Data Protection Policy

1. Introduction and Scope

Kalaloka ("Platform"), operated by DigiYogi ("we", "us", "Data Fiduciary"), is committed to protecting the personal data of all individuals who use our Platform. This Data Protection Policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) and the rules notified thereunder, along with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

This policy applies to all personal data processed by the Platform, whether collected through the website, mobile application, or any other channel.

2. Data Fiduciary Obligations

As a Data Fiduciary under the DPDPA, DigiYogi undertakes the following obligations:

• Lawful Processing: We process personal data only for lawful purposes for which the Data Principal (you) has given consent, or for certain legitimate uses as specified under the DPDPA (Section 4).
• Purpose Limitation: Personal data is collected and processed only for the specific purposes communicated to you at the time of collection or as described in our Privacy Policy.
• Data Minimization: We collect only the personal data that is necessary and adequate for the purposes for which it is processed. We do not collect excessive data.
• Accuracy: We take reasonable steps to ensure the personal data we process is accurate, complete, and up to date. You may update your data through your profile settings at any time.
• Storage Limitation: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Upon expiry of the retention period, data is deleted or anonymized.
• Security Safeguards: We implement reasonable security safeguards to protect personal data from unauthorized access, disclosure, alteration, or destruction (Section 8 of the DPDPA).
• Accountability: We maintain records of our data processing activities and can demonstrate compliance with the DPDPA upon request by the Data Protection Board of India.

3. Consent Management

3.1 Obtaining Consent

• We obtain your free, specific, informed, unconditional, and unambiguous consent before processing your personal data (Section 6 of the DPDPA).
• Consent is requested through clear, plain-language notices that describe the purpose of data collection and the categories of data being processed.
• Consent is obtained through affirmative action (opt-in), not pre-ticked checkboxes or inaction.
• Consent requests are presented in English and Kannada.

3.2 Withdrawal of Consent

• You have the right to withdraw your consent at any time (Section 6(6) of the DPDPA).
• Withdrawal of consent can be done through your account settings or by contacting us.
• Withdrawal of consent does not affect the lawfulness of processing done before the withdrawal.
• The consequences of withdrawing consent (such as loss of access to certain features) will be communicated to you before the withdrawal is processed.

3.3 Certain Legitimate Uses Without Consent

Under Section 7 of the DPDPA, we may process personal data without consent for:

• Performance of functions under any law or for compliance with any legal judgment or order.
• Responding to medical emergencies involving a threat to life.
• Ensuring safety during disasters or breakdown of public order.
• Employment-related purposes (for employees and contractors).

4. Purpose Limitation

We process personal data only for the following specified purposes:

• Account Management: Creating and maintaining your user account, authentication, and identity verification.
• Service Delivery: Providing reading, writing, and content discovery features, processing payments, and facilitating creator monetization.
• Personalization: Customizing your content feed, recommendations, and notifications based on your reading preferences.
• AI Features: Generating audio narrations, translations, content summaries, and improving content recommendation algorithms.
• Communication: Sending service-related notifications, responding to support requests, and in-app messaging.
• Analytics: Understanding usage patterns, improving Platform performance, and conducting market research (using anonymized data where possible).
• Safety and Security: Fraud detection, content moderation, and preventing abuse.
• Legal Compliance: Complying with applicable laws, regulations, and legal processes.

We will not process your personal data for purposes beyond those stated above without obtaining fresh consent, unless permitted by law.

5. Data Minimization

We adhere to the principle of collecting only what is necessary:

• Registration: Only phone number (for OTP verification) and display name are required. Email, bio, profile picture, and date of birth are optional.
• Content Creation: Only the content body is required. Title, cover image, and description are optional.
• Payments: Only UPI ID is collected for creator payouts. Full bank account details are not stored.
• Usage Data: We collect only the usage data necessary for service improvement and personalization. We do not collect precise GPS location data.

6. Storage Limitation

7. Data Principal Rights

Under the DPDPA, you (as a "Data Principal") have the following rights:

7.1 Right to Access (Section 11)

You have the right to obtain a summary of your personal data being processed and the processing activities. You may request this through your profile settings or by emailing us.

7.2 Right to Correction (Section 11)

You have the right to correct inaccurate or misleading personal data and to complete incomplete data. You may update your profile information directly, or request corrections by contacting us.

7.3 Right to Erasure (Section 12)

You have the right to request erasure of your personal data when it is no longer necessary for the purpose for which it was collected. Erasure requests will be processed within 30 days, subject to legal retention requirements.

7.4 Right to Grievance Redressal (Section 13)

You have the right to have your grievances addressed. See our Grievance Redressal Policy for the detailed process. If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India.

7.5 Right to Nominate

You have the right to nominate another individual to exercise your rights under the DPDPA in the event of your death or incapacity. Nomination can be made by contacting us with the necessary documentation.

7.6 How to Exercise Your Rights

• Self-Service: Access and correction can be done through your profile settings.
• Email: Send requests to support@kalaloka.buzz with the subject "Data Principal Rights Request."
• Response Time: We will acknowledge your request within 48 hours and fulfill it within 30 days.
• Verification: We may need to verify your identity (via OTP to your registered phone number) before processing your request.

8. Data Protection Officer

We have designated the following person as our point of contact for data protection matters:

• Name: Nagaraj
• Role: Founder & Data Protection Lead
• Email: support@kalaloka.buzz
• Address: DigiYogi, Bangalore, Karnataka, India

The Data Protection Lead is responsible for ensuring compliance with the DPDPA, addressing Data Principal requests, and acting as the point of contact for the Data Protection Board of India.

9. Cross-Border Data Transfer

• Primary Storage: All personal data is primarily stored on servers located in India (hosted on E2E Networks, an Indian cloud provider).
• Third-Party Services: Some third-party services we use (such as analytics tools, email delivery services) may process data outside India. We ensure that such transfers comply with Section 16 of the DPDPA and are not made to countries restricted by the Central Government.
• Restricted Countries: We do not transfer personal data to any country that the Central Government has notified as restricted under the DPDPA.
• Contractual Safeguards: Where data is transferred to third-party processors outside India, we ensure appropriate contractual safeguards, including data processing agreements that mandate security measures and purpose limitations.

10. Breach Notification

• Detection: We maintain systems to detect personal data breaches promptly.
• Notification to Data Protection Board of India (DPBI): In the event of a personal data breach, we will notify the DPBI within 72 hours of becoming aware of the breach, as required under Section 8(6) of the DPDPA.
• Notification to Data Principals: We will notify affected Data Principals without undue delay, providing information about the nature of the breach, the data affected, and the remedial measures taken.
• Breach Record: We maintain a record of all personal data breaches, including the facts, effects, and remedial actions taken.
• Remediation: Upon detecting a breach, we will take immediate steps to contain the breach, assess the impact, remediate vulnerabilities, and prevent recurrence.

11. Children's Data

• Age Restriction: The Platform is not intended for children under the age of 18. Under Section 9 of the DPDPA, processing personal data of children (under 18) requires verifiable parental consent.
• Parental Consent: If we become aware that a user is under 18, we will require verifiable consent from a parent or lawful guardian before continuing to process their data.
• No Harmful Processing: We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children, as prohibited under Section 9(3) of the DPDPA.
• Deletion: If we discover that we have collected personal data from a child without verifiable parental consent, we will delete that data promptly.

12. Significant Data Fiduciary Obligations

If DigiYogi is classified as a Significant Data Fiduciary by the Central Government under Section 10 of the DPDPA, we will additionally:

• Appoint a Data Protection Officer (DPO) who is based in India.
• Appoint an independent data auditor to evaluate our compliance.
• Conduct periodic Data Protection Impact Assessments (DPIA).
• Undertake periodic audits of our data processing activities.
• Publish the business contact information of the DPO on our website.

As of the date of this policy, DigiYogi has not been classified as a Significant Data Fiduciary. We will update this policy if our classification changes.

13. Data Principal Duties

Under Section 15 of the DPDPA, Data Principals also have certain duties:

• You must provide accurate and truthful personal data when registering and using the Platform.
• You must not impersonate another person when providing personal data.
• You must not suppress any material information when providing personal data.
• You must not register a false or frivolous grievance or complaint with the Platform or the Data Protection Board.

14. Updates to This Policy

We may update this Data Protection Policy to reflect changes in the law, our data processing practices, or regulatory guidance from the Data Protection Board of India. Material changes will be communicated through the Platform and by email. The "Last Updated" date indicates the most recent revision.

15. Contact

For data protection queries, rights requests, or complaints:

• Data Protection Lead: Nagaraj
• Email: support@kalaloka.buzz
• Platform: Kalaloka (a product of DigiYogi)
• Address: Bangalore, Karnataka, India

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India as established under the DPDPA.