SafetyConnect Privacy Policy

We at SafetyConnect are committed to protecting your privacy. This Privacy Policy applies to the information and data collected by SafetyConnect as a controller, including the information collected on our Websites (www.safetyconnect.io) or through other channels as described below. This Privacy Notice describes how we collect, receive, use, store, share, transfer, and process your personal information. It also describes your choices regarding use, as well as your rights of access and correction of your personal information.

We periodically update this Privacy Policy. We will post any privacy policy changes on the Website and, if the changes are material, we will provide more prominent notice by sending you an email notification.

While we will notify you of any material changes to this Privacy Policy prior to the changes becoming effective, we encourage you to review this Privacy Policy periodically. We will also keep prior versions of this Privacy Policy in an archive for your review.

Points covered in the document are listed below:

• What Information We Collect About You
• How We Use Information We Collect
• How We Share Information We Collect
• Cookies and Similar Technologies
• How to Access & Control Your Data
• Data Protection Officer

1. What Information We Collect About You

a. "Personal Information"

1. The term "Personal Information" refers to any information that can be used to identify you, including contact details like your name, email address, company name, phone number, and other details about you or your business. This can also include information about any transactions you may have made.
2. We collect personal information when you submit web forms or interact with our applications. This includes subscribing to a SafetyConnect product, requesting customer support, and signing up with the SafetyConnect platform.
3. We collect personal information about you when you use our services. This information helps us securely admit you to our platform. We collect your vehicle number to accurately identify your driving behaviour, as it is dependent on the type of vehicle used by the user.

We collect:
‍
For SafetyConnect Mobile App

• User Email ID
• User Phone Number
• User Vehicle Number

For SafetyConnect Mobile App

• Admin User ID
• Admin Phone Number

The SafetyConnect user mobile application leverages the sensors on the smartphone such as:

• G force Sensor
• Accelerometer
• Gyroscope
• Magnetometer

To arrive at data on:

• Harsh Acceleration
• Harsh Braking
• Harsh Cornering
• Over Speeding
• Phone usage while driving

This is used to arrive at user driving safety scores, improvement suggestions and trigger SOS and collision detection alerts with accurate location.

Through the SafetyConnect web application reports companies can get visibility to high risk employees, regions and behaviours.

b. "Sensitive Information"

1. This refers to credit or debit card numbers, financial account numbers or wire instructions, government issues before the issues to the before identification numbers (such as Social Security, Aadhaar Card, PAN details, GSTIN, numbers, passport numbers), biometric information, personal health information (or other information protected under any applicable health data protection laws), personal information of children protected under any child data protection laws, and any other information or combinations of information that falls within the definition of “special categories of data” under regulatory compliance or any other applicable law relating to privacy and data protection. SafetyConnect does not collect or store any sensitive information.

c. "Information About Children"

1. The applications are not intended for or targeted at children under 16, and we do not knowingly or intentionally collect personal information about children under 16 If you believe that we have collected personal information about a child under 16, please contact us here, so that we may delete the information.

2. How We Use Information We Collect

a. Compliance with Our Privacy Policy

1. We use the information we collect only in compliance with this Privacy Policy. Customers who subscribe to our Subscription Services are obligated through our agreements with them to comply with this Privacy Policy.

b. We Never Sell Personal Information

1. We will never sell your Personal Information to any third party.

c. Use of Personal Information

1. In addition to the uses identified elsewhere in this Privacy Policy, we may use your Personal Information to:

1. Develop and improve our products and services;
2. Promote use of our services to you and share promotional and information content with you in accordance with your communication preferences;
3. Contact you about billing, account management, and other administrative matters;
4. Send information to you regarding changes to our Customer Terms of Service, Privacy Policy (including the Cookie Policy), or other legal agreements;
5. Investigate and help prevent security issues and abuse, or meet legal requirements.

d. Customer Testimonials and Comments

1. We post customer testimonials and comments on our Websites, which may contain Personal Information. We obtain each customer's consent via email, text message, WhatsApp, LinkedIn text, and verbally before posting the customer's name and testimonial.

e. Use of Payment Information

1. If you give us Payment information, we use it solely as authorized by you in accordance with this Privacy Policy in order for you to use the Subscription Services, including checking your financial qualifications and collect payment from you. We use a third-party service provider to manage credit card processing. This service provider is not permitted to store, retain, or use information you provide except for the sole purpose of credit card processing on our behalf.

f. Security of your Personal Information

1. We use a variety of security technologies and procedures to help protect your Personal Information from unauthorized access, use, or disclosure. We secure the Personal Information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use, or disclosure. All Personal Information is protected using appropriate physical, technical, and organizational measures.

g. Social Media Features

1. Our Websites include Social Media Features, such as the Facebook Like button and Widgets, such as the Share Button or interactive mini-programs that run on our sites. These features may collect your IP address, which page you are visiting on our sites, and may set a cookie to enable the feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our Websites. This Privacy Policy does not apply to these features. Your interactions with these features are governed by the privacy policy and other policies of the companies providing them.

h. Retention of Personal Information

1. How long we keep information we collect about you depends on the type of information, as described in further detail below.  After such time, we will either delete or anonymize your information or, if this is not possible, then we will securely store your information and isolate it from any further use until deletion is possible.
2. We retain Personal Information that you provide to us where we have an ongoing legitimate business need to do so (for example, as needed to comply with our legal obligations, resolve disputes and enforce our agreements).
3. When we have no ongoing legitimate business need to process your Personal Information, we securely delete the information or anonymize it or, if this is not possible, securely store your Personal Information and isolate it from any further processing until deletion is possible. We will delete this information at an earlier date if you so request, as described in the "How to Access & Control Your Personal Data" below.
4. If you have elected to receive marketing communications from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our content, products, or services, such as when you last opened an email from us or ceased using your SafetyConnect account.  We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created
5. The data our customers collect by using the Subscription Service is retained according to the relevant agreements with our customers.

3. How we Share Information we Collect

a. Service Providers

1. We employ other third-party service providers to provide services on our behalf to visitors to our Websites and our customers and users of the Subscription Service and may need to share your information with them to provide information, products, or services to you. We might also share data with third parties but only if the data has been de-identified in a way so it cannot be used to identify you. Examples may include removing repetitive information from prospect lists, analyzing data or performing statistical analysis on your use of the Subscription Service or interactions on our Websites, providing marketing assistance, processing credit card payments, supplementing the information you provide us in order to provide you with better service, developing and improving the product and services, and providing customer service or support. These service providers are prohibited from using your Personal Information except for these purposes, and they are required to maintain the confidentiality of your information. In all cases where we share your information with such agents, we explicitly require the agent to acknowledge and adhere to our privacy and data protection policies and standards.

b. Compelled Disclosure

1. We reserve the right to use or disclose your Personal Information if required by law or if we reasonably believe that use or disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a law, court order, or legal process.

4. Cookies and Similar Technologies

a. Cookies

1. SafetyConnect and our partners use cookies or similar technologies (such as web beacons and JavaScript) to analyze trends, administer the website, applications, track users’ movements around the website & applications, and gather demographic information about our user base as a whole. To find out more about how we use cookies on our Websites and how to manage your cookie preferences please see our Cookie Policy.

5. How to Access & Control Your Data

a. Reviewing, Correcting, and Removing Your Personal Information

b. You have the following data protection rights:

1. You can request access, correction, updates, or deletion of your personal information.
2. You can object to the processing of your personal information, ask us to restrict the processing of your personal information users, or request the portability of your personal information.
3. If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
4. You have the right to complain to a data protection authority about our collection and use of your personal information. To exercise any of these rights, please contact us here or by mail at support@SafetyConnect.io. We will respond to your request to change, correct, or delete your information within a reasonable timeframe and notify you of the action we have taken.

c. Anti-Spam Policy

1. Our Acceptable Use Policy applies to us and our customers and, among other things, prohibits the use of the Subscription Service to send unsolicited commercial email in violation of applicable laws, and requires the inclusion in every email sent using the Subscription Service of an "opt out" mechanism and other required information. We require all of our customers to agree to adhere to the Acceptable Use Policy at all times, and any violations of the Acceptable Use Policy by a customer can result in immediate suspension or termination of the Subscription Service.

d. To Unsubscribe From Our Communications

1. You may unsubscribe from our marketing communications by clicking on the "unsubscribe" link located at the bottom of our emails, updating your communication preferences, or by contacting us here or by postal mail to SafetyConnect. Customers cannot opt out of receiving transactional emails related to their account with us or the Subscription Service.

6. Information Security Program

a. Our application must be assessed for vulnerabilities and any vulnerabilities are remediated before production deployment.

b. The purpose of this program is to define application security assessments within SafetyConnect (SafetyConnect). Application assessments are performed to identify potential or realized weaknesses as a result of inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of SafetyConnect’s services available both internally and externally as well as satisfy compliance with any relevant policies in place.

c. This program covers application security assessments requested by any individual, group, or department to maintain the security posture, compliance, risk management, and change control of technologies in use at SafetyConnect.

d. Application security assessments will be performed by delegated security personnel either employed or contracted by SafetyConnect.  All findings are considered confidential and are to be distributed to persons on a “need to know” basis. Distribution of any findings outside of SafetyConnect is strictly prohibited unless approved by the Product Head/ CEO/Designated Personnel by the Administration.

e. Any relationships within multi-tiered applications found during the scoping phase will be included in the assessment unless explicitly limited.  Limitations and subsequent justification will be documented prior to the start of the assessment.

f. Policy:

1. Web applications are subject to security assessments based on the following criteria:

1. New or Major Application Release – will be subject to a full assessment prior to the approval of the change control documentation and/or release into the live environment.
2. Third-Party or Acquired Web Application – will be subject to full assessment after which it will be bound to policy requirements.
3. Point Releases – will be subject to an appropriate assessment level based on the risk of the changes in the application functionality and/or architecture.
4. Patch Releases – will be subject to an appropriate assessment level based on the risk of the changes to the application functionality and/or architecture.
5. Emergency Releases – An emergency release will be allowed to forgo security assessments and carry the assumed risk until such time that a proper assessment can be carried out.  Emergency releases will be designated as such by the Product Head/ CEO or an appropriate manager who has been delegated this authority.

ii. All security issues that are discovered during assessments must be mitigated based upon the following risk levels. The Risk Levels are based on the OWASP Risk Rating Methodology. Remediation validation testing will be required to validate fix and/or mitigation strategies for any discovered issues of Medium risk level or greater.

1. High – Any high-risk issue must be fixed immediately or other mitigation strategies must be put in place to limit exposure before deployment.  Applications with high-risk issues are subject to being taken off-line or denied release into the live environment.
2. Medium – Medium risk issues should be reviewed to determine what is required to mitigate and scheduled accordingly.  Applications with medium-risk issues may be taken off-line or denied release into the live environment based on the number of issues and if multiple issues increase the risk to an unacceptable level.  Issues should be fixed in a patch/point release unless other mitigation strategies will limit exposure.
3. Low – Issue should be reviewed to determine what is required to correct the issue and scheduled accordingly.

ii. The following security assessment levels shall be established by a certain designated organization that will be performing the assessments.

1. Full – A full assessment consists of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide.  A full assessment will use manual penetration testing techniques to validate discovered vulnerabilities to determine the overall risk of any and all discovered.
2. Quick – A quick assessment will consist of a (typically) automated scan of an application for the OWASP Top Ten web application security risks at a minimum.
3. Targeted – A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.

Other tools and/or techniques may be used depending upon what is found in the default assessment and the need to determine validity and risk are subject to the discretion of the Security Engineering team.

g. Policy Compliance

1. Compliance Measurement
   The team will verify compliance to this policy through various methods, including but not limited to, periodic walk-through, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
2. Exceptions
   Any exception to the policy must be approved in advance.
3. Non-Compliance
   An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
4. You have the right to complain to a data protection authority about our collection and use of your personal information. To exercise any of these rights, please contact us here or by mail at support@SafetyConnect.io. We will respond to your request to change, correct, or delete your information within a reasonable timeframe and notify you of the action we have taken.

Web application assessments are a requirement of the change control process and are required to adhere to this policy unless found to be exempt.   All application releases must pass through the change control process.  Any web applications that do not adhere to this policy may be taken offline until such time that a formal assessment can be performed at the discretion of the Product Head/ CEO.

7. Record Management Policy

a. Retention - A good record retention policy protects the assets and helps in avoiding risk and litigation.

1. Records are kept as long as legally and operationally required.
2. Records retention schedule supports SafetyConnect’s to manage intellectual property, control the cost of information storage, locate and retrieve documents for any purposes and dispose of records after a particular time period.
3. The development of the Record Retention Schedule involves the following policies:

1. Identification of major record groups:

1. Customer details for administration and billing purposes.
2. Employee and vehicle details.
3. Driver behavior parameters come from IoT devices.
4. We have IoT device-specific records mapped with our customer database.

2. Creating of every keep of schema: We have classified our schemas based on business functions, record class, and record type as a way of dealing more practically with the high volume of data.

3. Performing legal research: By default, data is stored for one year or as per the customer’s specific requirement.

b. Policies and Procedures - Record management programs should be supported by policies and procedures that should address all types of problems.

1. We have a set of procedures and policies for governing the retention and destruction of business records for both active and inactive files management systems and implications of these policies and procedures are being monitored consistently.
2. SafetyConnect also has a proper disaster Recovery Program to protect all our data.
3. We have an organization-wide record management structure regarding the creation, retention, destruction, access, and storage of electronic data
4. SafetyConnect has a proper Data Backup system to overcome incidents and disasters which can take place.
5. Scheduled security checks and updates are performed on our backup system to protect our system from vulnerabilities.

c. Access and Indexing - A proper record management program hinges on the ability to provide access of the information to authorized persons and continuous analysis of the system.

1. Indexing of the records has been done on parameters such as subjects, record creators, Date, intended recipient, etc.
2. Proper indexing methods will result in ensure easy and right access of data, reduced time, and financial cost.
3. There is a proper directory or Master collection which is responsible for directing in the right direction regarding records.

d. Compliance and Accountability

1. Record ownership at every level is maintained to ensure compliance.
2. Each employee in our organization understands the policies and procedures and the importance of data and security breaches related to that data.
3. A proper audit happens every six months to make sure that guidelines and the policies are being followed by our team.

8. Data Protection Officer

If you have any questions about this Privacy Policy or our privacy practices, or if you have a disability and need to access this notice in a different format, please contact us here or by mail at: support@iotrl.io

9. FAQ

1. The purpose for which the personal data is collected.
   Only name, mobile no, email ID is captured for identification and authentication.
2. How & where the information is stored?
   The data is stored on SafetyConnect's cloud servers in Chennai and Mumbai. SafetyConnect uses the cloud services of Microsoft Azure. Hence the data is secured and only accessible by the team via a separate login id. SafetyConnect cannot view or access user data.
3. Does the user have a right to ask the Data Collector to delete the information at any time?
   Yes, we can delete the information as per the user's email request.
   
4. How long will the information be stored and later deleted from your server?
   Once onboarded the users data is stored until the term of the agreement, post which personal data is deleted.