Sensitive Information Protection Policy

POLICY ON SENSITIVE INFORMATION PROTECTION

Overview

At Kanha Herbs, we are committed to protecting the personal and confidential information shared with us by our customers, employees, partners, and distributors. We take every possible step to safeguard this information and ensure that the interests of our consumers are always protected.

Applicability

This policy shall be known as Information Technology-Reasonable Security Practices for protecting sensitive personal data and information. It applies to all sensitive data provided to Kanha Herbs by any concerned person.

Objective

The purpose of this policy is to ensure the protection of all data, information, and personal details that directly or indirectly relate to any individual associated with Kanha Herbs.

Applicable Laws

  • Consumer Protection (Direct Selling) Rules, 2021
  • Consumer Protection Act, 2019
  • Consumer Protection (E-Commerce) Rules, 2020
  • Information Technology Rules, 2011 (Reasonable security practices, procedures, and protection of sensitive personal data or information)

Definitions

For the purpose of this policy, the following terms shall have the meanings assigned below:

  • Act: Information Technology Act, 2000 (21 of 2000).
  • Company: Kanha Herbs.
  • Concerned Person: Direct sellers, customers, distributors, and employees of the Company.
  • Cyber Incidents: Any real or suspected event related to cyber security that violates applicable security policies. This may include unauthorized access, denial of service, disruption, misuse of computer resources, or unauthorized changes to data or information.
  • Data: Information, knowledge, facts, concepts, or instructions prepared or processed in a formal manner within a computer system or network. Data may exist in printouts, magnetic or optical media, punched cards, tapes, or stored within computer memory.
  • Information: Data, messages, text, images, sound, voice, codes, computer programs, software, databases, microfilm, or computer-generated microfiche.
  • Intermediary: Any person or entity that, on behalf of another, receives, stores, or transmits electronic records, or provides related services. This includes telecom service providers, network providers, internet service providers, web-hosting services, search engines, online payment platforms, e-commerce sites, marketplaces, and cyber cafes.
  • Password: Secret word, phrase, code, passphrase, or key (including encryption or decryption keys) that allows access to information.
  • Personal Information: Any information that relates to a natural person which, directly or indirectly, alone or in combination with other available information, can identify that person.

Sensitive Personal Data and Information

  1. Password: Any secret code, phrase, or key used to access information.
  2. Financial Information: Such as bank account details, credit card, debit card, or other payment instrument details.
  3. Health Information: Physical, physiological, or mental health conditions of an individual.
  4. Sexual Orientation: Any details relating to the individual's orientation.
  5. Medical Records and History: Information about past or current medical conditions, treatments, or health records.
  6. Associated Details: Any information related to the above categories provided to the Company for the purpose of delivering services.
  7. Processed Information: Any information received, stored, or processed by the Company under lawful contract or otherwise, which relates to the above categories.

Need for Your Information

As per our policy, we generally do not require you to share sensitive personal data or information in our regular processes.

However, in certain cases, we may need this information as required by law, such as:

  • When you place an order.
  • For processing commission payments to direct sellers.
  • When medical records or health history are necessary for routine health check-ups or for purchasing specific products.

We assure you that any information collected in such cases will be handled strictly in line with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Collection of Information

  1. Consent as per Your Choice
    • We do not collect any personal or sensitive information without your acceptance or permission.
    • The Company will obtain your consent in writing, through a signed letter, mobile OTP, or email before using any sensitive personal data or information.
  2. Collected for Lawful Purpose
    • The Company will only collect sensitive personal data if it is required for a lawful purpose.
    • Such information will only be gathered when it is necessary for the proper functioning of the Company and directly related to that purpose.
  3. Your Information Is in Your Knowledge

    The Company will take reasonable steps to ensure that the person providing the information is fully aware of the following:

    • The fact that their information is being collected.
    • The purpose for which it is being collected.
    • Who the intended recipients of the information are.
    • The name and address of the person responsible for collecting and retaining the information.
  4. Limited Retention of Information
    • The Company or any authorized person will not retain your information longer than necessary, except where required by law.
  5. Use of Information
    • The information collected will only be used for the specific purpose for which it was collected.
  6. Review of Information
    • The Company may request you to update your information or provide additional details if required by law or for business needs.
    • However, the Company will not be responsible for the accuracy or authenticity of the personal or sensitive information provided by you.
  7. Withdrawal of Information
    • Before collecting sensitive personal data, the Company provides you with the choice to withhold or decline to share the information.
    • You may withdraw your consent at any time while availing of the services, but the withdrawal must be submitted in writing.
    • If you choose not to provide or later withdraw your information, the Company may not be able to provide the goods or services for which the information was required.
  8. Addressing Discrepancies or Grievances
    • The Company will address any discrepancies or grievances raised by the information provider.
    • A Grievance Officer will be appointed by the Company to handle such issues, and grievances will be resolved within 1 month from the date of receipt.

Disclosure of Information

  1. Disclosure to Third Parties
    • Prior Approval: The Company will not disclose any information to third parties without obtaining prior approval from the provider of the information.
    • Sharing with Government Agencies: Information, including sensitive personal data, may be shared with government agencies as required by law for purposes such as identity verification, prevention, detection, investigation (including cyber incidents), prosecution, or punishment of offences. In such cases, prior consent of the information provider is not required.
    • No Publication: The Company will not publish sensitive personal data of any individual under any circumstances.
    • Third-Party Responsibility: Any third party that receives sensitive personal data or information from the Company will be prohibited from disclosing it further.

To Whom Your Personal Data May Be Disclosed

  • Group Companies & Service Providers: Other group companies, subcontractors, direct sellers, agents, or service providers (including their employees, directors, officers, and subcontractors) who work with us or provide services to us.
  • Government & Legal Authorities: Law enforcement agencies, government authorities, courts, dispute resolution bodies, regulators, auditors, or any parties appointed by regulators to conduct audits or investigations.
  • Statutory & Regulatory Bodies: Authorities, investigating agencies, or entities before whom disclosure of Personal Data is legally required, including courts, judicial and quasi-judicial authorities, tribunals, and arbitration bodies.
  • Overseas Regulators: Where applicable, we may also disclose data to regulators outside India.
  • Based on Your Instructions: Any other party you specifically instruct us to share your Personal Data with.

Transfer of Information

  1. Authority to Transfer
    The Company, or any authorized person acting on its behalf, may transfer sensitive personal data or information to another person or company. However, the receiving party must provide the same level of data protection as maintained by the Company.
  2. Conditions for Transfer
    Transfer of information will only be allowed in the following cases:
    • When it is necessary to perform a lawful contract between the Company (or its authorized representatives) and the provider of the information.
    • When the provider of the information has given clear consent for the transfer.

Security Practices

  • We comply with IS/ISO/IEC 27001 standards on Information Security Management Systems to protect sensitive personal data.
  • Regular reviews are conducted to ensure policies remain accurate and up to date.

Policy Updates

We may update this Privacy Policy from time to time. Any changes will be posted on this page, and we encourage you to review it regularly.

Contact Us

For any questions, updates, or concerns related to this Policy, please contact us:

Kanha Herbs
Email: contact@kanhaherbs.in


© Kanha Herbs Pvt. Ltd. All rights reserved.