Privacy Policy

1. Introduction

Nansys Inc. (herein referred to as “ Organization,” “Company,” “we,” “our,” or “us”) is committed to protecting the privacy of individuals who interact with us. This policy explains how we collect, use, store, and safeguard personal data to ensure transparency and build trust with our users, customers, and partners.

2. Scope

This policy applies to all personal data collected through the Organization’s websites, applications, services, and other interactions with individuals, including our Incentive Commission and Customer Rebates Management (ICRM) platform and any of our other related online and offline offerings (collectively, the “Services”).

This Privacy Policy does not apply to any information that our customers provide to us to be processed on their behalf in accordance with a Nansys services agreement (“Customer Data”). In such instances, our customers are the “Data Controllers” responsible for providing the appropriate notice to individuals and obtaining any required authorizations to permit us to process Customer Data. Our customers’ respective privacy policies will govern the collection and use of such information.

3. Definitions

• IP Address: A unique string of characters that identifies each computer using the Internet Protocol to communicate over a network.
• Personal Data: Any information relating to an identifiable individual (e.g., name, email, IP address).
• Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
• Data Controller: The entity that determines the purposes and means of processing personal data.
• Data Processor: The entity that processes data on behalf of the Data Controller.

4. Responsibilities

The Information Security Manager is responsible for developing, implementing, maintaining, and enforcing this policy.

Employees are responsible and/or accountable to ensure adherence to this policy’s terms during their job duties.

5. Data We Collect

We may collect the following types of personal data:

• Identification Information: Name, email address, phone number, address, date of birth, and similar identifiers.
• Account Information: Username, password, and account preferences.
• Financial Information: Payment details and billing address.
• Technical Data: IP address, device identifiers, operating system, browser type and version, cookies, and usage analytics.
• Sensitive Personal Data (if applicable): Health information, biometric data, or other sensitive data only with explicit consent.

6. How We Collect Data

We collect personal data through the following methods:

• Directly from You: When you fill out forms (e.g., demo requests, contact forms), create accounts, subscribe to newsletters, or otherwise communicate with us.
• Automatically: Through cookies, analytics tools, and server logs when you use our website or Services.
• From Third Parties: From business partners, service providers, data enrichment providers, or publicly available sources.

7. Legal Bases for Processing Personal Data

We process personal data only when permitted by applicable law. The legal bases include:

• Consent: When you provide explicit consent for specific processing activities (e.g., marketing communications).
• Contractual Necessity: To fulfill a contract with you (e.g., processing orders, providing platform access).
• Legal Obligation: To comply with legal and regulatory requirements.
• Legitimate Interests: For purposes such as fraud prevention, improving services, or ensuring security.

8. How We Use Personal Data

We use personal data for the following purposes:

• Providing and improving our Services.
• Processing transactions and managing accounts.
• Communicating with you regarding updates, offers, and support.
• Conducting analytics and research to improve user experience.
• Ensuring security, detecting fraud, and complying with legal obligations.
• Enabling integrations with third-party services you choose to connect.

9. Data Sharing and Disclosure

We may share personal data under these circumstances:

Service Providers

With vendors or contractors who perform services on our behalf, including: payment and transaction processing; customer service activities; provision of IT and related services; and data analytics.

Legal Compliance

To comply with applicable laws, subpoenas, court orders, or other legal processes; to protect your, our, or others’ rights, property, or safety; to enforce our policies and contracts; to collect amounts owed to us; or to prevent financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity.

Business Transfers

In the event of mergers, acquisitions, financing, reorganization, sale of all or substantially all assets or stock, bankruptcy, or insolvency event, we may disclose or transfer your personal data in connection with such transaction.

With Your Consent

When you explicitly agree to share your data.

10. Data Retention

We retain personal data only as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. Afterward, data is securely deleted or anonymized.

Our retention periods for key data categories are as follows:

• Client Personal Data (Client Master): Retained as long as the client contract continues, or three months from the date of termination, or as specified in the client contract.
• Client’s End-User / Employee Data: Retained as long as the client contract continues, or three months from the date of termination, or as specified in the client contract.
• Application and Database Backups: Retained as long as the client contract continues, or three months from the date of termination, or as specified in the client contract.
• Trial Customer Data: Deleted within one month after the end of the trial period.
• CRM / Marketing Data: Active contacts retained until opt-out; dormant contacts (inactive for 2 years) are deleted. Opt-out list retained indefinitely.
• Cookie Data: Retained for 180 to 365 days depending on cookie type.
• Client Data — Hard Copies: Destroyed within 30 days or as per contractual / regulatory requirements.
• Financial / Invoice Data: Retained as per statutory limits applicable in the region.

When determining retention periods, we follow the highest applicable requirement in this sequence: (1) statutory, regulatory, or legislative requirements; (2) contractual requirements; (3) organizational policy. Records are appropriately archived during the retention period and securely destroyed, deleted, or disposed of at the end of the retention period. The concerned department retains records of the destruction, deletion, or disposal of Personal Data for future audits and reference.

11. Data Security

All efforts shall be made to ensure the Confidentiality, Integrity, and Availability of information. We implement the following measures to safeguard personal data:

• A formal Information Security Management System (ISMS) aligned with ISO 27001:2022 and SOC 2 requirements.
• Encryption of data at rest and in transit, governed by our Encryption and Key Management Policy.
• Access controls to limit access to information and information processing facilities, ensuring authorized user access and preventing unauthorized access to systems and services. Access is provisioned based on data classification and revoked in accordance with corresponding policies.
• Role-based access controls with segregation of duties.
• Regular identification, assessment, and mitigation of all risks related to information and information processing systems.
• Adequate employee training and awareness regarding information security roles and responsibilities.
• Physical security measures to protect personnel, information, and information processing systems from physical and environmental threats.
• Formal incident management to ensure that all information security incidents are reported and managed promptly.
• Business Continuity and Disaster Recovery plans defined, implemented, and tested to ensure the availability of information and information processing systems during emergencies.
• Regular audits, security assessments, and continuous review and improvement of the information security posture.

Your account is protected by a password for your privacy and security. You must prevent unauthorized access to your account by selecting and protecting your password appropriately and limiting access to your computer or device and browser.

While we endeavor to protect the privacy of your account and other personal data, no system is 100% secure, and we cannot guarantee the absolute security of any information you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure.

Employees are prohibited from divulging, copying, altering, or destroying any information, unless properly authorized within the scope of their professional activities. Employees shall not attempt to circumvent or subvert any information security controls. Data masking shall be applied to limit the exposure of personal data and to comply with legal, statutory, regulatory, and contractual requirements.

12. Your Rights

Depending on your jurisdiction of residence, and subject to applicable legal exceptions, you may have the following rights:

• Access: Request access to your personal data.
• Rectification: Correct inaccurate or incomplete data.
• Deletion: Request deletion of your data.
• Data Portability: Obtain a copy of your data in a structured, commonly used, and machine-readable format.
• Restriction: Request a limitation on the processing of your data.
• Objection: Object to certain processing activities, such as direct marketing or processing based on legitimate interests.
• Withdraw Consent: Withdraw your consent at any time when processing is based on consent.

To exercise any of these rights, please contact us at akhil.bandari@nansysinc.com. We will verify your identity for security and to prevent fraud before processing your request. We will not discriminate against you or treat you differently for exercising these rights.

Marketing Choices

If you do not want to receive marketing communications from us, you may opt out by clicking the unsubscribe link in our marketing emails or by contacting us at akhil.bandari@nansysinc.com. Please note that you will not be able to opt out of non-promotional communications (e.g., communications regarding the Services or updates to our agreements with you or this Privacy Policy).

Notice of Right to Opt Out of Sale/Sharing

Depending on your jurisdiction, you may have the right to opt out of the “sale” or “sharing” of your personal data for targeted advertising purposes. Nansys does not sell personal data for monetary consideration. However, as described in our Cookie Policy, we may use third-party analytics and advertising cookies that could be considered a “sale” or “sharing” under certain privacy laws. To manage your cookie preferences, please use our cookie consent banner or adjust your browser settings.

Additional Information for California Residents

If you are a California resident, the California Consumer Privacy Act (“CCPA”) provides you with additional rights, including the right to know what personal data we collect, use, disclose, and sell/share. For details about the categories of personal data we collect and how we use and disclose it, please refer to the relevant sections above. To exercise your CCPA rights, contact us at akhil.bandari@nansysinc.com.

Supervisory Authority

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable law.

13. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your browsing experience, provide personalized services, and analyze website usage.

What Are Cookies?

Cookies are small text files stored on your device (computer, tablet, or mobile) when you visit a website. They enable the website to recognize your device, remember your preferences, and provide relevant functionality.

Cookies can be classified as:

• Session Cookies: Temporary cookies that are deleted when you close your browser.
• Persistent Cookies: Cookies that remain on your device for a specified period or until manually deleted.
• First-Party Cookies: Set by the website you are visiting.
• Third-Party Cookies: Set by external services integrated into the website.

Types of Cookies We Use

• Strictly Necessary Cookies: Essential for the website to function correctly. They enable core functionalities such as security, network management, and accessibility. These cannot be turned off through our cookie consent tool.
• Performance and Analytics Cookies: Help us understand how users interact with our website by collecting and reporting information anonymously. We may use third-party analytics services, such as Google Analytics, for this purpose.
• Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences (e.g., language or region).
• Advertising and Targeting Cookies: Used to deliver personalized advertisements and track the effectiveness of marketing campaigns. These may be set by us or third-party advertising partners.

How We Use Cookies

We use cookies to:

• Provide essential website functionality.
• Enhance user experience and website performance.
• Analyze website traffic and usage patterns.
• Deliver relevant advertising and content.
• Enable integrations with third-party services (e.g., social media, analytics tools).

Legal Basis for Using Cookies

• Consent: For non-essential cookies, such as analytics, advertising, and social media cookies, we seek your explicit consent.
• Legitimate Interest: For strictly necessary cookies required for website functionality and security.

Managing Your Cookie Preferences

When you visit our website for the first time, you will see a cookie consent banner explaining our use of cookies. Through this banner, you can accept all cookies, reject non-essential cookies, or customize your preferences. You can also manage cookies through your browser settings. Most browsers allow you to block or delete cookies and set preferences for first-party and third-party cookies. Please note that disabling certain cookies may affect the functionality of our Services.

Data Collected Through Cookies

Cookies may collect the following types of data:

• IP address.
• Device information (e.g., browser type, operating system).
• Browsing behavior and interactions (e.g., pages visited, time spent).
• Referring websites or links.

This data is often aggregated and anonymized, but in some cases, it may be linked to your personal information if you provide it elsewhere on our site.

Retention of Cookies

Cookies are retained for varying periods depending on their purpose:

• Session Cookies: Deleted when you close your browser.
• Persistent Cookies: Retained for 180 to 365 days or until manually deleted.

For more detailed information, please refer to our separate Cookie Policy.

14. Children’s Privacy

We do not knowingly collect personal data from children under the age of 13. Our website and Services are not intended for children. If we become aware of such data, we will delete it promptly. If you learn that your child has provided us with personal data without your consent, please contact us at akhil.bandari@nansysinc.com.

15. Third-Party Links

Our website or Services may contain links to third-party websites. We are not responsible for their privacy practices and encourage you to review their privacy policies. When you choose to link your account with a third-party service, the information you provide will be subject to that third party’s privacy policy. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such third-party websites or applications.

16. International Data Transfers

Nansys Inc. is based in the United States and, to the fullest extent permitted by applicable law, the information we collect is governed by U.S. law. All information processed by us may be transferred, processed, and stored anywhere in the world, including the United States or other countries where we or our service providers operate. By using the Services, you acknowledge that your information may be transferred in this way.

Depending on your location, when we transfer personal data across borders, we rely on certain legal mechanisms to safeguard the transfer, as required by law. If you are located in the European Economic Area, the United Kingdom, or Switzerland, this may include transferring your personal data to countries deemed adequate by the relevant authorities, or using Standard Contractual Clauses (SCCs) and any additional safeguards as necessary.

17. Updates to This Policy

We may update this policy periodically to reflect changes in laws, regulations, or business practices. When we make changes, we will post the revised Privacy Policy on this page and update the “Effective Date” at the top of the policy. We encourage you to review this policy periodically to stay informed about how we protect your personal data. Changes will be effective upon posting on this page, with the “Effective Date” revised accordingly.

18. Contact Us

If you have any questions, concerns, or wish to exercise your rights under this Privacy Policy, please contact us at: