- How long will we keep your information
We will keep your personal data for as long as is necessary for the relevant service, in accordance with our legal obligations. After this time, your personal data will either be securely deleted or anonymised so that it can be used for analytical purposes. You may request further information via the contact details given in this Privacy Notice.
- How we secure your information
We maintain appropriate organisational and technological safeguards to help protect against unauthorised use, access to or accidental loss, alteration or destruction of personal data. We also seek to ensure our service providers do the same.
- Information Sharing and Disclosure
Information shared with our third-party service providers
We use a number of third parties to perform business functions on our behalf, such as sending our newsletters and hosting our online services and customer relationship management. We will only disclose the information necessary to enable these third parties to perform their services. Our service providers are contracted to comply with our instructions and we require that they do not use your personal data for their own business purpose.
Information shared with other parties
Where required or permitted by law, personal data may be provided to others, such as regulator and law enforcement agencies, for example in response to a court order or a subpoena, or in response to a law enforcement agency’s request, or where we believe it is necessary to investigate, prevent or take action regarding illegal activities, and as otherwise required by law.
We do not sell or rent any personal data about you to any third party.
- International and group company transfers
Expedify is a registered trademark of Brainpan Digital Private Limited, the global marketing and advertising company. Therefore, we may from time to time disclose your personal data within our group of companies. Access will always be controlled on a need-to-know basis, and only provided where it is necessary to provide you with requested services or to allow us to perform any necessary or legitimate functions.
You may request further information on the measures used for such transfers via the contact details given in this Privacy Notice.
- Your rights
- Object to our processing of your personal data where we are relying on legitimate interest (or those of a third-party), and you want to object to processing on this ground, as you feel it impacts on your fundamental rights and freedoms. You also have a right to object where we are processing your personal data for the purposes of direct marketing. You can object at any time and we shall stop processing the information you have objected to, unless we can show compelling legitimate grounds to continue that processing.
- Access your personal data. If you make this kind of request and we hold personal data about you. We are required to provide you with information on it, including a description and copy of the personal data and why we are processing it. We will require you to prove your identity before granting access to your personal data. We will process your request within the timeframe required under the relevant law.
- Request the transfer of your personal data. We will provide to you or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Please note, this right applies to the personal data you have provided to us; and if we use your personal data on the basis of consent or where we used the information to perform a contract with you.
- Request erasure (deletion) of your personal data. You have a right to ask us to delete or remove your data where you have successfully exercised your right to object (see above), or where we are required to erase your personal data to comply with local law. Please note, we may be required to retain certain information by law and/or for our own legitimate business purpose. But when we do so, we will inform you
- Request correction or updating of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected.
- Request the restriction of our processing of your personal data in some situations. If you request this, we can continue to store your personal data but are restricted from processing it while the restriction is in place.
- Withdraw your consent. Where you have provided your consent to our processing of your personal data you can withdraw your consent at any time. If you do withdraw consent, that will not affect the lawfulness of what we have done with your personal data before you withdrew consent.
- Make a Complaint. We will do our best to resolve any complaint. However, if you feel we have not resolved your complaint, you have a right to make a complaint to your local data protection authority.
If you exercise the rights above and there is any question about who you are, we may require you to provide information from which we can satisfy ourselves as to your identity.
- Our responsibility for website links
This Privacy Notice is limited to the personal data collected by Expedify. We do provide links within this site to other websites, including social media sites such as Facebook, Twitter and LinkedIn. If you follow these links, you should use these sites in conjunction with their applicable user and privacy notices as their data practises fall outside the scope of this Privacy Notice. Further, we can have no responsibility for or control over the information collected by any third-party website and we cannot be responsible for the protection and privacy of any information which you may provide on such websites.
- Updates
This Privacy Notice may be updated from time to time to reflect changes in law, best practice or a change in our practises regarding the treatment of personal data. The date of the most recent revision will appear at the top of this page. If you do not agree to the changes, please do not continue to use our services and please refrain from sharing your personal data with us. You should check this notice frequently for updates.
- Contact us
If you have any questions about this Privacy Notice, our approach to privacy or you would like to exercise any of the rights mentioned in this Privacy Notice you can contact our Data Protection Officer in any of the following ways:
Address: C-1184, LGF, Sushant Lok 1, Gurgaon 122002
Telephone: (+91) 98 732 666 94
Email: [email protected]
Supplementary Information
In this Supplementary Information section, we explain some of the terminology used in this Privacy Notice.
“data controller” – the person or company that controls the purposes and means of processing personal data.
“personal data” – any information that relates to you (or from which you can be identified).
“processing” – means doing anything with data. For example, it includes collecting it, holding it, disclosing it and deleting it.
“transfer” – sending personal information outside the Brainpan Digital Private Limited (e.g. by storing it on equipment located outside the Brainpan Digital Private Limited), or allowing someone from outside the Brainpan Digital Private Limited to access the personal information.
Responsible Disclosure
Brainpan Digital Private Limited (BDPL) believes that everybody should be safe and secure on the Internet. BDPL is committed to maintaining the security of our assets, systems, and customers’ information. If any potential vulnerabilities are identified in any product, system, or asset belonging to BDPL, we encourage security researchers to contact us as soon as possible. If you believe you have identified a potential security vulnerability, please submit it in accordance with our Responsible Disclosure Program.
Thank you in advance for your submission. BDPL does not operate a public bug bounty program and will not provide a reward or compensation in exchange for reporting potential issues.
Responsible Disclosure Program Guidelines
Researchers shall ensure that when in the process of disclosing potential vulnerabilities they:
- Do not engage in any activity that can cause potential or actual harm to BDPL, BDPL customers, or BDPL employees.
- Do not engage in any activity that can potentially or actually degrade BDPLservices or assets or cause them to stop entirely.
- Do not engage in any activity that violates (a) applicable laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity
- Do not engage in any activity that puts BDPL in violation of any (a) applicable laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
- Do not store, share, compromise or destroy BDPL or any customer data. If any Personal Information is identified, you should immediately stop the activity, remove related data from your system, and immediately contact BDPL. This is important for protecting any potentially vulnerable data, and you.
- Do not initiate a fraudulent financial transaction.
- Do not disclose any reported issues to third parties, or publish such reported issues publicly
By acting in accordance with the guidelines above and responsibly submitting your findings to BDPL, BDPL agrees not to pursue legal action against you unless it is compelled to do so by a regulatory authority, other third party, or applicable laws
Once a report is submitted, Expedify commits to provide prompt acknowledgement of receipt of all reports (in any event, within 5 business days of submission). Where possible, BDPL shall use commercially reasonable endeavours to keep you reasonably informed of the status of any validated vulnerability that you report through this program
Submission Format
When reporting a potential vulnerability, please include a detailed summary of the vulnerability. This shall include the following:
- The target
- The steps
- The tools
- The artefacts
- You may include screen captures to illustrate detail.
Out of Scope Vulnerabilities
Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. Out-of-scope vulnerabilities include, but are not limited to:
- Physical testing of premises
- Social engineering. For example, attempts to steal cookies, fake login pages to collect credentials
- Denial of service attacks
- Resource Exhaustion Attacks
Please submit your report to: [email protected]