1. Purpose
This Data Privacy Policy outlines the procedures and practices of Anchanto Services Pvt Ltd (hereafter referred to as “Anchanto”) regarding the collection, use, and protection of personal information. We are committed to safeguarding the privacy of personal information collected from our employees, contractors, vendors, and clients, ensuring its use in accordance with this policy and applicable laws.
2. Scope
This policy applies to all employees, contractors, consultants, vendors, and clients of Anchanto, ensuring that all parties understand their responsibilities regarding data privacy. It governs all personal information processed by Anchanto, irrespective of the medium through which it is collected or stored.
3. Responsibilities
All Employees and Consultants: Must adhere to the principles outlined in this policy and ensure that personal information is handled responsibly, with care and diligence.
Security Committee: Responsible for overseeing compliance with data protection practices, conducting regular audits, and reviewing incidents related to data breaches.
Chief Information Security Officer (CISO): Tasked with implementing and enforcing this policy across the organization, ensuring ongoing education and awareness among staff regarding data privacy.
4. Policy Statement
Anchanto is dedicated to promoting the responsible use of information and protecting individual privacy rights. We prioritize the confidentiality and security of all personal data we collect and process, striving to maintain the trust of our stakeholders.
5. Guidelines
Types of Personal Data Handled
Anchanto may collect various types of personal data, including but not limited to:
Employee Personal Details: Such as birth date, address, phone number, PAN number, and bank account information.
Visitor Information: Including phone number, name, and address.
Photographs: Of employees and events occurring within the office, which may be used for internal communications or marketing purposes.
5.1 Purpose of Data Collection
Anchanto may collect, store, use, and disclose personal information for the following business purposes:
Fulfillment of Services: To meet contractual obligations and deliver services effectively, ensuring that we can provide our clients with high-quality solutions.
Relationship Management: To manage and enhance interactions with employees, vendors, and clients, fostering strong and productive relationships.
Operational Purposes: For human resources functions, including recruitment, employee screening, onboarding, and performance evaluations.
Communication: To provide individuals with pertinent information regarding products and services, including benefits such as insurance, salary, tax payments, and travel arrangements (including visa processing).
Compliance: To meet legal, regulatory, and internal requirements, including fraud prevention, legal proceedings, and adherence to industry standards.
5.2 Consent
Personal data collection will occur only with the explicit, informed consent of the data subject.
Consent will be voluntary, revocable, and specific to the purposes for which data is being collected, ensuring individuals are aware of their rights.
Records of consent will be maintained in a secure manner, and a defined process for handling the revocation of consent will be established, allowing individuals to withdraw consent easily.
6. Selecting Your Communication and Marketing Preferences
You can manage your marketing communication preferences on this Website. If you prefer not to receive marketing communications or wish to update or correct any information previously provided
We will update your information as soon as possible, but no later than ten (10) days after receiving your request. We will respond to all requests for access to your Personal Data within 30 days.
Even if you opt out of marketing communications, we may still need to contact you regarding your existing account, to fulfill a request you’ve made, or to administer any promotion or program in which you are participating.
7. Targeted Email Marketing
Our marketing communications, including email, may be personalized based on your interactions with this Website and your browsing and purchase history. When you click on certain links in our emails, our email service provider may place a cookie on your browser linked to your email address. This cookie helps us personalize future email marketing messages. You can opt out of personalized email marketing by clicking the unsubscribe link provided in every email.
8. Collection and Use of Children’s Personal Data
We take children’s privacy seriously and do not knowingly collect Personal Data from children under 13 years of age through this Website. If you are under 13, please do not submit any Personal Data without the express consent of a parent or guardian.
9. Targeted Display Advertising
We collaborate with advertising and personalization partners that use cookies to display personalized content and appropriate ads during your visits to this Website and other sites.
10. Third-Party Advertising
For information on the privacy practices of third parties that use cookies for advertising purposes, and to opt out of their cookies, please use the following links: [List third-party advertisers and their privacy policy links here]
These third parties may use cookies to deliver ads based on your visits to this Website and other sites, and to measure the effectiveness of their advertising campaigns.
11. Cookies and Web Beacons
How We Use Cookies: This Website uses cookies to enable sign-in to our services and to personalize your online experience. A cookie is a text file placed on your computer’s hard drive. You can change your browser settings to decline cookies if you prefer. However, if you decline cookies, you may not be able to use certain features of this Website.
Upon your first visit, you will see a banner informing you about our use of cookies and providing a link to our Cookie Use Policy. You can manage your cookie preferences through the Cookie Preference Center (also known as “Your Privacy Choices”) accessible from our home page.
How We Use Web Beacons: We or our business partners may use web beacons on this Website, in emails, and in advertisements to measure the effectiveness of content and campaigns. Web beacons are electronic images that recognize cookies and help us gather information such as the number of visitors, page views, and email engagement.
How We Use Pixel Tracking: This Website and some of our business partners use pixel tracking to collect data about your interactions with our site. Pixel tracking helps us understand user behavior and improve website performance. Data collected includes device type, operating system, session activities, screen resolution, IP address, and visit times.
Business partners using pixel tracking include:
12. How We Secure Personal Data
We are committed to protecting the security of Personal Data. We use a variety of security technologies and procedures to help protect Personal Data from unauthorized access, use, and disclosure. For details about our data protection processes, please see our Information Security Policy and our Technical and Organizational Measures available on the Security page of our website.
When you provide us with sensitive Personal Data (such as financial information), we encrypt that information using SSL (Secure Sockets Layer) technology. Although we strive to protect your Personal Data, we cannot guarantee its absolute confidentiality, and you transmit such data at your own risk.
We and our affiliates maintain reasonable security measures to protect your information from loss, destruction, misuse, unauthorized access, or disclosure. When you enter sensitive information, such as your login credentials, on our website or connect to our Service, we may encrypt the transmission of that information. For any security-related queries regarding our website, please contact us at security.alerts@anchanto.com.
When we use your Personal Data in connection with a SaaS product or service, the data is typically encrypted both in transit and at rest. For third-party providers and cloud hosting services, we rely on the public policies and protections of those globally available services. For a detailed breakdown of the policies of our primary cloud hosting service providers, please refer to the Security Guides for the products you are using.
13. Data Processing
Personal data may be disclosed to management, auditors, service providers, regulators, and law enforcement as necessary for compliance with legal and regulatory obligations.
Anchanto may monitor electronic communications and data access to ensure adherence to internal policies and legal obligations, while respecting employees’ rights to privacy.
Individuals may request access to their personal data and can ask for corrections or deletions where applicable, facilitating transparency and control over personal information.
Employees can withdraw consent at any time; however, this may affect the provision of services based on that data.
Any sharing of personal details with external parties will be communicated to the affected individuals, ensuring transparency in data handling practices.
Individuals have the right to object to the processing of their personal data, which can be communicated via email to the People Experience Team, ensuring that concerns are addressed promptly.
Anchanto employs appropriate administrative, physical, and technical safeguards to protect personally identifiable information, marking sensitive data as Confidential Personal Information.
We utilize masked data for system design and development purposes, minimizing the collection of identifiable information from customers.
14. Monitoring and Compliance
Compliance with this policy will be reviewed annually to ensure its effectiveness. The HR department and CISO will ensure that necessary modifications are made in response to regulatory changes or identified risks. Training programs will be provided to ensure all employees understand their obligations regarding data privacy.
15. Enforcement
Compliance with this policy is mandatory. Any violations must be reported through the Security Incident Response Team (SIRT) procedure. Responses to violations will include:
All breaches reported to the Security Committee for review and action.
Initial violations may result in a warning; repeated violations may lead to disciplinary action, including termination of employment, depending on the severity of the breach.
By adhering to this Data Privacy Policy, we at Anchanto commit to protecting the privacy and security of the personal information entrusted to us. We value your cooperation and support in fostering a culture of respect for privacy.
Annexure – A
Anchanto Data Breach Management Process
Policy Statement As an organization which processes personal data, every care is taken to protect personal data and to avoid a data protection breach. This policy outlines the measures Anchanto takes against unauthorized or unlawful processing or disclosure and against accidental loss, destruction of or damage to personal data. In the event of data being lost or shared inappropriately, Anchanto will take appropriate action to minimize any associated risk as soon as possible. This procedure applies to all personal and sensitive data held by Anchanto and for all customers, vendors, staff and contractors. This Data Breach Procedure document forms part of the Anchanto’s Data Protection Policy and all team-members are made aware of these procedures through induction, supervision and ongoing training.
1. Purpose
It is a regulatory requirement under GDPR for Anchanto to have consistent and effective governance and control arrangements to protect the personal data that we hold. This Data Breach Procedure sets out the course of action to be followed by all team-members in the event of a real or potential data protection breach.
2. Definition of Data Breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In summary, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorization; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
Personal data breaches can include:
- Loss or theft of personal data and/or equipment on which data is stored
- Access by an unauthorized third party
- Deliberate or accidental action (or inaction) by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
- Hacking attack
- Cyber attack
- Equipment failure
- Human error
- Unforeseen circumstances such as a fire or flood
- Flawed data destruction procedures
3. Aim of Data Breach Management Procedure Policy
The aim of this policy is to ensure a standardized and consistent approach is followed when responding to data breaches to enable us to:
- Report data breaches without delay to the Data Protection Officer
- Identify incidents of data breaches quickly and investigate them properly and in a timely manner
- Record and document all incidents and report them to the Senior Leadership Team (SLT), Governors and the Data Protection Manager/DPO
- Assess the severity and impact of the data breach to determine whether it is necessary to inform the Data Subject(s) and customers according to the GDPR guidance
- Take action, which is proportionate, consistent and transparent to prevent further damage · Regularly monitor and review all data breach incidents and potential situations that may lead to a data breach to identify improvements in policies, procedures and control mechanisms to remove or mitigate risk of further repetition.
4. Reporting a Data Breach
As soon as any Anchanto team member or contractor discovers or receives a report of a data breach, they must inform the Data Protection Manager as soon as possible and without delay. If the breach occurs or is discovered outside normal schoolworking hours, then notification should begin as soon as is practicable. An emailed report can be submitted to the Data Protection Officer and Director of Cybersecurity in the first instance and should include accurate details of the incident including but not limited to the date and time of occurrence, place or occurrence, name of the person reporting the breach, details of the errors/logs/evidence of data breach as applicable. An initial assessment of the data breach by the Data Protection Officer or Director of Cybersecurity will include completion of the Data Breach Record to ascertain as much information as possible about the incident in order to fully assess the impact of the data breach and determine actions required.
5. Managing a Data Breach
Step 1: Containment and Recovery
- The Data Protection Officer or Cyber Security team will ascertain the severity of the breach, whether any personal data is involved and whether the breach is still occurring.
- If the breach is still occurring, the Director of Cyber Security will establish what steps need to be taken immediately to minimize the effect of the breach and contain the breach from further data loss (e.g. alert the Technical and customer support, KAMs, Product team, Engineering Managers, CTO, etc. restricting access to systems or close down a system etc).
- The cyber security team will consider and implement appropriate steps required to recover any data loss where possible and limit damage caused (e.g. use of backups to restore data; changing passwords etc.)
- will inform the DPO and ELT/SLT if the severity and likely impact of the breach deems it necessary to inform the Customer of the breach. At the same time, depending on the nature of the breach, the team may seek expert or legal advice and/or the Police if it is believed that illegal activity has occurred or is likely to occur.
- Where a significant breach has occurred, the team will inform the Customer within 24 hours of the confirmation of the breach.
- The decision taken as to the reasons why a data breach is either reported or not reported is documented by the Director of Cyber Security.
- All the key actions and decisions are fully documented and logged in our Data Security Breach Log.
Step 2: Assessment of Risk
Further actions may be needed beyond immediate containment of the data breach. To help determine the next course of action, an assessment of the risks associated with the breach is undertaken to identify whether any potential adverse consequences for individuals are likely to occur and the seriousness of these consequences.
The Data Protection Officer / Director of Cyber Security will consider the points arising from the following questions:
- What type and volume of data is involved?
- How sensitive is the data? Could the data breach lead to distress, financial or even physical harm?
- What events have led to the data breach? What has happened to the data?
- Has the data been unofficially disclosed, lost or stolen? Were preventions in place to prevent access/misuse? (e.g. encryption)
- How many customers are affected by the data breach?
- Who is the customers whose data has been compromised?
- What could the data tell a third party about the customer? Could it be misused regardless of what has happened to the data?
- What actual/potential harm could come to those customers? E.g. physical safety; emotional wellbeing; reputation; finances; identity theft; one or more of these and other private aspects to their life
- Are there wider consequences to consider?
- Are there others that might advise on risks/courses of action (such as banks if individual’s bank details have been affected by the breach)?
Step 3: Notification of Breaches
If the severity and likely impact of the breach warrants notifying the Customers, then we will notify within 24 hours of confirmation of the breach and becoming aware of the essential facts of the breach. This notification will include at least:
- Brief description
- The date and time of the breach (or an estimate)
- The date and time we discovered it
- Basic information about the type of breach
- Basic information about the personal data concerned
As we undertake a full investigation of the details of the breach, within 3 days of the initial notification, we will further provide the Customers with full details of the incident, the number of individuals affected and its possible effect on them, the measures taken to mitigate those effects, and information about our notification to the customers affected. There may be instances when the nature of the breach and the customer(s) affected may necessitate notifying third parties such as regulatory bodies, agencies, professional bodies as part of the initial containment. If the breach is likely to adversely affect the personal data or privacy of Anchanto team-members, Customer staff etc., we will notify them of the breach without unnecessary delay if we cannot demonstrate that the data was encrypted (or made unintelligible by a similar security measure).
We will inform them of:
- The estimated date of the breach
- A summary of the incident
- The nature and content of the personal data
- The likely effect on the individual(s)
- Any measures we have taken to address the breach
- How those affected can mitigate any possible adverse impact
Step 4: Evaluation and Response
When Anchanto’s response to a data breach has reached a conclusion, the Data Protection Officer and the Director of Cyber Security will undertake a full review of both the causes of the breach and the effectiveness of the response. The full review is reported to ELT/SLT and if required to the customer/s, for information and discussion as soon as possible after the data breach has been confirmed. If through the review, systematic or ongoing problems associated with weaknesses in internal processes or security measures have been identified as a cause of the data breach, then appropriate action plans will be drafted, actioned and monitored to rectify any issues and implement recommendations for improvements. The ELT/SLT will be party to discussions regarding action plans and be able to monitor progress against the actions appropriately. If a breach warrants a disciplinary investigation, legal advice will be sought through Human Resources channels.
6. Implementation of these Procedures
The Data Protection Officer or the Director of Cyber Security will ensure that Anchanto team-members are aware of these procedures for reporting and managing data breaches. Data Protection training for all team members is mandatory, including new employees and all team members will undertake refresher training annually. If any of the team members have any queries or questions relating to these procedures, they should discuss this with the Cyber Security team or DPO.
7. Complaints about our Data Breach Management Process
If an individual or Data Subject affected by a data breach believes that a data breach has not been dealt with properly, a complaint should be made through the DPO email as per the Data Privacy and Protection policy. If following the conclusion of the complaint’s procedure within, the individual or Data Subject is still dissatisfied, then a complaint can be made directly to the regional GDPR contact for that region with a copy to the DPO at Anchanto.