Privacy Policy

Effective Date: 15 December 2015
Last Updated: 15 December 2015

This Privacy Policy explains how Lotus365 (“Lotus365”, “we”, “us”, “our”) collects, uses, shares, stores, and protects your personal data when you use our website, mobile applications, and related services (collectively, the “Services”). By accessing or using the Services, you confirm that you have read and understood this Privacy Policy.

This Privacy Policy is written in plain language for transparency and user understanding. It does not replace legal advice.

Introduction & Purpose

Lotus365 respects your privacy and is committed to handling personal data responsibly. This policy explains:

  • what personal data we collect
  • why we collect it
  • how we use and protect it
  • when we share it and with whom
  • how long we keep it
  • what rights and choices you have

Scope: This policy applies to personal data processed through the Services, including when you: create an account, log in, contact support, request verification, interact with features, or communicate with us.

Not covered: This policy does not apply to third-party websites/apps linked from our Services. Their privacy practices are governed by their own policies.

What Personal Information We Collect

We collect personal data only to the extent needed to provide the Services, maintain security, improve performance, and meet legal obligations (where applicable). The information we collect depends on how you interact with Lotus365.

A) Information you provide directly

  • Account & registration details: name (if provided), mobile number, email address, username, password (stored in encrypted/hashed form), state, and preferences
  • Support & communications: messages to customer support, email/WhatsApp chats, feedback, complaint details, and related request history
  • Verification/KYC information (if required): identity details (ID type/number), date of birth, address proof, selfie/verification image, or other details required to verify identity and reduce fraud (only when required)
  • Payment/transaction info (if applicable): payment method type, transaction reference IDs, timestamps, and payment status. We do not intentionally store full card numbers or CVV; payments are handled by secure processors where applicable.

B) Information collected automatically

  • Device & technical data: IP address, device identifiers, browser type, OS, app version, language, time zone, and device settings
  • Usage data: pages/screens viewed, clicks, session duration, referrer, feature usage, and performance logs
  • Security data: login timestamps, failed login attempts, suspicious activity signals, and fraud prevention indicators
  • Cookies & similar technologies: cookie IDs, session tokens, and analytics events (see Cookies sections)

C) Information from trusted third parties (when necessary)

  • Payment processors: transaction confirmation, chargeback/failed payment indicators (if applicable)
  • Verification providers: identity verification status (if applicable)
  • Security & analytics vendors: bot detection, risk scoring, performance and stability metrics
  • Legal/regulatory authorities: where required by law or lawful process

Sensitive data: We avoid collecting sensitive data unless necessary for security, verification, or compliance, and we apply stronger access controls when such data is processed.

How We Use Your Information (7 Primary Uses)

We use personal data for these primary purposes:

  1. Account creation & service delivery – create/manage accounts, enable login, maintain sessions, deliver features
  2. Customer support – respond to issues, handle complaints, track requests, improve resolution quality
  3. Security & fraud prevention – protect accounts, detect bots, prevent misuse, investigate suspicious activity
  4. Compliance & legal obligations (where applicable) – maintain required records, respond to lawful requests, resolve disputes
  5. Platform performance & improvements – troubleshoot bugs, improve speed, maintain reliability, upgrade user experience
  6. Communications – send OTPs, security alerts, policy updates, and essential service messages
  7. Marketing & promotions (optional) – send promotional messages only where permitted and based on your choices/consent; you can opt out anytime

We process data for permitted purposes such as delivering Services, ensuring security, responding to user requests, and complying with applicable legal obligations. Where consent is required for optional processing (such as certain cookies or marketing), we rely on your consent and allow withdrawal.

How We Protect Your Information

We use technical, administrative, and physical safeguards designed to protect personal data from unauthorized access, loss, misuse, alteration, or disclosure.

Technical safeguards

  • encryption in transit (SSL/TLS)
  • encryption at rest for sensitive data (where appropriate)
  • role-based access control (least-privilege access)
  • secure authentication for internal systems
  • firewall protections and intrusion detection
  • vulnerability management, patching, and security testing
  • monitoring for suspicious activity and abuse signals
  • backups and disaster recovery controls

Administrative safeguards

  • staff training and confidentiality obligations
  • controlled internal access to sensitive systems
  • vendor due diligence and contractual protections
  • documented incident response procedures

Physical safeguards

  • secure hosting/data center controls by infrastructure providers
  • restricted access to systems handling sensitive data

No system can be guaranteed 100% secure. We continuously improve safeguards to reduce risk.

Who We Share Your Data With

We do not sell your personal data. We share data only when necessary for service delivery, security, compliance, or user-requested features.

A) Trusted service providers (processors)
We may share data with vendors who help us operate the Services, such as:

  • hosting/infrastructure providers
  • customer support platforms
  • analytics and performance tools (subject to your cookie choices)
  • security and anti-fraud providers
  • payment processors (if applicable)
  • verification/KYC partners (if applicable)

B) Legal and regulatory disclosures
We may disclose information to authorities or third parties when necessary to:

  • comply with legal obligations, court orders, or lawful requests
  • protect users and platform security
  • investigate fraud or misuse
  • enforce Terms & Conditions and resolve disputes

C) Business transfers
If Lotus365 undergoes a merger, acquisition, restructuring, or asset sale, data may be transferred as part of the transaction, subject to appropriate safeguards and notices where required.

We require service providers to use the data only for agreed purposes and to maintain confidentiality and security measures.

Data Retention Policy (Complete Schedule)

We keep personal data only as long as necessary for service delivery, security, dispute resolution, and legal compliance.

Typical retention periods:

  • Account information: active account + up to 5 years after closure (legal/tax/dispute handling)
  • Transaction records (if applicable): 5–7 years (financial compliance and audits)
  • KYC documents (if applicable): up to 7 years or as required (compliance and fraud prevention)
  • Login records: up to 1 year (security and investigations)
  • Support communications: up to 3 years (dispute resolution and support history)
  • Marketing preferences: until you unsubscribe or change settings
  • Cookies & tracking data: up to 1 year (varies by cookie type)
  • IP/server logs: typically 90 days (troubleshooting and security)

When retention is no longer required, we take reasonable steps to delete, anonymize, or securely destroy data unless we must retain it by law.

Cookies & Tracking Technologies

We use cookies and similar technologies (pixels, SDKs, local storage) to:

  • maintain login sessions
  • protect accounts and prevent fraud
  • remember preferences
  • measure performance and improve user experience
  • enable analytics and marketing where permitted and enabled

Cookie categories:

  • Essential (cannot disable): login/session, security, core functionality
  • Functional (optional): language and preference enhancements
  • Analytics (optional): usage measurement and experience improvements
  • Marketing (optional): campaign measurement and remarketing (where enabled/allowed)

For more detail, see the Cookies Policy (Detailed) section below.

Your Privacy Rights (DPDP Act 2023 – User Rights)

Depending on applicable law, you may exercise the following rights:

  1. Access: request a copy/summary of personal data we hold (subject to lawful limits)
  2. Correction: correct inaccurate or incomplete data
  3. Deletion: request deletion where legally permitted (some data must be retained by law)
  4. Portability/Export (where feasible): request certain data in a common format (CSV/JSON) when technically feasible
  5. Withdraw consent: withdraw consent for optional processing (marketing, optional cookies)
  6. Lodge complaint/grievance: raise privacy concerns and request redressal through our process

How to request: Email privacy@lotush365official.com.
Identity verification: We may verify your identity before completing requests to protect your account.
Limits: We may deny/limit requests where required by law, to protect others’ rights, for security needs, or if identity cannot be verified.

Third-Country Data Transfers

Some vendors or infrastructure providers may process/store data outside India depending on service architecture. When we transfer data internationally, we use safeguards such as:

  • contractual confidentiality and security obligations
  • vendor due diligence and audits/assessments
  • access control and data minimization
  • recognized contractual protections where appropriate

You can contact us for more information about cross-border processing.

Compliance with Indian Laws

We aim to comply with applicable Indian laws and requirements relevant to our Services, including (as applicable):

  • Digital Personal Data Protection (DPDP) Act, 2023
  • Information Technology Act, 2000 and related rules/guidelines
  • Income Tax Act, 1961 (record-keeping obligations where applicable)
  • Prevention of Money Laundering Act (PMLA), 2002 (where applicable)
  • State-specific legal requirements depending on jurisdiction and service design

We also align with recognized security best practices, and where payments are involved, we use secure processors aligned with payment security standards.

Cookies Policy (Detailed)

Essential cookies (cannot disable)

  • session cookies for login maintenance
  • security cookies for fraud prevention
  • required preference cookies for core settings

Optional cookies (can disable)

  • functional cookies (language and UX preferences)
  • analytics cookies (usage insights and performance improvements)
  • marketing cookies (campaign measurement and remarketing where enabled)

How you can control cookies

  • browser privacy settings (block/delete cookies)
  • cookie banner/preferences (if available)
  • analytics opt-out tools provided by vendors (where applicable)
  • advertising platform preferences (where applicable)
  • unsubscribe links in emails for marketing communications

Do Not Track: Some browsers offer “Do Not Track” signals. Because there is no uniform standard, we may not respond consistently. You can still manage cookies using the methods above.

Data Breach & Incident Response

If we detect a suspected security incident or data breach, we follow a structured response process:

  1. Containment: isolate affected systems and stop unauthorized access
  2. Investigation: determine scope, root cause, and data potentially impacted
  3. Remediation: patch vulnerabilities, rotate credentials, strengthen controls
  4. Notification: notify affected users and/or authorities where required and appropriate
  5. Review: document lessons learned and implement improvements

If a breach is likely to create significant risk, we will notify affected users through appropriate channels and provide guidance on safety steps. Where legal timelines apply, we aim to follow those requirements and notify as soon as reasonably practicable.

Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we do:

  • we will update the “Last Updated” date
  • we will publish the updated policy on this page
  • for major changes, we may provide additional notice (in-app/email) where appropriate

Your continued use of the Services after updates means you acknowledge the updated policy to the extent permitted by law.

Data Protection Officer (DPO)

We may appoint a Data Protection Officer (DPO) or privacy lead to oversee privacy governance and user requests.

DPO responsibilities include:

  • handling privacy inquiries and rights requests
  • overseeing privacy/security controls
  • coordinating incident response (privacy-related)
  • maintaining internal privacy processes

DPO contact: dpo@lotush365official.com
Privacy team: privacy@lotush365official.com

Contact Us for Privacy Matters

If you have questions, concerns, or privacy requests, contact us:

Typical response times

  • General inquiries: within 5 business days
  • Access requests: up to 30 days
  • Corrections: promptly/as feasible
  • Deletion requests: up to 45 days (subject to legal retention)
  • Complaints/grievances: up to 60 days (depending on complexity)

FAQs – Privacy Policy

What personal information does Lotus365 collect?

We collect registration details (mobile/email), account preferences, support messages, and technical data like IP/device info. If verification or compliance is required, we may also collect identity/KYC details. If payments apply, we collect limited transaction references and payment status.

How does Lotus365 protect my personal data?

We use encryption in transit (SSL/TLS), access controls, monitoring, and security defenses like firewalls and intrusion detection. Sensitive information is restricted with least-privilege access. We also follow vendor due diligence and incident response procedures.

Who does Lotus365 share my data with?

We share data only with trusted service providers needed to run the Services (hosting, support, security, analytics) and with payment/KYC partners if applicable. We may also share data where required by law or lawful requests. We do not sell your personal data.

How long does Lotus365 keep my personal data?

Retention depends on the data type and purpose. Typically, account information may be retained up to 5 years after closure, transaction records 5–7 years, login logs 1 year, and support chats up to 3 years. Some data must be kept for legal/security reasons.

What are my privacy rights under Indian law?

You may request access, correction, deletion (where permitted), and withdrawal of consent for optional processing. You can also raise grievances/complaints through our privacy channels. We may verify identity before fulfilling requests for safety.

How does Lotus365 use cookies and tracking?

We use essential cookies for login and security. Optional cookies may be used for functionality, analytics, and marketing (where enabled and permitted). You can control cookies via browser settings and any on-site cookie controls provided.

What happens if Lotus365 experiences a data breach?

We follow a structured incident response: contain, investigate, remediate, and notify where required. If the incident presents significant user risk, we will inform affected users and provide recommended safety steps. We also implement improvements after investigation.