PRIVACY POLICY

MURUGAPPA GROUP PUBLIC WEBSITE

1. INTRODUCTION AND COMMITMENT

The Murugappa Group ("Murugappa Group," "We," "Us," or "Our"), operating through Murugappa Management Services Private Limited, is committed to the highest standards of data protection and privacy. This Privacy Policy ("Policy") reflects our core values—The Five Lights: Integrity, Passion, Quality, Respect, and Responsibility.

This Policy governs the collection, use, storage, and processing of personal data through our official public website www.murugappa.com (the "Website"). We are committed to transparency, security, and full compliance with the Digital Personal Data Protection Act (DPDP Act), 2023, and the Information Technology Act, 2000.

2. SCOPE AND APPLICABILITY

This Policy applies to all visitors and users of our public Website, including:

General visitors browsing information about the Murugappa Group
Prospective customers, partners, and investors
Job applicants and candidates
Media representatives and researchers
Vendors and business partners
Any other individual or entity accessing this Website

This Policy governs the lifecycle of personal data from the point of collection until its eventual erasure or anonymization. This Privacy Policy does not apply to third-party websites linked from our Website. We are not responsible for the privacy practices or content of such external sites. Users are encouraged to review the privacy policies of those websites before providing any personal data.

3. DATA FIDUCIARY

For the purposes of this Policy and the DPDP Act, 2023:

Murugappa Management Services Private Limited acts as the Data Fiduciary on behalf of the Murugappa Group.

Registered Office:

Dare House, 234, N.S.C. Bose Road (Parrys Corner), Chennai – 600 001, Tamil Nadu, India
CIN: U74140TN1972PTC006192

4. CATEGORIES OF PERSONAL DATA COLLECTED

We adhere to the principle of "Data Minimisation," collecting only such personal data as is necessary for the specific, lawful purposes outlined in this Policy. We do not intentionally collect sensitive personal data (such as financial, health, or biometric information) unless necessary for a lawful purpose and with explicit consent.

4.1. Information You Provide Voluntarily

When you interact with our Website, you may voluntarily provide:

Contact Information:

Name (first name, last name)
Email address
Phone number
Company name and designation (for business inquiries)
Mailing address (if applicable)

Inquiry and Communication Data:

Subject matter and content of inquiries submitted through contact forms
Feedback, comments, or suggestions
Career application information (resume/CV, cover letter, educational qualifications, work experience)

Event and Registration Data:

Registration details for events, webinars, or investor presentations
Preferences for communications and updates

4.2. Information Collected Automatically

To ensure website security and improve user experience, we automatically collect:

Technical and Usage Data:

Internet Protocol (IP) address
Browser type and version
Device type and operating system
Date and time of access
Pages visited and clickstream data
Referring website addresses
Geographic location (country/city level based on IP address)

Cookies and Similar Technologies:

Session cookies (temporary, deleted when browser is closed)
Persistent cookies (remain on device for a set period)
Analytics cookies (to understand how visitors use the Website)

For detailed information about our use of cookies, please refer to our Cookie Policy available on the Website.

5. PURPOSE AND LEGAL BASIS FOR PROCESSING

Under Section 4 of the DPDP Act, 2023, personal data must be processed for a lawful purpose with a valid legal basis. We do not engage in automated decision-making that significantly affects individuals. If any profiling or analytics is performed, it is solely for improving user experience and website functionality.

We process your personal data based on:

5.1. Consent

Where you have provided explicit, informed, and freely given consent for specific processing activities, such as:

Receiving newsletters and marketing communications
Participating in surveys or feedback initiatives
Registering for events or webinars

5.2. Certain Legitimate Uses

As defined under the DPDP Act, we may process personal data for:

Responding to your inquiries and providing information about our Group companies and services
Processing job applications and recruitment
Conducting business operations and maintaining business relationships
Improving website functionality and user experience
Ensuring website security and preventing fraud
Complying with legal and regulatory obligations

5.3. Detailed Processing Purposes

Communication and Inquiry Management:

To respond to your questions, comments, or requests for information
To send you requested materials about Murugappa Group companies
To follow up on business inquiries and partnership proposals

Recruitment and Human Resources:

To process job applications and assess candidate suitability
To conduct background verification (with consent)
To maintain a talent database for future opportunities (with consent)

Website Optimization and Analytics:

To analyze website traffic patterns and user behavior
To identify technical issues and improve website performance
To enhance user interface and navigation
To develop new features and services

Security and Fraud Prevention:

To detect and prevent security threats, cyber-attacks, and unauthorized access
To investigate suspicious activities or policy violations
To protect the integrity of our systems and data

Legal and Regulatory Compliance:

To comply with applicable laws, regulations, and legal processes
To respond to lawful requests from government authorities
To enforce our Terms and Conditions and other policies
To establish, exercise, or defend legal claims

6. DATA SHARING AND DISCLOSURE

The Murugappa Group does not sell, rent, or trade your personal data to third parties for marketing purposes. We may share your data in the following limited circumstances:

6.1. Within the Murugappa Group

Personal data may be shared among Group companies for:

Processing inquiries related to specific business units
Recruitment across Group companies
Coordinating investor relations and corporate communications

All Group companies are bound by this Policy and applicable data protection laws.

6.2. Service Providers and Data Processors

We engage trusted third-party service providers to support our operations, including:

Website hosting and cloud infrastructure providers
IT security and cybersecurity service providers
Analytics and website optimization tools
Email and communication platforms
Recruitment and applicant tracking systems
Professional advisors (legal, accounting, auditing firms)

These service providers:

Act only on our documented instructions
Are contractually bound to protect your data
Maintain security standards equivalent to or exceeding ours
Process data only for the specific purposes for which they are engaged

6.3. Legal and Regulatory Authorities

We may disclose personal data when required by law or when we believe in good faith that such disclosure is necessary to:

Comply with legal obligations, court orders, or regulatory requirements
Protect and defend our rights, property, or safety
Protect the vital interests of individuals in emergency situations
Prevent fraud, security threats, or illegal activities
Cooperate with law enforcement or government agencies

6.4. Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets involving the Murugappa Group, your personal data may be transferred to the successor entity. We will notify you of any such transfer and any choices you may have regarding your data.

7. INTERNATIONAL DATA TRANSFERS

Our Website is hosted and operated from India. If you access the Website from outside India, please be aware that your personal data will be transferred to and processed in India.

We ensure that any international data transfers comply with applicable data protection laws and that appropriate safeguards are in place to protect your data, including:

Standard contractual clauses approved by relevant authorities
Adequacy decisions by competent data protection authorities
Other lawful transfer mechanisms as permitted under the DPDP Act

8. DATA SECURITY: REASONABLE TECHNICAL AND ORGANISATIONAL MEASURES

In accordance with Section 8 of the DPDP Act, the Murugappa Group has implemented robust technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or destruction.

8.1. Technical Safeguards

Encryption: Data in transit is protected using industry-standard encryption protocols (SSL/TLS)
Access Controls: Role-based access controls and authentication mechanisms
Firewalls: Network security measures to prevent unauthorized access
Intrusion Detection: Systems to monitor and detect suspicious activities
Regular Security Audits: Periodic vulnerability assessments and penetration testing
Secure Hosting: Website hosted on secure, reputable cloud infrastructure

8.2. Organizational Safeguards

Limited Access: Personal data is accessible only to authorized personnel on a need-to-know basis
Confidentiality Obligations: Employees and contractors are bound by confidentiality agreements
Data Protection Training: Regular training for staff handling personal data
Incident Response Plan: Procedures for detecting, reporting, and responding to data breaches
Vendor Management: Due diligence and security requirements for third-party processors

8.3. Data Breach Notification

In the event of a personal data breach that is likely to cause harm to Data Principals, we will:

Notify affected individuals in accordance with the DPDP Act
Report the breach to the Data Protection Board of India as required
Take immediate steps to contain and remediate the breach
Provide guidance on protective measures you can take

While we employ industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but remain committed to protecting your data to the best of our ability.

9. DATA RETENTION AND ERASURE

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations.

9.1. Retention Periods

General Inquiries and Communications:

Retained for the duration necessary to respond to your inquiry and for a reasonable period thereafter (typically up to 2 years) to maintain records of our communications

Job Applications and Recruitment:

Active applications: Retained for the duration of the recruitment process
Unsuccessful applications: Retained for up to 1 year (with consent) to consider for future opportunities
Successful applications: Data transferred to HR systems and retained in accordance with employment laws

Marketing and Communications:

Retained until you withdraw consent or unsubscribe from communications
Suppression lists (to honor opt-outs) are retained indefinitely

Website Analytics and Logs:

Retained for up to 2 years for security and analytical purposes
Anonymized or aggregated thereafter for statistical analysis

Legal and Compliance Records:

Retained for periods required by applicable laws (e.g., tax laws, corporate laws, litigation holds)

9.2. Secure Erasure

Upon expiry of the retention period or upon your request (where applicable), personal data will be securely erased or anonymized such that it can no longer identify you. Secure erasure methods include:

Permanent deletion from active databases and backup systems
Overwriting or degaussing of storage media
Physical destruction of hardware containing personal data

10. YOUR RIGHTS AS A DATA PRINCIPAL

Under the DPDP Act, 2023, you possess specific rights regarding your personal data. The Murugappa Group is committed to facilitating the exercise of these rights.

10.1. Right to Information

You have the right to obtain:

Confirmation of whether we are processing your personal data
A summary of the personal data being processed
Information about the purposes of processing
Details of Data Processors with whom data has been shared

10.2. Right to Correction and Erasure

You have the right to:

Request correction of inaccurate or incomplete personal data
Request erasure of personal data where it is no longer necessary for the purpose or where consent has been withdrawn (subject to legal retention obligations)

10.3. Right to Grievance Redressal

You have the right to lodge a complaint with our designated Grievance Officer (see Section 12) regarding the processing of your personal data.

10.4. Right to Nominate

You have the right to nominate another individual who may exercise your rights in the event of your death or incapacity.

10.5. Exercising Your Rights

To exercise any of these rights, please contact our Grievance Officer using the details provided in Section 12. We will respond to your request within the timeframes prescribed by the DPDP Act (generally within 30 days).

Please note that we may require you to verify your identity before processing requests to exercise your rights. Certain rights may be subject to legal limitations or exceptions.

11. CONSENT MANAGEMENT

11.1. Providing Consent

Where we rely on your consent to process personal data, we ensure that consent is:

Free: Given voluntarily without coercion
Informed: You are provided with clear information about what you are consenting to
Specific: Consent is obtained for specific, clearly stated purposes
Clear: Consent mechanisms use plain, easy-to-understand language
Unambiguous: Affirmative action is required (e.g., ticking a checkbox)

11.2. Withdrawing Consent

You have the right to withdraw your consent at any time. Withdrawal of consent:

Does not affect the lawfulness of processing based on consent before withdrawal
Can be done as easily as giving consent
Will result in cessation of processing for the specific purpose (unless we have another legal basis)

To withdraw consent:

For marketing communications: Use the "unsubscribe" link in emails or contact our Grievance Officer
For other processing: Contact our Grievance Officer using details in Section 12

11.3. Consequences of Withdrawal

Withdrawal of consent may affect our ability to:

Provide certain information or services
Process job applications
Send updates about Murugappa Group activities

We will inform you of any consequences before you withdraw consent.

12. GRIEVANCE REDRESSAL MECHANISM

The Murugappa Group has established a dedicated mechanism to address privacy concerns and complaints. In line with the IT Act and Section 13 of the DPDP Act, grievances may be addressed to:

Data Protection and Grievance Officer:

Murugappa Group
Murugappa Management Services Private Limited
Dare House, 234, N.S.C. Bose Road (Parrys Corner), Chennai – 600 001, Tamil Nadu, India
Email: gcc@corp.murugappa.com
Phone: +91-44-2530 6789

We are committed to:

Acknowledging all grievances within 48 hours of receipt
Investigating and responding to grievances within the statutory period of 30 days
Providing a clear explanation of our findings and any actions taken

If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India.

13. COOKIES AND TRACKING TECHNOLOGIES

Our Website uses cookies and similar tracking technologies to enhance user experience, analyze website traffic, and improve functionality. Our Website will display a cookie consent banner allowing you to manage preferences in compliance with DPDP Act requirements.

13.1. Types of Cookies We Use

Essential Cookies:

Required for basic website functionality
Enable you to navigate the website and use its features
Cannot be disabled as the website will not function properly without them

Performance and Analytics Cookies:

Collect information about how you use the website
Help us understand which pages are most popular
Allow us to improve website performance and user experience

Functional Cookies:

Remember your preferences and choices
Provide enhanced, personalized features

13.2. Third-Party Cookies

We may use third-party analytics services (such as Google Analytics) that place cookies on your device. These services help us understand website usage patterns. Third-party cookies are governed by the privacy policies of the respective service providers.

13.3. Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to:

View cookies that have been set
Block third-party cookies
Block cookies from specific websites
Delete all cookies when you close your browser
Delete cookies manually

Please note that blocking or deleting cookies may affect website functionality and your user experience.

For more detailed information, please refer to our separate Cookie Policy available on the Website.

14. CHILDREN'S PRIVACY

Our Website is not directed at or intended for use by children under the age of 18. We do not knowingly collect personal data from individuals under 18 years of age.

If you are under 18, please do not use this Website or provide any personal information to us. If you are a parent or guardian and believe that your child has provided us with personal information, please contact our Grievance Officer immediately.

Upon learning that we have collected personal data from a child under 18 without appropriate parental consent, we will take steps to delete such information as soon as possible.

15. POLICY UPDATES AND COMMUNICATION

This Policy may be updated periodically to reflect changes in:

Legal and regulatory requirements
Our data processing practices
Technological developments
Business operations

15.1. Notification of Changes

When we make material changes to this Policy, we will:

Update the "Effective Date" at the top of this Policy
Post a prominent notice on our Website homepage
Notify you via email if we have your contact information (for significant changes affecting your rights)

15.2. Acceptance of Changes

Your continued use of the Website following the posting of updated Terms constitutes your acknowledgment and acceptance of the revised Policy. We encourage you to review this Policy periodically to stay informed about how we protect your personal data.

Previous versions of this Policy may be available upon request to our Grievance Officer.

16. GOVERNING LAW AND JURISDICTION

This Privacy Policy shall be governed by and construed in accordance with the laws of India, including but not limited to:

The Digital Personal Data Protection Act, 2023
The Information Technology Act, 2000, and rules thereunder
The Indian Contract Act, 1872
Other applicable Indian laws and regulations

Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts in Chennai, Tamil Nadu, India.

17. CONTACT INFORMATION

For questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact:

Data Protection and Grievance Officer:

18. ACKNOWLEDGMENT AND ACCEPTANCE

By using this Website and providing your personal data, you acknowledge that you have read this Privacy Policy, understood how we collect, use, and protect your personal data, and consent to our processing of your data in accordance with this Policy. We are committed to making this Privacy Policy accessible to all users, including those using assistive technologies.

By accessing and using this Website, you confirm that you have read and understood this Privacy Policy and agree to the collection, use, and protection of your personal data as described herein. We are committed to making this Privacy Policy accessible to all users, including those using assistive technologies.

If you do not agree with the terms of this Policy, please refrain from using the Website or providing any personal information.