We, Hansa Research Group Pvt. Ltd., a company incorporated under the Companies Act, 2013 (hereinafter referred to as the “Company”, “BDC”, “we”, “us” or “our”), are committed to protecting the privacy and personal data of all individuals who access or use our research software platform and mobile application known as Hansa Cheetah (Mobile Application). This Privacy Policy describes how personal data is collected, used, stored, disclosed, and protected when you access or use the Platform as an end user, customer, researcher, employee, or registered Panellist.

This Privacy Policy has been formulated in accordance with the Digital Personal Data Protection Act, 2023 of India (“DPDP Act”) and is aligned with internationally recognised data protection principles and applicable privacy laws of multiple jurisdictions, including but not limited to the United Kingdom, European Union member states, Switzerland, the United States, Canada, Australia, Brazil, Mexico, China, Japan, Southeast Asia, Russia, Turkey, and countries in the Middle East.

All visitors to Hansa Cheetah (Mobile Application) are advised to read and understand our Privacy Policy carefully as by accessing or using the Hansa Cheetah (Mobile Application and HansaCheetah.com), you acknowledge that you have read, understood, and agreed to the terms of this Privacy Policy and consent to the collection and processing of your personal data as described herein. If you do not agree with this Privacy Policy, you are advised not to access or use the Hansa Cheetah (Mobile Application).

We reserve the right to change the Terms and Privacy Policy from time to time as we deem fit, without any intimation to You, and your continued use of the mobile application and HansaCheetah.com will signify your acceptance of any amendment to these terms.

You are therefore advised to re-read the Terms of Service on a regular basis. Should it be that you do not accept any of the modifications or amendments to the Terms, you may terminate your use of this mobile application immediately.

Any questions or concerns regarding this Privacy Policy may be addressed by contacting us at survey@hansaresearch.com

We commit to respecting your online privacy data. We further recognised your need for appropriate protection and management of any personally identifiable information ("Personal Information") you share with us. Information that is considered personal about you by us includes, but is not limited to, your name, address, email address or other contact information.

1.1 Scope and Applicability

This Policy applies globally to the Company, all its business units, subsidiaries, and affiliated entities, and to all employees, contractors, temporary staff, consultants, and third parties acting on behalf of the Company. It applies to all processing of personal data carried out through the Company’s research software’s mobile application, internal systems, and supporting business operations.

This Policy applies regardless of the location of the data subject, the location where the personal data is processed, or the form in which the personal data exists, whether electronic, paper-based, or otherwise. Compliance with this Policy is mandatory and forms part of the Company’s overall corporate governance and risk management framework.

1.2 Interpretation and Definitions

For the purposes of this Privacy Policy, terms shall have the meanings assigned to them below.

• “We”, “Our”, “Us”, and “Company” refer to Hansa Research Group Pvt. Ltd., the owner and operator of the Platform, the creator of this policy.
• “You”, “Your”, “Yourself”, and “User” refer to any natural or legal person accessing or using Website and the Mobile Application.
• “Mobile Application” or “Platform” refers to Hansa Cheetah created by Hansa Research Group Pvt. Ltd., including its web based software, mobile application, and associated services.
• “Personal Data” means any data about an individual who is identifiable by or in relation to such data, including basic personal and contact information.
• “Sensitive Personal Data” refers to categories of data such as health information, biometric identifiers, financial information, government issued identifiers, precise geolocation data, or data relating to children the Platform does not collect or process such data.
• “Data Principal” or “Data Subject” refers to the individual to whom the personal data relates.
• “Processing” means any operation performed on personal data, including collection, storage, use, disclosure, analysis, or deletion.
• “Analytics Data” refers to aggregated or technical information generated through Platform usage that does not directly identify individuals and is used for analytical and research insights.

ANY CAPITALIZED WORDS USED HENCEFORTH SHALL HAVE THE MEANING ACCORDED TO THEM UNDER THIS AGREEMENT. FURTHER, ALL HEADING USED HEREIN ARE ONLY FOR THE PURPOSE OF ARRANGING THE VARIOUS PROVISIONS OF THE AGREEMENT IN ANY MANNER. NEITHER THE USER NOR THE CREATORS OF THIS PRIVACY POLICY MAY USE THE HEADING TO INTERPRET THE PROVISIONS CONTAINED WITHIN IT IN ANY MANNER.

1.3 Applicability of This Privacy Policy

This Privacy Policy applies to personal data collected from individuals who register on, access, or use the Mobile Application including registered Panellists, customers, researchers, employees, and authorised representatives. It applies irrespective of the geographic location of the user or the location from which the Platform is accessed.

1.4 Categories of Personal Data Collected

The Company collects only basic and limited personal data necessary for legitimate and lawful business purposes.

For the Mobile Application, You may register yourself by providing the following information which includes:

• Name
• Mobile Number
• Email Id
• Geolocation Data and
• Data related to children in the survey.

Certain information, such as your name, e-mail addresses and mobile number is collected in order to, among other things; verify your identity, use as account numbers in our record system and to manage user participation and research engagement.

This privacy policy applies to data we collect from users who are registered as Panellist of this mobile application.

We Collect Information directly obtained from you. Our Mobile Application and website gives you an option of sharing your contact information (like name, address, e-mail and telephone number) for the purposes of creating our database.

The Company may also collect communications submitted by users through the mobile application.

We commit to respecting your online privacy data. We further recognised your need for appropriate protection and management of any personally identifiable information ("Personal Information") you share with us. Information that is considered personal about you by us includes, but is not limited to, your name, address, email address or other contact information.

1.4.1 Sources of Personal Information

Personal information collected may include:

• Information provided directly by users during registration
• Survey responses voluntarily provided by users
• Information available in the public domain
• Information from publicly available social media platforms including LinkedIn, Facebook, Twitter, and other publicly accessible sources

Such information is collected only where permitted by applicable laws and used solely for research and analytical purposes.

1.4.2 How Information Is Collected:

• Before or at the time of collecting personal information, we identified the purposes for which information is being collected.
• We collect and use of personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law.
• We collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.

Personal data relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date.

1.4.3 Information collected indirectly:

In addition, the mobile application automatically collects limited technical and analytics data, including IP address, device information, operating system, application version, access timestamps, session information, APN token, GSM ID, error logs, and system usage metrics.

The Company does not intentionally collect sensitive personal data. Where such data is collected for research purposes, explicit consent shall be obtained. Users are requested not to submit sensitive personal data through the mobile application

We collect only basic information such as name, e-mail address, contact number, location etc. We also collect and store personal information provided by you from time to time on the mobile application.

1.4.4 Cookies And Tracking Technologies

The Application uses cookies and similar technologies primarily for essential functionality and limited analytics. Non-essential tracking technologies are used only where permitted by law and, where required, based on user consent. Users are provided with options to manage their preferences.

1.4.5 Third Party

We use third-party applications and service providers for sending emails, WhatsApp communications, and processing incentives such as Xoxoday.

1.5 Consent and Choice

Where consent is required, it is obtained through clear and affirmative action, supported by transparent and easily understandable notices. Users are provided with the ability to manage their preferences and withdraw consent at any time through the Mobile Application and website. The Company maintains records of consent to demonstrate compliance and ensures that withdrawal mechanisms are simple and accessible.Consent may be withdrawn at any time without affecting prior lawful processing.

In surveys, where children data is captured, the consent will be provided by the parents and/or the guardians. We have implemented mechanisms to ensure that the consent is provided by the parent and/or guardian only. Consent provided by the child/ren is not valid and accepted by the law.

1.6 Purpose, Legitimacy and Specifications of Processing

The Company adheres to globally recognised data protection principles. Personal data is processed lawfully, fairly, and transparently, ensuring individuals are clearly informed about how their data is used. Data is collected only for specific and legitimate purposes and is not used for unrelated activities.

Personal data is collected and processed solely for specified, explicit, and lawful purposes. We use your IP address, APN Token or GSM ID to help diagnose problems with our server, and to administer Mobile Application. Your IP address, APN Token & GSM ID is also used to help identify you and to gather broad demographic information. Finally, we may use your IP address, APN Token & GSM ID to help protect our partners and ourselves from fraud. We will continue to enhance our security procedures as new technology becomes available.

Processing of personal data is carried out on the basis of consent, contractual necessity, compliance with applicable laws, or legitimate business interests in accordance with the DPDP Act and other applicable data protection laws.

1.6.1 Lawful Basis of Processing

The Company processes personal data based on lawful grounds as required under applicable laws. Under the Digital Personal Data Protection Act, 2023, processing is primarily based on user consent, supplemented by legitimate uses such as compliance with legal obligations or employment-related purposes.

We only collect and use such information from you that we consider necessary for achieving a seamless, efficient and safe experience, customized to your needs including:

• To enable the provision of services opted for by you;
• To communicate with you via SMS, email, WhatsApp, phone calls, and other communication channels, including invitations to participate in surveys, research studies, and qualitative interviews conducted through video conferencing platforms such as Zoom, Google Meet, or similar technologies; and
• To comply with applicable laws, rules and regulations
• Further, transacting over the internet has inherent risks which can only be avoided by you following security practices yourself such as ensuring that Your e-mail address and profile information is confidential. Any information sent to Us by Your e-mail address which has not been sent by You should be notified to our customer care team at the earliest.

1.6.2 Panel Participation and Research Purpose

Hansa Cheetah, owned and operated by Hansa Research Group Pvt. Ltd., contributes to society by providing business firms, organizations, and institutions with statistically processed information and research insights regarding consumer awareness, opinions, and experiences related to products, services, and public initiatives.

Such information is collected through market research activities, surveys, and feedback programs conducted via the Hansa Cheetah platform.

Hansa Cheetah conducts research in accordance with:

• Applicable data protection laws
• The Digital Personal Data Protection Act, 2023
• ESOMAR Code of Conduct
• Industry standards for ethical research practices

All research outputs shared with clients are aggregated, anonymized, and non-personally identifiable formats.

1.6.3 AI-Based Response Quality and Automated Processing

The Company uses Artificial Intelligence (AI), machine learning, and automated tools during survey participation to evaluate open-ended responses in real time. This is done to support response validation, improve data quality, detect inconsistent or fraudulent inputs, and enhance overall research integrity.

Such processing may include automated review of text responses at the time of submission to ensure relevance, completeness, and adherence to survey guidelines. This helps maintain the quality and reliability of research outputs.

Where feasible, such processing is carried out using aggregated, anonymized, or pseudonymized data. The AI systems are designed to support research objectives and do not make decisions that produce legal or similarly significant effects on users.

This processing does not affect user incentives, eligibility, or participation rights without appropriate human review.

Personal data and survey responses may also be used to improve internal AI models for response analysis and quality checks. Such use is limited to research and operational purposes and is not used for unrelated external commercial AI training without appropriate consent, where required by applicable law.

Where third-party AI tools are used, the Company ensures that such providers are bound by contractual obligations to maintain confidentiality, data protection, and security standards consistent with this Privacy Policy.

The Company remains committed to responsible and ethical use of AI technologies and ensures that appropriate human oversight is maintained where necessary.

1.7 Data Minimisation and Accuracy

The Company limits the collection of personal data to what is necessary to achieve the stated purposes and ensures that personal data is relevant and proportionate. The Company takes reasonable steps to ensure that personal data is accurate and kept up to date. Users may update or correct their account information through the Mobile Application or by contacting the Company.

1.8 Use, Retention and Disclosure

1.8.1 Use of Analytics and Research Outputs

The application primarily generates analytical and research outputs that are statistical, aggregated, and non personal in nature. Analytics data is used to understand Platform performance, improve functionality, enhance user experience, ensure system stability, and generate research insights. Analytics data is used only for research insights, service improvement, and operational purpose.

1.8.2 Rights of Data Principals

Individuals are provided with rights in accordance with applicable data protection laws. These include the right to access their personal data, request correction of inaccurate or incomplete data, request deletion of data where applicable, and withdraw consent. In jurisdictions such as the European Union and the United Kingdom, additional rights such as data portability, restriction of processing, and objection to processing may apply.

Under Indian law, individuals also have the right to grievance redressal. The Company provides appropriate mechanisms for exercising these rights and ensures timely responses in accordance with legal requirements. Grievance Redressal is addressed by sending an email to grievance@hansaresearch.com

Requests may be submitted through the Application or by contacting the Company, and will be responded to within legally prescribed timeframes.

Right to correction

Right to deletion

Right to withdraw consent

Users may review and update their information through the Platform or by contacting the Company. Inaccurate or outdated data is corrected or deleted in a timely manner where appropriate.

Users may request modification or deletion of their personal information by contacting:

Data Protection Officer (DPO)

Email: dpo@hansaresearch.com

Subject Line: "Delete/Modify Details"

The Company shall review and respond to such requests within a reasonable timeframe in accordance with applicable laws.

1.8.3 Sharing of PII Information

Research data shared with clients is aggregated and anonymized

1.8.4 Cross Border Data Transfers

As the Mobile Application and website is globally accessible, personal data may be transferred to and processed in jurisdictions outside the user’s country of residence. The Company ensures that such transfers are conducted in compliance with the DPDP Act and other applicable data protection laws and are subject to appropriate safeguards.

Given that only basic personal data is processed, risks associated with cross-border transfers are inherently limited, and appropriate safeguards are implemented to ensure continued protection. Cross Border Data Transfers of PII data are conducted subject to contractual safeguards."

1.8.5 Storage Limitation and Retention

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required under applicable laws, contracts, or regulatory obligations. Upon expiration of the retention period, personal data is securely deleted in accordance with internal data retention policies.

The communications will be sent only while you are an active panel member and will cease once you opt out or unsubscribe from the panel.

1.9 Security Safeguards

The Company implements reasonable technical and organizational security measures to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. These measures include access controls, authentication processes, encryption, system monitoring, periodic security reviews as applicable and appropriate. Despite these measures, users acknowledge that no system is completely secure and that they also play a role in safeguarding their credentials.

With regards to third-party applications and service providers for sending emails, WhatsApp communications, and processing incentives such as Xoxoday, the security controls are implemented by the respective service provider. We assess our third-party security controls on a periodic basis.

1.9.1 Confidentiality

You further acknowledge Mobile Application may contain information which is designated confidential by Us and that you shall not disclose such information without our prior written consent.

Your information is regarded as confidential and therefore will not be divulged to any third party, unless legally required to do so to the appropriate authorities.

We will not sell, share, or rent your personal information to any third party or use your e-mail address and phone number for unsolicited mail / SMS. Any emails / SMS sent by us will only be in connection with the provision of agreed services and products.

1.9.2 Governance And Accountability

The Company maintains a governance framework to ensure compliance with applicable data protection laws. This includes maintaining records of processing activities, conducting risk assessments where necessary, managing third-party risks, and implementing privacy-by-design and privacy-by-default principles. Where required, appropriate personnel are designated to oversee data protection compliance and handle user grievances.

1.9.3 Third Party Links

The Hansa Cheetah platform may contain links to third party websites. The Company is not responsible for the privacy practices, content, or policies of such external websites. Users are advised to review the privacy policies of such websites before providing any personal information.

1.9.4 Panel Behaviour and Community Guidelines

To maintain the integrity of the research panel and platform, users agree not to:

• Post spam or promotional content
• Share unauthorized third party links
• Use offensive, abusive, or profane language
• Engage in harassment or inappropriate conduct
• Promote racism, casteism, or religious offense
• Tag brands or individuals unnecessarily

Violation of these guidelines may result in:

• Warning
• Suspension
• Permanent removal from the panel

The Company reserves the right to take appropriate action to maintain platform integrity.

1.10 Data Breach Management

In the event of a personal data breach, the Company follows a structured response process to identify, contain, investigate, and remediate the incident. Where required by applicable laws, the Company notifies regulatory authorities and affected individuals within prescribed timelines and takes appropriate corrective actions to prevent recurrence.

1.10.1 Fraud Prevention and Panel Integrity

To ensure quality research data, the Company reserves the right to:

• Verify user responses
• Detect fraudulent participation
• Suspend or terminate accounts involved in suspicious activity
• Remove users providing inconsistent or false responses

Such actions are taken to maintain research quality and platform integrity.

1.10.2 Disclosure of Personal Data

Personal data is treated as confidential and is not sold, rented, or shared for unsolicited communications. Personal data may be disclosed to trusted third party service providers who assist in operating the Platform, subject to contractual obligations to protect confidentiality and comply with applicable laws. Personal data may also be disclosed where required by law, court order, or governmental authority, or where necessary to prevent fraud, illegal activity, or harm.

Due to the existing regulatory environment, we cannot ensure that all of your private communications and other personally identifiable information will never be disclosed in ways not otherwise described in this Privacy Policy. By way of example (without limiting and foregoing), we may be forced to disclose information to the government, law enforcement agencies or third parties. Therefore, although we use industry standard practices to protect your privacy, we do not promise, While we implement industry-standard safeguards, no system is completely secure. However, we remain committed to protecting personal data and responding promptly to any incident

Personal data if shared is done so only where necessary and subject to appropriate safeguards We may release your personal information to a third-party in order to comply with a Court Order or other similar legal procedure, or when We believe in good faith that such disclosure is necessary to comply with the law; prevent imminent physical harm or financial loss; or investigate or take action regarding illegal activities, suspected fraud, or violations of Our Terms of Use. We may disclose personally identifiable information to parties in compliance with our Copyright Policy as mentioned in the Terms of Use as we in our sole discretion believe necessary or appropriate in connection with an investigation of fraud, intellectual property infringement, piracy, or other unlawful activity. In such events, We may disclose name, address, country, phone number, email address.

1.11 Changes to This Privacy Policy

The Company reserves the right to update or modify this Privacy Policy from time to time to reflect changes in law, technology, or business practices. Updated versions will be made available through the Mobile application. Continued use of the Application after such updates constitutes acceptance of the revised Privacy Policy, to the extent permitted by law.

1.12 Policy Review and Maintenance

This Policy shall be reviewed annually and updated as necessary to reflect changes in laws, regulations, business operations, or technological developments. Any material changes shall be approved through the appropriate corporate governance process and communicated to relevant stakeholders.

1.13 Monitoring, Compliance, and Enforcement

Compliance with this Policy is mandatory. Violations of this Policy may result in disciplinary action, contractual remedies, or other corrective measures, in accordance with applicable laws and internal policies. The Company periodically reviews compliance with this Policy through audits, assessments, and management oversight.

1.14 Contact Information

If you have any questions, complaints, or requests regarding this Privacy Policy or the processing of your personal data, you may contact us at survey@hansaresearch.com / support@hansacheetah.com

1.15 Annexure A: Country Specific Privacy Considerations

This Policy is designed to meet or exceed baseline compliance requirements across all jurisdictions listed. In jurisdictions such as the UK, EU member states, Switzerland, Brazil, and Japan, the Policy aligns with GDPR style principles including transparency, purpose limitation, and data minimization. In India, it reflects DPDP obligations relating to lawful processing, notice, consent, and data principal rights. In the United States, it aligns with applicable consumer privacy frameworks by limiting data collection and avoiding sale or behavioral profiling. In China, Southeast Asia, Russia, Turkey, and Middle Eastern jurisdictions, the Policy reflects statutory requirements for lawful processing, security safeguards, and cross border transfer controls.

Where local law imposes additional requirements, such requirements are applied in conjunction with this Policy.

1.16 Annexure B: Jurisdictional Compliance Matrix

Core Privacy Principle	Policy Coverage	India (DPDP)	UK/EU	USA	Canada	Australia	Brazil	China	Japan	SEA	Middle East
Lawful processing	Sections 5–6
Data minimization	Section 7
Purpose limitation	Section 6
Accuracy	Section 8
Security safeguards	Section 10
Individual rights	Section 14
Cross-border transfers	Section 13
No sensitive data processing	Section 4

= Fully supported by Policy

= Subject to jurisdiction-specific variation

1.17 Status and Authority

This Annex forms an integral part of the Corporate Data Privacy Policy and must be read in conjunction with the Policy. In the event of conflict between this Annex and local law, applicable law shall prevail. Business units are responsible for ensuring operational compliance in their respective jurisdictions.