VMENTORZ – Data Protection Policy
VMENTORZ Pvt. Ltd.
CIN: U62013PN2025PTC246337 | GSTIN: 27AALCV4170A1ZF
Email: info@vmentorz.com | Website: www.vmentorz.com
Registered Office: C604, Viva Hallmark, DSK Ranwara Road, Patil Nagar, Bavdhan, Pune - 411021
1. Purpose
This Data Protection Policy (“Policy”) establishes the internal governance framework adopted by VMENTORZ Private Limited (“VMENTORZ” or “Company”) for the lawful collection, processing, storage, use, retention, protection, and deletion of personal data in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), applicable rules, notifications, and other relevant laws.
This Policy applies to all individuals and entities processing personal data on behalf of VMENTORZ, including:
- Employees
- Directors
- Contractors
- Mentors / Practitioners
- Technology vendors
- Service providers
- Any other authorised person handling data under the Company’s control
This Policy is an internal governance document and governs operational conduct, accountability, and compliance practices within VMENTORZ.
2. Definitions
For the purpose of this Policy:
Personal Data:
Personal Data means any data about an individual who is identifiable directly or indirectly by or in relation to such data, including but not limited to name, contact information, account details, transaction records, digital identifiers, or any information linked to a specific individual.
Sensitive / Health Data:
Sensitive / Health Data means Personal Data relating to an individual’s mental health condition, assessment responses, therapy or counselling notes, psychological disclosures, session summaries, audio/video session content (where applicable), or any information revealing physical or mental health status. For internal governance purposes, such data shall be classified as Highly Sensitive Data and subject to enhanced access, storage, and security safeguards.
Data Principal:
Data Principal means the individual to whom the Personal Data relates, including users of the Platform, mentors, employees, contractors, or any identifiable individual whose Personal Data is processed by VMENTORZ.
Data Fiduciary:
Data Fiduciary means VMENTORZ Private Limited, which alone or in conjunction with others determines the purpose and means of processing Personal Data under this Policy.
Data Processor:
Data Processor means any individual or entity that processes Personal Data on behalf of VMENTORZ pursuant to documented contractual arrangements and defined instructions, including cloud service providers, payment processors, and technology vendors.
Processing:
Processing means any operation or set of operations performed on Personal Data, whether automated or manual, including collection, recording, organisation, storage, structuring, use, transmission, sharing, retrieval, disclosure, anonymisation, or deletion.
Consent:
Consent means a freely given, specific, informed, and unambiguous indication by the Data Principal, through a clear affirmative action, signifying agreement to the processing of Personal Data for a specified purpose.
Anonymised Data:
Anonymised Data means data that has been irreversibly processed in such a manner that the individual cannot be identified, directly or indirectly, by any means reasonably likely to be used.
Aggregated Data:
Aggregated Data means data that has been combined with other data in a manner that does not permit identification of any specific individual.
Data Breach:
Data Breach means any unauthorised access, acquisition, disclosure, alteration, loss, destruction, or compromise of Personal Data that affects its confidentiality, integrity, or availability, whether accidental or unlawful.
3. Data Classification Framework
VMENTORZ classifies personal data into categories based on sensitivity, risk exposure, and potential impact in the event of unauthorised disclosure, misuse, or breach. Data classification determines applicable access controls, retention standards, security safeguards, and breach response prioritisation.
3.1 General Personal Data
General Personal Data includes routine personal information required for platform operations, including but not limited to:
- Name
- Email address
- Phone number
- Account credentials
- Transaction records
- Appointment schedules
- Non-sensitive communications
Safeguards for General Personal Data include:
- Role-based access controls
- Secure cloud infrastructure
- Encryption in transit
- Standard authentication mechanisms
3.2 Sensitive / Health Data (Highly Sensitive Data)
Sensitive / Health Data includes:
- Mental health assessment responses
- Session notes
- Psychological disclosures
- Therapy or counselling summaries
- Audio or video session recordings (if implemented in future)
- Any information revealing physical or mental health status
Due to the nature of VMENTORZ’s services, Sensitive / Health Data shall be internally classified as Highly Sensitive Data. Enhanced safeguards shall apply, including:
- Restricted access strictly on a need-to-know basis
- Segregation from general operational datasets where feasible
- Strong encryption standards
- Access logging and monitoring where technically feasible
- Heightened breach response prioritisation
Practitioner-Generated Session Notes
Session notes created by Mentors are professional records generated in the course of independent service delivery. VMENTORZ does not control the professional judgment exercised by Mentors in determining the clinical or subjective content of such notes. However:
- Mentors are contractually required to comply with applicable data protection laws;
- Mentors must apply data minimisation principles and record only information reasonably necessary for service delivery;
- Mentors must not store, download, copy, or retain session data outside authorised Platform systems unless legally required;
- Mentors must implement reasonable safeguards when accessing data.
VMENTORZ shall not be responsible for the professional opinions, clinical assessments, or narrative content recorded by Mentors, provided such records are created within the scope of lawful professional practice.
3.3 Confidential Internal & Professional Data
Confidential Internal & Professional Data includes:
- Mentor credentials and verification documents
- Internal evaluation reports
- Performance metrics
- Internal investigation records
- Security configurations
- Access control logs
- System architecture details
Access to such data shall be restricted to authorised personnel only and protected against unauthorised internal disclosure.
3.4 Classification Review
Data classification categories and safeguards shall be reviewed periodically by the Data Protection Lead to ensure alignment with:
- Platform feature changes
- Introduction of proprietary recording infrastructure
- AI system expansion
- Regulatory developments
- Evolving security risks
4. Lawful Basis for Processing
VMENTORZ processes Personal Data strictly in accordance with applicable law and only on lawful grounds, including:
- Consent of the Data Principal, obtained through clear affirmative action for specified purposes;
- Performance of a Contract, where processing is necessary for providing services requested by the Data Principal;
- Compliance with Legal Obligations, where processing is required under applicable laws, regulations, or lawful governmental directives;
- Legitimate Uses as permitted under the DPDP Act, including purposes reasonably expected by the Data Principal in the context of service delivery, prevention of fraud, enforcement of legal rights, or internal operational security;
- Protection of Vital Interests, including emergency situations involving risk to life, health, or safety.
All processing activities shall be purpose-bound, proportionate, and limited to what is reasonably necessary to achieve the specified objective.
5. Data Minimisation & Purpose Limitation
VMENTORZ shall collect and process only such Personal Data as is reasonably necessary for specified, lawful, and clearly defined purposes related to platform operations, service delivery, legal compliance, security, and risk management.
Personal Data shall not be collected or retained where:
- It is unrelated to the defined service purpose;
- It is excessive in scope relative to the stated objective;
- The purpose can be reasonably achieved through anonymised or aggregated data.
All processing shall be purpose-bound, proportionate to the intended objective, and limited in duration consistent with retention standards.
Internal teams shall ensure that:
- New platform features undergo data impact consideration prior to implementation;
- AI-enabled tools use anonymised or aggregated data where feasible;
- Additional data fields are not introduced without documented operational justification.
Any proposed expansion in categories of data collected shall be reviewed by the Data Protection Lead prior to deployment.
6. Roles & Responsibilities
Effective data protection governance requires clearly defined accountability structures within VMENTORZ.
6.1 Data Fiduciary
VMENTORZ acts as the Data Fiduciary under applicable law and is responsible for determining the purpose and means of processing Personal Data, ensuring compliance with the DPDP Act, implementing reasonable safeguards, enabling Data Principal rights, maintaining internal records, and responding to breaches. Ultimate accountability rests with the Company.
6.2 Data Protection Lead / Compliance Officer
VMENTORZ shall designate a Data Protection Lead (or equivalent internal role) responsible for overseeing implementation of this Policy, reviewing new data practices, monitoring lawful basis, supervising breach responses, maintaining the Data Retention Matrix, and coordinating with legal advisors. The Data Protection Lead shall have authority to recommend corrective actions where non-compliance is identified.
6.3 Operational Teams
All employees and contractors handling Personal Data shall access data strictly on a need-to-know basis, comply with access control policies, immediately report suspected breaches, and participate in mandatory data protection training. Managers are responsible for ensuring team-level compliance.
6.4 Mentors / Practitioners
Mentors operating on the Platform are independent professionals responsible for lawful handling of Personal Data. They must comply with applicable data protection laws, must not export or retain Personal Data outside authorised systems unless legally required, and must implement reasonable safeguards. Failure to comply may result in suspension or termination.
6.5 Data Processors & Vendors
Third-party service providers processing Personal Data on behalf of VMENTORZ must operate under written contracts, process data only under documented instructions, implement reasonable security safeguards, and notify VMENTORZ of any suspected data breach.
7. Access Control & Role-Based Permissions
VMENTORZ implements role-based access controls (RBAC) to ensure that access to Personal Data is restricted strictly to authorised individuals based on functional necessity and operational responsibility.
7.1 Role-Based Access Structure
Access permissions shall be structured based on defined role categories, including but not limited to platform administrators, customer experience personnel, technical personnel, compliance personnel, and mentors. Sensitive / Health Data shall be accessible only to roles directly involved in service delivery, compliance oversight, or operational support.
7.2 Authentication & Credential Controls
Access to systems containing Personal Data shall be protected through secure password policies, multi-factor authentication (where feasible), periodic standard review, and immediate revocation upon role execution. Shared credentials are prohibited.
7.3 Access Logging & Monitoring
Where technically feasible, VMENTORZ shall maintain system logs reflecting access to Sensitive / Health Data to identify unauthorised access, excessive queries, or suspicious patterns. Where high-risk anomalies are identified, appropriate internal review and corrective action may be undertaken.
7.4 Access Review & Revocation
Access permissions shall be reviewed periodically, adjusted based on role changes, and revoked immediately upon termination. Temporary access permissions should be time-bound where feasible.
7.5 Mentor Access Restrictions
Mentors shall have access only to Personal Data relating to users assigned to them for the purpose of service delivery. Mentors shall not access data relating to unassigned users except where expressly authorised. Unauthorised access may result in platform suspension.
7.6 Progressive Security Enhancement
VMENTORZ shall periodically assess the need for enhanced safeguards in proportion to platform growth, infrastructure capability, user volume, and regulatory expectations, such as encryption of data at rest, and segmented storage for Highly Sensitive Data.
8. Data Retention & Deletion Framework
VMENTORZ shall retain Personal Data only for as long as necessary to fulfil the specific purpose for which it was collected, or as required under applicable law, regulatory obligations, dispute resolution requirements, or legitimate operational needs. Personal Data shall not be retained indefinitely without justification.
8.1 Retention Governance
VMENTORZ shall maintain an internal Data Retention Matrix that specifies categories of data processed, retention triggers, legal basis for retention, and deletion protocols.
8.2 User-Initiated Deletion Requests
Where a Data Principal exercises a lawful right to deletion, the request shall be reviewed and data deleted/anonymised unless retention is required for legal compliance, fraud prevention, or enforcement of rights.
8.3 Sensitive / Health Data Retention
Session notes and health data are retained with heightened caution, limited to continuity of care requirements, subject to legal defence considerations, and governed by the internal Matrix. Audio/video recordings (if implemented in future) shall have strict predefined limits.
8.4 Secure Deletion & Anonymisation
Upon expiry of retention triggers, data shall be securely deleted or irreversibly anonymised where continued functional retention is operationally justified.
9. Data Sharing & Disclosure Controls
VMENTORZ shall share Personal Data only where necessary, lawful, and proportionate to defined operational, legal, regulatory, or service-related purposes.
- Sharing for Service Delivery: Personal Data may be shared with Mentors for session delivery, and with internal personnel supporting platform compliance and experience.
- Sharing with Vendors: Personal Data may be shared with third-party Data Processors under strict written agreements governing security and instruction-bound processing.
- Sharing with Affiliates: Data may be shared with affiliated operations where it supports continuity of care or business expansion in line with legal protections.
- Regulatory & Legal Disclosure: Data is disclosed to authorities if required by law or emergent safety necessity.
- Commercial Use Limits: Identifiable data shall not be commercially exploited. VMENTORZ may solely commercialise irreversibly Anonymised Data or Aggregated Data.
10. AI Governance & Data Usage Controls
VMENTORZ may deploy artificial intelligence systems, machine learning models, or automated technologies for platform enhancement. AI systems are assistive and do not replace professional Mentor judgment.
- AI Role: AI tools shall not autonomously provide clinical decisions, and human oversight is maintained.
- Training Data: AI systems shall use anonymised or aggregated data primarily. Identifiable Sensitive Data shall not be used for AI training without appropriate safeguards.
- Bias & Risk: Systems will be periodically reviewed for anomalies. VMENTORZ shall not rely solely on AI-generated outputs for critical well-being decisions.
11. Session Data Handling Protocol
Session-related data is highly sensitive and subject to enhanced governance controls.
- Recording infrastructure: VMENTORZ currently does not centrally record sessions. Unauthorised third-party platform recordings are prohibited without consent.
- Session Notes: Classified as Highly Sensitive. Notes must not be exported indiscriminately and are strictly role-based in access. Mentors are responsible for professional discretion.
- Compliance Review: Unauthorised handling is subject to strict investigation and platform penalty. VMENTORZ may engage external reviewers where required.
12. Data Breach Response & Incident Management
VMENTORZ manages security incidents in a structured manner by identifying, containing, and escalating breaches of confidentiality or integrity.
- All personnel must rapidly report suspected incidents to the Data Protection Lead.
- Containment steps and preliminary assessments are initiated immediately based on risk and scope.
- Data subjects and authorities are notified, where necessary, in a structured manner and in accordance with the law.
- Remedial steps and vulnerability fixes are implemented following internal investigations.
13. Security Safeguards Framework
VMENTORZ secures Personal Data dynamically against unauthorised access. Technical safeguards include encryption of data in transit, firewalls, and credential authentication. Organisationally, confidentiality bounds and data handler diligence form the structural barrier. New platform features undergo stringent technical reviews that prioritise data minimisation.
14. Cross-Border Data Transfers
Personal Data may be stored or processed in jurisdictions outside India (e.g. cloud infrastructures). Such cross-border transfers are contractually bound to matching security standards and remain aligned with the DPDP Act or restrictive notification directives, where applicable, to ensure lawful processing for operational redundancy.
15. Children’s Data Protection Framework
The data of minors (as recognised by law) is subject to higher-tier security checks. Guardian consent is essential before processing begins. Profiling for commercial aims is disabled. Mentors handling sensitive child psychology contexts maintain their clinical methodology independently but remain accountable and are mandated by law to escalate abuse or self-harm risks officially.
16. Audit & Compliance Monitoring
VMENTORZ actively reviews access protocols, data incident tracking points, and infrastructure updates in a structured manner. Audits, conducted over standard cycles, serve as a corrective mechanism protecting Data Principals.
17. Training & Awareness
Personnel and mentors receive active, continuous orientation on internal data accountability guidelines, through briefings or binding legal guidelines, to build defensive confidentiality practices.
18. Disciplinary Measures
Compliance is mandatory. Consequences for unauthorised exposure are proportionate and range from warnings to termination, platform cessation, and legal prosecution, across operational or vendor domains.
19. Policy Review & Amendments
VMENTORZ reserves the legal authority to revise this Policy periodically, in line with regulatory evolution or structural scaling, without prejudice.
Version History
| Version | Effective Date | Description | Approved By |
|---|---|---|---|
| 1.0 | January 29, 2026 | Initial internal Data Protection Policy. | VMENTORZ Board / Management |