Platform Privacy Policy

1. Introduction

This Privacy Policy explains how OptCulture i.e. OptCulture Private Limited (“Company”, “we”, “our”, or “us”) processes personal data in connection with the provision of our software platform, services, and related technologies (collectively, the “Services”).Our Services enable businesses to manage customer engagement, loyalty programs, marketing campaigns, analytics, and related digital interactions, i.e. suite of customer loyalty, data management and engagement management software as a service.This Privacy Policy describes:

• The types of personal data that may be processed through our Services
• How such data is used and protected
• Our role in the processing of personal data
• The safeguards implemented to ensure compliance with applicable data protection laws

Scope of this Privacy PolicyThis Privacy Policy applies to individuals whose personal data is processed through our Services, including customers and users of our clients, website visitors, business contacts, and other individuals interacting with our platform.This Privacy Policy also describes how personal data may be processed when clients use our platform and services to manage customer engagement, loyalty programs, marketing campaigns, analytics, and related interactions on their behalf.

2. Our Role in Data Processing

Depending on the context, OptCulture may act as either:Data Processor / Service Provider / Sub ProcessorIn most cases, we act as a Data Processor (or Service Provider) processing personal data on behalf of our clients.Our clients determine:

• The purposes of processing
• The types of data collected
• The retention period
• The lawful basis for processing

In such cases:

• Our client is the Data Controller
• We process personal data only in accordance with their instructions and to the extent required to provide the services as per contractually agreed terms

Independent ControllerIn limited circumstances, we may act as a Data Controller, such as when processing personal data related to:

• Our website visitors
• Business contacts
• Prospective customers
• Vendor relationships

3. Categories of Personal Data Processed

Depending on how our clients configure the Services, the following categories of personal data may be processed including but not limited to the following:Identity and Contact Information

• Name
• Email address
• Phone number
• Customer ID or loyalty ID
• Other personal information collected using zero party, first party or second party data collection methods
• Collected by any other methods

Transactional Information

• Purchase history
• Payment-related data (limited to transactional metadata)
• Order details
• Loyalty points and rewards

Customer Engagement Data

• Campaign interactions
• Email open rates
• Engagement via channels like Email, SMS, RCS, WhatsApp and Push Notifications
• Marketing preferences

Behavioral and Usage Data

• Website or application interactions
• Customer journey analytics
• Purchase patterns
• Preferences and segmentation attributes

Technical and Device Data

• IP address
• Device identifiers
• Browser type
• Operating system
• Location derived from IP
• Cookies and similar technologies

Support and Communication Data

• Customer support communications
• Feedback submissions
• Service inquiries

The specific categories processed depend on the configuration selected by our clients.

4. How Personal Data Is Collected

Personal data processed through the Services may be collected through the following source, including but not limited to:Directly from ClientsClients may upload or transmit personal data to the platform through:

• CRM integrations
• POS systems
• Data imports
• Customer registration systems
• Forms

Through Client Digital PropertiesData may be collected when individuals interact with:

• Client websites
• Mobile applications
• Loyalty programs
• Promotional campaigns

Automated TechnologiesCertain technical data may be collected automatically through:

• Cookies
• APIs
• Tracking pixels
• Device identifiers

5. Purpose of Processing

We process personal data solely to provide the Services and in accordance with our clients’ instructions.Processing activities may include:Customer Relationship Management

• Managing loyalty programs
• Maintaining customer profiles
• Facilitating personalized engagement

Campaign Management

• Creating and executing marketing campaigns
• Scheduling and automating communications
• Personalizing marketing content

Customer Segmentation

• Grouping users based on demographics
• Behavioral segmentation
• Predictive audience targeting

Analytics and Reporting

• Campaign performance measurement
• Customer insights
• Marketing analytics

Platform Operations

• Maintaining service functionality
• Monitoring system performance
• Ensuring service reliability

Security and Fraud Prevention

• Detecting unauthorized access
• Preventing misuse of the platform
• Protecting systems and data

6. Legal Basis for Processing

Where we act as a Data Processor, the legal basis for processing is determined by the Data Controller (our client).Common legal basis under applicable laws may include:

• Consent
• Contractual necessity
• Legitimate interests
• Compliance with legal obligations

Where we act as an independent controller, processing may rely on:

• Legitimate business interests
• Contract performance
• Legal compliance
• Consent where required

7. Disclosure of Personal Data

We may share personal data with entities disclosed to the data controller in order to provide the Services.These may include:Sub-processors and Service ProvidersWe engage carefully selected third-party service providers to support our operations, including:

• Cloud infrastructure providers
• Messaging providers (email/SMS)
• Security monitoring services
• Analytics platforms

All sub-processors are required to:

• Enter into data processing agreements
• Maintain appropriate security safeguards
• Process data only on our instructions

Legal AuthoritiesWe may disclose personal data when required to:

• Comply with legal obligations and authorities
• Respond to lawful government requests
• Protect the rights and safety of individuals

Where legally permissible, we will make reasonable efforts to notify the relevant client prior to such disclosure.

8. International Data Transfers

Our Services may involve the transfer of personal data across international borders.Where personal data is transferred outside the originating jurisdiction, we ensure that appropriate safeguards are implemented, including:

• Standard Contractual Clauses (SCCs), where mandated
• Contractual data protection obligations
• Regulatory-approved transfer mechanisms

These safeguards ensure that personal data remains protected in accordance with applicable privacy laws.

9. Security Measures

We implement robust technical and organizational safeguards designed to protect personal data against unauthorized access, loss, misuse, or alteration.Infrastructure Security

• Secure cloud hosting environments
• Network segmentation
• Firewalls and intrusion detection systems

Encryption

• Encryption of data in transit using industry-standard protocols
• Encryption of sensitive data where appropriate
• Encryption of data at rest

Access Controls

• Role-based access permissions
• Multi-factor authentication
• Strict identity management

Monitoring and Auditing

• Continuous system monitoring
• Audit logging
• Security incident response procedures

Vendor Risk Management

• Sub-processor due diligence
• Security assessments
• Contractual compliance requirements

10. Personal Data Breach

In the event of a personal data breach affecting personal data processed through the Services, OptCulture will take appropriate steps to investigate, contain, and mitigate the incident. Where required under applicable data protection laws, relevant authorities and affected individuals, companies and clients will be notified in accordance with legal requirements.

11. Data Retention

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected or as required by law.Retention periods may depend on:

• Client instructions
• Contractual obligations
• Legal requirements

Upon termination of services, personal data may be:

• Returned to the client
• Deleted securely
• Anonymized where appropriate

12. Data Subject Rights

Depending on applicable law, individuals may have the right to:

• Access their personal data
• Request correction of inaccurate information
• Request deletion of personal data
• Restrict or object to processing
• Withdraw consent

Because our clients act as Data Controllers for personal data processed through the Services, they are responsible for responding to requests from individuals exercising their data protection rights.Individuals whose personal data is processed through our platform should direct such requests, including requests to access, correct, delete, or restrict processing of their personal data, to the relevant client organization acting as the Data Controller.Where OptCulture acts as a Data Processor, we process personal data solely on the instructions of the relevant client and will assist our clients in fulfilling data subject requests in accordance with applicable laws and contractual obligations.

13. Children’s Data

Our Services are not directed to children.We do not knowingly process personal data relating to children unless:

• Such processing is authorized by the client
• Required parental or guardian consent has been obtained where required by applicable law

Clients are responsible for ensuring compliance with laws relating to children’s data.

14. Cookies and Tracking Technologies

Our platform and related services may use cookies and similar technologies to improve functionality, analyze usage patterns, and enhance user experience. Users may manage cookie preferences through their browser settings.

15. Sale of Personal Data

We do not sell personal data to third parties.Personal data processed through our Services is used exclusively for the purpose of providing services to our clients and is not monetized through data brokerage or independent advertising activities.Notwithstanding anything to the contrary, Company shall have the right to collect and analyze anonymized or aggregate data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Client Data and data derived therefrom), and Company will be able to (during and after the term hereof):

• Use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Company offerings
• Disclose such data solely in aggregate or other de-identified form in connection with its business

16. Privacy Contact

For privacy-related inquiries or concerns, please contact: Where applicable, individuals may also contact the relevant client organization (Data Controller) responsible for their personal data.

17. Policy Updates

We reserve the right to update this Privacy Policy periodically to reflect:

• Changes in legal requirements
• Updates to our services
• Improvements to our privacy practices

Any updates will be published on this page with the last updated date.