Introduction

‍

NovaBenefits Private Limited, hereinafter referred to as "Nova Benefits," is committed to protecting the privacy and security of your personal information. 

We understand that you value your privacy, and we take your concerns seriously. This Privacy Notice outlines our policies and practices regarding the collection and use of your personal data and explains your privacy rights. We recognize that safeguarding your information is an ongoing commitment, and as such, we will periodically update this Privacy Notice to reflect any changes in our data practices or privacy policies.

This Privacy Notice applies to NovaBenefits Private Limited, and its subsidiary, associate, affiliate companies (“Nova Benefits Group companies”).

‍

Interpretation and Definitions

‍

For the purposes of this Privacy Notice:

• "Company" (referred to as either "the Company," "We," "Us," or "Our" in this Privacy Notice) refers to NovaBenefits Private Limited, having its registered Office at “III Floor, Lakshmi Narasimha, No. 6/A, 100 Feet Road, Koramangala 4th Block, Koramangala, Bengaluru 560095, Karnataka”.
• "Service" refers to the Company’s wellness and insurance services accessible via our website and mobile applications.
• "Personal Data" means any information that relates to an identified or identifiable individual.
• "Data Subject" is any living individual who is the subject of Personal Data.
• "Data Controller" / “Data Fiduciary” means the natural or legal person who determines the purposes and means of the processing of Personal Data.
• "Data Processor" means the natural or legal person who processes Personal Data on behalf of the Data Controller.
• "Cookies" are small files stored on your device (computer or mobile device).
• “Affiliate” means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
• “Country” refers to India.
• “Application/ Platform” means the software program provided by the Company downloaded by You on any electronic device, named “Nova Benefits”.
• “You” means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
• “Privacy Notice” refers to this Privacy Notice, and any subsequent amendments hereto.

‍

Data Protection Officer

‍

Nova Benefits, headquartered in Bengaluru, India, has appointed an internal Data Protection Officer (DPO) to address any inquiries or concerns you may have regarding our personal data policies or practices. If you wish to exercise your privacy rights or have questions about how we handle your personal data, please contact Nova Benefits' Data Protection Officer, details are as follows: 

• Name: Ujjwal Sinha
• Email: [email protected]

‍

How we collect and use (process) your personal information

‍

Nova Benefits collects personal information from its users and customers to provide them with our services and enhance their experience. We prioritize the protection and privacy of your personal data, ensuring that it is used only for legitimate purposes outlined in this Privacy Notice. This section describes the types of personal information we collect, how we use it, and the measures we take to safeguard your privacy.

‍

We collect the following types of personal information, some of which may only be collected if relevant to the services you have subscribed to:

• User Information: 
  • Data Collected: Email, Full Name, Display Name, Date of Birth (DOB), Gender, Profile Photo, City, Pincode, Blood Group, Primary Email, Secondary Email, Contact Number, Address, Nominee Details (Name, Relation, Contact Number, Email Address, Pincode).

• Dependent Information:
  • Data Collected: Name, DOB, Gender, Relation.

• Nominee Details (Super Top Ups): 
  • Data Collected: Name, Relation, Contact Number, Email Address, Pincode.

• Medical Information: 
  • Data Collected: Checkup Results, Diagnosis Details, Medical Investigation Bills and Reports, Hospital name, Hospitalization date, Hospitalization city, Contact number, WhatsApp consent, Doctor Name, Aadhaar card, PAN card, Canceled cheque, UHID.

• Contact Information:
  • Data Collected: Email, Name, Contact Number.

• Mobile App Permissions:
  • Data Collected: Camera, Location, Notification, Photos.

• Wellness Partner Integration Data:
  • Data Collected: Name, Email, Contact Number, DOB, City, Gender.

• StepRecord Data:‍
  • Data Collected: Step count data from Google Health Connect.

We use this information for the following purposes:

• Wellness and Insurance Services: To provide wellness and insurance benefits to users and their dependents.
• Retail Policy Management: To manage super top-up policies.
• Medical and Health Services: To facilitate health check-ups, hospitalization claims, and integration with wellness partners.
• Mobile App Features: To enable mobile app functionalities such as profile picture updates, network hospital listings, location services, push notifications, and document uploads.
• Communication: To send email notifications, reminders, and updates about our services.‍
• StepRecord data: We collect step count data from Google Health Connect to display users' activity logs and contribute to organizational and user challenges. This data helps users earn points and advance on leaderboards. Step count data is collected directly from Google Health Connect with the user's consent.

We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of Nova Benefits services. This includes sharing personal information with the service providers involved in providing our wellness and insurance services.

‍

How we collect personal information:

• Directly from Users: Most users provide their personal information directly to Nova Benefits during the user onboarding process, through forms, or via our mobile app.
• Via Organizations: In some cases, your employer may provide your personal information if they sign you up for our services.

‍

Scenarios where we may receive personal information from third parties:

• Employer Provided Data: Your employer may provide your personal information if they are a corporate customer of Nova Benefits.
• Wellness Partners: Our wellness partners may share your personal information with us when you utilize their services integrated with Nova Benefits.
• Event Registrations: We may receive your personal data from third-party websites (e.g., LinkedIn) if you fill out a form requesting content or registering for an event.
• Google Health Connect: We may receive your step count data from Google Health Connect when you use our Services. This data is used to display your activity logs, contribute to organizational and user challenges, and help you earn points and advance on leaderboards. This data is collected and shared with us with your explicit consent.

You can access and update your data directly on the Nova Benefits Platform. For any queries or to exercise your privacy rights, please contact our Data Protection Officer at [email protected].

‍

Use of the novabenefits.com Website

‍

As is true of most other websites, the Nova Benefits website collects certain information automatically and stores it in log files. This information may include Internet Protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system, and other usage information about the use of the Nova Benefits website, including a history of the pages you view. We use this information to help us design our site to better suit our users' needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.

Nova Benefits has a legitimate interest in understanding how members, customers, and potential customers use its website. This assists Nova Benefits with providing more relevant products and services, with communicating value to our sponsors and corporate members, and with providing appropriate staffing to meet member and customer needs.

‍Cookies and Web Beacons

Nova Benefits makes available a comprehensive Cookie Notice that describes the cookies used on the Nova Benefits website and provides information on how users can accept or reject them. You can view our Cookie Notice here.

Do Not Track

Nova Benefits tracks users when they cross from our primary public website (novabenefits.com) to our “Nova Benefits Platform” portion of the site by logging in with their username and password or via Single Sign On, Magic Link, OTP. Nova Benefits also keeps a record of third-party websites accessed when a user is on the Nova Benefits site and clicks on a hyperlink. However, Nova Benefits does not track users to subsequent sites and does not serve targeted advertising to them. Therefore, Nova Benefits does not respond to Do Not Track (DNT) signals.

Third-Party Tracking and Analytics Tools

We use PostHog, Google Analytics, and Sprouts.ai for tracking and analytics. These tools help us understand user behavior and improve the overall user experience on our website. The data collected by these tools includes IP addresses, browser type, operating system, and other usage information. This data is used strictly within the scope of improving our services and is not processed outside of this scope.

‍

When and How We Share Information with Others

‍

Information about your interactions with Nova Benefits, including your wellness activities and insurance status, is maintained in association with your membership or profile account. The personal information Nova Benefits collects from you is stored in one or more databases hosted by Amazon Web Services (AWS) located in the Mumbai region. These third parties do not use or have access to your personal information for any purpose other than cloud storage and retrieval. On occasion, Nova Benefits engages third parties to mail information to you, including items like wellness program materials or insurance documentation.

We do not otherwise reveal your personal data to non-Nova Benefits persons or businesses for their independent use unless:

1. you request or authorize it; 
2. it’s in connection with Nova Benefits-hosted and Nova Benefits co-sponsored events or programs as described above; 
3. it is to assist your employer with confirming receipt or consumption of a benefit they provided on your behalf; 
4. the information is provided to comply with the law (for example, to comply with a search warrant, subpoena, or court order), enforce an agreement we have with you or your employer, or to protect our rights, property, or safety, or the rights, property, or safety of our employees or others; 
5. the information is provided to our agents, vendors, or service providers who perform functions on our behalf; 
6. to address emergencies or acts of God; or 
7. to address disputes, claims, or to persons demonstrating legal authority to act on your behalf. We do NOT gather aggregated data about our members and site visitors and disclose the results of such aggregated (but not personally identifiable) information to our partners, service providers, advertisers, and/or other third parties for marketing or promotional purposes.

The personal information Nova Benefits collects may be shared with insurers or wellness service providers as required to provide the services. This includes sharing personal information with our service providers involved in providing our wellness and insurance services.

StepsRecord Data Sharing: We confirm that the collected step count data will not be shared with any third parties.

‍

Social Media Integration

The Nova Benefits website uses interfaces with social media sites such as LinkedIn, Twitter, YouTube, and Instagram. If you choose to "like" or share information from the Nova Benefits website through these services, you should review the privacy policy of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your site visit to your personal data.

• LinkedIn: https://www.linkedin.com/company/nova-benefits/
• Twitter: https://x.com/novabenefits
• YouTube: https://www.youtube.com/channel/UCXeubD17S937tzG9R2SI2hg/featured
• Instagram: https://www.instagram.com/novabenefits/

‍

Transferring Personal Data

‍

Nova Benefits is headquartered in Bengaluru, India. Information we collect about you will be processed in India. By using Nova Benefits' services, you acknowledge that your personal information will be processed in India.

Nova Benefits provides safeguards by entering into data processing agreements and standard data protection clauses where appropriate for the data subjects’ location. We also ensure that our data processors comply with applicable data protection laws and implement adequate technical and organizational measures to protect your personal data.

For more information or if you have any questions, please contact us at [email protected].

‍

Data Subject Rights

‍

Under the Digital Personal Data Protection (DPDP) Act, 2023 (India):

As per the DPDP Act, 2023, data subjects, referred to as Data Principals, have the following rights:

‍

1. Right to Information (Section 11):

• Summary of Personal Data: Obtain a summary of the personal data being processed and the processing activities undertaken.
• Identities of Data Fiduciaries and Processors: Obtain information about all other Data Fiduciaries and Data Processors with whom the personal data has been shared.
• Additional Information: Request any other prescribed information related to the personal data and its processing.

2. Right to Correction and Erasure (Section 12):

• Correction: Request the correction of inaccurate or misleading personal data.
• Completion and Updating: Request the completion of incomplete personal data and updating of personal data.
• Erasure: Request the erasure of personal data unless retention is necessary for compliance with law or for the specified purpose.

3. Right to Grievance Redressal (Section 13):

• Grievance Redressal: Have readily available means for grievance redressal in case of any issues related to personal data processing.
• Response Time: Data Fiduciaries must respond to grievances within a prescribed period.

4. Right to Nominate (Section 14):

• Nomination: Nominate another individual to exercise rights on behalf of the Data Principal in case of death or incapacity.

5. Duties of Data Principals (Section 15):

• Compliance with Laws: Ensure compliance with applicable laws while exercising rights.
• Authenticity: Provide verifiable authentic information and avoid impersonation or suppression of material information.

‍

Under the General Data Protection Regulation (GDPR) (European Union):

As per the GDPR, data subjects have the following rights:

1. Right to Information and Access (Articles 12 - 15):

• Information to be Provided: Understand what personal data is collected, the purposes of processing, and who will receive the data.

• Access to Data: Confirm whether personal data is being processed and access the personal data held by the controller.

2. Right to Rectification (Article 16):

• Correction of Data: Correct inaccurate personal data and complete incomplete data.

3. Right to Erasure (Article 17):

• Erasure of Data: Request the deletion of personal data when it is no longer necessary, consent is withdrawn, or if processing is unlawful.

4. Right to Restriction of Processing (Article 18):

• Restrict Processing: Limit processing of personal data under certain circumstances.

5. Right to Data Portability (Article 20):

• Data Portability: Receive personal data in a structured, commonly used format and transmit it to another controller.

6. Right to Object (Article 21):

• Objection: Object to processing based on legitimate interests, direct marketing, or processing for research or statistical purposes.

7. Automated Decision-Making (Article 22):

• Restrictions: Challenge automated decisions, including profiling, that produce legal effects or significantly affect them.

8. Right to Lodge a Complaint (Article 77):

• Complaint: Lodge a complaint with the appropriate data protection authority if you have concerns about how your data is processed.

‍

How to Exercise Your Rights

To exercise any of these rights, you may contact us at [email protected]. We will respond to your requests in accordance with applicable laws and within the prescribed time frames.

For more information or if you have any questions, please contact us at [email protected].

‍

Security of Your Information

‍

At Nova Benefits, we are committed to ensuring the security and confidentiality of your personal data. We have implemented a robust Information Security Management System (ISMS) based on the ISO 27001:2022 standard, designed to protect your data from unauthorized access and other threats.

For more detailed information about our security practices, please visit our dedicated security page: https://infosec.novabenefits.com/

‍

Key Security Measures

• Encryption: We use HTTPS with TLS 1.2 and 1.3 for secure data transmission and AES-256 encryption for data at rest.
• Access Controls: Strict access controls ensure that only authorized personnel can access your data.
• Regular Testing and Audits: We conduct annual penetration testing, continuous monitoring, and quarterly audits to identify and mitigate vulnerabilities.

‍

Employee Training and Accountability

• Comprehensive Training: All employees undergo security training during onboarding and receive annual refresher courses.
• Continuous Development: Our security team stays updated with the latest security methods and tools through ongoing training.
• Disciplinary Measures: We enforce strict disciplinary measures for any violations of our security policies to ensure accountability.

‍

Certifications

• Nova Benefits is ISO 27001:2022 and SOC 2 Type 2 certified, demonstrating our adherence to the highest standards of information security.

‍

Data Retention Guidelines

‍

At Nova Benefits, we adhere to strict data retention guidelines to ensure compliance with regulatory requirements and to protect the privacy and security of personal data. Our retention policies are informed by the Insurance Regulatory and Development Authority of India (IRDAI) guidelines and industry best practices.

‍‍

IRDAI Retention Requirements

In compliance with the Insurance Regulatory and Development Authority of India (Minimum Information Required for Investigation and Inspection) Regulations, 2020 , we maintain the following records:

• Policy Records: Includes details such as the name and address of the policyholder, the date when the policy was effected, and records of any transfers, assignments, or nominations.

• Claims Records: Includes information about every claim made, the date of the claim, the name and address of the claimant, and the date on which the claim was discharged or rejected, along with the grounds for rejection.

‍

These records can be maintained in both physical and electronic forms. Our board-approved policy ensures that these records are managed and stored securely, addressing aspects like accessibility, security, archival, disaster recovery, and business continuity.

‍

Data Retention Periods

• Policy Records: Retained for a minimum of ten years from the date of policy maturity, surrender, or lapse.
• Claims Records: Retained for a minimum of ten years from the date of claim settlement or rejection.
• Personally Identifiable Data (not falling under "Policy Records" and "Claims Records"): Retained for a period of 12 months after the services have been canceled.
• Wellness Services Data Records: If opted in, data would be retained for a period of 12 months after the termination of the service.
• Retention of Step Count Data: We retain step count data for as long as the user remains active in the application. If the user or their organization discontinues using the service, the data will be retained until a deletion request is made. Users can request the deletion of their data at any time by contacting us at [email protected].

‍

Electronic Records Management

Our electronic records management system complies with the IRDAI regulations and includes:

• Processing and Maintenance: Efficient electronic maintenance of records to ensure easy retrieval and round-the-clock accessibility.
• Privacy and Security: Implementation of robust privacy and security measures to protect policyholder data.
• Virus and Vulnerability Handling: Procedures to address and mitigate virus and vulnerability issues.
• Hardware and Software Security: Secure management of hardware and software resources.
• Backups and Disaster Recovery: Regular backups and a comprehensive disaster recovery plan to ensure data integrity and availability.
• Data Archival: Long-term storage solutions for archived data.

‍

Annual Review and Compliance

Our data retention policy is reviewed annually and overseen by our senior management to ensure compliance with regulatory requirements and to address evolving business needs. The review is conducted within 90 days from the end of each financial year.

All records, including those maintained electronically, are stored in data centers located within India, ensuring compliance with local regulatory requirements.

For more detailed information about our data retention and security practices, please visit our dedicated InfoSec page.

‍

Grievance Redressal Mechanism

‍

If you have any grievances regarding the processing of your Personal Data, please contact our Data Protection Officer (DPO) at:

• Name: Ujjwal Sinha
• Contact Email: [email protected]

We will acknowledge and address your complaint promptly in accordance with applicable laws and regulations.

‍

Governing Laws

‍

This Privacy Notice and any disputes related to it shall be governed by and construed in accordance with the laws of India, without regard to its conflict of law principles. You agree to submit to the exclusive jurisdiction of the courts located in Bengaluru, Karnataka, India to resolve any legal matter arising from the Privacy Notice.

‍

Disclaimer of Liability

‍

Nova Benefits aims to keep your Personal Data secure and up to date, but we cannot guarantee the absolute security of your data transmitted to our site or mobile applications. Any transmission of data is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the website.

‍

Amendments to Privacy Notice

‍

Nova Benefits reserves the right to update or change this Privacy Notice at any time. We will notify you of any changes by posting the new Privacy Notice on our website and mobile applications. You are advised to review this Privacy Notice periodically for any changes. Changes to this Privacy Notice are effective when they are posted on this page.

‍

Questions, or Concerns

‍

If you have any questions, or concerns, or if you would like to exercise your data subject rights, please contact our Data Protection Officer (DPO):

• Name: Ujjwal Sinha
• Company: NovaBenefits Private Limited
• Address:  III Floor, Lakshmi Narasimha, No. 6/A, 100 Feet Road, Koramangala 4th Block, Koramangala, Bengaluru 560095, Karnataka‍
• Email address: [email protected]

We are committed to addressing your inquiries promptly and ensuring the protection and privacy of your personal data.

‍

Note: Insurance products are offered and serviced by NovaBenefits Insurance Brokers Pvt Ltd | CIN U66020KA2020PTC141160IRDAI Broking License Registration Code: IRDA/DB848/20, Certificate No. 753, License category- Direct Broker (Life & General), License validity till 12-07-2024.

‍

‍