Biosphere.Studio

    Privacy Policy

    Last Updated: April 27, 2025

    1. Introduction and Scope

    Biosphere Studio ("Biosphere," "we," "us," or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy outlines our practices concerning the collection, use, processing, and disclosure of personal data when you interact with our website (biosphere.studio) (the "Site"), our mobile applications (if applicable, collectively the "App"), our communication channels (including email, contact forms, and phone calls), and when you engage with our digital product development and marketing services (collectively, the "Services").

    This policy applies to all individuals whose personal data we process, including website visitors, prospective clients, current clients, partners, job applicants, and any other individuals interacting with our Services. Biosphere Studio is headquartered in Bangalore, Karnataka, India.

    We are dedicated to processing personal data in compliance with applicable data protection laws, including the European Union's General Data Protection Regulation (GDPR) where applicable, and notably, India's Digital Personal Data Protection Act, 2023 (DPDP Act). This policy aims to provide transparency regarding the types of personal data we collect, the purposes for which we use it, the lawful bases for processing, how we share and protect your data, your rights concerning your data, and how you can contact us.

    The digital nature of our services and our global accessibility mean we may process data from individuals located in various jurisdictions. Consequently, this policy addresses requirements under both the DPDP Act, which has extraterritorial scope when offering goods or services to individuals in India, and the GDPR, which applies when we offer goods or services to, or monitor the behaviour of, individuals in the European Economic Area (EEA). The DPDP Act represents a significant evolution from India's previous data protection framework under the Information Technology Act, 2000 (Section 43A and the SPDI Rules), establishing a higher standard of data protection, enhanced user rights, and stricter compliance obligations. This policy reflects our commitment to these enhanced standards.

    Please read this Privacy Policy carefully to understand our practices regarding your personal data.

    2. Definitions

    For the purposes of this Privacy Policy, the following terms shall have the meanings ascribed to them below:

    • Personal Data: Any data about an individual who is identifiable by or in relation to such data. This includes, but is not limited to, information such as names, email addresses, phone numbers, IP addresses, cookie identifiers, client information provided to us, and website usage data. This definition aligns broadly with the concept of personal data under GDPR.
    • Digital Personal Data: Personal Data that is in digital form. This includes personal data collected digitally, or collected non-digitally and subsequently digitized. The DPDP Act specifically applies to the processing of Digital Personal Data.
    • Processing: Any operation or set of operations performed on digital personal data, whether wholly or partly by automated means. This includes collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure, or destruction.
    • Data Principal: The individual to whom the Personal Data relates. Under the DPDP Act, where the individual is a child (below 18 years) or a person with a disability, this term includes their parent or lawful guardian. This is equivalent to "Data Subject" under GDPR.
    • Data Fiduciary: Any person (individual, company, firm, state, etc.) who alone or in conjunction with others determines the purpose and means of processing personal data. Biosphere Studio acts as a Data Fiduciary for the personal data collected directly through its Site, App, communications, and for its own business purposes (e.g., marketing, employee data).
    • Data Processor: Any person who processes personal data on behalf of a Data Fiduciary. Biosphere Studio may act as a Data Processor when handling personal data provided by its clients (who are the Data Fiduciaries) for the purpose of delivering contracted Services (e.g., developing a client's application, managing client marketing data). Our obligations as a Data Processor are primarily governed by the Data Processing Agreement (DPA) entered into with the respective client.
    • Consent: Consent of the Data Principal means any freely given, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes by which they, through a clear affirmative action, signify agreement to the processing of their personal data for the specified purpose. Consent must be as easy to withdraw as it is to give.
    • Legitimate Uses (DPDP Act): Specific grounds under the DPDP Act allowing processing without explicit consent, including processing voluntarily provided data for a specified purpose (where the Data Principal has not objected), compliance with law or court orders, responding to medical emergencies, employment-related purposes, and certain state functions. Note that the DPDP Act does not permit processing based on the GDPR concepts of 'contractual necessity' or broad 'legitimate interests' for private entities.
    • Data Breach: Any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of, or loss of access to, personal data that compromises the confidentiality, integrity, or availability of personal data.
    • Sensitive Personal Information: Refers to specific categories of personal data requiring heightened protection under some laws (e.g., GDPR), such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sexual orientation. Biosphere Studio explicitly states it does not process Sensitive Personal Information.
    • Publicly Available Personal Data: Personal data made or caused to be made publicly available by the Data Principal themselves, or by any other person who is under a legal obligation to make such data publicly available. The DPDP Act generally does not apply to the processing of such data, though the scope and application of this exemption can be complex.

    3. Personal Data We Collect

    We collect various types of personal data depending on your interaction with us. We are committed to the principle of data minimization, collecting only the data necessary for the specified purposes outlined in this policy. The categories of personal data we collect include:

    3.1. Information You Provide Directly:

    • Contact Information: Name, email address, phone number, postal address.
    • Professional Information: Company name, job title, website URL.
    • Account Information: If you create an account with us (e.g., for a client portal), username, password, and preferences.
    • Communication Preferences: Your preferences for receiving marketing communications or other information from us.
    • Inquiry/Support Data: Information you provide when you contact us through forms, email, phone, or other channels for inquiries, support, or feedback.
    • Client Onboarding & Project Data: Information provided during client engagement, project scoping, and service delivery, including business requirements and contact details for project stakeholders.
    • Billing Information: Payment details necessary for processing payments for our services (typically processed via secure third-party payment processors).
    • Event/Content Registration: Information provided when registering for webinars, events, or downloading resources (e.g., whitepapers).

    3.2. Information Collected Automatically (Usage Data):

    When you visit our Site or use our App, we automatically collect certain information about your device and interaction with our Services. This includes:

    • Device Information: IP address, device type, device name, operating system, browser type and version, screen resolution.
    • Usage Information: Referring URLs, pages visited on our Site/App, time and date of visits, duration spent on pages, clickstream data, interaction patterns, features used.
    • Location Information: Country and general geographic location, often inferred from your IP address. We do not typically collect precise geolocation data unless necessary for a specific service and with your explicit consent.
    • Log and Diagnostic Data: Service-related, diagnostic, usage, and performance information automatically logged by our servers, including crash data, system activity, and error reports.

    3.3. Cookies and Similar Tracking Technologies:

    We use cookies (small text files stored on your device) and similar technologies like web beacons and pixels to collect and store information when you interact with our Services. These technologies help us:

    • Operate and secure our Site/App.
    • Remember your preferences and settings.
    • Analyze website traffic and usage patterns (e.g., via Google Analytics).
    • Understand the effectiveness of marketing campaigns.
    • Prevent crashes and fix bugs.

    We categorize cookies (e.g., Strictly Necessary, Performance/Analytics, Functional, Targeting/Marketing). You can manage your cookie preferences through our Cookie Consent banner and browser settings. For more detailed information, please refer to our Cookie Policy (Section 11 below).

    3.4. Client Data (Processed on Behalf of Clients):

    When providing our Services (e.g., building digital products, creating marketing dashboards), we may process personal data that our clients (acting as Data Fiduciaries) provide to us or instruct us to collect on their behalf. This "Client Data" is processed solely based on the client's instructions and as outlined in the Data Processing Agreement (DPA) between Biosphere Studio and the client. Biosphere Studio acts as a Data Processor for this Client Data. Examples may include:

    • Client's customer lists for analysis or marketing integration.
    • End-user data required for application development, testing, or functionality.
    • Analytics data collected from client platforms for dashboard creation.

    This Privacy Policy primarily covers data for which Biosphere Studio is the Data Fiduciary. The handling of Client Data is governed by our agreements with our clients.

    3.5. Information from Third-Party Sources:

    Our current practice is not to collect personal information about you from third-party sources, such as data brokers or public databases, to supplement the data we collect directly. If this practice changes, we will update this Privacy Policy accordingly. We do utilize third-party tools like Google Analytics, which collect data directly during your interaction with our Site; these tools operate under their own privacy policies.

    3.6. Sensitive Personal Information:

    We do not collect or process Sensitive Personal Information (as defined in Section 2, including data related to health, religion, sexual orientation, biometrics, etc.) through our Site, App, or general business operations. We request that you do not send or disclose any Sensitive Personal Information to us unless specifically requested for a legitimate purpose (which is currently not anticipated) and with appropriate safeguards and explicit consent mechanisms in place.

    4. How and Why We Use Your Personal Data (Purposes and Lawful Basis)

    We process your personal data only for specified, explicit, and legitimate purposes, and only when we have a valid legal reason (lawful basis) to do so under applicable data protection laws (GDPR and DPDP Act). We do not process personal data in a manner incompatible with these purposes.

    The DPDP Act primarily relies on Consent and specific Legitimate Uses as lawful bases for processing by private entities. GDPR provides additional bases like Contractual Necessity and Legitimate Interests (requiring a balancing test). We identify the applicable basis for each processing purpose below, noting distinctions where necessary.

    Here are the purposes for which we process your personal data and the corresponding lawful bases:

    | Category of Personal Data Processed | Purpose of Processing | Lawful Basis (DPDP Act) | Lawful Basis (GDPR, if applicable) |
    | :---- | :---- | :---- | :---- |
    | Contact Info, Professional Info, Billing Info, Client Project Data | To Provide and Manage Services: Deliver contracted services, manage client accounts, process payments, communicate about projects, provide support. | Legitimate Use (Processing data voluntarily provided by the client for the specified purpose of receiving services); Consent (where applicable for initial engagement) | Contractual Necessity (Processing necessary to perform the contract with the client); Legitimate Interests (Managing client relationships, business operations) |
    | Contact Info, Professional Info, Inquiry/Support Data | To Communicate with You: Respond to inquiries via forms/email/phone, send service-related communications, provide customer support, request feedback. | Consent (for initiating contact via forms, newsletter sign-ups); Legitimate Use (Responding to inquiries initiated by you, managing ongoing client communication) | Consent (for marketing opt-ins); Contractual Necessity (for service communications); Legitimate Interests (Responding to inquiries, maintaining business communication) |
    | Usage Data (IP, browser, device, interaction), Cookies (Analytics) | To Improve Our Website and Services: Analyze website traffic and user behavior, improve user experience, diagnose technical issues, maintain website security. | Legitimate Use (Operating and improving our website and services); Consent (for non-essential analytics/performance cookies) | Legitimate Interests (Website operation, improvement, security analytics); Consent (for non-essential cookies) |
    | Contact Info, Communication Preferences, Cookies (Marketing/Targeting) | For Marketing and Advertising: Send newsletters, promotional emails, event invitations (if opted-in); measure marketing campaign effectiveness; potentially personalize ads. | Consent (Explicit opt-in required for marketing communications and non-essential marketing cookies) | Consent (Explicit opt-in required for marketing communications and non-essential marketing cookies); Legitimate Interests (potentially for analyzing campaign effectiveness; requires assessment) |
    | Usage Data (IP, logs), Account Information | For Security and Fraud Prevention: Monitor for suspicious activity, prevent unauthorized access, detect and investigate security incidents and fraud. | Legitimate Use (Ensuring security of our services); Legal Obligation (Compliance with cybersecurity laws/reporting) | Legitimate Interests (Protecting our services and users); Legal Obligation (Compliance with security laws) |
    | Any relevant Personal Data | To Comply with Legal Obligations: Fulfill legal requirements, respond to lawful requests from authorities, courts, or regulators. | Legal Obligation (Compliance with applicable Indian laws); Legitimate Use (Compliance with law/court orders) | Legal Obligation (Compliance with applicable EU/Member State laws) |
    | Information provided by job applicants | For Employment Purposes: Process job applications, evaluate candidates, manage recruitment process. | Legitimate Use (Processing necessary for employment purposes); Consent (For initial application submission) | Legitimate Interests (Recruitment); Consent; Potentially Contractual Necessity (steps prior to entering employment contract) |
    | Client Data (as defined in Sec 3.4) | To Fulfill Client Instructions (as Data Processor): Process Client Data strictly according to the instructions of the client (Data Fiduciary) and the terms of the DPA. | N/A (Processing governed by Client's lawful basis and DPA) | N/A (Processing governed by Client's lawful basis and DPA) |

    Important Considerations regarding Lawful Bases:

    • DPDP Act's Emphasis on Consent: The DPDP Act places a strong emphasis on Consent as the primary lawful basis for processing personal data by private entities. The alternative, Legitimate Uses, covers specific scenarios like processing data voluntarily provided by the Data Principal for the purpose it was provided (provided they haven't objected), employment, legal compliance, and emergencies. This is narrower than GDPR's 'Legitimate Interests' basis, which involves a balancing test. Therefore, for activities like marketing or using non-essential cookies, explicit, affirmative consent is crucial under DPDP.
    • Purpose Limitation: We collect and process personal data only for the specific purposes outlined above and communicated to you (e.g., in a notice provided at the time of collection). We will seek fresh consent if we intend to use your data for a new, incompatible purpose. The DPDP Draft Rules emphasize providing granular, itemized descriptions of purposes in consent notices.

    5. How We Share Your Personal Data

    We do not sell your personal data. We may share your personal data only in the circumstances described below, and always in accordance with applicable data protection laws and with appropriate safeguards in place:

    • Service Providers (Data Processors): We engage trusted third-party companies and individuals to perform functions on our behalf (Data Processors). These may include cloud hosting providers (e.g., AWS), email delivery services (e.g., MailChimp), analytics providers (e.g., Google Analytics), payment processors, customer relationship management (CRM) platforms, and technical support providers. We share personal data with these processors only to the extent necessary for them to perform their services for us. Crucially, under the DPDP Act (Section 8(2)) and GDPR, we enter into legally binding Data Processing Agreements (DPAs) with our processors. These DPAs obligate processors to:
      • Process personal data only on our documented instructions.
      • Implement appropriate technical and organizational security measures to protect the data.
      • Ensure personnel authorized to process the data are bound by confidentiality.
      • Assist us in responding to Data Principal/Subject requests.
      • Notify us promptly of any data breaches.
      • Delete or return data upon termination of the agreement, unless legally required to retain it.
      • Obtain our prior authorization before engaging any sub-processors and ensure sub-processors are bound by equivalent data protection obligations. Biosphere Studio remains responsible for the actions of its Data Processors regarding the handling of personal data processed on our behalf.
    • Client Data Sharing (When Acting as Processor): When we act as a Data Processor for our clients, we process Client Data according to the client's (Data Fiduciary's) instructions as documented in the DPA. We may share this Client Data back with the client or with authorized sub-processors strictly as permitted by the client and the DPA.
    • Business Transfers: If Biosphere Studio is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your personal data may be shared or transferred as part of that transaction, subject to standard confidentiality agreements and applicable legal requirements. We will notify you of any such change in ownership or control of your personal data, where feasible and legally permitted.
    • Legal Requirements and Protection of Rights: We may disclose your personal data if we believe in good faith that such disclosure is necessary to:
      • Comply with a legal obligation, applicable law, regulation, court order, subpoena, or other legal process.
      • Protect and defend the rights, property, or safety of Biosphere Studio, our clients, our users, or the public.
      • Prevent or investigate possible wrongdoing in connection with our Services.
      • Protect the personal safety of users of the Services or the public.
      • Protect against legal liability.
    • With Your Consent: We may share your personal data with other third parties not described above if we have obtained your explicit consent to do so.
    • Aggregated or Anonymized Data: We may share aggregated or anonymized data, which cannot reasonably be used to identify you, for purposes such as statistical analysis, research, reporting, or improving our services. This type of data is not considered personal data under DPDP or GDPR.
    • Third-Party Analytics and Tools: As mentioned, we use tools like Google Analytics. These tools collect usage data directly from your browser. While we receive analyzed reports, the tool providers may also process this data for their own purposes as independent Data Fiduciaries/Controllers. We encourage you to review their privacy policies (e.g., Google's Privacy Policy).

    6. International Data Transfers

    Your personal data may be transferred to, stored, and processed in countries other than your country of residence, including India, where Biosphere Studio is headquartered, and potentially other countries where our third-party service providers operate (e.g., locations of cloud servers). Data protection laws in these countries may differ from those in your jurisdiction.

    We ensure that any international transfer of personal data complies with applicable data protection laws:

    • Compliance with India's DPDP Act: Under Section 16 of the DPDP Act, the transfer of personal data outside India is generally permitted unless the Central Government of India restricts transfers to specific countries or territories through notification (a "blacklist" approach). We will monitor and comply with any such restrictions issued by the Indian government. Furthermore, if any other applicable Indian law or sectoral regulation imposes stricter requirements or higher degrees of protection for cross-border data transfers, those stricter requirements will apply. The DPDP Act Draft Rules suggest the possibility of additional government-imposed conditions on transfers, even to non-blacklisted countries, particularly concerning access by foreign states. We will adhere to any such conditions once finalized and notified.
    • Compliance with GDPR (for EEA Data): If we transfer personal data originating from the European Economic Area (EEA) to countries outside the EEA that have not been deemed adequate by the European Commission (such as India), we rely on legally recognized transfer mechanisms to ensure an adequate level of data protection. These primarily include implementing Standard Contractual Clauses (SCCs) approved by the European Commission with the data importer (e.g., our service providers or Biosphere Studio itself if acting as importer). We conduct Transfer Impact Assessments (TIAs) where required to evaluate the level of protection in the destination country and implement supplementary measures if necessary.
    • Contractual Safeguards: Regardless of the specific legal mechanism, we ensure that transfers to third-party service providers are governed by Data Processing Agreements (DPAs) that include robust data protection clauses, requiring the recipient to protect the personal data to a standard consistent with this Privacy Policy and applicable laws.

    By using our Services or providing us with your personal data, you acknowledge that your data may be transferred to and processed in countries outside your own, subject to the safeguards described herein.

    7. Data Security Measures

    Biosphere Studio takes the security of your personal data seriously. We implement and maintain "reasonable security safeguards" as required by the DPDP Act and "appropriate technical and organizational measures" under GDPR to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

    Our security measures include, but are not limited to:

    • Encryption: Encrypting personal data both in transit (using protocols like TLS/SSL) and at rest (using standards like AES).
    • Access Controls: Implementing strict access controls based on roles and the principle of least privilege, ensuring that only authorized personnel have access to personal data necessary for their job functions.
    • Authentication: Utilizing secure authentication methods, potentially including multi-factor authentication (MFA) where appropriate, to verify user identities.
    • Secure Development (Privacy by Design): Integrating privacy and security considerations into our software development lifecycle (SDLC) from the outset (Privacy by Design). This includes secure coding practices, vulnerability management, and privacy impact assessments where appropriate. We may also leverage Privacy Enhancing Technologies (PETs) such as anonymization or pseudonymization where feasible to minimize privacy risks.
    • Regular Audits and Testing: Conducting periodic security assessments, vulnerability scans, and potentially penetration tests to identify and remediate security weaknesses.
    • Data Minimization: Collecting and retaining only the personal data that is necessary for the specified purposes.
    • Logging and Monitoring: Maintaining logs of access and processing activities to detect and respond to security incidents.
    • Incident Response: Having procedures in place to detect, respond to, and recover from data breaches or security incidents.
    • Employee Training: Providing regular training to our employees on data protection principles, security best practices, and their responsibilities under this policy and applicable laws.
    • Processor Security: Requiring our Data Processors through contractual agreements (DPAs) to implement and maintain appropriate security measures.

    While the DPDP Act mandates "reasonable security safeguards" without exhaustively defining them, and the Draft Rules provide minimums, we strive to align our practices with recognized industry standards and best practices, such as those outlined in ISO/IEC 27001. The significant penalties under the DPDP Act for security failures underscore the importance of robust protection.

    Disclaimer: Please note that despite our efforts, no method of electronic transmission or storage can be guaranteed to be 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

    8. Data Retention and Erasure

    We retain your personal data only for as long as is necessary to fulfill the specific purposes for which it was collected, as outlined in Section 4 of this Privacy Policy, unless a longer retention period is required or permitted by law.

    The criteria used to determine our retention periods include:

    • The duration of our relationship with you (e.g., as a website visitor, client, or applicant).
    • The necessity of the data to provide our Services or operate our business.
    • The existence of a legal or regulatory obligation requiring retention (e.g., tax laws, financial record-keeping, compliance with court orders).
    • The need to retain data for potential or actual dispute resolution (considering applicable statutes of limitation).
    • The purpose for which the data was collected -- data is erased when the purpose is no longer served.

    Under the DPDP Act and GDPR, you have the right to request the erasure of your personal data under certain circumstances (see Section 9, Your Data Protection Rights). We will comply with valid erasure requests unless retention is necessary for compliance with a legal obligation, the establishment, exercise, or defense of legal claims, or other grounds permitted by applicable law.

    We will also erase personal data if the processing was based on consent and you withdraw that consent, provided there is no other legal ground for retaining the data.

    The DPDP Draft Rules propose specific retention periods (e.g., 3 years of inactivity) for certain large online intermediaries. While these specific rules may not directly apply to Biosphere Studio at this time, we adhere to the underlying principle of periodically reviewing data and deleting it when its purpose is fulfilled or after reasonable periods of inactivity, based on the context.

    When personal data is no longer required for the purposes for which it was collected, and we have no ongoing legitimate business need or legal obligation to retain it, we will either securely delete it or anonymize it. If deletion is not immediately possible (e.g., data stored in backup archives), we will securely store the data and isolate it from further processing until deletion is feasible.

    Data processed by Biosphere Studio as a Data Processor on behalf of our clients is retained or deleted in accordance with the client's instructions and the terms specified in the relevant Data Processing Agreement (DPA).

    9. Your Data Protection Rights

    Under applicable data protection laws, you have certain rights regarding your personal data. Biosphere Studio is committed to facilitating the exercise of these rights. Your specific rights may depend on your location (e.g., if you are in the EEA or India) and the context of the data processing.

    9.1. Rights under the DPDP Act (Applicable to Data Principals in India):

    • Right to Access Information: You have the right to request confirmation whether we are processing your personal data, access a summary of the personal data being processed, understand the processing activities undertaken, and know the identities of other Data Fiduciaries or Data Processors with whom your data has been shared (subject to certain limitations, e.g., data shared for law enforcement purposes).
    • Right to Correction and Erasure: You have the right to request the correction of inaccurate or incomplete personal data and the updating of your data. You also have the right to request the erasure (deletion) of your personal data when it is no longer necessary for the purpose for which it was collected, or if you withdraw consent (where consent was the basis), unless retention is required by law.
    • Right to Withdraw Consent: Where our processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. The process for withdrawal will be as easy as the process for giving consent. Upon withdrawal, we will cease processing your data for the purpose(s) for which consent was sought, unless another lawful basis applies.
    • Right to Grievance Redressal: You have the right to a readily available and effective means of registering grievances regarding our processing of your personal data. You should first raise your grievance with us (see Section 15). If you are unsatisfied with our response, you have the right to escalate the complaint to the Data Protection Board of India (DPB).
    • Right to Nominate: You have the right to nominate another individual who can exercise your rights under the DPDP Act on your behalf in the event of your death or incapacity.

    9.2. Rights under GDPR (Applicable to Data Subjects in the EEA):

    If you are located in the EEA, you have the following rights in addition to or overlapping with those under the DPDP Act:

    • Right of Access: Similar to the DPDP Act right.
    • Right to Rectification: Similar to the DPDP Act right.
    • Right to Erasure ('Right to be Forgotten'): Similar to the DPDP Act right.
    • Right to Withdraw Consent: Similar to the DPDP Act right.
    • Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data under certain conditions (e.g., if you contest the accuracy of the data, or the processing is unlawful).
    • Right to Data Portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller where the processing is based on consent or contract and is carried out by automated means. Note: The DPDP Act does not explicitly grant a right to data portability.
    • Right to Object: You have the right to object to the processing of your personal data where it is based on our legitimate interests, or for direct marketing purposes.
    • Rights related to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (subject to exceptions).

    9.3. Exercising Your Rights:

    To exercise any of these rights, please contact us using the details provided in Section 15 (Contact Information). You may submit a request via email or potentially through a dedicated form or portal if made available on our Site.

    We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

    We will respond to your request within the timeframes required by applicable law. Under GDPR, this is typically within one month of receipt of the request, extendable by two further months where necessary. The DPDP Act requires Data Fiduciaries to establish and publish timelines for responding to grievances and rights requests. We aim to respond to all legitimate requests promptly and within legally mandated timelines.

    9.4. Data Principal Duties (DPDP Act):

    Please be aware that under India's DPDP Act, Data Principals also have certain duties, including:

    • Not to register false or frivolous grievances or complaints.
    • Not to furnish any false particulars or suppress material information.
    • Not to impersonate another person.
    • To provide verifiably authentic information when exercising the right to correction or erasure.

    Violation of these duties may result in penalties under the DPDP Act.

    9.5. Right to Complain:

    You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data infringes applicable data protection laws.

    • For India: The Data Protection Board of India (DPB).
    • For the EEA: The data protection authority in your Member State of residence, place of work, or place of the alleged infringement.

    We encourage you to contact us first (Section 15) to resolve any issues.

    10. Cookie Policy

    10.1. What are Cookies?

    Cookies are small text files placed on your device (computer, smartphone, tablet) when you visit a website. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Similar technologies like web beacons, pixels, and scripts are also used for tracking and analytics purposes.

    10.2. How We Use Cookies:

    Biosphere Studio uses cookies and similar technologies for several purposes:

    • Strictly Necessary Cookies: These are essential for the operation of our Site and Services. They enable basic functions like page navigation, security, and access to secure areas. The Site cannot function properly without these cookies. Consent is not required for these cookies.
    • Performance and Analytics Cookies: These cookies help us understand how visitors interact with our Site by collecting and reporting information anonymously. We use tools like Google Analytics to analyze website traffic, track user engagement (e.g., pages visited, time spent), identify technical issues, and improve our Site's performance and user experience. Your consent is typically required for these cookies under GDPR and potentially under DPDP Act interpretations for non-essential tracking.
    • Functionality Cookies: These cookies enable the Site to remember choices you make (such as your username, language, or region) and provide enhanced, more personal features. For example, they might remember your preference settings. Your consent is generally required for these cookies.
    • Marketing/Targeting Cookies: These cookies may be set through our site by us or our advertising partners. They may be used to build a profile of your interests and show you relevant advertisements on other sites. They track your browser across different sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. Your explicit consent is required for these cookies.

    10.3. Third-Party Cookies:

    Some cookies may be placed by third-party services that appear on our pages, such as analytics providers (Google Analytics) or potentially embedded content providers (e.g., videos, social media feeds). These third parties collect data directly from your browser and their processing is governed by their own privacy policies. We recommend you review these policies.

    10.4. Managing Your Cookie Preferences:

    When you first visit our Site, you will be presented with a cookie consent banner allowing you to accept or reject different categories of non-essential cookies. You can change your preferences at any time through our Privacy Preference Center (often accessible via a link or icon on the Site) or by adjusting your browser settings.

    Most web browsers allow some control of most cookies through the browser settings. You can typically configure your browser to:

    • Notify you when you receive a cookie, allowing you to decide whether to accept it.
    • Disable existing cookies.
    • Set your browser to automatically reject cookies.

    Please note that if you choose to block or delete cookies, some parts of our Site may not function properly. Blocking strictly necessary cookies may prevent you from accessing or using certain features of the Site.

    10.5. Do-Not-Track Signals:

    Some web browsers incorporate a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want to have your online activity tracked. Currently, there is no uniform technology standard for recognizing and implementing DNT signals. Therefore, like many websites, Biosphere Studio does not currently respond to DNT browser signals or mechanisms.

    For more detailed information about the specific cookies we use, their purposes, and duration, please refer to our detailed Cookie Declaration, often available within our Cookie Consent Management tool.

    11. Children's Data

    Our Site and Services are not directed at children under the age of 18. We do not knowingly collect personal data from children under 18.

    Under the DPDP Act, specific obligations apply to the processing of personal data of children (individuals below 18 years of age). These include:

    • Verifiable Parental Consent: Obtaining verifiable consent from the parent or lawful guardian before processing a child's personal data. The DPDP Draft Rules provide some guidance on verification methods (e.g., using details already held, government tokens like DigiLocker), but practical implementation remains challenging.
    • Prohibition on Harmful Processing: Not undertaking any processing that is likely to cause any detrimental effect on the well-being of a child.
    • Restrictions on Tracking and Targeting: Not undertaking tracking or behavioral monitoring of children, or directing targeted advertising at children.

    If you are a parent or guardian and believe we may have collected personal data from your child without your consent, please contact us immediately using the details in Section 15. We will take steps to investigate and delete such information if confirmed.

    12. Data Breach Notification

    Biosphere Studio has implemented technical and organizational measures to prevent personal data breaches. However, in the event of a data breach that compromises the confidentiality, integrity, or availability of personal data under our control (as Data Fiduciary), we will take steps in accordance with applicable laws.

    Under the DPDP Act, a personal data breach includes any unauthorized processing or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data. The Act requires Data Fiduciaries to notify the Data Protection Board of India (DPB) and affected Data Principals in the event of a personal data breach.

    The DPDP Draft Rules propose a specific procedure for notification:

    • Notification to Affected Data Principals: Provide notice "without delay" in a concise, clear manner (via user account, email, etc.) including:
      • Description of the breach (nature, extent, timing, location).
      • Potential consequences.
      • Mitigation measures taken by us.
      • Safety recommendations for the Data Principal.
      • Contact details for inquiries.
    • Notification to the Data Protection Board (DPB):
      • Initial notification "without delay" upon becoming aware, providing basic details.
      • Detailed notification within 72 hours of becoming aware (extendable by the DPB upon request), including circumstances, cause, remediation actions, and confirmation of notification to affected individuals.

    Currently, the DPDP Act and Draft Rules require reporting of all personal data breaches, regardless of severity or risk of harm, which differs from thresholds in regulations like GDPR. We will comply with the final requirements as notified.

    We also note that under India's IT Act rules (CERT-In directions), certain cybersecurity incidents must be reported to the Indian Computer Emergency Response Team (CERT-In) within 6 hours. We will comply with all applicable incident reporting obligations.

    If we are acting as a Data Processor for a client, we will notify the client (Data Fiduciary) without undue delay upon becoming aware of a personal data breach affecting their data, in accordance with our DPA obligations.

    13. Data Protection Officer / Contact Person

    Under the DPDP Act, Data Fiduciaries are required to appoint a contact person to address questions from Data Principals about the processing of their personal data. Significant Data Fiduciaries (SDFs) must appoint a Data Protection Officer (DPO) based in India.

    While Biosphere Studio may not currently qualify as an SDF, we have designated a contact person responsible for overseeing compliance with this Privacy Policy and handling data protection inquiries and requests.

    The contact details for our Data Protection Contact Person are provided in Section 15 (Contact Information).

    The DPDP Draft Rules require Data Fiduciaries to publish the contact details of their DPO or designated contact person on their website/app and in responses related to Data Principal rights.

    14. Grievance Redressal

    Biosphere Studio is committed to resolving any concerns you may have regarding our processing of your personal data. Under the DPDP Act, Data Principals have a specific Right to Grievance Redressal.

    We have established the following procedure for addressing grievances:

    1. Initial Contact: If you have a complaint or concern about how we handle your personal data, please first contact our Data Protection Contact Person using the details in Section 15. Please provide sufficient detail about your concern to allow us to investigate.
    2. Acknowledgement and Investigation: We will acknowledge receipt of your grievance promptly. We will investigate the matter thoroughly and fairly.
    3. Response: We aim to respond to your grievance within a reasonable timeframe, as required by applicable law. The DPDP Draft Rules require Data Fiduciaries to establish and publish clear timelines for responding to grievances. Our response will outline the findings of our investigation and any actions taken or proposed.
    4. Escalation: If you are unsatisfied with our response or the resolution provided, you have the right to escalate your complaint to the Data Protection Board of India (DPB).

    We maintain records of grievances received and their resolution to ensure accountability and continuous improvement of our data protection practices.

    15. Contact Information

    If you have any questions, comments, concerns, or complaints about this Privacy Policy or our data practices, or if you wish to exercise your data protection rights, please contact our designated Data Protection Contact Person:

    Data Protection Contact Person
    Biosphere Studio Support
    Email: [email protected]

    Please ensure your communications include sufficient detail for us to address your query or request effectively.

    16. Exemptions under the DPDP Act

    The DPDP Act includes certain exemptions where some or all of its provisions may not apply. It is important to understand these limitations. Section 17 of the DPDP Act outlines several key exemptions:

    • General Exemptions (from most obligations in Chapters II & III, and Section 16):
      • Processing necessary for enforcing any legal right or claim.
      • Processing by courts, tribunals, or regulatory/supervisory bodies for their functions.
      • Processing necessary for the prevention, detection, investigation, or prosecution of offences or contraventions of law in India. This exemption's applicability to internal corporate investigations is currently debated.
      • Processing personal data of individuals outside India under a contract between an Indian entity and a person outside India (e.g., outsourcing).
      • Processing necessary for approved mergers, demergers, amalgamations, or reconstructions.
      • Processing to ascertain financial information and assets/liabilities of loan defaulters.
    • Exemptions from the Entire Act:
      • Processing by notified state instrumentalities for reasons of sovereignty, integrity, security, foreign relations, public order, or preventing incitement to cognizable offences. This exemption has raised concerns about potential state surveillance.
      • Processing necessary for research, archiving, or statistical purposes, provided the data is not used for decisions specific to a Data Principal and adheres to prescribed standards. The broad nature of this research exemption is also under discussion.
    • Exemptions for Certain Fiduciaries: The Central Government can notify certain Data Fiduciaries (including startups) who may be exempt from specific obligations like providing notice, ensuring data accuracy/completeness, data retention limits, and rights of access/correction/erasure.

    Biosphere Studio will only rely on these exemptions where strictly applicable and legally permissible. Our general operations involving website visitors and client engagement typically fall under the main provisions of the Act, not these exemptions.

    17. Role of the Data Protection Board of India (DPB)

    The DPDP Act establishes the Data Protection Board of India (DPB) as the primary regulatory and adjudicatory body for enforcing the Act. The DPB is envisaged as a digital office, conducting proceedings online.

    Key powers and functions of the DPB include:

    • Inquiring into Data Breaches: Investigating reported personal data breaches.
    • Directing Remedial Measures: Ordering Data Fiduciaries to take urgent actions to mitigate harm from breaches.
    • Handling Complaints: Adjudicating complaints filed by Data Principals regarding violations of the Act.
    • Imposing Penalties: Levying monetary penalties for non-compliance, with amounts specified in the Act's schedule (up to ₹250 crore per instance for certain breaches).
    • Issuing Directions: Providing directions to Data Fiduciaries to ensure compliance.
    • Accepting Voluntary Undertakings: Accepting commitments from entities to take specific actions to comply with the Act.
    • Functioning as a Civil Court: Possessing powers similar to a civil court for summoning witnesses, examining evidence, etc.

    Appeals against DPB orders lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

    18. Privacy by Design and Emerging Technologies

    18.1. Privacy by Design:

    Biosphere Studio embraces the principle of Privacy by Design (PbD). This means we integrate data protection and privacy considerations into the design and operation of our systems, processes, and services from the outset, rather than treating them as afterthoughts. This proactive approach helps ensure compliance with data protection principles like data minimization and purpose limitation and is embedded in our software development lifecycle (SDLC) for our own Site, App, and internal systems. We also advocate for PbD principles in the digital products we develop for our clients.

    18.2. Privacy Enhancing Technologies (PETs):

    Where appropriate and feasible, we explore and may utilize Privacy Enhancing Technologies (PETs) to further protect personal data while enabling analysis and service delivery. PETs encompass techniques like anonymization, pseudonymization, differential privacy, secure multi-party computation, and encryption methods designed to minimize data exposure while maximizing utility. For example, when creating analytics dashboards, we may employ anonymization techniques to display trends without revealing individual identities.

    18.3. Artificial Intelligence and Machine Learning (AI/ML):

    If Biosphere Studio utilizes AI/ML technologies in its services (e.g., for data analysis, personalization features in client products, internal process automation), we are committed to doing so responsibly and ethically. This includes:

    • Data Privacy: Ensuring that personal data used to train or operate AI/ML models is collected and processed lawfully, respecting consent and purpose limitation principles under the DPDP Act and GDPR.
    • Transparency: Striving for transparency in how AI/ML systems make decisions, where feasible and appropriate.
    • Fairness and Bias Mitigation: Taking steps to identify and mitigate potential biases in AI algorithms and training data to prevent discriminatory outcomes.
    • Accountability: Establishing clear lines of responsibility for the development and deployment of AI/ML systems.
    • Alignment with Guidelines: Considering relevant ethical guidelines and principles for responsible AI, such as those proposed by NITI Aayog in India.

    While India currently lacks specific AI legislation, the DPDP Act and existing IT Act provisions provide a baseline for data protection in AI contexts. We monitor developments in AI regulation and best practices.

    19. Updates to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will revise the "Last Updated" date at the top of this policy.

    If we make material changes, we will provide notice through our Site or by other means (such as email if we have your contact information) before the changes take effect, where required by law. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal data. Your continued use of our Services after any changes constitutes your acceptance of the revised Privacy Policy, subject to applicable consent requirements.

    20. Conclusion

    Biosphere Studio is dedicated to upholding high standards of data privacy and security. This Privacy Policy provides a comprehensive overview of how we collect, use, share, and protect personal data in compliance with applicable laws, including India's DPDP Act, 2023, and GDPR where relevant. We strive for transparency and aim to empower individuals with control over their personal information. We will continue to monitor legal and technological developments to ensure our practices remain robust and compliant. If you have any questions or require further clarification, please do not hesitate to contact us.

    © 2025 Biosphere.Studio