1. Introduction and Scope

Aghreni Technologies Pvt. Ltd., operating under the brand name Kenscio (“Kenscio”, “we”, “us”, or “our”), is a digital marketing technology company incorporated in India and headquartered in Bengaluru, Karnataka. We provide a suite of digital marketing and communication products and services, including KenMail (email deliverability and campaign management), KenCERT (email authentication and certification), KenPass (SMS and WhatsApp communication), KenClean (data hygiene and validation), and associated professional and managed services.

This Privacy Policy describes how Kenscio collects, uses, stores, shares, transfers, retains, and protects personal data in the course of operating our business and providing our services. It applies when you visit our website at kenscio.com, when you communicate with us as a business contact, when you use any of our platforms or services, when you represent a client, vendor, or partner organisation, when you apply for employment with Kenscio, or when you otherwise provide personal data to us in circumstances where we act as a Data Fiduciary.

This Privacy Policy is intended to comply with the Digital Personal Data Protection Act, 2023 (DPDPA) of India, which is the primary applicable law governing our collection and processing of personal data. Where Kenscio operates in or processes data relating to individuals in other jurisdictions, we endeavour to comply with the applicable data protection laws of those jurisdictions as well.

This policy supersedes and replaces all prior versions of the Kenscio privacy policy. By using our website or services, you acknowledge that you have read and understood this Privacy Policy.

2. Our Role as Data Fiduciary and Data Processor

Kenscio processes personal data in two distinct capacities, depending on the context in which the data is collected and used. Understanding our role in each context is important, as it determines our responsibilities under the DPDPA and your rights in relation to your personal data.

When Kenscio Acts as a Data Fiduciary

Kenscio acts as a Data Fiduciary when we determine the purposes and means of processing personal data. This applies to personal data we collect and process in connection with visits to and interactions with our website, communications with business contacts, personal data relating to representatives of clients, vendors, and business partners, job applicants and the recruitment process, and our own marketing, administrative, security, and compliance operations. In these circumstances, Kenscio independently determines why and how personal data is processed and is directly accountable to Data Principals under the DPDPA.

When Kenscio Acts as a Data Processor

Kenscio acts as a Data Processor when we process personal data on behalf of our clients — for example, when processing email lists or contact data uploaded by clients into KenMail, cleaning and validating data through KenClean, or delivering communications via KenPass on behalf of clients. In this context, the client determines the purposes and means of processing, and Kenscio processes personal data solely on the documented instructions of the client, who is the Data Fiduciary. Kenscio does not use such data for its own independent purposes, does not process it for marketing, profiling, or any purpose unrelated to the contracted service, and does not independently monetise such data.

3. Privacy Notice to Data Principals

In accordance with Sections 5 and 6 of the Digital Personal Data Protection Act, 2023, Kenscio provides this Privacy Notice to all Data Principals whose personal data is collected and processed by us. This notice is provided at or before the point of data collection and remains available at all times on this page.

The Data Fiduciary responsible for your personal data is Aghreni Technologies Pvt. Ltd. (Kenscio), registered at Innovation, No. 101, Amar Jyothi HBCS Layout, Domlur, Bengaluru, Karnataka – 560071, India. CIN: U72200KA2008PTC047005.

For any privacy-related queries, requests to exercise your rights, or to submit a grievance, please contact our Grievance Officer at privacy@kenscio.com with the subject line “Privacy / DPDPA Grievance” or call us at +91-8088029029.

This notice describes the categories of personal data we collect, the specific purposes for which it is collected, the legal basis for processing, how long we retain it, your rights as a Data Principal, and how you can exercise those rights. Each of these elements is described in detail in the sections that follow.

4. Personal Data We Collect

The personal data we collect depends on your relationship with Kenscio. We collect personal data directly from you, automatically through your use of our website and platforms, and in limited circumstances from authorised third parties. We collect only what is necessary for the specific purposes described in this policy and nothing beyond that.

From Website Visitors and Enquirers

When you visit our website or submit an enquiry through our contact form, we collect information you provide directly as well as certain technical information generated automatically by your visit. The personal data collected in this context includes:

• Full name — as provided in the contact or enquiry form.
• Work email address — to enable us to respond to your enquiry.
• Phone number — where provided, for follow-up communication.
• Company name — to understand the organisational context of your enquiry.
• Nature of enquiry or message content — the details you include in the free-text field of the form.
• IP address — collected automatically via server logs for security and fraud prevention purposes.
• Browser type and language — to optimise the website experience.
• Device characteristics — including operating system and screen resolution, collected in aggregate.
• Pages visited, links clicked, and session duration — for website performance analytics.
• Referring URLs and timestamps — to understand how visitors arrive at and navigate through our website.

Technical information is collected through cookies and server log files. Please refer to the Cookies section of this policy for further details on how we manage cookie-based data collection and your choices in that regard.

From Newsletter Subscribers

When you subscribe to the Kenscio newsletter or opt in to receive our marketing communications, we collect the following information:

• Email address — the primary identifier used to deliver newsletter communications to you.
• Name — optionally provided at the time of subscription, used to personalise communications where applicable.
• Subscription preferences and consent record — including the date, time, and mechanism through which consent was given, retained as our record of your opt-in.

This data is collected exclusively on the basis of your explicit, separate consent and is used solely for the purpose of sending the newsletter or marketing communications to which you have subscribed. It is not used for any other purpose without fresh consent.

From Prospective and Active Clients

When you engage with Kenscio as a prospective client exploring our services, or as an active client using our platforms, we collect the following categories of personal data relating to authorised representatives of your organisation:

• Full name and job title — of the individual engaging with Kenscio on behalf of the organisation.
• Work email address and business phone number — for account communication and service support.
• Company name and business address — for account identification and invoicing purposes.
• Service requirements and enquiry details — captured during pre-sales discussions, for prospective clients.
• Billing and invoicing information — including payment details, GST number, and invoicing address, for active clients.
• Account configuration and service usage data — records of how Kenscio platforms are configured and used within your organisation.
• Support and communication records — records of all technical support interactions, service requests, and business correspondence between your organisation and ours.

From Employees

In connection with your employment with Kenscio, we collect personal data that is necessary for employment administration, payroll processing, and compliance with Indian statutory obligations. The personal data collected from employees includes:

• Full name, date of birth, and gender — for identity and HR record purposes.
• Residential address — current and permanent, for official correspondence and HR records.
• PAN number — for income tax deduction and statutory filings with the Income Tax Department.
• Aadhaar number — where required for statutory filings or government benefit schemes, collected and stored in compliance with applicable law.
• Bank account details — for the purpose of salary and reimbursement disbursement through payroll.
• Employment history and educational qualifications — as provided during onboarding and maintained in HR records.
• Emergency contact details — names and contact numbers of nominated emergency contacts.
• Health and medical information — where required for ESI registration, health insurance administration, or statutory leave entitlements such as medical and maternity leave.
• Leave and attendance records — maintained for payroll computation and HR administration.
• Performance and appraisal data — records generated through the performance review and goal-setting process.
• Nominee and dependant details — for provident fund, gratuity, insurance, and other statutory benefit nominations.

From Job-Seeking Candidates

When you apply for a position at Kenscio, whether directly through our website or via an authorised recruitment platform, we collect the personal data you provide as part of your application. This includes:

• Full name, email address, and phone number — for communication regarding your application.
• Curriculum vitae or résumé — containing your professional summary, employment history, and educational background.
• Employment history and current or most recent employer — for evaluating professional experience and suitability.
• Educational qualifications and certifications — academic and professional credentials relevant to the role applied for.
• Expected compensation and notice period — to assess alignment with the role and hiring timelines.
• LinkedIn profile or professional portfolio — where voluntarily provided.
• Cover letter and any additional information — submitted voluntarily as part of your application.
• Reference details — names and contact information of professional referees nominated by the candidate, where applicable.

In certain circumstances, we may also receive information about candidates from authorised recruitment agencies, professional networking platforms, or background verification providers, where permitted by applicable law and disclosed to the candidate.

From Representatives of Vendors and Partners

In the course of establishing and managing our vendor, service provider, and business partner relationships, we collect personal data relating to the designated representatives of those organisations. The information collected in this context includes:

• Full name — of the individual acting as the primary contact for the organisation.
• Work email address and business phone number — for business communications and contract administration.
• Company name, registered address, and GST or CIN details — for due diligence, vendor onboarding, and compliance purposes.
• Job title and department — to understand the scope of the individual’s authority in business dealings.
• Communication records — records of business correspondence, meeting notes, and contractual discussions relevant to the relationship.

This data is collected directly from the representatives themselves, through the course of business communications and contractual processes, or from publicly available professional contact information where appropriate.

Data Processed in Our Capacity as a Data Processor

When clients upload or transmit personal data relating to their own customers, subscribers, or contacts into Kenscio platforms — such as email lists into KenMail, contact databases into KenClean, or communication recipient lists into KenPass — Kenscio processes that data strictly as a Data Processor. The categories of personal data processed in this context depend entirely on what the client uploads and how they configure the service. Kenscio does not control or determine the categories of data in this context, and this data is processed solely in accordance with the client’s instructions and the applicable Data Processing Agreement. Data Principals whose data has been processed in this context should direct their requests to the relevant client organisation.

5. Purpose of Data Collection and Processing

Kenscio collects and processes personal data only for lawful, specific, and clearly defined purposes in accordance with Section 4 of the DPDPA. Personal data will not be used for any purpose other than those described below without providing fresh notice and, where consent is the applicable legal basis, obtaining fresh consent.

Responding to Enquiries and Pre-Sales Communication

Personal data submitted through the contact and enquiry forms on our website is used to respond to your enquiry and to provide you with information about Kenscio products and services that may be relevant to your requirements. Where you have separately opted in, we may follow up with further communications. We do not use enquiry data for any purpose unrelated to the enquiry itself without your consent.

Sending Newsletters and Marketing Communications

Email addresses and names collected through the newsletter subscription form are used exclusively for the purpose of sending periodic newsletters covering digital marketing trends, Kenscio product updates, and industry insights. This processing occurs only where you have given separate, explicit consent for this purpose, and is entirely independent of any other form submission or service request.

Website Security, Performance, and Analytics

Technical information collected automatically through server logs and analytics cookies — including IP addresses, page view data, browser information, and session data — is used to monitor the security and integrity of the Kenscio website, to detect and prevent fraud and unauthorised access, and to analyse aggregate usage patterns for the purpose of improving the website’s performance and user experience. This processing is carried out on the basis of legitimate use in the operation and security of our platform.

Delivering Contracted Services and Managing Client Accounts

Personal data relating to active clients and their representatives is processed for the purpose of delivering the contracted services, managing client accounts, handling billing and invoicing, maintaining records of communications and service configurations, resolving technical issues and disputes, and meeting our legal and regulatory obligations as a service provider. This processing is carried out on the basis of contract performance and legal obligation.

Employment Administration and Statutory Compliance

Personal data relating to employees is processed for the purposes of employment administration, payroll processing, tax deduction and statutory government filings under the Income Tax Act, Employees’ Provident Fund and Miscellaneous Provisions Act, Employees’ State Insurance Act, and other applicable Indian labour legislation, management of employee benefits including health insurance and leave entitlements, performance management, and maintaining records required by law during and after employment.

Recruitment and Hiring

Personal data submitted by job candidates is used for the purposes of reviewing and evaluating applications, assessing suitability for employment, conducting interviews and selection processes, verifying qualifications and references where applicable, and maintaining records of recruitment activities for administrative and compliance purposes.

Vendor and Partner Relationship Management

Personal data relating to representatives of vendors and business partners is used for the purposes of initiating and managing business relationships, contract administration, due diligence, and compliance with our legal and regulatory obligations.

Executing Client-Instructed Processing on Kenscio Platforms

Where Kenscio processes personal data uploaded by clients into its platforms, the sole purpose is to execute the contracted service — delivering email campaigns through KenMail, cleaning and validating contact data through KenClean, or sending SMS or WhatsApp communications through KenPass — strictly as instructed by the client. Kenscio does not use this data for any independent purpose, does not carry out profiling or behavioural analysis on it, and does not share it with third parties except sub-processors engaged to support the delivery of the contracted service.

Kenscio does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals in its capacity as a Data Fiduciary. Where clients use automated segmentation or targeting capabilities within Kenscio platforms, such activities are configured and controlled entirely by the client in their capacity as Data Fiduciary.

6. Legal Basis for Processing

Under the DPDPA, Kenscio processes personal data on the basis of one or more of the following lawful grounds, depending on the context and category of data involved.

Consent

Where the DPDPA requires consent as the lawful basis for processing, Kenscio obtains consent that is free, specific, informed, unconditional, and expressed through a clear affirmative action, in accordance with Section 6 of the Act. Consent is the legal basis for processing personal data collected through the website contact and enquiry forms for the purpose of follow-up sales communication, for sending newsletters and marketing emails, for non-essential cookies and tracking technologies, and for any processing of employee personal data that goes beyond the scope of the employment contract and statutory obligations. Where processing is based on consent, you may withdraw it at any time as described in the Consent section of this policy.

Performance of a Contract

Processing that is necessary to enter into, perform, or manage a contractual relationship with a client, vendor, partner, or employee is carried out on the basis of contractual necessity. This includes processing required to deliver contracted services, administer client accounts, manage payroll, and fulfil obligations under employment agreements.

Compliance with Legal Obligations

Where processing is necessary to comply with applicable laws, regulatory requirements, court orders, or lawful government requests, Kenscio carries out such processing on the basis of legal obligation. This includes statutory filings with tax and social security authorities, maintenance of records required under Indian labour law, and responses to lawful requests from law enforcement or regulatory bodies.

Legitimate Use

Where processing is necessary for a legitimate purpose that does not require consent under the DPDPA — such as processing for website security and fraud prevention, maintaining internal administrative records, managing our business operations, and protecting the legal rights of Kenscio — such processing is carried out on the basis of legitimate use as recognised under the Act. We ensure that such processing does not override the fundamental rights and interests of Data Principals.

Processing in Our Capacity as a Data Processor

Where Kenscio processes personal data on behalf of a client through its platforms, the lawful basis for processing is determined by the client in their capacity as Data Fiduciary. Kenscio processes such data solely in accordance with the client’s documented instructions and the applicable Data Processing Agreement and does not independently determine the legal basis for such processing.

7. Consent

Kenscio is committed to obtaining and managing consent in accordance with the requirements of Section 6 of the DPDPA. We do not use pre-ticked checkboxes, bundled consent, or implied consent. Each distinct purpose for which consent is sought has its own separate, unchecked opt-in mechanism presented alongside a plain-language description of that purpose.

How We Obtain Consent

When you submit a contact or enquiry form on our website, you will be presented with a separate opt-in checkbox to consent to follow-up sales communications about Kenscio products and services. This consent is distinct from the act of submitting your enquiry, and declining it does not affect our ability to respond to your specific request. When you subscribe to the Kenscio newsletter, consent is sought through a separate, clearly labelled opt-in checkbox specifically for that purpose. When you visit our website for the first time, a cookie consent banner will be presented allowing you to accept or decline analytics and marketing cookies by category. Where Kenscio seeks to process employee personal data for purposes beyond the employment contract and statutory obligations, consent is sought through the HR onboarding process.

Consent as a Data Processor

Where Kenscio processes personal data on behalf of clients through its platforms, Kenscio relies on the representations of those clients that valid consent has been obtained from the Data Principals whose data is uploaded. Kenscio’s client agreements include a contractual obligation requiring clients to confirm that all necessary consents and lawful bases are in place before uploading or transmitting personal data into Kenscio platforms.

Withdrawing Consent

You may withdraw your consent for any specific purpose at any time. To withdraw consent for marketing emails or newsletters, click the “Unsubscribe” link included in every such communication sent by Kenscio. To withdraw consent for other purposes, send an email to privacy@kenscio.com with the subject line “Withdraw Consent” specifying the purpose or purposes for which you wish to withdraw. To withdraw consent for analytics or marketing cookies, use the cookie preferences tool available on the Kenscio website.

Withdrawal of consent will be processed promptly. Withdrawal does not affect the lawfulness of any processing carried out prior to the withdrawal. Where consent is withdrawn and no other lawful basis applies, Kenscio will cease processing your personal data for that purpose. Kenscio will not penalise, restrict access to services, or otherwise discriminate against any Data Principal who withdraws consent.

8. Data Collection: Adults and Children

Data Collection from Adults

Kenscio’s website, products, and services are directed at adult individuals and business entities. All direct data collection through our website — including contact forms, newsletter subscriptions, and account registration — is intended for individuals who are 18 years of age or older. By submitting any form on the Kenscio website or registering for any Kenscio service, you confirm that you are at least 18 years of age.

If Kenscio becomes aware that personal data has been submitted by or collected from an individual below the age of 18 without verifiable parental or guardian consent, we will delete such data without undue delay. If you believe this has occurred, please contact us immediately at privacy@kenscio.com.

Children’s Personal Data and DPDPA Section 9 Obligations

The Digital Personal Data Protection Act, 2023 defines a child as any individual below the age of 18 years. Section 9 of the Act imposes significant obligations on Data Fiduciaries before processing the personal data of a child, including the requirement to obtain verifiable consent from the child’s parent or lawful guardian, the prohibition on undertaking processing that is likely to cause detrimental effects on the well-being of a child, and the prohibition on engaging in tracking, behavioural monitoring, or targeted advertising directed at children.

The Kenscio website is not directed at children. Kenscio does not knowingly collect personal data from individuals below the age of 18 through its website or direct marketing channels.

Children’s Data in Client-Uploaded Datasets

Clients who upload personal data into Kenscio platforms — including KenMail, KenClean, and KenPass — are contractually prohibited from uploading personal data relating to individuals below the age of 18 unless verifiable parental or guardian consent has been obtained and documented in accordance with the DPDPA. Kenscio’s Data Processing Agreements include an explicit warranty from clients that any personal data uploaded relating to children is accompanied by such verifiable consent. Kenscio does not carry out tracking, profiling, or behavioural monitoring of children and does not permit its platforms to be used for targeted advertising directed at children.

Employee Dependant and Nominee Data

Where employees provide personal data relating to their children — such as nominee information, dependant details for insurance coverage, or emergency contact details relating to minors — such data is collected and processed solely for the purpose of administering HR benefits and fulfilling statutory obligations. This data is not used for any other purpose, is not shared with third parties beyond the relevant benefit providers, and is held with enhanced access controls and confidentiality safeguards.

9. Rights of Data Principals

The Digital Personal Data Protection Act, 2023 grants Data Principals a set of rights in relation to their personal data. Where Kenscio acts as the Data Fiduciary, it is obligated to honour these rights. To exercise any of the rights described below, please write to privacy@kenscio.com with the subject line “DPDPA Rights Request – [Name of Right]”, including your full name and the email address associated with your personal data. We will acknowledge your request and respond within the timelines prescribed by the DPDPA and applicable rules.

Right to Access Information

You may request confirmation of whether Kenscio is processing personal data about you, and if so, a summary of the personal data held, the purposes for which it is being processed, and a description of the processing activities carried out on that data. You may also request details of the categories of persons or organisations with whom your personal data has been shared.

Right to Correction and Erasure

You may request that Kenscio correct any personal data that is inaccurate or incomplete. You may also request the erasure of your personal data where it is no longer necessary for the purpose for which it was collected, where you have withdrawn consent and no other lawful basis applies, or where processing is otherwise unlawful. Kenscio will fulfil erasure requests subject to any legal obligations that require continued retention, such as statutory record-keeping requirements under Indian labour, tax, or social security law. Where erasure is not possible due to a legal obligation, Kenscio will inform you of the basis for continued retention.

Right to Grievance Redressal

You have the right to submit a grievance relating to the processing of your personal data to Kenscio’s Grievance Officer at any time. Kenscio will acknowledge receipt of your grievance promptly and will endeavour to resolve it within the timelines prescribed under the DPDPA and applicable rules. If you are not satisfied with our response, you have the right to escalate your complaint to the Data Protection Board of India once it is constituted and operational under the Act.

Right to Nominate

You may nominate another individual to exercise your DPDPA rights on your behalf in the event of your death or incapacity. Nominations may be submitted in writing to our Grievance Officer at privacy@kenscio.com, and Kenscio will confirm registration of the nomination within seven days of receipt.

Right to Withdraw Consent

Where the processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. The mechanism for withdrawal is described in detail in the Consent section of this policy. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal, and Kenscio will cease processing for the relevant purpose upon receipt of your withdrawal request, except where an alternative lawful basis applies.

Right to Approach the Data Protection Board of India

If you have submitted a grievance to Kenscio and are not satisfied with the response, or if you believe your personal data has been processed in violation of the DPDPA, you have the right to approach the Data Protection Board of India, once constituted. Kenscio encourages Data Principals to first raise concerns directly with us so that we may address them promptly and effectively.

10. Responsibilities of Data Principals

The Digital Personal Data Protection Act, 2023 recognises data protection as a shared responsibility. Section 15 of the Act places duties on Data Principals alongside the rights they hold. Kenscio asks all individuals who share personal data with us to observe the following responsibilities when doing so.

You must not impersonate another person or provide false, misleading, or suppressed information when sharing personal data with Kenscio, whether through the website, during the client onboarding process, or in the course of employment. You must not register false, frivolous, or malicious grievances or data rights requests with Kenscio or with the Data Protection Board of India. You must exercise your rights under the DPDPA in good faith and in compliance with all applicable laws. As an employee or active client, you are responsible for informing Kenscio of material changes to your personal data — such as a change of address, contact number, or bank account — to ensure the accuracy of records held by us. When using Kenscio platforms or services, you must not upload or provide personal data of third parties without the appropriate lawful basis and, where required under the DPDPA, without the verifiable consent of those individuals.

Kenscio reserves the right, in accordance with the DPDPA, to decline requests that are determined to be false, frivolous, repetitive without reasonable cause, or intended to cause disruption to our operations.

11. Data Retention

Kenscio retains personal data only for as long as necessary for the purpose for which it was collected, or as required to comply with applicable legal, regulatory, or contractual obligations, in accordance with Section 8(7) of the DPDPA. Once the applicable retention period has expired and no legal requirement mandates continued storage, personal data is securely erased or irreversibly anonymised.

Website Enquiry and Contact Form Data

Personal data submitted through the contact and enquiry forms on our website is retained for a period of twelve months from the date of the last interaction or until the enquiry is resolved, whichever is earlier, unless the enquiry results in a client relationship being established, in which case the data is retained as part of the client record.

Newsletter and Marketing Subscription Data

Email addresses and associated subscription data are retained for as long as your consent remains valid and active. Upon withdrawal of consent or unsubscription, your data will be removed from our active marketing lists within thirty days, allowing time for system propagation.

Prospective Client Data

Personal data relating to prospective clients with whom no contract has been concluded is retained for a period of twenty-four months from the date of the last meaningful engagement, unless a contract is subsequently entered into.

Active Client Account and Service Data

Personal data relating to active and former clients is retained for the duration of the contractual relationship and for a period of five years following termination or expiry of the contract, for the purposes of dispute resolution, compliance with statutory obligations, and enforcement of our contractual rights.

Employee Personal Data

General HR records relating to current and former employees are retained for the duration of employment and for a period of eight years following the end of employment, in compliance with applicable Indian labour, provident fund, and income tax legislation. Payroll and tax records are retained for a period of ten years following the relevant assessment year, as required under the Income Tax Act, 1961.

Client-Uploaded Data Processed Through Kenscio Platforms

Personal data uploaded by clients into Kenscio platforms is retained only for the duration required to execute the contracted service. Upon completion of the service or termination of the contract, such data is deleted from active systems or returned to the client, as agreed in the Data Processing Agreement, within thirty days. Kenscio will confirm deletion to the client in writing.

Backup and Disaster Recovery Copies

Backup copies of data held in disaster recovery systems are aligned to the primary retention schedule and are purged automatically in the next scheduled backup cycle following the expiry of the primary retention period for that data.

Upon expiry of the applicable retention period, digital personal data is erased using industry-standard deletion methods that render it unrecoverable. Physical records containing personal data are destroyed by cross-cut shredding or certified secure disposal. Where data is anonymised rather than deleted, Kenscio ensures the anonymisation is irreversible, such that the data can no longer be used to identify an individual. Kenscio conducts periodic data audits, no less than annually, to ensure that retention schedules are being observed and that data no longer required is identified and disposed of in a timely manner.

12. Data Security

Kenscio implements appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, loss, or destruction, in accordance with Section 8(5) of the DPDPA. Kenscio holds ISO/IEC 27001:2022 certification & are compliant with SOC 2 Type 1 framework, which reflects our commitment to maintaining a robust information security management system.

Our security measures include hosting all servers in secure, access-controlled, physically protected co-location facilities with logical firewalls and network segmentation. Access to personal data is restricted on a strict need-to-know basis, with employees granted access only to the specific data required for their job function. All employees who handle personal data are bound by confidentiality obligations and receive regular training on data protection and information security practices. Sensitive data in transit is encrypted using industry-standard TLS protocols, and data at rest is encrypted where technically feasible. Multi-factor authentication, strong password policies, and screen-lock requirements are enforced across all systems that access personal data.

Kenscio maintains a formal Data Breach Response Procedure. In the event of a personal data breach that is likely to result in harm to Data Principals, Kenscio will notify the Data Protection Board of India and the affected Data Principals in accordance with the timelines prescribed under the DPDPA. Where Kenscio acts as a Data Processor and a breach affects client data, Kenscio will notify the relevant client without undue delay and assist them in fulfilling their notification obligations.

13. Data Sharing and Cross-Border Transfers

Sharing Within India

Kenscio does not sell or rent personal data to any third party for their own commercial purposes. We may share personal data with third-party service providers and sub-processors who assist in the delivery of our services and the operation of our business, but only to the extent necessary for the specific purpose and subject to appropriate contractual data protection obligations. Categories of recipients include cloud infrastructure and hosting providers, customer relationship management and communication tools, statutory filing and payroll processing platforms, payment processors, professional advisors such as lawyers and auditors operating under strict confidentiality obligations, and security monitoring and fraud prevention services.

We may also disclose personal data to statutory authorities and regulators where required by Indian law — for example, to income tax authorities, provident fund organisations, or labour departments — and to legal or judicial authorities pursuant to a valid court order, regulatory requirement, or applicable law.

Cross-Border Data Transfers

Kenscio operates offices in Bengaluru. Some personal data may be accessed by or transferred to our teams or authorised service providers located outside India in the course of delivering services or managing our business operations.

Kenscio will transfer personal data outside India only to countries notified as permissible by the Central Government under Section 16 of the DPDPA. Where such transfers are made, Kenscio ensures that appropriate safeguards are in place, including contractual protections consistent with the requirements of the DPDPA. This policy will be updated as the Government of India issues notifications identifying permissible transfer destinations. Data Principals may contact us at privacy@kenscio.com to obtain information about the specific safeguards governing cross-border transfers of their personal data.

14. Cookies and Tracking Technologies

Kenscio’s website uses cookies and similar tracking technologies including pixels, tags, and scripts. To the extent that any of these technologies collect or process personal data — such as IP addresses or browsing behaviour linked to an identifiable individual — their use is subject to the DPDPA and this Privacy Policy.

Strictly necessary cookies are required for the website to function securely and correctly. These cookies cannot be disabled and do not require consent, as they are essential to the operation of the website. Analytics cookies are used to understand in aggregate terms how visitors interact with the website — for example, which pages are most visited and how users navigate between sections. These cookies are activated only upon your explicit consent. Marketing cookies are used to deliver more relevant communications to you based on your browsing activity. These cookies are also activated only upon your explicit consent.

Upon your first visit to the Kenscio website, a cookie consent banner will be presented allowing you to accept or decline cookies by category. You may change your preferences at any time using the cookie preferences tool available on the website. For full details on the specific cookies we use, the third-party providers involved, the purposes of use, and the retention periods applicable to each cookie category, please refer to our Cookie Policy at kenscio.com/cookie-policy.

15. Changes to This Privacy Policy

Kenscio may update this Privacy Policy from time to time to reflect changes in our data processing practices, the services we offer, or the applicable legal and regulatory requirements. When we make material changes to this policy, we will update the “Last Updated” date at the top of this page. Where the changes materially affect how we process your personal data in our capacity as a Data Fiduciary, we will also notify you directly by email before the revised policy comes into effect, display a prominent notice on the Kenscio website homepage for a period of at least thirty days, and where the change requires fresh consent, seek that consent through the appropriate mechanism before applying the new processing purpose.

You are encouraged to review this policy periodically. Your continued use of the Kenscio website or services after the effective date of a revised policy constitutes your acknowledgement of the updated terms, in circumstances where fresh consent is not required. This Privacy Policy does not modify or amend any contractual terms agreed between Kenscio and its clients, including any applicable Data Processing Agreement. In the event of a conflict between this Privacy Policy and a client agreement with respect to client data processed in a Data Processor capacity, the client agreement shall govern.

16. Contact Us and Grievance Redressal

If you have any questions about this Privacy Policy, wish to exercise any of your rights under the DPDPA, or wish to submit a grievance relating to the processing of your personal data, please contact our Grievance Officer using the details below. Our Grievance Officer is designated in accordance with the DPDPA and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

If you are not satisfied with our response to your grievance, you have the right to escalate your complaint to the Data Protection Board of India once it is constituted and operational under the DPDPA. Kenscio encourages Data Principals to contact us first so that we may address concerns directly and promptly.

This Privacy Policy is governed by and shall be construed in accordance with the laws of India. Any disputes arising in connection with this policy that are not resolved through the DPDPA’s grievance and redressal mechanisms shall be subject to the exclusive jurisdiction of the courts at Bengaluru, Karnataka.