Last Updated: 09-07-2026
Effective For: Olatus Systems Private Limited ("Company," "we," "us," or "our")
Jurisdiction: India (with global accessibility)
Compliance Framework: Digital Personal Data Protection Act, 2023 (India) | General Data Protection Regulation (EU) 2016/679
📋 TABLE OF CONTENTS
- Introduction & Scope
- Key Definitions
- Who We Are: Data Fiduciary & Controller Information
- Lawful Basis for Processing
- Categories of Personal Data We Collect
- How and Why We Use Your Data
- Data Sharing & Third-Party Disclosures
- International Data Transfers
- Data Retention & Deletion
- Your Rights: DPDP Act & GDPR
- Consent Management & Withdrawal
- Cookies, Tracking & Analytics
- Children's Privacy
- Security Measures
- Data Breach Notification
- Automated Decision-Making & Profiling
- Grievance Redressal & Contact
- Changes to This Policy
- Appendix: Data Processing Summary
1. INTRODUCTION & SCOPE
1.1 Welcome
Thank you for trusting Olatus Systems Private Limited with your personal data. This Privacy Policy ("Policy") explains how we collect, use, store, protect, and share your personal information when you interact with our integrated platform, including:
✅ eCommerce store (physical & digital products)
✅ Learning Management System (LMS) & online courses
✅ Community forum, blog, and user-generated content features
✅ Membership subscriptions & recurring access plans
✅ Mobile application and related services
(collectively, the "Services")
1.2 Legal Framework & Compliance
This Policy is designed to comply with:
- 🇮🇳 Digital Personal Data Protection Act, 2023 (DPDP Act) and associated rules
- 🇪🇺 General Data Protection Regulation (GDPR) 2016/679 (for EU/EEA users)
- 🌐 Other applicable data protection laws in jurisdictions where we operate
Where conflicts arise between legal frameworks, we apply the standard offering the highest level of protection to you.
1.3 Acceptance & Consent
By accessing or using our Services, you acknowledge that you have read, understood, and consent to the practices described in this Policy. If you do not agree, please discontinue use immediately.
🔹 For Minors (Under 18): Use of our Services requires verifiable parental/guardian consent. Please review Section 13 for details.
2. KEY DEFINITIONS
| Term | DPDP Act Definition | GDPR Equivalent | Our Usage |
|---|---|---|---|
| Personal Data | Any data about an individual who is identifiable by or in relation to such data | Personal data: any information relating to an identified or identifiable natural person | Names, contact details, purchase history, learning progress, forum posts, device identifiers |
| Data Principal | The individual to whom the personal data relates | Data Subject | You, the user of our Services |
| Data Fiduciary | Any person who alone or with others determines the purpose and means of processing personal data | Data Controller | Olatus Systems Private Limited |
| Data Processor | Any person who processes personal data on behalf of a Data Fiduciary | Data Processor | Payment gateways, cloud hosts, analytics providers, courier partners |
| Consent | Freely given, specific, informed, unconditional, and unambiguous indication of agreement | Freely given, specific, informed, and unambiguous indication by clear affirmative action | Your opt-in during registration, checkout, or preference settings |
| Processing | Any operation performed on personal data (collection, storage, use, sharing, deletion, etc.) | Any operation performed on personal data | All activities involving your data within our Services |
| Significant Data Fiduciary | A Data Fiduciary notified by the Government based on volume/sensitivity of data | Not directly applicable | We assess our status annually; if designated, additional obligations apply |
3. WHO WE ARE: DATA FIDUCIARY & CONTROLLER INFORMATION
Olatus Systems Private Limited
House No: 346, 1st Floor, Police Station, Zoo-Narengi Rd, opp. Barista Cafe and Geetanagar, Ambikagirinagar
Guwahati, Assam, 781024, India
📧 Privacy Contact: support@olelectronics.com
📞 Phone: +91 69001 05606
🌐 Website: www.olelectronics.com
3.1 Data Protection Officer (DPO) / Grievance Officer
As required under DPDP Act and GDPR (where applicable), we have designated:
Grievance Officer (DPDP Act)
Name: [Officer Name]
Email: support@olelectronics.com
Response Time: Within 15 days of receiptData Protection Officer (GDPR – if applicable)
Name: [DPO Name]
Email: support@olelectronics.com
Contact for EU/EEA users regarding GDPR rights
If you are in the EU/EEA and believe we are not a GDPR controller for your processing, please contact our DPO for clarification.
3.2 Representative for EU/EEA Users (GDPR Art. 27)
If we do not have an establishment in the EU but process data of EU residents, our appointed representative is:
[Representative Name/Entity]
[Address in EU]
Email: support@olelectronics.com
(If not applicable, this section will state: "Not applicable: Olatus Systems Private Limited has an establishment in the EU / does not target EU residents.")
4. LAWFUL BASIS FOR PROCESSING
We process your personal data only when we have a valid legal basis. Below is our mapping of processing activities to lawful bases:
| Processing Activity | DPDP Act Basis | GDPR Legal Basis | Explanation |
|---|---|---|---|
| Account registration & authentication | Consent / Legitimate Use | Consent (Art. 6(1)(a)) / Contract (Art. 6(1)(b)) | Necessary to create and manage your Account |
| Order processing & fulfillment | Consent / Contractual necessity | Contract (Art. 6(1)(b)) | Required to deliver products/services you purchase |
| Payment processing | Consent / Legal obligation | Contract (Art. 6(1)(b)) / Legal obligation (Art. 6(1)(c)) | To complete transactions and comply with financial regulations |
| Course enrollment & LMS access | Consent / Contract | Contract (Art. 6(1)(b)) | To provide educational services you subscribed to |
| Community participation (forum/blog) | Consent | Consent (Art. 6(1)(a)) / Legitimate interests (Art. 6(1)(f)) | To enable user interaction and content sharing |
| Personalization & recommendations | Consent / Legitimate Use | Legitimate interests (Art. 6(1)(f)) | To improve user experience and content relevance |
| Marketing communications | Explicit Consent | Consent (Art. 6(1)(a)) | Only sent if you opt-in; easy opt-out always available |
| Security, fraud prevention & compliance | Legitimate Use / Legal obligation | Legitimate interests (Art. 6(1)(f)) / Legal obligation (Art. 6(1)(c)) | To protect our Services, users, and comply with law |
| Analytics & service improvement | Consent / Legitimate Use | Legitimate interests (Art. 6(1)(f)) / Consent (Art. 6(1)(a)) | Aggregated, anonymized data used to enhance functionality |
| Legal claims & dispute resolution | Legal obligation | Legal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f)) | To defend rights, comply with court orders, or resolve disputes |
🔹 Special Category Data: We do not intentionally collect sensitive personal data (e.g., health, biometrics, religious beliefs) unless explicitly required for a specific Service (e.g., accessibility accommodations). Such processing requires explicit consent and additional safeguards.
5. CATEGORIES OF PERSONAL DATA WE COLLECT
We collect data directly from you, automatically via technology, and from third parties. Below is a comprehensive inventory:
5.1 Data You Provide Directly
| Category | Examples | When Collected | Purpose |
|---|---|---|---|
| Identity & Contact | Full name, email, phone, mailing address, profile photo | Registration, checkout, support requests | Account creation, order fulfillment, communication |
| Authentication | Password (hashed), security questions, 2FA details | Account setup, login | Secure access to your Account |
| Transaction Data | Order history, payment method (tokenized), billing address, GSTIN | Checkout, subscription management | Process payments, issue invoices, manage refunds |
| Learning Data (LMS) | Course enrollments, progress, quiz scores, certificates, forum posts in courses | Course access, assessments | Deliver education, track completion, issue credentials |
| Community Content | Forum posts, blog comments, reviews, uploaded files, profile bio | Forum/blog participation | Enable community interaction, moderate content |
| Preferences | Language, currency, notification settings, cookie preferences | Account settings, cookie banner | Personalize experience, respect communication choices |
| Support Communications | Help tickets, chat logs, email correspondence | Customer support interactions | Resolve issues, improve service quality |
| Verification Documents | Government ID, address proof (for high-value orders or age verification) | KYC checks, fraud prevention | Comply with legal requirements, prevent fraud |
5.2 Data Collected Automatically
| Category | Examples | Technology Used | Purpose |
|---|---|---|---|
| Device & Technical | IP address, browser type, OS, device model, unique identifiers | Server logs, analytics SDKs | Security, compatibility, troubleshooting |
| Usage & Behavioral | Pages visited, time spent, click patterns, course completion rates | Cookies, pixels, session recording (opt-in) | Improve UX, personalize content, detect abuse |
| Location Data | Approximate location (IP-based) or precise location (with permission) | Geolocation APIs, IP geolocation | Localize content, calculate shipping, comply with regional laws |
| Cookie & Tracking Data | Session IDs, preference cookies, advertising identifiers | First-party & third-party cookies, local storage | Maintain sessions, remember preferences, measure ad performance |
5.3 Data from Third Parties
| Source | Data Received | Purpose |
|---|---|---|
| Payment Processors | Transaction confirmation, fraud scores, tokenized payment references | Complete purchases, prevent fraud |
| Social Login Providers (Google, Facebook, etc.) | Name, email, profile picture (as permitted by you) | Simplify registration, enable social features |
| Courier & Logistics Partners | Delivery status, address validation, proof of delivery | Fulfill orders, resolve shipping issues |
| Analytics & Marketing Partners | Aggregated behavior, campaign attribution (with consent) | Measure performance, optimize marketing |
| Identity Verification Services | KYC validation results (not raw documents) | Comply with anti-fraud regulations |
⚠️ We do not sell your personal data to third parties for monetary consideration. Data shared with processors is strictly for Service delivery under contractual safeguards.
6. HOW AND WHY WE USE YOUR DATA
We process your personal data only for specified, explicit, and legitimate purposes:
6.1 Core Service Delivery
✅ Create, manage, and secure your Account
✅ Process orders, deliver products (physical/digital), and manage subscriptions
✅ Provide access to courses, track progress, and issue certificates
✅ Enable community features: forum discussions, blog comments, reviews
✅ Respond to support requests and resolve technical issues
6.2 Personalization & Experience Enhancement
✅ Recommend products, courses, or content based on your interests
✅ Remember preferences (language, currency, notifications)
✅ Customize dashboards and learning paths
✅ Send relevant, non-marketing service updates (e.g., course reminders, order status)
6.3 Communication (With Consent)
✅ Send transactional emails: order confirmations, password resets, policy updates
✅ Deliver marketing communications only if you opt-in: newsletters, promotions, new course alerts
✅ Provide survey invitations to improve our Services (optional participation)
6.4 Security, Compliance & Legal Obligations
✅ Detect, prevent, and investigate fraud, abuse, or security incidents
✅ Verify identity for high-risk transactions or age-restricted content
✅ Comply with tax, accounting, consumer protection, and data protection laws
✅ Respond to lawful requests from public authorities (with legal validation)
6.5 Analytics & Service Improvement
✅ Analyze aggregated, anonymized usage patterns to improve platform performance
✅ Conduct A/B testing on features (with opt-out where required)
✅ Measure course effectiveness and content engagement (in anonymized form)
🔹 No Automated Profiling for Significant Decisions: We do not use your data for automated decision-making that produces legal or similarly significant effects (e.g., credit scoring, employment decisions) without your explicit consent and right to human intervention.
7. DATA SHARING & THIRD-PARTY DISCLOSURES
We share your data only in the following circumstances, with appropriate safeguards:
7.1 Service Providers (Data Processors)
We engage trusted third parties to perform specific functions under strict data processing agreements (DPAs) compliant with DPDP Act and GDPR:
| Category | Examples | Data Shared | Safeguards |
|---|---|---|---|
| Payment Processing | Razorpay, Stripe, PayPal | Tokenized payment references, transaction amount, billing email | PCI-DSS compliance; no raw card data stored by us |
| Cloud Infrastructure | AWS, Google Cloud, Azure | Encrypted user data, logs, backups | ISO 27001 certification; data residency options |
| Email & Communication | SendGrid, Mailgun, AWS SES | Email address, name, transactional content | Encryption in transit; opt-out mechanisms |
| Analytics & UX | Google Analytics (GA4), Hotjar (opt-in), Mixpanel | Aggregated behavior, device info, session recordings (anonymized) | IP anonymization; data retention limits; DPA in place |
| Courier & Logistics | Delhivery, Blue Dart, India Post | Name, shipping address, phone, order details | Purpose-limited use; no marketing use |
| Customer Support | Zendesk, Freshdesk | Support tickets, chat logs, account info (for context) | Access controls; audit logs; retention policies |
| Identity Verification | Signzy, Karza (India); Onfido (global) | Name, ID number, document images (encrypted) | Minimal data collection; secure deletion post-verification |
7.2 Legal & Regulatory Disclosures
We may disclose personal data if required by law or to:
- Comply with a court order, subpoena, or lawful government request
- Protect the rights, property, or safety of Olatus Systems Private Limited, our users, or the public
- Enforce our Terms of Service or investigate potential violations
- Respond to emergencies involving risk of death or serious bodily injury
We challenge overly broad requests and notify you (unless legally prohibited) when permissible.
7.3 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of assets:
- Your personal data may be transferred as a business asset
- The acquiring entity must agree to honor this Privacy Policy
- You will be notified via email or prominent notice if material changes to data use occur
7.4 With Your Explicit Consent
We may share data for purposes not listed above only with your prior, specific, and informed consent, which you may withdraw at any time.
🚫 We do NOT:
- Sell personal data to data brokers or advertising networks
- Share data with third parties for their independent marketing purposes
- Disclose community content publicly beyond the intended audience (e.g., forum posts visible to community members)
8. INTERNATIONAL DATA TRANSFERS
8.1 Primary Data Location
- Your personal data is primarily stored and processed in India on secure, compliant infrastructure.
- Certain technical operations (e.g., global CDN, analytics) may involve transient processing in other jurisdictions.
8.2 Transfers Outside India (DPDP Act Compliance)
Where personal data is transferred outside India:
✅ We ensure the recipient country has been notified by the Indian Government as having adequate data protection standards, OR
✅ We implement prescribed safeguards, such as:
- Standard Contractual Clauses (SCCs) approved by the Data Protection Board of India
- Binding Corporate Rules (BCRs) for intra-group transfers
- Explicit consent for specific transfers (where permissible)
8.3 Transfers Outside EU/EEA (GDPR Compliance)
For EU/EEA users, transfers outside the European Economic Area rely on:
✅ Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
✅ Standard Contractual Clauses (SCCs): EU-approved clauses with supplementary measures
✅ Derogations: Explicit consent, contract necessity, or important reasons of public interest (used sparingly)
8.4 Your Right to Know
You may request details about international transfers involving your data by contacting support@olelectronics.com.
9. DATA RETENTION & DELETION
We retain personal data only as long as necessary for the purposes outlined in this Policy, or as required by law.
9.1 Retention Periods by Data Category
| Data Category | Retention Period | Legal Basis / Reason |
|---|---|---|
| Account Identity & Contact | Duration of Account + 3 years after last activity | Contractual necessity; legitimate interest in re-engagement |
| Transaction & Order Records | 8 years from transaction date | Indian GST/Income Tax Act requirements |
| Payment References (Tokenized) | 13 months (PCI-DSS requirement) | Payment card industry security standards |
| LMS Progress & Certificates | Lifetime of course access + 2 years | Contractual obligation; user request for records |
| Forum/Blog Contributions | Indefinitely (unless deleted by user or moderator) | Legitimate interest in community archive; user control |
| Support Tickets | 3 years from resolution | Legitimate interest in service improvement; legal defense |
| Marketing Consent Records | Until consent withdrawn + 1 year | Proof of consent per DPDP Act/GDPR accountability |
| Security Logs (IP, login attempts) | 12 months | Legitimate interest in fraud prevention and security |
| Analytics (Aggregated/Anonymized) | Indefinitely (non-personal) | Legitimate interest in service improvement |
9.2 Deletion & Erasure Procedures
You may request deletion of your personal data at any time:
- Self-Service: Delete your Account via Account Settings → "Delete Account" (triggers automated erasure workflow)
- Manual Request: Email support@olelectronics.com with subject "Data Erasure Request" and verification details
- Verification: We will confirm your identity before processing to prevent unauthorized deletion
9.3 Exceptions to Deletion
We may retain certain data despite a deletion request where:
- Required by law (e.g., tax records, fraud investigation)
- Necessary for establishment, exercise, or defense of legal claims
- For archiving purposes in the public interest, scientific/historical research, or statistical purposes (with safeguards)
- The data has been anonymized and can no longer identify you
🔹 Right to Be Forgotten (GDPR): EU/EEA users may request erasure under Article 17. We assess requests case-by-case, balancing your rights against our legitimate interests or legal obligations.
10. YOUR RIGHTS: DPDP ACT & GDPR
You have enforceable rights regarding your personal data. Below is a consolidated overview:
10.1 Rights Under DPDP Act, 2023 (India)
| Right | Description | How to Exercise |
|---|---|---|
| Right to Access | Obtain confirmation whether we process your data and access to such data | Email support@olelectronics.com with "Access Request" + ID verification |
| Right to Correction | Request correction of inaccurate or incomplete personal data | Use Account Settings → "Edit Profile" or email correction request |
| Right to Erasure | Request deletion of personal data when no longer necessary or consent withdrawn | Account deletion feature or email "Erasure Request" |
| Right to Grievance Redressal | Lodge a complaint with our Grievance Officer regarding data processing | Contact support@olelectronics.com; escalation to Data Protection Board of India if unresolved |
| Right to Nominate | Nominate another individual to exercise your rights in case of death or incapacity | Submit written nomination to support@olelectronics.com with verification |
10.2 Rights Under GDPR (EU/EEA Users)
| Right | Description | How to Exercise |
|---|---|---|
| Right of Access (Art. 15) | Receive a copy of your personal data and processing details | Submit "GDPR Access Request" to support@olelectronics.com |
| Right to Rectification (Art. 16) | Have inaccurate data corrected without undue delay | Account Settings or email correction request |
| Right to Erasure / "Right to Be Forgotten" (Art. 17) | Request deletion under specific conditions (e.g., consent withdrawn, data no longer necessary) | Email "GDPR Erasure Request" with justification |
| Right to Restriction (Art. 18) | Limit processing while accuracy is verified or objection is assessed | Email "Restriction Request" specifying grounds |
| Right to Data Portability (Art. 20) | Receive your data in a structured, machine-readable format and transmit to another controller | Request "Data Portability Export" in JSON/CSV format |
| Right to Object (Art. 21) | Object to processing based on legitimate interests or direct marketing | Use unsubscribe links or email "Objection Request" |
| Rights re: Automated Decision-Making (Art. 22) | Not be subject to decisions based solely on automated processing producing legal/significant effects | Contact support@olelectronics.com to request human review |
10.3 Exercising Your Rights: Process & Timeline
-
Submit Request: Email support@olelectronics.com with:
- Subject line: "[Right Type] Request" (e.g., "Access Request", "Erasure Request")
- Full name, registered email, and Account ID (if applicable)
- Specific details of your request
- Copy of government-issued ID for verification (secure upload link provided upon request)
-
Verification: We will verify your identity within 3 Business Days to prevent unauthorized access.
-
Response Timeline:
- DPDP Act: We respond within 15 days (extendable by 15 days with notice)
- GDPR: We respond within 30 days (extendable by 60 days for complex requests)
-
No Fee: Requests are free unless manifestly unfounded or excessive (we will justify any fee).
-
Appeals: If unsatisfied with our response:
- India: Escalate to the Data Protection Board of India (dpb.gov.in)
- EU/EEA: Lodge a complaint with your national Data Protection Authority (list: edpb.europa.eu)
11. CONSENT MANAGEMENT & WITHDRAWAL
11.1 How We Obtain Consent
- Explicit Opt-In: Clear, granular consent prompts for marketing, cookies, and special-category data
- Granular Choices: Separate toggles for email newsletters, SMS alerts, personalized ads, and analytics
- Plain Language: Consent requests describe purpose, data types, and withdrawal method in simple terms
- No Pre-Ticked Boxes: Consent is never assumed; affirmative action is required
11.2 Withdrawing Consent
You may withdraw consent at any time, free of charge:
- Marketing Emails: Click "Unsubscribe" in any promotional email
- Cookie Preferences: Update settings via our Cookie Consent Manager (footer link)
- Account Preferences: Manage communication settings in Account → Preferences
- Global Withdrawal: Email support@olelectronics.com with "Withdraw Consent" + specific processing activities
⚠️ Effect of Withdrawal:
- Withdrawing consent may limit access to certain features (e.g., personalized recommendations)
- It does not affect the lawfulness of processing based on consent before withdrawal
- Contractual services (e.g., order fulfillment) continue based on contractual necessity, not consent
11.3 Consent Records
We maintain auditable records of:
- When and how consent was obtained
- The specific purposes consent covered
- Any subsequent withdrawals or updates
Available for inspection by regulators and provided to you upon request.
12. COOKIES, TRACKING & ANALYTICS
12.1 What Are Cookies & Similar Technologies?
Cookies, pixels, local storage, and SDKs help us:
- Maintain your login session and preferences
- Analyze how you use our Services to improve functionality
- Measure marketing campaign effectiveness (with consent)
- Prevent fraud and enhance security
12.2 Cookie Categories & Consent
| Category | Purpose | Duration | Consent Required? |
|---|---|---|---|
| Strictly Necessary | Enable core functions: login, cart, security, load balancing | Session to 1 year | ❌ No (legitimate interest) |
| Preference / Functional | Remember language, currency, accessibility settings | 1–2 years | ❌ No (contractual necessity) |
| Analytics / Performance | Measure traffic, user behavior, feature usage (aggregated) | 13–26 months | ✅ Yes (DPDP/GDPR) |
| Marketing / Targeting | Personalize ads, retargeting, campaign attribution | 13–24 months | ✅ Yes (explicit opt-in) |
| Social Media Plugins | Enable sharing, embedded content (e.g., YouTube, Twitter) | Varies by provider | ✅ Yes (when activated) |
12.3 Managing Cookies
- Browser Settings: Block/delete cookies via browser preferences (may limit functionality)
- Cookie Consent Manager: Access via footer link "Cookie Preferences" to granularly control categories
- Opt-Out of Analytics:
- Google Analytics: ga-optout
- Meta Pixel: Meta Opt-Out
- Do Not Track (DNT): We respect DNT signals where technically feasible
12.4 Analytics & Privacy by Design
- IP Anonymization: Enabled for all analytics tools (last octet masked)
- Data Minimization: Only essential events tracked; no keystroke logging or screen recording without explicit opt-in
- Aggregation: Reports use aggregated, non-identifiable data for decision-making
- Retention Limits: Raw analytics data auto-deleted after 14 months (GA4 default)
🔹 Third-Party Cookies: We minimize reliance on third-party cookies. Where used (e.g., payment fraud detection), processors are contractually bound to DPDP/GDPR-compliant practices.
13. CHILDREN'S PRIVACY
13.1 Age Restrictions
- Our Services are not directed to children under 18.
- We do not knowingly collect personal data from children under 18 without verifiable parental consent.
13.2 Parental Consent Process (For Users 13–17)
If a minor (13–17) wishes to use our Services:
- Parent/guardian registers the Account and provides consent via:
- Signed consent form (uploaded securely), OR
- Verified email confirmation + government ID match
- Parent receives dashboard access to monitor activity, manage preferences, and request data deletion
- Minor's data is flagged in our systems for enhanced protection and limited processing
13.3 Under 13: Zero Tolerance
- If we discover personal data from a child under 13 was collected without verified parental consent:
- We immediately delete the data
- Disable the Account
- Notify the parent/guardian if contact information was provided
- Parents may contact support@olelectronics.com to request review or deletion.
13.4 Educational Content Safeguards
- LMS courses for minors use age-appropriate content and avoid behavioral profiling
- Forum moderation includes enhanced filters for youth safety
- No targeted advertising to users identified as minors
14. SECURITY MEASURES
We implement technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction:
14.1 Technical Safeguards
✅ Encryption: Data encrypted in transit (TLS 1.3+) and at rest (AES-256)
✅ Access Controls: Role-based access, multi-factor authentication (MFA) for staff, principle of least privilege
✅ Secure Development: OWASP-aligned practices, regular penetration testing, code reviews
✅ Monitoring & Logging: Real-time threat detection, audit trails for data access, SIEM integration
✅ Backup & Recovery: Encrypted, geographically redundant backups; tested disaster recovery plans
14.2 Organizational Safeguards
✅ Staff Training: Mandatory data protection training for all employees and contractors
✅ Data Processing Agreements (DPAs): Legally binding contracts with all processors requiring DPDP/GDPR compliance
✅ Privacy by Design: Data protection impact assessments (DPIAs) for new features involving high-risk processing
✅ Incident Response: Dedicated team and playbook for data breach containment, investigation, and notification
14.3 Limitations
⚠️ No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. You are responsible for safeguarding your password and device.
15. DATA BREACH NOTIFICATION
15.1 Our Commitment
In the event of a personal data breach likely to result in risk to your rights and freedoms:
✅ DPDP Act: We will notify the Data Protection Board of India and affected Data Principals within 72 hours of becoming aware, as required.
✅ GDPR: We will notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay if high risk exists.
15.2 What We Include in Notifications
- Nature of the breach and categories of data/individuals affected
- Likely consequences and measures taken/proposed to address the breach
- Contact details of our Grievance Officer/DPO for further information
- Recommendations for individuals to mitigate potential adverse effects
15.3 Your Role
If you suspect unauthorized access to your Account:
- Immediately change your password and enable MFA
- Review Account activity for suspicious actions
- Contact support@olelectronics.com with details
- Monitor financial statements if payment data was involved
16. AUTOMATED DECISION-MAKING & PROFILING
16.1 Our Approach
We use limited automated processing to enhance your experience:
- Personalized Recommendations: Based on your browsing/purchase history (opt-out available)
- Fraud Detection: Automated risk scoring for transactions (human review for high-risk flags)
- Course Suggestions: Algorithmic matching of learning goals to content (transparent logic)
16.2 Your Rights
You have the right to:
✅ Opt Out: Disable personalized recommendations in Account → Preferences
✅ Request Human Intervention: For decisions significantly affecting you (e.g., account suspension), email support@olelectronics.com
✅ Understand Logic: Request a plain-language explanation of automated decision criteria
🚫 We do NOT use:
- Automated profiling for credit scoring, employment decisions, or insurance underwriting
- Emotion recognition or biometric identification in public spaces
- Social scoring systems
17. GRIEVANCE REDRESSAL & CONTACT
17.1 Primary Contacts
| Purpose | Contact | Response Time |
|---|---|---|
| General Privacy Inquiries | support@olelectronics.com | 3 Business Days |
| Exercising Data Rights | support@olelectronics.com (subject: "[Right] Request") | 15 Days (DPDP) / 30 Days (GDPR) |
| Grievance Officer (DPDP Act) | support@olelectronics.com | 15 Days |
| Data Protection Officer (GDPR) | support@olelectronics.com | 30 Days |
| Security Incidents | support@olelectronics.com | Immediate acknowledgment |
| Support & Account Help | support@olelectronics.com | 1 Business Day |
17.2 Escalation Path (If Unresolved)
- Internal Review: Contact Grievance Officer/DPO with reference to initial request
- Regulatory Complaint:
- 🇮🇳 India: Data Protection Board of India (dpb.gov.in)
- 🇪🇺 EU/EEA: Your national Data Protection Authority (edpb.europa.eu/authorities)
- Judicial Remedy: You retain the right to seek legal remedy in competent courts.
17.3 Physical Address for Notices
Olatus Systems Private Limited
Attn: Grievance Officer / Data Protection Officer
House No: 346, 1st Floor, Police Station, Zoo-Narengi Rd, opp. Barista Cafe and Geetanagar, Ambikagirinagar
Guwahati, Assam, 781024, India
For secure document submission, we provide an encrypted upload portal upon request.
18. CHANGES TO THIS POLICY
18.1 Updates & Notification
- We may update this Policy to reflect legal changes, new Services, or operational improvements.
- Material changes (e.g., new data uses, reduced rights) will be communicated via:
- Email to your registered address
- Prominent in-app/website notice at least 7 days before effective date
- Updated "Last Updated" date at the top of this Policy
18.2 Your Continued Use
- If you continue using our Services after changes take effect, you accept the revised Policy.
- If you disagree with material changes, you may:
- Deactivate your Account before the effective date
- Contact us to discuss alternatives or data export
18.3 Historical Versions
Archived versions of this Policy are available upon request at support@olelectronics.com.
19. APPENDIX: DATA PROCESSING SUMMARY
19.1 Quick Reference: Data Flows by Service
| Service | Data Collected | Primary Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| eCommerce | Name, address, payment token, order history | Fulfill orders, prevent fraud | Contract, Legal obligation | 8 years (tax) |
| Digital Products | Email, download logs, license keys | Deliver access, prevent piracy | Contract, Consent | Duration of license + 2 years |
| LMS / Courses | Progress, assessments, certificates, forum posts | Deliver education, issue credentials | Contract, Consent | Lifetime access + 2 years |
| Forum / Blog | Username, posts, comments, reports | Enable community, moderate content | Consent, Legitimate interest | Indefinite (user-deletable) |
| Memberships | Subscription status, access logs, billing | Manage recurring access, personalize | Contract, Consent | Duration of membership + 3 years |
| Mobile App | Device ID, crash logs, location (opt-in) | Ensure functionality, improve UX | Consent, Legitimate interest | 12–24 months |
| Marketing | Email, preferences, engagement metrics | Send relevant promotions (opt-in only) | Explicit Consent | Until withdrawal + 1 year |
19.2 Third-Party Processor Register (Excerpt)
Full register available at [privacy.olelectronics.com/processors]
| Processor | Role | Location | Safeguards |
|---|---|---|---|
| Razorpay | Payment processing | India | PCI-DSS, DPDP-compliant DPA |
| AWS | Cloud hosting | India (Mumbai) | ISO 27001, SOC 2, DPA |
| Google Analytics (GA4) | Web analytics | Global (EU-US DPF certified) | IP anonymization, SCCs, 14-month retention |
| Delhivery | Logistics | India | Purpose-limited DPA, data minimization |
| SendGrid | Transactional email | USA (EU-US DPF) | Encryption, DPA, opt-out enforcement |