whatsapp logo

PRIVACY POLICY

Last updated May 02, 2025

Introduction

OpenReach DeepMarketing (OPC) Private Limited (“OpenReach,” “we,” “us,” or “our”) is committed to protecting the privacy of individuals and ensuring that personal data is handled in a safe and lawful manner. This Privacy Policy explains how we collect, use, share, and safeguard personal information when you interact with our services – including our website openreach.co (the “Website”), our mobile applications OpenKYC and OpenPay, and our secure web portal for client brands (collectively, our “Platforms” or “Services”). This Policy is designed to comply with India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Information Technology Act, 2000 (including applicable Rules), as well as globally accepted privacy principles such as those under the EU General Data Protection Regulation (GDPR). By accessing or using our Services, you acknowledge that you have read and agree to the practices described in this Policy. If you do not agree, please refrain from using the Services. We may update this Policy from time to time, and will notify users of any material changes by posting the revised Policy on our Website (and where appropriate, through our apps or other communication). Your continued use of our Services after any changes indicates your acceptance of the updated Policy.

Scope of Policy

This Privacy Policy applies to:

  • All visitors to our Website, who may browse pages, submit inquiries via contact forms, or interact with our online content.
  • Users of our mobile applications OpenKYC and OpenPay (such as retailers, in-store promoters, sales officers, and client managers) who provide personal data for onboarding, KYC, tracking payouts, and participating in field marketing programs.
  • Authorized users of our secure client portal (typically representatives of brand clients) who access campaign data, retailer engagement information, and payout program details.

It covers the personal data we collect from these individuals, how we use and process that data, and the rights and choices available to data subjects. It does not cover any third-party websites or services that may be linked from our Platforms (see Third-Party Links below).

Information We Collect

We collect various categories of personal information (“Personal Data”) from and about users of our Services, as described below:

Information You Provide Directly:

When you interact with us or use our Services, you may provide personal details such as:

  • Contact and Identity Details: Your name, business/store name, address, email address, telephone number, and other contact information. For example, website visitors may provide these details in contact or inquiry forms, and retailers or promoters may provide these during registration.
  • KYC and Verification Data: Through the OpenKYC app (used for onboarding retailers), we collect Know-Your-Customer information including government- issued identification details – for example, your Aadhaar number, PAN (Permanent Account Number), or other ID proof, as well as bank account details (such as account number and IFSC) needed for e-payment payouts. We may also capture certain documents or photographs (e.g. images of ID cards or store premises) as part of verification. Sensitive Personal Data, such as financial account information or official identifiers, is collected and processed only for lawful verification purposes with your explicit consent and in compliance with applicable laws. We will not use your Aadhaar number or biometric information for any purpose other than identity verification as permitted by law, and any Aadhaar data is handled in accordance with the Aadhaar Act and related regulations.
  • Business and Transaction Data: Through the OpenPay app (used by retailers to track schemes and payments) and our client portal, we may collect information related to your transactions and engagement in marketing programs. This includes records of incentives or payout amounts due or paid to you, details of the sales or scheme participation (e.g. which promotional campaigns you participated in, your performance or points earned), and your account status (such as whether KYC is completed).
  • Location Data: With your permission, our OpenKYC app may collect geo- location data (for instance, GPS coordinates or location pins) to geo-tag retailer outlets or verify the location of in-store activations. This helps us ensure that field marketing activities are conducted at the correct locations and to prevent fraud. Similarly, if promoters or field officers use our apps, we may collect their location check-in data to track visitations and campaign execution. You can choose not to grant location access, but certain features (like on-site verification) may not function without it.
  • Communications: If you contact us (through the Website “Contact Us” form, customer support, email, or phone), we will collect the information you provide in your inquiry, such as your questions, feedback, or details about an issue. This may include your contact details and any other personal information you choose to share. We use this data to respond to you and resolve any requests or complaints.

Information Collected Automatically:

When you visit our Website or use our apps and portal, we automatically collect certain technical and usage data through cookies, analytics tools, and other tracking technologies. This may include:

  • Device and Browser Information: Your device type, operating system, browser type, IP address, device identifiers or advertising ID, and other technical information. For example, when a retailer uses the OpenPay app or a manager accesses the web portal, our systems log the device information and IP for security and troubleshooting.
  • Usage Data: Details about how you use our Services, such as the pages or screens you view, the features you interact with, the date/time of your visits, the amount of time spent, errors or performance data, and other analytical information. For instance, we may record that a user logged into the portal at a certain time or clicked on a particular report.
  • Cookies and Similar Technologies: Our Website uses cookies and similar tracking technologies (like web beacons or SDKs in apps) to enhance user experience and gather analytics. Cookies are small text files placed on your browser or device. They help us remember your preferences (e.g., language or region), understand how you navigate our content, and personalize your experience. Some cookies are essential for the site to work (for example, to keep you logged in on the client portal), while others are analytical or functional. We also use third-party analytics services (such as Google Analytics) that set their own cookies to collect aggregate information about site traffic and user interactions. For detailed information, see Cookies and Tracking Technologies below.

Information from Third Parties:

In general, we collect data directly from you. However, in some cases we may receive information about you from third parties, such as:

  • Verification Services: We might use authorized KYC verification services or government databases (for example, PAN verification services, or the UIDAI Aadhaar verification mechanism) to confirm the authenticity of documents or IDs you provide. These services might return information like whether your PAN is valid or fetch certain masked Aadhaar details, subject to your consent.
  • Client Brands or Partners: If you are a retailer or participant in a campaign run by one of our client brands, that brand or its representatives might share with us certain data needed to include you in the program (for instance, a list of eligible retailer IDs or prior sales performance). Conversely, if you are a client user (brand manager) accessing our portal, your employer (our client) might have provided your details to create your account. We treat any such third- party provided data per this Policy and any applicable agreements.

Note: We do not intentionally collect any data that is not required for the stated purposes. We do not target or knowingly collect personal data from children (minors under 18 years of age). Our Services are intended for business use by adults (such as shop owners and professionals). If you are under 18, please do not submit any personal information to us. If we discover that a minor’s personal data has been inadvertently collected, we will delete it promptly.

How We Use Your Information

We use the personal information collected for the following lawful purposes:

  • Providing Our Services: We process your personal data to operate and deliver the Services you request. This includes using KYC information to verify and onboard you as a retailer or field agent, creating and managing your user account, and enabling you to participate in in-store activation programs or incentive schemes. For example, we use your Aadhaar, PAN, or other KYC details to confirm your identity and eligibility for certain e-payment payout programs. We use your bank account information to process payouts (such as transferring incentive payments to your account). In the OpenPay app, we use your data to show you the status of your earnings, payouts, and scheme participation. For client brand managers, we use your account data to authenticate you and allow access to campaign dashboards on the portal.
  • Communication and Customer Support: We use contact information (like phone numbers and email addresses) to communicate with you about our Services. This includes sending you OTPs or verification codes (for example, to authenticate logins or sign-ups), notifying you about payouts or rewards earned, alerting you to new campaigns or updates in which you are enrolled, and responding to your queries or support requests. If you fill out a contact form on our Website (for instance, to inquire about our marketing solutions or partnerships), we will use the provided information to reach out and answer your questions. We may also send important service-related announcements or updates (such as changes to our terms or this Policy, security alerts, etc.). These communications are generally necessary for our contractual or legal obligations. We will not send you promotional or marketing emails unrelated to our Services without your consent, and you have the choice to opt out of such communications at any time (see Your Rights and Choices below).
  • Improvement and Analytics: We process usage data and feedback to understand and improve our Services. For example, analyzing how users navigate our Website or apps helps us optimize the design, fix technical issues, and enhance user experience. We use analytics cookies to gauge which features are most used or where users encounter problems, so we can make informed decisions on service improvements. We may also aggregate and anonymize personal data to produce insights (such as total number of retailers engaged in a campaign, average payout times, or website traffic patterns) for internal research, reporting to clients (in case of program metrics), and to ensure our field marketing strategies are effective. These analyses help us refine our tools and offerings. All such analytics are done in compliance with applicable privacy laws and, where required, based on user consent (for example, for non-essential cookies).
  • Security and Fraud Prevention: We are dedicated to keeping your data and our Platforms secure. Personal data may be used to monitor and ensure the integrity, security, and reliability of our Services. For instance, we may use device information and usage logs to detect or investigate fraudulent activity or unauthorized access (such as detecting multiple log-in attempts, or ensuring that a payout request is genuine). Geo-location data from OpenKYC might be used to confirm that a promoter was physically present at a specified retailer location, thereby preventing false registration of outlets. We also maintain audit logs and may review user activity if needed to troubleshoot errors or investigate any violation of our terms or misuse of our systems. Any monitoring is conducted in accordance with law and our legitimate interest in protecting our business and users.
  • Legal Compliance and Enforcement: In certain cases, we need to process personal data to comply with our legal obligations or to enforce our rights. This includes using and retaining KYC and transaction records to meet requirements under Indian laws (for example, tax laws, financial regulations, or anti-fraud laws). For instance, when we make e-payment payouts to you, we may need to report transactions above certain thresholds to tax authorities or keep records for audit purposes. If you provide PAN for payouts, we use it to comply with tax deduction (TDS) rules and other regulatory mandates. We may also process personal data to respond to lawful requests from government or regulatory bodies (such as verifying details if required by a court order or law enforcement inquiry). Additionally, if needed, we will use personal information to pursue or defend against legal claims – for example, to enforce our agreements, investigate potential fraud, or resolve disputes. We will only disclose as much data as is necessary and always in line with applicable law when handling such requests.
  • Other Purposes with Consent: If we intend to process your personal data for any purpose beyond the ones listed above, we will do so only with your explicit consent. For instance, if we ever want to use your information for a testimonial or case study on our Website, or share your contact details with a partner for a promotional offer, we would ask for your prior consent. You are under no obligation to provide consent for any optional purpose, and refusal or withdrawal of such consent will not affect the core services we provide to you.

Legal Bases for Processing

Our processing of your personal data is grounded in one or more of the following legal bases:

  • Your consent – for example, we rely on consent for collecting sensitive KYC information and for setting non-essential cookies.
  • Contractual necessity – many data uses are necessary to provide the services you request (for instance, we must process your information to onboard you into a payout program or to execute a payment to your account).
  • Legal obligation – we process certain data to comply with laws (such as retaining transaction records for regulatory compliance).
  • Legitimate interests – we may process data for our legitimate business interests, such as improving security and user experience, provided these do not override your rights.

In all cases, we adhere to the principles of data minimization and purpose limitation. We do not collect or use personal data that is not relevant to the stated purposes, and we do not engage in any form of automated decision-making or profiling that has legal or significant effects on individuals without human intervention (any such activity, if it were to occur, would only be done in compliance with law and with notice to you).

Cookies and Tracking Technologies

Cookies are small files stored on your browser or device that help websites and apps remember information about you. When you visit our Website (openreach.co), we use cookies and similar technologies to provide, protect, and improve our Services. This section describes the types of cookies we use and your choices regarding them:

  • Essential Cookies: These cookies are necessary for the website or portal to function properly. They enable core functionality such as security, network management, and accessibility. For example, if our client portal uses session cookies to keep you logged in securely, or if our site uses a cookie to record your cookie consent preferences, those are essential. You cannot opt out of essential cookies via our banner since they are required for basic operation, but you can block them using browser settings (though parts of the site may not work as a result).
  • Analytics and Performance Cookies: We use these to understand how visitors engage with our Website and Platforms. For instance, we may use Google Analytics or a similar tool that sets cookies to collect information about your site usage (pages visited, time spent, bounce rate, etc.). This information is aggregated and does not directly identify you. It helps us analyze website traffic and user behavior so that we can improve content and navigation. We treat analytics data as personal data if it is linked to your identifiers (like IP address or user ID) and handle it accordingly. Where required by law, we will seek your consent before setting analytics cookies. You can also disable analytics cookies by adjusting your browser settings or using available opt-out tools (for example, Google provides a browser add-on to opt out of Google Analytics tracking).
  • Functional Cookies: These cookies remember your preferences and enhance the functionality of our Services. For instance, they may recall your chosen language or region, or remember form data to save you time. While not strictly necessary, they improve your user experience. You may manage these via browser settings; however, blocking them might affect some features (like customized content).
  • No Third-Party Advertising Cookies: Our Website does not use third-party advertising cookies or tracking pixels for marketing to you. We do not serve third-party ads, so you will not see cookies for advertising networks when using our site. (We focus on our field marketing services rather than advertising on our own site.) In the event this ever changes, we will update this Policy and obtain necessary consents.

For our mobile apps, we use analogous tracking technologies (such as SDK analytics or crash reporting tools) to achieve similar purposes (ensuring the app works well and understanding usage patterns). You can configure your mobile device settings to limit ad tracking or reset identifiers.

Your Choices for Cookies

On your first visit to our Website, you may see a cookie notice or banner. Where applicable, you can choose to accept or decline certain non-essential cookies. Additionally, most web browsers provide settings to refuse new cookies, disable existing cookies, or alert you when new cookies are being sent. Please note that if you disable all cookies, our Website or portal may not function optimally – for example, you may not be able to log in or use some interactive features.

For more information on how to manage cookies and trackers, refer to your browser’s help documentation. By continuing to use our Website without changing your settings, you consent to our use of cookies as described herein.

Sharing and Disclosure of Personal Data

OpenReach values your privacy. We treat your personal data with confidentiality and do not sell, rent, or trade your personal information to any third parties for their own commercial or marketing purposes. We share personal data only in the ways described below, and always subject to appropriate safeguards and applicable law:

  • With Client Brands (Program Sponsors): If you are a retailer or participant in a campaign or incentive program managed by OpenReach on behalf of a client brand, we may share relevant personal data with that client (the sponsoring brand) strictly for purposes of the program. For example, if a brand has engaged us to run a retailer incentive scheme, we will provide them reports or portal access that include information such as the list of participating retailers, their performance metrics (sales, points, etc.), and payout details (e.g. amounts earned). This sharing is inherent to the service we provide – enabling the brand to verify that incentives are distributed correctly and to analyze campaign reach. We do not allow the client to use that data for any purpose outside the scope of the agreed campaign. The client is required to handle any personal data we share in accordance with applicable privacy laws and only as instructed by us or as otherwise independently permitted by law.
  • With Service Providers (Processors): We employ trusted third-party companies and individuals to perform certain business-related functions on our behalf. These service providers are given access to personal data only as needed to perform their specific services, and they are contractually obligated to protect it and use it solely for the instructed purpose. Key examples include:
    • IT Infrastructure and Storage: We may host data on reputable cloud servers or data centers (for instance, cloud service providers or web hosting companies) that store our databases, backup our information, or enable our applications to run. These providers might be located in India or abroad (see International Data Transfers below), but in all cases we ensure they have adequate security measures and agreements in place.
    • Payment and Banking Partners: If applicable, we might share necessary details with banks or payment gateways to process e-payment payouts to retailers. For instance, when initiating a bank transfer for an incentive payout, we will provide the bank with the beneficiary’s account details and payment amount. Such processing is done securely, and the financial institutions are themselves regulated entities obliged to maintain confidentiality.
    • KYC Verification Agencies: We may use third-party verification services (such as APIs for PAN validation, or services that can verify Aadhaar or other IDs with user consent). In doing so, certain data (like your ID number or details) may be transmitted to the service solely to perform the verification and receive a result. These agencies are bound to not store or misuse your data beyond the verification.
    • Analytics and Email/SMS Services: We might share minimal data with providers that help us send communications or analyze usage. For example, if we use an email service provider to send bulk notifications or a cloud messaging service for app notifications, we would provide your email or phone and the message content to that provider. Likewise, analytics services (like Google Analytics) will process usage data (possibly including your IP or device ID in truncated form) on our behalf for usage analysis. All such providers act under our instructions and not for their own purposes.

    We ensure that any third-party service provider we engage has a strong commitment to data protection. We sign appropriate Data Processing Agreements (DPAs) with them where required, mandating that they implement adequate security controls and confidentiality. They are not permitted to further disclose your data or use it for anything other than providing the service to us.

  • With Affiliates and Corporate Transactions: OpenReach DeepMarketing (OPC) Pvt. Ltd. is currently a single corporate entity (an OPC). If in the future we have any affiliated entities (such as a parent, subsidiaries, or sister companies), we may share personal data within that corporate group as necessary for internal administration and to provide our Services (for example, if another group entity takes over operating a certain app or process). Any such intra-group sharing would still be limited to the purposes in this Policy and subject to equivalent security protections. Additionally, if OpenReach is involved in a merger, acquisition, reorganization, or sale of business/assets, personal data may be transferred to the acquiring or succeeding entity as part of the transaction. In such cases, we will ensure that the new owner will continue to honor the privacy commitments made in this Policy with respect to your personal data (or we will notify you and obtain consent if required by law for any changes in data handling).
  • For Legal Compliance or Protection: We may disclose personal data to third parties (such as government authorities, law enforcement, courts, or regulators) if we believe in good faith that such disclosure is necessary to (a) comply with any applicable law, regulation, legal process, or governmental request; (b) enforce our terms of service or other agreements; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of OpenReach, our users, our clients, or the public. For example, we may have to share information with law enforcement if required by a lawful subpoena or to report certain financial transactions under regulatory requirements. We will only share the information that is reasonably required in the situation and, where permissible, we will inform the affected users about such disclosures.
  • With Your Consent: Apart from the cases above, we will only share your personal data with third parties if you have given us consent to do so. For instance, if you agree to let us share your testimonial on a partner’s site, or opt-in to a scheme where data needs to be shared with a co-sponsor, we will honor your consent preferences. You have the right to refuse or withdraw consent for such sharing at any time.

In all sharing scenarios, we maintain the principle of data minimization – only the necessary information relevant to the purpose will be shared. We do not disclose your personal data to any third party for their own marketing or monetization. In fact, Indian law prohibits us from disclosing sensitive personal data or information to third parties without your permission, and we abide by this requirement strictly. Any third party that receives personal data from us is contractually or legally bound to protect that data and use it only for the specified purpose. If you have questions about third parties we work with, you may contact us for more information.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Policy, unless a longer retention period is required or permitted by law. Our retention practices are guided by the principle that data should not be stored indefinitely without justification. Below is an overview of our retention approach:

  • Operational Retention: For users of our Platforms (retailers, promoters, etc.), we keep your personal data active in our systems for the duration that you have an account or an ongoing relationship with us. For example, if you are a retailer participating in active schemes, your profile and KYC details will be retained so that you can continue to receive payouts and we can verify your eligibility. If a period of inactivity occurs (e.g., you have not logged into OpenPay or participated in any program for a long time), we may reach out to confirm if you wish to maintain your account.
  • Program Records: Data related to specific campaigns or payout programs (such as transaction histories, payout records, and performance data) is retained at least until the relevant campaign is concluded and for a reasonable period thereafter for auditing or reconciliation. We might archive historical campaign data for our clients’ reference and our internal analysis, but we will either anonymize it or continue to protect any personal identifiers within it as long as it is retained.
  • Legal and Regulatory Requirements: In certain cases, laws require us to keep data for a set period. For instance, financial transaction records and KYC documents might need to be stored for a minimum number of years under tax or anti-money laundering regulations. Even if you request deletion or withdraw consent, we may retain such data as needed to comply with law (we will retain only what is necessary and for the mandated duration). Likewise, if a legal dispute or investigation is ongoing, we would preserve relevant data until it is resolved. The DPDP Act specifically provides that personal data should be erased once the purpose is fulfilled or consent is withdrawn unless retention is needed for legal purposes – we adhere to this standard.
  • Deletion and Anonymization: When the retention period for any personal data expires, or if you request deletion and we have no lawful basis to retain it further, we will take steps to securely delete or irreversibly anonymize the data. Secure deletion may involve erasing data from our databases, overwriting storage media, and instructing any third-party processors to also delete the data. Anonymization means we alter the data in such a way that it can no longer be associated with you (for example, aggregating it with others’ data or removing personal identifiers). Once anonymized, the information is no longer personal data and may be retained for analytics or statistical purposes without further notice to you.
  • Backups and Residual Copies: Even after active deletion, some data may persist in our backup systems or logs for a short duration. We maintain backups for disaster recovery and business continuity, which are kept secure. Any personal data in backups will also eventually be purged or overwritten in the normal backup rotation cycle. We do not restore archived personal data back into active systems except as needed for legal, security, or performance reasons.

In summary, we do not keep your personal data longer than necessary. We periodically review the data we hold and erase or anonymize that which is no longer required. If you have specific questions about our retention periods for any category of data, you may contact us (see Grievance Redressal and Contact Us section below).

Data Security

We take the security of your personal data very seriously. OpenReach has implemented a variety of technical and organizational measures to prevent unauthorized access, loss, misuse, alteration, or disclosure of personal data under our control. Some of the key security practices we employ include:

  • Encryption: Sensitive personal data (such as passwords, financial information, or identity numbers) is protected using encryption both in transit and at rest. For example, our applications use HTTPS (TLS encryption) for all data transmission between your device and our servers, preventing eavesdropping. Certain sensitive fields in our databases may also be encrypted or hashed so that even if the data were accessed, it would not be easily interpretable.
  • Access Controls: We restrict access to personal data strictly to authorized personnel and service providers who need that information to perform their duties. Internal access to databases or systems containing personal data is permission-based, and employees are granted access on a role-based, need-to-know basis (for example, our finance team may access payout information, but not KYC documents, unless required). All staff members and contractors with such access are bound by confidentiality obligations.
  • Authentication and Session Security: For our Platform users, we enforce secure authentication practices. This may include strong password requirements, OTP verifications, or multi-factor authentication for certain actions (especially for client managers on the portal). Sessions are encrypted and time-limited. We also encourage users to keep their credentials confidential and notify us immediately of any unauthorized account use.
  • Network & System Security: Our servers and network are protected by firewalls, intrusion detection systems, and regular security monitoring. We apply security patches and updates to our software and infrastructure in a timely manner to guard against vulnerabilities. Regular backups are maintained to prevent data loss. We also run periodic security audits and penetration tests (either internally or via third-party experts) to identify and remediate potential security risks. Additionally, where feasible, we follow industry standards such as ISO 27001 for information security management and align with best practices for cybersecurity.
  • Training and Awareness: We ensure that our employees are trained in data protection best practices and understand the importance of safeguarding personal data. We have internal policies regarding data handling, and we conduct background checks on staff as permissible. Employees are required to report any suspicious activities or potential security incidents so that quick action can be taken.
  • Incident Response: Despite all precautions, no system can be guaranteed 100% secure. We have established a data breach response plan to deal with any potential security incident swiftly and effectively. If we detect any breach of personal data, we will immediately assess the scope and risk, take necessary containment measures, and notify affected parties and authorities as required. Under the DPDP Act, for example, we would inform the Data Protection Board of India and possibly the impacted individuals in the event of a significant data breach. We also log and analyze incidents to prevent future occurrences.

By implementing these measures, we strive to protect your personal data at all times. However, it is important for you as well to play a part in keeping your data secure: please use unique, strong passwords for our Services, do not share your account details with others, and inform us if you suspect any unauthorized activity on your account.

Your Rights and Choices

We respect your rights over your personal data. As an individual (or “Data Principal” under the DPDP Act), you have certain rights regarding the personal information that we hold about you. We have established procedures to enable you to exercise these rights easily and to the extent required by law. These rights include:

  • Right to Access and Confirmation: You have the right to know whether we process any personal data about you, and to request access to that information. This means you can ask us to confirm if we have your personal data, and if so, request a copy of or details about the information we hold, including the categories of data, the purposes of processing, and any third parties with whom it has been shared. We will provide the requested information in a concise and transparent form, typically within a reasonable time. (Do note that repetitive or excessive requests may attract a reasonable fee or be subject to legal limitations, but we will inform you accordingly.)
  • Right to Correction and Update: If any of your personal data we have is inaccurate, incomplete, or outdated, you have the right to request that it be corrected or updated. For example, if you change your phone number or identify an error in your stored address, you can ask us to rectify it. Where available, certain users (such as retailers via the app or portal) might be able to log in to their profile and directly update some details. For other changes, you can contact us with proof of the correct information, and we will make the amendments after verification.
  • Right to Erasure: You have the right to request deletion of your personal data in certain circumstances. You may exercise this right, for instance, if you no longer want to participate in our programs and wish to close your account, or if you believe our processing is unlawful or beyond the original purpose. Upon such request, we will erase your personal data from our active systems without undue delay, provided (a) there is no overriding legitimate ground or legal obligation for us to retain it (see Data Retention above), and (b) the data is not required for a contract performance that you are still a party to. We will also instruct our processors to delete respective data. Please note that we may retain limited information as required (e.g., to fulfill legal retention or to maintain suppression lists of those who do not wish to be contacted).
  • Right to Withdraw Consent: In cases where we rely on your consent to process personal data (for example, for using your KYC data in a specific optional program, or for sending marketing communications, or for using certain cookies), you have the right to withdraw that consent at any time. If you withdraw consent, we will stop the processing for which consent was provided. For example, you can withdraw your consent for us to use your location data by revoking location permissions on your device or in the app settings; or you can opt out of marketing emails by clicking “unsubscribe” in the email. Withdrawing consent will not affect the lawfulness of processing done before the withdrawal. However, note that if certain data is necessary for providing a service (e.g., KYC for payouts) and you withdraw consent for that essential processing, we may have to limit or terminate your access to that service (since we cannot provide it without the data). We will inform you if such a situation arises.
  • Right to Restrict or Object (Applicable in some jurisdictions): Under GDPR and similar global regimes, individuals have the right in certain situations to object to processing or request restriction of processing. For example, you might object to processing that is based on our legitimate interests or done for direct marketing. While Indian law (DPDP Act) doesn’t explicitly enumerate a broad right to object, it aligns by allowing withdrawal of consent and requiring consent for most processing. If you are an EU resident or otherwise entitled to such rights, you may object to our processing of your personal data on grounds relating to your particular situation. We will consider such objections and comply unless we have compelling legitimate grounds to continue or a legal obligation. You may also request that we temporarily restrict processing your data (other than storing it) if you contest its accuracy or the lawfulness of processing, or if you need us to preserve it for legal claims.
  • Right to Data Portability: To the extent provided by law (such as under GDPR for EU users), you may have the right to data portability, which means you can request a digital copy of certain personal data you provided to us in a structured, commonly used, machine-readable format, and have the right to transmit that data to another service provider. If applicable, we can directly transfer the data to a third party at your direction, where technically feasible. In the context of our services, this might include basic registration information and KYC details you provided. (Note: This right may not be explicitly available under current Indian law, but we mention it here for completeness for global standards. We will endeavor to assist with such requests if made.)
  • Right of Grievance Redressal: Under Indian law, you have the right to raise a grievance with us regarding the processing of your personal data. We are required to provide a readily available means for you to lodge any privacy-related complaints and to address them within a stipulated time. If you have any concerns or complaints about how we are handling your data, you can contact our Grievance Officer (see contact details below). We will acknowledge and strive to resolve your grievance expeditiously, typically within 30 days or as mandated by law. If you are not satisfied with our response, you have the right to escalate the matter to the appropriate regulatory authority (such as the Data Protection Board of India under the DPDP Act, or a supervisory authority in the EU, etc., depending on your jurisdiction).
  • Right to Nominate a Representative: The DPDP Act grants you the right to nominate another individual to exercise your data rights on your behalf in case of your death or incapacity. You may inform us if you wish to designate an authorized person (such as a family member or legal heir) who can act as your nominee for your data. We will require proper verification and legal documentation to validate any requests from a nominee.
  • Right to Opt-Out of Communication: Even outside the strict legal rights, we provide you simple ways to control your preferences. You can opt out of receiving promotional communications from us by using the unsubscribe link in our emails or by contacting us. For push notifications or SMS, you can disable them via your device or notify us that you do not wish to receive such messages. For cookies, as mentioned, you can adjust your browser settings to opt out of non-essential tracking.

To exercise any of your rights, please contact us through the channels provided in the Contact Information section below. We may need to verify your identity (and authority, in case you make a request on someone else’s behalf) to process your request. Verification is to ensure that we do not disclose data to the wrong person or delete data at the wrong person’s request. Verification may involve answering a few questions or providing identification.

We will do our best to honor your request promptly and within the timeframes stipulated by law. If we cannot fulfill your request (due to legal reasons or certain exemptions – for example, if you ask us to delete data which we are required by law to keep), we will inform you of the reasons (unless prohibited). Rest assured, we never discriminate against anyone for exercising their privacy rights. We provide all users with equal service and support regardless of their choices about personal data.

International Data Transfers

OpenReach is an India-based company and, as such, we primarily store and process personal data on servers located within India. However, in the course of our operations, your personal data may be transferred to, and processed in, other countries in the following scenarios:

  • Cloud Hosting and Service Providers: Some of our third-party service providers (for cloud infrastructure, email delivery, analytics, etc.) may store or process data in data centers outside India. For example, if we use a cloud service whose servers are in the United States or the European Union, or if we use a multinational email/SMS provider, some personal data (such as your name, email, or usage data) might be transmitted and stored on those foreign servers. We carefully select service providers who assure a high standard of data protection.
  • Client or Partner Access: If any of our client brand partners or their authorized users access the secure portal from outside India (for instance, a regional manager based abroad reviewing an India campaign), then technically personal data is being accessed from outside the country. Additionally, if in future OpenReach expands or has affiliates in other jurisdictions that need to access data for support or processing, such access would constitute a transfer.

We are mindful of the rules governing cross-border data transfers. The DPDP Act requires that transfers of personal data outside India comply with conditions as may be prescribed by the government, potentially including whitelisting of certain countries or similar mechanisms. Globally, laws like GDPR require that if personal data is exported out of the origin country, it must be protected to the same level as required by the original jurisdiction.

Whenever we transfer personal data internationally, we take steps to ensure adequate protection:

  • We will only transfer data to countries that are recognized as having an adequate level of data protection, or ensure appropriate safeguards are in place. For example, for transfers from India to another country, we will follow the Indian government’s guidelines (if any exist for permitted destinations). For transfers from the EU (if we ever handle EU data) to a third country, we may use Standard Contractual Clauses (SCCs) or rely on an adequacy decision or binding corporate rules to ensure GDPR- level protection.
  • We include robust data protection clauses in our contracts with any foreign processors to bind them to protect your data. They must treat your personal data according to the standards of this Privacy Policy and applicable law, regardless of where it is processed.
  • You consent to the possible transfer of your information outside your country by using our Services. We will always seek to minimize unnecessary cross-border data flows. If you have questions about where your data is stored or transferred, please contact us.

Currently, personal data of Indian users is generally retained in servers within India or in trusted facilities in jurisdictions with strong privacy laws. If the law requires data localization for certain sensitive information (for instance, financial data), we will comply and store such information only in India.

We will update this section if there are any significant changes in our cross-border data handling, especially in response to future regulations under the DPDP Act regarding international transfers.

Third-Party Links and Services

Our Platforms may contain links to websites, applications, or services that are not operated by OpenReach. For example, our Website might include a link to a client’s website, a social media page, or an article of interest. Additionally, our mobile apps might integrate Google Maps for location selection or redirect you to a bank’s portal for completing a KYC step. This Privacy Policy does not apply to personal data processed by those external websites or services.

If you click on a third-party link or otherwise leave our Platforms to interact with an external service, be aware that you are transferring to a platform with its own privacy practices. We do not control and are not responsible for the content, security, or privacy practices of any third-party websites or services. We encourage you to review the privacy policies of every site or app you visit when you leave our Services, to understand how they collect and use your information.

Examples to note:

  • If our Website uses social media sharing plugins (like a LinkedIn or Facebook button), those platforms may collect data about your visit under their own policies.
  • If you use OpenKYC and it leverages a government eKYC service (like UIDAI’s Aadhaar verification page), that process is governed by the respective authority’s terms and privacy rules.
  • If you follow a link from our client portal to download a report on a third-party system or to use a partner’s tool, any data you provide directly to that third party is not covered by our Policy.

Nonetheless, if you believe a third party linked from our Services is misusing your personal data in relation to your interaction via us, please inform us. We take user feedback seriously and will consider removing or disabling links to third parties that are known to compromise user privacy or security.

Grievance Redressal and Contact Information

OpenReach has appointed a Grievance Officer to address any questions, concerns, or complaints you may have regarding your personal data or this Privacy Policy. In accordance with Indian law, we have published the Grievance Officer’s contact details below. If you have any issues – whether it is to report a problem, ask about our practices, or exercise your rights – please do not hesitate to reach out:

  • Grievance Officer: [NIVEDITHA CHAVAN]
  • Designation: Grievance Officer – Privacy Compliance
  • Email: grievance_officer@openreach.co
  • Telephone: [+91-8850217491] (available on working days during business hours)
  • Postal Address: OpenReach DeepMarketing (OPC) Pvt. Ltd, Navi Mumbai

(Note: The above contact details are provided in accordance with Section 10 of the DPDP Act and Rule 5(9) of the IT Rules, which require the designation and publication of a Grievance Officer’s information. We will update this information if there are any changes in the contact or person designated.)

Redressal Process: When you contact our Grievance Officer with a privacy-related query or complaint, we will acknowledge your communication within a reasonable time (typically within 24-48 hours). We will then investigate and attempt to resolve the issue. If it is a request to exercise a data right, the Officer will guide you through any verification needed and fulfill your request or provide an appropriate response. For grievances, we aim to resolve them expeditiously, and in any case within the timeline prescribed by law (currently, the IT Rules suggest resolution within 1 month). You will receive a response outlining the resolution or next steps. If you are not satisfied with our response or if your grievance is not resolved within the stipulated time, you may escalate the matter. Under the DPDP Act, you can file a complaint with the Data Protection Board of India. Similarly, if you are in a jurisdiction outside India, you may contact your local data protection authority or regulator. For instance, EU residents can reach out to their nation’s supervisory authority. We hope it never comes to that, as we are committed to addressing your concerns in good faith.

Other Contact Information: For general inquiries not related to privacy (such as learning more about our services), you may contact us at the general contact provided on our Website (e.g., our sales email or customer service number). We are always here to help our users and clients.

Updates to this Privacy Policy

We may review and update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make any material changes, we will notify users by posting the updated Policy on our Website (with a new “Last Updated” date) and, if appropriate, via our apps or by email notification. We encourage you to periodically review this page for the latest information on our privacy practices. Your continued use of our Services after the effective date of an updated Policy will signify your acceptance of the changes. However, if the changes involve new purposes of processing or require new consent under applicable law, we will obtain your consent where necessary.