Data Protection and Retention Policy

POLICY BRIEF & PURPOSE

This Data Protection and Retention Policy establishes the guidelines and measures for managing, protecting, and retaining data at Boomitra, in accordance with international regulations including GDPR, HIPAA, CCPA, DPDPA, and other region-specific regulations. It ensures that personal and sensitive data are processed lawfully, transparently, and securely, while meeting operational and legal requirements.

Boomitra respects the privacy of all its stakeholders, including employees, partners, farmers, ranchers, and others, and their personal data, including digital information that Boomitra holds about them. We will ask for and use personal data in accordance with our values, with respect for privacy as a human right and applicable laws. This policy sets out the steps employees must take to ensure personal data is handled appropriately.

SCOPE

This policy applies to all employees, contractors, vendors, and third parties, including partners, farmers, and ranchers with access to Boomitra’s systems and data, across all locations where Boomitra has operations or business.

DEFINITIONS

  • Data: Any information that is processed, stored, or transmitted.
  • Personal Data: Any information related to an identified or identifiable individual directly or indirectly. This includes names, email addresses, phone numbers, IP addresses, location data, and more sensitive information such as health records, financial information, biometric data, and racial/ethnic origin.
  • Data Processor: An entity processing data.
  • Retention Period: The time duration for which data is stored before being securely deleted.

COMPLIANCE AND REGULATORY FRAMEWORK

Boomitra complies with the following regulations:

  • General Data Protection Regulation (GDPR): Applicable to operations in the EU.
  • California Consumer Privacy Act (CCPA): Relevant to operations in the USA.
  • Digital Personal Data Protection Act (DPDPA) and Indian IT Act: Applicable to operations in India.
  • African data protection laws: Including the Protection of Personal Information Act (POPIA) in South Africa.
  • Local data protection laws in LATAM: Such as the LGPD in Brazil.

Regular updates are ensured to maintain compliance with emerging regulations.

DATA COLLECTION AND USAGE

Data collection will adhere to the following principles:

  • Lawfulness, Fairness, and Transparency: Data subjects will be informed about data collection purposes. Data must be processed in a legal, fair, and transparent manner.
  • Purpose Limitation: Data is collected for specific, explicit, and legitimate purposes.
  • Data Minimization: Only the data necessary for intended purposes is collected.
  • Accuracy: Steps will be taken to ensure data is accurate and up-to-date.
  • Storage Limitation: Data should be retained only as long as necessary for the intended purposes.
  • Integrity and Confidentiality: Data must be processed securely to prevent unauthorized access or breaches.
  • Updating: Data will be updated as and when required.

DATA SECURITY PRINCIPLES

Boomitra adopts state-of-the-art security measures, including:

  • Access Controls: Restricted access based on role and responsibility.
  • Encryption: Data at rest and in transit are encrypted.
  • Network Security: Firewalls, intrusion detection systems, and endpoint protection.
  • Regular Audits: Regular reviews of data protection measures.

RIGHTS OF DATA SUBJECTS

Data subjects (individuals) have the following rights:

  • Right to Access: Obtain a copy of their personal data or request access to their personal data.
  • Right to Rectification: Request correction of inaccurate data.
  • Right to Erasure (“Right to be Forgotten”): Request deletion of data under certain conditions.
  • Right to Restrict Processing: Limit data processing under specific scenarios.
  • Right to Data Portability: Transfer data to another controller or organization.
  • Right to Object: Object to data processing, especially for direct marketing.

Requests from data subjects must be addressed within 30 days unless otherwise required by regional laws.

LAWFUL BASES FOR PROCESSING

The lawful bases for processing personal data include:

  • Consent: The data subject has explicitly agreed to the processing of their data.
  • Contractual necessity: The data processing is necessary for the performance of a contract.
  • Legal obligation: Processing is necessary to comply with a legal obligation.
  • Vital interests: Processing is necessary to protect someone’s life.
  • Public task: Processing is necessary for carrying out an official function or task.
  • Legitimate interests: Processing is based on a legitimate interest of the data controller or a third party, except where the individual’s interests or rights override those interests.

DATA BREACH MANAGEMENT

The following Incident Response Plan will be activated when a data breach is detected:

  • Data breaches must be reported to the relevant supervisory authority within 72 hours of discovery if the breach poses a risk to individuals’ rights and freedoms.
  • Immediate containment of the breach.
  • Assessment of scope and impact.
  • Notification to stakeholders, including authorities and affected individuals, where applicable.
  • Implementation of remedial actions to prevent recurrence.

CROSS-BORDER DATA TRANSFERS

Boomitra will ensure that cross-border data transfers comply with applicable laws:

  • For the EU: Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
  • For the USA: Compliance with HIPAA and CCPA.
  • For India, Africa, and LATAM: Adherence to country-specific data transfer regulations.

Boomitra will ensure that the receiving country has adequate data protection laws.

ROLES AND RESPONSIBILITIES

  • IT Department: Implements technical security measures and oversees data protection practices.
  • Employees: Ensure compliance with this policy.
  • Third-Party Vendors: Sign binding agreements ensuring compliance with company policies.

DATA RETENTION POLICY

Purpose of Retention

Boomitra will ensure that data is retained only as long as necessary for legal, operational, and business purposes. Retention limits are defined by regulatory requirements, contractual obligations, and company policies.

Data Retention Periods

| Data Type                 | Retention Period             | Legal Basis                    |
|---------------------------|------------------------------|--------------------------------|
| Employee Records (Active) | Duration of service + 7 years | Labor laws (country-specific) |
| Employee Records          | 7 years post-termination     | Labor laws (country-specific)  |
| Financial Data            | 10 years                     | Tax regulations                |
| Customer Data (Active)    | Duration of service + 5 years | Operational necessity         |
| Customer Data (Inactive)  | 5 years                      | GDPR/CCPA                      |
| Health Records (Sensitive) | 7 years                     | HIPAA (USA), GDPR (EU)         |
| Marketing Data            | Until consent withdrawal     | GDPR, CCPA                     |

SECURE DISPOSAL OF DATA

  • Digital data will be deleted using certified tools to prevent recovery.
  • Physical records will be shredded or incinerated under supervision.

MUST

When collecting, using, or storing personal data, authorized employees must:

  • Collect data that is adequate and relevant and use it purely for the purpose for which it has been collected.
  • Ensure transparency with individuals regarding how their personal data will be used, in alignment with Boomitra’s data privacy policies.
  • Obtain consent from individuals wherever required by local law.
  • Always keep personal data up to date; correct inaccurate information when requested and respect individual legal rights.
  • Ensure the security and confidentiality of personal data.
  • Act ethically and responsibly, safeguarding Boomitra’s core values, always considering the risk to individuals in using their personal data and taking steps to mitigate such risk.

MUST NOT

When collecting, using, or storing personal data, authorized employees must not:

  • Retain personal data for longer than necessary to achieve the business objectives for which it was collected.
  • Transfer personal data outside the country in which it is collected without advice from their Legal business partner, as there may be legal restrictions or requirements relating to the transfer.
  • Collect and use personal data for purposes that are not reasonably expected by our stakeholders.

If in doubt, employees must seek advice from management.

POLICY GOVERNANCE AND REVIEW

The policy will be reviewed annually or whenever significant regulatory or operational changes occur. All updates will be communicated to employees and stakeholders.