Privacy Policy

Brisk Startup ("we", "our", or "us") is committed to protecting the privacy and personal data of all individuals who interact with our website at briskstartup.com and its associated services (collectively, the "Platform"). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you visit or use our Platform. It has been prepared in accordance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023 ("DPDPA") as applicable. By accessing or using the Platform, you consent to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.

2.1 Information You Provide Directly We may collect the following categories of personal data when you voluntarily submit information through forms, registration, or contact channels: • Identity Information: Full name, date of birth, gender • Contact Information: Email address, phone number, postal address • Professional Information: Startup name, industry, stage of business, investment interest • Financial Information: Bank account details, GST number (only where necessary for service delivery) • Government-Issued Identifiers: PAN, Aadhaar number, DIPP/DPIIT registration number (only if expressly required and with your consent) 2.2 Information Collected Automatically When you browse the Platform, we may automatically collect: • Technical Data: IP address, browser type, operating system, device identifiers • Usage Data: Pages visited, time spent, click-through paths, referring URLs • Cookie Data: Session identifiers, preference settings (see Section 7 for Cookie Policy) 2.3 Information from Third Parties We may receive data from third-party partners, government portals, or publicly available sources to enhance our services, always subject to applicable legal requirements.

We process your personal data only for lawful, specified, and legitimate purposes. The data we collect is used to: • Provide and operate the Platform and its features • Respond to your queries, feedback, or grievance submissions • Send information about government schemes, funding opportunities, and startup resources (with your consent) • Personalise your experience and improve Platform content • Analyse usage trends and conduct internal research and analytics • Comply with applicable legal and regulatory obligations under Indian law • Prevent fraud, abuse, or any activity that may violate these Terms or applicable law • Verify identity where required by regulations, such as under PMLA, 2002 or FEMA, 1999 We will not process your personal data in any manner inconsistent with the purposes disclosed at the time of collection without your prior consent.

Under the Digital Personal Data Protection Act, 2023 and applicable Indian privacy frameworks, we process your personal data on the following grounds: • Consent: Where you have given clear, free, specific, informed, and unambiguous consent. • Contractual Necessity: Where processing is necessary to fulfil a contractual obligation or pre-contractual steps taken at your request. • Legal Obligation: Where we are required to process data to comply with applicable Indian laws, regulations, court orders, or directions from competent authorities. • Legitimate Interests: Where processing is necessary for our legitimate business interests, provided such interests are not overridden by your rights and interests. You have the right to withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

We do not sell, rent, or trade your personal data to any third party. We may share your information only in the following circumstances: 5.1 Service Providers We may engage trusted third-party vendors (such as cloud hosting, analytics, or email service providers) who process data on our behalf under strict confidentiality obligations and data processing agreements. 5.2 Government and Regulatory Authorities We may disclose personal data to law enforcement agencies, government bodies, or regulatory authorities when required to do so by law, court order, or legal process in India — including under the IT Act, 2000, PMLA, 2002, or any other applicable statute. 5.3 Business Transfers In the event of a merger, acquisition, restructuring, or sale of assets, your data may be transferred to the acquiring entity, subject to the same level of protection as described in this Policy. 5.4 With Your Consent We may share your data with third parties in cases where you have provided explicit consent for a specific purpose. We require all third parties to respect the security of your personal data and to treat it in accordance with applicable data protection laws.

In accordance with the SPDI Rules, 2011, "Sensitive Personal Data or Information" (SPDI) includes: • Passwords • Financial information such as bank account, credit/debit card, or other payment instrument details • Physical, physiological, and mental health conditions • Sexual orientation • Medical records and history • Biometric information We collect SPDI only when strictly necessary for delivering a specific service and only with your explicit, written consent. You have the right to withdraw consent for the collection and use of SPDI at any time, though this may affect our ability to provide certain services. We implement ISO/IEC 27001-aligned security measures to protect SPDI from unauthorised access, disclosure, or processing.

We use cookies and similar tracking technologies (such as pixels and web beacons) on the Platform to improve functionality and user experience. Types of cookies we use: • Essential Cookies: Necessary for the Platform to function properly (e.g., session management). These cannot be disabled. • Analytical Cookies: Help us understand how visitors interact with the Platform (e.g., Google Analytics). These are enabled by default but can be opted out. • Preference Cookies: Remember your settings and preferences for future visits. • Marketing Cookies: Used only with your consent to deliver relevant content or advertising. You can manage cookie preferences through your browser settings. Please note that disabling certain cookies may impact Platform functionality. For detailed information on third-party cookies used, please refer to the respective privacy policies of those service providers.

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable Indian laws and regulations. Retention guidelines: • Account/Registration Data: Retained for the duration of your use of the Platform and up to 3 years thereafter, unless a longer retention period is required by law. • Communications Data (emails, queries): Retained for up to 2 years. • Financial Transaction Records: Retained for a minimum of 5–8 years as required under the Companies Act, 2013, GST laws, and PMLA, 2002. • Log and Technical Data: Retained for up to 6 months for security and debugging purposes. After the applicable retention period, data is securely deleted or anonymised in a manner that prevents re-identification.

Under the Digital Personal Data Protection Act, 2023 and applicable Indian frameworks, you have the following rights regarding your personal data: • Right to Access: Request a summary of personal data processed and the purposes of processing. • Right to Correction: Request correction of inaccurate or incomplete personal data. • Right to Erasure: Request deletion of personal data when it is no longer necessary for the purpose for which it was collected, subject to legal retention obligations. • Right to Grievance Redressal: Lodge a complaint with our Grievance Officer (see Section 11). • Right to Nominate: Nominate a person who can exercise rights on your behalf in the event of death or incapacity. • Right to Withdraw Consent: Withdraw consent for processing of personal data, without affecting prior lawful processing. To exercise any of the above rights, please contact our Grievance Officer at grievance@briskstartup.com. We will respond within 30 days of receiving your request.

Our Platform is not directed at or intended for use by individuals below the age of 18 years. We do not knowingly collect personal data from minors. In the event we inadvertently collect personal data from a child without verifiable parental or guardian consent, we will take immediate steps to delete such data upon becoming aware of the situation. If you believe a minor has provided us with personal information, please contact us immediately at grievance@briskstartup.com so that we can take appropriate action. We are committed to complying with all applicable provisions of the Digital Personal Data Protection Act, 2023 regarding the processing of data of children and minors in India.

We implement reasonable and appropriate technical and organisational security measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction, in line with our obligations under the SPDI Rules, 2011 and the IT Act, 2000. Security measures include: • Encrypted data transmission using SSL/TLS protocols • Access controls and role-based permissions for internal systems • Regular security assessments and vulnerability testing • Secure cloud infrastructure with data hosted in India or compliant jurisdictions • Employee training and confidentiality obligations However, please note that no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. You are advised not to share sensitive credentials with anyone. In the event of a personal data breach that is likely to result in high risk to your rights and freedoms, we will notify you and relevant authorities in accordance with applicable law.

In accordance with the Information Technology Act, 2000 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer to address any complaints or concerns regarding the processing of your personal data. Grievance Officer Details: Name: Compliance Officer, Brisk Startup Designation: Data Protection & Privacy Officer Email: grievance@briskstartup.com Phone: +91 99104 91889 Address: FF-9 & 10, Vasant Square Mall, Vasant Kunj, New Delhi – 110070, India Working Hours: Monday to Friday, 10:00 AM – 6:00 PM IST (excluding public holidays) We will acknowledge your complaint within 24 hours and endeavour to resolve it within 15 (fifteen) business days of receipt, as required under applicable law. If your concern remains unresolved, you may approach the Data Protection Board of India (once constituted under the DPDPA, 2023) for further redressal.

We primarily store and process personal data within the Republic of India. In the event that personal data is transferred to or accessible from jurisdictions outside India — for instance, through cloud service providers or third-party analytics tools — we ensure that: • Such transfers are made to countries or territories notified by the Central Government as providing adequate data protection standards. • Appropriate contractual safeguards (such as data processing agreements or standard contractual clauses) are in place. • Your rights as a Data Principal are protected regardless of where your data is processed. We will not transfer SPDI outside India without your explicit consent and compliance with applicable Indian law, including the DPDPA, 2023.

We reserve the right to modify or update this Privacy Policy at any time to reflect changes in law, technology, business practices, or for any other operational reason. We will notify you of material changes by: • Posting the updated Privacy Policy on this page with a revised "Last Updated" date. • Sending an email notification to your registered address where appropriate. • Displaying a prominent notice on the Platform. Your continued use of the Platform after any such changes constitutes acceptance of the revised Privacy Policy. We encourage you to review this Policy periodically. If you disagree with the revised terms, please discontinue your use of the Platform.

This Privacy Policy and all matters relating to the collection, processing, or storage of your personal data shall be governed by and construed in accordance with the laws of the Republic of India. Any disputes arising from or related to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of New Delhi, India, unless otherwise resolved through the Data Protection Board of India under the Digital Personal Data Protection Act, 2023. If any provision of this Privacy Policy is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.