Privacy Policy

PURECHAIN AI & SUSTAINABLE SOLUTIONS LLP

PRIVACY POLICY

Aligned with DPDP Act 2023 + DPDP Rules 2025

Version 1.0 • Effective Date: 30-05-2026

Last Updated: May 2026

1. Introduction and Scope

1.1 Who we are. Purechain AI & Sustainable Solutions LLP ("Purechain," "we," "us," or "our") is a Limited Liability Partnership registered under the Limited Liability Partnership Act, 2008, with its registered office at KC Arcade, Kakkanad, Ernakulam, Kerala — 682037, India. Our LLP Identification Number (LLPIN) is [To be inserted].

1.2 Purpose of this Policy. This Privacy Policy explains how Purechain collects, uses, processes, stores, discloses, and protects personal data and business information when you interact with: (a) our website at www.purechain.in and any related subdomains, (b) Purechain Academy and affiliated learning platforms, (c) our AI-assisted sustainability and procurement platform, (d) our assessment tools, mobile interfaces, WhatsApp-based services, and APIs, and (e) any communication channels including contact forms, email, scheduled consultations, and messaging integrations (collectively, the "Services").

1.3 Legal compliance framework. This Policy is drafted to comply with the Digital Personal Data Protection Act, 2023 ("DPDP Act"); the DPDP Rules, 2025; the Information Technology Act, 2000 with rules thereunder including the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and Explicitly list the IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026; the Consumer Protection Act, 2019 and the Consumer Protection (E-Commerce) Rules, 2020; and other applicable Indian laws.

1.4 Acceptance. By accessing or using the Services, you (the "Data Principal" as defined under the DPDP Act, also referred to herein as "User" or "you") confirm that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use the Services.

2. Categories of Information We Collect

2.1 Information you provide directly. When you sign up, subscribe to Services, complete forms, request consultations, or otherwise interact with us, we may collect:

• Identity information: full name, designation, date of birth (only where required)
• Contact information: email address, phone number, WhatsApp number, postal address, country of residence
• Business information: company name, GSTIN, Udyam Registration Number, PAN of the entity, industry/sector, business address, employee count
• Account information: username, password (stored in encrypted/hashed form), profile preferences, communication preferences
• Payment information: when processed via third-party payment gateways (Razorpay or equivalent), we receive limited transaction confirmation data; full payment card details are not stored by us
• Communication content: messages, queries, feedback, voice notes, documents and files uploaded to our platform

2.2 Information collected automatically. When you access our Services, we may automatically collect:

• Technical information: IP address, browser type and version, operating system, device type and identifiers
• Usage information: pages visited, features used, time spent, click patterns, referral source
• Cookies and similar technologies as detailed in our Cookie Policy
• Log data: server logs, error logs, performance metrics

2.3 Business and operational data (for platform users). For users actively using our sustainability and procurement platform, we process:

• Procurement records: supplier information, purchase orders, invoices, transaction history
• Supplier data: information about your suppliers' identity, sustainability practices, certifications
• Sustainability inputs: utility bills, fuel consumption records, production data, emission inventories
• Documents and uploads: any files, spreadsheets, images, or other materials you upload to the platform

2.4 Information from third parties. We may receive information from authorized third-party services we integrate with:

• GST verification services (ClearTax, KarmaCheck, or equivalent) — for verifying GSTIN and registration details
• Udyam Portal — for verifying MSME registration status
• Ministry of Corporate Affairs (MCA21) — for verifying company/LLP registration details
• Payment gateway providers — for transaction confirmation
• Authorized credential providers — for issuing course completion certificates

3. Purposes for Which We Process Your Data

Under the DPDP Act, we process personal data only for specific, lawful purposes:

3.1 Service delivery. To provide, maintain, and improve the Services; to authenticate users; to process subscriptions and payments; to deliver consultations and assessment outputs; to issue course completion certificates.

3.2 Communication. To respond to your queries; to send service-related notifications, transactional emails, and platform updates; to deliver course materials and learning reminders; to provide customer support; to send security alerts and policy updates.

3.3 AI-assisted operations. To extract structured information from documents you upload; to generate sustainability insights, emission calculations, supplier scoring, and compliance reports; to provide procurement recommendations; to automate workflows you have requested.

3.4 Compliance and reporting outputs. To generate ESG reports, BRSR-aligned outputs, CBAM-related disclosures, EUDR Digital Product Passports, and similar regulatory or buyer-mandated reports based on data you provide.

3.5 Marketing communication (with consent). To send you newsletters, content marketing, and information about new Services, but only after obtaining your explicit consent, and only until you withdraw such consent.

3.6 Platform improvement. To analyze usage patterns and improve features, user experience, and security. Where possible, we use anonymized or aggregated data for this purpose.

3.7 Legal and regulatory compliance. To comply with applicable laws including tax laws, regulatory reporting, court orders, and statutory obligations.

3.8 Security and fraud prevention. To detect, prevent, and address technical issues, unauthorized access, fraud, abuse, or other harmful activities.

4. Consent Mechanism Under the DPDP Act

4.1 Explicit consent. Before collecting personal data, we obtain your free, specific, informed, unconditional, and unambiguous consent through clear affirmative actions (such as ticking a consent checkbox, signing up via a clear acceptance flow, or explicit confirmation in onboarding).

4.2 Notice provided at the time of collection. At or before collection, you receive a clear notice in plain language stating: the personal data being collected; the specific purposes; the rights available to you; and the manner of withdrawing consent and exercising rights. Consent notices, privacy disclosures, and mechanisms for exercising data rights are accessible in English and the languages specified in the Eighth Schedule of the Constitution of India, available via platform language settings

4.3 Granular consent. Where multiple purposes are involved, we seek separate consent for each. Marketing consent is always separate from service-delivery consent.

4.4 Withdrawal of consent. You may withdraw your consent at any time by: (a) sending an email to privacy@purechain.in, (b) using the account settings menu in our platform, (c) replying "STOP" to WhatsApp messages, or (d) clicking the unsubscribe link in any marketing email. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.

4.5 Consequences of withdrawal. If you withdraw consent essential to providing the Services (such as account information), we may need to discontinue your access to the affected Services. We will inform you clearly before doing so.

5. AI-Assisted Processing

5.1 Use of AI in Services. Certain Services use AI-assisted systems to: extract structured data from documents you upload; generate sustainability insights and emission calculations; automate reporting workflows; identify procurement or compliance risks; provide operational recommendations.

5.2 AI as a tool, not an advisor. Outputs generated by AI-assisted features are intended to support operational decision-making. They are not, and should not be interpreted as, legal advice, financial advice, regulatory certification, audited reports, or guaranteed outcomes. You remain responsible for reviewing and validating AI-assisted outputs before relying on them for regulatory filings, business decisions, or external commitments.

5.3 Training data and model improvement. Unless you explicitly opt in, we do not use your business documents, supplier data, or other operational uploads to train general-purpose AI models. Aggregated, anonymized, and statistical data may be used to improve platform features and benchmarks. You may opt out of even anonymized usage by contacting privacy@purechain.in.

5.4 Third-party AI providers. We use AI infrastructure providers (such as OpenAI, Anthropic, or Indian cloud providers). These providers process data under strict data processing agreements that prohibit them from using your data to train their general models, in accordance with our requirements.

6. Data Sharing and Third Parties

We share limited information with carefully selected third-party providers strictly for operational purposes. All such providers are bound by Data Processing Agreements requiring DPDP-aligned security and confidentiality.

6.1 Categories of recipients:

• Cloud hosting providers (e.g., Amazon Web Services, Google Cloud — both with Indian region presence)
• Payment gateway providers (e.g., Razorpay) — for processing payments
• Communication services (e.g., email delivery, WhatsApp Business API providers such as AiSensy/WATI)
• Analytics and performance monitoring tools
• Customer support and CRM tools (e.g., HubSpot)
• Course delivery and credential platforms (e.g., TrainerCentral, Certopus)
• GST and business verification services (e.g., ClearTax)
• AI infrastructure providers as referenced in Section 5.4

6.2 Legal disclosures. We may disclose personal data to law enforcement agencies, regulators, courts, or other authorities when required by applicable law, regulation, legal process, or governmental request, or to protect our rights, your safety, or the safety of others.

6.3 Business transfers. If we are involved in a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you and provide choices where required by law.

7. Cross-Border Data Transfer

7.1 Primary data residency. Your personal data is primarily stored on servers located in India.

7.2 Permitted international transfers. Some service providers we use (such as Google, Microsoft, OpenAI, Anthropic) may store backup data or process data in jurisdictions outside India. Such transfers are conducted only to jurisdictions permitted under the DPDP Act and the DPDP Rules, and are governed by Standard Contractual Clauses or equivalent safeguards.

7.3 Notified countries. We will not transfer your personal data to any country specifically restricted by the Central Government under the DPDP Act. We monitor regulatory notifications and adjust our processing accordingly.

8. Data Security

In accordance with the DPDP Act, IT Rules 2011, and IS/ISO/IEC 27001 standards, we implement reasonable security safeguards including:

• Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit
• Access controls: role-based access control with multi-factor authentication for administrative access
• Network security: firewalls, intrusion detection systems, and regular security monitoring
• Security audits: quarterly Vulnerability Assessment and Penetration Testing (VAPT)
• Personnel security: confidentiality obligations and background verification for staff with data access
• Incident response: documented breach response procedures
• Backup and recovery: daily backups with tested disaster recovery procedures

8.2 No absolute guarantee. Despite our reasonable safeguards, no digital system can be guaranteed completely secure against all threats. We continuously improve our security in line with evolving best practices.

9. Personal Data Breach Notification

9.1 Notification commitment. Upon determination of a personal data breach, Purechain shall notify the Data Protection Board of India immediately. Subsequently, affected Data Principals will be notified within a strictly enforced maximum timeframe of 72 hours following the Board notification, detailing the breach nature, exposed data, and required mitigation steps, adhering to the dual-stage protocol of Rule 7 of the DPDP Rules, 20259.2 What to do if you suspect a breach. If you believe your data has been compromised, please contact our Grievance Redressal Officer immediately at grievance@purechain.in with subject line "URGENT: Suspected Data Breach."

10. Data Retention

10.1 Retention principle. We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.

10.2 Indicative retention periods:

• Account information: Notwithstanding account deletion requests, Purechain strictly adheres to Rule 8(3) of the DPDP Rules, 2025. Associated traffic data, network identifiers, and logs of processing shall be retained in a secure, tamper-evident environment for a mandatory minimum period of 12 months from the date of the transaction to fulfill legal, security, and statutory obligations specified under the Seventh Schedule
• Business operational data (procurement, supplier, sustainability records): for the duration of your subscription, plus 24 months thereafter
• Marketing consent records: until you withdraw consent, plus 30 days for audit purposes
• Tax and financial records: 7 years from the end of the relevant financial year (as required under the Income Tax Act and GST Act)
• Audit logs (security and compliance): 10 years from the date of logging
• Course completion records and certificates: 10 years from issuance (to support verification by third parties)

10.3 Erasure on request. You may request erasure of your personal data as described in Section 11. Upon valid request, we will delete or anonymize your data within 7 business days, except for data we are legally required to retain.

11. Your Rights as a Data Principal

Under the DPDP Act, you have the following rights with respect to your personal data:

11.1 Right to access. You can request a summary of personal data we hold about you, the processing activities, and the recipients with whom we have shared your data.

11.2 Right to correction and updation. You can request correction of inaccurate or misleading data, completion of incomplete data, and updation of your data.

11.3 Right to erasure. You can request erasure of your personal data where the data is no longer necessary for the purpose for which it was collected, or where you have withdrawn consent.

11.4 Right to grievance redressal. You can lodge a grievance with our Grievance Redressal Officer regarding any aspect of personal data processing. See Section 14 for contact details.

11.5 Right to nominate. You have the right to nominate another individual who shall, in the event of your death or incapacity, exercise your rights on your behalf, in the manner prescribed under the DPDP Rules.

11.6 Right to withdraw consent. You can withdraw consent at any time as described in Section 4.4.

11.7 How to exercise rights. Send a written request to privacy@purechain.in clearly stating: your name; your contact details; the right you wish to exercise; sufficient information to identify your data. We will verify your identity and respond within 7 business days. Where the request is complex, we may take up to 30 days, with intermediate updates.

11.8 No charge. We do not charge any fee for exercising your rights, except in cases of manifestly unfounded or excessive requests, where we may charge a reasonable fee.

12. Children's Personal Data

12.1 Services are for adults. Our Services are intended exclusively for businesses, professionals, and adults aged 18 years or older. We do not knowingly target or solicit data from children under 18.

12.2 Verifiable parental consent. If we become aware that we have collected personal data of a child (person under 18) without verifiable parental or lawful guardian consent as required under the DPDP Act, we will: (a) cease processing such data immediately; (b) delete such data unless retention is required by law; (c) notify the parent/guardian where contact details are available.

12.3 Restrictions. We do not engage in: tracking children; behavioral monitoring of children; targeted advertising to children. Reporting any suspected misuse can be done at privacy@purechain.in.

13. Cookies and Tracking Technologies

13.1 What are cookies. Cookies are small text files stored on your device when you visit our website. They help us recognize your device, remember your preferences, and analyze usage.

13.2 Categories of cookies we use:

• Strictly necessary cookies: required for the Services to function (e.g., authentication, security). These cannot be disabled.
• Functional cookies: remember your preferences and improve user experience. Activated only with consent.
• Analytics cookies: help us understand how users interact with our Services (e.g., Google Analytics 4 with IP anonymization). Activated only with consent.
• Marketing cookies: used for targeted advertising. Activated only with explicit consent.

13.3 Cookie consent. On your first visit, you will see a cookie consent banner allowing you to accept all, reject all (except strictly necessary), or customize your preferences. You can change your preferences at any time via the "Cookie Settings" link in our website footer.

13.4 Browser controls. You can also control cookies through your browser settings. However, blocking strictly necessary cookies may prevent the Services from functioning properly.

14. Grievance Redressal and Contact Information

14.1 Grievance Redressal Officer. In accordance with the DPDP Act and IT Rules, 2021, we have designated a Grievance Redressal Officer:

• Name: Manav Nambiar
• Designation: Grievance Redressal Officer
• Email: grievance@purechain.in
• Address: KC Arcade, Kakkanad, Ernakulam, Kerala — 682037, India
• Response time: Grievances will be acknowledged within 24 hours. Final resolution will be provided as expeditiously as technically feasible, ensuring completion prior to the statutory maximum of 90 days prescribed by Rule 14 of the DPDP Rules, 2025

14.2 Data Protection Officer (DPO). Once Purechain qualifies as a Significant Data Fiduciary or where required under the DPDP Rules, we will appoint a dedicated Data Protection Officer and update this Policy accordingly.

14.3 General contact:

• Privacy queries: privacy@purechain.in
• General queries: hello@purechain.in
• Phone: +91 92926 11621
• Website: https://www.purechain.in

14.4 Escalation to Data Protection Board of India. If you are not satisfied with our response to a grievance, you may lodge a complaint with the Data Protection Board of India (DPBI) through its official portal at https://www.dpbi.gov.in or through such other mechanism as DPBI may notify.

15. External Links

Our Services may contain links to third-party websites, applications, or content. This Privacy Policy does not apply to such third-party services. We are not responsible for the privacy practices, content, or actions of third parties. We encourage you to review the privacy policies of any third-party services you access through our Services.

16. Changes to This Policy

16.1 Updates. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

16.2 Notification of material changes. For material changes (such as new purposes of processing or new categories of recipients), we will: (a) provide prominent notice on our website at least 30 days before the change takes effect; (b) for registered users, send an email notification; (c) where required by law, obtain fresh consent.

16.3 Version control. Each version of this Policy is identified by version number and effective date. Previous versions are available on request to privacy@purechain.in. By continuing to use the Services after changes take effect, you accept the updated Policy.

17. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of India. Any disputes arising from or in connection with this Privacy Policy shall be subject to the jurisdiction described in our Terms of Service. The DPDP Act, IT Act, and Consumer Protection Act provisions shall apply with full force.

Acknowledgment

— END OF PRIVACY POLICY —

Purechain AI & Sustainable Solutions LLP | www.purechain.in | Version 1.0 | May 2026