Privacy Policy

RCK Analytics

M-109, City Avenue Corporate Park, Next to Sayaji Hotel, Wakad,

Mumbai-Bangalore Highway, Pune, Maharashtra, India – 411057
Email: info@rckanalytics.com | Web: www.rckanalytics.com


TABLE OF CONTENTS

1. Introduction and Scope
2. About RCK Analytics
3. Definitions
4. Information We Collect
5. How We Collect Your Information
6. Legal Basis for Processing Personal Data
7. How We Use Your Information
8. Disclosure and Sharing of Personal Data
9. International Data Transfers
10. Data Retention
11. Data Security
12. Cookies and Tracking Technologies
13. Third-Party Links and Services
14. Your Rights and Choices
15. Children’s Privacy
16. Confidentiality and Professional Obligations
17. Artificial Intelligence and Automated Decision-Making
18. Regulatory and Compliance Matters
19. Changes to this Privacy Policy
20. Grievance Officer and Contact Information

1. Introduction and Scope

RCK Analytics (“RCKAnalytics,” “we,” “us,” or “our”) is committed to safeguarding the privacy, confidentiality, and security of personal data entrusted to us by our clients, website visitors, business contacts, job applicants, vendors, and all other individuals who interact with our services or digital platforms.

This Privacy Policy (“Policy”) is issued in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), the Digital Personal Data Protection Act, 2023 (“DPDPA”) of India, and in alignment with applicable international data protection frameworks including, but not limited to:

• The General Data Protection Regulation (EU) 2016/679 (“GDPR”) – applicable to individuals in the European Economic Area and the United Kingdom;
• The UK Data Protection Act, 2018 and UK GDPR – applicable to individuals in the United Kingdom;
• The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) – applicable to California residents in the United States;
• Data protection and privacy regulations of the Middle East jurisdictions including the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and applicable GCC data protection laws; and
• Other applicable national and regional data protection laws in jurisdictions where we operate.

This Policy applies to:

• All personal data collected through our website (www.rckanalytics.com) and any associated subdomains;
• Personal data obtained in the course of providing our professional services;
• Personal data of our employees, contractors, consultants, and job applicants;
• Personal data received from clients, counterparties, vendors, and third-party data sources.

By accessing our website or engaging with our services, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy. If you do not agree with any part of this Policy, you should refrain from using our website or services. This Policy should be read in conjunction with any additional privacy notices, engagement letters, or data processing agreements that may be provided in connection with specific services.
This Policy does not apply to third-party websites, platforms, or services that may be linked from our website.
RCK Analytics is not responsible for the privacy practices of such third parties.

2. About RCK Analytics

RCK Analytics is a dynamic, India-headquartered professional services firm delivering world-class research, analytics, and advisory solutions to leading financial institutions and corporates across the globe. We serve clients across the United States, Europe (including the United Kingdom), the Middle East, and other international markets.
Our service portfolio spans multiple domains within the financial services ecosystem, including:

• Investment Banking – including Mergers & Acquisitions (M&A) advisory, debt markets support, ratings advisory, valuation and transaction services, and presentation and graphics support;
• Investment Research – including equity research, financial valuation, fixed income and credit research, hedge fund support, and sell-side and buy-side research;
• Private Equity and Venture Capital – including deal sourcing support, due diligence, portfolio monitoring, and fund analysis;
• Data Science and Engineering – including advanced analytics, machine learning, artificial intelligence (including generative AI), data engineering, and business intelligence;
• Strategic Consulting – including market entry strategy, competitive intelligence, and business strategy;
• Financial Modelling – including integrated financial models, LBO models, DCF analysis, and valuation frameworks;
• Market Intelligence – including competitive benchmarking, sector reports, and market sizing; and
• Assurance Services – financial and operational assurance.

We serve clients across the following sectors: Banking, Financial Services and Insurance (BFSI), Technology, Media and Telecommunications (TMT), Healthcare, Manufacturing, Commodities, and Hospitality. Our client base includes investment banks, brokerage houses, private equity firms, asset managers, hedge funds, consulting firms, and corporate entities.

3. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings ascribed to them below:

3.1 ‘Personal Data’ or ‘Personal Information’

Any information that relates to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

3.2 ‘Sensitive Personal Data or Information’ (SPDI)

As defined under the SPDI Rules and applicable Indian law, this includes passwords, financial information (such as bank account details, credit or debit card details), physical, physiological, or mental health conditions, sexual orientation, medical records and history, and biometric information.

3.3 ‘Data Controller’ or ‘Data Fiduciary’

The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. RCK Analytics acts as a Data Controller or Data Fiduciary in respect of personal data it collects for its own purposes.

3.4 ‘Data Processor’ or ‘Data Processor’

A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller. RCK Analytics may act as a Data Processor when processing personal data on behalf of its clients.

3.5 ‘Processing’

Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

3.6 ‘Consent’

Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

3.7 ‘Website’

Refers to www.rckanalytics.com, including all associated pages, subdomains, and digital assets maintained by RCK Analytics.

4. Information We Collect

RCK Analytics collects personal data in various categories depending on the nature of your interaction with us.
The following categories of information may be collected:

4.1 Identity and Contact Information

• Full name, preferred name, salutation, gender;
• Job title, designation, and seniority level;
• Name and nature of the employer organisation or firm;
• Business and/or personal email addresses;
• Business and/or personal telephone numbers;
• Postal address (office and/or residence, as applicable);
• Country, city, and location details.

4.2 Professional and Business Information

• Professional background, including employment history, industry experience, and area of specialisation;
• Educational qualifications and professional certifications;
• Business relationships and referral sources;
• Client or counterparty information shared during the course of engagements;
• Information about the organisations or funds you represent;
• Details of investment mandates, transaction structures, or strategic priorities (where shared with us in the course of service delivery).

4.3 Financial and Transaction Information

• Billing details and invoicing information;
• Bank account details required for payment processing (collected and stored securely with restricted access);
• Details of services procured, contract values, and payment history;
• Information required for anti-money laundering (AML), Know Your Customer (KYC), and sanctions screening purposes.

4.4 Technical and Usage Information

• Internet Protocol (IP) address and approximate geographic location derived therefrom;
• Browser type, version, and settings;
• Operating system and device type (including device identifiers);
• Pages visited on our website, time and date of visits, and duration of engagement;
• Referring and exit URLs;
• Click-stream data and navigation patterns;
• Cookies, pixel tags, web beacons, and similar tracking technology data (see Section 12).

4.5 Communications and Correspondence Data

• Content of emails, inquiries, or messages submitted through our website contact form or sent directly to our team;
• Records of business meetings, calls, or correspondence;
• Feedback, testimonials, and survey responses;
• Event registration information (webinars, conferences, etc.).

4.6 Recruitment and Employment Information

For job applicants and candidates, we may additionally collect:

• Curriculum vitae (CV) and cover letter;
• References and background check information;
• Interview notes and evaluation assessments;
• Right-to-work documentation and identification documents;
• Compensation expectations and terms of proposed engagement.

4.7 Sensitive Personal Data

We generally do not seek to collect Sensitive Personal Data or Information (SPDI) unless it is necessary for a specific service or required by law. Where such data is collected (for example, for KYC or regulatory compliance purposes), it shall be collected only with your explicit consent and processed in accordance with the heightened protections required under applicable law.
If you are a healthcare sector client or counterparty and engage us in services touching upon Protected Health Information or analogous data categories, additional data protection provisions shall be agreed upon in writing prior to any such processing.

5. How We Collect Your Information

5.1 Direct Collection

We collect personal data directly from you when you:

• Submit an inquiry or contact us via our website contact form;
• Subscribe to our research publications, newsletters, or market intelligence reports;
• Register for or attend webinars, events, or meetings hosted or co-hosted by RCK Analytics;
• Apply for a position with RCK Analytics;
• Enter into a commercial engagement, contract, or non-disclosure agreement with us;
• Interact with us via social media platforms (LinkedIn, Twitter/X, etc.) or business networking channels;
• Visit our premises.

5.2 Automated Collection

When you visit our website, certain technical data is collected automatically through cookies, server logs, and similar tracking technologies. This includes IP addresses, browser information, and browsing behaviour on our website. Please refer to Section 12 for full details on our use of cookies and tracking technologies.

5.3 Third-Party Sources

We may receive personal data about you from third-party sources, including:

• Our clients, who may provide us with information about their personnel, investors, or counterparties as necessary for the performance of our engagement;
• Publicly available sources such as regulatory filings, company registries, financial databases
  (Bloomberg, Capital IQ, Refinitiv, PitchBook, etc.), LinkedIn, and other professional networks;
• Business partners, referral partners, and data enrichment service providers;
• Third-party analytics and marketing tools (e.g., Google Analytics, HubSpot) that collect data when you
  visit our website.

6. Legal Basis for Processing Personal Data

We process personal data only where we have a lawful basis to do so. Depending on the applicable jurisdictionand the nature of the data processing, we rely on one or more of the following legal bases:

6.1 Consent

Where you have freely given your informed and explicit consent to the processing of your personal data for one or more specific purposes. You may withdraw consent at any time; however, withdrawal shall not affect the lawfulness of processing based on consent prior to withdrawal. Withdrawal of consent may impact our ability to provide certain services.

6.2 Performance of a Contract

Where processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract.

6.3 Legitimate Interests

Where processing is necessary for the purposes of the legitimate interests pursued by RCK Analytics or a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject. Our legitimate interests include business development, client relationship management, research and analytics operations, fraud prevention, and network and information security.

6.4 Legal Obligation

Where processing is necessary for compliance with a legal obligation to which RCK Analytics is subject, including obligations arising under Indian law, or applicable foreign laws in jurisdictions where we operate or provide services.

6.5 Vitals Interests

Where processing is necessary to protect the vital interests of any natural person.

6.6 GDPR and UK GDPR Specific Bases (EEA and UK Data Subjects)

For individuals located in the European Economic Area or the United Kingdom, all processing shall be carried out in accordance with Articles 6 and 9 of the GDPR and UK GDPR, respectively. Where special categories of data (as defined under Article 9 GDPR) are processed, we shall rely on explicit consent or other specific grounds set out in Article 9(2) of the GDPR.

6.7 CCPA / CPRA (California Residents)

California residents are entitled to specific disclosures and rights under the CCPA as amended by the CPRA. RCK Analytics does not sell personal information as defined under the CCPA. Please refer to Section 14 for information on your rights as a California resident.

7. How We Use Your Information

RCK Analytics uses personal data collected for the following purposes:

7.1 Service Delivery and Client Engagement

• To deliver our professional services in accordance with our client engagements and contractual obligations;
• To conduct investment research, financial analysis, market intelligence, and related analytical work;
• To support M&A transactions, capital markets activities, private equity due diligence, and related deal processes;
• To develop financial models, valuation reports, pitch books, and research publications;
• To develop and deploy generative AI and data science solutions on behalf of clients.

7.2 Business Development and Marketing

• To respond to your inquiries, proposals, and requests for information;
• To send you relevant research, publications, thought leadership, and market updates (where you have subscribed or consented to receive such communications);
• To identify and approach potential clients whose needs align with our service offerings;
• To conduct client satisfaction surveys and gather feedback on our services.

7.3 Recruitment and Human Resources

• To process job applications, conduct interviews, and assess candidate suitability;
• To communicate with applicants regarding the status of their applications;
• To comply with employment law obligations in India;
• To manage employee records and administer HR processes for our workforce.

7.4 Compliance, Risk Management, and Legal Obligations

• To comply with applicable legal and regulatory requirements, including anti-money laundering (AML), Know Your Customer (KYC), and sanctions obligations;
• To maintain appropriate records for tax, accounting, and audit purposes;
• To investigate suspected fraud, misconduct, or other illegal activities;
• To enforce our contractual rights and defend legal claims.

7.5 Website Operations and Analytics

• To operate, maintain, and improve the functionality of our website;
• To analyse website traffic, user behaviour, and engagement to improve user experience;
• To detect and prevent security threats, cyberattacks, and unauthorised access;
• To ensure technical compatibility and optimise website performance.

We shall not use your personal data for purposes that are incompatible with the purposes for which it was originally collected without your prior consent.

8. Disclosure and Sharing of Personal Data

RCK Analytics does not sell, rent, or commercially exploit personal data. We may disclose personal data to the following categories of recipients only where necessary and in accordance with applicable law:

8.1 Within RCK Analytics

Personal data may be shared internally among authorised personnel, including our research analysts, data scientists, relationship managers, and support staff, on a need-to-know basis strictly for the purposes of service delivery and operations.

8.2 Service Providers and Third-Party Processors

We engage third-party vendors and service providers who process personal data on our behalf under binding contractual agreements that require them to maintain confidentiality and comply with applicable data protection laws. These include:

• Cloud computing and IT infrastructure providers;
• Data analytics tools and software providers;
• Financial data and market data providers (e.g., Bloomberg, Capital IQ, Refinitiv);
• Email, communication, and CRM platforms;
• Legal, accounting, audit, and professional advisory services;
• Recruitment and HR management platforms;
• Cybersecurity and IT support vendors.

8.3 Clients

In the ordinary course of providing our services, we may share information about our own personnel (such as analyst profiles or team credentials) with clients. Where we process personal data received from or on behalf of a client, such data shall be used solely for the purposes of that engagement.

8.4 Regulatory and Legal Authorities

We may disclose personal data to government authorities, regulators, courts, law enforcement agencies, or other public authorities where we are required to do so by law, court order, or regulatory requirement, or where we believe in good faith that such disclosure is necessary to prevent harm, protect our legal rights, or comply with our legal obligations.

8.5 Business Reorganisation

In the event of a merger, acquisition, restructuring, sale of assets, or other corporate transaction involving RCK Analytics, personal data may be transferred to the relevant parties as part of such a transaction. We shall endeavour to ensure that any such transfer is subject to appropriate data protection safeguards.

8.6 Aggregated and Anonymised Data

We may use and disclose aggregated, de-identified, or anonymised data (which cannot reasonably be used to identify any individual) for research, analytical, and business development purposes, including publication of sector insights and benchmarking reports. Such data is not subject to the restrictions of this Privacy Policy.

9. International Data Transfers

RCK Analytics operates globally and provides services to clients in the United States, Europe, the United Kingdom, the Middle East, and other jurisdictions. As a result, personal data may be transferred to, stored in, or processed in countries outside your country of residence, including India, the United States, and other jurisdictions where our service providers operate.
Such international transfers of personal data shall be carried out in accordance with applicable law and subject to appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner’s Office, as applicable;
• Adequacy decisions by relevant regulatory authorities;;
• Binding Corporate Rules, where applicable;
• Other legally recognised transfer mechanisms under the GDPR, UK GDPR, DPDPA, and applicable local laws.

For transfers of data from the European Economic Area or the United Kingdom to India, RCK Analytics shall rely on Standard Contractual Clauses or other appropriate safeguards, as required under applicable EU and UK data protection law.
For transfers under the Indian DPDPA, we shall comply with the requirements set out by the Central Government regarding cross-border data transfers, including any restrictions on transfer to notified countries.
You may request further information about the specific safeguards in place for international data transfers by contacting our Grievance Officer (see Section 20).

10. Data Retention

RCK Analytics retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, or professional reporting requirements, or as otherwise required by law.
In determining the appropriate retention period for personal data, we consider:

• The amount, nature, and sensitivity of the personal data;
• The potential risk of harm from unauthorised use or disclosure;
• The purposes for which we process the personal data and whether we can achieve those purposes through other means;
• Applicable legal, regulatory, contractual, or professional obligations;
• Statute of limitations for potential legal claims.

As a general principle:

• Client engagement records: Retained for a minimum of seven (7) years following the conclusion of the engagement, unless a longer period is required by law or professional standards;
• Marketing and communications data: Retained until you opt out of communications or withdraw consent, subject to a maximum of three (3) years from last interaction;
• Recruitment records: Retained for a period of two (2) years following the conclusion of the recruitment process, or as required by applicable employment law;
• Website technical data: Retained for periods consistent with our analytical purposes, typically not exceeding twenty-six (26) months;
• Financial and transactional records: Retained for a minimum of seven (7) years as required by Indian accounting and tax regulations.

Upon expiry of the relevant retention period, personal data shall be securely deleted, anonymised, or destroyed in accordance with our internal data management procedures.

11. Data Security

RCK Analytics implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. Our security measures include, but are not limited to:

• Encryption of personal data in transit (using TLS/SSL protocols) and at rest, where appropriate;
• Access controls and role-based permissions ensuring that personal data is accessible only to
  authorised personnel with a genuine need-to-know;
• Multi-factor authentication (MFA) for access to sensitive systems and client data environments;
• Regular security assessments, vulnerability testing, and penetration testing;
• Employee training and awareness programmes on data protection and information security;
• Physical security measures for our premises and servers;
• Incident response and breach management procedures;
• Regular backup and business continuity procedures.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals,RCK Analytics shall notify the relevant supervisory authority and/or affected data subjects in accordance with the timelines and requirements prescribed under applicable law (including 72 hours under the GDPR and as required under the DPDPA).
However, no method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee its absolute security. You are encouraged to use secure and unique passwords and to notify us immediately if you suspect any unauthorised use of your information.

12. Cookies and Tracking Technologies

12.1 What Are Cookies

Cookies are small text files placed on your device when you visit our website. They enable the website to
recognise your device, remember your preferences, and provide a personalised browsing experience. In
addition to cookies, we may use web beacons, pixel tags, local storage objects, and similar tracking
technologies.

12.2 Types of Cookies We Use

• Strictly Necessary Cookies: Essential for the operation of our website and cannot be switched off
  without impacting core functionality (e.g., session management, security);
• Performance and Analytics Cookies: Used to analyse how visitors interact with our website, including
  pages visited, time on site, and error messages (e.g., Google Analytics);
• Functionality Cookies: Enable enhanced functionality and personalisation, such as remembering your
  preferences and settings;
• Marketing and Targeting Cookies: Used to track visitors across websites to deliver relevant
  advertisements and measure campaign effectiveness. We do not currently serve targeted advertising
  on our website, but certain third-party tools may use such cookies.

12.3 Managing Cookies

You may control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies; however, if you disable cookies, some features of our website may not function properly. You may also opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on available at tools.google.com/dlpage/gaoptout.

A cookie consent banner is displayed on your first visit to our website, where we seek your consent for non- essential cookies in accordance with applicable law.

13. Third-Party Links and Services

Our website may contain hyperlinks to third-party websites, resources, or services. These third-party sites are not operated or controlled by RCK Analytics and are subject to their own privacy policies and terms of use. We do not endorse, and are not responsible for, the privacy practices, content, or security of any third-party websites.
We encourage you to review the privacy policies of any third-party websites you visit. Your access to and use
of third-party websites is entirely at your own risk.
In the course of delivering our services, we may integrate with or utilise third-party financial data platforms and tools, including Bloomberg, Capital IQ (S&P Global Market Intelligence), Refinitiv (LSEG), PitchBook, and similar providers. Your use of such platforms is governed by the respective terms and privacy policies of those providers.

14. Your Rights and Choices

Depending on your country of residence and applicable law, you may have the following rights with respect to your personal data. We are committed to facilitating the exercise of these rights in a timely and transparent manner.

14.1 Right to Access

You have the right to request confirmation of whether we process your personal data, and to obtain a copy of the personal data we hold about you, together with information about how it is used.

14.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. We will take reasonable steps to correct such data upon verification of your identity and the accuracy of the correction.

14.3 Right to Erasure (‘Right to be Forgotten’)

You may request that we delete your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent (and there is no other legal ground for processing), or where the data has been unlawfully processed. The right to erasure is subject to applicable legal obligations and legitimate interests that may require us to retain certain data.

14.4 Right to Restriction of Processing

You may request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where you have objected to processing based on legitimate interests pending verification.

14.5 Right to Data Portability

Where processing is based on consent or contractual necessity and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to request its transmission to another controller where technically feasible.

14.6 Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. Upon receipt of an objection to direct marketing, we shall cease such processing immediately.

14.7 Rights Related to Automated Decision-Making

Where we make decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects on you, you have the right to request human review of such decisions, to express your point of view, and to contest the outcome.

14.8 Right to Withdraw Consent

Where processing is based on your consent, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent prior to withdrawal. Withdrawal of consent may be effected by contacting us using the details in Section 20.

14.9 CCPA / CPRA Rights (California Residents)

California residents have the right to:

• Know what personal information is collected, used, shared, or sold;
• Request deletion of personal information (subject to certain exceptions);
• Opt out of the “sale” or “sharing” of personal information (RCK Analytics does not sell or share personal information for cross-context behavioural advertising);
• Correct inaccurate personal information;
• Limit the use and disclosure of sensitive personal information;
• Non-discrimination for exercising your CCPA rights.

14.10 Indian Data Principal Rights (DPDPA, 2023)

Under the Digital Personal Data Protection Act, 2023, individuals whose personal data is processed by RCK Analytics (“Data Principals”) have the right to:

• Obtain a summary of the personal data being processed and the processing activities;
• Correct or erase their personal data;
• Nominate another individual to exercise rights on their behalf in the event of their death or incapacity;
• Grieve against any decision or action of RCK Analytics relating to their personal data.

14.11 Exercising Your Rights

To exercise any of the rights described above, please submit a request to our Grievance Officer using the contact details in Section 20. We will respond to your request within the timeframe required by applicable law (e.g., within 30 days under the GDPR, or within such period as may be prescribed under the DPDPA). We may need to verify your identity before processing your request. We shall not charge a fee for exercising your rights, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline the request.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.

15. Children’s Privacy

Our website and services are not directed at, or intended for use by, individuals under the age of eighteen (18) years. We do not knowingly collect personal data from minors. If you are a parent or guardian and you believe your child has provided us with personal data, please contact us immediately using the details in Section 20. Upon verification, we shall promptly delete such information from our records.

16. Confidentiality and Professional Obligations

As a financial research and analytics firm, RCK Analytics is subject to stringent professional and ethical obligations of confidentiality with respect to all client information and data entrusted to us in the course of our engagements. These obligations arise under our contractual agreements, applicable professional standards, and legal requirements.
All personnel of RCK Analytics, including employees, contractors, and consultants, are required to maintain strict confidentiality with respect to client data, proprietary information, and any material non-public information (“MNPI”) to which they may be exposed in the course of their work. Our policies strictly prohibit the misuse of any MNPI, including in connection with securities trading or any other form of market misconduct.
Client data received for the purpose of delivering our services shall be used exclusively for those purposes and
shall not be disclosed to any third party without the explicit consent of the relevant client, except as required by
law or as described in this Privacy Policy.
We maintain information barriers and conflict management procedures designed to prevent the inappropriate flow of confidential information within the firm.

17. Artificial Intelligence and Automated Decision-Making

RCK Analytics provides generative AI and data science solutions as part of its service portfolio. In the delivery of these services, AI and machine learning technologies may be used to analyse data, generate insights, and produce research outputs. We are committed to the responsible and ethical use of AI and adhere to the following principles:

• Transparency: We inform clients of the use of AI tools in the delivery of our services and the extent to which AI is used to generate research outputs;
• Human Oversight: AI-generated outputs are reviewed and validated by qualified research and analytics professionals before being delivered to clients;
• Data Minimisation: We use the minimum amount of personal data necessary when training, testing, or operating AI systems;
• Non-Discrimination: We are committed to ensuring that our AI systems do not perpetuate or amplify unlawful bias or discrimination;
• Accuracy and Reliability: We implement quality assurance measures to ensure the accuracy and reliability of AI-generated outputs.

We do not use personal data to make fully automated decisions that produce legal or similarly significant effects on individuals, except as may be required or permitted by applicable law. Where any such automated decision-making is employed, we ensure that appropriate safeguards are in place, including the right to human review.

18. Regulatory and Compliance Matters

RCK Analytics provides services to clients in highly regulated industries, including banking, financial services, and insurance (BFSI). In the course of delivering these services, we may be required to collect and process personal data for regulatory compliance purposes, including:

• Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) compliance;
• Know Your Customer (KYC) and Know Your Business (KYB) due diligence;
• Sanctions screening against applicable national and international sanctions lists;
• Regulatory reporting obligations to SEBI, RBI, FCA, SEC, FINRA, and other applicable regulators;
• Prevention of insider trading and market abuse compliance.

Personal data processed for compliance purposes shall be handled with the highest levels of confidentiality and security, and shall be retained in accordance with the requirements of the relevant regulatory framework.

19. Changes to this Privacy Policy

RCK Analytics reserves the right to update, amend, or modify this Privacy Policy at any time to reflect changes in our practices, services, legal requirements, or technological developments. Any changes to this Policy will be posted on our website (www.rckanalytics.com) with the revised “Effective Date” noted at the top of the document.
Where the changes are material, we will endeavour to provide prominent notice, which may include a
notification on our website homepage, an email notification to subscribed users, or other appropriate
communication. We encourage you to review this Policy periodically to stay informed of how we protect your
personal data.
Your continued use of our website or services following the posting of any changes constitutes your acknowledgment of the revised Policy. If you do not agree with the revised Policy, you should discontinue your use of our website and services and contact us to discuss how we can address your concerns.

20. Grievance Officer and Contact Information

In accordance with the Information Technology Act, 2000, the SPDI Rules, and the Digital Personal Data Protection Act, 2023, RCK Analytics has designated a Grievance Officer to address any concerns, grievances, or inquiries regarding the processing of personal data.

Any individual wishing to raise a grievance, exercise their data protection rights, or seek clarification regarding this Privacy Policy may do so by contacting the Grievance Officer at the details above. Complaints will be acknowledged within five (5) business days and addressed within thirty (30) days of receipt.

Where an individual remains unsatisfied with the resolution provided by our Grievance Officer, they may escalate their complaint to the applicable data protection supervisory authority in their jurisdiction, including:

• India: The Data Protection Board of India (once constituted under the DPDPA, 2023);
• European Union / EEA: The competent data protection supervisory authority in the relevant EU Member State;
• United Kingdom: The Information Commissioner’s Office (ICO);
• United States (California): The California Privacy Protection Agency (CPPA);
• UAE: The UAE Data Office.