GDPR/CCPA Compliance

1. Regulatory Compliance

CapEngage is committed to complying with global data protection regulations including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and India's Digital Personal Data Protection Act (DPDP).

This document outlines our compliance measures and your rights under these regulations.

2. GDPR Compliance

2.1 Legal Basis for Processing

We process personal data based on:

• Contract: Processing necessary for service delivery
• Consent: Explicit consent where required
• Legitimate Interest: For legitimate business purposes
• Legal Obligation: To comply with legal requirements

2.2 GDPR Rights

Under GDPR, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion of your data
• Portability: Receive data in machine-readable format
• Objection: Object to processing
• Restriction: Limit processing of your data

2.3 Data Protection Officer

Our Data Protection Officer (DPO) oversees GDPR compliance and can be contacted at dpo@capengage.com.

3. CCPA Compliance

3.1 California Residents Rights

Under CCPA, California residents have the right to:

• Know: Request disclosure of data collected and used
• Delete: Request deletion of personal information
• Opt-Out: Opt-out of sale of personal information
• Non-Discrimination: No discrimination for exercising rights

3.2 Do Not Sell My Personal Information

CapEngage does not sell personal information. We may share data with service providers as described in our Privacy Policy, but these are not sales under CCPA.

4. DPDP Compliance (India)

4.1 Data Fiduciary Obligations

As a Data Fiduciary under India's DPDP Act, we:

• Process personal data only for specified purposes
• Obtain clear and consent from data principals
• Implement appropriate security measures
• Allow data principals to exercise their rights

4.2 Data Principal Rights

Data principals have rights to access, correct, erase, and nominate another individual to exercise rights in case of death or incapacity.

5. Cross-Border Data Transfers

International data transfers are protected by:

• Standard Contractual Clauses (SCCs) for GDPR transfers
• Adequacy decisions where available
• Compliance with cross-border transfer requirements
• Regional data storage options

6. Data Subject Requests

6.1 Submitting Requests

To exercise your rights, submit requests through:

• Account dashboard data request form
• Email to privacy@capengage.com
• Postal mail to our registered address

6.2 Response Time

We respond to data subject requests within 30 days, extendable by an additional 60 days for complex requests. You will be notified of any extensions.

7. Data Breach Notification

In the event of a personal data breach:

• We notify affected individuals without undue delay
• We notify supervisory authorities within 72 hours (GDPR)
• We provide details of the breach and remedial measures

8. Privacy by Design

We implement privacy by design principles:

• Data minimization - collect only necessary data
• Purpose limitation - use data only for stated purposes
• Storage limitation - retain data only as long as necessary
• Default privacy settings