Privacy & Personal Data Protection Policy

Purpose

The purpose of this Privacy & Personal Data Protection Policy ("Policy") is to define the principles, controls, and safeguards adopted by Vasudhaiva Kutumbakam Software Solutions Private Limited (hereinafter referred to as "Company" or "MHITR") for the protection of personal data shared by our Client (hereinafter referred to as "Client"). This Policy ensures that personal data relating to Client's employees, clients, residents, consultants, service partners, and other authorized individuals ("Data Principals") is processed in a lawful, fair, secure, and transparent manner, strictly in accordance with Client's governance standards and applicable data protection laws, including the Digital Personal Data Protection Act, 2023 ("DPDP Act").

Scope

This Policy applies to:

  • All personal data shared by Client with MHITR
  • All MHITR employees, consultants, contractors, and authorized representatives
  • All systems, platforms, applications, infrastructure, and processes used by MHITR in providing services to Client

This Policy forms an integral part of MHITR's information security, confidentiality, and vendor compliance framework.

Roles and Accountability

| Role | Responsibility |
| --- | --- |
| Client | Data Fiduciary under DPDP Act |
| MHITR Private Limited | Data Processor |
| MHITR Management | Policy enforcement and oversight |
| Authorized Personnel | Secure and compliant data handling |

Categories of Personal Data

MHITR may process the following categories of personal data on a need-to-know and purpose-limited basis:

  • Identification data (e.g., name, age, gender)
  • Contact information (e.g., address, phone number, email ID)
  • Employee, client, resident, or user reference identifiers
  • Wellness, lifestyle, or health-related data (only where applicable, permitted, and consented)
  • Any other personal data necessary for service delivery as expressly approved by Client

MHITR shall not collect personal data directly from Data Principals unless explicitly authorized by Client.

Principles of Data Processing

MHITR adheres to the following data protection principles, aligned with Client's vendor policies:

  • Lawfulness & Fairness: Processing only for lawful, authorized, and legitimate purposes
  • Purpose Limitation: Use strictly limited to defined service objectives
  • Data Minimization: Processing only data that is strictly necessary
  • Accuracy: Reasonable measures to ensure data accuracy and relevance
  • Storage Limitation: Retention only for approved periods
  • Accountability: Demonstrable compliance and audit readiness

MHITR processes personal data based on:

  • Valid consent obtained by Client from Data Principals; and/or
  • Legitimate uses permitted under the DPDP Act, 2023

MHITR relies on Client to ensure lawful collection, consent management, and fulfillment of fiduciary obligations.

Information Security Controls

MHITR implements appropriate technical and organizational security measures aligned with enterprise vendor requirements, including:

  • Role-based and least-privilege access controls
  • Strong authentication mechanisms
  • Secure storage, encryption, and controlled access
  • Confidentiality and non-disclosure obligations for personnel
  • Periodic internal security reviews and assessments

Personal data is protected against unauthorized access, alteration, disclosure, loss, or destruction.

Data Sharing and Third-Party Access

  • Personal data shall not be disclosed, sold, licensed, or transferred to any third party without prior written approval from Client.
  • Approved sub-processors shall be bound by data protection obligations equivalent to or stronger than this Policy.
  • Any legally mandated disclosure shall be promptly notified to Client, unless prohibited by law.

Data Retention and Disposal

  • Personal data shall be retained only for the duration necessary to fulfill service obligations or comply with applicable legal requirements.
  • Upon completion or termination of services, personal data shall be securely returned, deleted, or anonymized as instructed by Client.
  • Secure deletion and disposal methods shall be used to prevent unauthorized recovery.

Data Principal Rights Support

MHITR shall reasonably assist Client in fulfilling Data Principal rights under the DPDP Act, including:

  • Right to access information regarding processing
  • Right to correction or updating of personal data
  • Right to erasure of personal data
  • Right to withdraw consent
  • Right to grievance redressal

All requests shall be routed through Client as the primary interface and handled without undue delay.

Personal Data Breach Management

In the event of a personal data breach or suspected breach:

  • MHITR shall notify Client without undue delay
  • Immediate containment, mitigation, and remediation actions shall be initiated
  • MHITR shall fully cooperate with Client for regulatory reporting, investigation, and corrective measures

Breach handling shall align with Client's incident management and reporting expectations.

Cross-Border Data Transfer

Personal data shall not be transferred outside India unless:

  • Explicitly authorized in writing by Client; and
  • Such transfer is permitted under applicable Indian law

Audit and Compliance

  • MHITR shall maintain audit-ready records of personal data processing activities
  • Client or its authorized auditors may review compliance upon reasonable notice
  • Any identified non-compliance shall be promptly addressed through corrective actions

Training and Awareness

MHITR ensures that relevant personnel:

  • Are aware of data protection and confidentiality responsibilities
  • Receive periodic training on security and compliance requirements
  • Are subject to disciplinary action for violations of this Policy

Policy Review and Updates

This Policy shall be reviewed periodically to reflect:

  • Changes in applicable laws or regulations
  • Updates to Client's vendor requirements
  • Operational, technological, or security enhancements

Material changes shall be communicated to Client.

Grievance Redressal

For any data protection concerns or complaints:

Grievance Officer

Vasudhaiva Kutumbakam Software Solutions Private Limited

Email: rsvn.sharma@mhitr.in

Address: 17, Obel Villas, Balagere Main Road, Bengaluru, Karnataka, 560087

Policy Acceptance

Compliance with this Policy is mandatory for all MHITR personnel and forms part of MHITR's contractual and vendor obligations towards Client.