Privacy Policy

Last Updated: 5 September 2025
Effective Date: 2 February 2026

This Privacy Policy ("Policy") describes how Vibeshared, operated as an independent digital platform based in India ("Platform", "we", "us", "our"), collects, uses, stores, shares, and protects Personal Data when you ("User", "you", "your") access or use our website, mobile applications, and services (collectively, the "Platform").

This Policy is legally binding and forms an integral part of our Terms and Conditions.

1. PURPOSE, SCOPE, AND APPLICABILITY

1.1 Purpose of This Policy

The purpose of this Privacy Policy is to:

• Explain what Personal Data we collect
• Describe how and why we process such data
• Set out the lawful bases for processing
• Inform Users of their rights
• Describe grievance and redressal mechanisms
• Demonstrate compliance with applicable data protection laws

1.2 Applicability

This Policy applies to:

• All visitors to the Platform
• Registered users
• Content creators
• Advertisers (if applicable)
• Any individual whose Personal Data is processed through the Platform

1.3 Laws Covered

This Policy is drafted to comply with:

• Digital Personal Data Protection Act, 2023 (India)
• Information Technology Act, 2000 and associated rules
• General Data Protection Regulation (EU) 2016/679 (GDPR)
• Other applicable data protection and privacy laws

Where multiple laws apply, we apply the highest standard of protection, subject to legal feasibility.

2. DEFINITIONS AND INTERPRETATION

For the purposes of this Policy:

• "Personal Data" means any data about an identifiable individual.
• "Sensitive Personal Data" includes categories requiring enhanced protection under law.
• "Data Principal" has the meaning assigned under the DPDP Act.
• "Data Subject" has the meaning assigned under GDPR.
• "Processing" includes collection, storage, use, sharing, disclosure, or deletion.
• "Consent" means freely given, specific, informed, and unambiguous indication of agreement.

Headings are for convenience only and do not affect interpretation.

3. ROLE OF THE COMPANY UNDER DATA PROTECTION LAWS

3.1 DPDP Act Role

For the purposes of the Digital Personal Data Protection Act, 2023, the Platform operator acts as the Data Fiduciary responsible for determining the purpose and means of processing Personal Data, irrespective of formal corporate registration status.

Under the Digital Personal Data Protection Act, 2023:

• The Company acts as a Data Fiduciary
• Users act as Data Principals

3.2 GDPR Role

Where GDPR applies:

• The Company acts as a Data Controller
• Certain service providers act as Data Processors

3.3 Intermediary Status

The Company also operates as an intermediary under the Information Technology Act, 2000, and does not exercise editorial control over all User Content.

3.4 Interpretation of the Term “Company”

References to the “Company” in this Privacy Policy shall be deemed to refer to the Platform operator, whether acting as an individual, sole proprietor, or through any present or future legal entity responsible for operating Vibeshared.

4. CATEGORIES OF PERSONAL DATA WE COLLECT

4.1 Data Provided Directly by Users

We may collect Personal Data that Users voluntarily provide, including:

• Name or username
• Email address
• Phone number
• Profile photo
• Bio or description
• Account credentials
• Communications with support
• Content uploaded or posted

4.2 Automatically Collected Data

When you access the Platform, we may automatically collect:

• IP address
• Device identifiers
• Browser type
• Operating system
• Log files
• Access times
• Interaction data
• Cookies and similar technologies

4.3 User-Generated Content

User-generated content may include Personal Data, such as:

• Posts
• Comments
• Images
• Videos
• Messages
• Metadata associated with content

Users are responsible for Personal Data they choose to disclose publicly.

5. SOURCES OF PERSONAL DATA

Personal Data may be collected from:

• Direct user input
• Automated technologies
• Third-party authentication providers
• Lawful third-party sources
• Publicly available information (where permitted)

6. PURPOSES OF PROCESSING

We process Personal Data for the following purposes:

• Account creation and management
• Platform operation and maintenance
• Content hosting and delivery
• User interaction and engagement
• Security and fraud prevention
• Legal compliance
• Customer support
• Platform analytics and improvement
• Enforcement of Terms and Policies

Processing is strictly limited to stated purposes.

7. LAWFUL BASIS FOR PROCESSING (GDPR – ARTICLE 6)

Where GDPR applies, we rely on one or more of the following lawful bases:

7.1 Consent (Article 6(1)(a))

Where Users have explicitly consented, including for:

• Optional features
• Marketing communications
• Cookies (where required)

7.2 Contractual Necessity (Article 6(1)(b))

Processing necessary to:

• Provide Platform services
• Fulfill contractual obligations
• Manage user accounts

7.3 Legal Obligation (Article 6(1)(c))

Processing required to:

• Comply with laws
• Respond to lawful requests
• Meet regulatory requirements

7.4 Legitimate Interests (Article 6(1)(f))

Processing necessary for:

• Platform security
• Fraud prevention
• Service improvement
• Business continuity

Such interests are balanced against User rights.

8. CONSENT MODEL UNDER DPDP ACT, 2023

8.1 Nature of Consent

Under the DPDP Act, consent must be:

• Free
• Informed
• Specific
• Unambiguous
• Given through affirmative action

8.2 Consent Collection

Consent may be collected through:

• Account registration flows
• Feature opt-ins
• Settings controls
• Clear notices

8.3 Withdrawal of Consent

Users may withdraw consent at any time.

Withdrawal:

• Does not affect prior lawful processing
• May limit access to certain features
• May result in account termination where processing is essential

9. FAIRNESS, TRANSPARENCY, AND MINIMIZATION

We adhere to the principles of:

• Data minimization
• Purpose limitation
• Storage limitation
• Accuracy
• Integrity and confidentiality
• Accountability

10. FEATURE-LEVEL DATA COLLECTION

This section explains what data is collected by specific Platform features and why such collection is necessary.

Where access to private repositories or restricted Platform components is provided, Personal Data is processed solely for access control, security, and communication purposes.

10.1 Account Registration and Authentication

When you create or access an account, we may collect:

• Username and display name
• Email address and/or phone number
• Password (hashed and salted)
• Authentication tokens and session identifiers
• Account status indicators (verified, private, suspended)

Purpose:

• Account creation and login
• Identity verification
• Security and fraud prevention

Lawful Basis:

• Contractual necessity (GDPR Art. 6(1)(b))
• Consent (DPDP Act)
• Legitimate interests (security)

10.2 Profile and Social Features

When you use profile and social interaction features, we may process:

• Profile photo and bio
• Follower/following lists
• Likes, reactions, and engagement signals
• Privacy preferences
• Blocked or muted user lists

Purpose:

• Enable social interactions
• Display profiles and connections
• Enforce user privacy choices

Lawful Basis:

• Contractual necessity
• Legitimate interests

10.3 Content Creation and Interaction

When you post, comment, message, or otherwise interact, we process:

• Text, images, videos, and audio
• Metadata (timestamps, location tags if enabled)
• Engagement data (views, shares, comments)
• Reports or flags associated with content

Purpose:

• Content hosting and delivery
• Community moderation
• Abuse detection and enforcement

Lawful Basis:

• Contractual necessity
• Legitimate interests
• Legal obligation (where content is unlawful)

10.4 Messaging and Communications

If the Platform offers messaging or communication tools, we may process:

• Message content
• Attachments
• Sender and recipient identifiers
• Timestamps and delivery status

Important:

• Messages may be scanned using automated systems, to the extent permitted by law, for abuse, spam, or legal compliance
• The Company does not guarantee end-to-end encryption unless explicitly stated

Purpose:

• Message delivery
• Safety and abuse prevention
• Legal compliance

Lawful Basis:

• Contractual necessity
• Legitimate interests
• Legal obligation

11. AUTOMATICALLY COLLECTED TECHNICAL DATA

11.1 Device and Log Information

We automatically collect technical data, including:

• IP address
• Device identifiers
• Browser type and version
• Operating system
• Time zone
• Access logs
• Error logs

Purpose:

• Platform functionality
• Security monitoring
• Debugging and performance optimization

Lawful Basis:

• Legitimate interests
• Legal obligation (security logging)

11.2 Usage and Interaction Data

We may collect data relating to how you use the Platform, such as:

• Pages viewed
• Features used
• Interaction frequency
• Session duration
• Clickstream data

Purpose:

• Platform analytics
• Feature improvement
• User experience optimization

Lawful Basis:

• Legitimate interests
• Consent (where required)

12. COOKIES AND TRACKING TECHNOLOGIES

12.1 What Are Cookies

Cookies are small text files placed on your device to enable Platform functionality, preferences, and analytics.

12.2 Types of Cookies Used

We may use the following categories:

Strictly Necessary Cookies

• Authentication
• Security
• Session management

Functional Cookies

• Language preferences
• Display settings

Analytics Cookies

• Usage measurement
• Performance analysis

Advertising Cookies (if applicable)

• Ad relevance
• Campaign measurement

12.3 Cookie Consent

• Strictly necessary cookies do not require consent
• Non-essential cookies require explicit consent where mandated by law
• Users may manage cookie preferences through browser settings or consent tools

• Where required by Applicable Law, cookie consent is obtained through platform interfaces or consent banners prior to the placement of non-essential cookies.

12.4 Similar Technologies

We may also use:

• Local storage
• Web beacons
• Pixels
• SDKs in mobile applications

13. ANALYTICS, TELEMETRY, AND DIAGNOSTICS

13.1 Analytics Data

We may use analytics tools to process:

• Aggregate usage statistics
• Feature adoption metrics
• Error rates
• Performance benchmarks

Data is processed in aggregated or pseudonymized form wherever possible.

13.2 Purpose of Analytics

Analytics data is used solely to:

• Improve Platform performance
• Identify bugs or failures
• Optimize user experience
• Inform product development

13.3 Third-Party Analytics Providers

We may engage third-party analytics providers under contractual obligations that:

• Restrict data usage
• Require security safeguards
• Prohibit independent exploitation of data

Personal Data is not used to train public or third-party artificial intelligence or machine learning models. Any internal use of data for automated systems is limited to platform functionality, security, and improvement purposes, and is subject to Applicable Law.

Nothing in this Privacy Policy permits third parties or Users to use Personal Data, Platform outputs, or technical access for training external AI or ML models, which is expressly restricted under the Terms & Conditions.

14. ADVERTISING AND MARKETING DATA (IF APPLICABLE)

14.1 Use of Third-Party Advertising Services

The Platform may display advertisements provided by third-party advertising networks or partners. These third parties may use cookies, pixels, web beacons, SDKs, or similar technologies to collect information about user interactions with advertisements and the Platform.

14.2 Data Collected by Advertising Partners

Advertising partners may collect certain information, including:

• IP address
• Device identifiers
• Browser and device type
• Interaction with advertisements
• Approximate location data

Such third parties may act as independent data controllers under applicable law and process data in accordance with their own privacy policies.

14.3 Purpose of Advertising Data Processing

Advertising data may be used for:

• Displaying contextual or interest-based advertisements
• Measuring ad performance
• Preventing fraud and abuse
• Improving advertising relevance

14.4 User Choice and Consent

Where required by Applicable Law (including GDPR), we obtain user consent before placing non-essential advertising cookies. Users may withdraw consent or manage preferences through cookie settings or browser controls.

14.5 No Sale of Personal Data

We do not sell Personal Data to third parties. Advertising relationships are limited to service-based integrations and do not constitute a sale of Personal Data.

15. COMMUNICATIONS AND SUPPORT INTERACTIONS

15.1 Support Requests

When you contact support, we may process:

• Contact details
• Issue descriptions
• Attachments
• Communication history

Purpose:

• Resolve issues
• Improve customer support

15.2 Monitoring and Quality Assurance

Support interactions may be reviewed for:

• Training
• Quality control
• Compliance

16. PUBLIC VS PRIVATE INFORMATION

16.1 Public Content

Content posted publicly may be:

• Viewed by other Users
• Indexed by search engines
• Shared by third parties

Users are responsible for managing visibility settings.

16.2 Private Information

Private or restricted content is processed in accordance with selected privacy controls but may still be accessed where:

• Required by law
• Necessary for security or enforcement

17. DATA SHARING AND DISCLOSURE PRINCIPLES

17.1 General Principle

We do not share Personal Data except:

• As described in this Policy
• With your consent
• Where required or permitted by Applicable Law

All data sharing is governed by:

• Purpose limitation
• Data minimization
• Confidentiality obligations

17.2 No Unauthorised Commercial Exploitation

We do not:

• Sell Personal Data
• Rent Personal Data
• Trade Personal Data as a commodity

Any data sharing is strictly tied to Platform operations or legal obligations.

18. DISCLOSURE TO SERVICE PROVIDERS (DATA PROCESSORS)

18.1 Categories of Service Providers

We may share Personal Data with trusted third-party service providers, including:

• Cloud hosting providers
• Content delivery networks (CDNs)
• Email and communication services
• Analytics and monitoring providers
• Customer support tools
• Payment processors (if applicable)
• Security and fraud-prevention vendors
• Advertising networks and monetization partners (e.g., Monetag), where applicable
• Advertising partners may collect device identifiers, IP address, and interaction data strictly for ad delivery, fraud prevention, and performance measurement, subject to contractual safeguards and Applicable Law.

18.2 Processor Obligations

All service providers are engaged under written agreements requiring them to:

• Process data only on our instructions
• Implement appropriate security safeguards
• Maintain confidentiality
• Delete or return data upon termination
• Comply with GDPR and DPDP Act obligations where applicable

18.3 No Independent Use by Processors

Service providers are prohibited from:

• Using Personal Data for their own purposes
• Selling or sublicensing data
• Retaining data beyond contractual necessity

19. DISCLOSURE FOR LEGAL AND REGULATORY PURPOSES

19.1 Legal Compliance

We may disclose Personal Data where required to:

• Comply with Applicable Law
• Respond to court orders, subpoenas, or warrants
• Comply with government directives
• Meet regulatory obligations

19.2 IT Act and Intermediary Compliance

As an intermediary under the Information Technology Act, 2000, we may:

• Remove or disable access to unlawful content
• Preserve information as directed
• Share information with authorized government agencies

Such disclosures shall be limited to the scope legally required.

19.3 Law Enforcement Requests

We may disclose Personal Data to law enforcement agencies when:

• Legally required
• Necessary to investigate fraud, abuse, or security incidents
• Required to protect public safety or national security

Where permitted by law, we may notify Users of such requests.

20. DISCLOSURE IN EMERGENCY SITUATIONS

We may disclose Personal Data without prior notice where necessary to:

• Prevent imminent harm
• Protect life or safety
• Respond to emergencies
• Address credible threats

Such disclosures shall be narrowly tailored.

21. DISCLOSURE IN CORPORATE TRANSACTIONS

21.1 Business Transfers

Personal Data may be disclosed or transferred in connection with:

• Merger
• Acquisition
• Asset sale
• Corporate restructuring
• Bankruptcy or insolvency proceedings

21.2 Safeguards in Transfers

In such events:

• Data shall remain subject to this Policy
• Successor entities must honor existing privacy commitments
• Users shall be notified where required by law

22. DISCLOSURE WITH USER CONSENT

We may share Personal Data with third parties where:

• You have explicitly consented
• You have initiated the sharing
• Sharing is integral to a feature you choose to use

Consent may be withdrawn at any time, subject to legal limitations.

23. AGGREGATED AND ANONYMIZED DATA

23.1 Use of Non-Identifiable Data

We may create and use:

• Aggregated data
• Anonymized data

Such data does not identify individuals and may be used for:

• Research
• Analytics
• Product improvement
• Public reporting

23.2 No Re-Identification

We do not attempt to re-identify anonymized data.

24. INTERNATIONAL DATA TRANSFERS (OVERVIEW)

24.1 Cross-Border Processing

Personal Data may be processed or stored outside your country of residence, including in jurisdictions with different data protection laws.

24.2 Safeguards for Transfers

Where required, cross-border transfers are protected by:

• Adequacy determinations
• Contractual safeguards
• Statutory mechanisms
• Government-approved frameworks

24.3 User Acknowledgement

By using the Platform, you acknowledge and consent to such transfers where lawful.

25. ACCESS BY EMPLOYEES AND AUTHORIZED PERSONNEL

25.1 Internal Access Controls

Access to Personal Data is limited to:

• Authorized employees
• Contractors with legitimate business needs

25.2 Confidentiality Obligations

All personnel are bound by:

• Confidentiality agreements
• Internal data protection policies
• Disciplinary consequences for misuse

26. DATA DISCLOSURE RECORDKEEPING

We maintain internal records of:

• Categories of disclosures
• Legal bases
• Recipients

As required under GDPR accountability and DPDP Act obligations.

27. DATA RETENTION PRINCIPLES

27.1 Storage Limitation

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including:

• Provision of Platform services
• Compliance with legal obligations
• Resolution of disputes
• Enforcement of our Terms and policies
• Security, fraud prevention, and audit requirements

Retention periods are determined based on:

• Nature of the data
• Purpose of processing
• Legal and regulatory requirements
• Risk profile and operational needs

27.2 No Indefinite Retention

Personal Data is not retained indefinitely, except where:

• Required by law
• Subject to a valid legal hold
• Necessary for establishment, exercise, or defense of legal claims

28. DATA RETENTION CATEGORIES AND SCHEDULES

28.1 Account and Profile Data

Includes:

• Username
• Email address / phone number
• Profile photo
• Bio and preferences

Retention:

• Retained for the duration of the active account
• Deleted or anonymized within a reasonable period after account deletion, unless legally required

28.2 User-Generated Content

Includes:

• Posts
• Comments
• Media uploads
• Messages (where applicable)

Retention:

• Retained while the content remains published
• Deleted upon user request or account deletion, subject to:
  • Legal obligations
  • Abuse investigations
  • Preservation requirements

Public content may persist if copied or shared by others.

28.3 Communications and Support Records

Includes:

• Support tickets
• Emails
• In-app communications with support

Retention:

• Retained for customer service and dispute resolution
• Typically retained for 12–36 months after resolution

28.4 Logs, Security, and Technical Data

Includes:

• IP logs
• Access logs
• Error logs
• Audit trails

Retention:

• Retained for 6–24 months, depending on security and compliance needs
• Longer retention where required for fraud detection or legal compliance

28.5 Transactional and Financial Data (If Applicable)

Includes:

• Payment records
• Invoices
• Payout details

Retention:

• Retained as required under applicable tax and financial laws
• Typically 7–10 years, depending on jurisdiction

29. ACCOUNT DELETION AND DATA ERASURE

29.1 User-Initiated Deletion

Users may request account deletion through:

• Account settings
• Designated support channels

Upon valid deletion request:

• Account access is disabled
• Public profile is deactivated
• Content is scheduled for deletion

29.2 Deletion Timelines

Hard deletion means irreversible removal of Personal Data from active production systems and user-accessible environments. Temporary retention in backups or archives does not constitute active processing and is permitted solely for lawful purposes.

Deleted or anonymized without undue delay, and in any case within a reasonable period (generally 30–90 days), unless retention is required by law.

• Legal obligations
• Ongoing investigations
• Security incidents

29.3 GDPR Right to Erasure

Where GDPR applies, Users may exercise the right to erasure under Article 17, subject to statutory exceptions, including:

• Freedom of expression
• Legal compliance
• Public interest
• Legal claims

29.4 DPDP Act Erasure Rights

Under the DPDP Act, Users (Data Principals) may request erasure when:

• The purpose of processing is fulfilled
• Consent is withdrawn
• Processing is unlawful

Subject to lawful retention requirements.

30. ANONYMIZATION AND PSEUDONYMIZATION

30.1 Anonymization

Where feasible, we may anonymize Personal Data so that it:

• Cannot be linked to an identifiable individual
• Is no longer considered Personal Data

Anonymized data may be retained for analytics, research, or reporting.

30.2 Pseudonymization

We may apply pseudonymization techniques, such as:

• Replacing identifiers with tokens
• Separating identity data from usage data

This reduces risk while preserving operational utility.

31. BACKUPS, ARCHIVES, AND DISASTER RECOVERY

31.1 Backup Systems

Personal Data may be stored in:

• Encrypted backups
• Disaster recovery systems

Backups are maintained to:

• Ensure business continuity
• Recover from system failures

31.2 Deletion from Backups

Data deleted from active systems may persist in backups for a limited period.

Such data:

• Is isolated from active use
• Is deleted or overwritten according to backup cycles
• Is not restored except for disaster recovery

31.3 Archival Data

Archived data is:

• Access-restricted
• Used only for legal, audit, or compliance purposes
• Subject to enhanced security controls

32. LEGAL HOLDS AND PRESERVATION

32.1 Legal Hold Obligations

We may preserve Personal Data where required to:

• Comply with court orders
• Respond to regulatory investigations
• Preserve evidence

Such data shall not be deleted until the hold is lifted.

32.2 User Notification

Where legally permitted, Users may be notified of:

• Data preservation
• Delayed deletion

33. STORAGE SECURITY AND LOCATION

33.1 Secure Storage

Personal Data is stored using:

• Secure servers
• Encryption at rest and in transit
• Access controls

33.2 Data Localization (Where Applicable)

Where required by Indian law or sectoral regulations:

• Certain data may be stored within India
• Cross-border transfers are restricted accordingly

34. ACCOUNTABILITY AND AUDIT

We maintain internal documentation regarding:

• Retention schedules
• Deletion workflows
• Compliance measures

As required under GDPR accountability and DPDP Act obligations.

35. USER RIGHTS – OVERVIEW

Users are entitled to exercise certain rights over their Personal Data, subject to Applicable Law. These rights are designed to ensure transparency, control, and accountability in how Personal Data is processed.

Rights may vary depending on:

• Jurisdiction
• Nature of the data
• Legal basis of processing

Nothing in this Policy limits rights that cannot be waived under law.

36. RIGHTS UNDER THE DPDP ACT, 2023 (INDIA)

Under the Digital Personal Data Protection Act, 2023, Users (Data Principals) are entitled to the following rights.

36.1 Right to Access Information

Users have the right to obtain:

• A summary of Personal Data being processed
• The purposes of processing
• Categories of data processed
• Identities of data processors and third parties (where applicable)

Information may be provided in electronic form.

36.2 Right to Correction and Updating

Users may request:

• Correction of inaccurate Personal Data
• Completion of incomplete Personal Data
• Updating of outdated Personal Data

Requests may require verification to prevent misuse.

36.3 Right to Erasure

Users may request erasure of Personal Data where:

• The purpose of processing has been fulfilled
• Consent has been withdrawn
• Processing is unlawful

Erasure is subject to:

• Legal retention requirements
• Ongoing investigations
• Security and fraud prevention needs

36.4 Right to Withdraw Consent

Users may withdraw consent at any time.

Withdrawal:

• Does not affect past lawful processing
• May limit or disable certain Platform features
• May result in account termination where processing is essential

36.5 Right to Nominate Another Person

Users may nominate another individual to:

• Exercise rights on their behalf
• Receive data-related information
• Act in the event of death or incapacity

Nomination mechanisms shall be provided where required.

37. RIGHTS UNDER GDPR (WHERE APPLICABLE)

Where GDPR applies, Users (Data Subjects) have the following rights.

37.1 Right of Access (Article 15)

Users may request:

• Confirmation whether Personal Data is processed
• Access to such data
• Information on processing purposes and recipients

37.2 Right to Rectification (Article 16)

Users may request correction of:

• Inaccurate Personal Data
• Incomplete Personal Data

37.3 Right to Erasure ("Right to be Forgotten") (Article 17)

Users may request deletion of Personal Data where:

• Data is no longer necessary
• Consent is withdrawn
• Processing is unlawful

Subject to statutory exceptions.

37.4 Right to Restriction of Processing (Article 18)

Users may request restriction where:

• Accuracy is contested
• Processing is unlawful
• Data is needed for legal claims

37.5 Right to Data Portability (Article 20)

Where applicable, Users may request:

• A copy of Personal Data
• In a structured, commonly used, machine-readable format
• Transfer to another controller where feasible

37.6 Right to Object (Article 21)

Users may object to processing based on:

• Legitimate interests
• Direct marketing

We shall cease processing unless compelling legitimate grounds exist.

37.7 Rights Related to Automated Decision-Making (Article 22)

Where applicable, Users have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, subject to statutory exceptions.

38. EXERCISING YOUR RIGHTS

38.1 How to Submit Requests

Users may exercise rights through:

• Account settings
• Designated support channels
• Grievance redressal mechanisms

Requests must include sufficient information to verify identity.

38.2 Identity Verification

To protect privacy and security, we may require:

• Account authentication
• Additional verification steps

Failure to verify may result in request denial.

38.3 Response Timelines

We endeavor to respond:

• Within reasonable timeframes
• Within statutory limits where specified by law

Extensions may apply for complex requests.

38.4 Refusal or Limitation of Requests

Requests may be refused or limited where:

• Legally permitted
• Manifestly unfounded or excessive
• Conflicting with legal obligations
• Affecting rights of others

Reasons shall be communicated where required.

39. GRIEVANCE REDRESSAL MECHANISM

This grievance mechanism operates in conjunction with the grievance redressal process described in the Terms & Conditions.

39.1 Grievance Officer

In compliance with Indian law, the Company has appointed a Grievance Officer to address privacy-related concerns.

Details shall be published on the Platform.

39.2 Grievance Submission

Users may submit grievances relating to:

• Data processing
• Rights exercise
• Delayed or denied requests
• Security incidents

39.3 Resolution Timelines

Grievances shall be:

• Acknowledged within 24 hours
• Resolved within 15 days, unless extended by law

39.4 Escalation

Where unresolved, Users may:

• Approach the Data Protection Board of India
• Approach supervisory authorities (GDPR)
• Seek judicial remedies

40. NO RETALIATION

Users shall not be subject to:

• Retaliation
• Discrimination
• Reduced service quality

for exercising lawful privacy rights, except where consequences are inherent to withdrawal of consent.

41. RECORDKEEPING AND ACCOUNTABILITY

We maintain records of:

• Rights requests
• Responses
• Grievance resolutions

As required under GDPR accountability and DPDP Act compliance.

42. DATA SECURITY – OVERVIEW

We implement reasonable and appropriate technical and organizational measures to protect Personal Data against:

• Unauthorized access
• Accidental or unlawful destruction
• Loss
• Alteration
• Disclosure

Security measures are designed based on:

• Nature and sensitivity of data
• Risk profile
• State of the art
• Cost of implementation
• Legal requirements

However, no system is completely secure.

43. TECHNICAL SAFEGUARDS

43.1 Encryption

We use encryption where appropriate, including:

• Encryption in transit (e.g., TLS/HTTPS)
• Encryption at rest for sensitive data
• Secure key management practices

43.2 Access Controls

Access to Personal Data is restricted using:

• Role-based access control (RBAC)
• Least-privilege principles
• Strong authentication mechanisms
• Periodic access reviews

Only authorized personnel may access Personal Data.

43.3 Network and Infrastructure Security

We employ measures such as:

• Firewalls and intrusion detection/prevention systems
• Network segmentation
• Secure server configurations
• Monitoring for suspicious activity

43.4 Application Security

Our security practices may include:

• Secure development lifecycle (SDLC)
• Code reviews
• Vulnerability scanning
• Dependency management
• Patch management

44. ORGANIZATIONAL SAFEGUARDS

44.1 Internal Policies and Training

We maintain internal:

• Information security policies
• Data protection policies
• Incident response procedures

Personnel handling Personal Data receive:

• Periodic privacy and security training
• Role-specific security awareness education

44.2 Confidentiality Obligations

Employees, contractors, and service providers are subject to:

• Confidentiality agreements
• Disciplinary action for violations
• Access termination upon role change or exit

44.3 Vendor Risk Management

Service providers are assessed for:

• Security posture
• Compliance capabilities
• Data protection practices

High-risk vendors may be subject to additional audits or controls.

45. MONITORING, LOGGING, AND AUDITING

45.1 Logging and Monitoring

We maintain logs for:

• System access
• Authentication events
• Administrative actions
• Security incidents

Logs are protected from unauthorized access and tampering.

45.2 Audits and Reviews

Security controls may be:

• Periodically reviewed
• Tested through internal audits
• Updated in response to emerging risks

Audit findings are addressed through remediation plans.

46. INCIDENT RESPONSE AND MANAGEMENT

46.1 Incident Detection

We employ processes to detect:

• Data breaches
• Unauthorized access
• Security vulnerabilities
• System anomalies

Detection may involve automated alerts and human review.

46.2 Incident Response Procedures

Upon identifying a security incident, we may:

• Contain and mitigate the incident
• Assess scope and impact
• Preserve evidence
• Engage internal or external experts

46.3 Documentation

Security incidents are documented, including:

• Nature of the incident
• Data affected
• Response actions taken
• Remediation measures

Documentation supports accountability and regulatory compliance.

47. PERSONAL DATA BREACH NOTIFICATION

47.1 GDPR Breach Notification

Where GDPR applies, we shall:

• Notify the relevant supervisory authority without undue delay
• Notify affected Users where required under Articles 33 and 34
• Provide required information regarding the breach

47.2 DPDP Act Breach Notification

Under the DPDP Act, where applicable:

• We shall notify the Data Protection Board of India
• We shall notify affected Data Principals where mandated

Notifications shall be made in the prescribed manner.

47.3 Exceptions

Notification may not be required where:

• The breach is unlikely to result in harm
• Data was adequately encrypted or protected
• Lawful exceptions apply

48. RISK ASSESSMENT AND MITIGATION

48.1 Risk-Based Approach

Security measures are implemented using a risk-based approach considering:

• Likelihood of harm
• Severity of impact
• Nature of processing activities

48.2 Data Protection Impact Assessments (DPIA)

Where required by law or best practice, we may conduct DPIAs for:

• High-risk processing activities
• New technologies
• Large-scale data processing

49. SECURITY GOVERNANCE AND OVERSIGHT

49.1 Accountability

Responsibility for data security rests with:

• Designated internal teams
• Senior management oversight

49.2 Continuous Improvement

Security controls are continuously improved in response to:

• Technological changes
• Legal developments
• Threat intelligence
• Incident learnings

50. USER RESPONSIBILITIES FOR SECURITY

Users are responsible for:

• Protecting account credentials
• Using strong passwords
• Reporting suspected unauthorized access
• Keeping devices secure

We are not responsible for breaches caused by User negligence.

51. CHILDREN'S PRIVACY AND PROTECTION

Dispute resolution mechanisms relating to the Platform, including arbitration and jurisdiction, are further detailed in the Terms & Conditions.

51.1 Children's Data – General Rule

The Platform is not intended for children below the age permitted under Applicable Law without appropriate consent. We take additional precautions when processing Personal Data relating to minors.

51.2 DPDP Act – Children's Data (India)

Under the Digital Personal Data Protection Act, 2023:

• Processing of children's Personal Data requires verifiable parental or guardian consent, where applicable
• We do not knowingly engage in:
  • Behavioral monitoring of children
  • Targeted advertising directed at children
  • Processing that may cause harm to children

If we become aware that children's data has been collected without valid consent, we shall take steps to delete such data.

51.3 GDPR – Children's Data (EU)

Where GDPR applies:

• The age of digital consent shall be determined by applicable EU Member State law
• Parental authorization may be required for users below the applicable age threshold
• Reasonable efforts shall be made to verify such consent

51.4 Reporting Child Safety Concerns

Users may report concerns related to:

• Child exploitation
• Abuse
• Unsafe interactions

Such reports may be escalated to law enforcement where required by law.

52. INTERNATIONAL USERS AND JURISDICTION

52.1 Global Access

The Platform may be accessed globally. Users accessing the Platform from outside India do so on their own initiative and are responsible for compliance with local laws.

52.2 Governing Law for Privacy Matters

Unless otherwise required by Applicable Law:

• This Privacy Policy shall be governed by the laws of India
• Indian courts shall have jurisdiction, subject to mandatory statutory rights

52.3 EU Users

For Users located in the European Economic Area:

• GDPR rights and protections apply
• Users may lodge complaints with their local supervisory authority

53. POLICY UPDATES AND CHANGES

53.1 Right to Update

We may update this Privacy Policy from time to time to reflect:

• Legal or regulatory changes
• Platform changes
• Security or operational updates

53.2 Notification of Changes

Material changes may be notified through:

• Platform notices
• Email communications
• Updated "Last Updated" date

Continued use of the Platform after updates constitutes acceptance.

54. CONTACT INFORMATION AND STATUTORY DISCLOSURES

54.1 Data Protection and Privacy Contact

For privacy-related questions, requests, or complaints, Users may contact:

Privacy / Data Protection Contact:
Email: support@vibeshared.com

54.2 Grievance Officer (India)

In compliance with the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Platform has designated a Grievance Officer

• Designation: Grievance Officer – Vibeshared
• Address: India (Correspondence via email only)
• Email: support@vibeshared.com
• Response Time: Acknowledgment within 24 hours and resolution within 15 days

54.3 Supervisory Authorities

Users may also contact:

• Data Protection Board of India (for DPDP Act matters)
• Relevant EU supervisory authority (for GDPR matters)

55. NO WAIVER OF STATUTORY RIGHTS

Nothing in this Privacy Policy limits or waives:

• Rights granted under the DPDP Act
• Rights granted under GDPR
• Rights under any applicable consumer or data protection law

Statutory remedies remain fully available.

56. SEVERABILITY

If any provision of this Privacy Policy is held to be invalid or unenforceable:

• Such provision shall be severed or modified to the minimum extent necessary
• Remaining provisions shall remain in full force and effect

57. ENTIRE PRIVACY POLICY

This Privacy Policy:

• Forms part of the Platform's legal framework
• Must be read together with the Terms & Conditions
• Supersedes prior privacy notices relating to the Platform

58. USER ACKNOWLEDGEMENT AND ACCEPTANCE

By accessing or using the Platform, you acknowledge that:

• You have read and understood this Privacy Policy
• Where required by law, you provide consent for the collection and processing of Personal Data through explicit platform mechanisms
• You understand your rights and available remedies

59. EFFECTIVE DATE

This Privacy Policy is effective as of:

Effective Date: 2 February 2026