Privacy Policy

"Consent" means freely given, specific, informed, and unambiguous indication of the Data Principal's agreement to the processing of their personal data, expressed by a clear affirmative act, and withdrawable at any time.

"Data Fiduciary" has the meaning ascribed to it under the Digital Personal Data Protection Act, 2023 (India), and refers to Yashuss in the context of this Policy.

"Data Principal" / "Data Subject" means the natural person to whom the personal data relates.

"Data Processor" means a person or entity that processes personal data on behalf of the Data Fiduciary.

"DPDPA" means the Digital Personal Data Protection Act, 2023, and the rules thereunder, as amended from time to time.

"GDPR" means the General Data Protection Regulation (EU) 2016/679 and/or the UK GDPR retained in domestic UK law, as applicable.

"Personal Data / Personal Information" means any information that relates to an identified or identifiable natural person, including but not limited to names, contact details, identification numbers, location data, and online identifiers.

"Processing" means any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, dissemination, restriction, erasure, or destruction.

"Sensitive Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation, financial information, official identifiers (Aadhaar, PAN, Passport), and children's data.

"Sub-Processor" means a third-party Data Processor engaged by Yashuss to carry out specific processing activities on its behalf.

1. SCOPE OF THIS PRIVACY POLICY

This Privacy Policy applies to personal data collected, processed, or held by Yashuss Unlimited Business Solutions Pvt. Ltd. and its affiliated entities and subsidiaries (collectively, "Yashuss", "we", "our", or "us") in connection with the following individuals and activities:

• Visitors to our website at www.yashussunlimited.com and any associated digital properties
• Existing and prospective customers and client personnel
• Business partners, suppliers, vendors, and their representatives
• Event attendees, webinar participants, and registrants
• Individuals communicating with us by electronic, telephonic, or written means
• Job applicants and employment candidates
• Any other natural person whose personal data is processed in connection with our lawful business operations

This Privacy Policy applies to information collected through our website, email communications, marketing campaigns, online forms, customer relationship management systems, support channels, recruitment activities, contract administration, and all other lawful business interactions.

2. INFORMATION WE COLLECT

2.1 Identity & Contact Data

We may collect personal identifiers including full name, business email address, telephone number, company name, job title, business address, country of residence, and other contact information provided voluntarily during communications or business engagements.

2.2 Professional & Transactional Data

Where relevant to service delivery, we may collect organisational details, project specifications, technology environments, service requirements, procurement information, contractual documentation, payment records, invoices, and records of customer interactions.

2.3 Communications Data

We maintain records of correspondence, inquiries, support requests, meeting notes, feedback, survey responses, event registrations, and other communications necessary to manage and improve our business relationships.

2.4 Recruitment Data

For recruitment and employment purposes, we may collect résumés, curriculum vitae, employment applications, educational qualifications, certifications, employment history, interview assessments, reference information, and other data voluntarily provided by candidates or obtained through lawful recruitment channels.

2.5 Technical & Usage Data (Automated Collection)

When users access our website, certain data is collected automatically through cookies, server logs, and analytics tools, including:

• Internet Protocol (IP) addresses
• Browser type and version, operating system, and device type
• Pages visited, content viewed, and links clicked
• Referral sources and session duration
• Approximate geographic location derived from IP address
• Other usage-related metadata

Such automated collection is governed by Section 6 (Cookies & Tracking Technologies) of this Policy.

2.6 Sensitive Personal Data

Yashuss does not intentionally collect sensitive personal data (as defined in Section 1 above) unless specifically required for a documented legitimate purpose with explicit consent or legal authorisation. Where such data is inadvertently received, it will be deleted promptly unless a lawful basis for retention exists.

3. LAWFUL BASIS FOR PROCESSING

Yashuss processes personal data only where a lawful basis exists under applicable law. The table below maps our primary processing activities to their corresponding legal grounds:

4. HOW WE USE PERSONAL DATA

Yashuss processes personal data only for specified, explicit, and legitimate purposes and does not process data in a manner incompatible with those purposes. Our primary processing activities include:

• Responding to inquiries, evaluating service requirements, preparing proposals and quotations
• Delivering professional services, administering contracts, managing customer relationships
• Providing technical support, processing transactions, and fulfilling business obligations
• Communicating service updates, events, industry insights, and other business-related communications
• Improving website functionality, evaluating marketing effectiveness, and supporting business intelligence
• Conducting recruitment, candidate evaluation, interview management, verification, and onboarding
• Maintaining information security, detecting and preventing fraud, protecting our legal rights and interests
• Complying with legal and regulatory obligations, enforcing contractual obligations, and supporting corporate governance

4.1 Automated Decision-Making & Profiling

Where Yashuss uses automated means to evaluate personal data that produces legal or similarly significant effects on individuals, we shall: (a) inform the individual; (b) provide a meaningful explanation of the logic involved; (c) allow the individual to request human review; and (d) obtain explicit consent where required by applicable law. Currently, Yashuss does not engage in solely automated decision-making that produces legally significant effects without human oversight.

5. COOKIES AND TRACKING TECHNOLOGIES

Our website uses cookies, pixel tags, web beacons, session tokens, and similar technologies. The categories of cookies we deploy are:

Strictly Necessary Cookies: Required for core website functionality, security, and authentication. These cookies cannot be disabled without impairing website performance.

Performance / Analytics Cookies: Used to understand how visitors interact with the website, identify pages visited, and improve performance. Requires consent where applicable law mandates it.

Functional Cookies: Used to remember user preferences and personalise the browsing experience. Subject to consent.

Marketing / Targeting Cookies: Used to deliver relevant content and measure marketing campaign effectiveness. Requires explicit opt-in consent in jurisdictions where required (EU, UK, certain Indian use-cases).

Cookies placed by third-party analytics and marketing platforms (such as Google Analytics, HubSpot, LinkedIn Insight Tag, or similar) are subject to the respective provider's privacy policies. Users should review these independently.

Users may manage, restrict, or delete cookies through their browser settings or via the cookie consent banner available on our website. Disabling strictly necessary cookies may impair website functionality. Our full Cookie Policy, including a list of active cookies, duration, and third-party providers.

6. DISCLOSURE OF PERSONAL DATA

6.1 General Principle

Yashuss does not sell, rent, trade, or otherwise transfer personal data to third parties for their independent commercial purposes. Personal data is shared only as described in this Section.

6.2 Service Providers & Sub-Processors

We may share personal data with service providers, technology vendors, contractors, and professional advisors acting as Data Processors or Sub-Processors on our behalf, including providers of:

• Cloud infrastructure and hosting services
• Customer relationship management (CRM) systems
• Communication and collaboration platforms
• Marketing automation and email delivery tools
• Cybersecurity and vulnerability management solutions
• Recruitment and human resources platforms
• Accounting, finance, and legal advisory services
• Analytics and business intelligence tools

All Sub-Processors are bound by written data processing agreements containing obligations at least equivalent to those contained in this Policy, including obligations relating to confidentiality, security, and data subject rights. Yashuss remains accountable for the acts and omissions of its Sub-Processors.

6.3 Legal & Regulatory Disclosures

We may disclose personal data where required by applicable law, regulation, court order, governmental authority, law enforcement agency, or regulatory body. Prior to such disclosure, we will, to the extent permitted by law, notify the Data Principal and seek to limit the scope of the disclosure to what is strictly necessary.

6.4 Corporate Transactions

In the event of a merger, acquisition, restructuring, asset transfer, insolvency, or similar corporate event, personal data may be transferred subject to: (a) prior notification to affected Data Principals; (b) the acquirer being bound by privacy obligations at least equivalent to this Policy; and (c) any applicable regulatory approvals.

6.5 Affiliated Entities

Personal data may be shared with Yashuss's affiliated entities and subsidiaries on a need-to-know basis, subject to inter-group data transfer agreements and confidentiality obligations consistent with this Policy.

7. INTERNATIONAL TRANSFERS OF PERSONAL DATA

As a global organisation, Yashuss may process, store, or transfer personal data across national boundaries. Transfers may occur to and from India, the United States, Mauritius, the United Kingdom, the European Union, the GCC region, and African jurisdictions where our business operations are conducted.

Where personal data originating from the EEA or UK is transferred to a country not recognised as providing an adequate level of data protection, Yashuss implements one or more of the following transfer mechanisms:

• Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO
• Binding Corporate Rules (BCRs) where applicable
• Adequacy decisions recognised by the European Commission or UK Secretary of State
• Derogations under Article 49 of the GDPR where applicable and documented

Where personal data originating from India is transferred internationally, Yashuss complies with the requirements of Section 16 of the DPDPA and any Central Government notifications designating permitted countries for cross-border data transfer.

Copies of applicable transfer safeguards may be requested by contacting [email protected].

8. INFORMATION SECURITY

Yashuss implements a comprehensive, risk-based information security programme commensurate with the nature, volume, and sensitivity of the personal data processed. Our security measures include:

• Role-based access controls and principle of least privilege
• Multi-factor authentication on critical systems
• Encryption of personal data in transit (TLS 1.2+) and at rest where appropriate
• Network security controls, firewalls, and intrusion detection systems
• Regular vulnerability assessments and penetration testing
• Secure software development lifecycle (SSDLC) practices
• Periodic security awareness training for personnel
• Vendor and third-party risk assessments
• Incident response and business continuity procedures aligned with ISO 27001 and CERT-In guidelines

Notwithstanding the foregoing, no method of electronic transmission or storage can be guaranteed to be completely secure. Yashuss makes no absolute warranty of security, but undertakes to notify affected individuals and relevant authorities in the event of a personal data breach in accordance with Section 10 below.

8.1 Personal Data Breach Notification

In the event of a personal data breach likely to result in risk to the rights and freedoms of Data Principals, Yashuss shall:

• Notify the relevant Data Protection Board (India), Supervisory Authority (EU/UK), or equivalent authority within the timeframe prescribed by applicable law (72 hours under GDPR; as notified under DPDPA; 6 hours under CERT-In Directions 2022 where applicable);
• Notify affected Data Principals without undue delay where the breach is likely to result in high risk to their rights and interests, including a description of the breach, likely consequences, and measures taken;
• Maintain an internal breach register documenting all breaches, whether or not notification is required.

9. DATA RETENTION

Yashuss retains personal data only for as long as necessary to fulfil the purposes for which it was collected. The following schedule provides indicative retention periods:

10. INDIVIDUAL RIGHTS

Subject to applicable jurisdiction-specific law, Data Principals/Subjects have the following rights in relation to their personal data:

Right of Access: The right to request confirmation of whether we process your personal data and to obtain a copy of such data (GDPR Art. 15; DPDPA S.11).

Right to Correction: The right to request correction of inaccurate or incomplete personal data (GDPR Art. 16; DPDPA S.12).

Right to Erasure: The right to request deletion of personal data where it is no longer necessary, consent is withdrawn, or processing is unlawful, subject to overriding legal obligations (GDPR Art. 17; DPDPA S.12(3)).

Right to Restriction of Processing: The right to request that processing be restricted in certain circumstances (GDPR Art. 18).

Right to Data Portability: The right to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller (GDPR Art. 20).

Right to Object: The right to object to processing based on legitimate interests or for direct marketing purposes (GDPR Art. 21; DPDPA S.13).

Right to Nominate: Under DPDPA, the right to nominate an individual to exercise data rights on your behalf in the event of death or incapacity (DPDPA S.14).

Right against Automated Decision-Making: The right not to be subject to solely automated decisions that produce significant legal or similar effects without human review (GDPR Art. 22).

Right to Withdraw Consent: The right to withdraw consent at any time without detriment; withdrawal does not affect the lawfulness of prior processing.

Right to Lodge a Complaint: The right to lodge a complaint with the relevant supervisory authority. See Section 17 for authority contact details.

To exercise any of the above rights, submit a written request to [email protected] with sufficient information to verify your identity. We will acknowledge requests within 48 hours and respond substantively within 30 days (extendable by a further 30 days for complex requests, with notice). We will not charge a fee for rights requests except where manifestly unfounded or excessive.

Yashuss may send business communications, newsletters, event invitations, service updates, industry insights, and promotional materials to individuals who have: (a) expressed interest in our services; (b) engaged with our business; or (c) provided appropriate consent where required by applicable law.

Recipients may opt out of marketing communications at any time by:

• Clicking the 'Unsubscribe' link in any marketing email;
• Sending an opt-out request to [email protected]; or
• Updating communication preferences through any profile management portal we provide.

We will process opt-out requests within 10 business days. Withdrawal of marketing consent shall not affect transactional, contractual, service-related, administrative, or legally required communications.

12. RECRUITMENT AND EMPLOYMENT

Personal data submitted in connection with employment opportunities will be processed solely for recruitment, evaluation, hiring, onboarding, workforce administration, and related legitimate business purposes.

Candidate information may be accessed by authorised HR personnel, hiring managers, recruitment partners, and affiliated entities involved in the evaluation process. All such parties are bound by confidentiality obligations.

Where permitted by applicable law, we may conduct reference checks, employment verification, qualification reviews, and background screening proportionate to the position. Background checks will only be conducted with the candidate's explicit prior consent.

Unsuccessful candidate information will be retained for one year from the closure of the relevant recruitment process, after which it will be securely deleted, unless the candidate consents to retention for future opportunities. Candidates may withdraw consent for such extended retention at any time.

13. CHILDREN'S PRIVACY

Our website and services are directed at business professionals and are not intended for individuals under the age of 18 years ("Children") or any higher age of digital consent applicable in their jurisdiction.

Yashuss does not knowingly collect personal data from Children without verifiable parental or guardian consent as required by Section 9 of the DPDPA, COPPA (United States), or equivalent applicable legislation. Where Children's data is processed with appropriate consent (e.g., in jurisdictions where services may be offered to minors), a separate Children's Data Processing Notice will be provided.

If we become aware that personal data has been collected from a Child without appropriate authorisation, we will promptly delete such data and notify the parent or guardian where contact information is available.

14. GRIEVANCE OFFICER / DATA PROTECTION OFFICER

In compliance with applicable law, Yashuss designates the following contact for privacy-related enquiries, requests, and complaints:

Grievance Officer (India — IT Act 2000 / DPDPA): Ami Sheth (Finance, Risk and Compliance - Chief Finance, Risk and Compliance Officer)

Email: [email protected]

Postal Address: Yashuss Unlimited Business Solutions Pvt. Ltd., 517, Palm Spring, New Link Rd, Mind Space, Malad West, Mumbai - 400064 , Maharashtra, India

Response Timeline: Complaints and requests will be acknowledged within 48 hours and resolved within 30 days of receipt.

For EU/UK GDPR purposes, Yashuss acts as a Data Controller in respect of the personal data it processes.

For Mauritius operations: The Data Protection Officer for Mauritius may be contacted at [email protected] in accordance with the Data Protection Act 2017 (Mauritius).

15. JURISDICTION-SPECIFIC RIGHTS AND PROVISIONS

15.1 India — Digital Personal Data Protection Act, 2023

Data Principals in India have rights under the DPDPA including access, correction, erasure, nomination, and grievance redressal as described in Section 11. Complaints may be escalated to the Data Protection Board of India (once constituted).

15.2 European Union / United Kingdom — GDPR

Data Subjects in the EU/EEA may lodge complaints with the relevant national Supervisory Authority. Data Subjects in the UK may contact the Information Commissioner's Office (ICO) at www.ico.org.uk.

15.3 California, United States — CCPA/CPRA

California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including:

• Right to Know — categories and specific pieces of personal information collected in the preceding 12 months
• Right to Delete — request deletion of personal information
• Right to Correct — request correction of inaccurate personal information
• Right to Opt-Out of Sale or Sharing — Yashuss does not sell or share personal information for cross-context behavioural advertising
• Right to Limit Use of Sensitive Personal Information
• Right to Non-Discrimination for exercising privacy rights

15.4 Mauritius — Data Protection Act 2017

For personal data processed in connection with Mauritius-domiciled operations, Yashuss complies with the Data Protection Act 2017 (Mauritius) as amended. Data Subjects in Mauritius may contact the Data Protection Commissioner at [email protected] for complaints and supervisory oversight.

15.5 Gulf Cooperation Council & African Jurisdictions

Where Yashuss processes personal data in GCC or African jurisdictions (including but not limited to UAE, Saudi Arabia, South Africa, Kenya, or Nigeria), applicable local data protection frameworks shall apply in addition to this Policy.

16. SUPERVISORY AUTHORITIES

Yashuss reserves the right to modify this Privacy Policy at any time to reflect changes in legal requirements, regulatory guidance, business practices, or service offerings. The revised Policy will be published on our website with an updated effective date.

For material changes that significantly affect the processing of personal data, Yashuss will provide at least 14 days' prior notice via email (where we hold a valid address) or prominent website notification, and will seek fresh consent where required.

Continued use of our website or services following the effective date of any revision constitutes acknowledgment of the updated Policy, to the extent permitted by applicable law.

18. CONTACT INFORMATION

For questions, requests, concerns, or complaints relating to this Privacy Policy or the processing of personal data, please contact:

Entity: Yashuss Unlimited Business Solutions Pvt. Ltd.

Trading as: The Solution Doctors™

Email: [email protected]

Website: www.yashussunlimited.com

Registered Office: 517, Palm Spring, New Link Rd, Mind Space, Malad West, Mumbai - 400064 , Maharashtra, India