Employee and Consultant Personal Information Policy
Purpose
This policy outlines the principles, responsibilities, and procedures adopted by Fintellix India Private Limited (“the Company”) for the collection, storage, processing, disclosure, and retention of Personal Information and Sensitive Personal Data or Information (SPDI). The policy ensures compliance with the Information Technology Act, 2000, and the SPDI Rules, and demonstrates the Company’s commitment to data privacy and protection.
Scope
This policy applies to all personal and sensitive personal data collected, stored, processed, transferred, or disclosed by the Company, across all business units and IT systems. It covers employees, interns, contractors, and consultants, both current and former.
Definitions
- Personal Information: Information that can identify an individual, such as:
➢Full name, Date of birth, Gender
➢Contact details (email, phone number, address)
➢Identification numbers (PAN, Aadhaar, Passport, etc.)
➢Bank account details
➢Employment details
- Sensitive Personal Data or Information (SPDI) includes:
➢Passwords
➢Financial information
➢Health and medical records
➢Biometric data
Legal Basis for Collection and Processing
The Company collects and processes personal and sensitive personal data based on:
- Legal obligation
- Contractual necessity
- Legitimate business interests
Data Collection
Data may be collected through:
- Recruitment and onboarding forms
- Employment or contractual documentation
- HR and payroll systems
- Access control systems
- Third-party services
Use and Processing
Collected data will be used for:
- HR administration, payroll, and benefits
- Performance evaluations and training
- Compliance with statutory obligations
- Security and IT access management
- Health and safety compliance
- Background verification and audits
Disclosure of Information
Personal and SPDI data may be disclosed to:
- Government authorities as required by law
- Auditors, legal advisors, and consultants
- Third-party service providers under confidentiality
- Group companies for internal purposes
Security Practices and Procedures
Key measures include:
- Password protection
- Access controls and audit trails
- Data encryption and secure transmission
- Periodic security audits and training
- Incident response plans
Data Retention
Data will be retained only for as long as necessary or as per applicable laws. Common retention periods:
- Employee data: Retained for the duration of employment and as long as necessary for the required purposes.
- Financial records: Retained in accordance with the Income Tax Act and other applicable regulations.
- Background verification records: Retained for the duration of employment and as long as necessary for the specified purposes
Responsibilities
The following roles are accountable for implementing this policy:
- HR Department (Custodian of Employee Personal Data): Ensures lawful collection, secure storage, controlled access, and compliance
- IT Department: Implements safeguards and ensures secure systems
- Employees / Consultants: Provide accurate and updated data, follow data protection guidelines
Data Custodianship
The HR Department is designated as the official custodian of personal data for employees, interns, and consultants. Their responsibilities include:
- Maintaining secure employee data records
- Ensuring compliance with SPDI Rules
- Coordinating data retention and disposal
- Liaising with IT for secure handling and access control mechanisms
For queries, contact:
HR Data Custodian
Raghunandan V / Director - HR
Email: raghunandan.v@fintellix.com
HR related queries & Employment Verifications:
For any queries from former employees or for employment verification requests, please contact our HR team at hr@fintellix.com
Incident Management
In the event of a suspected or confirmed data breach, the Company will:
- Contain and investigate the incident
- Assess the scope and impact
- Identify affected individuals and systems
- Notify affected individuals and regulators (if required)
- Document the incident and take corrective actions
Policy Review and Updates
We may revise this policy periodically. Updates will be posted on our official website, along with the date of the update.
Photographs, Videos and Recordings:
Subject to applicable law, Fintellix may take photographs and make audio and/or visual recordings of our employees in our offices and at various events for any use in the Company’s internal or external materials, including but not limited to electronic and print formats as well as the Fintellix website and external websites, and on social media. By participating in any event that is being photographed or recorded, to the extent permitted by applicable law, you consent to being photographed and/or recorded and to Fintellix using such photographs and recordings of you as described above at any time.
In case of any questions, kindly write to us at hr@fintellix.com