Privacy Statement

Introduction

M2P Solutions Private Limited (“M2P,” “M2P Group,” “we,” “us”) and its affiliates (“M2P”) believe that the responsible use of Personal Data is critical to our business objectives and reputation. This Privacy Statement outlines the various ways we collect, use, share, and store your Personal Data. It specifically addresses Personal Data collected through our website, as well as certain aspects of the data we collect and store in connection with the services we provide to our partners. By using our website (“Site”), you agree to the practices described in this Privacy Statement. This Privacy Statement outlines how we process, use, and disclose the data you provide when using our Site.

By continuing to use the Site, you consent to the collection and use of your data in accordance with this Privacy Statement. We may update this Privacy Statement periodically, so please review it regularly. If we make material changes to the Privacy Statement, we will notify you by posting a notice on the Site.

Purpose of this Statement

This Statement sets out how M2P collects, uses, shares, and stores your data, both in respect of Personal Data collected through the website and any Personal Data collected from our partners while availing any products/services from M2P.

How we Collect and Use your Personal Data

Collection of Personal Data

We may collect your Personal Data when you interact with our website or engage with any of our partners who utilize our services. This data may be obtained directly from you or indirectly through various sources, such as our partners, service providers, affiliates, public authorities, public websites, and social media platforms. For instance, we may collect your data when you provide details via our contact page, sign up for our newsletter, or use our services.

Classification and Safeguarding of Personal Data

The data we collect is classified according to its level of sensitivity, following our internal data classification framework. Ultra-sensitive data is safeguarded with appropriate technical and security measures, and access is strictly limited to authorized personnel.

Data Controller/Fiduciary Responsibilities

As a Data Controller/Fiduciary, we collect and process Personal Data of employees, potential employees, website users, and the end-users of our partners. This processing is conducted in line with the contractual terms between M2P and our partners. If any additional Personal Data is collected that is not explicitly mentioned in this Privacy Statement, we will provide individuals with appropriate notice, wherever required by law, regarding the nature of the data collected and its intended use.

Sharing Third-Party Data

If you provide us with Personal Data belonging to another individual (e.g., a referral or potential employee), you are responsible for ensuring that the individual is informed about the details in this Privacy Statement and has provided their consent to share their Personal Data with M2P.

Lawful Basis for Processing your Personal Data

Consent

While acting in the capacity of a Data Controller/Fiduciary, M2P processes your Personal Data only with your explicit, informed, and freely given consent wherever required by law. For example, we seek your consent before sending you direct marketing communications.

When requesting consent, we will clearly explain the purpose of the processing and provide you with the ability to opt-in or withdraw consent at any time. If we identify a new purpose for processing your Personal Data, we will obtain fresh consent before initiating such processing, ensuring transparency and compliance with applicable laws.

As a Data Processor at the product level, M2P does not obtain consent from the Data Subject/Principal; the obligation of obtaining consent rests with M2P's partners, who are required to obtain such consent from the Data Subject/Principals in accordance with applicable data protection laws. The legal basis for processing your Personal Data will depend on the specific context in which your Personal Data is collected.

Legal Obligation

We may also process your Personal Data to comply with legal obligations, such as tax or financial reporting requirements, fraud prevention, and compliance with applicable laws.

Legitimate Interest

M2P Group is dedicated to safeguarding individuals’ privacy and ensures that Personal Data is collected and processed for specific, legitimate purposes. These purposes include complying with legal requirements, managing legal rights and proceedings, improving services, addressing customer service issues, managing employment processes, enhancing operational functions, and verifying customer authenticity. Any changes to data processing purposes will be communicated to individuals in advance. Users have the right to withdraw consent at any time by contacting M2P Group via privacy@m2pfintech.com.

Cross-Border Data Transfers

The transfer of Personal Data by the M2P Group ensures that the rights of the Data Subject/Principals with respect to their Personal Data are never undermined during the process of Personal Data transfer. We implement appropriate safeguards and incorporate Standard Contractual Clauses (SCCs) within the Data Processing Addendum, when transferring data to jurisdictions that lack an adequacy decision. M2P also implements adequate controls and technical safeguards ensuring the safety and security of data during transfer. In the absence of such safeguards, Personal Data may be transferred based on the following conditions:

1. Explicit consent from Data Subject/Principal after informing them of the risks involved.
2. Contractual performance between end-users and M2P’s partners.
3. Performance of a contract out of legal necessity with M2P.

M2P will update its practices as necessary and inform Data Subjects/Principals of significant changes, ensuring their consent in accordance with applicable laws.

Retention of Your Data

We retain your Personal Data only for as long as it’s necessary to fulfill the purposes for which it was collected, in accordance with our records management and Data Retention policies. Personal Data will be deleted or archived after a reasonable period, guided by the following criteria:

• We may retain your Personal Data for the duration of our ongoing relationship with you, such as when you hold an account with us.
• We may retain your Personal Data as long as you remain engaged with our partners, and we provide services to you pursuant to contractual obligations with those partners.
• We may retain your Personal Data to the extent necessary to comply with applicable legal, regulatory, and contractual requirements.
• We may retain your Personal Data if we believe it is necessary to prevent fraud or future abuse, or if required by law, such as during the pendency of any legal or regulatory proceedings, or upon receiving a legal or regulatory directive.

Upon the expiration of the applicable retention period, your Personal Data will be securely deleted or archived in compliance with legal retention requirements and statutory limitation periods.

Methods of Securing your Personal Data

M2P ensures that appropriate technical and organizational measures are adopted to protect your Personal Data against unauthorized or unlawful processing and against accidental loss or destruction of, or damage to, such Personal Data. We have invested significant resources to ensure the safekeeping and confidentiality of this data. When engaging vendors, we ensure that they adhere to the same standards as M2P.

Regardless of where Personal Data is transferred or stored, M2P implements comprehensive security measures such as encryption protocols, access controls, data masking, and regular security audits to protect Personal Data. We also have mechanisms in place to respond to security incidents, including recovery, mitigation, and notifying the appropriate regulator or data protection authority as promptly as reasonably possible. If there is any suspicion of misuse, loss, or unauthorized access to Personal Data, individuals should immediately notify M2P Group by contacting via e-mail at privacy@m2pfintech.com.

Your Rights as Data Subject/ Principal

M2P acknowledges and upholds the rights of Data Subjects/Principals concerning their Personal Data. Depending on the applicable jurisdiction, individuals may exercise a range of rights, including but not limited to the following:

Under the EU General Data Protection Regulation (GDPR), individuals are granted with the following rights:

1. Right to access: Data Subjects can view and request copies of their Personal Data.
2. Right to rectification: Data Subjects can request that inaccurate or outdated Personal Data be updated or corrected.
3. Right to erasure: Also known as the "right to be forgotten", Data Subjects can request that their Personal Data be deleted.
4. Right to restrict processing: Data Subjects can restrict how their Personal Data is processed.
5. Right to data portability: Data Subjects can have their Personal Data moved to another party.
6. Right to object: Data Subjects can object to how their Personal Data is processed.
7. Right to be informed: Data Subjects have the right to be informed about how their Personal Data is being processed.
8. Right not to be subject to automated processing: Data Subjects have the right not to be subject to a decision based solely on automated processing.

Under the Digital Personal Data Protection Act of India, individuals are granted with the following rights:

1. Right to access: Individuals have the right to access their Personal Data, how it's being processed, and who it's being shared with.
2. Right to correction and erasure: Individuals have the right to request that inaccurate or Personal Data be corrected or erased.
3. Right to grievance redressal: Individuals have the right to file a grievance and expect a response from the data fiduciary within a specified time.
4. Right to nominate: Individuals can nominate someone to exercise their rights if they become incapacitated or die.

As a Data Controller/Fiduciary, M2P Group directly processes Data Subject/Principal Requests submitted by the individuals themselves. Such requests can be made through our designated email address, privacy@m2pfintech.com. M2P ensures that all requests are handled in strict compliance with relevant data protection laws.

When acting as a Data Processor at the product level, M2P Group handles Data Subject/Principal Rights requests exclusively through its partners. These requests are reviewed and addressed promptly using a ticketing system established with the respective partners, ensuring compliance with applicable Data Protection Laws.

Depending on M2P’s role, requests may be submitted either directly to us or, if we act as a Data Processor, through our partners. We strive to respond to all requests within the regulatory timeframes, typically within one month, with possible extensions for particularly complex cases.

Third-Party

M2P as a Data Controller:

We may engage third-party service providers and vendors to enhance the functionality of our products and services. These third parties are authorized to access, process, and store Personal Data solely for the purposes specified by M2P.

M2P as a Data Processor:

We may also engage third-party service providers and vendors to improve the functionality of our products and services. These third parties are authorized to access, process, and store Personal Data only for the purposes specified either by M2P or by M2P's partners, in accordance with the contractual terms between M2P and its partners.

To ensure compliance with applicable data protection laws, M2P implements data protection measures, including the execution of Data Processing Agreements (DPAs) and regular audits. Before sharing Personal Data with external entities, M2P ensures that these third parties have appropriate data protection measures in place and that a Data Processing Agreement is signed, in accordance with relevant data protection regulations.

Third Party Websites

By accessing third party websites through our Site, you are consenting to the terms and privacy policies of those websites. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.

How We Use Cookies

When you visit our website (https://m2pfintech.com/), we collect cookies that may be placed on your computer, mobile device, or tablet. It could contain the following data (but not limited to):

• information about the browser;
• an identifier, in the form of a unique number;
• an expiration date (some cookies only).

Data Breach Reporting

In the event of a Personal Data Breach, M2P takes immediate action to protect your Personal Data. Employees who suspect a breach must promptly report it to the IPCM team at [ipcm@m2pfintech.com]. Upon notification, an investigation will be initiated by the IPCM team in collaboration with relevant stakeholders. M2P shall also notify relevant authorities and affected individuals in accordance with applicable laws within stipulated timeframes.

Collection of Personal Data of Children

M2P is committed to protecting the privacy and safety of children. In certain circumstances, M2P may process the Personal Data of children for associated services or to provide insurance benefits under our employee family initiatives. However, we take utmost care to comply with applicable data protection laws and regulations regarding the processing of children's Personal Data. When processing such data, we obtain appropriate consent from parents or legal guardians via consent forms as per the relevant legal requirements.

We ensure that the collection, use, and disclosure of children's Personal Data is limited to what is necessary for the intended purposes and is done securely. Additionally, M2P does not use children’s Personal Data for targeted advertising or any other activities that could compromise their privacy. If you believe that we may have inadvertently collected Personal Data from a child without proper consent or have any concerns regarding processing children's data, please contact us at privacy@m2pfintech.com, and we will promptly address the issue.

How to Contact Us

If you have any comments, questions or concerns about any of the data in this Privacy Statement, or any other issues relating to the processing of your Personal Data carried out by us, or on our behalf, please contact us by email at privacy@m2pfintech.com.

Changes to this Privacy Statement

We reserve the right to update or modify this Privacy Statement at any time. In the event of any changes, we will post the updated notice prominently on this site and in other relevant locations to ensure you are always informed about the data we collect, how we use it, and the circumstances under which we may disclose it. If the changes are material, we will notify you via a notice on this site. We will continue to use your data in accordance with the Privacy Notice under which it was collected, while periodically reviewing our operations and business practices to ensure compliance with corporate policies and procedures regarding data confidentiality.