DPDP Notice
This Notice is issued by PEGS Standards & Systems Private Limited (“PEGS”, “we”, “us”, “our”) under Section 5 of the Digital Personal Data Protection Act, 2023 (the “DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (the “DPDP Rules”). It is intended to be read with the PEGS Privacy Policy, User Consent Notice, and Grievance Redressal Policy.
Identity of the Data Fiduciary
For the purposes of the DPDP Act, the Data Fiduciary is:
PEGS Standards & Systems Private Limited
Registered office: 10th Floor, Building 4, North Wing, NESCO IT Park, Western Express Highway, Goregaon East, Mumbai – 400063, Maharashtra, Bharat (India)
CIN: U62099MH2025PTC457182
Email for data-protection matters: privacy@pegs.org.in
Grievance Officer: grievance@pegs.org.in
Personal Data Processed
PEGS may process the following categories of personal data as Data Fiduciary in connection with the Services:
- Identity and contact data — name, email, mobile, account credentials.
- Service data — property or asset information, ESG/verification/certification inputs, support and feedback communications.
- Authentication and security data — OTPs, session and device identifiers, IP address, logs.
- Usage and preference data — interaction data, cookie and communication preferences, consent records.
- Payment and billing data — invoice and transaction references, billing details (sensitive card credentials are processed by authorised payment service providers and are not stored by PEGS).
A full description of categories is set out in Section 03 of the Privacy Policy.
Purposes of Processing
PEGS processes personal data for the following specific purposes:
- account creation, login, identity verification, and authentication;
- delivering the Services, including ESG services, UAIN, BASTION anchoring, the My Estatez application, and PEGS Club Memberships;
- sending OTPs, service alerts, security notices, invoices, receipts, and policy updates;
- processing payments, billing, and refunds;
- responding to support requests, grievances, and data-rights requests;
- securing systems, preventing fraud, detecting misuse, and responding to incidents;
- improving Service reliability and user experience; and
- complying with legal, regulatory, tax, accounting, cybersecurity, and law-enforcement obligations.
We send marketing or promotional communications only where you have explicitly opted in.
A full description of purposes is set out in Section 04 of the Privacy Policy.
Lawful Basis
Where consent is required, PEGS obtains consent through clear and affirmative action, after providing notice of:
- the personal data category involved;
- the specific purpose of processing;
- the Service, feature, benefit, or use enabled by that processing;
- whether the consent is optional or necessary for the requested Service;
- the method by which consent can be withdrawn; and
- the manner of grievance redressal.
Where the law permits, PEGS may also process personal data on the basis of deemed consent or legitimate uses recognised under applicable law, contractual necessity, compliance with law, and security or fraud-prevention requirements.
Rights of Data Principals
As a Data Principal, you may have the right to:
- access information about the personal data processed by PEGS;
- request correction or updating of inaccurate or incomplete personal data;
- request erasure of personal data where permitted by law;
- withdraw consent for processing based on consent;
- nominate another individual to exercise your data rights in the event of death or incapacity, in accordance with applicable law;
- raise a grievance with PEGS; and
- file a complaint with the Data Protection Board of India where permitted by law.
5.1 How to Exercise Rights
Submit a request through any of:
- the in-app or website rights-management tool, where available;
- email to privacy@pegs.org.in; or
- post to the address in Section 01.
Include sufficient detail to verify your identity (such as registered email address, mobile number, account ID, transaction ID, or other identifier). PEGS may request additional information to verify the request.
PEGS will respond within the period required by applicable law, and in any case within a reasonable period not exceeding ninety (90) days where the DPDP Rules apply.
Withdrawal of Consent
You may withdraw consent at any time, subject to legal, regulatory, contractual, security, or fraud-prevention requirements. PEGS will make withdrawal of consent available with ease comparable to the method by which consent was given. The mechanics are described in the User Consent Notice.
Children and Persons with Disability
The Services are not intended for individuals under 18 years of age. PEGS does not knowingly process personal data of children. Where PEGS introduces any Service that processes personal data of a child, it will obtain verifiable consent from the parent or lawful guardian before processing, except where an exemption applies under applicable law. Where data relates to a person with disability who has a lawful guardian acting on their behalf, PEGS follows applicable guardian-verification requirements before relying on such consent.
Cross-Border Transfers
Some service providers may process or access personal data outside India. PEGS applies appropriate contractual, technical, and organisational safeguards and complies with applicable Indian data-transfer requirements. PEGS will not make personal data available to a foreign State or any agency of a foreign State except in accordance with requirements specified under applicable law.
Data Retention
Personal data is retained only for as long as necessary for the purposes described in this Notice and the Privacy Policy, or for as long as required by applicable law. The retention framework is described in Section 09 of the Privacy Policy.
Security
PEGS implements reasonable technical and organisational security measures to protect personal data, as described in Section 10 of the Privacy Policy. In the event of a personal-data breach, PEGS will notify affected users and the Data Protection Board of India, as required by applicable law.
Grievance Redressal
If you have a grievance regarding PEGS's processing of your personal data:
- raise it with the Data Protection Officer / designated DPDP point of contact at privacy@pegs.org.in;
- if unsatisfied, escalate to the Grievance Officer at grievance@pegs.org.in;
- if still unsatisfied, you may have the right to file a complaint with the Data Protection Board of India through the official digital mechanism made available by the Board.
The full procedure is set out in the Grievance Redressal Policy.
Updates to This Notice
PEGS may update this Notice from time to time. Material changes will be notified through the Services, by email, or by other reasonable means.
Key References
- Digital Personal Data Protection Act, 2023 (Sections 4, 5, 6, 7, 8, 9, and 11 in particular)
- Digital Personal Data Protection Rules, 2025
- Information Technology Act, 2000, and rules made thereunder
This document was last updated on 17 May 2026 and supersedes all previous versions. PEGS reserves the right to amend it at any time. Continued use of PEGS platforms following any amendment constitutes acceptance of the updated document, subject to applicable law.