This Privacy Policy (the “Policy”) describes how BytePhase Technologies Private Limited (“BytePhase”, “We”, “Us”, or “Our”) collects, uses, stores, discloses, and otherwise processes Personal Data in connection with the website www.bytephase.com (the “Website”), the BytePhase repair-shop management software, the BytePhase API, and any related products or services (collectively, the “Services”).

This Policy is issued in compliance with the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, of India (“DPDP Act”), and to the extent applicable, the GDPR, the UK GDPR, the CCPA/CPRA, the LGPD, the Saudi PDPL, and other applicable data-protection laws (each, an “Applicable Data Protection Law”).

This Policy forms part of, and should be read together with, Our Terms and Conditions. Capitalised terms used but not defined in this Policy have the meanings given to them in the Terms and Conditions.

By using the Services, You acknowledge that You have read and understood this Policy. If You do not agree with this Policy, please do not use the Services.

2.1   Scope

This Policy applies to Personal Data that We process in three distinct capacities. Different sections of this Policy will apply depending on Your relationship with BytePhase.

2.2   When We Act as Data Controller / Data Fiduciary

We act as a Data Controller (also referred to as a Data Fiduciary under DPDP Act, or a Business under CCPA/CPRA) with respect to:

• Personal Data of visitors to the Website;
• Personal Data of prospective customers, leads, and persons who contact Us through forms, demo requests, marketing campaigns (including WhatsApp, email, telephone), or events;
• Personal Data of Our subscribers and the authorised users of subscribers (including names, email addresses, phone numbers, billing details, and login credentials);
• Personal Data collected automatically through cookies, analytics tools, and similar technologies, as described in Section 12.

2.3   When We Act as Data Processor

We act as a Data Processor (also referred to as a Data Operator under LGPD, a Data Intermediary under Singapore PDPA, or a Service Provider under CCPA/CPRA) with respect to Personal Data that Our subscribers (“Customers”) upload to the Services about their own end-customers, employees, suppliers, and other third parties (“Customer Data”). When We act as a Processor, the Customer is the Controller and is responsible for determining the lawful basis, providing privacy notices, and honouring data-subject rights. Our processing of Customer Data is governed by the Data Processing Terms in Section 10 of the Terms and Conditions, which are incorporated into this Policy by reference.

2.4   When This Policy Does Not Apply

This Policy does not apply to: (a) Personal Data processed by Our Customers within the Services in their capacity as Controllers — Customers are responsible for providing their own privacy notices to their end-customers; (b) websites or services operated by third parties that may be linked from the Website; or (c) any product or service expressly subject to a separate privacy notice.

• “Personal Data” means any information relating to an identified or identifiable natural person, including “personal information” under CCPA/CPRA, “personal data” under GDPR and DPDP Act, and equivalent terms under other Applicable Data Protection Laws.
• “Sensitive Personal Data” means special categories of Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation, financial information, identification documents, criminal-conviction data, and any other data classified as sensitive under Applicable Data Protection Law.
• “Data Subject / Data Principal / Consumer” means the natural person to whom Personal Data relates.
• “Processing” means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, transmission, restriction, erasure, or destruction.
• “Sub-processor” means any third party engaged by BytePhase to process Personal Data on Our behalf.

BytePhase Technologies Private Limited is a private limited company incorporated under the Companies Act, 2013, with its registered office at:

Office 402, Speciality Business Centre, 4th Floor, Opp. SKP Campus, Moze College Road, Balewadi, Pune – 411045, Maharashtra, India

• CIN: U72900PN2020PTC192751
• GSTIN: 27AAJCB1677J1ZC

Our key contacts for privacy and data-protection matters are listed in Section 18 of this Policy.

5.1   Categories of Personal Data

Depending on Your interaction with Us, We may collect the following categories of Personal Data:

5.2 Sensitive Personal Data

We do not intentionally collect Sensitive Personal Data about You as a Controller. However, the Services include optional features that allow Customers (acting as Controllers) to upload data such as bank account details, government-issued identification numbers, tax identifiers, and (where applicable) device-related data of their end-customers. Customers are solely responsible for the lawful basis, accuracy, and security implications of uploading such data.

5.3 Personal Data We Do Not Collect

We do not knowingly collect: (a) Personal Data of children under the age of 18 years (see Section 13); (b) full payment-card numbers (these are processed and stored by Our PCI-DSS compliant payment gateway); or (c) precise geolocation data of Data Subjects (other than approximate location derived from IP address for security and analytics purposes).

5.4 Mobile Application Permissions and Device Data

When You install and use the BytePhase mobile application (Android/iOS), We may, with Your prior in-app disclosure and explicit operating-system-level consent, access and Process the

following categories of device data. None of this data is collected without Your active permission grant. You may revoke any of these permissions at any time through Your device settings (Settings → Apps → BytePhase → Permissions); the App will continue to function, but features that depend on the revoked permission will be unavailable.

5.4.1 Location Data

Categories collected:

(a) Precise location (GPS coordinates);

(b) Approximate location (network-, Wi-Fi-, or cell- tower-based);

(c) Foreground and background location while a pickup or delivery trip is active.

Trigger: Location data is captured only after You start a pickup or delivery trip from inside the App. Background tracking continues until You mark the trip complete or cancel it, and stops automatically thereafter. Location is not collected when no trip is active and is not collected for users who do not perform pickup/delivery duties.

Purposes:

(a) Computing the route from Your current position to the customer’s pickup or drop-off address;

(b) Sharing Your live location with the customer assigned to the active trip so they receive accurate arrival estimates;

(c) Generating estimated time of arrival (“ETA”);

(d) Recording the trip route and final position as proof of service for dispute resolution.

5.4.2 Camera and Photos

Categories collected: Photographs, video frames, and barcode/QR images captured by You via the in-App camera

interface.

Trigger: Only when You actively tap a camera control inside the App (e.g., capture device condition photo, attach image to a comment, photograph an expense receipt, scan a part barcode). The App does not access the camera in the background.

Purposes: Documenting device condition for repair jobs, attaching evidence to customer communications, capturing expense receipts for accounting, and scanning part or inventory barcodes.

5.4.3 Push Notifications

Categories collected: A Firebase Cloud Messaging (“FCM”) device token issued by Google Firebase, which uniquelyidentifies Your device for the purpose of receiving push alerts.

Trigger: When You grant the notification permission during onboarding. The token is automatically rotated by the operating system and updated on Our servers.

Purposes: Delivering account-related alerts including payment receipts, customer comments, quotation approvals/rejections, new job/pickup/delivery assignments, business summaries, and one-time passwords (OTPs).

5.4.4 Storage and Photo Library (Android 12 and below only)

On Android 12 and earlier We request read/write external storage permission so the App can save captured images and read selected images for upload. On Android 13 and later, We use the scoped Photo Picker API and do not request broad storage access.

We process Personal Data only where We have a valid legal basis under Applicable Data Protection Law. The table below describes Our purposes of processing and the corresponding legal bases under the GDPR (which We apply globally to the extent compatible with local law) and the DPDP Act.

6.1   Where Processing Is Based on Consent

Where We rely on Your consent, You may withdraw it at any time by contacting Us using the details in Section 18 or by using the unsubscribe mechanism in marketing emails. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

6.2   Where Processing Is Based on Legitimate Interests

Where We rely on Our legitimate interests, We have conducted a balancing test to ensure that Our interests are not overridden by Your interests, rights, and freedoms. You have the right to object to such processing, as set out in Section 11.

6.3   No Automated Decision-Making with Legal Effects

We do not use Personal Data to make decisions based solely on automated processing that produce legal effects concerning You or similarly significantly affect You within the meaning of Article 22 GDPR or equivalent provisions of other Applicable Data Protection Law.

We do not sell, rent, or trade Personal Data. We share Personal Data only as described below.

7.1 Sub-processors

We engage carefully selected third-party service providers (“Sub-processors”) to assist Us in providing the Services. Categories of Sub-processors include:

• Cloud-hosting providers (currently Amazon Web Services, Mumbai region);
• Payment processors and gateways;
• Email-delivery providers;
• SMS, WhatsApp, and other messaging gateway providers;
• Customer-support and helpdesk software providers;
• Web analytics and product analytics providers;
• Security, monitoring, and logging service providers.

A current list of Our Sub-processors, including their identities and processing locations, is published at www.bytephase.com/legal/sub-processors (or such other URL as We may notify from time to time). Each Sub-processor is bound by written contractual obligations to process Personal Data only on Our instructions and to maintain appropriate security measures.

7.2 Affiliates and Group Companies

We may share Personal Data with Our affiliates and group companies, where applicable, for the purposes set out in Section 6, and subject to obligations of confidentiality and data protection no less protective than those set out in this Policy.

7.3 Professional Advisors

We may disclose Personal Data to Our professional advisors, including legal counsel, auditors, accountants, and insurers, where reasonably necessary and subject to confidentiality obligations.

7.4 Legal and Regulatory Disclosures

We may disclose Personal Data to law-enforcement authorities, regulators, courts, and other governmental bodies where We are required to do so by law or in response to a valid legal request. Where lawful, We will challenge requests that are overbroad or otherwise unlawful.

7.5 Business Transfers

In the event of a merger, acquisition, restructuring, sale of assets, financing, or insolvency, Personal Data may be transferred to the relevant counterparty as part of the transaction, subject to appropriate confidentiality and data-protection obligations. We will notify You of any such transfer where required by Applicable Data Protection Law.

7.6 With Your Consent

We may share Personal Data in any other manner with Your prior consent.

7.7 No Sale or Sharing of Personal Information (CCPA/CPRA)

We do not “sell” or “share” Personal Information within the meaning of CCPA/CPRA, and We have not done so in the preceding twelve (12) months. We do not “sell” Personal Information of consumers under the age of sixteen (16). For the purposes of CCPA/CPRA, “share” includes sharing for cross-context behavioural advertising, which We do not engage in.

7.8 Mobile Application Data Sharing

The data described in Section 5.4 is shared as follows:

(a) Live location (Section 5.4.1): During an active pickup or delivery trip, Your live coordinates are transmitted in real time to the customer assigned to that specific trip, and only for the duration of that trip. Live location is not visible to other customers, other tenant users outside the dispatch role, advertisers, data brokers, analytics providers, or any other third party.

(b) Photographs (Section 5.4.2): Images You capture are visible to users within Your tenant workspace who hold the appropriate role-based permission, and to the customer the image is explicitly attached to (e.g., a job comment shared with the customer through the BytePhase tenant portal). Images are not shared with advertisers or third parties.

(c) FCM device tokens (Section 5.4.3): Tokens are used solely to deliver push alerts to Your own device through Google Firebase. Tokens are not shared with advertisers or other third parties.

We do not use any data described in Section 5.4 for advertising, profiling, behavioural targeting, or any purpose other than fulfilling the specific feature You initiated.

BytePhase is established in India, and Our infrastructure is hosted on Amazon Web Services in the Mumbai (India) region. Personal Data You provide to Us is therefore transferred to and processed in India. Some of Our Sub-processors may also be located in other countries.

8.1   Transfers from the European Union and EEA

Where Personal Data is transferred from the EU/EEA to a country outside the EU/EEA that has not been recognised as providing an adequate level of data protection by the European Commission, We rely on the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 (“SCCs”) and supplementary measures where required following Schrems II. The SCCs and supplementary information are available on request.

8.2   Transfers from the United Kingdom

Where Personal Data is transferred from the UK to a country that has not been recognised as providing an adequate level of data protection, We rely on the UK International Data Transfer Agreement or the UK Addendum to the SCCs issued by the Information Commissioner’s Office.

8.3   Transfers from Other Jurisdictions

Where Personal Data is transferred from other jurisdictions with cross-border transfer restrictions (including, where applicable, Brazil, Saudi Arabia, Switzerland, the UAE, China, and others), We rely on the lawful transfer mechanism prescribed by the law of the originating jurisdiction, which may include standard contractual clauses, Your consent, contractual necessity, or supervisory-authority approval.

8.4   India — DPDP Act

Where Personal Data of Data Principals in India is transferred outside India, such transfers are made in accordance with Section 16 DPDP Act 2023 and any notifications issued by the Central Government from time to time.

8.5   Copies of Transfer Mechanisms

You may obtain a copy of the relevant safeguards by contacting Us at support@bytephase.com.

We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, regulatory, or reporting requirements. The retention periods set out below are indicative, and the actual retention period may vary based on the specific facts and applicable law.

At the end of the applicable retention period, We will securely delete, anonymise, or de-identify the Personal Data, unless retention is required by law.

9.1 Mobile App Data Retention

(a) Location coordinates captured during a trip are retained for ninety (90) days after trip completion for audit and dispute-resolution purposes, after which they are automatically and permanently deleted.

(b) Photographs attached to a job, comment, or expense are retained for the lifetime of the parent record. When the parent record is deleted (or the tenant workspace is closed), attached images are permanently deleted within thirty (30) days.

(c) FCM device tokens are deleted automatically when You revoke the notification permission, uninstall the App, or after thirty (30) days of inactivity, whichever occurs first.

You may request earlier deletion of any data referred to in this Section 9.x by contacting Us at support@bytephase.com.

We have implemented appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

• Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
• Role-based access controls and the principle of least privilege;
• Multi-factor authentication for administrative access;
• Network segmentation, firewalls, and intrusion-detection systems;
• Continuous monitoring, logging, and audit trails;
• Periodic vulnerability scans and penetration testing;
• Secure software-development lifecycle, including code review and dependency scanning;
• Mandatory data-protection and security training for personnel;
• Written confidentiality undertakings from personnel and Sub-processors;
• Documented incident-response, business-continuity, and disaster-recovery plans;
• Regular backups with tested restore procedures.

No method of transmission over the internet or method of electronic storage is one hundred percent (100%) secure. While We strive to use commercially acceptable means to protect Personal Data, We cannot guarantee absolute security. You are responsible for keeping Your login credentials confidential and for using strong passwords.

Subject to the Applicable Data Protection Law, You have the following rights with respect to Your Personal Data. Where We act as a Processor on behalf of a Customer, You should direct rights requests to that Customer (the Controller); We will assist the Customer in responding.

11.1   Rights Available Across Most Jurisdictions

• Right of access: to obtain confirmation of whether We process Your Personal Data and a copy of such data;
• Right to rectification / correction: to have inaccurate or incomplete Personal Data corrected or completed;
• Right to erasure / deletion: to have Your Personal Data erased in certain circumstances;
• Right to restriction of processing: to require Us to restrict processing in certain circumstances;
• Right to data portability: to receive Your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another controller;
• Right to object: to object to processing based on legitimate interests or for direct marketing;
• Right to withdraw consent: where processing is based on consent;
• Right to lodge a complaint: with a competent supervisory or data-protection authority.

11.2   India — DPDP Act, 2023

If You are a Data Principal under the DPDP Act, You have the rights of access, correction and erasure, the right of grievance redressal, and the right to nominate another individual to exercise Your rights in the event of Your death or incapacity, in accordance with Sections 11 to 14 of the DPDP Act.

11.3   European Union and EEA — GDPR

If You are a Data Subject in the EU or EEA, You have the rights set out in Articles 15 to 22 GDPR. You also have the right to lodge a complaint with the supervisory authority in Your Member State of residence, place of work, or place of the alleged infringement.

11.4   United Kingdom — UK GDPR

If You are a Data Subject in the UK, You have the rights set out in the UK GDPR and the Data Protection Act 2018. You may lodge a complaint with the ICO at ico.org.uk.

11.5   California — CCPA/CPRA

If You are a California consumer, You have the following rights under CCPA/CPRA:

• Right to know what Personal Information We collect, use, disclose, and (if applicable) sell or share;
• Right to delete Personal Information We have collected from You, subject to exceptions;
• Right to correct inaccurate Personal Information;
• Right to opt out of the sale or sharing of Personal Information (note: We do not sell or share Personal Information);
• Right to limit the use and disclosure of Sensitive Personal Information;
• Right to non-discrimination for exercising any of the foregoing rights;
• Right to designate an authorised agent to make a request on Your behalf.

We do not use or disclose Sensitive Personal Information for purposes that require providing You with the right to limit such use or disclosure under Section 1798.121 of the California Civil Code.

11.6   Brazil — LGPD

If You are a Data Subject in Brazil, You have the rights set out in Article 18 LGPD, including confirmation of processing, access, correction, anonymisation, blocking, deletion, portability, information about sharing, information about the consequences of denying consent, and revocation of consent. You may lodge a complaint with the ANPD.

11.7   Other Jurisdictions

Data Subjects in other jurisdictions (Saudi Arabia, Singapore, South Africa, Canada, Australia, New Zealand, Japan, UAE, Switzerland) have the rights set out under their respective Applicable Data Protection Laws and may lodge complaints with the relevant local supervisory authority.

11.8   How to Exercise Your Rights

To exercise any of the foregoing rights, please contact Us at dpo@bytephase.com or by post at the address in Section 18. We will respond to Your request within the timeframe required by the Applicable Data Protection Law (typically thirty (30) days under GDPR and DPDP Act, and forty-five (45) days under CCPA/CPRA), with extensions as permitted by law. We may need to verify Your identity before fulfilling Your request to protect Your Personal Data.

11.9   Limitations

Your rights are not absolute and may be subject to exceptions under Applicable Data Protection Law. Where We are unable to fulfil Your request in whole or in part, We will explain the reason and inform You of Your right to lodge a complaint with the relevant supervisory authority.

12.1 What Are Cookies

Cookies are small text files placed on Your device when You visit a website. We also use similar technologies such as web beacons, pixels, local storage, and software development kits, which We refer to collectively as “cookies” in this Policy.

12.2 Categories of Cookies We Use

• Strictly Necessary Cookies: required to operate the Website and the Services (e.g., authentication, session management, load balancing). These cannot be disabled.
• Functional Cookies: remember Your preferences and choices to enhance Your experience.
• Analytics Cookies: help Us understand how visitors use the Website (e.g., pages visited, time on page) so We can improve performance.
• Marketing Cookies: used to deliver relevant marketing content. We only set marketing cookies with Your consent.

12.3 Your Choices

Where required by Applicable Data Protection Law (including the EU ePrivacy Directive, the UK PECR, and equivalent laws), We will obtain Your prior consent before placing non-essential cookies. You may manage Your cookie preferences through Our cookie banner or in Your browser settings. Disabling cookies may affect the functionality of the Services.

12.4 Do-Not-Track Signals

Some browsers transmit “do-not-track” signals. There is no industry standard for how to respond to such signals. We currently do not respond differently to do-not-track signals, but We honour Your cookie preferences as set through Our cookie banner.

12.5 Mobile Permission Controls

You can review and revoke any permission granted to the BytePhase mobile application at any time:

Android: Settings → Apps → BytePhase → Permissions

iOS: Settings → BytePhase → (Location / Camera / Notifications)

Revoking a permission does not delete data already collected. To request deletion of previously collected data, contact Us at support@bytephase.com

The Services are intended for adult business users and are not directed at children. We do not knowingly collect Personal Data from any individual under the age of 18 years. If You are under the age of 18, please do not provide any Personal Data to Us. If We become aware that We have collected Personal Data from a child without verifiable parental consent in accordance with Section 9 DPDP Act, Article 8 GDPR, or COPPA, We will take reasonable steps to delete such data promptly.

Customers are contractually prohibited from uploading Personal Data of individuals under the age of 18 to the Services without first obtaining verifiable parental consent in accordance with Applicable Data Protection Law. Customers shall not use the Services to engage in tracking, behavioural monitoring, or targeted advertising directed at children.

In the event of a Personal Data Breach affecting Personal Data for which We act as Controller, We will, where required by Applicable Data Protection Law:

• Notify the relevant supervisory authority (Data Protection Board of India, the relevant EU/EEA supervisory authority, the UK ICO, the California Privacy Protection Agency, the ANPD, the SDAIA, or other competent authority) within seventy-two (72) hours of becoming aware of the breach, where feasible;
• Notify affected Data Subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
• Maintain records of all Personal Data Breaches in accordance with Applicable Data Protection Law.

Where We act as Processor on behalf of a Customer, We will notify the Customer of a Personal Data Breach affecting Customer Data within seventy-two (72) hours of becoming aware of the breach, in accordance with Section 8.6 of the Terms and Conditions. The Customer (as Controller) is responsible for any notifications to supervisory authorities and affected Data Subjects.

15.1   Direct Marketing

We may send You marketing communications about Our products and services where You have consented or where We have a legitimate interest to do so (such as where You are an existing customer and the marketing relates to similar products and services). We comply with applicable marketing and anti-spam laws, including TCCCPR 2018 (India), CAN-SPAM 2003 (US), Canada’s CASL, PECR 2003 (UK), the ePrivacy Directive (EU), the Spam Act 2003 (Australia), and the Unsolicited Electronic Messages Act 2007 (NZ).

15.2   Opt-Out

You may opt out of receiving marketing communications at any time by following the unsubscribe instructions in the relevant message or by contacting Us at the addresses in Section 18. Opting out of marketing communications will not affect transactional or service-related communications necessary for the operation of Your Account.

The Services may contain links to or integrations with third-party websites and services (such as payment gateways, social-media platforms, and integration partners). This Policy does not apply to the practices of those third parties, and We are not responsible for their privacy practices. We encourage You to review the privacy policies of any third-party websites or services that You visit.

We may update this Policy from time to time to reflect changes in Our practices, technology, legal requirements, or for other operational reasons. When We make changes, We will update the “Last Updated” date at the top of this Policy. Where the changes are material, We will provide notice through the Services or by email at least thirty (30) days before the changes take effect. Your continued use of the Services after the effective date of the changes constitutes Your acceptance of the updated Policy.

You may contact Us about this Policy or about Your Personal Data using the details below.

18.1  General Contact

BytePhase Technologies Private Limited

Office 402, Speciality Business Centre, 4th Floor, Opp. SKP Campus, Moze College Road, Balewadi, Pune – 411045, Maharashtra, India

• General: support@bytephase.com
• Website: www.bytephase.com

18.6   Right to Lodge a Complaint

You also have the right to lodge a complaint with the data-protection or privacy supervisory authority in Your jurisdiction. Major supervisory authorities include the Data Protection Board of India (once notified), the European Data Protection Board and the EU/EEA national supervisory authorities, the UK Information Commissioner’s Office, the California Privacy Protection Agency and the California Attorney-General, the Brazilian ANPD, the Saudi SDAIA, the Singapore PDPC, the South African Information Regulator, the Office of the Privacy Commissioner of Canada, the Office of the Australian Information Commissioner, the Office of the Privacy Commissioner of New Zealand, and the Japanese PPC. We encourage You to contact Us first so We can address Your concerns directly.