GDPR Compliance

Data Controller and Data Processor Roles

The GDPR distinguishes between data controllers (who determine the purposes and means of processing) and data processors (who process data on behalf of controllers).

• IMAST as Data Controller: When we collect and process personal data for our own purposes — such as account registration, billing, website analytics, and marketing — IMAST acts as the data controller.
• IMAST as Data Processor: When our customers use the IMAST 360 platform to process personal data of their own customers, employees, or contacts, IMAST acts as a data processor on their behalf. In this capacity, we process data strictly in accordance with our customers' instructions and applicable data processing agreements.

Lawful Basis for Processing

IMAST processes personal data only when we have a valid legal basis under Article 6 of the GDPR:

• Performance of a contract (Art. 6(1)(b)): Processing necessary to deliver the IMAST 360 services you have subscribed to
• Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate business purposes, such as improving services, ensuring platform security, and preventing fraud
• Consent (Art. 6(1)(a)): Where we rely on consent for specific activities such as marketing communications or non-essential cookies — consent may be withdrawn at any time
• Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, including tax, accounting, and regulatory requirements

Data Subject Rights

Under the GDPR, individuals in the EU/EEA have the following rights with respect to their personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to restriction (Art. 18): Request that we limit the processing of your data
• Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests, including profiling
• Right regarding automated decisions (Art. 22): Not be subject to decisions based solely on automated processing that significantly affect you

To exercise any of these rights, submit a request to gdpr@imast.in or dpo@imast.in. We will verify your identity and respond within 30 days. If your data is processed by IMAST on behalf of one of our customers (where IMAST is a processor), we will direct you to the relevant customer or assist the customer in fulfilling your request.

Data Protection Officer

IMAST has appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with the GDPR. The DPO operates independently and reports directly to senior management.

DPO Contact: dpo@imast.in

Data Processing Agreements

IMAST provides Data Processing Agreements (DPAs) to all customers who require them. Our DPA is aligned with GDPR Article 28 requirements and covers:

• Subject matter, duration, nature, and purpose of processing
• Types of personal data and categories of data subjects
• Obligations and rights of the controller and processor
• Sub-processor engagement and notification procedures
• Data security measures and breach notification obligations
• Assistance with data subject requests and data protection impact assessments

To request a copy of our DPA, contact legal@imast.in.

Cross-Border Data Transfers

IMAST's primary data infrastructure is located in AWS data centers in Mumbai, India. When personal data of EU/EEA individuals is transferred to India, we ensure adequate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission are incorporated into our data processing agreements
• Transfer Impact Assessments are conducted to evaluate the legal framework of the destination country
• Supplementary technical measures, including encryption and pseudonymization, are applied to protect data in transit and at rest

Breach Notification

In the event of a personal data breach as defined by GDPR Article 33, IMAST will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to data subjects' rights and freedoms
• Promptly notify affected customers (where IMAST acts as processor) so they can fulfill their own notification obligations
• Where the breach is likely to result in a high risk to individuals, notify affected data subjects directly without undue delay
• Document all breaches, including their effects and remedial actions taken

Privacy Impact Assessments

IMAST conducts Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35 whenever we introduce new features, products, or processing activities that are likely to result in a high risk to data subjects. DPIAs are reviewed by our DPO and include:

• A systematic description of the processing operations and their purposes
• Assessment of the necessity and proportionality of the processing
• Evaluation of risks to the rights and freedoms of individuals
• Measures to address identified risks and demonstrate compliance

How to Make a GDPR Request

If you wish to exercise your rights under the GDPR or have any questions about our data protection practices, you can reach us through the following channels:

• GDPR requests: gdpr@imast.in
• Data Protection Officer: dpo@imast.in
• General privacy inquiries: privacy@imast.in

You also have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.

IMAST Operations Private Limited, Indore, Madhya Pradesh, India