GDPR Compliance Policy

Last updated: January 23, 2026

GDPR Core Principles

How we implement GDPR requirements in our system

Lawfulness & Transparency

Process data fairly and with transparency

Purpose Limitation

Collect data for specified, explicit purposes

Data Minimization

Collect only necessary data for stated purpose

Accuracy

Keep data correct and up-to-date

Integrity & Confidentiality

Protect data against unauthorized access

Accountability

Demonstrate GDPR compliance

1. Introduction

Selfeey Infotech Private Limited ("Selfeey", "we", "our", or "us") is committed to complying with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) when processing personal data of individuals located in the European Union ("EU Data Subjects").

This GDPR Compliance Policy outlines the principles, rights, safeguards, and governance measures adopted by Selfeey to ensure lawful, fair, and transparent processing of personal data in accordance with GDPR requirements.

2. GDPR Principles

Selfeey processes personal data in strict adherence to the following GDPR principles:

Lawfulness, Fairness, and Transparency

Personal data is processed only on valid legal grounds and in a transparent manner.

Purpose Limitation

Data is collected for specified, explicit, and legitimate purposes and not further processed incompatibly.

Data Minimization

Only data that is adequate, relevant, and necessary for the stated purpose is collected.

Accuracy

Reasonable steps are taken to ensure personal data is accurate and up to date.

Storage Limitation

Personal data is retained only for as long as necessary to fulfill its purpose or legal obligations.

Integrity and Confidentiality

Data is protected against unauthorized access, loss, alteration, or disclosure.

Accountability

Selfeey maintains documentation, policies, and records to demonstrate GDPR compliance.

3. Rights of Data Subjects

EU Data Subjects are entitled to exercise the following rights under GDPR:

Right of Access

Access to personal data

Right to Rectification

Rectification of inaccurate data

Right to Erasure

"Right to be Forgotten"

Right to Restriction

Restriction of processing

Right to Object

Object to processing

Right to Data Portability

Data portability

Right to Withdraw Consent

Withdraw consent at any time

Selfeey provides mechanisms to exercise these rights through:

  • Designated portals within the Platform
  • Email or written requests to official contact points

Requests are handled within GDPR-prescribed timelines.

4. Legal Basis for Processing

Selfeey processes personal data only where at least one lawful basis applies, including:

Explicit Consent

Explicit consent of the data subject

Performance of a Contract

Performance of a contract with the data subject

Compliance with Legal Obligations

Compliance with legal obligations

Legitimate Interests

Legitimate interests, balanced against data subject rights

Protection of Vital Interests

Protection of vital interests

The applicable legal basis is identified and documented for each processing activity.

5. International Data Transfers

Where personal data of EU Data Subjects is transferred outside the EU/EEA, Selfeey ensures appropriate safeguards, including but not limited to:

  • Standard Contractual Clauses (SCCs)
  • Contractual data protection commitments
  • Technical and organizational security measures

Such transfers comply with Chapter V of GDPR.

6. Personal Data Breach Management

In the event of a personal data breach involving EU Data Subjects:

  • Selfeey will assess the risk without undue delay
  • Relevant EU supervisory authorities will be notified within 72 hours, where feasible
  • Affected data subjects will be informed when required by law
  • All incidents are documented internally for accountability and audit purposes

7. Data Protection Officer (DPO)

Selfeey has appointed a Data Protection Officer (DPO) responsible for:

  • Overseeing GDPR compliance
  • Conducting audits and risk assessments
  • Advising on data protection obligations
  • Acting as a point of contact for regulators and data subjects

The DPO operates independently and reports to senior management.

8. Security Measures

Selfeey implements appropriate technical and organizational security measures, including:

  • Data encryption (at rest and in transit)
  • Role-based access controls
  • Continuous monitoring and logging
  • Secure cloud infrastructure
  • Regular vulnerability assessments and audits

These measures are designed to protect personal data from unauthorized access, loss, or misuse.

9. Training & Awareness

Employees and contractors involved in processing EU personal data receive:

  • Regular GDPR awareness training
  • Role-specific data protection guidance
  • Updates on regulatory and policy changes

This ensures a strong culture of data protection across the organization.

10. Policy Review & Amendment

This GDPR Compliance Policy is:

  • Reviewed annually
  • Updated upon changes to GDPR, regulatory guidance, or business operations

All amendments are approved by the Board of Directors or authorized governance bodies and communicated to relevant stakeholders.

11. Governing Law & Jurisdiction

This Policy shall be governed by the laws of India.

GDPR obligations apply specifically to the processing of personal data of EU Data Subjects.

Courts of competent jurisdiction in India shall have exclusive authority over disputes arising under this Policy, without prejudice to GDPR enforcement rights of EU supervisory authorities.

Contact Our Data Protection Officer

For any GDPR-related inquiries or to exercise your rights:

Data Protection Officer: dpo@selfeey.com

Phone: +91 8088176317

Address: Selfeey Infotech Private Limited, Bangalore, India

We will respond to your request within GDPR-prescribed timelines (typically 30 days).