PRIVACY POLICY (GLOBAL – DPDP / GDPR / APAC / MENA ALIGNED)

OPSOLUTE — SRE360 TECHNOLOGIES PRIVATE LIMITED

Last updated: 2nd January 2026

1. INTRODUCTION

This Privacy Policy ("Policy") explains how SRE360 TECHNOLOGIES PRIVATE LIMITED ("Company", "We", "Us", "Our") collects, uses, processes, stores, transfers, and protects Personal Data when individuals and authorised users ("Users", "You", "Your") access or use the Opsolute FinOps Platform and related services ("Platform", "Services").

This Policy is designed to be compliant with, and interpreted in alignment with, applicable data protection principles under (as applicable):

  • Digital Personal Data Protection Act, 2023 (India)
  • EU GDPR-equivalent requirements (for customers in GDPR-aligned regions)
  • UAE Federal Decree-Law No. 45 of 2021 (PDPL)
  • Saudi Personal Data Protection Law (PDPL)
  • Singapore PDPA, Malaysia PDPA, Australia Privacy Act and other APAC/MENA data protection regimes, to the extent applicable to the particular processing.

By accessing or using the Platform, You acknowledge that You have read and understood this Policy and agree to the practices described herein, to the extent permitted by applicable law.

2. ROLES & RESPONSIBILITIES

2.1 Company as Data Controller/Fiduciary (Account & Service Data)

For Personal Data relating to User accounts, contact details, billing, support communications and Platform telemetry, the Company acts as a Data Controller / Data Fiduciary, determining the purposes and means of processing.

2.2 Company as Data Processor (Client Cloud / Billing Data)

For Personal Data contained within Customer's cloud billing data and cloud utilisation data ("Client Data"), the Company generally acts as a Data Processor / Data Intermediary, processing such data on documented instructions of the Customer, who is the Data Controller / Data Fiduciary for such Client Data. Such processing is governed by the Data Processing Addendum (DPA) in addition to this Policy.

2.3 Sub-Processors

The Company may engage carefully selected third parties (e.g., cloud infrastructure providers, email delivery providers, logging/monitoring providers) as Sub-Processors, subject to appropriate contractual safeguards.

3. DEFINITIONS

For the purposes of this Policy:

  • "Personal Data" means any information relating to an identified or identifiable natural person, including as defined under applicable data protection laws.
  • "Sensitive Personal Data" includes, where applicable, data such as financial details, authentication credentials, security logs and other data that may be classified as sensitive under relevant laws.
  • "Client Data" means enterprise billing data, cloud cost metadata, utilisation logs, tags, identifiers, and related information ingested from Your cloud accounts through secure integrations.
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, transmission, analysis, use, disclosure, and deletion.
  • "Data Controller / Data Fiduciary" means the entity that determines the purposes and means of Processing Personal Data.
  • "Data Processor / Data Intermediary" means the entity that processes Personal Data on behalf of the Controller.

4. CATEGORIES OF DATA WE COLLECT

4.1 Personal Data Provided Directly by You

When You sign up for, access, or use the Platform, We may collect:

  • Name, email address, phone number
  • Company name, role, job title
  • Usernames and login identifiers
  • Billing and invoicing information, payment reference details (processed via third-party gateways – We do not store full card details)
  • Communication and support correspondence, feedback and ticket history

4.2 Automatically Collected Technical & Usage Data

When You interact with the Platform, We may automatically collect:

  • Device details, operating system and browser type
  • IP address, approximate location (based on IP), time zone
  • Access timestamps, session duration and activity logs
  • API usage logs and integration performance metrics
  • Session behaviour (e.g., pages visited, clicks, error logs)
  • Integration tokens and keys (stored in secure, encrypted vaults – never in plaintext)

4.3 Cloud Billing & Utilisation Data (Client Data)

Upon Your authorisation, We ingest and process Client Data from Your cloud providers (e.g. AWS, Azure, GCP), including:

  • Billing and cost & usage reports (e.g., CUR/CSV files)
  • Resource identifiers, utilisation metrics, tags and labels
  • Cloud account, project, subscription or organisation identifiers
  • Anomaly and alert logs related to spend or utilisation
  • Historical optimisation recommendations and actions

We do not collect or require Your cloud account passwords. Access credentials (e.g., API keys, access keys, role-based access) are stored and managed using industry-grade, encrypted key vault mechanisms.

4.4 Data We Do Not Intend to Collect

The Platform is not designed to process special categories of personal data such as health data, biometric identifiers, religious beliefs, or data of children. Customers should avoid uploading such data into the Platform unless expressly agreed in writing.

5. PURPOSES OF PROCESSING

We process Personal Data strictly for lawful and legitimate purposes, including:

5.1 Platform Operation & Service Delivery

  • Creating and managing User accounts
  • Authenticating Users and controlling access
  • Providing dashboards, analytics, optimisation recommendations, budgeting and forecasting
  • Enabling integrations with Cloud Providers and DevOps tools
  • Detecting anomalies, generating alerts and insights
  • Logging and monitoring for reliability, debugging and support

5.2 Security, Fraud Prevention & Compliance

  • Maintaining security logs, incident logs and audit trails
  • Detecting and preventing unauthorised access, abuse, or attacks
  • Complying with legal and regulatory obligations, responding to lawful requests, and enforcing Our rights

5.3 Product Improvement & Analytics

  • Analysing Platform usage patterns to improve features, performance and usability
  • Creating anonymised and aggregated statistics for benchmarking and model training
  • Improving AI/ML models for anomaly detection, cost optimisation and forecasting (Anonymised data does not identify You or any Data Subject.)

5.4 Communication & Support

  • Sending service-related communications, such as security notices, maintenance updates and important announcements
  • Responding to support queries, troubleshooting and customer success activities
  • Informing You of relevant product enhancements or optional features (with opt-out wherever required by law)

We do not sell Personal Data to advertisers or data brokers.

6. LEGAL BASIS FOR PROCESSING

We rely on different legal bases depending on the jurisdiction and the nature of processing:

6.1 Under DPDP Act (India)

Processing may be based on:

  • Consent of the Data Principal (e.g., when You sign up and accept this Policy);
  • Legal obligations (e.g., responding to statutory or regulatory requests);
  • Legitimate uses or reasonable purposes, as recognised under DPDP and applicable rules, such as security of the Platform, prevention of fraud, and network integrity.

6.2 Under GDPR-Aligned Principles

Where GDPR-like rules apply, processing may be justified by:

  • Contractual necessity – to provide the Services You contract for;
  • Legitimate interests – to maintain and secure the Platform, prevent abuse, improve Our services (balanced against Your rights and expectations);
  • Consent – where explicitly required (e.g., certain marketing communications, specific optional features);
  • Compliance with legal obligations – where We must retain or disclose information under law.

7. DATA SHARING & DISCLOSURE

We share Personal Data only where necessary and under appropriate safeguards:

7.1 Sub-Processors & Service Providers

We may share limited Personal Data with trusted third parties who assist Us in operating the Platform and providing Services, such as:

  • Cloud hosting and infrastructure providers (e.g., AWS, Azure, GCP)
  • Email and notification service providers
  • Logging, monitoring, analytics, and security tooling providers
  • Payment processors and invoicing systems
  • Professional advisers (e.g., legal, audit, security consultants)

Such third parties act under contractual obligations to process data only on Our instructions and to maintain appropriate security.

7.2 Corporate Transactions

In the event of a merger, acquisition, restructuring, or sale of all or part of Our business or assets, Personal Data may be transferred to the relevant acquiring or successor entity, subject to continuity of protections consistent with this Policy.

7.3 Legal & Regulatory Disclosures

We may disclose Personal Data where required by applicable law, regulation, court order, governmental request, or for the establishment, exercise, or defence of legal claims.

7.4 No Unauthorised Third-Party Marketing Use

We do not share Personal Data with third parties for their independent marketing or advertising purposes.

8. CROSS-BORDER DATA TRANSFERS

Your data may be processed or stored in one or more of the following locations:

  • India
  • United Arab Emirates (UAE)
  • Singapore
  • European Union regions (for resilience, redundancy or Sub-Processor operations)

Where cross-border transfers occur, We implement appropriate safeguards consistent with applicable law, which may include:

  • Standard Contractual Clauses (SCCs) or equivalent EU-model clauses
  • Adequacy decisions
  • Contractual protections and data transfer agreements
  • Compliance with PDPL / PDPA transfer conditions and local regulatory guidance

9. DATA SECURITY

We implement technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, disclosure, or unauthorised access, including:

  • AES-256 encryption of data at rest, where applicable
  • TLS 1.3 (or equivalent) encryption for data in transit
  • Role-based access control (RBAC), IAM policies and least-privilege access
  • Secure credential vaulting and token-based management of keys/secrets
  • Multi-factor authentication for privileged access
  • Network segmentation, firewalls, and zero-trust aligned architecture
  • Continuous monitoring, logging and anomaly detection
  • Regular vulnerability scanning and periodic penetration testing
  • Employee confidentiality obligations and security awareness training

No security measure is absolute, but We strive to maintain a security posture aligned with SOC 2 / ISO 27001-style controls and best practices.

10. DATA RETENTION

We retain Personal Data only for as long as necessary for the purposes outlined in this Policy or as required by law:

  • Account & Profile Data – retained for the duration of the Customer's subscription and up to 30 days following termination or closure of the account, unless a longer period is required by law or for legitimate business/legal purposes.
  • Client Data (Cloud Billing & Utilisation) – retained for the subscription term and up to 30 days post-termination for export or handover, after which it is deleted or anonymised in accordance with Our DPA and internal policies.
  • Audit & Security Logs – retained typically for 90–365 days (or such other period as required for security, compliance, or dispute resolution).
  • Backups – retained as per secure backup rotation and disaster recovery policies, with automatic expiry and deletion.

Once retention periods expire, We delete or irreversibly anonymise data in a secure manner, unless applicable law requires longer retention.

11. USER RIGHTS

Depending on Your jurisdiction and applicable laws, You may have one or more of the following rights with respect to Your Personal Data:

  • Right of access – to know whether We process Your Personal Data and to obtain a copy.
  • Right to correction/rectification – to correct inaccurate or incomplete Personal Data.
  • Right to erasure (right to be forgotten) – to request deletion of certain Personal Data, subject to legal and contractual limitations.
  • Right to withdraw consent – where processing is based on consent, You may withdraw such consent at any time (without affecting prior processing).
  • Right to restriction of processing – to request temporary suspension of certain processing activities.
  • Right to data portability – where applicable, to receive Personal Data in a structured, commonly used, machine-readable format and/or request transfer to another controller.
  • Right to object – to processing based on legitimate interests or for direct marketing (where relevant).

We will respond to valid requests within 30 days, extendable once where law permits, especially for complex or high-volume requests. To exercise these rights, please contact Us using the details in Section 14 below. We may need to verify Your identity before acting on any request. Certain rights may be limited under local law (for example, where fulfilling the request would adversely affect the rights of others or Our legal obligations).

12. CHILDREN'S PRIVACY

The Platform is designed for business and professional use and is not intended for children or minors. We do not knowingly collect Personal Data from individuals under the age of 18. If You believe that a minor has provided Personal Data to Us, please contact Us so that We can take appropriate steps to delete such data.

13. THIRD-PARTY SERVICES & LINKS

The Platform may integrate with or contain links to third-party websites, tools, or services (for example, Cloud Provider consoles, third-party dashboards, collaboration tools). We are not responsible for the privacy practices, content, or security of such third parties. We encourage You to review the privacy policies of all third-party services You access or integrate with the Platform.

14. CONTACT, DPO & GRIEVANCE REDRESSAL

If You have any questions, concerns, or requests regarding this Policy or Our data protection practices, You may contact:

Data Protection Officer / Grievance Officer
SRE360 TECHNOLOGIES PRIVATE LIMITED
No. 208-C, 1st Main, 2nd Block, 1st Stage,
HBR Layout, Kalyan Nagar, Bengaluru – 560043, India
Email: privacy@opsolute.ai

Where applicable law provides, You also have the right to lodge a complaint with the competent data protection authority or regulator in Your jurisdiction. We encourage You to contact Us first so that We can attempt to resolve any concern amicably.

15. GOVERNING LAW & DISPUTE RESOLUTION

To the extent this Policy forms part of Your contractual relationship with Us (through the MSA, EULA or other binding agreement):

  • This Policy shall be governed by the laws of India; and
  • Any disputes arising out of or relating to this Policy shall be handled in accordance with the dispute resolution and arbitration provisions set out in the applicable Master Service Agreement / End User License Agreement between You and the Company (including exclusive jurisdiction of courts at Bengaluru, Karnataka, for interim relief).

16. CHANGES TO THIS POLICY

We may update or amend this Policy from time to time to reflect changes in law, technology, or Our practices. When We make material changes, We will:

  • Update the "Effective Date" at the top of this Policy; and
  • Where required by law, provide prominent notice or seek Your renewed consent.

Your continued use of the Platform after the updated Policy becomes effective shall constitute Your acceptance of the revised Policy, to the extent permitted by applicable law.

This Policy should be read together with the Master Service Agreement, End User License Agreement, and Data Processing Addendum, which collectively govern Your legal relationship with SRE360 Technologies Private Limited in respect of the Opsolute Platform.

© 2025 Opsolute. All rights reserved.