Data Processing Agreement

Digital Personal Data Protection Act, 2023  •  IT Act, 2000  •  SPDI Rules, 2011

Effective Date: 01st January, 2026

Last Updated: 14th May, 2026

Version: 2.0

This Data Processing Agreement (“DPA”) applies to all users of GyFTR’s platforms and services. Part A governs data processing in relation to individual users (Data Principals). Part B governs data processing in the context of Corporate Clients whose employees or customers use GyFTR’s services (B2B). Please read the Part applicable to your relationship with Vouchagram India Pvt. Ltd.

 

Introduction & How to Read This Agreement

This Data Processing Agreement (“DPA” or “Agreement”) is entered into by Vouchagram India Pvt. Ltd. (operating as GyFTR) (“Company”, “We”, “Us”) and:

  • Individual users accessing GyFTR’s website (www.gyftr.com), mobile applications, or digital services (“Data Principals”) — governed by Part A; and
  • Corporate entities or organizations (“Corporate Clients” or “Clients”) that engage GyFTR to provide gift voucher, loyalty, or rewards services to their employees, customers, or end users — governed by Part B.

This DPA supplements and should be read alongside GyFTR’s Privacy Policy (available at www.gyftr.com/privacy-policy) and, where applicable, the Master Services Agreement or Terms of Service between GyFTR and the Corporate Client.

Where there is a conflict between this DPA and the Privacy Policy, this DPA shall prevail in respect of data processing obligations. Where there is a conflict between this DPA and the Master Services Agreement, this DPA shall prevail in respect of data protection matters.

1.  Definitions

In this DPA, unless the context otherwise requires:

| Term | Meaning |
|---|---|
| “Agreement” or “DPA” | This Data Processing Agreement, including all Annexes. |
| “Client Personal Data” | Any personal data provided by or made available by a Corporate Client to Vouchagram India Pvt. Ltd. for the purpose of receiving the Services, including data of the Client’s employees, customers, and end users. |
| “Consent” | A freely given, specific, informed, unconditional, and unambiguous indication of the Data Principal’s wishes, by a clear affirmative action, signifying agreement to the processing of their personal data. (Section 6, DPDP Act) |
| “Corporate Client” or “Client” | Any legal entity (company, partnership, or organization) that has entered into a Master Services Agreement or Terms of Service with Vouchagram India Pvt. Ltd. for the provision of B2B services. |
| “Data Fiduciary” | The entity that alone or in conjunction with others determines the purpose and means of processing of personal data. In a B2B context under Part B, the Corporate Client is the Data Fiduciary in respect of Client Personal Data. Vouchagram India Pvt. Ltd. is independently a Data Fiduciary in respect of data processed for its own purposes. |
| “Data Principal” | The individual to whom personal data relates. Under the DPDP Act, this refers exclusively to a natural person — not a company or organization. |
| “Data Processor” | Any person or entity that processes personal data on behalf of a Data Fiduciary. Under Part B, Vouchagram India Pvt. Ltd. acts as a Data Processor in respect of Client Personal Data. |
| “Data Protection Laws” | The Digital Personal Data Protection Act, 2023 (“DPDP Act”); the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”); the Information Technology Act, 2000; the IT (Reasonable Security Practices and Procedures and SPDI) Rules, 2011 (“SPDI Rules”); and all other applicable Indian laws relating to data protection and privacy, as amended from time to time. |
| “DPBI” or “Board” | The Data Protection Board of India, established under Section 18 of the DPDP Act. |
| “Personal Data” | Any data about an individual who is identifiable by or in relation to such data. (Section 2(t), DPDP Act) |
| “Processing” | Any operation or set of operations performed on personal data, and includes collection, recording, organization, storage, adaptation, retrieval, use, alignment, combination, sharing, disclosure, erasure, or destruction. |
| “Security Incident” | Any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data. |
| “Sensitive Personal Data” | Personal data relating to financial information (bank accounts, credit/debit card details), health/medical data, biometric data, and such other categories as prescribed under the SPDI Rules 2011 or notified by the Central Government under applicable law. |
| “Services” | The gift voucher, rewards, loyalty, payment, and related services provided by Vouchagram India Pvt. Ltd. to Corporate Clients or individual users, as applicable. |
| “Sub-processor” | Any third party appointed by Vouchagram India Pvt. Ltd. to process personal data in connection with the Services, as listed in Annex 2. |

 

PART A

Data Processing — Individual Users (Data Principals)

 

Part A applies to all individual users who access GyFTR’s website, mobile applications, or digital services. In this context, Vouchagram India Pvt. Ltd. acts as the independent Data Fiduciary and processes personal data of Data Principals for the purposes described in the GyFTR Privacy Policy.

 

2.  Vouchagram’s Role — Individual Users

In relation to individual users, Vouchagram India Pvt. Ltd. is the Data Fiduciary as defined under Section 2(i) of the DPDP Act. It alone determines the purpose and means of processing personal data of users and is responsible for all obligations of a Data Fiduciary under the DPDP Act.

 

Users are the Data Principals in this relationship. Their rights and our processing obligations are described in full in the GyFTR Privacy Policy. The key rights available to individual users are:

 

| Right (DPDP Act Reference) | Description |
|---|---|
| Right to Access Information (S.11) | Obtain a summary of your personal data held by us and details of processing activities and third parties with whom it has been shared. |
| Right to Correction & Erasure (Ss.12–14) | Request correction of inaccurate, incomplete, or outdated data; request erasure of data no longer required for the stated purpose. |
| Right to Grievance Redressal (S.15) | Have complaints addressed within the timelines prescribed under the DPDP Rules. Escalate unresolved complaints to the Data Protection Board of India. |
| Right to Nominate (S.16) | Nominate another individual to exercise your rights in the event of your death or incapacity. |
| Right to Withdraw Consent | Withdraw your Consent at any time for consent-based processing, without affecting the lawfulness of prior processing. |

 

To exercise any of the above rights, please contact:

  • Email: help@gyftr.com (Subject: Data Protection Request)
  • Grievance Officer: Ashish Aggarwal, Vouchagram India Pvt. Ltd., 3rd Floor, B-11, Block B, Qutub Institutional Area, New Delhi – 110016

 

For full details of how we collect, use, and protect your personal data, please read our Privacy Policy at www.gyftr.com/privacy-policy.

 

3.  Lawful Basis for Processing — Individual Users

We process personal data of individual users under the following lawful grounds:

 

| Processing Purpose | Lawful Basis (DPDP Act 2023) |
|---|---|
| Service delivery (vouchers, payments, loyalty) | Consent — Section 6 |
| Transactional and account communications | Consent — Section 6 |
| Marketing and promotional communications | Consent — Section 6 (explicit opt-in) |
| Service improvement and analytics | Consent — Section 6 |
| Legal compliance, fraud prevention, regulatory requirements | Certain Legitimate Use — Section 7(b) |
| Security monitoring and incident response | Certain Legitimate Use — Section 7(b) / 7(h) |
| Client satisfaction surveys | Consent — Section 6 |

 

4.  Consent — Individual Users

Consent from individual users is obtained through a clear affirmative action (such as checking a consent box or clicking ‘Accept’) at or before the point of data collection. Each Consent is:

  • Freely given, without any element of coercion;
  • Specific to the stated purpose as described in the accompanying Notice;
  • Informed — accompanied by a Notice in plain language describing the data collected and the purpose;
  • Unconditional — not bundled with acceptance of unrelated terms; and
  • Unambiguous — obtained through an active, affirmative action.

 

Users may withdraw their Consent at any time through their account settings or by contacting ashish@gyftr.com. Withdrawal will not affect any processing already carried out.

 

 

PART B

Data Processing Addendum — Corporate Clients (B2B)

 

Part B constitutes the Data Processing Addendum (“Addendum”) between Vouchagram India Pvt. Ltd. and Corporate Clients. It forms part of the Master Services Agreement (“MSA”) or Terms of Service (“ToS”) entered into between the parties. By accepting the MSA or ToS, Corporate Clients agree to be bound by this Addendum.

 

5.  Roles of the Parties — Corporate Clients

In the B2B context:

 

| Party | Role under DPDP Act | Responsibility |
|---|---|---|
| Corporate Client | Data Fiduciary (Section 2(i), DPDP Act) | Determines the purpose and means of processing Client Personal Data. Responsible for obtaining lawful Consent from its employees / end users and providing appropriate Notices before sharing data with Vouchagram. |
| Vouchagram India Pvt. Ltd. | Data Processor (Section 2(k), DPDP Act) | Processes Client Personal Data solely on the documented instructions of the Corporate Client and for the purpose of delivering the Services. Subject to all Data Processor obligations under the DPDP Act. |

 

Important: In this B2B context, the Corporate Client (company) is the Data Fiduciary — not a Data Principal. Under the DPDP Act, ‘Data Principal’ refers exclusively to a natural person (individual). The employees or end users of the Corporate Client are the Data Principals whose data is being processed.

 

Where Vouchagram India Pvt. Ltd. also processes personal data independently for its own purposes (e.g., platform security, fraud prevention, regulatory compliance), it acts as an independent Data Fiduciary for such processing, subject to its Privacy Policy.

 

6.  Scope & Instructions

Vouchagram India Pvt. Ltd. shall process Client Personal Data only:

  • As necessary to provide the Services described in the MSA;
  • In accordance with the documented instructions of the Corporate Client as set out in Annex 1 and any subsequent written instructions;
  • To comply with applicable Data Protection Laws and legal obligations; and
  • As otherwise agreed in writing between the parties.

 

Vouchagram India Pvt. Ltd. shall promptly inform the Corporate Client if, in its opinion, any processing instruction infringes applicable Data Protection Laws. Vouchagram shall not be obligated to follow instructions that would cause it to violate any applicable law.

 

Vouchagram India Pvt. Ltd. shall not sell, share, or process Client Personal Data for its own commercial purposes without obtaining explicit written consent from the Corporate Client, except where such processing is required to deliver the contracted Services or is mandated by law.

 

7.  Corporate Client Obligations

The Corporate Client represents, warrants, and undertakes that:

 

  1. It has obtained all necessary Consents from its employees and end users (Data Principals) prior to sharing their personal data with Vouchagram India Pvt. Ltd., and has provided appropriate Notices as required under Section 5 of the DPDP Act;
  2. All personal data shared with Vouchagram India Pvt. Ltd. is accurate, complete, and up-to-date;
  3. It shall not direct Vouchagram India Pvt. Ltd. to process personal data in a manner that would violate applicable Data Protection Laws;
  4. It shall promptly notify Vouchagram India Pvt. Ltd. of any change to the applicable Data Protection Laws that may affect the processing of Client Personal Data;
  5. It shall not impersonate any person or entity when providing personal data, and shall not suppress any material information;
  6. It shall not file any false or frivolous grievances or complaints with Vouchagram India Pvt. Ltd. or with the Data Protection Board of India (Section 15, DPDP Act); and
  7. It is responsible for ensuring that its own data processing activities in relation to its employees and end users are compliant with applicable Data Protection Laws.

 

8.  Vouchagram’s Obligations as Data Processor

Vouchagram India Pvt. Ltd. shall, in its capacity as Data Processor:

 

8.1 Processing

  • Process Client Personal Data only on the documented instructions of the Corporate Client, except where processing is required by applicable law;
  • Ensure that personnel authorized to process Client Personal Data are subject to appropriate confidentiality obligations;
  • Not engage Sub-processors (other than those listed in Annex 2) without prior written authorization from the Corporate Client; and
  • Remain fully liable for the acts and omissions of any Sub-processor to the same extent as if the acts or omissions were its own.

 

8.2 Security

  • Implement and maintain appropriate technical and organizational security measures as described in Annex 3, having regard to the risks of the processing;
  • Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems;
  • Restore access to personal data in a timely manner following a Security Incident; and
  • Conduct regular testing and assessment of the effectiveness of security measures.

 

8.3  Data Principal Rights Assistance

  • Assist the Corporate Client (as Data Fiduciary) in fulfilling its obligations to respond to Data Principal requests for access, correction, or erasure of personal data, after validating the identity of the requester;
  • Provide necessary technical and organizational support to enable the Corporate Client to respond to Data Principal rights requests within the timelines prescribed under the DPDP Rules; and
  • Notify the Corporate Client without undue delay if it receives a request directly from a Data Principal that relates to Client Personal Data.

 

8.4 Notifications

  • Notify the Corporate Client without undue delay upon becoming aware of a Security Incident affecting Client Personal Data, with sufficient detail to enable the Corporate Client to fulfil its breach notification obligations;
  • Notify the Corporate Client promptly upon receiving a legally binding request for disclosure of Client Personal Data from any government authority, law enforcement agency, or court, to the extent permitted by law; and
  • Notify the Corporate Client if, in Vouchagram’s assessment, any instruction from the Corporate Client would cause Vouchagram to violate applicable Data Protection Laws.

 

8.5 Audit & Compliance

  • Maintain relevant records of processing activities in relation to Client Personal Data;
  • Make available to the Corporate Client all information reasonably necessary to demonstrate compliance with this Addendum; and
  • Allow for and contribute to audits, including inspections, conducted by the Corporate Client or an auditor appointed by the Corporate Client, subject to reasonable notice and confidentiality obligations.

 

8.6 Return or Deletion

Upon termination or expiry of the MSA or upon the Corporate Client’s written request, Vouchagram India Pvt. Ltd. shall, at the Corporate Client’s election, securely delete or return all Client Personal Data in its possession, unless retention is required by applicable law. Vouchagram shall certify in writing the completion of such deletion or return within [30] days of the relevant request or termination.

 

9.  Data Breach Notification

In the event of a Security Incident affecting Client Personal Data:

 

  • Vouchagram India Pvt. Ltd. will notify the Corporate Client without undue delay (and in any event within [48] hours of becoming aware), providing all available details including the nature of the breach, categories and approximate number of Data Principals affected, likely consequences, and measures taken or proposed;
  • The Corporate Client (as Data Fiduciary) is responsible for notifying the Data Protection Board of India under Section 25 of the DPDP Act, and for any notification to affected Data Principals as directed by the Board; and
  • Vouchagram will provide all reasonable assistance to the Corporate Client in fulfilling its breach notification obligations.

Under Section 25 of the DPDP Act, it is the Data Fiduciary (i.e., the Corporate Client) — not the Data Processor — who bears the legal obligation to notify the Data Protection Board of India of a personal data breach. Vouchagram, as Data Processor, will support the Corporate Client in fulfilling this obligation.

10.  Sub-processors

The Corporate Client provides general authorization for Vouchagram India Pvt. Ltd. to engage the Sub-processors listed in Annex 2. Vouchagram shall:

  • Notify the Corporate Client at least [30] days in advance of any addition or replacement of Sub-processors;
  • Impose data protection obligations on each Sub-processor equivalent to those set out in this Addendum; and
  • Remain fully liable for the performance of each Sub-processor’s obligations.

The Corporate Client may object to the addition of a new Sub-processor within [14] days of notification. If the parties cannot resolve the objection, either party may terminate the relevant Services upon [30] days’ written notice without liability.

11.  Cross-Border Transfers

Client Personal Data shall not be transferred outside the territory of India except in strict compliance with Section 16 of the DPDP Act, which permits transfers only to countries or territories notified by the Central Government of India.

Until the Central Government publishes the list of notified countries, Vouchagram India Pvt. Ltd. shall:

  • Process Client Personal Data primarily within India;
  • In the event that a Sub-processor operates outside India, ensure that any transfer is subject to the conditions prescribed under the DPDP Act and DPDP Rules at the time of transfer; and
  • Notify the Corporate Client of any planned cross-border transfer and seek written approval in advance.

Vouchagram shall also notify the Corporate Client of any government requests for disclosure of Client Personal Data and, to the extent permitted by law, limit such disclosure to the minimum required.

 

12.  Confidentiality

Vouchagram India Pvt. Ltd. shall ensure that all personnel involved in the processing of Client Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and are informed of the confidential nature of the data. This obligation shall survive the termination of the MSA.

 

13.  Warranties

Each party warrants that:

  • It has the legal authority to enter into this Addendum;
  • It will comply with all applicable Data Protection Laws in performing its obligations under this Addendum; and
  • Its personnel, agents, and sub-contractors engaged in the processing of personal data under this Addendum are aware of and bound by applicable data protection obligations.

 

Vouchagram India Pvt. Ltd. further warrants that it adheres to the ISO/IEC 27001:2022 Information Security Management System standard and complies with the SPDI Rules 2011 in respect of Sensitive Personal Data.

 

14.  Indemnity

The Corporate Client shall indemnify and hold harmless Vouchagram India Pvt. Ltd. and its affiliates from and against any and all claims, losses, liabilities, damages, fines, penalties, or costs (including reasonable legal fees) arising out of or in connection with:

  • The Corporate Client’s breach of this Addendum;
  • The Corporate Client’s failure to obtain lawful Consent from Data Principals before sharing their data with Vouchagram; or
  • Any violation of applicable Data Protection Laws by the Corporate Client. 

Vouchagram India Pvt. Ltd. shall indemnify and hold harmless the Corporate Client from and against any and all claims, losses, liabilities, damages, fines, penalties, or costs arising out of or in connection with Vouchagram’s breach of this Addendum or its obligations as a Data Processor under applicable Data Protection Laws.

15.  Limitation of Liability

Each party’s aggregate liability to the other under or in connection with this Addendum, whether arising in contract, tort (including negligence), or otherwise, shall not exceed the total fees paid or payable by the Corporate Client to Vouchagram India Pvt. Ltd. in the twelve (12) months immediately preceding the event giving rise to the claim, unless a higher limit is required by applicable law.

 

Neither party shall be liable to the other for any indirect, special, incidental, punitive, or consequential loss or damage, except to the extent such loss arises from a willful breach or gross negligence.

 

16.  Privacy by Design

Vouchagram India Pvt. Ltd. shall implement privacy by design principles in respect of all processing under this Addendum, including by:

  • Embedding data protection considerations into the design of systems and processes;
  • Implementing data minimization principles, collecting only the minimum personal data necessary for the stated purpose;
  • Conducting Data Protection Impact Assessments (“DPIA”) where processing is likely to result in a high risk to the rights of Data Principals; and
  • Where required, engaging independent data auditors to assess compliance.

 

17.  Term & Termination

This Addendum shall remain in force for the duration of the MSA between the parties. It shall terminate automatically upon termination or expiry of the MSA, subject to any survival provisions.

 

Clauses relating to confidentiality (Section 12), indemnity (Section 14), surviving obligations post-termination (Section 8.6), and governing law (Section 19) shall survive termination of this Addendum.

 

18.  Severability

If any provision of this Addendum is found by a competent court or authority to be invalid, unlawful, or unenforceable, that provision shall be deemed modified to the minimum extent necessary to make it valid, lawful, and enforceable. The remaining provisions shall continue in full force and effect.

 

19.  Governing Law & Dispute Resolution

This Addendum shall be governed by and construed in accordance with the laws of India, including the DPDP Act, 2023, the IT Act, 2000, and applicable rules thereunder.

 

Any dispute arising out of or in connection with this Addendum shall be subject to the exclusive jurisdiction of the competent courts at New Delhi, India.

 

20.  Amendments

This Addendum may be amended by Vouchagram India Pvt. Ltd. to reflect changes in applicable Data Protection Laws or regulatory guidance. Vouchagram shall provide at least [30] days’ written notice of any material amendments. Continued use of the Services after the effective date of the amendment shall constitute acceptance by the Corporate Client.

 

21.  Contact for Data Protection Matters

All data protection queries, complaints, and requests under this DPA (both Part A and Part B) should be directed to:

 

| Contact | Details |
|---|---|
| Name | Ashish Aggarwal |
| Role | Grievance Officer / Data Protection Officer Contact |
| Email | ashish@gyftr.com |
| Postal Address | Vouchagram India Pvt. Ltd., 3rd Floor, B-11, Block B, Qutub Institutional Area, New Delhi – 110016, India |
| DPBI Complaints | If unresolved, complaints may be escalated to the Data Protection Board of India at the contact details notified by the Board from time to time. |

 

 

ANNEX 1

Description of Processing Activities (B2B)

 

| Field | Details |
|---|---|
| Data Exporter (Data Fiduciary) | Corporate Client (as identified in the MSA / Terms of Service) |
| Data Importer (Data Processor) | Vouchagram India Pvt. Ltd. (operating as GyFTR), 3rd Floor, B-11, Block B, Qutub Institutional Area, New Delhi – 110016 |
| Categories of Data Principals | Employees, contractors, customers, and authorized end users of the Corporate Client who receive or redeem Services. |
| Categories of Personal Data | Full name, email address, mobile number, postal address, date of birth, employee/user ID (where applicable). |
| Sensitive Personal Data | Financial data (bank account details, credit/debit card details) collected solely for transaction processing, subject to SPDI Rules 2011 and applicable RBI regulations. Tokenized where possible. |
| Purpose of Processing | Provision of gift voucher, rewards, loyalty, and payment services as described in the MSA; fraud detection and compliance; customer support; regulatory compliance. |
| Nature of Processing | Collection, storage, retrieval, use, sharing (with Sub-processors for service delivery), and deletion of personal data as required for the Services. |
| Retention Period | As required to deliver the Services and comply with applicable legal obligations. Financial transaction data is retained for a minimum of seven (7) years in compliance with applicable tax and financial regulations. Data is deleted or anonymized upon termination of the MSA, subject to legal retention requirements. |
| Transfer Restrictions | No cross-border transfer except to countries notified by the Central Government under Section 16 of the DPDP Act or as expressly agreed in writing. |

 

 

ANNEX 2

Approved Sub-processors

 

The following Sub-processors are approved as of the effective date of this DPA. Vouchagram India Pvt. Ltd. shall provide [30] days’ prior notice of any additions or replacements.

 

| Sub-processor | Service Purpose | Data Processed |
|---|---|---|
| Amazon Web Services (AWS) & Microsoft Azure | Cloud infrastructure, data hosting, and compute services | All categories of personal data processed in connection with the Services |
| Salesforce | Customer support platform (CRM), service ticket management, customer communication workflows | Identity & contact data, transactional data, communication records |
| NetMagic & Rapyder | Managed cloud infrastructure services | All categories of personal data hosted on managed infrastructure |
| Google Workspace | Corporate productivity, email (Gmail), document collaboration (Drive), video conferencing (Meet) | Business communications and operational data (limited personal data) |
| Netcore | Email and SMS communications for voucher delivery and customer notifications | Name, email address, mobile number, voucher transaction details |
| ValueFirst | WhatsApp-based communications for voucher delivery and marketing | Name, mobile number, voucher transaction details |
| Karix | WhatsApp and SMS communications for voucher delivery and customer engagement | Name, mobile number, voucher transaction details |

 

All Sub-processors are contractually bound to comply with data protection obligations equivalent to those in this DPA. Vouchagram India Pvt. Ltd. remains fully liable for the acts and omissions of each Sub-processor.

 

 

ANNEX 3

Technical & Organisational Security Measures

 

Vouchagram India Pvt. Ltd. implements the following security measures in accordance with the SPDI Rules 2011, the DPDP Act 2023, and ISO/IEC 27001:2022:

 

| Measure | Description |
|---|---|
| Access Control | Role-based access control (RBAC); multi-factor authentication (MFA); access granted on need-to-know basis; all access logged and reviewed. |
| Data Encryption | Data in transit: TLS 1.2 or higher. Data at rest: AES-256 encryption. Sensitive Personal Data encrypted end-to-end in compliance with SPDI Rules. |
| Network Security | Firewalls, intrusion detection and prevention systems (IDS/IPS), secure network architecture, DMZ separation, regular penetration testing. |
| Pseudonymization | Applied to personal data where feasible to reduce identification risk during processing and analytics. |
| Security Audits | Annual independent third-party security audits as required under SPDI Rules 2011 (Rule 8(4)); internal vulnerability assessments on a quarterly basis. |
| Incident Response | Documented incident response plan; Security Operations Centre (SOC) monitoring; defined escalation and containment procedures; post-incident review. |
| Employee Training | Mandatory data protection and security awareness training for all personnel handling personal data; role-specific training for IT and security teams. |
| Physical Security | Secure data centres with physical access controls; CCTV; environmental controls; visitor management. |
| Business Continuity | Tested business continuity and disaster recovery plans; defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO); regular backup and restoration testing. |
| Third-Party Security | Security assessments of Sub-processors before engagement; contractual security obligations imposed on all Sub-processors; periodic compliance reviews. |
| ISO 27001:2022 | Adherence to the ISO/IEC 27001:2022 Information Security Management System framework; documented ISMS policy; regular management reviews. |
