Data Protection Policy

Thrivana Health Pvt. Ltd. (Thrivana)

Operating under exclusive license from Prana Diabetes Inc. (d/b/a HabitNu)

1. Purpose and Scope. This policy defines how Thrivana protects and manages personal data for HabitNu users. It applies to all employees, contractors, and vendors handling data in India.

2. Principles. Lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, accountability, confidentiality, and integrity.

3. Roles and Responsibilities. Thrivana is the Data Fiduciary under the Digital Personal Data Protection Act (DPDPA). Vendors act as Data Processors under our supervision and contract.

4. Security and Access Control. Data is encrypted at rest and in transit. Role‑based access with multi‑factor authentication is required. Quarterly access reviews are performed. Access is revoked upon role change.

5. Vendor Management. We conduct due diligence before onboarding vendors. All data remains within India. Vendor contracts include data protection clauses and are governed by Indian law.

6. Training and Awareness. All employees receive annual privacy and security training. Non‑compliance may lead to disciplinary action.

7. Incident and Breach Response. Incidents must be reported to the Data Protection Officer (DPO) within twenty‑four hours. Containment and analysis are conducted promptly. Affected users and the Data Protection Board of India are notified if required.