Your privacy is important to us
This Privacy and Data Protection Policy ("Policy") sets out how ImpactPlus Ventures ("ImpactPlus" or "the Company") collects, uses, stores, and protects personal data across all its operations. It applies to all personal data processed by ImpactPlus, whether relating to external users of our platforms, customers, business partners, or internal personnel (including employees and contractors). The Policy is designed to comply with applicable Indian laws, including the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000 (together with relevant rules), as well as globally accepted privacy principles. All ImpactPlus staff and any third parties handling personal data on our behalf are required to adhere to this Policy.
Wherever ImpactPlus is party to a Master Service Agreement (MSA) or similar contract with a client, partner, or service recipient, the terms of that MSA regarding personal data processing shall govern in the event of any conflict with this Policy. In particular, if an MSA allocates specific responsibilities or liabilities for data protection between ImpactPlus and the other party, or provides additional safeguards, those MSA terms will take precedence. This Policy will otherwise apply to all data processing activities, unless expressly overridden by the MSA.
ImpactPlus handles personal data in accordance with core data protection principles: We process data lawfully, fairly, and transparently; we collect data only for specific, explicit and legitimate purposes and refrain from using it in ways incompatible with those purposes; we collect only as much personal data as is adequate and relevant for the intended purpose (data minimization); we take reasonable steps to ensure personal data remains accurate and up-to-date; we do not retain personal data longer than necessary for the purposes stated (storage limitation); we secure personal data with appropriate safeguards to prevent unauthorized access or breaches; and as the data fiduciary (data controller), ImpactPlus remains accountable for all personal data processing under its control.
ImpactPlus will collect personal data only by lawful and fair means and only to the extent necessary for its operational and business purposes. The types of personal data we collect may include, for example: contact information (such as name, email, phone number), identification details, professional or business information, usage data from our website or platform, and any other data you voluntarily provide to us. Whenever feasible, personal data will be collected directly from the individual (data principal) concerned. If we need to collect personal data from third parties or public sources, we will ensure we have a legitimate basis for doing so and, where required, we will obtain the individual's consent. We do not collect any more data than is pertinent to the specified purpose, and sensitive personal data (such as financial information, health information, etc.) is collected only when absolutely necessary and with appropriate safeguards and consents.
Personal data collected by ImpactPlus will be used solely for the purposes communicated at the time of collection or for closely related purposes that would be reasonably expected by the data subject. Such purposes may include: providing and personalizing our services or platform features for users; performing our contractual obligations to clients and partners; communicating with individuals about our services, updates, or responding to inquiries; improving and developing our products, including enhancing algorithms or AI tools (with appropriate safeguards and, where required, consent); marketing and promotional activities (only in accordance with applicable consent requirements); compliance with legal obligations or regulatory requirements; protection of ImpactPlus's legal rights or the rights and safety of others. We will not use personal data for any new purpose that is incompatible with the original purposes unless we obtain fresh consent from the individual or have an alternative lawful basis recognized under applicable law.
ImpactPlus will ensure that all processing of personal data is justified by a lawful basis. In most cases, the primary basis will be the informed consent of the data principal. Where consent is relied upon, it will be obtained through a clear affirmative action and will be free, specific, informed, and unambiguous, covering the specific purposes of processing. Individuals have the right to withdraw consent at any time, and ImpactPlus will honor such withdrawals promptly (with the understanding that withdrawal does not affect the legality of past processing). In certain situations, ImpactPlus may process personal data without explicit consent if an alternative lawful basis applies under applicable law – for example, if the processing is necessary for the performance of a contract to which the individual is a party or a service they have requested, for compliance with a legal obligation, for an emergency involving the individual's life or safety, or for other "legitimate uses" recognized by the DPDP Act (such as in employment contexts or other specific scenarios). Whenever we process data without consent, we will ensure that such processing is permitted by law and will inform individuals as required.
To enhance user experience, facilitate Platform functionality, personalize content, and analyze usage patterns, the Platform operated by ImpactPlus Ventures LLP ("we", "our", or "Service Provider") utilizes cookies and similar tracking technologies such as web beacons, pixels, session identifiers, analytics tools, and third-party SDKs.
These technologies are used to:
We classify cookies into the following categories:
The Company may deploy third-party analytics or advertising tools, including but not limited to:
Such third parties may use their own tracking mechanisms, governed by their respective privacy policies. Clients and Users are encouraged to review those policies directly.
We reserve the right to periodically update the categories of cookies used or revise this policy based on evolving legal standards or technology. All updates will be notified through the Platform interface, and continued usage shall signify acceptance.
ImpactPlus will not disclose or share personal data with any third party except as permitted by this Policy and applicable law. Third-party disclosures may occur under these circumstances: (a) to service providers, vendors, or consultants who process data on our behalf (processors) and under our instructions, pursuant to strict confidentiality and data protection agreements; (b) to business partners or clients as needed for providing our services or as part of joint activities (for example, if our platform is used in a project with a partner, relevant data may be shared with that partner under appropriate safeguards); (c) where the data principal has explicitly consented to or requested such sharing; (d) if required by law or pursuant to an order of a competent authority or court (in which case we will only share what is legally necessary and inform the individual if allowed); (e) in connection with a corporate transaction such as a merger, acquisition, or asset sale, in which case the receiving party will be bound to honor the same standards of data protection. In all cases of third-party disclosure, ImpactPlus will ensure, through contractual or other legally enforceable arrangements, that the third party upholds data protection standards equivalent to those of this Policy. We will never sell personal data to third parties for their own marketing or other independent use without explicit consent.
Whenever ImpactPlus engages a third-party service provider to process personal data on our behalf (as a "data processor" or sub-processor), we will conduct due diligence to ensure that the vendor is capable of maintaining the security and privacy of the data to the standards required by law and this Policy. ImpactPlus will enter into a binding contract or data processing agreement with each such third party, mandating (at a minimum) that the service provider: processes personal data only on ImpactPlus's documented instructions and for the purposes we specify; uses appropriate technical and organizational security measures to safeguard the data; ensures that persons accessing the data are bound by confidentiality; does not further disclose or subcontract the data to other parties without authorization; and assists ImpactPlus in meeting our compliance obligations (for example, by enabling audits or helping us address data subjects' rights and breach response, as needed). ImpactPlus remains responsible and liable for the protection of personal data even when it is processed by our vendors, and we will monitor and enforce our vendors' compliance. If any vendor or sub-processor fails to comply with required standards, ImpactPlus will take prompt remedial action, including the possibility of suspension or termination of the service relationship.
ImpactPlus may, for the purposes outlined in this Policy, transfer personal data to jurisdictions outside of India. Any such cross-border transfer will be carried out in compliance with applicable laws and regulations. In particular, we will ensure that the destination country or organization is not restricted by the Indian government for such transfers, or alternatively, that appropriate safeguards are in place (such as standard data protection clauses, intra-group data transfer agreements, or an adequacy decision/whitelisting by authorities, as applicable). ImpactPlus will inform data principals of cross-border transfers in our privacy notices, and, where required by law or contract, will obtain consent for such transfers. We remain responsible for the protection of personal data during international transit and at the overseas destination. ImpactPlus will take all reasonable steps to ensure that any personal data transferred out of India continues to receive a standard of protection comparable to that under Indian law, including the DPDP Act. Cross-border transfers will be limited to what is necessary, and we will comply with any government notifications designating certain countries or regions as prohibited or sensitive for data transfers.
ImpactPlus implements and maintains appropriate technical and organizational security measures to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction. Such measures include, but are not limited to: access control mechanisms to ensure only authorized personnel with a need-to-know can access personal data; encryption of personal data in transit and at rest, where applicable; secure development practices and regular security testing of our platform and applications; firewalls, intrusion detection systems, and monitoring of systems for potential vulnerabilities or attacks; periodic risk assessments and audits of our information security practices; and employee training programs emphasizing confidentiality and data protection. For any personal data classified as sensitive or critical, ImpactPlus adheres to more stringent security standards (potentially including industry-standard certifications or frameworks, such as ISO/IEC 27001, if applicable, as "reasonable security practices"). We also require similar security commitments from any third-party processors handling personal data on our behalf. All security measures are periodically reviewed and updated to respond to evolving threats. In the unfortunate event of a security incident or breach, ImpactPlus has an incident response plan to contain and mitigate the issue and will invoke notification and remedial actions as described elsewhere in this Policy.
ImpactPlus retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with applicable legal, accounting, or reporting requirements. We have defined retention periods for various categories of data based on business needs and legal obligations. Once the applicable retention period expires, or if personal data becomes irrelevant or excessive for the intended purposes, we will either securely delete or anonymize the data, unless a legitimate reason exists to retain it longer (such as a legal obligation to preserve records or an ongoing dispute or investigation). In cases where we rely on consent for data processing and the consent is withdrawn, we will erase the personal data related to that consented purpose (provided no other lawful basis justifies continued retention). ImpactPlus maintains a Data Retention Schedule and deletion protocols to ensure systematic and secure disposal of data. Data deletion includes removal from active systems and, where practicable, from backups and archives. Individuals' requests for deletion of their personal data will be honored in accordance with legal rights and Section 13 of this Policy. Overall, we ensure that personal data is not kept indefinitely without justification.
Under this Policy and in accordance with applicable law, individuals (data principals) have the following rights regarding their personal data held by ImpactPlus:
ImpactPlus will not charge individuals for exercising these rights and will respond to eligible requests within the timeframes prescribed by law (for instance, within any timeline set by the DPDP Act or IT rules). To exercise your rights, you may contact us as described in the Grievance Redressal section of this Policy. We may need to verify your identity before fulfilling certain requests and may deny requests that are unreasonable or not legally required, but we will provide an explanation in such cases.
ImpactPlus may use artificial intelligence (AI) or automated systems as part of its services or internal processes. In any cases where AI is used to make decisions that significantly affect individuals, we will ensure appropriate safeguards are in place. Specifically:
Any deployment of AI in processing personal data will follow the principles of privacy by design and accountability.
In the unfortunate event of a personal data breach (meaning a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data), ImpactPlus will promptly activate its data breach response procedures. We will contain and investigate the incident to understand scope, cause, and impact. If the breach is likely to result in significant harm to data principals, ImpactPlus will notify the affected individuals and the relevant authorities as required by law. In particular, any notifiable breach will be reported to the Data Protection Board of India (or designated regulatory body under the DPDP Act) within the timeline and format prescribed by regulations. Affected individuals will be informed of the general nature of the breach, the personal data compromised (in general terms), and any steps they should take to protect themselves. ImpactPlus will provide contacts for further information and assistance as part of the notification. We will also take immediate steps to mitigate the breach's effects and prevent future occurrences, such as patching vulnerabilities, recovering data from backups, and improving security measures. All breaches and responses will be documented, and root cause analysis will be conducted. ImpactPlus's breach response policy aligns with Indian legal requirements (including obligations under the DPDP Act and IT Act/CERT-In rules) and industry best practices. We are committed to full cooperation with regulatory agencies and to transparent communication with our users and clients in the event of a breach.
The Client may request termination of Platform access by providing a written notice to the Service Provider in accordance with the notice provisions of the Master Service Agreement ("MSA"). Upon termination, the Client may also request permanent deletion of all Client Data, AI Outputs, user accounts, and associated metadata stored on the Platform, subject to any statutory or contractual retention obligations. The Service Provider shall honor such requests within thirty (30) days, unless a longer retention period is legally required or expressly agreed in the Work Statement or applicable Annexure. The Client acknowledges that termination shall not relieve it of its obligations relating to outstanding payments, confidentiality, or indemnities that survive termination under the MSA.
The Service Provider may suspend or terminate the Client's access to the Platform (in whole or in part) without liability in the event of: (i) material breach of the Platform Terms or MSA; (ii) legal or regulatory mandate; (iii) use of the Platform for prohibited, harmful, or unethical purposes; or (iv) risk of compromise to Platform security or integrity. In such cases, the Service Provider shall, where feasible, provide reasonable prior notice to the Client. Upon such termination, the Service Provider shall provide the Client with a thirty (30) day period to retrieve its data, after which all Client Data and AI Outputs shall be permanently deleted, subject to applicable legal obligations. The Client acknowledges and agrees that following final deletion, no further recovery shall be possible.
The Company may engage third-party service providers and SaaS platforms (such as cloud hosting, analytics tools, CRMs, and email automation platforms) in the course of delivering its services. All such subprocessors are contractually bound by data protection terms consistent with applicable law and this Privacy Policy, including confidentiality obligations, restricted use of data, and security controls. A complete list or classification of third-party subprocessors, including infrastructure and communication vendors, may be provided upon written request or as annexed in the Master Service Agreement (MSA) or relevant Work Statement.
The Platform may also offer integrations or interoperability with external services including, but not limited to, Google, Zoom, LinkedIn, Microsoft, or Notion. The Company is not responsible for the data processing practices, privacy controls, or terms of use of such third-party platforms. Users are encouraged to review the respective privacy policies and usage terms of any external service they choose to connect with or access through the Platform. Any data shared with such third-party platforms shall be governed exclusively by their respective terms and not by this Policy.
The Platform is not intended for use by children below the age of 18. The Company does not knowingly collect, process, or store any personal data relating to minors. If it is discovered that data of a minor has been inadvertently collected, such data shall be permanently deleted upon verification. In the event that the Platform is lawfully accessed by minors under any skill development or educational initiative, such access shall only be permitted with verified parental consent in compliance with the applicable provisions of the Digital Personal Data Protection Act, 2023 (DPDP Act).
To enhance security, prevent misuse, and comply with legal obligations, the Platform may implement identity verification or Know Your Customer (KYC) protocols where appropriate. Such verification may involve collection of limited identifiers such as masked Aadhaar, PAN details, professional licenses, or institutional authorizations. The data so collected shall be processed only for the purpose of identity authentication, fraud prevention, and access control, and retained only for as long as necessary to fulfil such purpose. These measures are implemented in accordance with Clause [•] of the Master Service Agreement (MSA) and any applicable Work Statement.
For AI model enhancement, analytics, and service improvement purposes, the Platform may process data in an anonymized or aggregated form. All such data is stripped of identifiable elements and subjected to appropriate safeguards to prevent re-identification. This includes removing direct identifiers, using tokenization or hashing, and implementing usage boundaries as per industry standards. The Company affirms that anonymized or aggregated data shall not be used to infer individual identities and shall fall outside the scope of personal data under the DPDP Act. This processing is referenced in the "Use of Data" and "AI and Outputs" clauses of the MSA.
In the event of a change in control, merger, platform discontinuation, or bankruptcy, the Company undertakes to provide Clients with a reasonable notice period to retrieve all Client Data and platform outputs. Data survivability protocols shall be followed, and secure deletion will be carried out after disengagement, unless otherwise required by law or agreed in the Work Statement. Additionally, in response to lawful requests from government or law enforcement agencies, the Company shall only disclose user data upon receipt of valid legal process or mandate, and where permissible, shall notify the concerned Client or Data Principal prior to disclosure. By default, all personal data is stored in secure servers within India, and cross-border data transfers, if any, shall strictly comply with directions issued under the DPDP Act or other regulatory frameworks.
ImpactPlus maintains a robust internal governance framework for data protection to ensure accountability and compliance throughout the organization. A Data Protection Officer (DPO) or equivalent responsible officer is designated by ImpactPlus to oversee privacy compliance, advise on data protection obligations, and act as a point of contact for data principals and regulators. The DPO (or designated Grievance Officer under the IT Act) can be reached at the contact information provided in Section 21 of this Policy. ImpactPlus conducts regular privacy and security audits and assessments (at least annually, and additionally as needed) to evaluate compliance with this Policy and applicable laws. We perform risk assessments for new projects or processes involving personal data (for example, privacy impact assessments for high-risk processing or new AI deployments) to ensure appropriate safeguards are built in from the start. All ImpactPlus employees and contractors who handle personal data are subject to confidentiality obligations and receive training on data protection principles and procedures. We have instituted internal policies (such as acceptable use policies, access control policies, and data handling guidelines) that align with this Policy. Employee access to personal data is restricted based on role and necessity (role-based access control), and any misuse of personal data by staff may result in disciplinary action, including termination. ImpactPlus's leadership and board (where applicable) endorse this Policy and allocate resources to its effective implementation. We also maintain required records of processing activities and cooperate fully with regulatory authorities in the event of inquiries or inspections. In summary, ImpactPlus fosters a culture of privacy and has clear organizational accountability for data protection, ensuring that compliance is not just a formality but an integral part of our operations.
ImpactPlus is committed to addressing any questions, concerns, or complaints related to personal data promptly and effectively. If you have a grievance regarding your privacy or how your personal data has been handled under this Policy, or if you wish to exercise any of your rights, you may contact our Office with the concern.
Name: Mihir Joshi
Email: growth@impactplus.co.in
Phone: +91-8401192901
Address: D 1009, Titanium City Centre Corporate offices, 100 ft ringroad, Anandnagar, Satellite, Ahmedabad-380015, Gujarat, India.
The Grievance Cell is available to investigate and resolve your concerns in a fair and expeditious manner. Upon receiving a complaint or inquiry, we will acknowledge it and strive to resolve it within an appropriate timeframe (for example, within 30 days or as mandated by law). If you are not satisfied with the response from our Grievance Officer, and if applicable under the DPDP Act, you may escalate the matter to the Data Protection Board of India or the relevant statutory authority. ImpactPlus will cooperate fully with such authorities in addressing any complaints. Additionally, for general questions about this Policy or ImpactPlus's data practices, you can contact the DPO via the contact details above. We encourage individuals to contact us directly so that we have the opportunity to resolve any issues.
ImpactPlus may review and update this Privacy and Data Protection Policy from time to time to reflect changes in our practices, legal requirements, or for any other operational, legal, or regulatory reasons. If we make material changes to this Policy, we will provide prominent notice (e.g., via our website or by email communication, where appropriate) to inform users and relevant parties of the change. The "effective date" at the end of this Policy indicates when the Policy last came into effect. We encourage you to periodically review this Policy to stay informed about how we are protecting your information. In the event that any update to this Policy would fundamentally change the nature of our processing or materially broaden how we share or use personal data (beyond what is stated at collection), we will seek re-consent from individuals if required by law. Continued use of our services or engagement with us after any Policy update signifies acceptance of the revised Policy, to the extent permitted by law. However, we will not reduce your rights under this Policy without your explicit consent.
Effective Date: 2nd October 2025
This Policy is effective as of the date above and supersedes all previous versions. All clauses of this Policy shall be read in conjunction with the Master Service Agreement or any applicable service terms, and in case of any queries or clarifications, kindly reach out to the Data Protection Officer at the contact provided.