Privacy Policy

For the purposes of this Policy, the following terms shall have the meanings ascribed to them below:

"Personal Data" or "Personal Information"

Any information that identifies or can reasonably identify a natural person, directly or indirectly, including name, email address, telephone number, location data, and online identifiers.

"Processing"

Any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

"Data Subject"

Any identified or identifiable natural person whose Personal Data is processed by the Company.

"Client"

Any business entity that has entered into a Service Agreement with the Company for the provision of B2B sales acceleration services.

"Services"

The SDR-as-a-Service, LinkedIn Outreach Excellence, and ancillary B2B outreach services offered by the Company.

This Policy applies to:

• All visitors to the Company's website at www.millioncxo.com and any subdomains thereof;
• Prospective clients who interact with the Company through demo requests, contact forms, or direct communications;
• Clients under active or concluded Service Agreements with the Company; and
• Any other individual whose Personal Data is submitted to or collected by the Company in connection with the Services.

This Policy does not apply to the data practices of third-party platforms, tools, or service providers referenced herein, each of which is governed by their own privacy policies.

The Company processes Personal Data for the following purposes:

1. To operate, maintain, and improve the Company's website and digital infrastructure;
2. To respond to enquiries, schedule consultations, and facilitate the onboarding of prospective Clients;
3. To execute and administer Service Agreements, including delivery of contracted outreach and SDR services;
4. To issue invoices, process payments, and maintain financial and accounting records in compliance with applicable law;
5. To communicate service-related updates, operational notices, and material changes to agreements;
6. To conduct analytics and generate insights to improve service quality and website performance;
7. To comply with legal obligations, regulatory requirements, and judicial or governmental orders;
8. To enforce the Company's contractual rights and protect against fraud, misuse, or unlawful activity.

The Company processes Personal Data on the following legal bases, as applicable:

• Contractual necessity: Processing required to perform a Service Agreement to which the Data Subject or their employer is a party;
• Legitimate interests: Processing necessary for the Company's legitimate business interests, including business development, service improvement, and fraud prevention, provided such interests are not overridden by the rights of the Data Subject;
• Legal obligation: Processing necessary to comply with applicable statutory, regulatory, or judicial requirements;
• Consent: Where required by applicable law, the Company will seek explicit consent prior to processing, which may be withdrawn at any time without affecting the lawfulness of prior processing.

The Company does not disclose Personal Data to third parties except in the following circumstances:

• Authorised service providers: Vendors engaged by the Company to facilitate service delivery, including CRM platforms, email infrastructure providers, payment processors, and cloud hosting services, subject to data processing agreements ensuring equivalent levels of protection;
• Legal and regulatory authorities: Where disclosure is required by applicable law, court order, subpoena, or request from a competent governmental or regulatory authority;
• Business transfers: In connection with a merger, acquisition, or sale of all or substantially all of the Company's assets, provided the recipient maintains equivalent data protection standards;
• With consent: Any disclosure beyond the foregoing will be made only with the prior express written consent of the Data Subject.

Given that the Company's Clients are primarily located in the United States, the United Kingdom, and other jurisdictions outside India, Personal Data may be transferred to and processed in countries other than India. The Company undertakes such transfers in accordance with applicable data protection law, including by executing Standard Contractual Clauses or equivalent safeguards with relevant recipients where required.

All cross-border data transfers are conducted in compliance with the Reserve Bank of India's guidelines and any applicable provisions of the Information Technology Act, 2000, and the rules framed thereunder.

The Company retains Personal Data for no longer than is necessary for the purposes for which it was collected, subject to the following minimum retention periods:

• Client contractual and financial records: a minimum of seven (7) years from the date of the last transaction, in accordance with the Companies Act, 2013 and the Income Tax Act, 1961;
• Active service engagement data: for the duration of the Service Agreement plus two (2) years;
• Website visitor and analytics data: up to twenty-four (24) months from collection;
• Marketing and enquiry correspondence: up to twelve (12) months from the last interaction, unless converted to a Client relationship.

Upon expiry of the applicable retention period, Personal Data is securely deleted or anonymised in a manner that prevents reconstruction.

The Company's website uses cookies and similar technologies to enhance user experience and collect analytical data. The following categories of cookies may be deployed:

• Strictly necessary cookies: Essential to the operation of the website and cannot be disabled without impacting core functionality;
• Performance and analytics cookies: Collect aggregated, anonymised data on how visitors interact with the website for the purpose of improving content and navigation;
• Functionality cookies: Enable the website to remember user preferences and settings across sessions.

You may configure your browser to refuse all or certain cookies. Disabling certain cookies may affect the functionality of some areas of the website. The Company does not deploy third-party advertising or behavioural targeting cookies.

The Company implements and maintains appropriate technical and organisational security measures designed to protect Personal Data against unauthorised access, accidental loss, destruction, alteration, or disclosure. Such measures include, without limitation:

• Transmission Layer Security (TLS/SSL) encryption for all data transmitted via the Company's website;
• Access controls and role-based permissions limiting access to Personal Data to authorised personnel only;
• Regular review of data handling practices and vendor security assessments;
• Employee training on data protection obligations.

Notwithstanding the foregoing, no method of electronic transmission or storage is completely secure. The Company cannot guarantee absolute security and shall not be liable for unauthorised access resulting from circumstances beyond its reasonable control.

Subject to applicable law and the provisions of the Digital Personal Data Protection Act, 2023 (as in force), Data Subjects may exercise the following rights with respect to their Personal Data:

1. Right of access: To obtain confirmation of whether the Company processes your Personal Data and to receive a copy thereof;
2. Right to rectification: To request correction of inaccurate or incomplete Personal Data;
3. Right to erasure: To request deletion of Personal Data where it is no longer necessary for the purpose for which it was collected, subject to applicable retention obligations;
4. Right to restriction: To request that the Company restrict processing of your Personal Data in specified circumstances;
5. Right to data portability: To receive your Personal Data in a structured, commonly used, machine-readable format, where technically feasible;
6. Right to object: To object to processing based on legitimate interests, including profiling;
7. Right to withdraw consent: Where processing is based on consent, to withdraw such consent at any time without affecting the lawfulness of prior processing.

To exercise any of the above rights, please submit a written request to the Company's Grievance Officer (see Section 15). The Company will respond within thirty (30) days of receipt of a valid request, subject to verification of identity.

The Company reserves the right to amend or update this Policy at any time to reflect changes in applicable law, regulatory guidance, or the Company's data practices. Material amendments will be notified to registered Clients via electronic communication to the email address on record, at least fourteen (14) days prior to the effective date of such amendments.

Continued use of the Company's website or Services following the effective date of any revision constitutes acceptance of the revised Policy. The current version of this Policy is always available at www.millioncxo.com/privacy-policy.

This Policy is governed by and construed in accordance with the laws of India, including the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023, as amended from time to time. Any dispute arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of Bengaluru, Karnataka.

In accordance with the Information Technology Act, 2000, and applicable rules, the name and contact details of the Grievance Officer are provided below. Any complaints, queries, or concerns regarding the processing of Personal Data may be directed to:

Grievance Officer

Abhinav Kumar, Managing Director
MillionCXO Outreach Private Limited
235, Binnamangala, 2nd Floor, 13th Cross Road, 2nd Stage, Indiranagar, Bengaluru – 560038, Karnataka, India
Email: info@millioncxo.com
Response time: Within 30 days of receipt