Privacy Policy

Introduction and Background

Campus Activewear Limited, currently positioned as the preeminent brand in India’s organized sports and athleisure footwear market, operates a sophisticated multi-channel distribution network that forms the backbone of its commercial success. Founded on the legacy of Action Footwear and formally incorporated in 2008, the company has undergone an aggressive digital transformation to support its vast scale, which includes a pan-India reach across Tier 1, 2, and 3 cities. As a publicly listed entity on the National Stock Exchange and Bombay Stock Exchange Limited, Campus Activewear Limited (hereinafter referred to as "the Company" or "CAL") is subject to rigorous corporate governance standards, particularly concerning the management of data within its supply chain.

The "Primary Order Booking App and Portal" serves as the critical digital interface for the Company’s authorized distributors and franchisees. This platform enables the seamless orchestration of inventory procurement, order tracking, and financial reconciliation. However, the digitization of these B2B relationships necessitates a robust framework for protecting the digital personal data of the individuals who represent these business partners. In the evolving legal landscape of India, characterized by the notification of the Digital Personal Data Protection Act (DPDPA), 2023, and the existing Information Technology Act, 2000, data privacy is no longer a discretionary corporate policy but a statutory mandate.

This comprehensive Privacy Policy is designed to be accepted by distributors and franchisees during their inaugural login to the application. It outlines how the Company, acting as a "Data Fiduciary," processes the personal data of its partners, who are categorized as "Data Principals" under Indian law. The policy reflects the Company’s commitment to the seven core principles of data protection: consent and transparency, purpose limitation, data minimization, accuracy, storage limitation, security safeguards, and accountability. By institutionalizing these practices, the Company ensures that its technological advancements in supply chain management do not come at the expense of the privacy rights of its business associates.

Abbreviations and Definitions

To maintain absolute clarity in the interpretation of this document, the following terms and abbreviations are defined in accordance with both the Company's operational protocols and the prevailing statutory framework in India.

Abbreviation/Term | Expanded Form/Definition | Legal or Operational Context
CAL | Campus Activewear Limited | The Data Fiduciary responsible for determining the purpose and means of data processing.
DPDPA | Digital Personal Data Protection Act, 2023 | The primary standalone data protection legislation in India.
Data Fiduciary | Person/Entity determining the purpose/means of data processing | Campus Activewear Limited in the context of the Partner Portal.
Data Principal | Individual to whom the personal data relates | The authorized signatory or user representing the distributor/franchisee.
Data Processor | Person/Entity processing data on behalf of a Fiduciary | Cloud providers, 3PL logistics, or payment gateways.
DPO | Data Protection Officer | The official appointed by CAL to oversee DPDPA compliance.
GSTIN | Goods and Services Tax Identification Number | 15-digit identifier for business tax registration in India.
KYC | Know Your Customer | Mandatory identity verification process for business partners.
PAN | Permanent Account Number | 10-digit alphanumeric identifier for income tax purposes.
3PL | Third-Party Logistics | Outsourced providers for warehousing and delivery.
OTP | One-Time Password | Security mechanism for multi-factor authentication.
IT Act | Information Technology Act, 2000 | The underlying law for electronic transactions and data security in India.
SDF | Significant Data Fiduciary | An entity with higher compliance burdens based on data volume.

What Personal Data Can Be Collected

In the operation of the Primary Order Booking App and Portal, the Company collects specific categories of digital personal data. The collection process strictly adheres to the principle of data minimization, ensuring that only information necessary for the business relationship and statutory compliance is gathered.

Personal Identifiers and Contact Information

For the purpose of establishing a secure user profile and maintaining a reliable channel of communication, the Company collects the following data points from the authorized users of the distributor or franchisee:

  • Full Name: The legal name of the authorized signatory or designated user.
  • Official Designation: The professional role within the partner organization to manage access permissions.
  • Email Address: Used for transaction alerts, invoicing, and legal notifications.
  • Mobile Phone Number: Used for OTP-based secure login and WhatsApp-based delivery updates.
  • Business Address: The registered office and primary warehouse locations of the partner.

Business and Statutory Verification Data (KYC)

In compliance with the Reserve Bank of India (RBI) guidelines and the GST framework, the Company requires the following documentation to verify the legitimacy of its business partners:

  • PAN Details: The Permanent Account Number of the entity or the individual proprietor to facilitate tax deducted at source (TDS) filings.
  • GST Registration: The GSTIN and associated certificates to ensure accurate input tax credit (ITC) processing.
  • Identity Proof: Aadhaar details of the proprietor or directors for voluntary verification or where mandated by sector-specific regulations.
  • Bank Account Proof: Cancelled cheques or bank statements showing the account holder's name, account number, and IFSC code for financial settlement.
  • Corporate Documents: Certificate of Incorporation, Memorandum of Association (MoA), and Partnership Deeds where applicable.

Technical and Usage Data

The Primary Order Booking App automatically collects technical metadata to ensure platform security and optimize user experience:

  • IP Address and Device ID: For identifying unauthorized access attempts and ensuring geo-fencing if required.
  • Operating System and Browser Details: To provide technical support and ensure compatibility with the user’s hardware.
  • Activity Logs: Timestamps of login/logout, order placement history, and navigation patterns within the portal.
  • Location Metadata: Used to verify that orders are booked from the designated territory of the distributor.

Transactional and Financial Information

Specific data points related to the commercial interactions are recorded to maintain the integrity of the supply chain:

  • Order History: Comprehensive records of footwear styles (SKUs), quantities, and transaction values.
  • Payment Status: Information regarding bank transfers, credit limits, and outstanding balances.
  • Inventory Records: Stock levels held by the distributor or franchisee to facilitate replenishment forecasting.

Purpose for which the Personal Data are to be Processed

The Company adheres to a "Specified Purpose" mandate, where data is processed only for the objectives explicitly communicated to the partner. The processing of digital personal data within the Partner Portal is driven by four primary pillars: functional necessity, legal obligation, security, and supply chain optimization.

Functional Necessity and Contractual Performance

The primary objective of processing is to fulfill the Distributor or Franchisee Agreement. Without processing name, contact details, and business identifiers, the Company would be unable to:

  • Provision and manage the user account on the Primary Order Booking App.
  • Process purchase orders and coordinate the delivery of footwear products.
  • Generate tax-compliant invoices.
  • Facilitate training and support for the distributor’s staff on the Company's operational standards.

Legal and Statutory Compliance

As a publicly traded company, CAL must process data to satisfy rigorous Indian laws:

  • Tax Compliance: Managing GST filings, TDS deductions, and annual financial reporting.
  • Audit Requirements: Maintaining records of business transactions for a period of eight years as mandated by the Companies Act, 2013.
  • KYC and Anti-Fraud: Conducting due diligence before onboarding any vendor or distributor to prevent financial crimes.

Platform Security and Reliability

Technical data is processed to protect the interests of both the Company and its partners:

  • Authentication: Verifying user identity through passwords and OTPs to prevent account takeovers.
  • Monitoring: Identifying and investigating suspicious login activity or unauthorized data access.
  • Debugging: Utilizing error logs and performance metrics to fix platform crashes and improve response times.

Supply Chain Optimization and Research

Aggregated and anonymized data (which no longer identifies individual Data Principals) is used for broader business goals:

  • Demand Forecasting: Predicting footwear trends and inventory needs across different Indian states.
  • Geographic Analysis: Assessing market penetration in North, West, East, and South regions to plan future exclusive brand outlets.
  • Service Improvement: Using feedback and usage patterns to enhance the portal’s interface and ordering workflows.

Legal Basis for the Processing

The processing of digital personal data by the Company is sanctioned under Section 4 of the DPDPA, which establishes a "positive obligation" regime. The Company relies on two primary grounds for its processing activities.

Consent of the Data Principal

Consent remains the cornerstone of the DPDPA framework. Upon first-time login, the distributor or franchisee is presented with this policy. By providing a clear affirmative action (clicking "Accept"), they signify consent that meets the statutory thresholds:

  • Free: Consent is not coerced, though it is a prerequisite for accessing the digital booking facility which is essential for the commercial relationship.
  • Specific: The consent is tied to the itemized purposes mentioned above.
  • Informed: The partner is provided with a detailed notice before data collection.
  • Unambiguous: No "implied" or "passive" consent via pre-ticked boxes is utilized.

Legitimate Uses (No Consent Required)

In certain scenarios, the Company may process data without explicit consent under Section 7 of the DPDPA:

  • Fulfillment of Legal Obligations: Where the law requires the disclosure of information to a government body or court.
  • Specified Purposes Provided Voluntarily: Where a distributor provides their business card or PAN for a specific tax transaction, and has not indicated non-consent.
  • Employment Purposes: Where the processing relates to the management of the Company’s own employees who use the portal for distributor support.

Processing Activity | Primary Legal Basis | Statutory Reference (DPDPA)
Account Creation | Consent | Section 4(1)(a)
Order Processing | Contractual Necessity (Informed Consent) | Section 6
GST/TDS Filings | Legal Obligation (Legitimate Use) | Section 7(c)
Fraud Monitoring | Legitimate Interest/Security | Section 7

Right of Access, Rectification, Erasure, and Data Portability

The DPDPA empowers Data Principals with a set of enforceable rights, ensuring they retain control over their digital footprint. The Company is committed to facilitating these rights through its internal Data Subject Request (DSR) protocols.

Right to Access Information

Distributors and franchisees have the right to request a summary of the personal data being processed by CAL. This includes the identities of any third-party processors (such as logistics or payment partners) with whom their data has been shared. Partners can access most of this information directly through the "User Profile" section of the Primary Order Booking App.

Right to Rectification and Completion

If any personal data (such as a mobile number, email, or business address) is inaccurate or incomplete, the partner has the right to correct it. The Company provides an interface for self-service updates, though changes to critical business documents (like GST certificates) may require manual verification by the Company’s onboarding team to maintain the accuracy of the supply chain.

Right to Erasure

A Data Principal may request the deletion of their personal data if the purpose for which it was collected is no longer being served (e.g., upon termination of the distributorship). The Company will erase such data unless its retention is mandated by law (such as tax records for eight years).

Right to Withdraw Consent

Partners may withdraw their consent at any time with the same ease as it was given. Upon withdrawal, the Company must cease processing within a reasonable time, unless such processing is required under other laws. It is important to note that withdrawing consent for essential data (like login credentials or GST details) will result in the immediate termination of access to the App and the inability to place orders.

Right to Data Portability and Objection

While the DPDPA is primary, the Company follows global best practices by allowing partners to:

  • Object to Processing: Particularly for non-essential communications or marketing analysis.
  • Data Portability: Requesting a machine-readable download of their transaction history and profile data to facilitate their own business accounting.

Distributor’s Rights in the B2B Context

Within the B2B framework of Campus Activewear Limited, distributors and franchisees are granted specific rights that recognize their role as essential commercial partners.

Transparency in Automated Decision-Making

The Primary Order Booking App may utilize algorithms for credit limit assessments or order prioritization. Distributors have the right to be informed of such automated processes and to request human intervention if a decision significantly impacts their commercial standing.

Right to Grievance Redressal

In accordance with Section 13 of the DPDPA, the Company provides a robust mechanism for resolving privacy-related complaints. The Company has appointed a Data Protection Officer (DPO) who can be reached at _____________@campusshoes.com. The Company is legally bound to provide a response to any privacy grievance within the specified statutory timelines.

Right to Nominate

Individual distributors or sole proprietors have the right to nominate a person who shall, in the event of their death or incapacity, exercise their data rights. This ensures the continuity of the business relationship and the protection of the estate’s information.

Data Protection for Goods Orders, Personal User Profiles

The Company employs "techno-legal measures" to protect the confidentiality, integrity, and availability of data within the Primary Order Booking App.

Safeguarding Personal User Profiles

User profiles contain sensitive contact and identity data. These are protected via:

  • Encryption: Personal data is encrypted "at rest" using advanced standards like the Advanced Encryption Standard (AES) and "in transit" using Transport Layer Security (TLS).
  • Access Control: Role-based access control (RBAC) ensures that only authorized Company employees (such as Sales Managers or Accountants) can view specific segments of a distributor’s data.
  • Multi-Factor Authentication (MFA): Login requires both a password and an OTP sent to the partner’s registered device.

Integrity of Goods Orders and Transactional Data

The booking of orders involves critical commercial information. Protection measures include:

  • Immutable Logs: Every order placed, modified, or cancelled is recorded in an audit trail that cannot be altered, ensuring transparency in the event of a dispute.
  • Zero-Trust Architecture: The Company’s network treats every access request as a potential threat, requiring continuous verification of the device and user identity.
  • Database Segregation: Partner data is logically segregated to ensure that one distributor cannot access the order or pricing information of another.

Security Incident Response

In the event of a personal data breach (unauthorized access or loss), the Company follows a strict notification protocol:

  • Board Notification: Reporting to the Data Protection Board of India without delay.
  • Partner Notification: Informing affected distributors/franchisees through their registered communication channels.
  • Mitigation: Taking immediate steps to stop the breach and restore the security of the portal.

Data Processing by Third Parties

To provide a seamless digital experience, Campus Activewear Limited engages specialized third-party "Data Processors".

Role of Third-Party Processors

The Company utilizes partners for the following functions:

  • Cloud Hosting: Infrastructure services (such as Name of the cloud) where the data is stored in secure Indian data centers.
  • Logistics (3PL): Fulfillment partners who receive delivery names and addresses to transport footwear.
  • Payment Gateways: Financial intermediaries that process bank transactions.
  • KYC Vendors: Specialized agencies that automate the verification of government IDs.

Contractual Safeguards

Under the DPDPA, the Company remains responsible for the actions of its processors. To mitigate risk, CAL ensures that:

  • Binding Agreements: All processors sign Data Processing Agreements (DPAs) that mandate compliance with the DPDPA.
  • Purpose Limitation: Processors are strictly forbidden from using partner data for their own marketing or selling it to data brokers.
  • Audit Rights: The Company reserves the right to audit the security practices of its third-party vendors.

Data Retention

The Company follows the principle of "Storage Limitation," ensuring that data is not kept for longer than is necessary.

Statutory Retention Periods

The Company aligns its retention schedule with Indian tax and corporate laws:

Data Category | Retention Period | Statutory Basis
Books of Account | 8 Years | Companies Act, 2013
GST Records | 72 Months (6 Years) | GST Act, 2017
KYC Documents | Duration of Contract + 8 Years | Income Tax Act, 1961
User Activity Logs | 1 to 2 Years | IT Rules, 2011 / Security Monitoring

Deletion and Anonymization

Upon the expiry of the retention period or the withdrawal of consent (where the law permits), the Company will:

  • Permanently Delete: Securely wiping digital records from all primary and backup servers.
  • Anonymize: Stripping all identifiers to leave only non-identifiable statistical data for long-term footwear market analysis.

Review or Changes to Policy

This Privacy Policy is subject to periodic review to ensure alignment with technological shifts and new legal interpretations.

Mechanism for Updates

The Company will review this policy at least once every twelve months. Material changes (such as the collection of new data types or a change in third-party processors) will be communicated to the distributor or franchisee through:

  • In-App Notification: A pop-up alert upon the next login.
  • Email Update: To the registered authorized email address.

Acceptance

Continued use of the Primary Order Booking App and Portal after the effective date of an update will be treated as the partner’s informed consent to the new terms. Partners are encouraged to periodically review the "Last Updated" date at the top of the policy to stay informed of their privacy rights. By proceeding with the first-time login and accessing the Campus Activewear Limited Primary Order Booking App and Portal, the Distributor or Franchisee confirms that they have read, understood, and agreed to be bound by the terms and conditions set forth in this Privacy Policy. This agreement constitutes a legally binding digital contract under the Information Technology Act, 2000, and is compliant with the Digital Personal Data Protection Act, 2023.