Data Protection Policy


Purpose & Commitment

  • RatingIcon is committed to protecting personal data and upholding the privacy rights of all users and customers.
  • This policy outlines how we collect, use, store, share, and protect personal data in line with applicable Indian laws.

Applicable Laws

  • Information Technology Act, 2000 and associated Rules, including Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011.
  • Digital Personal Data Protection Act, 2023 (DPDP Act) and any rules, notifications, and directions issued thereunder as and when they take effect.

Scope

  • Applies to all personal data processed by RatingIcon across web, mobile, integrations, and support channels.
  • Covers customers, business users, end-consumers submitting ratings or feedback, website visitors, contractors, and employees where applicable.

Key Definitions

  • Personal Data: Any data about an individual who is identifiable by or in relation to such data.
  • Sensitive Personal Data or Information (SPDI): As defined under applicable IT Rules (for example, financial information, health data, biometric information) where relevant.
  • Data Principal: The individual to whom the personal data relates.
  • Data Fiduciary: RatingIcon, when determining the purpose and means of processing personal data.
  • Data Processor: Third parties that process personal data on our instructions.

Types of Data We Process

  • Account data: name, business details, email, phone, role.
  • End-customer data for reviews: name (optional), rating, comments, contact details if provided for verification.
  • Transactional and usage data: invitations sent, delivery status, opens, clicks, device and log data.
  • Support and grievance records.

Lawful Grounds & Consent

  • Consent: Obtained where required, clear and specific, with the ability to withdraw at any time.
  • Legitimate uses: Performance of a contract, compliance with law, prevention of fraud and abuse, and other lawful purposes under applicable Indian law.
  • Children’s data: We do not knowingly solicit or process data of children without verifiable consent as required by law.

Collection Practices

  • Collect the minimum data necessary for providing services such as review collection, verification, reporting, and analytics.
  • Provide clear notices describing the purpose of collection and key rights available to data principals.
  • Prohibit deceptive or unfair data collection practices.

Use of Data

  • To deliver core features: send invitations, collect ratings, detect fake or harmful content, and generate insights.
  • To provide customer support, resolve issues, and improve platform security and performance.
  • To comply with legal obligations and enforce our terms.

Data Minimization & Retention

  • Maintain data only as long as needed for the stated purpose or as required by law or legitimate business needs.
  • Apply documented retention schedules and secure deletion or anonymization upon expiry.

Accuracy

  • Reasonable steps are taken to keep personal data accurate, complete, and up to date.
  • Mechanisms exist for users to update or correct their information.

Security Measures

  • Implement reasonable security practices and procedures including access controls, encryption in transit where applicable, hashed credentials, monitoring, and regular reviews.
  • Employee access is role-based and subject to confidentiality obligations.
  • Vendors and processors are bound by data protection and security obligations.

Cross-Border Transfers

  • Where personal data is transferred outside India, we ensure lawful transfer mechanisms and comparable protections consistent with applicable Indian law.

Processors & Third Parties

  • Share data with processors strictly on a need-to-know basis under written contracts with confidentiality, security, and use limitations.
  • No sale of personal data.

Automated Review Integrity & Anti-Fraud

  • Use automated and manual checks to detect spam, duplicate, or manipulated reviews.
  • Flagged content may be held, reviewed, or removed in line with our acceptable use and legal obligations.

Data Principal Rights

  • Right to access information about processing.
  • Right to correction, completion, and updating.
  • Right to withdraw consent where processing is based on consent.
  • Right to grievance redressal and to nominate a person to exercise rights in case of death or incapacity as per law.

Breach Management

  • We maintain an incident response process for detection, containment, assessment, and remediation.
  • Where required, we will notify the appropriate authority and affected individuals as per applicable legal requirements.

Significant Data Fiduciary Obligations

  • If and when classified as a Significant Data Fiduciary under the DPDP Act, we will appoint a Data Protection Officer, conduct Data Protection Impact Assessments for high-risk processing, and meet any additional obligations notified by the Government of India.

Grievance Redressal

  • Grievance Officer: To be published with name and contact details on our website and within the application.
  • Users may submit requests or complaints related to data protection. We will acknowledge and address them within the timelines required by applicable laws.

Training & Accountability

  • Staff handling personal data receive periodic privacy and security training.
  • Internal audits and reviews are conducted to ensure ongoing compliance and effectiveness of controls.

Policy Changes

  • We may update this policy to reflect legal, technical, or business developments. Material changes will be communicated through our website or application notices.

Effective Date

  • Effective from 26 August 2025.