Privacy Policy


PRIVACY POLICY FOR GOALS101 DATA SOLUTIONS PRIVATE LIMITED

INTRODUCTION

Goals101 Data Solutions Private Limited (“Company/ We/ Us/ Our”) is inter alia engaged in the business of cards linked marketing, purchase data driven marketing, recommendation engine and location based offers and data analytics in partnership with leading banks in India and abroad. This Privacy Policy (“Privacy Policy”) applies to the personal information We collect on Our website ‘https://goals101.in/’ (“Platform”). By using the Platform you confirm that you accept the terms of this Privacy Policy and that you agree to abide by them. This Privacy Policy is incorporated into and subject to the terms of use available at the Platform..

We value the trust you place in us. That is why We insist upon the highest standards for secure transactions and customer information privacy. This Privacy Policy applies to the personal `information We collect on the Platform. This Privacy Policy describes the types of personal information We collect on the Platform, how We may use that information and with whom We may share it. We also tell you how you can reach Us to ask Us to update your preferences regarding how We communicate with you or answer any questions you may have about Our privacy practices.

When you access the Platform you accept, without limitation or qualification, the Privacy Policy set forth below and any additional terms of use set forth in the Platform. This Privacy Policy constitutes a binding legal agreement between you and Uus. If you do not agree to the Privacy Policy, you have no right to obtain information from or otherwise continue using the Platform. Failure to use the Platform in accordance with the Privacy Policy may subject you to civil and criminal penalties. We have provided this Privacy Policy to familiarize you with the type of data or information that you share with or provide to Us and that We collect from you, the purpose for collection of such data or information from you, Our information security practices and policies and Our Privacy policy on controlling or processing your data or information with third parties. This Privacy Policy may be amended / updated from time to time. Upon amending / updating the Privacy Policy, We will accordingly amend the date above. We suggest that you regularly check this Privacy Policy to apprise yourself of any updates. Your continued use of Website or provision of data or information thereafter will imply your unconditional acceptance of such updates to this Privacy Policy. The information (which shall also include data) provided by you to Goals101 or collected from you by Us may consist of Personal Information and Non- Personal Information. “Personal Information” is the information you submit and that can be used to uniquely identify or contact you and “Non-Personal Information” is the de-identified and non-personally identifiable information collected from the Platform or any other sources.

PLEDGE ON PRIVACY

The term ”Personal Data” as used in this Privacy Policy refers to information such as your name, birth date, e-mail address, mailing address, or telephone number that can be used to identify you. Generally, We will only process your Personal Data as described in this Privacy Policy. However, We reserve the right, to conduct additional processing to the extent permitted or required by law, or in support of any legal or criminal investigation.

INFORMATION WE COLLECT

Information We collect form the service providers

We may collect information from:

service providers that make user-generated content from their service available to others, such as local business reviews or public social media posts;
communication service providers, including email providers and social networks, when you give Us permission to access your data on such third-party services or networks;
partners with which We offer co-branded services or engage in joint marketing activities;
publicly-available sources, such as open government databases; and
non-personally identifiable information.

Information We collect by automated means

If you use the Platform, We may collect the following information by automated means:

The type of device you use and its operating system;
Identification details of your device (e.g., unique device identifier);
Internet protocol (“IP”) address; and
Information about your use of the Platform.

Non- Personal Information

We may de-identify personal information that We have collected from you through the Platform and combine it with de-identified information about other users, information from third parties, and/or publicly available information. We may also collect information other than Personal Information from you through the Platform when you visit and / or use the Platform. Such information may be stored in server logs. This Non-Personal Information would not assist Us to identify you personally. This Non-Personal Information may include:

Your geographic location;
details of your telecom service provider or internet service provider;
the type of browser (Internet Explorer, Firefox, Opera, Google Chrome etc.);
the operating system of your system, device and the website you last visited before visiting the Platform;
The duration of your stay on the Platform is also stored in the session along with the date and time of your access, Non-Personal Information is collected through various ways such through the use of cookies. We may store temporary or permanent ‘cookies’ on your computer. You can erase or choose to block these cookies from your computer. You can configure your computer’s browser to alert you when We attempt to send you a cookie with an option to accept or refuse the cookie. If you have turned cookies off, you may be prevented from using certain features of the Platform; and
We may use third-party service providers to serve ads on Our behalf across the internet and sometimes on the Platform. They may collect Non-Personal Information about your visits to the Platform, and your interaction with Our services on the Platform. Please note that Personal Information and Non Personal Information may be treated differently as per this Privacy Policy.

Platform visitorship information

We gather information from the Platform activity, such as data on the number of people who visit the Platform, the pages they visit, the duration of their stay, etc. Platform visitorship information includes:

Collected on an aggregate, anonymous basis, which means no personal identifiable information is associated with this data.
Gathered through the use of web server logs and cookies.

Personal Information

You may choose to provide Us with Personal Information through the Platform, like:

Contact information, such as your name, address, telephone number and email address;
Your profile, messages you send on the Platform, searches conducted by you and the reviews submitted by you;
Payment information, such as your payment card details;
Information obtained from the account you use to login to the Platform;
Personal Information in communications and other content you submit or share, such as photographs and video clips;
Information about services received/ rendered on the Platform; and
Your location.

USE OF INFORMATION COLLECTED

Most of Our services do not require any form of registration, allowing you to visit Our Platform without telling Us who you are. However, some services may require you to provide Us with Personal Information. In these situations, if you choose to withhold any Personal Information requested by us, it may not be possible for you to gain access to certain parts of the site and for Us to respond to your query.
We may collect and use Personal Information to provide you with products or services, to bill you for products and services you request, to market products and services which We think may be of interest to you, or to communicate with you for other purposes which are evident from the circumstances or about which We inform you when We collect Personal Infomation from you.
We are controllers of customer data and may process such data as may be required. We store the information collected from the Platform, which is used to:

Improve Our product;
Enhance the end user experience;
Provide, maintain and protect services, Platform and Our Business;
Communicate with the customers in relation to technical and other administrative matters via emails and other modes of communication;
Personalisation of the product and the services;
Product development;
Relevant offers;
Reporting and Business operations;
Conduct and undertake research in order to develop and provide search, learning and productivity tools and additional features to service better experience;
Consulting services;
Research wherein We investigate and help prevent security issues and abuse; and
Bill, manage accounts and other administrative matters in order to keep a track of the billings and payments.

The information is processed and analysed by automated means to offer a variety of features that you get from using the Platform. The information will be used for advanced analytics to offer additional insightful features in future. We may also anonymise (de-personalise) your information We collect and combine it with other information sources for the purpose of advanced analytics and future use cases.

STORAGE AND MAINTENANCE OF INFORMATION COLLECTED

We access and control the personal data provided by you. In lieu of the same, We may store or track information about you , however, We shall not be obligated to do so and may delete any information and records, in whole or in part, solely at Our discretion. We may retain other information pertaining to you for as long as necessary for the purposes detailed within this Privacy Policy. Storing such other information provided by you shall be retained with Us for the period of time needed for Us to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce Our agreements.

Your Communication Preferences: To help Us make e-mails more useful and informative, We often receive a confirmation when you open e-mail from Us if your computer supports such capabilities. If you do not want to receive e-mail or other mail from us, you may adjust your customer communication preferences from the Platform.

Information from Other Sources: We might receive information about you from other sources and add it to Our account information as may be required to serve you better and for Our business enhancement. By using or continuing to use Our website and Our platform, you agree to Our use of your information (including sensitive Personal Information) in accordance with this Privacy Policy, as may be amended from time to time by Us at Our discretion. You also agree and consent to Us collecting, storing, processing, transferring and sharing information (including sensitive Personal Information) related to you with third parties or service providers for the purposes as set out in this Privacy Policy.

We may be required to share the aforesaid information with government authorities and agencies for the purposes of verification of identity or for prevention, detection or investigation, including of cyber incidents, prosecution and punishment of offences. You agree and consent for Goals101 to disclose your information, if so required, under applicable law.

DISCLOSURE OF INFORMATION

Our customer’s privacy is extremely important to us. However, We may disclose certain information obtained due to the following:

To Our employees, in order to diagnose and resolve any problems or to provide support to you.
To any other person, who perform services on Our behalf, including credit-card and billing, survey administration, technical or customer support, shipping, and provision of email and data analytics.
To the business partners, who can alert you about the new services. Upon receipt of any alert if you desire to be removed from such alert list, you may inform the sender or unsubscribe from the list as provided in each mail alert.
In the event that We engage in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of a part of Our assets or stock, financing, public offering of securities, acquisition of all or a portion of Our business, a similar transaction or proceeding, or steps in contemplation of such activities (such as due diligence), some or all other information may be shared or transferred, subject to standard confidentiality arrangements.
Tto engage third party companies or individuals as service providers or business partners to process other information and support Our business. These third parties may provide virtual computing and storage services. This may be with or without your consent.
With Our with its corporate affiliates, parents and/or subsidiaries with respect to other information provided by the customer;
to protect and defend the rights, property or safety of the Company or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.
If We are required to do so by law, regulation or legal process, such as a court order or in response to legal requests by government agencies or when We believe disclosure is necessary or appropriate to prevent physical, financial or other harm, injury or loss or in connection with an investigation of suspected or actual unlawful activity.

USE OF COOKIES

Some pages on the Platform use “cookies” which are small files that the Platform places on your hard drive for identification purposes. These files are used for Platform registration and customisation the next time you visit Us. Your web browser may allow you to be notified when you are receiving a cookie, giving you the choice to accept it or not. By not accepting cookies, some pages may not fully function and you may not be able to access certain information on the Platform. The help menu on the menu bar of most of the commonly used browsers (such as google chrome, internet explorer, firefox and safari) will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether. Additionally, you can disable or delete similar data used by browser add-ons, such as flash cookies, by changing the add-on’s settings or visiting the website of its manufacturer. However, because cookies allow you to take advantage of some of our Platform’s essential features, We recommend that you leave them turned on. If you do leave cookies turned on, be sure to sign off when you finish using a shared computer.

SECURITY OF DATA

We take security of your data very seriously. We work hard to protect information you provide from loss, misuse, and unauthorised access or disclosure. These steps take into account the sensitivity of your information We collect, process and store, and the current state of technology. We retain the data collected from you for 7 years. In order to build Our Platform and products, We use multiple sources of data however, We do not use any of Your Personal Information for developing Our Platform and products. We maintain commercially reasonabley measures to maintain information security and prevent it from unauthorized access. Given the nature of communications and information processing technology, We cannot guarantee that any information, during transmission through the internet or while stored on Our systems or otherwise in Our care, will be absolutely safe from intrusion by others. Since, no security is fool-proof and in case We become aware of any breach of security of your information, We will notify you using the email address that We have. If you do not agree to the terms discussed above, you should exit Our Platform or stop using the same. When you access Our Platform, you acknowledge that you have read and agreed to abide by the terms described above.

LINK TO THIRD PARTY WEBSITES

Our Platform may contain links to third party websites/ apps, that display interest-based advertising using information you make available to Us when you interact with Our Platform, content, or services. Interest-based ads, also sometimes referred to as personalised or targeted ads, are displayed to you based on information from activities on Our sites, which are not under Our control. (please review this part)

This Privacy Policy applies only to the Platform, and not to websites owned by third parties. We may provide links to other websites which We believe may be of interest to Our visitors. We aim to ensure that such websites are of the highest standard. However, due to the nature of the internet, We cannot guarantee the privacy standards of websites to which We link or be responsible for the contents of sites other than Our Platform, and this Privacy Policy is not intended to be applicable to any linked, non-Company website. For websites owned by third parties, the privacy policy of the third party shall be applicable on You.

We do not provide any Personal Information to advertisers or to third party sites that display Our interest-based ads. However, advertisers and other third-parties (including the ad networks, ad-serving companies, and other service providers they may use) may assume that users who interact with or click on a personalised ad or content are part of the group, to whom that the ad or content is directed towards. Also, some third-parties may provide Us information about you (such as the sites where you have been shown ads or demographic information) from offline and online sources, that We may use to provide you more relevant and useful information and services.

Advertisers or ad companies working on their own behalf sometimes use technology to serve the ads that appear on Our Platform directly to your browser. They automatically receive your IP address when this happens. They may also use cookies to measure the effectiveness of their ads and to personalise ad content. We do not have access to or control over cookies or other features that advertisers and third party sites may use, and the information practices of these advertisers and third party websites are not covered by Our Privacy Policy. Please contact them directly for more information about their privacy practices. We have no responsibility or liability for and We make no representations whatsoever about any other website that you may have access to through Our Platform. We advise you to review the terms of use, privacy policy and other policies available at third party websites/ apps that you may access. These linked sites are only for your convenience, and therefore, you access them at your own risk. The inclusion of such links does not imply that We endorse or accept any responsibility for the content or uses of such websites.

SOCIAL MEDIA WIDGETS

Our Platform includes social media features, such as the LinkedIn, Twitter, Glassdoor and Facebook like button and widgets, such as the share this button or interactive mini-programs that run on the Platform. Our Platform includes social media plugins such as LinkedIn, Twitter, Glassdoor, Facebook or more, which may have different features and widgets such as like, share this button or interactive mini programs that run on the Platform. These features may collect your IP address, which page you are visiting on the Platform, and may set a cookie to enable the feature to function properly. We track the visitors from the point onward they visit our Platform. Social media features and widgets are either hosted by a third party or hosted directly on the Platform. Your interactions with these features are governed by the privacy policy of the company providing it and extent of tracking allowed by them for the visitors to their platforms. We will be using the tracking mechanisms to re-market our products and services or highlight our knowledge/award/achievements related content at appropriate places in appropriate form.

FORCE MAJEURE

Notwithstanding anything contained in this Privacy Policy or elsewhere, We shall not be held responsible for any loss, damage or misuse of your user information, if such loss, damage or misuse is attributable to a Force Majeure Event. “Force Majeure Event” shall mean any event that is beyond Our reasonable control and shall include without limitation, sabotage, fire, flood, explosion, acts of God, civil commotion, strikes or industrial action of any kind, riots, insurrection, war, acts of government, network errors, computer hacking, technical snags, unauthorized access to computer data and storage device, breach of security and encryption and any other like event beyond Our control.

YOUR RIGHTS

Individuals located in certain countries, including the European Economic Area, have certain statutory rights in relation to their Personal Information. If you are a resident or a citizen of European Union or the European Economic Area we will collect, store, process and control your information in accordance with our Data Protection Policy (DPA) provided under ‘Annexure A’ hereto. Subject to any exemptions provided by law, you may have the right to request access to information, as well as to seek to update, delete or correct this information. You can contact us for any help regarding the same.

CHANGE IN PRIVACY POLICY

We reserve the right to update, modify and amend the any of the terms of Our Privacy Policy, at any time without prior intimation to you. We shall not be liable for any failure or negligence on your part to review the updated Privacy Policy before accessing or using the Platform. Your continued use of the Platform, following changes to the Privacy Policy, will constitute your acceptance of those changes.

CONTACT US

If you have any concerns or questions in relation to Our Platform or this Privacy Policy, you may address them to Our grievance officer Ms. Diksha Punyani at:

E-mail: diksha@goals101.in ; or
Tel: +91 11 – 41112721; or
Physical Address: 217 B, Okhla Phase 3, Second Floor, New Delhi-110020
ANNEXURE A

DATA PROTECTION POLICY

This Data Protection Policy (“DPA”) has been framed in compliance with GDPR issued by the European Parliament and Council. This DPA is applicable on every person that collects data from (“European Union”) EU residents, or processes data on behalf of a data controller, or any person based in the EU and has a contractual relationship with Goals101 Data Solutions Private Limited, a company incorporated under the Companies Act, 2013 having its registered office at 9/5, Nehru Enclave, East Kalkaji South Delhi 110019, India (hereinafter referred to as “Company”/ “We”/ “Us”/ “Our”).

This DPA is incorporated by reference into any and all agreements currently in place between you and the Company (“Agreement”). When you enter into any Agreement with the Company, you accept, without limitation or qualification, the DPA set forth below. You hereby represent and warrant that you have the authority to legally bind yourself and all of Your personnel, representatives and/or Affiliates operating pursuant to any such Agreement referenced herein.

The Company reserves the right to modify or update this DPA at any time and changes will become effective immediately upon posting. You are requested to check for updates to the DPA periodically.
You hereby agree to comply with the following provisions with respect to any Personal Data of one or more Data Subjects located in the European Economic Area Processed in connection with the Agreement. The purposes of the DPA is to ensure such Processing is conducted in accordance with Data Protection Laws, including GDPR and with due respect for the rights and freedoms of individuals whose Personal Data are Processed. References to the Agreement will be construed as including this DPA. To the extent that the terms of this DPA differ from those in the Agreement, the terms of this DPA shall govern.

DEFINITIONS

In this DPA, the following terms shall have the meanings set out below:

“Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with a party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

“Contracted Processor” means the duly appointed Data Processor or a Sub- processor;

“Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the GDPR;

“Data Subject” means the individual to whom the Personal Data relates;

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

“Security Breach” has the meaning set forth in Clause 7 of this DPA;

“Standard Contractual Clauses” means standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission Decision C (2004) 5271;

“Sub-processor” means any Processor or sub-processor engaged by the Data Controller for the Processing of Personal Data;

“Supervisory Authority” has the meaning set forth in Article 51 of the GDPR;

“Term” has the meaning set forth in Clause 12.1 of this DPA; and

The terms “Controller”, “Personal Data”, “Processor,” “Processed” and “Processing,” have the meanings given to them in applicable Data Protection Laws.

PROCESSING OF PERSONAL DATA

The parties to the Agreement hereby agree that they are independent Controllers with respect to the processing of the Personal Data. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data. Both the parties shall keep a record of all Processing activities with respect to Personal Data as required under GDPR.

Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data, including but not limited to: (i) providing accurate and up-to-date contact details of either party’s data protection officer to the other party; and (ii) providing reasonable information and assistance to the other party: (a) conducting data protection impact assessments as required under the Data Protection Laws; and (b) regarding consultations between that party and a Supervisory Authority.

The Data Processor shall Process the Personal Data in accordance with the requirements of the Data Protection Laws.

The Data Processor shall not Process any Personal Data other than with the written instructions of the Data Controller.

The Data Controller:

shall instruct the Data Processor and its Affiliates (and instruct the Data Processor and its Affiliates to instruct each Sub- Processor) to:

Process the Personal Data; and
in particular, transfer the Personal Data to any country or territory,

as reasonably necessary and consistent with the Agreement.

hereby warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instructions set out in clause 2.5.1 above on behalf of its Affiliates.

The information regarding Processing of Personal Data is set out under ‘Annexure 1’ of this DPA. The parties shall incorporate the terms of ‘Annexure 1’ as a part of the Agreement and such terms shall form an integral part of this DPA.

DATA SUBJECT RIGHTS

Each party is separately responsible for honouring Data Subject access requests under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) and responding to correspondence, inquiries and complaints from Data Subjects. Each party shall provide reasonable and timely assistance to the other party as necessary to help facilitate compliance with this Clause 3.

PERSONNEL

Both the parties shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/ access the relevant Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Data Protection Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

SUB-PROCESSORS

The Data Controller hereby authorises the Data Processor to appoint Sub- processors in accordance with this Clause and any restrictions in the Agreement.

The Data Processor may continue to use those Sub- processors already engaged by the Data Processor as at the date of the Agreement, subject to the Data Processor as soon as practicable meeting the obligations set out in Clause 5.4 below.

The Data Processor shall neither appoint, nor disclose any Personal Data to the proposed Sub-processor except with the prior written consent of the Data Controller.

With respect to each Sub-processor, the Data Processor shall:

before the Sub- processor first Processes the Personal Data, carry out adequate due diligence to ensure that the Sub- processor is capable of providing the level of protection for the Personal Data required by the Agreement; and

ensure that the arrangement between the Data Processor and the Sub- processor is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this DPA.

SECURITY AND AUDIT RIGHTS

The Data Controller shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data it Processes under this DPA and the Agreement. The Data Controller will implement and maintain technical and organizational measures to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

Both the parties will (taking into account the nature of the processing of Personal Data under the Agreement) cooperatively and reasonably assist each other in ensuring compliance with any of each other’s respective obligations with respect to the security of Personal Data and Personal Data breaches under this DPA, including (if applicable) any obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) in the case of the Data Controller, implementing and maintaining appropriate security measures; and (b) complying with the terms of Clause 7 of this DPA.

Each party shall make available to the other party all information necessary to demonstrate compliance with the DPA and each Party may (or if mandated by a Supervisory Authority, will) allow for an audit by a mutually agreeable firm. To request an audit, the requestor must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. The auditor must be approved in advance by both the parties (such approval may not be unreasonably withheld) and execute a written confidentiality agreement acceptable to both the parties before conducting the audit. The audit must be conducted during regular business hours, subject to both the parties’ company policies, and may not unreasonably interfere with either company’s business activities. Any such audits shall be conducted at the expense of the party making the request for such audit. Both the parties agree to share information with the other regarding any non-compliance discovered during the course of an audit.

SECURITY BREACH MANAGEMENT AND NOTIFICATION

If either party becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on the other party’s equipment or facilities under this DPA (“Security Breach”), such party will promptly notify the other party of the Security Breach. Notifications made pursuant to this section will take place within a reasonable time and certainly no longer than 3 (three) business days after discovery and shall describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and any recommended steps that either or both parties should take to address the Security Breach. Each party will promptly investigate the Personal Data Breach if it occurred on its infrastructure or in another area it is responsible for and will assist the other party as reasonably necessary for both parties to meet their obligations under Data Protection Laws.

Both the parties agree that an unsuccessful Security Breach attempt will not be subject to this Clause 7. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Personal Data processed pursuant to this DPA or to any of either party’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.

Notifications of Security Breaches, if any, will be delivered to one or more of the other party’s business, technical or administrative contacts by any reasonable means, including via email. It is each party’s responsibility to ensure it keeps the other party updated with accurate contact information.

Any notification of or response to a Security Breach under this Clause 7 will not be construed as an acknowledgement by either party of any fault or liability with respect to the Security Breach.

The Data Controller shall implement reasonable technical and organizational security measures to provide a level of security appropriate to the risk in respect to the Personal Data. As technical and organisational measures are subject to technological development, either party is entitled to implement alternative measures provided they do not fall short of the level of data protection set out by Data Protection Laws.

RETURN AND DELETION OF PERSONAL DATA

Both the parties will comply with instructions from the other party to delete certain Personal Data as soon as reasonably practicable and within a maximum period of 30 (thirty) days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.

On expiry of the Agreement, both parties hereby instruct the other to delete all Personal Data (including existing copies) from their respective systems and discontinue processing of such Personal Data in accordance with Data Protection Law as soon as reasonably practicable and within a maximum period of 60 (sixty) days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage. This requirement shall not apply to the extent that the Personal Data has been archived on back-up systems so long as such Personal Data is isolated and protected from any further processing except to the extent required by applicable law.

DATA TRANSFERS

Neither party shall transfer any Personal Data (nor permit any Personal Data to be transferred) to a territory outside of the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Data Protection Laws.

Except with regard to the Personal Data transferred from one party to the other party in reliance on the appropriate transfer mechanism specified in Clause 9.1 above, the Standard Contractual Clauses shall apply to the recipient’s processing of Personal Data in countries outside the EEA that do not provide an adequate level of data protection. To the extent that the parties transfer Personal Data in reliance on the Standard Contractual Clauses, the Standard Contractual Clauses shall be deemed completed and signed by the parties by the execution of the Agreement.

LIABILITY

Both parties agree that their respective liability under this DPA shall be apportioned according to each parties’ respective responsibility for the harm (if any) caused by each respective party as may be determined by the parties mutually.

Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).

GOVERNING LAW AND JURISDICTION

The parties shall submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.

MISCELLANEOUS

This DPA will take effect on the date of execution of the Agreement (the “Effective Date”) and will remain valid until the deletion of all Personal Data under the Agreement by both the parties (“Term”).

Nothing in this DPA shall impact either party’s intellectual property rights with respect to Personal Data provided by either party under the Agreement except to the extent required by applicable law.

Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to the Agreement.

ANNEXURE 1

DETAILS OF PROCESSING OF THE PERSONAL DATA

Subject matter and duration of Processing of the Personal Data
The subject matter of the processing under the agreement is the Personal data. The duration of the processing under the agreement is as set forth in this Agreement.

The nature and purpose of Processing of the Personal Data
Goals101 or it’s sub processors are providing personalized offers to Customers. These services may include the processing of Personal Data by Goals101 or it’s sub processors on system which may contain personal data. The purpose of the processing under the Agreement is to execute intelligent, personalized campaigns for the customers of Goals101.

The types of Personal Data to be Processed
Cookie data, Social media data, IP addresses and emails

The categories of Data Subject to whom the Personal Data relates
Data relating to individuals provided to Goals101 via it’s services or by end users

The rights and obligations of the Data Controller

The rights and obligations of the Data Controller and its Affiliates shall be as set forth under the Agreement.