNERSHIP OR CONTROL
In the event of a merger, acquisition, restructuring, or transfer of all or part of the Company’s business or assets, Personal Data held by Drifbolt may be transferred to the successor or acquiring entity.
Such transfer shall continue to be governed by the terms of this Privacy Policy unless and until it is amended by the successor entity with appropriate notice to Users, in accordance with applicable laws.
18. POLICY UPDATES AND NOTIFICATION
Drifbolt reserves the right to update, amend, or modify this Privacy Policy from time to time to reflect changes in legal requirements, operational practices, or technological developments.
Any material changes to this Policy shall be communicated through:
i) Prominent notices displayed on the Platform;
ii) Email notifications to registered Users, where applicable; and
iii) Revision of the “Last Updated” date indicated at the beginning of this Policy.
Users are encouraged to review this Policy periodically to remain informed about how their Personal Data is collected, used, and protected.
19. CONTACT US
If you have any questions, concerns, or require clarification regarding this Privacy Policy, the processing of your Personal Data, or your rights as a Data Principal, you may contact:
Grievance Officer
Email: legal@drifbolt.com
Working Hours: Monday to Friday, 10:00 AM to 6:00 PM IST
By accessing or using the Platform, you acknowledge that you have read, understood, and agreed to the terms of this Privacy Policy. Your continued use of the Platform constitutes your consent to the collection, processing, and disclosure of your Personal Data in accordance with this Policy.
This Privacy Policy shall remain in effect unless and until updated, replaced, or withdrawn by the Company.
ANNEXURE A
DATA BREACH RESPONSE FRAMEWORK & TIMELINE
Stage 1: Detection & Containment
Identification and verification of the breach, along with isolation of affected systems.
Timeline: Within 6 hours of detection.
Stage 2: Preliminary Risk Assessment
Assessment of scope, categories of data affected, sensitivity, and potential impact.
Timeline: Within 12 hours of detection.
Stage 3: Internal Escalation
Notification to relevant internal stakeholders, including compliance and senior management.
Timeline: Within 12 hours.
Stage 4: Regulatory Reporting
Notification to applicable authorities (such as CERT-In or other regulators), where required.
Timeline: Within 6 hours of confirming the breach, or as per applicable guidelines.
Stage 5: Notification to Affected Individuals
Communication to impacted Data Principals outlining risks and mitigation steps.
Timeline: Within 48 hours, where there is a risk of harm.
Stage 6: Remedial Measures
Containment of the breach, system patching, credential resets, and prevention of recurrence.
Timeline: Immediate, with completion targeted within 72 hours.
Stage 7: Documentation & Audit Trail
Comprehensive recording of the incident, investigation findings, and corrective actions.
Timeline: Within 7 days.
Stage 8: Final Report & Policy Review
Root cause analysis and updates to internal policies, controls, and training.
Timeline: Within 15 days.