Privacy Policy

YBF Business Private Limited ("YBF", "we", "us", or "our") operates the website https://www.yourbestfrnd.com/ and associated mobile applications (collectively, the "Platform"). The Platform connects entrepreneurs, professionals, founders, and members for networking, mentorship, events, community building, and growth opportunities.

This Privacy Policy ("Policy") describes how we collect, process, use, disclose, store, transfer, and protect your personal data. It is prepared in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 (as amended), the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and other applicable Indian laws, rules, and regulations.

By accessing or using the Platform, you ("Data Principal" or "you") acknowledge that you have read, understood, and agree to the collection and use of your personal data as described in this Policy. If you do not agree, please discontinue use of the Platform immediately.

1. Scope and Applicability

This Policy applies to all personal data collected through or in connection with YBF and the Platform. Specifically, it covers:

• The Platform, encompassing both the website and mobile applications;
• Registration and onboarding processes undertaken to create an account;
• Events, webinars, and community activities organised or co-organised by YBF;
• Third-party integrations where you expressly authorise data sharing with YBF; and
• Offline interactions where YBF collects personal data in connection with Platform services.

This Policy does not apply to third-party websites, services, or applications that may be linked from the Platform. YBF has no control over, and accepts no responsibility for, the privacy practices of any such third parties. We strongly encourage you to review the privacy policies of every external platform you visit.

1. Identity of Data Fiduciary and Contact Details

YBF is the Data Fiduciary under the DPDP Act, responsible for determining the purpose and means of processing your personal data. Our key contact details are set out below.

2.1 Organisational Details

• Registered Name: YBF Business Private Limited
• Platform URL: https://www.yourbestfrnd.com/
• Privacy Contact: support@yourbestfrnd.com
• Grievance Officer Contact: grievance@yourbestfrnd.com
• General Support: support@yourbestfrnd.com
• Registered Office: Floor-2, Plot- 264/265, Vaswani Chambers, Dr. Annie Besant Road, Worli Colony, Mumbai-400030
• Jurisdiction: Mumbai, Maharashtra, India

2.2 Grievance Officer

In accordance with the DPDP Act and Rule 5 of the IT (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021, YBF has designated a Grievance Officer to address privacy-related concerns and Data Principal rights requests. The Grievance Officer can be reached at the following address:

• Email Address: support@yourbestfrnd.com
• Postal Address: Floor-2, Plot- 264/265, Vaswani Chambers, Dr. Annie Besant Road, Worli Colony, Mumbai-400030
• Response Timeline: All grievances will be acknowledged promptly and resolved within 30 days of receipt.

2.3 Data Protection Officer (DPO)

YBF has formally designated the Data Protection Officer and can be reached at dpo@yourbestfrnd.com.

1. Personal Data We Collect

We collect only necessary, relevant, and limited personal data strictly for specified and lawful purposes, consistent with the data minimisation principle under the DPDP Act. We do not collect personal data beyond what is reasonably required to provide and improve the Platform.

3.1 Categories of Personal Data Collected

The personal data we collect falls into the following categories:

• Account and Profile Information: This includes your full name, email address, phone number, profile picture, city and country of residence, professional title, company or organisation name, biography, areas of interest and expertise, mentorship preferences, and links to professional profiles such as LinkedIn or Twitter/X.
• Usage and Technical Data: This includes your IP address, device type, browser information, operating system, Platform usage logs, session data, cookies, pixels, and analytics information generated through your use of the Platform.
• Event and Interaction Data: This includes records of event registrations and attendance, feedback submitted, survey responses, community posts, messages exchanged, and connections made on the Platform.
• Payment Information: Where applicable for premium memberships or paid events, payment transactions are processed securely through Payment Card Industry Data Security Standard (“PCI-DSS”) compliant third-party payment gateways. YBF does not store complete credit or debit card numbers or any sensitive financial authentication data.
• Location Data: We may collect city-level location data for the purpose of event recommendations and logistics. Where required by applicable law, such collection will be subject to your prior consent.
• Communications: This includes records of your correspondence with YBF's support team, grievance submissions, feedback provided, and responses to surveys.
• Identity Verification Data: Where strictly required for legal or regulatory compliance, government-issued identification data may be collected with your explicit consent and will be handled under heightened security and access controls.

3.2 Sensitive Personal Data

YBF does not collect sensitive personal data, including data pertaining to religion, ethnicity, biometric identifiers, health or medical information, sexual orientation, or financial account credentials, unless one of the following conditions is met:

• You provide explicit, informed, and written consent for a clearly specified purpose; or
• Collection is mandated by applicable law or a court order of competent jurisdiction.

Where sensitive personal data is collected under either of the above conditions, it will be subject to additional protective measures including restricted access, enhanced encryption, and explicit purpose limitation.

3.3 Data Received from Third Parties

With your authorisation, we may receive personal data from third-party platforms. Such data is governed by this Policy from the moment it is received by YBF. We encourage you to review the privacy settings and policies of any third-party service before authorising a connection.

3.4 Children and Minors

The Platform is intended exclusively for individuals aged 18 years and above. We do not knowingly collect, process, or store personal data of individuals under the age of 18. Age verification is implemented at the point of registration through self-declaration. Where we become aware that a minor's personal data has been collected without verifiable parental or guardian consent, we will take the following steps without delay:

• The relevant account will be immediately suspended pending further verification;
• All personal data associated with the minor will be deleted within 72 hours of discovery; and
• The relevant parent or guardian will be notified where contact details are available.

Parents or guardians who believe that a minor's data may have been inadvertently collected should contact us immediately at dpo@yourbestfrnd.com.

1. How We Collect Personal Data

We collect personal data through the following methods and channels:

• Directly from You: When you register for an account, create or update your profile, register for events, participate in community features, submit feedback, contact our support team, or otherwise communicate with YBF or other members through the Platform.
• Automatically: Through cookies, web beacons, pixels, and similar tracking technologies when you access and interact with the Platform.
• Third-Party Integrations: When you link your Platform account with a third-party service such as LinkedIn or Google, data sharing is subject to your explicit authorisation at the point of connection.
• Referrals: When an existing member refers you to the Platform, we may receive limited information including, but not limited to, your name and email address, solely for the purpose of facilitating your registration.
• Publicly Available Sources: Publicly accessible professional information, such as that available on LinkedIn public profiles, may be referenced to assist in populating or verifying your profile on the Platform, and will only be used with your knowledge.

4.1 Automated Messaging via WhatsApp

YBF uses WhatsApp-based automation platforms in order to communicate with you for purposes including account onboarding, event reminders, membership updates, community notifications, and support interactions. When you engage with YBF through WhatsApp, the following categories of personal data are collected and processed:

• Your name, WhatsApp-registered mobile number, and country code, as associated with your WhatsApp account;
• The content of messages exchanged between you and YBF through automated or semi-automated WhatsApp flows, including any information you voluntarily provide in the course of such conversations;
• Metadata associated with the interaction, including message timestamps, delivery and read status, and session identifiers; and
• Any attachments, documents, or images you share with YBF through the WhatsApp channel, where relevant to your query or registration.

WhatsApp communications are facilitated through the WhatsApp Business API and are governed both by this Policy and by Meta's applicable terms and privacy policies. YBF's WhatsApp automation providers operate as data processors under binding agreements and are prohibited from using your data for any purpose other than facilitating YBF's communications with you.

4.2 Voice Interactions via AI-Powered Calling Agents

YBF deploys AI-powered voice agents in order to conduct outbound and inbound voice interactions with you for purposes including onboarding calls, event follow-ups, membership enquiries, feedback collection, and community engagement. When you interact with a YBF voice agent, the following personal data is collected and processed:

• Your name and registered phone number, used to initiate or receive the call;
• A recording of the voice interaction, which constitutes personal data and may include any personal information you voluntarily disclose during the conversation;
• An automated transcript of the call, generated by the voice agent platform for quality assurance, training, and support resolution purposes; and
• Metadata associated with the call, including date, time, duration, call outcome, and agent session identifiers.

You will be informed at the commencement of any AI-assisted voice interaction that the call is automated and may be recorded. Where required by applicable law, your consent to recording will be sought before the interaction proceeds. Call recordings and transcripts are retained in accordance with the retention schedule set out in Section 10 and are accessible only to authorised YBF personnel and the relevant voice agent service provider, acting as a data processor under a binding agreement.

1. Lawful Basis for Processing and Consent

5.1 Lawful Bases for Processing

We process your personal data only under one or more of the following lawful bases, as recognised under the DPDP Act:

• Consent: You have freely given, specific, informed, and unambiguous consent for one or more clearly defined purposes. Consent is obtained through explicit opt-in mechanisms at registration and for each optional processing activity.
• Performance of Contract: Processing is necessary for the provision of Platform services to you, pursuant to our Terms of Service.
• Legitimate Uses: Processing is necessary for certain activities specified under the DPDP Act or notified by the Central Government, including fraud prevention, national security, legal compliance, and user safety.
• Legal Obligation: Processing is required to comply with applicable Indian laws, court orders, or binding directions issued by government authorities.
• Vital Interests: Processing is necessary to protect the vital interests of a Data Principal or another individual in an emergency context.

5.2 How We Obtain and Record Consent

YBF obtains and records your consent through the following clearly documented mechanisms:

• A dedicated, unticked opt-in checkbox at the point of user registration, requiring affirmative acceptance of this Privacy Policy before an account is created;
• In-app consent prompts for specific features that necessitate additional or distinct data processing; and
• Timestamped consent records capturing the version of the Policy consented to, the date and time of consent, and the user's IP address, which are maintained in our systems for evidentiary purposes.

5.3 Consent Involving Minors

Where YBF becomes aware, at any point, that a user may be under the age of 18, all data processing activities associated with that account will be suspended immediately. The account will either be closed and all data deleted.

1. Cookies and Tracking Technologies

We use cookies and similar technologies to enable Platform functionality, enhance user experience, and gather analytics. The types of cookies we deploy are described below:

6.1 Essential / Strictly Necessary Cookies

These cookies are required for the Platform to operate and cannot be disabled. They enable core functions such as user login and authentication, session management, security features, and fraud prevention.

6.2 Performance and Analytics Cookies

These cookies help us understand how users interact with the Platform by collecting aggregated usage data, identifying errors, and measuring performance metrics. They are used solely to improve the Platform.

6.3 Preference and Functionality Cookies

These cookies remember your settings and preferences such as language, region, or display options, so that you do not have to re-enter them each time you visit. They are deployed only with your opt-in consent.

6.4 Marketing and Advertising Cookies

Where used, marketing cookies enable us to deliver targeted promotional content and measure the effectiveness of our campaigns. These require your explicit, separate opt-in consent and will not be activated without it.

6.5 Managing Your Cookie Preferences

You may manage, restrict, or withdraw your consent for non-essential cookies at any time through any of the following:

• Your browser settings, which typically allow you to block or delete cookies;
• The Platform's cookie preferences panel, accessible from your account settings at any time; or
• A direct written request submitted to support@yourbestfrnd.com.

Please note that disabling essential cookies may impair the functionality of the Platform. We honour Do Not Track browser signals to the extent technically feasible. For a comprehensive list of the specific cookies we use, including their names, durations, and third-party providers.

1. How We Use Your Personal Data

We process personal data only for lawful, specified, and legitimate purposes. All processing is subject to the principle of purpose limitation, data collected for one purpose will not be used for an incompatible purpose without fresh consent or a new lawful basis. Our processing activities are as follows:

7.1 Core Platform Services

• Account creation, maintenance, and management, including authentication and profile administration. Lawful basis: contract performance.
• Enabling networking, mentorship matching, and access to community features and events. Lawful basis: contract performance.
• Processing payments and managing subscriptions or event registrations. Lawful basis: contract performance.

7.2 Personalisation and Recommendations

• Providing personalised recommendations for events, content, and other members, based on your profile data and Platform activity. Lawful basis: consent and legitimate use.
• Feed personalisation and display of relevant community content. Lawful basis: consent.

7.3 Communications

• Sending essential transactional communications such as account updates, event confirmations, and security alerts. Lawful basis: contract performance.
• Sending promotional, marketing, or event-related communications. Lawful basis: your explicit opt-in consent.

7.4 Analytics, Research, and Improvement

• Conducting internal analytics, user research, and product development using aggregated or de-identified data wherever feasible. Lawful basis: legitimate use.

7.5 Security, Compliance, and Legal Purposes

• Preventing fraud, investigating misuse, and protecting the security and integrity of the Platform. Lawful basis: legitimate use and legal obligation.
• Complying with applicable Indian laws, court orders, and lawful government or regulatory directions. Lawful basis: legal obligation.
• Enforcing our Terms of Service and protecting the rights and safety of YBF, its users, and the Platform. Lawful basis: legitimate use.

7.6 Automated Decision-Making

• Operating profiling and recommendation algorithms to enhance your Platform experience. Lawful basis: consent where applicable.

1. Sharing and Disclosure of Personal Data

We do not sell, rent, or trade your personal data to third parties. We share personal data only where it is necessary for specified purposes, with appropriate contractual and technical safeguards, and in full compliance with the DPDP Act and applicable Indian law. The circumstances in which we may share your data are described below:

8.1 Service Providers and Data Processors

We engage trusted third-party vendors to assist in operating the Platform. These service providers, who may include cloud hosting providers, payment processors, email service providers, analytics platforms, and event management tools, process personal data solely on YBF's written instructions. Each is bound by a data processing agreement that requires them to:

• Implement adequate technical and organisational security safeguards;
• Maintain strict confidentiality in respect of all personal data processed;
• Prohibit sub-processing without prior written authorisation from YBF; and
• Comply fully with the requirements of the DPDP Act and applicable rules.

Our key categories of third-party processors include: Cloud Infrastructure, Payment Processing, Email Communications, Analytics, Event Management, and Customer Support. A complete Vendor Register is available upon written request to our Grievance Officer and Data Protection Officer.

8.2 Platform Community

To enable the core networking and mentorship functions of the Platform, limited profile information, such as your name, professional title, and city, is visible to other registered members and shared with other attendees and speakers of events you voluntarily register for.

8.3 Affiliates, Group Companies, and Business Partners

We may share personal data with YBF group companies, affiliated entities, or co-organisers of events and programmes, where necessary for the coordinated provision of a service. Such sharing is subject to this Policy and equivalent data protection obligations. Where a co-branded event involves data sharing with a third-party partner, you will be informed of this at the point of registration.

8.4 Legal and Regulatory Authorities

We may disclose personal data to government authorities, regulatory bodies, law enforcement agencies, or courts where we are required to do so under applicable Indian law, pursuant to a court order or lawful direction, for national security purposes, or to protect the vital interests of any individual or to prevent illegal activity. To the extent permitted by law, we will notify you of any such disclosure.

8.5 Business Transactions

In the event of a merger, acquisition, restructuring, or sale of all or part of YBF's assets or business, personal data may be transferred to the relevant acquiring or successor entity. Any such transfer will be subject to equivalent data protection obligations. Where required by law, we will provide prior notice to affected users and, where material changes to processing are involved, seek fresh consent.

8.6 With Your Explicit Consent

In any other circumstance not covered above, we will share your personal data only with your prior, specific, written, or electronic consent.

8.7 International Data Transfers

Your personal data may be transferred to, stored in, and processed in countries outside India. We ensure that all international transfers of personal data occur only under one of the following conditions:

• The destination country has been recognised as providing an adequate level of personal data protection by the Government of India under the DPDP Act;
• The transfer is made under appropriate contractual safeguards, such as Standard Contractual Clauses or equivalent mechanisms approved under the DPDP Act; or
• The transfer is otherwise permitted under the DPDP Act and applicable rules and regulations.

1. Data Security

YBF implements a multi-layered, risk-based information security framework, consistent with the DPDP Act and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Our security programme encompasses both technical and organisational measures.

9.1 Technical Security Measures

The following technical controls are implemented to protect personal data against unauthorised access, disclosure, alteration, or destruction:

• End-to-end encryption using appropriate TLS level for all personal data transmitted in transit;
• Appropriate AES encryption for sensitive personal data stored at rest;
• Role-Based Access Controls (RBAC) ensuring that personal data is accessible only to authorised personnel who require it for their designated functions;
• Multi-Factor Authentication (MFA) for all administrative and privileged system access;
• Regular penetration testing and vulnerability assessments, conducted at minimum on an annual basis;
• Firewalls, intrusion detection and prevention systems, and continuous security event monitoring; and
• A Secure Software Development Lifecycle (SSDLC), incorporating security review at each stage of product development.

9.2 Organisational Security Measures

In addition to technical controls, the following organisational measures form part of our security framework:

• Mandatory annual privacy and information security training for all employees and contractors who handle personal data;
• Binding confidentiality agreements with all staff, contractors, and service providers;
• Maintenance of data access logs and audit trails for accountability and forensic purposes;
• Formal security assessments of third-party vendors prior to onboarding as data processors; and
• Internal Privacy Impact Assessments (PIAs) conducted for all new or materially changed data processing activities.

9.3 Personal Data Breach Response

YBF maintains a formal Data Breach Response Procedure. In the event of a personal data breach, we will:

• Initiate containment measures and conduct an assessment of the breach's scope, cause, and impact within 24 hours of discovery;
• Notify the Data Protection Board of India within the timeline prescribed under the DPDP Act, expected to be 72 hours for significant breaches, from the time we become aware of the breach;
• Notify affected Data Principals without undue delay, where the breach is likely to result in a high risk to their rights or freedoms, providing details of the nature of the breach, categories and approximate volume of data affected, likely consequences, and remediation measures being taken; and
• Record all breaches in an internal breach register, regardless of whether they trigger a formal notification obligation.

While YBF employs industry-standard security measures, no security system is completely impenetrable, and we cannot guarantee absolute security of data transmitted over the internet or stored on our systems. You acknowledge and accept this inherent risk as a condition of using the Platform.

1. Data Retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, to comply with applicable legal or regulatory obligations, or to serve legitimate business interests such as fraud prevention or the defence of legal claims. Our data retention schedule is as follows:

10.1 Retention Periods by Data Category

• Active Account and Profile Data: Retained for the duration of the active account relationship, plus one additional year following account closure, to facilitate reactivation requests and resolve any outstanding matters.
• Transaction and Payment Records: Retained for a period of seven years following the date of the transaction, in compliance with the Income Tax Act, 1961, and applicable GST legislation.
• Event Registration Records: Retained for three years following the date of the relevant event, for the purposes of legal compliance and legitimate business interests.
• Support and Communications Records: Retained for three years from the date of the last communication, to facilitate dispute resolution and quality assurance.
• Security and Access Logs: Retained for one year from the date of generation, for fraud prevention and security investigation purposes.
• Marketing Consent Records: Retained for the duration of the consent, plus three years following withdrawal, as legal evidence of the consent obtained.
• Anonymised and Aggregated Analytics Data: Retained indefinitely, as such data does not constitute personal data and cannot be used to identify any individual.
• Backup Copies: Isolated and protected backup copies are retained for up to 90 days following deletion from active systems, after which they are permanently purged.

10.2 Deletion and Anonymisation

Upon the expiry of the applicable retention period, personal data is securely deleted or, where deletion is not immediately technically feasible, isolated and protected from any further active processing until permanent deletion is possible. Where data is anonymised rather than deleted, YBF takes reasonable technical steps to ensure it cannot be re-identified.

1. Your Rights as a Data Principal

Under the DPDP Act and other applicable laws, you are entitled to the following rights in respect of your personal data. All rights are exercisable free of charge, subject to identity verification and any applicable legal exceptions or limitations. We will respond to all verified requests within 30 days of receipt, or within any shorter period prescribed by applicable law.

11.1 Right to Access

You have the right to obtain confirmation of whether YBF processes your personal data, and to receive a copy of that data, including information regarding the categories of personal data held and the purposes for which it is being processed. To exercise this right, contact us at support@yourbestfrnd.com.

11.2 Right to Correction

You have the right to request the correction of any personal data that is inaccurate, incomplete, or outdated. You may update much of your profile information directly through your account settings, or submit a correction request to grievance@yourbestfrnd.com.

11.3 Right to Erasure

You have the right to request the deletion of your personal data, subject to any overriding legal retention obligations, ongoing contractual needs, or legitimate business interests such as the prevention of fraud or defence of legal claims. Erasure requests should be submitted to grievance@yourbestfrnd.com.

11.4 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time, without penalty or detriment to you. Withdrawal of consent will not affect the lawfulness of any processing carried out prior to withdrawal. Requests to withdraw consent will be processed within 7 business days. You may withdraw consent through your account settings or by contacting grievance@yourbestfrnd.com.

11.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to request that it be transmitted directly to another service provider where technically feasible. Portability requests should be submitted to support@yourbestfrnd.com.

11.6 Right to Restrict Processing

You have the right to request that YBF restrict the processing of your personal data in certain circumstances. Submit restriction requests to grievance@yourbestfrnd.com.

11.7 Right to Nomination

The DPDP Act grants you the right to nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. To initiate the nomination process, contact support@yourbestfrnd.com.

11.8 Right to Grievance Redressal

You have the right to lodge a complaint with our Grievance Officer in respect of any aspect of YBF's data processing practices.

11.9 Right to Opt Out of Marketing

You may withdraw your consent to receive promotional or marketing communications at any time by clicking the unsubscribe link included in any marketing email, by updating your communication preferences in your account settings, or by contacting us at grievance@yourbestfrnd.com. Opt-out requests will be processed within 7 business days.

11.10 How to Exercise Your Rights

To exercise any of the rights described above, please submit a written request to support@yourbestfrnd.com with the subject line: "Data Rights Request of [Your Full Name]". Include sufficient information to enable us to verify your identity. We may request additional documentation for sensitive requests.

1. Third-Party Links and Services

The Platform may contain hyperlinks to third-party websites, applications, or services that are not operated or controlled by YBF. We have no control over, and accept no responsibility for, the content, data handling practices, or privacy policies of any such third parties. Accessing a third-party link will direct you away from the Platform and into an external environment governed by that third party's own terms and conditions.

We strongly advise you to review the privacy policy of every third-party website or service you visit. This Policy does not apply to third-party integrations facilitated by YBF once you are operating within the third party's own platform or service.

1. Automated Decision-Making and Profiling

The Platform uses automated processing and profiling algorithms to enhance the user experience. The automated features currently in operation are:

• Mentorship matching recommendations, generated on the basis of your profile data, stated preferences, and engagement history;
• Event and content recommendations, derived from your Platform activity and stated interests; and
• Feed personalisation, based on your engagement patterns and connections on the Platform.

These automated processes do not produce legal effects or decisions that similarly significantly affect you. They do not determine your access to services, your pricing, or any other substantive outcome, and all material decisions involving automated processing are subject to human review.

Where any future automated processing could have a significant effect on you, YBF will, before implementing such processing:

• Provide you with a clear explanation of the logic involved in the automated decision;
• Obtain your explicit prior consent for such processing;
• Implement a mechanism through which you may request human review of any automated decision affecting you; and
• Allow you to contest the outcome of any such automated decision.

You may opt out of profiling-based personalisation and recommendations at any time through your account privacy settings. Opting out will not restrict your core access to the Platform.

1. Aggregated and Anonymised Data

YBF may use and share aggregated, anonymised, or de-identified data, i.e., data that has been processed in such a way that it can no longer reasonably be used to identify any individual solely for the purposes including research, industry analytics, internal reporting, investor communications, and the improvement of Platform features and services.

Such data does not constitute personal data under the DPDP Act and is, therefore, not subject to the rights and obligations set out in this Policy. YBF takes reasonable technical and organisational steps to ensure that anonymised data cannot be re-identified. In the event that we become aware that anonymised data has been or is at risk of being re-identified, we will immediately treat it as personal data and apply the full protections of this Policy.

1. Updates to This Privacy Policy

We may update this Policy periodically to reflect changes in our data processing practices, the services we offer, the technologies we employ, or applicable legal and regulatory requirements. Every update will be assigned a new version number and an updated effective date, both of which will be prominently displayed at the top of this Policy. We distinguish between material changes and non-material changes for the purpose of notification:

15.1 Material Changes

A material change is one that significantly affects your rights, expands the categories of personal data we collect, alters our data sharing practices, introduces new lawful bases for processing, or materially modifies our data retention periods. For material changes, we will:

• Provide at least 30 days' advance notice via email to your registered address and/or via a prominent in-app notification;
• Require fresh and explicit consent where the change introduces a new lawful basis or materially expands the scope of processing; and
• Publish a clear summary of the key changes alongside the updated Policy to assist you in understanding what has changed.

Where fresh consent is required and is not obtained from you, the proposed new processing will not be applied to your personal data.

15.2 Non-Material Changes

Non-material changes, such as clarifications of existing provisions, corrections of typographical errors, or administrative updates, will take effect upon publication of the updated Policy. We encourage you to review this Policy periodically. Previous versions of this Policy are archived and are available upon written request to support@yourbestfrnd.com.

1. Governing Law and Dispute Resolution

This Privacy Policy is governed by and shall be construed in accordance with the laws of India, including without limitation the DPDP Act, the Information Technology Act, 2000 (as amended), and all applicable rules and regulations made thereunder.

In the event of any dispute, claim, or controversy arising out of or in connection with this Policy or YBF's processing of your personal data, the following escalation process shall apply:

• Step 1 - Internal Grievance Resolution: Contact our Grievance Officer at grievance@yourbestfrnd.com. We will acknowledge receipt promptly and aim to resolve your grievance within 30 days.
• Step 2 - Data Protection Board of India: If you are not satisfied with the resolution provided by the Grievance Officer, you may escalate your complaint to the Data Protection Board of India, once it is operationally established pursuant to the DPDP Act.
• Step 3 - Courts: Any dispute not resolved through the above mechanisms shall be subject to the exclusive jurisdiction of the competent courts situated in Mumbai, Maharashtra, India.

Note on Jurisdiction: YBF Business Private Limited is registered and operates with its principal place of business in Mumbai, Maharashtra, India. The designation of Mumbai courts as the forum of exclusive jurisdiction is therefore consistent with and appropriate to the company's place of incorporation and principal operations.

For any questions, concerns, rights requests, or complaints relating to this Privacy Policy or YBF's data processing practices, please contact us through the email support@yourbestfrnd.com.