Formative Concepts

PRIVACY POLICY

1. INTRODUCTION AND SCOPE

This Privacy Policy describes how Formative Concepts Private Limited ("Company," "we," "us," or "our"), a company incorporated under the Companies Act, 2013 with Corporate Identification Number [CIN], processes your personal information when you use our services, website, or interact with us.

Our Commitment: We are committed to protecting your privacy and ensuring transparency in how we collect, use, and protect your personal information.

Legal Framework: This Privacy Policy complies with:

  • India's Digital Personal Data Protection Act (DPDP Act), 2023
  • Information Technology Act, 2000 and IT Rules, 2011
  • General Data Protection Regulation (GDPR) for EU residents
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Other applicable international data protection laws

Applicability: This policy applies to all personal information processed by us, whether collected online, offline, or through third parties.

2. DEFINITIONS AND INTERPRETATIONS

Company/Data Fiduciary: Formative Concepts Private Limited, T.C.84/236/2, Eenchaykkal, Chakka.P.O Trivandrum 695008, Kerala, India

Data Principal/Data Subject/You: Any individual whose personal information we process

Personal Information/Personal Data: Any information that relates to an identified or identifiable natural person, including but not limited to:

  • Direct identifiers (name, email, phone)
  • Online identifiers (IP address, device ID)
  • Biometric data, financial data, health data
  • Inferences about preferences, characteristics, or behavior

Sensitive Personal Information: Special categories of personal data including:

  • Financial information (passwords, financial account numbers)
  • Health data and medical records
  • Biometric information
  • Genetic data
  • Information about sexual orientation
  • Religious or political beliefs

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, deletion

Service: Our website (https://www.formativeconcepts.com) and all related services

Cross-border Transfer: Transfer of personal data outside India

3. DATA CONTROLLER AND CONTACT INFORMATION

Primary Data Controller: Formative Concepts Private Limited
T.C.84/236/2, Eenchaykkal, Chakka.P.O
Trivandrum 695008, Kerala, India
Email: connect@formativeconcepts.com

Data Protection Officer (DPO): Name: [Insert DPO Name]
Email: connect@formativeconcepts.com

EU Representative (for GDPR compliance): [If processing EU data, insert EU representative details]

Grievance Officer (as per Indian law): Name: [Insert Grievance Officer Name]
Email: connect@formativeconcepts.com
Address: Same as Company address above

4. PERSONAL INFORMATION WE COLLECT

4.1 Information You Provide Directly

  • Account Information: Name, email address, phone number, password
  • Profile Information: Professional details, company information, job title
  • Contact Information: Address, postal code, city, state, country
  • Payment Information: Billing address, payment method details (processed by third-party payment processors)
  • Communications: Messages, feedback, support requests, survey responses
  • Marketing Preferences: Communication preferences, interests

4.2 Information Collected Automatically

  • Device Information: IP address, device type, operating system, browser type and version
  • Usage Data: Pages visited, time spent, click-through rates, referral URLs
  • Location Data: General geographic location based on IP address
  • Cookies and Tracking: As detailed in Section 8

4.3 Information from Third Parties

  • Business Partners: Information received from authorized business partners
  • Public Sources: Publicly available information for business purposes
  • Social Media: Information from social media platforms (with your consent)
  • Service Providers: Information from vendors and service providers

4.4 Sensitive Personal Information

We may collect sensitive personal information only with explicit consent and for specific purposes:

  • Financial account information for payment processing
  • Health information (if relevant to our services)
  • Background check information (for employment purposes)

5. PURPOSES AND LEGAL BASIS FOR PROCESSING

5.1 Primary Purposes

We process your personal information for the following purposes:

Service Delivery:

  • Providing and maintaining our services
  • Processing transactions and payments
  • Customer support and assistance
  • Service personalization and improvement

Business Operations:

  • Account management and administration
  • Internal research and analytics
  • Quality assurance and training
  • Risk management and fraud prevention

Legal Compliance:

  • Compliance with applicable laws and regulations
  • Responding to legal requests and court orders
  • Protecting our legal rights and interests

Marketing and Communications:

  • Sending service updates and notifications
  • Marketing our products and services (with consent)
  • Newsletter and promotional communications
  • Event invitations and industry updates

5.2 Legal Basis (GDPR Compliance)

  • Consent: For marketing communications, cookies, and sensitive data processing
  • Contract Performance: For providing services and processing payments
  • Legitimate Interests: For business operations, security, and improvements
  • Legal Obligation: For compliance with applicable laws
  • Vital Interests: For protecting health and safety
  • Public Task: When performing tasks in the public interest

5.3 Lawful Processing (Indian Law)

Processing is based on:

  • Explicit consent of the data principal
  • Performance of contract with the data principal
  • Compliance with legal obligations
  • Protection of vital interests
  • Performance of public tasks
  • Legitimate interests (where applicable)

6. INFORMATION SHARING AND DISCLOSURE

6.1 Service Providers and Processors

We share personal information with:

  • Technology Providers: Cloud hosting, software services, analytics platforms
  • Payment Processors: For secure payment processing
  • Communication Services: Email, SMS, and communication platforms
  • Professional Services: Legal, accounting, consulting services
  • Security Providers: For fraud prevention and security monitoring

6.2 Business Transfers

Personal information may be transferred in connection with:

  • Mergers, acquisitions, or asset sales
  • Bankruptcy or restructuring proceedings
  • Joint ventures or partnerships
  • Corporate reorganizations

6.3 Legal and Regulatory Disclosures

We may disclose personal information to:

  • Government authorities and regulatory bodies
  • Law enforcement agencies
  • Courts and legal tribunals
  • Tax authorities and auditors
  • Other parties as required by law

6.4 Other Disclosures

With your explicit consent, we may share information with:

  • Business partners for joint marketing
  • Third parties for research purposes
  • Other users (for public features)

6.5 Data Sharing Restrictions

We do not:

  • Sell personal information for monetary consideration
  • Share sensitive personal information without explicit consent
  • Disclose more information than necessary for the stated purpose

7. CROSS-BORDER DATA TRANSFERS

7.1 Transfer Mechanisms

When transferring personal data outside India or the EU, we ensure adequate protection through:

For Transfers from India:

  • Adequacy decisions by the Indian government
  • Standard contractual clauses approved by authorities
  • Binding corporate rules
  • Explicit consent (where applicable)

For Transfers from EU (GDPR):

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Certification mechanisms
  • Codes of conduct

For Transfers from California (CCPA):

  • CCPA does not have specific cross-border transfer restrictions, but we maintain equivalent protection standards

7.2 Countries of Transfer

Personal data may be transferred to:

  • United States (cloud services, analytics)
  • European Union (business operations)
  • Other countries as specified in our vendor agreements

7.3 Safeguards

All cross-border transfers include:

  • Contractual data protection clauses
  • Technical and organizational security measures
  • Regular compliance audits
  • Data subject rights provisions

8. COOKIES AND TRACKING TECHNOLOGIES

8.1 Types of Cookies Used

Strictly Necessary Cookies:

  • Authentication and session management
  • Security and fraud prevention
  • Load balancing and website functionality
  • Legal Basis: Legitimate interest (essential functionality)

Functional Cookies:

  • Language and regional preferences
  • User interface customization
  • Remember login status
  • Legal Basis: Consent (optional features)

Analytics and Performance Cookies:

  • Website usage statistics
  • Performance monitoring
  • User behavior analysis
  • Error tracking and debugging
  • Legal Basis: Consent (with opt-out options)

Marketing and Advertising Cookies:

  • Personalized advertising
  • Campaign effectiveness measurement
  • Social media integration
  • Cross-site tracking
  • Legal Basis: Explicit consent (required)

8.2 Third-Party Cookies

  • Google Analytics: Website analytics and reporting
  • Social Media Plugins: Facebook, LinkedIn, Twitter integration
  • Advertising Networks: For targeted advertising (with consent)
  • Customer Support Tools: Live chat and helpdesk integration

8.3 Cookie Consent and Management

  • Cookie consent banner with granular choices
  • Cookie preference center
  • Easy opt-out mechanisms
  • Regular consent renewal
  • Clear cookie policy explanation

8.4 Do Not Track

We honor Do Not Track (DNT) signals where technically feasible and legally required.

9. DATA RETENTION

9.1 Retention Periods

  • Account Information: Duration of account plus 7 years for legal compliance
  • Payment Records: 7 years from last transaction (tax and audit requirements)
  • Marketing Data: Until consent is withdrawn or 3 years of inactivity
  • Usage Analytics: 26 months (Google Analytics default)
  • Legal Records: As required by applicable law or statute of limitations
  • Employee Data: As per employment law requirements

9.2 Retention Criteria

Retention periods are based on:

  • Legal and regulatory requirements
  • Business operational needs
  • Data subject rights and requests
  • Storage costs and technical limitations
  • Risk management considerations

9.3 Secure Deletion

After retention periods expire:

  • Secure deletion using industry-standard methods
  • Backup data is also securely deleted
  • Physical destruction of hardware when required
  • Certificates of destruction maintained

10. DATA SECURITY MEASURES

10.1 Technical Safeguards

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Multi-factor authentication, role-based access
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Backup Systems: Regular automated backups with encryption
  • Monitoring: 24/7 security monitoring and incident response

10.2 Organizational Measures

  • Privacy by Design: Privacy considerations in all system designs
  • Staff Training: Regular privacy and security training for all employees
  • Vendor Management: Due diligence and contractual protections for third parties
  • Incident Response: Comprehensive data breach response procedures
  • Regular Audits: Internal and external security assessments

10.3 Compliance Certifications

  • ISO 27001 Information Security Management (pursuing/maintaining)
  • SOC 2 Type II compliance
  • GDPR compliance certification
  • Regular penetration testing and vulnerability assessments

10.4 Data Breach Notification

In case of a data breach:

  • Internal Response: Immediate containment and investigation
  • Regulatory Notification: Within 72 hours to relevant authorities (GDPR) or as required by applicable law
  • Individual Notification: Without undue delay if high risk to rights and freedoms
  • Documentation: Comprehensive breach register maintained

11. YOUR RIGHTS AND CHOICES

11.1 Universal Rights (Available to All Data Subjects)

Right to Information:

  • Know what personal information we collect and process
  • Understand purposes and legal basis for processing
  • Information about data sharing and retention

Right to Access:

  • Request copies of your personal information
  • Information about processing activities
  • Details of third parties with whom data is shared

Right to Correction:

  • Correct inaccurate or incomplete personal information
  • Update your account information directly
  • Request verification of corrections made

Right to Deletion/Erasure:

  • Request deletion of personal information
  • Right to be forgotten (subject to legal exceptions)
  • Automatic deletion after retention periods

Right to Data Portability:

  • Receive personal information in structured, machine-readable format
  • Transfer data to another service provider
  • Request direct transfer where technically feasible

Right to Object:

  • Object to processing for direct marketing (absolute right)
  • Object to processing based on legitimate interests
  • Opt out of automated decision-making

11.2 GDPR-Specific Rights (EU Residents)

  • Right to Restrict Processing: Limit how we use your data
  • Right not to be Subject to Automated Decision-Making: Including profiling
  • Right to Lodge a Complaint: With supervisory authorities
  • Right to Withdraw Consent: Where processing is based on consent

11.3 CCPA/CPRA Rights (California Residents)

  • Right to Know: Categories and specific pieces of personal information
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Sale or sharing of personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices
  • Right to Correct: Inaccurate personal information
  • Right to Limit: Sensitive personal information use

11.4 Indian Law Rights (DPDP Act 2023)

  • Right to Access: Confirmation of processing and copy of personal data
  • Right to Correction: Correction of inaccurate personal data
  • Right to Erasure: Deletion of personal data (with exceptions)
  • Right to Grievance Redressal: File complaints with our grievance officer
  • Right to Data Protection Board: Appeal to Data Protection Board of India

11.5 Exercising Your Rights

How to Submit Requests:

  • Online: Through your account settings or our privacy portal
  • Email: Send requests to connect@formativeconcepts.com
  • Mail: Write to our Data Protection Officer at the address above
  • Phone: Call our privacy helpline at [Insert Phone Number]

What We Need to Process Requests:

  • Identity verification (government-issued ID or account authentication)
  • Specific details about your request
  • Preferred method of response

Response Timeline:

  • Initial acknowledgment: Within 3 business days
  • Complete response: Within 30 days (may extend to 90 days for complex requests)
  • Free of charge for reasonable requests
  • May charge fees for excessive or repetitive requests

12. AUTOMATED DECISION-MAKING AND PROFILING

12.1 Automated Processing

We use automated processing for:

  • Fraud Detection: Automated systems to detect suspicious activities
  • Content Personalization: Algorithm-based service recommendations
  • Customer Support: Automated routing and response systems
  • Marketing: Targeted advertising and campaign optimization

12.2 Profiling Activities

  • Service Improvement: Understanding user preferences and behavior
  • Risk Assessment: Evaluating security and fraud risks
  • Business Analytics: Analyzing trends and performance metrics

12.3 Your Rights Regarding Automated Decisions

  • Right to human intervention in automated decisions
  • Right to contest automated decisions
  • Right to obtain an explanation of automated decisions
  • Right to opt out of automated decision-making

12.4 Safeguards

  • Regular testing for bias and discrimination
  • Human oversight of automated systems
  • Clear criteria for automated decisions
  • Appeal processes for contested decisions

13. CHILDREN'S PRIVACY

13.1 Age Restrictions

  • Our services are not intended for individuals under 18 years
  • We do not knowingly collect personal information from minors
  • Parental consent required for processing children's data (where applicable)

13.2 Parental Rights

If we become aware that we have collected personal information from a child:

  • We will delete the information promptly
  • We will notify parents/guardians when legally required
  • Parents can request access, deletion, or correction of their child's data

13.3 Educational Services

If we provide services to educational institutions:

  • Compliance with applicable educational privacy laws
  • Special protections for student data
  • Limited use of educational records

14. INTERNATIONAL CONSIDERATIONS

14.1 Multi-Jurisdictional Compliance

This Privacy Policy is designed to comply with multiple data protection frameworks simultaneously, including but not limited to Indian, European, and California privacy laws.

14.2 Conflict of Laws

In case of conflicts between different legal requirements:

  • We apply the most protective standard for the individual
  • We comply with the law of the individual's residence/location
  • We seek legal guidance for complex jurisdictional issues

14.3 Local Representatives

We maintain local representatives in key jurisdictions as required by law:

  • EU Representative for GDPR compliance
  • UK Representative for UK GDPR compliance
  • Other representatives as required

15. THIRD-PARTY LINKS AND SERVICES

15.1 Third-Party Websites

Our service may contain links to third-party websites that are not operated by us:

  • We are not responsible for third-party privacy practices
  • We encourage you to review third-party privacy policies
  • Third-party terms and conditions apply to their services

15.2 Social Media Integration

When you interact with our social media plugins:

  • Social media companies may collect information about you
  • Your interactions may be governed by their privacy policies
  • You can control social media data sharing through their settings

15.3 Third-Party Services We Use

We integrate with various third-party services:

  • Payment Processors: [List major payment partners]
  • Analytics Providers: Google Analytics, [others]
  • Cloud Services: [List major cloud providers]
  • Communication Tools: [List email/SMS providers]

16. BUSINESS TRANSACTIONS

16.1 Mergers and Acquisitions

If we are involved in a merger, acquisition, or asset sale:

  • Personal information may be transferred to the new entity
  • You will be notified before your personal information is transferred
  • The new entity must honor this Privacy Policy
  • You may have additional rights under applicable law

16.2 Bankruptcy or Insolvency

In case of bankruptcy or insolvency:

  • Personal information is considered a business asset
  • Transfer must comply with applicable data protection laws
  • Court approval may be required for transfers
  • Individuals will be notified of any transfers

17. UPDATES TO THIS PRIVACY POLICY

17.1 Policy Updates

We may update this Privacy Policy to:

  • Reflect changes in our data processing practices
  • Comply with new legal requirements
  • Improve clarity and transparency
  • Add new features or services

17.2 Notification of Changes

Material Changes:

  • Email notification to registered users
  • Prominent notice on our website
  • 30 days' advance notice before changes take effect
  • Option to withdraw consent for new uses

Non-Material Changes:

  • Updated "Last Updated" date
  • Notice on website or in service
  • No additional consent required

17.3 Consent to Changes

  • Continued use of services constitutes acceptance of minor changes
  • Explicit consent required for material changes
  • Right to object or withdraw consent for new processing purposes

18. CONTACT INFORMATION AND COMPLAINTS

18.1 Privacy-Related Inquiries

Data Protection Officer:

  • Email: connect@formativeconcepts.com
  • Phone: [Insert DPO Phone Number]
  • Address: Same as company address

General Privacy Questions:

  • Email: connect@formativeconcepts.com

18.2 Complaints and Grievances

Internal Grievance Officer:

  • Name: Bhavesh Barot
  • Email: connect@formativeconcepts.com
  • Response Time: 30 days from receipt of complaint

18.3 Regulatory Complaints

India:

  • Data Protection Board of India (once established)
  • Cyber Crime Cell
  • Consumer Courts

European Union:

  • Local Data Protection Authority in your country
  • European Data Protection Board (EDPB)

United States (California):

  • California Attorney General
  • California Privacy Protection Agency

Other Jurisdictions:

  • Contact the relevant data protection authority in your country

18.4 Complaint Process

  1. Internal Resolution: Contact our grievance officer first
  2. Documentation: Provide details of your concern and desired resolution
  3. Investigation: We will investigate and respond within 30 days
  4. External Appeal: If unsatisfied, you may contact regulatory authorities
  5. Legal Remedies: You retain all legal rights and remedies

19. SPECIFIC JURISDICTIONAL PROVISIONS

19.1 India-Specific Provisions

  • Compliance with Digital Personal Data Protection Act, 2023
  • Grievance officer appointed as required by Indian law
  • Data localization requirements (where applicable)
  • Consent manager integration (if required)

19.2 EU-Specific Provisions (GDPR)

  • Legal basis clearly identified for all processing
  • Data Protection Impact Assessments conducted where required
  • EU representative appointed for cross-border transfers
  • Supervisory authority cooperation

19.3 California-Specific Provisions (CCPA/CPRA)

  • Consumer request metrics published annually
  • Non-discrimination policy clearly stated
  • Sensitive personal information handling specified
  • Third-party sale/sharing disclosures

20. DEFINITIONS APPENDIX

Adequacy Decision: A decision by a regulatory authority that a third country ensures adequate data protection

Binding Corporate Rules: Internal rules adopted by multinational companies for international data transfers

Consent: Freely given, specific, informed, and unambiguous indication of data subject's agreement

Data Breach: Security incident resulting in accidental or unlawful destruction, loss, alteration, or unauthorized disclosure

Data Minimization: Principle that personal data should be adequate, relevant, and limited to what is necessary

Data Protection Impact Assessment: Process to identify and minimize data protection risks of processing operations

Legitimate Interest: Legal basis for processing that balances company interests against individual rights

Pseudonymization: Processing personal data so it can no longer be attributed to a specific person without additional information

Supervisory Authority: Independent public authority responsible for monitoring GDPR compliance

ACKNOWLEDGMENT

By using our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, please do not use our services.

This Privacy Policy is effective as of the date specified above and will remain in effect until updated or replaced.

Document Version: 1.0
Legal Review Date: September 03, 2025
Next Scheduled Review: March 03, 2026
Document Classification: Public
Approved By: Board of Directors

Copyright © 2026 Formative Concepts. All rights reserved.
