PRIVACY POLICY

AKSHIRYAKRITI IT SOLUTIONS PRIVATE LIMITED (operating under the brand name “Zerenyth”) Effective Date: 17 April, 2026 Last Updated: 17 April, 2026

1. INTRODUCTION AND APPLICABILITY This Privacy Policy (“ Policy ”) sets out the manner in which AKSHIRYAKRITI IT SOLUTIONS PRIVATE LIMITED , a company incorporated under the Companies Act, 2013 and having its registered office at Lucknow, Uttar Pradesh, India (the “ Company ”, “ we ”, “ us ”, or “ our ”), collects, receives, possesses, stores, uses, processes, discloses, transfers, and otherwise handles personal data in connection with your access to and use of the Company’s website located at http://www.ashiryakirti.com and any associated interactions, communications, and business engagements (collectively, the “ Platform ”). This Policy applies to all individuals interacting with the Company, including website visitors, prospective clients, representatives of organizations, and any individuals whose personal data is processed in the course of the Company’s business operations. This Policy is issued in compliance with the Digital Personal Data Protection Act, 2023 (“ DPDP Act ”), the Information Technology Act, 2000 and rules framed thereunder, and, where applicable, international data protection frameworks including the General Data Protection Regulation (EU) 2016/679 (“ GDPR ”) and the California Consumer Privacy Act, 2018 , as amended (“ CCPA ”). By accessing or using the Platform, you acknowledge that you have read, understood, and agreed to this Policy.

2. NOTICE AT COLLECTION AND CONSENT (DPDP ACT COMPLIANCE)

At or before the time of collection of personal data, the Company provides notice specifying the categories of personal data collected, the purposes of processing, and the rights available to the Data Principal, in accordance with Section 5 and Section 6 of the DPDP Act. Where processing is based on consent, such consent is obtained through clear affirmative action and shall be free, specific, informed, unconditional, and unambiguous. You may withdraw consent at any time by contacting the Company; however, such withdrawal shall not affect the lawfulness of processing undertaken prior to such withdrawal and may impact the Company’s ability to provide services or respond to requests. The Company shall not collect or process personal data beyond what is necessary for the specified purposes, except where such processing is required or permitted under Applicable Law, including legitimate uses recognized under the DPDP Act.

3. ROLE OF THE COMPANY (FIDUCIARY AND PROCESSOR DISTINCTION)

The Company acts as a Data Fiduciary under the DPDP Act and as a Data Controller under GDPR in respect of personal data collected directly through the Platform and related interactions. In the course of providing services, including but not limited to cloud infrastructure, DevOps, SaaS solutions, AI/ML systems, mobile applications, and enterprise software, the Company may process personal data on behalf of its clients and shall act strictly as a Data Processor. In such cases, the client remains solely responsible for determining the purpose, legal basis, and lawfulness of processing, and the Company shall process such data solely in accordance with documented instructions and contractual obligations. The Company shall not be responsible for the data protection practices, compliance failures, or unlawful instructions of clients acting as Data Fiduciaries or Controllers.

4. CATEGORIES OF PERSONAL DATA The Company processes personal data that is necessary, proportionate, and relevant to its business operations. Such data may include identification and contact information such as name, email address, phone number, organizational details, and any information voluntarily provided through inquiries, communications, or engagement processes. The Company may also collect technical and usage-related information, including IP address, device identifiers, browser configuration, access logs, and interaction data, for purposes of security, diagnostics, and performance optimization. Where services are rendered to clients, the Company may process data made available by such clients strictly within the scope of contractual arrangements and shall not independently determine the purposes of such processing. The Company does not intentionally collect sensitive personal data unless such collection is necessary for a specific engagement and is undertaken in compliance with applicable law.

5. PURPOSE OF PROCESSING

Personal data is processed solely for lawful, specific, and legitimate purposes, including responding to inquiries, facilitating communication, onboarding and managing client relationships, delivering services, ensuring security and integrity of systems, improving Platform functionality, and complying with legal and regulatory obligations. Where the Company acts as a Data Processor, personal data shall be processed exclusively in accordance with client instructions and applicable contractual terms.

The Company shall not process personal data for purposes incompatible with those communicated at the time of collection, except as required or permitted by law.

6. LEGAL BASIS OF PROCESSING Under the DPDP Act, processing is carried out on the basis of valid consent or other legitimate uses as recognized under law. Where applicable under GDPR, processing is undertaken on lawful bases including performance of a contract, compliance with legal obligations, legitimate interests (subject to balancing tests), or consent. Where applicable under CCPA, personal data is processed for disclosed business purposes in accordance with statutory rights and obligations.

7. COOKIES AND TRACKING TECHNOLOGIES

The Company uses cookies and similar technologies strictly for operational, analytical, and security purposes. Such technologies may include essential cookies necessary for the functioning of the Platform, analytical tools for performance monitoring, and security mechanisms for fraud detection and prevention. Where required under applicable law, users are provided with mechanisms to manage or refuse non-essential cookies. Disabling certain cookies may affect functionality of the Platform. The Company does not engage in intrusive tracking, profiling, or behavioural advertising beyond what is reasonably necessary for legitimate business purposes. To the extent third-party tools are used, the Company shall not be responsible for independent data collection practices of such third parties.

8. DATA SHARING AND DISCLOSURE The Company does not sell personal data. Personal data may be disclosed to employees, contractors, affiliates, service providers, and infrastructure partners on a need-to-know basis, subject to confidentiality obligations and appropriate safeguards. Personal data may also be disclosed where required to comply with Applicable Law, court orders, regulatory directives, or governmental requests. In the event of corporate restructuring, merger, acquisition, or sale of assets, personal data may be transferred as part of such transaction, subject to appropriate data protection safeguards. 9. CROSS-BORDER DATA TRANSFERS

Personal data may be transferred outside India, including through the use of global cloud infrastructure and third-party service providers. Where required under applicable law, such transfers shall be subject to appropriate safeguards, including contractual protections, data protection agreements, and internationally recognized transfer mechanisms. The Company shall take commercially reasonable steps to ensure that such transfers do not result in a diminution of data protection standards. However, the Company does not warrant that all jurisdictions provide equivalent levels of data protection, and users acknowledge the inherent risks associated with cross-border data flows.

10. DATA RETENTION Personal data shall be retained only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, to enforce legal rights, and to resolve disputes. Upon expiry of the applicable retention period, personal data shall be deleted, anonymized, or irreversibly de-identified, subject to technical feasibility, legal requirements, and backup retention cycles. 11. INFORMATION SECURITY The Company implements commercially reasonable and industry-standard technical and organizational measures to protect personal data, including encryption, access controls, network monitoring, and periodic security assessments. Notwithstanding the foregoing, no system can be guaranteed to be completely secure. The Company does not warrant or represent that the Platform or associated systems are immune from unauthorized access, cyber-attacks, data breaches, or other security incidents. To the fullest extent permitted by law, the Company disclaims liability for any unauthorized access, loss, or alteration of personal data arising from circumstances beyond its reasonable control, including acts of third parties, system failures, or force majeure events. 12. PERSONAL DATA BREACH In the event of a personal data breach, the Company shall take prompt and reasonable steps to contain, investigate, and mitigate the impact of such breach. Where required under Applicable Law, the Company shall notify relevant authorities and affected individuals within prescribed timelines.

The Company shall not be liable for any indirect or consequential harm arising from such breach, except to the extent such breach results solely from the Company’s wilful misconduct or gross negligence, to the extent such limitation is permitted under law.

13. RIGHTS OF INDIVIDUALS Subject to Applicable Law, individuals have the right to request access to their personal data, seek correction or erasure, withdraw consent, and seek grievance redressal. Requests shall be processed in accordance with applicable legal timelines and may be subject to verification of identity and legal entitlement. The Company reserves the right to decline or limit requests where permitted under law, including where such requests are manifestly unfounded, excessive, or conflict with legal obligations.

14. INTERNAL GOVERNANCE AND ACCOUNTABILITY

The Company maintains internal data protection frameworks, including policies, procedures, risk assessments, and access controls, designed to ensure compliance with applicable laws. The Company adopts a privacy-by-design approach and undertakes periodic review of its data handling practices. However, such measures shall not be construed as a guarantee of absolute compliance or risk elimination.

15. THIRD-PARTY SERVICES The Platform may contain links or integrations with third-party services. The Company does not control and shall not be responsible for the privacy practices, policies, or content of such third parties. Users are advised to review the privacy policies of such third parties independently. 16. CHILDREN’S PRIVACY The Platform is not intended for individuals under eighteen (18) years of age. The Company does not knowingly collect personal data from minors and reserves the right to delete such data upon becoming aware of its collection. 17. GRIEVANCE REDRESSAL Grievance Officer: ___________ Complaints shall be addressed within reasonable timelines in accordance with Applicable Law. Submission of a grievance shall not be construed as an admission of liability by the Company.

18. AMENDMENTS

The Company reserves the right to amend or update this Policy at any time. Updated versions shall become effective upon publication on the Platform. Continued use of the Platform constitutes acceptance of such amendments.

19. CONTACT DETAILS AKSHIRYAKRITI IT SOLUTIONS PRIVATE LIMITED, Lucknow, Uttar Pradesh, India. Email: contact@zerenyth.com