Privacy Policy

We believe in radical transparency about how we collect, use, and protect your data. This policy covers our obligations under DPDPA 2023, GDPR, and CCPA/CPRA.

SECTION 1

Introduction & Identity

Effective: April 2026 · Last updated: April 2026

UMAP360 Private Limited (“UMAP360”, “we”, “us”, “our”) operates the UMAP360 platform, a growth operating system for modern businesses that provides analytics, engagement, and advertising intelligence services.

UMAP360 Private Limited is a company incorporated under the laws of India.

  • Company Name: UMAP360 Private Limited
  • CIN: U62020AP2026PTC124230
  • Registered Address: D.No: 4-135/5, Flat No:504 Sri Shanmukha, Gollapudi, Krishna, Krishna-521225, Andhra Pradesh, India
  • Data Protection Officer: Kalyanam Uday Kiran, Founder & CEO
  • Contact: contact@umap360.com
  • Website: https://umap360.com

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data when you visit our website at umap360.com, use the UMAP360 dashboard, integrate the UMAP360 SDK into your applications, or interact with any of our related services. By using any of these services, you acknowledge that you have read and understood this Privacy Policy.

SECTION 2

Scope & Applicability

Roles, relationships, and jurisdictions

Controller and Processor Roles

UMAP360 acts as a data controller for the personal data of its direct customers, including account registration data, billing information, and communications. In this capacity, UMAP360 determines the purposes and means of processing your personal data to provide, maintain, and improve the platform.

UMAP360 acts as a data processor for end-user behavioral data collected via the UMAP360 SDK on behalf of our customers. In this capacity, UMAP360 processes personal data strictly in accordance with its customers’ instructions and applicable data processing agreements. Our customers, who deploy the SDK on their own websites and applications, are the data controllers for this end-user data and are responsible for obtaining appropriate consent from their end-users.

Geographic Scope

This Privacy Policy is designed to comply with the following regulatory frameworks:

  • India: Digital Personal Data Protection Act, 2023 (DPDPA 2023) and the Information Technology Act, 2000
  • European Union / EEA: General Data Protection Regulation (GDPR, Regulation (EU) 2016/679)
  • California, USA: California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA)
  • Global: We apply the highest applicable standard of data protection to all users regardless of their location

This policy is available in English. Where local law requires a translation, the English version shall prevail in the event of any conflict.

SECTION 3

Data We Collect

Six categories of personal data

A. Account & Registration Data (Controller)

When you create an account on UMAP360, we collect the following information directly from you:

  • Full name and email address
  • Organization name and your role or designation within the organization
  • Password (stored exclusively as a bcrypt hash — we never store or have access to your plaintext password)
  • Profile preferences and dashboard configuration settings

B. Billing & Payment Data (Joint Controller with Razorpay)

To process your subscription, we collect and store:

  • Subscription plan details, billing cycle, and invoice history
  • GST identification number and other tax identification numbers
  • Payment method type (card, UPI, or netbanking). Actual payment credentials (card numbers, UPI VPAs, bank account details) are handled exclusively by Razorpay and are never transmitted to or stored on UMAP360 servers

Razorpay is a PCI DSS Level 1 certified payment processor. Their handling of your payment data is governed by the Razorpay Privacy Policy.

C. SDK-Collected Behavioral Data (Processor)

When our customers integrate the UMAP360 SDK into their websites or applications, the SDK collects the following end-user data on behalf of the customer:

  • Events: page views, clicks, form interactions, and custom events as defined by the customer
  • Device information: browser type and version, operating system, and screen resolution
  • Session data: timestamps, session duration, and referrer URLs
  • UTM parameters and campaign attribution data
  • IP address (used for approximate geolocation determination, then truncated to remove the last octet before storage)

All personally identifiable information (PII), including email addresses and phone numbers, is SHA-256 hashed before storage. We do not store raw PII in our event database. This hashing is irreversible and ensures that individual identification from stored event data is not possible without the original input.

D. Advertising & Conversion Data (Processor)

When customers connect their advertising accounts, we process the following data on their behalf:

  • Google Ads: campaign metrics, keyword performance data, and conversion events
  • Meta Ads: campaign metrics, ad set performance data, and Conversions API (CAPI) events
  • Audience segment membership and cross-platform synchronization status
  • Ad account identifiers, which are encrypted at rest using AES-256-GCM encryption

OAuth tokens and connector credentials used to access advertising platforms are encrypted at rest with AES-256-GCM and are never stored in plaintext.

E. Technical & Operational Data

  • Server access logs: IP address, user agent string, request timestamps, HTTP method, and response status codes
  • Error reports via Sentry: stack traces, browser information, operating system details, and error context. Our Sentry instance is hosted in the EU region (de.sentry.io) to ensure error data is processed within the European Union
  • Email delivery metadata via Resend: recipient email address, delivery status (delivered, bounced, failed), and open/click tracking for transactional emails

F. Cookies & Tracking Technologies

  • Authentication session cookies (strictly necessary for platform operation)
  • umap-session-start cookie for 24-hour session duration enforcement
  • The UMAP360 SDK may use localStorage for anonymous identity stitching on customer websites
  • We do not use third-party advertising or targeting cookies

For full details on cookies and similar technologies, see Section 11: Cookie Policy.

SECTION 4

Purposes of Processing

Why we process your data

We process personal data for the following specific, explicit, and legitimate purposes:

  1. Providing and maintaining the UMAP360 platform — delivering the analytics dashboard, engagement tools, and related services you have subscribed to
  2. User authentication and account security — verifying your identity, managing login sessions, and preventing unauthorized access
  3. Processing payments and managing subscriptions — billing, invoicing, tax compliance, and coordinating with Razorpay for payment processing
  4. Sending transactional emails — account verification, password resets, security alerts, billing notifications, and service announcements
  5. Analytics dashboard and reporting — processing SDK-collected data to generate analytics insights, dashboards, and reports for our customers
  6. Ad platform data synchronization — importing campaign data from Google Ads and Meta Ads to provide unified advertising analytics
  7. Conversion tracking and multi-touch attribution — attributing conversions across channels and campaigns to help customers measure advertising effectiveness
  8. Audience segment creation and cross-platform sync — building audience segments and synchronizing them to advertising platforms at the customer’s direction
  9. Error monitoring, debugging, and platform stability — using Sentry to identify, diagnose, and resolve technical issues to maintain service reliability
  10. Customer support and communication — responding to support requests, providing technical assistance, and communicating service updates
  11. Security anomaly detection and fraud prevention — automated monitoring for suspicious activity, brute-force attacks, and unauthorized access attempts
  12. Legal compliance, tax obligations, and regulatory requirements — maintaining records required under the Indian GST Act, Companies Act, and other applicable laws
  13. Product improvement and feature development — using aggregated and anonymized data only to analyze usage patterns and improve the platform. Individual personal data is never used for this purpose
  14. Enforcing our Terms of Service — investigating violations, preventing abuse, and protecting the rights and safety of UMAP360, our customers, and their end-users

SECTION 6

Google API Services User Data Policy Compliance

Limited Use disclosure

UMAP360’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What We Access

We access Google Ads account data — including campaigns, ad groups, keywords, performance metrics, and conversion events — to provide analytics and reporting within the UMAP360 dashboard. We push conversion data back to Google Ads to improve campaign attribution accuracy. We sync audience segments to Google Ads for cross-platform targeting at the user’s direction.

Limited Use Requirements

  • Google data is used only to provide UMAP360 platform features expressly requested by the user
  • Google data is not sold, rented, or transferred to third parties except as necessary to provide or improve the user-facing features of the service, as required by law, or as part of a merger, acquisition, or asset sale with prior notice to users
  • Google data is not used for advertising, retargeting, or profiling beyond the user’s intended and authorized purpose
  • Google data is not used to train machine learning models, artificial intelligence systems, or any form of automated learning technology
  • Human access to Google user data is limited to what is necessary to provide customer support, investigate security incidents, or comply with applicable law, and only with the user’s explicit consent or as required by law

Revocation & Data Purge

Users can revoke UMAP360’s access to their Google account at any time through the UMAP360 dashboard settings or directly through Google Account > Security > Third-party apps with account access. Upon revocation, all Google-sourced data is made inaccessible within 24 hours and permanently purged from all UMAP360 systems within 90 days. Google Ads data that has not been revoked is retained for up to 25 months from the date of collection, after which it is automatically purged.

SECTION 7

Meta Platform Terms Compliance

Meta Developer Data Use Policy adherence

We access Meta Ads account data, including campaigns, ad sets, individual ads, and performance metrics. We process Conversions API (CAPI) events to enable server-side conversion tracking. We sync audience segments to Meta Custom Audiences for cross-platform targeting at the user’s direction.

  • Meta platform data is used solely to provide analytics, attribution, and campaign optimization features within the UMAP360 platform
  • We comply with Meta’s Developer Data Use Policy and Platform Terms in their entirety
  • We do not use Meta data to build independent user profiles, surveillance tools, or discriminatory targeting beyond what users explicitly authorize through the UMAP360 platform
  • We support Meta’s data deletion callback protocol. Meta users can request deletion of their Meta-sourced data at any time. See our Data Deletion page for instructions
  • Users can revoke UMAP360’s access to their Meta account through the UMAP360 dashboard settings or directly through Facebook > Settings > Business Integrations

SECTION 8

Data Sharing & Third-Party Sub-Processors

Who we share data with and why

We do not sell, rent, or trade your personal data to any third party. We share data only with the following sub-processors, each of which is bound by data processing agreements that require them to protect your data to standards consistent with this Privacy Policy:

Sub-Processor | Purpose | Data Processed | Location
Supabase (AWS) | Database, authentication, real-time sync | Account data, SDK events, connector configs | US (AWS us-east-1)
Vercel | Application hosting, serverless functions, edge network | Request logs, application data | US (edge: global)
Razorpay | Payment processing (PCI DSS Level 1) | Payment method, transaction details | India
Resend | Transactional email delivery | Recipient email, email content, delivery metadata | US
Sentry | Error monitoring and performance tracking | Error reports, browser info, stack traces | EU (de.sentry.io)
Google (Ads API) | Ad data synchronization, conversion tracking | Campaign metrics, conversion events, audience segments | US
Meta (Ads API) | Ad data synchronization, CAPI, audience sync | Campaign metrics, CAPI events, audience segments | US

We will notify customers at least 30 days before adding a new sub-processor to this list. Notification will be sent via email to the account owner’s registered email address.

Customers may object to the addition of a new sub-processor within that 30-day notice period by contacting us at contact@umap360.com. If we are unable to address your objection, you may terminate your subscription in accordance with your service agreement.

SECTION 9

Data Retention

How long we keep your data

Data Category | Retention Period | After Expiry
Account data | Duration of account + 90 days after deletion | Permanently purged
Billing & payment records | 8 years (Indian GST Act requirement) | Permanently purged
SDK behavioral data | 25 months (configurable by customer) | Automatically purged
Ad platform data | 25 months | Automatically purged
Server access logs | 90 days | Automatically purged
Sentry error reports | 90 days (per Sentry plan configuration) | Automatically purged by Sentry
Email delivery logs | 30 days | Automatically purged by Resend
Database backups | 30-day rolling window | Older backups automatically overwritten

When you delete your account, your data is made inaccessible immediately through a soft delete mechanism. All personal data is then permanently purged from all production systems, backups, and sub-processor systems within 90 days of the deletion request.

Aggregated, anonymized data that cannot be used to identify any individual, directly or indirectly, may be retained indefinitely for the purpose of product improvement and statistical analysis.

SECTION 10

Your Rights

Data subject rights under applicable law

For All Users

Regardless of your location, you have the following rights with respect to your personal data:

  • Right to access: Request a copy of the personal data we hold about you
  • Right to correction: Request correction of inaccurate or incomplete personal data
  • Right to deletion: Request deletion of your personal data (see our Data Deletion page)
  • Right to data portability: Request an export of your data in a structured, commonly used, and machine-readable format
  • Right to withdraw consent: Withdraw your consent to processing at any time, without affecting the lawfulness of processing performed before the withdrawal
  • Right to object: Object to processing based on our legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms

Additional Rights Under GDPR (EU/EEA Residents)

  • Right to restriction of processing (Article 18): Request that we restrict processing of your personal data in certain circumstances, such as while we verify the accuracy of your data or assess our legitimate grounds for processing
  • Right not to be subject to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates the GDPR

Additional Rights Under DPDPA 2023 (Indian Residents)

  • Right to access information about processing (Section 11): Request a summary of the personal data being processed and the processing activities undertaken
  • Right to correction and erasure (Section 12): Request correction of inaccurate or misleading personal data, completion of incomplete data, and erasure of data that is no longer necessary for the purpose for which it was collected
  • Right to grievance redressal (Section 13): Lodge a grievance with our Grievance Officer. See Section 18 for Grievance Officer details
  • Right to nominate (Section 14): Nominate a representative to exercise your data protection rights on your behalf in the event of your death or incapacity

Additional Rights Under CCPA/CPRA (California Residents)

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to delete: Request deletion of personal information we have collected from you
  • Right to opt-out: Opt out of the sale or sharing of personal information. We do not sell or share personal information, so this right is already satisfied by default
  • Right to non-discrimination: We will not discriminate against you in any way for exercising your privacy rights
  • Right to correct: Request correction of inaccurate personal information
  • Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined by the CPRA
  • Right to opt-out of automated decision-making: Opt out of the use of automated decision-making technology in connection with decisions that produce legal or similarly significant effects

How to Exercise Your Rights

  • Email: contact@umap360.com
  • Data Deletion: https://umap360.com/data-deletion
  • Response timeline: Within 30 days for requests under DPDPA 2023 and GDPR; within 45 days for requests under CCPA (with the possibility of a 45-day extension for complex requests, upon written notice)
  • Identity verification: We may require you to verify your identity before processing your request to prevent unauthorized access to personal data. Verification may include confirming your email address or providing additional identifying information
  • Authorized agents: California residents may designate an authorized agent to submit requests on their behalf. We may require written proof of the agent’s authorization and independent verification of the consumer’s identity

SECTION 11

Cookie Policy

Cookies and similar technologies we use

Cookie / Storage | Type | Purpose | Duration
Supabase auth token | First-party, Strictly Necessary | User authentication | Session
umap-session-start | First-party, Strictly Necessary | 24-hour session enforcement | 24 hours
SDK localStorage | First-party, Functional | Anonymous identity stitching | Persistent
Google Analytics (_ga, _gid) | Third-party, Analytics | Website traffic analysis (umap360.com only) | Up to 2 years

  • We do not use advertising or targeting cookies
  • You can manage cookies through your browser settings. Most browsers allow you to block or delete cookies. However, disabling strictly necessary cookies may prevent you from logging into or using the UMAP360 platform
  • The UMAP360 SDK operates on your customers’ websites. Cookie usage on those sites is governed by your customers’ own cookie policies, not this one. UMAP360 customers are responsible for disclosing the SDK’s use of localStorage in their own cookie or privacy policies

SECTION 12

International Data Transfers

Cross-border data flow safeguards

  • Primary data storage: Supabase hosted on AWS us-east-1, United States
  • Error monitoring: Sentry hosted in the EU (de.sentry.io)
  • Payment processing: Razorpay operates within India

For EU/EEA Users

Transfers of personal data from the EU/EEA to the United States are protected by Standard Contractual Clauses (SCCs) incorporated into our data processing agreements with each sub-processor. Where applicable, our sub-processors participate in the EU-US Data Privacy Framework, providing additional safeguards for transatlantic data transfers. We conduct transfer impact assessments as required by the Schrems II decision to ensure the adequacy of protections.

For Indian Users

We comply with Section 16 of the DPDPA 2023 regarding cross-border transfers of personal data. Your data is not transferred to any country that has been restricted by the Central Government of India for purposes of cross-border data transfers. We ensure that all international transfers are subject to appropriate contractual safeguards.

We ensure appropriate safeguards for all international transfers of personal data in compliance with all applicable data protection laws. If you have questions about the specific safeguards applied to your data, please contact us at contact@umap360.com.

SECTION 13

Security Measures

Technical and organizational safeguards

We implement and maintain comprehensive technical and organizational security measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption at rest: Sensitive credentials, including OAuth tokens and advertising connector configurations, are encrypted using AES-256-GCM before storage
  • Encryption in transit: All connections use TLS 1.2 or higher, with TLS 1.3 preferred. No unencrypted connections are accepted
  • PII hashing: Email addresses and phone numbers in event data are hashed using SHA-256 before storage, making re-identification from stored data computationally infeasible
  • Database security: Row Level Security (RLS) is enforced at the PostgreSQL database level, providing strict tenant isolation so that no customer can access another customer’s data
  • Authentication: Passwords are hashed using bcrypt with a sufficient work factor. OAuth 2.0 flows use HMAC-signed state parameters to prevent CSRF and replay attacks
  • Session security: 24-hour maximum session duration is enforced, with automatic session invalidation after the expiration period
  • Rate limiting: All API endpoints and authentication flows are protected by rate limiting to prevent brute-force attacks and abuse
  • Security monitoring: Automated security anomaly detection runs every 15 minutes, scanning for suspicious login patterns, unusual API usage, and potential attack vectors
  • Access controls: Role-based access control (RBAC) is implemented with the principle of least privilege. Internal access to production systems is restricted and audited
  • Infrastructure: Hosted on AWS with automated daily backups and infrastructure redundancy
  • SOC 2 Type II: Certification is currently in progress. Contact us for our latest security documentation and compliance status

For a detailed overview of our security posture, please visit our Trust Center.

SECTION 14

Data Breach Notification

Our obligations in the event of a personal data breach

In the event of a personal data breach that affects your personal data, we will comply with the following notification obligations:

Under GDPR

We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, unless one of the exceptions in Article 34(3) GDPR applies.

Under DPDPA 2023

We will notify the Data Protection Board of India and affected Data Principals within 72 hours of becoming aware of a personal data breach, in the form and manner prescribed by the Board. We will provide all information necessary for the Board to assess the severity and scope of the breach.

Under CCPA

We will notify affected California residents in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system, as required under California Civil Code Section 1798.82.

Notification Contents

Our breach notifications will include, at minimum:

  • A description of the nature of the personal data breach
  • The categories and approximate number of data subjects and personal data records affected
  • The likely consequences of the breach for affected individuals
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
  • Contact details of our Data Protection Officer for further information

We maintain a documented incident response plan that is tested and updated on a regular basis to ensure we can respond effectively to security incidents.

SECTION 15

Children’s Privacy

Protections for minors

UMAP360 is a business-to-business (B2B) SaaS platform designed for use by businesses and their authorized employees. Our services are not directed at, marketed to, or intended for use by children.

  • Under COPPA (United States): We do not knowingly collect personal information from children under the age of 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete that information from our systems
  • Under DPDPA 2023 (India): We do not knowingly process personal data of children (persons under the age of 18) without verifiable consent from a parent or lawful guardian, as required by Section 9 of the DPDPA

UMAP360 customers who deploy our SDK on websites or applications that are directed at children, or that knowingly collect data from children, are solely responsible for ensuring compliance with COPPA, DPDPA 2023, and all other applicable child protection laws in their jurisdiction. Such customers must configure the SDK to exclude the collection of personal data from children or obtain verifiable parental consent prior to collection.

SECTION 16

Do Not Track & Global Privacy Control

Browser-based privacy signals

Do Not Track (DNT)

We currently do not respond to Do Not Track (DNT) browser signals, as there is no universally accepted industry standard or legal requirement for how websites should interpret or respond to DNT signals at this time.

Global Privacy Control (GPC)

We do honor Global Privacy Control (GPC) signals as required by the California Consumer Privacy Act (CCPA/CPRA). When we detect a valid GPC signal from your browser, we treat it as an opt-out of the sale or sharing of personal information. Since UMAP360 does not sell or share personal information for cross-context behavioral advertising, a GPC signal effectively confirms the protections already in place.

To enable GPC, install a GPC-compatible browser or browser extension. Learn more at globalprivacycontrol.org.

SECTION 17

California-Specific Disclosures

CCPA / CPRA requirements

This section applies to California residents as defined by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”). This section supplements the rest of this Privacy Policy.

Categories of Personal Information Collected in the Last 12 Months

  • Identifiers: Name, email address, account name, IP address, online identifiers
  • Commercial information: Subscription plan, billing history, transaction records
  • Internet or network activity: Server access logs, browsing history within the platform, usage data, interactions with the UMAP360 dashboard
  • Geolocation data: Approximate location derived from IP address (city/region level)
  • Professional or employment-related information: Company name, job title or role, organizational information

Sources of Collection

  • Directly from you when you register, configure, or use the platform
  • Automatically through your use of the platform (server logs, usage analytics)
  • From third-party advertising platforms (Google Ads, Meta Ads) when you connect your accounts

Business Purposes for Collection

See Section 4: Purposes of Processing for a complete list of purposes.

Third Parties & Disclosure

See Section 8: Data Sharing & Third-Party Sub-Processors for the complete list of sub-processors. We share data only with sub-processors under data processing agreements. We do not sell personal information to third parties.

Sale and Sharing of Personal Information

We do not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising as defined by the CPRA.

Sensitive Personal Information

We do not collect sensitive personal information as defined by the CPRA, including but not limited to: Social Security numbers, driver’s license numbers, financial account information (handled by Razorpay), precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric information, health information, or sex life or sexual orientation data.

Authorized Agents

California residents may designate an authorized agent to submit data subject requests on their behalf. We may require written proof of the agent’s authorization (such as a power of attorney or a signed declaration) and may independently verify the consumer’s identity before processing the request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices or rates, provide a different level of quality, or suggest that you will receive different treatment for exercising your rights.

Financial Incentives

We do not offer financial incentives, price differences, or service differences that are tied to the collection, sale, retention, or deletion of personal information.

Annual CCPA Metrics

In accordance with CCPA requirements, we will publish annual metrics on this page reflecting the number of data subject requests received, complied with, and denied during the prior calendar year, once such data becomes available.

SECTION 18

India-Specific Disclosures

Digital Personal Data Protection Act, 2023

This section applies to Data Principals as defined under the Digital Personal Data Protection Act, 2023 (“DPDPA”). This section supplements the rest of this Privacy Policy.

Consent Notice

By creating an account on UMAP360 and using our services, you consent to the processing of your personal data for the purposes described in Section 4 of this Privacy Policy. Your consent is obtained through clear, affirmative action at the time of account registration. You may withdraw your consent at any time by contacting us at contact@umap360.com or by deleting your account. Please note that withdrawal of consent may affect your ability to use certain features of the UMAP360 platform.

Grievance Officer (Section 8(10) of the DPDPA)

In accordance with Section 8(10) of the DPDPA, the following individual has been designated as the Grievance Officer:

  • Name: Kalyanam Uday Kiran
  • Designation: Founder & CEO, Data Protection Officer
  • Email: contact@umap360.com
  • Address: D.No: 4-135/5, Flat No:504 Sri Shanmukha, Gollapudi, Krishna, Krishna-521225, Andhra Pradesh, India
  • Grievance redressal timeline: Within 30 days of receipt of your grievance

Data Protection Board of India

If you are not satisfied with our response to your grievance, or if we fail to respond within the prescribed 30-day period, you have the right to file a complaint with the Data Protection Board of India established under Section 18 of the DPDPA.

Cross-Border Transfers (Section 16)

Your personal data may be transferred to countries outside India for processing by our sub-processors as detailed in Section 8. We do not transfer data to any country that has been restricted by the Central Government of India for the purposes of cross-border data transfers under Section 16 of the DPDPA.

Significant Data Fiduciary Obligations

If UMAP360 is notified as a Significant Data Fiduciary by the Central Government of India under Section 10 of the DPDPA, we will promptly appoint an independent Data Auditor, conduct periodic data protection impact assessments, publish the Data Auditor’s report, and comply with all additional obligations applicable to Significant Data Fiduciaries under the DPDPA and any rules made thereunder.

SECTION 19

Automated Decision-Making & Profiling

How we use automated processing

UMAP360 uses automated processing in the following areas:

  • Multi-touch attribution modeling: Automated algorithms assign conversion credit across marketing touchpoints based on statistical models
  • Health score calculation: Automated scoring of user engagement levels based on behavioral data
  • Audience segmentation: Automated grouping of end-users into segments based on behavioral patterns and attributes
  • Security anomaly detection: Automated monitoring that identifies suspicious login attempts, unusual API usage patterns, and potential security threats

Impact and Safeguards

These automated processes do not produce legal effects or similarly significant effects on individuals. Attribution scores, health scores, and audience segments are used solely to provide analytics insights and operational tools to our customers. They do not affect any individual’s legal rights, access to services, or financial standing.

Security anomaly detection may automatically restrict access to an account when suspicious activity is detected (e.g., multiple failed login attempts from unusual locations). This is a protective measure designed to safeguard your account. If your access is restricted due to automated security detection, you can contact our support team at contact@umap360.com for a manual review and restoration of access.

Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. If you believe an automated decision has affected you, contact us to request human review of the decision.

SECTION 20

Privacy by Design

How privacy is embedded into our platform

UMAP360 is built with privacy as a foundational principle, not an afterthought. We proactively embed privacy protections at the design and architecture stage of every feature, following the seven principles of Privacy by Design:

  • Proactive, not reactive — privacy controls are built before features launch, not added after incidents
  • Privacy as the default — data collection is minimal by default; customers opt in to additional data points, not out
  • Privacy embedded into design — SHA-256 hashing of PII, AES-256-GCM encryption of credentials, and Row Level Security are architectural decisions, not bolt-on features
  • Full functionality — privacy and analytics are not trade-offs; our cookie-less attribution model delivers accurate insights without invasive tracking
  • End-to-end security — data is protected at every stage: collection (TLS 1.3), processing (tenant isolation), storage (encryption at rest), and deletion (soft-delete with permanent purge)
  • Visibility and transparency — this Privacy Policy, our Trust Center, and our sub-processor disclosures provide full visibility into our data practices
  • Respect for user privacy — we provide granular consent management tools, easy data export, and straightforward deletion processes

SECTION 22

Changes to This Policy

How we handle policy updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational factors. When we make changes:

  • Material changes will be communicated via email to the registered email address of all account owners and/or through a prominent notice on the UMAP360 website and dashboard at least 30 days before they take effect
  • Where required by law (e.g., under the DPDPA), we will obtain fresh consent before processing personal data for materially new purposes not covered by the original consent
  • Continued use of the UMAP360 platform after the effective date of changes constitutes acceptance of the updated Privacy Policy, provided that we have given adequate notice as described above
  • Previous versions of this Privacy Policy are available upon request by emailing contact@umap360.com

The “Last updated” date at the top of this page indicates when the most recent changes were made. We encourage you to review this page periodically.

SECTION 23

Governing Law & Dispute Resolution

Jurisdiction and legal framework

This Privacy Policy shall be governed by and construed in accordance with the laws of India, without regard to its conflict of law principles.

Any disputes, claims, or controversies arising out of or relating to this Privacy Policy, or the breach, termination, enforcement, interpretation, or validity thereof, shall be subject to the exclusive jurisdiction of the courts located in Krishna, Andhra Pradesh, India.

Notwithstanding the foregoing: residents of the European Union and European Economic Area retain the right to lodge complaints with their local data protection supervisory authority under the GDPR. California residents retain all rights under the CCPA/CPRA, which are enforceable by the California Attorney General and, in certain cases, through private right of action for data breaches as specified in California Civil Code Section 1798.150.

Privacy Questions?

Contact our Data Protection Officer for any questions about this Privacy Policy, your data rights, or how we handle your information.