Privacy Policy

1

Overview

Imagine's intention behind publishing this Data Security and Privacy Policy is to ensure that we are compliant with the privacy and data security requirements. Herein, Imagine provides detailed information regarding the data we collect and process, and the controls we have implemented to safeguard the information provided to us by Data Subjects.

2

Objective

The purpose of this policy is to outline the practices that we adhere to with respect to:

  • Data Security and Privacy Regulations including European Union General Data Protection Regulation (EU GDPR), Personal Information Protection and Electronic Documents Act (PIPEDA), Malaysia Personal Data Protection Act and any other such data privacy regulations
  • Statutory and Regulatory requirements such as HIPAA (Health Insurance Portability and Accountability Act)
  • Data Security, Confidentiality and Privacy requirements specified as part of Master Services Agreement (MSA), Statement of work (SOW) etc. by customers
  • Intellectual Property Rights of Data Subjects and customers
2.1

Terms & Definitions

Term | Definition
MSA | Master Service Agreements
SOW | Statement of Work
HIPAA | Health Insurance Portability and Accountability Act
Personally Identifiable Information (PII) | Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.
Protected Health Information (PHI) | Any information about health status, provision of health care, or payment for health care that is created or collected and can be linked to a specific individual
Processing of PHI / PII | Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
EU GDPR | European Union General Data Protection Regulation
Data Controller | Any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
Data Processor | Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Data Subject | Any natural or legal person providing its PII
ISMG | Information Security Management Group
PIMS | Personal Information Management System
IPS | Intrusion Prevention System
IDS | Intrusion Detection System
DLP | Data Loss Prevention
SOC | Security Operations Center
HRIS | Human Resources Information System
3

Policy Description

Many countries have introduced legislation placing controls on the collection, processing and transmission of PII.
We perform our services in compliance with such laws, ensuring data security, privacy and confidentiality.

4

What data / information we collect

4.1

Prospective Customers

  • Prospective customers may provide their information while contacting us through our website for business opportunities
    • We collect name, company details, email id (professional email id), and phone number
    • Access to such PII is provided only on a need-to-know basis and is restricted to those individuals, affiliates or subcontractors who are subject to Imagine's strict confidentiality obligations and disciplinary policies
    • Adequate controls are implemented to safeguard the PII which includes physical, technical and administrative controls
  • Imagine is a new tech startup offering a suite of applied AI solutions for global organizations. A ValueLabs Group company, Imagine brings together a team of business and technology leaders with a distinguished background in building AI-powered solutions that deliver real business results.
  • Now, we’ve come together to create the Imagine Portfolio, a suite of applied AI solutions to help your business achieve more, faster. We would like to connect to organizations such as yours to explore partnership opportunities.
    • We receive information including name, email id, phone number, role and associated organization from professional service providers such as LinkedIn premium service, marketing databases, prospective customer websites and references from our existing clients
    • We assume that the data subjects have provided consent to such professional service providers to share the PII with Imagine
4.2

Customers Information

  • To provide effective services to our customers we collect PII which includes name, professional email id, phone number and company address
  • The respective customer provides us with the information during the contract phase in order to perform services effectively (billing, invoicing, program management etc.)
  • Imagine assumes that the customer organization has already obtained consent from the data subject and would exclude Imagine from any additional consent to be acquired
4.3

Prospective Employees

  • In the process of recruitment and talent management, Imagine's HR may receive PII from Job Boards, Social Networking sites & other referral channels
  • Imagine receives name, email ID, mobile number, address and other information provided by data subject in the respective job portals
  • Imagine assumes that the job posting portals have already obtained consent from the data subjects to share such information and would exclude Imagine from any of the obligations related to additional consent management
4.4

Imagine Employees PII

  • HR at Imagine collects PII of employees while issuing the offer letters and during onboarding. Information includes name, address, email id, phone number and emergency contact details
  • By accepting the offer, the employee by default consents to allow Imagine to share PII with customers, affiliates and third parties as may be required in relation to employment
  • Access to PII is provided only on a need-to-know basis and is restricted to those individuals, affiliates or subcontractors who are subject to Imagine's strict confidentiality obligations and disciplinary policies
4.5

Customer (Data Controller) provided information

  • PII / PHI data collection is done by Imagine's Customers and is shared with Imagine for access / processing / storage during the services provided to them
  • Data subjects' consent will be obtained for such collection by the customers
  • Imagine employees always ensure that they access such data only after written consent from Customer (SOW / MSA / meeting minutes shared with Customer)
  • Project owners reach out to ISMG to understand the regulatory and compliance requirements prior to any such processing and thoroughly read the MSA
  • Customers are to inform Imagine in case the data subject has withdrawn consent, so that Imagine can erase such data as appropriate
4.6

Vendors/Business partners

  • To provide & initiate effective NDA, MSA & Purchase Order, we collect vendor’s data such as Name, Address, Email, Contact details, GST, PAN, Company registration details, Client list & Bank Details etc., by sending email for onboarding Vendors in SAP.
  • Access to PII is provided only on a need-to-know basis and is restricted to those individuals from the Admin & Finance team who are subject to Imagine's strict confidentiality obligations and disciplinary policies
4.7

Consultant / Interns

  • We collect PII related data through Personal History Record (PHR form) and while calling the candidate for a job opportunity
  • Data collected by HR-Tag (to name a few): Name, Contact number, Email id, Address, blood group, DOB, Passport number, CTC details, Nationality, country, Place of birth
4.8

Website data and the user behavior

  • The marketing team uses Google Tag Manager and Google Analytics to track user behavior on the website.
  • The process given below is usually followed for every page on the website:
    • Creation of tags for all the clickable actions on a webpage.
    • Complete user behavior for all the tags is stored in Google Analytics.
    • The team also uses Google Analytics (GA) to get the number of conversions for any form on the website.
    • Monitoring of user behavior data like number of visits, time spent, bounce rate, source, geo, etc. through Google Analytics.
  • The data filled by a visitor on any form present on the website is transferred to the Marketing team. The team categorizes this data into different buckets and assigns respective owners for the same. Qualified contacts are moved into the central CRM database.
  • The cookie settings on our websites are set to "allow cookies" for the best browsing experience possible. The user's consent is obtained by them clicking on "Accept" in the notification pop-up about cookies, which appears at the bottom right-hand corner of the page as soon as they visit our websites
5

Data processing

5.1

Prospective Customers

  • In order to establish this connection, we would like to reach out to prospective customers with technological / digital propositions and solutions relevant to their business, invitations for our sales reach events, white papers, publications, industry newsletters and any relevant technology related content
5.2

Prospective employees

  • PII data of prospective employees is collected through job portals for recruitment, and the talent acquisition team will process / use the collected data to reach out to prospective employees for job openings and careers at Imagine
5.3

Employees

  • PII collected from employees would be processed as per our HRIS practices and to fulfil the obligations of our people policy.
5.4

Customer (Data Controller) provided information

  • PII / PHI shared by the Customers for providing the relevant services will be processed by Imagine as per the Statement of Work and / or Master Services Agreement, approved business requirement and / or written instruction only
  • Imagine would ensure the integrity of the personal data while processing by applying the required controls
  • Imagine would implement appropriate security controls in the application developed to ensure the confidentiality and privacy of the PII / PHI to avoid unauthorized access or disclosure of such PII / PHI
  • Project owners, with the help of the IT and SOC teams at Imagine, would ensure adequate security controls (including the controls defined in MSA / SOW) are deployed in the project environment. The controls shall include but are not limited to:
    • Authentication and authorization
    • Encryption of data while transmitting over a network and storage
    • Provision for emergency access
    • Data anonymization
    • Log management where application / database should maintain logs of all processing etc.
5.5

Vendor/Business Partners

  • PII / PHI shared by the vendors for providing the relevant services will be processed by Imagine as per the Non-Disclosure Agreement, Purchase Order and Master Service Agreement, approved business requirement and / or written instruction only
  • Imagine would ensure the integrity of the personal data while processing
5.6

Consultant / Interns

  • After collection of data, if the Consultant / Intern is joining Imagine, we transfer the data to the HR Operations team
6

Data Storage

6.1

Prospective Customers

  • PII provided by the prospect in the website or gathered through marketing database shall be stored on a well-established CRM tool
  • Appropriate technical controls, including but not limited to access control mechanisms, encryption and data anonymization, are in place to safeguard the confidentiality, integrity and availability of the information
6.2

Prospective Employees

  • PII provided by the prospective employees in the website or job portals shall be stored on a well-established HRIS Tool
  • Appropriate technical controls, including but not limited to access control mechanisms, encryption and data anonymization, are in place to safeguard the confidentiality, integrity and availability of the information
6.3

Employees

  • PII provided by the employees during on-boarding would be stored on a well-established HRIS Tool
  • Appropriate technical controls, including but not limited to access control mechanisms, encryption and data anonymization, are in place to safeguard the confidentiality, integrity and availability of the information
6.4

Customer (Data Controller) provided information

  • Project owners should ensure that the PII / PHI data storage is limited to Customer environment only
  • Project owners should refrain from copying the data into the Imagine environment and educate the project resources on the legal / compliance obligations if such actions are performed.
  • Most of the data protection and privacy regulatory requirements restrict transmission of PII and PHI data beyond the specified geographical regions. Project owners should ensure such restrictions are addressed (e.g. securing a virtual environment, storage in that geographical location etc.) and prevent transmission of such data into the Imagine environment.
  • In case storage of PII / PHI data is one of the project / service requirements, project owners or resources should ensure written consent from the Customer (in MSA or SOW or email approval from Customer) is obtained prior to transmission
  • Project owners should reach out to the Security Operations Center to implement technical controls like DLP, Web content filtering etc. to safeguard data if storage is done within Imagine.
6.5

Vendor/Business Partner

  • PII provided by vendors during on-boarding would be stored on an SAP tool
  • Appropriate technical controls, including but not limited to access control mechanisms, encryption and data anonymization, are in place to safeguard the confidentiality, integrity and availability of the information
6.6

Consultant / Interns

  • Data is stored in Excel sheets and PHR forms (Hard / soft copy) which is transferred to HR Operations team
7

Data Retention & disposal

  • Imagine shall retain the data of its employees in order to verify re-hire cases.
  • Customers' and their end users' data (which may include PII or PHI data) shall not be retained and shall be disposed of as soon as it is no longer required for processing by Imagine
  • PII / PHI of data subjects shall not be retained by Imagine for a duration longer than necessary. Such requirements shall be identified during data collection process based on regulatory or legal requirements prevailing during that period
  • PII / PHI Data will be securely disposed once it is no longer in use according to the Data Retention and Disposal procedure
8

Data Disclosure

  • Imagine ensures that PII / PHI data is not disclosed to unauthorized users without proper consent
  • Any request for access to the data from third parties, including law enforcement and government agencies, would be notified to the Data Subject where applicable
  • Disciplinary actions would be initiated as per the disciplinary policy defined for any unauthorized disclosure of PII / PHI
9

Data Subject rights

9.1

Right of Access, Modify

9.2

Prospective Clients and Employees

  • Data subjects at all times can reach out to Imagine through "email id: privacy@imagine.tech" for access to the personal data to review, modify and correct any inaccuracies
  • For Customer provided information, we request Customer to inform Imagine in case the data subject has withdrawn the consent so Imagine can take actions on such PII as appropriate
9.3

Employees

  • Employees can reach out to relevant HR business partner for access, review, modification and correction of such data
9.4

Vendor/Business Partner

  • Vendors at all times can reach out to the Imagine Procurement team through email: procurement@imagine.tech for modification of such data and correction of any inaccuracies
9.5

Consultant / Interns

  • The respective candidate can reach out to the concerned recruiter through email for any modifications of the data provided by them and corrections of any inaccuracies
9.6

Right to consent / opt out consent

9.7

Prospective Clients

  • In case of data obtained through Premium services, Imagine will reach out to all such prospective clients with an email to obtain their consent providing a link to this policy
  • In case the data subject would like to opt out, they can reply to the email or use the web link option provided. In case we do not receive the information within one week, it would be deemed that consent is not provided
  • Imagine would maintain the name, LinkedIn ID, or marketing database ID of opted-out data subjects in a do-not-contact (DNC) list to ensure that no future contacts are made by our sales team
9.8

Prospective Employees

  • Imagine will reach out to all such prospective employees with an email to obtain their consent providing a link to this policy
  • In case the data subject would like to opt out, they can reply to the email or use the web link option provided. In case we do not receive the information within one week, it would be deemed that consent is not provided
  • Imagine would maintain the name, LinkedIn ID and job portal ID of opted-out data subjects in a do-not-contact (DNC) list to ensure that no future contacts are made by our HR team
9.9

Right to Erase

  • Data subjects at all times can reach out to Imagine through "email id: privacy@imagine.tech" to erase a part of data or complete data
  • For Customer provided information, we request customer to inform Imagine in case the data subject has made such request
10

Breach Notification

  1. Imagine would notify the data subjects and customers of any instance of data breach which could potentially impact the privacy of the data subject
  2. Such notifications, wherever feasible, would be within 72 hours or as per the contracts established
  3. Imagine would further take all reasonable steps to prevent such an instance from repeating and take all corrective measures to minimize the impact of such a data breach
11

Data Processing and Data Controlling

11.1

Imagine will be acting as a data controller & processor

  1. If they are determining the purpose and the means of collecting PII data from internal employees & prospect candidates and processing it
  2. If they are determining the purpose and the means of collecting PII data from other regions where GDPR applies and processing it (Ex: Marketing team collecting details on any company events)
  3. If the contractual agreement states that Imagine will be acting as data controller and as a data processor
11.2

Imagine will be acting as a data controller

  1. If they are determining the purpose of and by which means the data is processed when collecting PII data from internal employees & prospect candidates
  2. If they are determining the purpose of and by which means the data is processed when collecting PII data from other regions where GDPR applies (Ex: Marketing team collecting details on any company events)
  3. If the contractual agreement states that Imagine will be acting as data controller
11.3

Imagine will be acting as a data processor

  1. If they are processing the PII data collected from internal employees & prospect candidates
  2. If they are processing the PII data collected from other regions where GDPR applies
  3. If the contractual agreement states that Imagine will be acting as data processor
12

Organization Controls

  1. Imagine has ensured that there is a Data Protection Officer (DPO) nominated for data security and privacy
  2. Appropriate controls such as DLP, Web Control Filtering, IDS, IPS etc. are implemented to ensure there is no data leakage
  3. Imagine has mandated Project owners to understand the compliance requirements thoroughly which are in the MSA and educate the same to the project resources
  4. Legal and ISMG team would prepare the MSA trackers and share it to the project owners / resources upon request
  5. Imagine has mandated that all compliance requirements related to any statutory, regulatory and / or contractual requirements are explicitly captured in the MSA / SOW
  6. Imagine ensures that awareness sessions w.r.t data privacy and security are conducted for all relevant employees
13

Intellectual property

  1. All work products developed for Imagine and / or its customers including but not limited to code, test cases, test data, presentations, proof of concepts, marketing collaterals etc. are intellectual property of Imagine and / or its customers (and / or as defined in the MSA)
  2. Employees and contractors working on behalf of Imagine are strictly prohibited from sharing these work products over the internet with unauthorized users or transferring them into personal folders, drives etc.
  3. In case users have been given access to the customers' work product, users must not transfer such work products into the Imagine environment without written consent from the customers
  4. Project owners should ensure that they read the Intellectual Property clause in the MSA and educate resources in the projects to provide their services accordingly
14

Enforcement

Legal and ISMG would ensure that the policy is enforced and implemented thoroughly. Any employee found to have violated this policy shall be subjected to disciplinary action.

15

Review

This policy shall be reviewed once in a year, or in case of compulsive changes, whichever is earlier