2. Data Controller and Contact Information

In accordance with applicable data protection laws, Sphinx Worldbiz Limited is the Data Controller in respect of the personal data that we collect from you, meaning that we determine the purposes and means of processing your personal data. In compliance with the Information Technology Act, 2000 and the GDPR, we take full responsibility for ensuring that your data is processed in accordance with applicable laws and regulations.

Should you have any queries regarding this Privacy Policy or if you wish to exercise any of your legal rights, please contact us at:

• Email: info@sphinxworldbiz.com
• Postal Address: A-27 B, Sector 16, Noida, District - Gautam Budh Nagar, Uttar Pradesh - 201 301, India
• Phone: +91-120-4736400, +91-120-4736499

For matters related to European Union (EU) data subjects and GDPR, we have appointed a representative within the EU. You may contact our representative in Europe, Mr. Avishkar Surana, at the following email address:

Email: a.surana@sphinxworldbiz.de

We will promptly respond to your queries or concerns within the time frame prescribed by applicable data protection laws, including the DPDPA, 2023 and the GDPR.

3. Scope of this Privacy Policy

This Privacy Policy applies to all personal data collected by us from individuals across the globe, including but not limited to:

• Website Visitors: Individuals visiting or interacting with our website, including those who submit personal data via forms, emails, or other means of contact
• Prospective Clients and Customers: Individuals, entities, or organizations with whom we are in discussions regarding the provision of services or engagement in business relationships.
• Existing Clients and Customers: Individuals or organizations with whom we have an ongoing business relationship for the provision of IT services, solutions, or any related services.

The processing of personal data is subject to the applicable jurisdiction’s legal framework, including the General Data Protection Regulation (GDPR) for residents of the European Union and Digital Personal Data Protection Act, 2023 for residents of India.

4. Personal Data We Collect

In accordance with the GDPR and the DPDPA, 2023, we collect personal data only to the extent necessary to fulfill the specific purposes outlined in this Privacy Policy. The personal data we collect may include:

A. Automatically Collected Data: When you visit our website, we automatically collect certain technical information, including but not limited to:

• IP address, geolocation data, browser type, and device type;
• Cookie data, including third-party analytics and advertising cookies (in compliance with the GDPR and DPDPA, we request your consent before placing non-essential cookies on your device);
• Pages visited, time spent on site, and other usage statistics (collected via analytics services);
• Metadata related to your interactions with the website or services.

This data is collected primarily for the purposes of improving the performance, security, and functionality of our website and services, as well as to tailor content to your preferences.

B. Data Provided by You Directly: In addition to the automatic data collection, we collect personal data that you voluntarily provide to us in the course of using our services, including but not limited to:

• Name, contact details (email, phone number, physical address), job title, company name;
• Name, contact details (email, phone number, physical address), job title, company name;
• Communication preferences, feedback, and any other information that may be provided through our forms, emails, or other forms of communication.

B. Special Categories of Data:We do not generally collect sensitive personal data unless specifically required by law or for the purposes of providing certain services. Sensitive personal data, as defined under the DPDPA, 2023 and GDPR, includes data such as health information, biometric data, racial or ethnic origin, political opinions, religious beliefs, or trade union membership. Where we collect sensitive data, we will ensure that such collection complies with applicable laws and obtain explicit consent from the data subject, where required.

5. Legal Basis for Processing Personal Data

As a Data Controller, we process your personal data based on one or more of the following lawful bases, in compliance with the GDPR, DPDPA, 2023, and other applicable laws:

A. Consent

We may process your personal data where you have provided us with explicit, informed, and unambiguous consent to do so for specific purposes, such as receiving marketing communications, newsletters, or participating in surveys. You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal.

B. Performance of a Contract

We process personal data when necessary for the performance of a contract with you or to take steps prior to entering into a contract, such as providing IT services, software solutions, or consulting.

C. Legitimate Interests

We may process your personal data based on our legitimate interests, such as maintaining and improving the performance of our website, marketing, and business development activities. However, we will ensure that your fundamental rights and freedoms are not overridden by our legitimate interests. You may object to this processing at any time, as detailed below.

D. Compliance with Legal Obligations

We may process your personal data to comply with legal obligations, including under the Information Technology Act, 2000, DPDPA, 2023, and the GDPR, for example, to comply with record-keeping, tax, and financial reporting obligations, or in response to lawful requests from authorities.

E. Public Interest or Official Authority

Where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us. (AP, Adv.)

6. Use of Your Personal Data

We process your personal data for the following purposes, in compliance with DPDPA, 2023, GDPR, and other applicable legal frameworks:

• To provide and manage the services we offer;
• To communicate with you regarding business inquiries, service updates, technical support, or marketing communications, where we have obtained your consent to do so;
• To conduct market research, surveys, and to improve our website and services;
• To ensure compliance with legal and regulatory obligations under applicable laws, including reporting and legal proceedings;
• To manage security risks, fraud detection, and prevention, and for system maintenance, upgrades, and enhancements.

7. Sharing Your Personal Data

We will not sell, rent, or trade your personal data to any third party. However, we may share your personal data in the following circumstances:

a. Service Providers and Data Processors: We may disclose your personal data to third-party service providers, data processors, and subcontractors who perform services on our behalf, including

• Hosting providers, cloud services providers, and data storage facilities;
• IT support services, customer relationship management platforms, and data analytics services;
• Marketing, communication, and advertising platforms (with your consent where applicable).
• These third parties are contractually obligated to ensure that your data is processed in accordance with this Privacy Policy and applicable laws, including under the GDPR and DPDPA, 2023.
• To manage security risks, fraud detection, and prevention, and for system maintenance, upgrades, and enhancements.

b. Legal and Regulatory Disclosures: We may disclose your personal data to regulatory authorities, law enforcement agencies, or other government bodies where required to comply with legal obligations or in response to a valid legal request, including court orders, summon(s) / subpoena(s), or other legal processes. This disclosure may also occur in response to legitimate requests to protect our legal rights, prevent fraud, or cooperate in investigations.

c. Business Transfers: In the event of a merger, acquisition, or sale of our business, your personal data may be transferred as part of the transaction. We will ensure that appropriate safeguards are in place to protect your data during such transfers, in compliance with the applicable laws.

8. Data Retention

We will retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as required by applicable law. The retention period depends on the nature of the personal data and the purposes for which it is processed.

a. General Data Retention Periods: Personal data will be retained for the duration of our business relationship and for a period of time thereafter as required or permitted under applicable laws. For example, data related to contracts, transactions, and billing will generally be retained for a minimum of 6 years in accordance with Indian tax laws and accounting practices.

b. Retention Based on Legal and Regulatory Requirements: In certain cases, we are required to retain personal data for longer periods to comply with specific legal obligations, such as those related to anti-money laundering laws, cybersecurity regulations, and statutory audits under the applicable Indian laws, Goods or other regulatory requirements specific to our industry

c. Data Anonymization: In some cases, we may anonymize your personal data to such an extent that it can no longer be attributed to you. Once anonymized, this data may be retained indefinitely for research, statistical, or analytical purposes, but will not be used to identify or contact you.

d. Right to Request Deletion or Restriction of Processing: In certain cases, if you request the deletion or restriction of processing of your personal data (and if there are no overriding legal or contractual reasons for retention), we will comply with such a request as required by applicable law.

9. Your Rights as a Data Subject

a. Right to Access: You have the right to request access to the personal data we hold about you. This means you can ask us to confirm whether we are processing your data, and if so, you have the right to request a copy of that data. We will provide you with this information within a reasonable timeframe and at no charge, unless your request is unfounded or excessive.

b.Right to Rectification: You have the right to request the correction of any inaccurate or incomplete personal data we hold about you. If we have shared your incorrect data with third parties, we will also inform them of the correction, where possible

c. Right to Erasure: You have the right to request the deletion of your personal data in certain circumstances. This includes situations where:

• Your personal data is no longer necessary for the purposes for which it was collected or processed.
• You withdraw your consent and there is no other legal ground for processing.
• You object to processing, and we have no overriding legitimate grounds for continuing the processing.
• Your personal data has been unlawfully processed.

However, please note that in certain cases, we may not be able to fulfill your request for erasure, such as when processing is required for legal obligations, contract performance, or for legal claims.

d.Right to Restriction of Processing: You have the right to request the restriction of processing of your personal data in specific situations, including:

• Right to Restriction of Processing: You have the right to request the restriction of processing of your personal data in specific situations, including:
• If the processing is unlawful, but you prefer the restriction of processing instead of deletion.
• If the processing is unlawful, but you prefer the restriction of processing instead of deletion.

e. Right to Data Portability: You have the right to request the transfer of your personal data to another data controller, where technically feasible, in a structured, commonly used, and machine-readable format. This right applies to personal data you have provided to us based on consent or contract.

f. Right to Object to Processing:: You have the right to object to the processing of your personal data in certain cases. This includes where:

• We process your data based on our legitimate interests, and you believe your interests or fundamental rights override our processing.
• We use your data for direct marketing purposes.
• We use your data for statistical or research purposes (unless processing is necessary for the public interest).
• If you object to processing, we will cease processing your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms.

g. Right to Withdraw Consent: Where you have provided consent for the processing of your personal data, you have the right to withdraw that consent at any time. If you wish to withdraw your consent, please contact us using the contact details below. Please note that withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Please note that your rights may be subject to certain limitations under the Indian IT laws and GDPR. We may refuse or restrict your requests on the grounds, including but not exclusively, if they are excessive, manifestly unfounded, or if the processing is necessary for the establishment, exercise, or defense of legal claims

10. Data Security

a. We are committed to protecting the security of your personal data and have implemented appropriate technical and organizational measures to safeguard it against unauthorized access, alteration, or disclosure. These measures include encryption, firewalls, secure servers, access control mechanisms, and regular staff training on data protection best practices.

b. We have implemented appropriate technical, organizational, and security measures to protect your personal data from accidental loss, unauthorized access, alteration, or disclosure. These measures include, but are not limited to:

• Encryption of sensitive personal data
• Access control mechanisms
• Regular security audits and assessments
• Employee and contractor training on data security
• We also limit access to your personal data to employees, agents, contractors, and other third parties who have a business need to know. These individuals will only process your personal data based on our instructions and are subject to a duty of confidentiality.

11. Cross-Border Data Transfers

As we operate globally, your personal data may be transferred to and processed in countries outside India, including within the European Union and other jurisdictions. When transferring your personal data across borders, we will ensure that appropriate safeguards are in place to protect your data, in compliance with applicable data protection laws, including the GDPR and DPDPA, 2023

10. Cookies

a. We use cookies and similar tracking technologies to collect and process data to enhance the functionality and performance of our website and improve user experience. Cookies are small text files that are stored on your device when you visit our website. In compliance with GDPR, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Indian Information Technology Act, and other applicable data protection laws, we inform you that by continuing to use our website, you provide your consent for the use of cookies, unless you have disabled them through your browser settings

b. We may use different types of cookies: (i) Essential Cookies, which are necessary for the operation of the website, such as for logging in or securing your session; (ii) Performance and Analytics Cookies, which help us analyze and understand how our website is being used (e.g., via Google Analytics); (iii) Functional Cookies, which allow the website to remember user preferences or settings, such as language or region; (iv) Advertising and Marketing Cookies, which help us deliver targeted ads and track the effectiveness of our marketing efforts; and (v) Social Media Cookies, which enable social sharing functionality and tracking across third-party platforms. In accordance with applicable law, non-essential cookies will only be placed on your device after obtaining your consent, either through our cookie consent banner or browser settings, which allow you to accept or reject non-essential cookies.

c. As per GDPR and Indian data protection laws, you have the right to withdraw consent for the use of non-essential cookies at any time by adjusting your browser settings or using the consent management tools available on the website. Please note that blocking or disabling cookies may result in certain features or functionalities of the website being unavailable or degraded. Furthermore, third-party service providers, such as advertisers or analytics providers, may also use cookies to track your behavior across websites for purposes such as marketing, analytics, or performance optimization. These third parties are required to comply with applicable privacy laws, and we encourage you to review their privacy policies for further information.

d. We retain cookies on your device for the period necessary to fulfill the purposes outlined above or as mandated by applicable law. You may also delete or manage cookies through your browser settings at any time. We have implemented appropriate technical and organizational measures to ensure that the data collected through cookies is processed securely and in compliance with data protection laws.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our legal obligations, business practices, or technological advancements. We will notify you of significant changes by updating the “Last Updated” date provided in this Privacy Policy. We encourage you to review this Privacy Policy regularly to stay informed about how we are protecting your personal data.

14. Legal Review and Drafting

This Privacy Policy has been reviewed and drafted in accordance with the highest standards of legal and regulatory compliance, including adherence to the relevant data protection laws such as the GDPR, the Information Technology Act, 2000 (and corresponding rules and regulations), and the Digital Personal Data Protection Act, 2023.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us using the following details

• Email: info@sphinxworldbiz.com
• Postal Address: A-27 B, Sector 16, Noida, District - Gautam Budh Nagar, Uttar Pradesh - 201 301, India
• Phone: +91-120-4736400, +91-120-4736499

We are committed to ensuring your privacy rights are respected and upheld. (AP)