Privacy Policy — VRIP7 Private Limited

§ 1

Definitions

In this Privacy Policy, the following terms have the meanings set out below:

"Company", "We", "Us", "Our" VRIP7 Private Limited (CIN: U62099MP2026PTC084147), incorporated under the Companies Act, 2013, having its registered office at 2nd Floor, 26, Bakhtawar Marg, Freeganj, Madhav Nagar, Ujjain – 456010, Madhya Pradesh, India.

"Verticals" Kanopus Development (kanopus.org) and Sileru (sileru.com), which are operating brands of VRIP7 Private Limited. References to "we", "our", or "the Company" include all Verticals.

"Personal Data" / "Personal Information" Any information that relates to a natural person which, either directly or indirectly, is capable of identifying such person, within the meaning of "personal information" under Rule 2(i) of the SPDI Rules, 2011 read with Section 43A of the IT Act, 2000.

"Sensitive Personal Data or Information (SPDI)" Personal data as defined under Rule 3 of the SPDI Rules, 2011, including financial information, health information, biometric data, sexual orientation, medical records, and passwords.

"Sites" The websites vrip7.com, kanopus.org, and sileru.com, together with all sub-pages and sub-domains thereof.

"IT Act" The Information Technology Act, 2000 (Act 21 of 2000), as amended by the Information Technology (Amendment) Act, 2008.

"SPDI Rules" The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, notified under Section 43A of the IT Act.

§ 2

Who We Are & How to Reach Us

VRIP7 Private Limited is the data controller in respect of all personal data collected through the Sites and through direct correspondence addressed to the Company or its Verticals.

Registered Entity VRIP7 Private Limited · CIN: U62099MP2026PTC084147 · Incorporated 14 May 2026 under the Companies Act, 2013

Registered Office 2nd Floor, 26, Bakhtawar Marg, Freeganj, Madhav Nagar, Ujjain – 456010, Madhya Pradesh, India

Grievance Officer In accordance with Rule 5(9) of the SPDI Rules read with the IT Act, the Company has designated a Grievance Officer to whom data-related complaints and questions may be addressed.

Contact (VRIP7) [email protected]

Contact (Kanopus) [email protected]

Contact (Sileru) [email protected]

Grievances received by the Company shall be acknowledged within 24 hours and resolved within 30 days, in accordance with Rule 5(9) of the SPDI Rules.

§ 3

Data We Collect

The Company collects the minimum personal data necessary for the purpose of responding to enquiries, evaluating potential engagements, and improving the functionality of the Sites. We do not collect Sensitive Personal Data or Information as defined under Rule 3 of the SPDI Rules.

Category	Data Points	Source	Required / Optional
Contact & Correspondence Data	Name, email address, subject, message content, organisation name (if provided voluntarily)	Direct email or contact form submission by you	Required to respond
Technical / Log Data	IP address, browser type and version, device type, operating system, referring URL, pages visited, timestamps	Automatically collected by web server logs and any analytics service in use	Automatic; can be limited via browser settings
Cookie Data	Session identifiers, preference cookies, analytics cookies (if analytics are deployed)	Browser cookie storage; see Cookie Policy	Functional cookies: required. Analytics: optional; consent-gated

ℹ The Sites are presently informational in nature. We do not operate e-commerce, payment processing, user accounts, or any system that collects financial information, health data, or biometric data. No SPDI within the meaning of Rule 3 of the SPDI Rules is collected.

§ 4

How We Use Your Data

We use personal data collected through the Sites and by correspondence for the following purposes only:

To respond to enquiries, requests, and correspondence submitted to us via email or contact forms
To evaluate whether to enter into a commercial engagement with a prospective client, partner, or counterparty
To communicate with you about matters you have raised with us, including follow-up correspondence
To maintain records of business correspondence in accordance with applicable statutory requirements under the Companies Act, 2013
To analyse aggregated, anonymised technical data for the purposes of improving site performance and security — no individual profiling is performed
To comply with applicable law, court orders, or the lawful directions of any governmental authority

We do not use personal data for marketing to third parties, advertising, the training of artificial intelligence models, or any purpose not expressly stated above. We do not create individual profiles based on browsing behaviour.

§ 5

Legal Basis for Processing

Indian privacy law, as constituted by the IT Act, 2000 and the SPDI Rules, 2011, does not employ the GDPR-style enumeration of "lawful bases." The applicable legal framework requires that personal data be collected for a lawful purpose connected with a function or activity of the body corporate, that collection be necessary for that purpose, and that collection not be more than the minimum necessary. The Company's collection and use of personal data satisfies these requirements on the following bases:

Contractual necessity: Processing is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract (correspondence relating to proposed engagements)
Legitimate interest: Processing is necessary for the legitimate business interests of the Company, including maintaining records of business correspondence, and such interests are not overridden by your privacy interests
Legal obligation: Processing is necessary to comply with a legal obligation applicable to the Company under the Companies Act, 2013, the Income-tax Act, 1961, or other applicable Indian law
Consent: Where we use analytics services that collect personal data beyond what is strictly necessary, we will seek your consent through our cookie consent mechanism

📋 The Digital Personal Data Protection Act, 2023 (DPDPA) has received Presidential assent but its operative provisions are not yet in force as of the date of this Policy (specific sections are yet to be notified). Once operative provisions are notified by the Central Government, this Policy will be updated to reflect compliance with the DPDPA framework, including the consent and notice requirements thereunder.

§ 6

Sharing & Disclosure

We do not sell, rent, or trade personal data. We do not share personal data with any third party for marketing or advertising purposes.

We may share personal data in the following limited circumstances:

Service Providers (Data Processors): We use third-party providers for email hosting (such as email infrastructure providers). These providers act as processors under our instruction and are contractually prohibited from using your data for any other purpose.
Professional Advisors: We may share information with our lawyers, chartered accountants, company secretary, or other professional advisors under appropriate confidentiality obligations, where necessary for the conduct of our business or the provision of professional services to us.
Legal Compliance: We will disclose personal data to courts, regulators, governmental authorities, or law enforcement agencies where we are required to do so by applicable law, court order, or binding direction of a competent authority.
Business Transfer: In the event of a merger, acquisition, restructuring, or sale of the Company or any Vertical, personal data may be transferred to the acquiring entity, provided that the acquiring entity assumes equivalent privacy obligations.
Within VRIP7 Group: Personal data may be shared between VRIP7 Private Limited and its Verticals (Kanopus, Sileru) for internal business purposes connected with your enquiry. All Verticals are operating brands of the same legal entity.

Where data is transferred to any country outside India, such transfer will be in accordance with applicable requirements under the IT Act, the SPDI Rules, and, when operative, the DPDPA.

§ 7

Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention schedule applies:

Data Category	Retention Period	Basis
General correspondence (enquiries that did not result in an engagement)	24 months from the date of last correspondence	Legitimate business interest (follow-up, reference)
Correspondence relating to a completed or rejected engagement	8 years from conclusion of engagement or rejection	Statutory requirement (limitation period under the Limitation Act, 1963; Companies Act record-keeping obligations)
Technical / log data	90 days from collection	Security and performance monitoring; overwritten on a rolling basis
Cookie data (analytics)	As set by applicable cookie expiry (see Cookie Policy)	Consent-based

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised such that it can no longer be attributed to an identifiable individual.

§ 8

Security

The Company implements reasonable security practices and procedures as required under Section 43A of the IT Act, 2000 read with Rule 8 of the SPDI Rules, 2011, commensurate with the nature of the personal data held and the risks of loss, misuse, alteration, or unauthorised access.

Measures implemented include:

HTTPS (TLS 1.2 / 1.3) encryption for all data in transit across the Sites
Access controls limiting access to personal data to those with a need to know
Email security measures including SPF, DKIM, and DMARC records to prevent spoofing and phishing
Regular review of third-party service provider security practices
Secure deletion of data upon expiry of retention periods

⚠ No transmission of data over the internet is completely secure. While we take reasonable technical and organisational measures to protect your personal data, we cannot guarantee absolute security. If you have reason to believe that your interaction with us has been compromised, please notify us immediately at [email protected].

§ 9

Your Rights

Under the IT Act and SPDI Rules, and in anticipation of the operative provisions of the DPDPA 2023, you have the following rights in respect of personal data we hold about you:

Right to Access: You may request confirmation of whether we hold personal data about you and, if so, access to that data and the purposes for which it is processed. Requests will be responded to within 30 days.
Right to Correction: You may request correction of any personal data that is inaccurate, incomplete, or out of date.
Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Right to Grievance Redressal: You have the right to have any grievance regarding the collection, storage, or use of your personal data resolved within 30 days of raising it with our Grievance Officer, in accordance with Rule 5(9) of the SPDI Rules.

To exercise any of the above rights, write to us at [email protected] with the subject line "Data Rights Request". We may require you to verify your identity before processing your request.

§ 10

Cookies

Our Sites use cookies and similar tracking technologies. A detailed explanation of the cookies we use, the purposes for which they are used, and how you can control them is set out in our Cookie Policy.

In summary: the Sites may use strictly necessary cookies (required for the Sites to function), functional cookies (to remember your preferences), and, subject to your consent, analytics cookies to help us understand how visitors use the Sites. You can manage your cookie preferences at any time through your browser settings or through the cookie preference centre accessible on the Sites.

§ 11

Third-Party Links

The Sites may contain hyperlinks to third-party websites operated by entities that are not affiliated with VRIP7 Private Limited. This Privacy Policy does not apply to those third-party websites. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party website. We encourage you to review the privacy policies of any third-party site you visit.

§ 12

Children

The Sites are not directed at children. We do not knowingly collect personal data from any person under the age of 18 years. If you are a parent or guardian and you believe that a child for whom you are responsible has provided personal data to us without your consent, please contact us immediately at [email protected]. We will promptly delete such data upon verified notification.

§ 13

Changes to This Policy

We reserve the right to amend this Privacy Policy at any time. Where amendments are material, we will publish the updated Policy on this page with a revised effective date and, where practicable, provide notice through an appropriate channel.

Your continued use of the Sites following the posting of any amendment constitutes your acceptance of the amended Policy. If you do not agree with the amended Policy, you should discontinue your use of the Sites.

This Policy will be reviewed, at minimum, annually, and promptly upon the notification of operative provisions under the Digital Personal Data Protection Act, 2023.

§ 14

Contact & Grievance

For questions, data access requests, correction requests, or grievances regarding this Privacy Policy or the handling of your personal data, please write to:

VRIP7 / General [email protected]

Kanopus enquiries [email protected]

Sileru enquiries [email protected]

Postal Address VRIP7 Private Limited, 2nd Floor, 26, Bakhtawar Marg, Freeganj, Madhav Nagar, Ujjain – 456010, Madhya Pradesh, India.